Feature suggestion: --export-option no-include-untrusted-material

David Shaw dshaw at jabberwocky.com
Thu Jan 9 03:25:02 CET 2003

On Wed, Jan 08, 2003 at 03:57:13PM -0500, Michael Young wrote:
> Once again, I'm looking for an automated way to extract only the
> "valid" material (in PGP parlance) from a keyring.  That is, I'd like
> only the keys that are associated with valid userIDs, and *only* the
> valid userIDs on those keys.  The resulting keyring could be used
> without further verification, with programs that don't do any
> themselves (or with GnuPG using the --always-trust option).  This
> will be particularly valuable if GnuPG offers more interesting
> trust/validity models.

I can sort of see where you are going with this.  One of the features
scheduled for the devel branch is a "direct" trust model where you can
use an external program to generate your trustdb and have GnuPG just
follow it without doing any trustdb calculations of its own.  However,
this is really only good for very special circumstances - if you use a
keyring like that with a program that does no checking *at all*, then
how do you know that the set of valid keys that you wrote out are
still valid?  For example, say you wrote out a valid key, but it then
expired later.  If your other program doesn't have the ability to
validate keys you wouldn't know.  This sort of thing may or may not
matter for a particular use, but it is something to consider.

> It's easy to extract only keys that contain *some* valid material,
> but those keys can also contain invalid/untrusted names.
> Weeding out invalid names is hard.  At first glance, you might think
> that the "--edit-key" command would suffice.  Alas, it is virtually
> impossible to use "deluid" from the command-line -- the ordering you
> get from a "--list-keys" is not the same as the one you get inside the
> "--edit-keys" interaction.

The ordering is (will be) the same in 1.2.2.

> I now see another more natural way to add my desired function to the
> command set: as an "--export-options" flag.  For example,
>     --export-options no-include-untrusted-material
> or some such.  Other flags have a filter-like flavor to them;
> this seems to fit in nicely.

So... it would write out the key material, and any user IDs that are
valid, plus those user ID selfsigs?  No other validating signatures?
I'm not sure how this helps you.


   David Shaw  |  dshaw at jabberwocky.com  |  WWW http://www.jabberwocky.com/
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson

More information about the Gnupg-devel mailing list