Two remarks on public key cryptology

In 1996, Adam Back floated the idea of a public key cryptosystem with a series of public keys pi and secret keys si that stand in the usual relationship with each other but for which there are updating functions fi and gi such that pi+1 = fi(pi) and si+1 = gi(si) [2]. In this way a single root public key p0 could be certified, and thereafter the key owner could regularly calculate si+1 and destroy si. In this way, the compromise of a private key would not expose traffic encrypted to the key in previous epochs. In 1997 I proposed the obvious extension to digital signatures, in order to prevent the retrospective forgery of messages signed using keys belonging to earlier epochs but without requiring that the public key infrastructure accommodate large numbers of time-limited public keys. As motivation, note that while Diffie-Hellman key exchange [6] can provide forward security easily in interactive communication, the US Defense Messaging System (DMS) apparently uses transient public keys to provide forward security in offline messaging: when Alice wishes to communicate with Bob, she fetches from a directory server a public key signed with his long-term private key. (DMS is described in [8], and the KEA key agreement algorithm which it uses in [10].) Is it possible to provide such functionality without having to commit to a particular directory access infrastructure?