\boldhead{2.2. Anti-Entropy with Dormant Death Certificates}

If anti-entropy is used for distributing updates, dormant death certificates should not normally be propagated during anti-entropy exchanges. Whenever a dormant death certificate encounters an obsolete data item, however, the death certificate must be ``activated'' in some way, so it will propagate to all sites and cancel the obsolete data item.

The obvious way to activate a death certificate is to set its timestamp forward to the current clock value. This approach might be acceptable in a system that did not allow deleted data items to be ``reinstated.'' In general it is incorrect, because somewhere in the network there could be a legitimate update with a timestamp between the original and revised timestamps of the death certificate (e.g. an update reinstating the deleted item). Such an update would incorrectly be cancelled by the reactivated death certificate.

To avoid this problem, we store a second timestamp, called the {\it activation timestamp}, with each death certificate. Initially the ordinary and activation timestamps are the same. A death certificate still cancels a corresponding data item if its ordinary timestamp is greater than the timestamp of the item. However, the activation timestamp controls whether a death certificate is considered dormant and how it propagates. Specifically, a death certificate is deleted (or considered dormant by a site on its site list) when its activation timestamp grows older than $\tau𡤁$; a dormant death certificate is deleted when its activation timestamp grows older than $\tau𡤁+\tau𡤂$; and a death certificate is propagated by anti-entropy only if it is not dormant. To reactivate a death certificate, we set its activation timestamp to the current time, leaving its ordinary timestamp unchanged. This has the desired effect of propagating the reactivated death certificate without cancelling more recent updates.