Despite "no-include-revoked" revoked still included

Dick Gevers <dvgevers@xs4all.nl>
Tue Dec 10 16:37:02 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi David and others,

On Tuesday, 10 December 2002 at 8:33 h, David Shaw wrote about
"Re: Despite "no-include-revoked" revoked still included":

DG>> keyserver-options keep-temp-files verbose no-include-revoked
    <snip>
DG>> gpg --recv-keys KEYID, 
DG>> the revoked keys of KEYID are still imported into my pubring.

DS>no-include-revoked and no-include-disabled only apply to
DS>--search-keys.  This is for various security reasons, most 
DS>notably if you are doing automated key fetches (say, to verify
DS>the validity of a possibly revoked key), you want the key even
DS>if it is disabled or revoked.

Thanks very much for your answer. In all honesty, this hadn't been 
completely clear to me from gpg.man which states:

--keyserver-options parameters
    ...Valid import-options or export-options
    may be used here as well to apply  to  importing
    (--recv-key)....

and:

    include-revoked
    ...When using  the  LDAP
    keyserver,   this   applies   to  both
    searching (--search-keys) and  receiving
    (--recv-keys).

moreover:
    ....Options can be
    prepended with a  `no-'  to  give  the  opposite
    meaning.

so I had hoped revoked key IDs or subkeys would not be
retrieved.

And I see your point about security reasons: if a valid-on-pubring 
item were revoked one would miss that. 

Maybe such or similar keyserver options could be allowed 
interactively only, to enable the user to decide: when an item on 
the pubring is revoked by the key owner, or expired earlier than 
shown on the pubring, the user is offered the default option to 
update the pubring, but if such data are not (anymore) on the 
pubring they are no longer imported?

In that context I should like to propose for a "wishlist" (if such 
a beast exists) the keyserver options "no-include-revoked-subkeys",
"no-include-revoked-signatures", "no-include-expired-subkeys"
and/or "no-include-expired-signatures". Ideally, I would also hope 
these would apply in case of the command --refresh-keys.

Perhaps it is asking a lot, but I find that my pubring contains a 
lot of 'deadwood', if I may say so, which one could delete, but 
reappears again upon every '--refresh-keys'. So I'm just hoping it 
could be done sometime whenever....

Thanks again and best regards,
=Dick Gevers=

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Win32)
Comment: GPGShell 2.65 - QDGPG for Pegasus Mail 1.0.3.0 beta4

iD8DBQE99gblwC/zk+cxEdMRAkImAKCW8qmlUgtiJ31KgGP049hYduC3WgCgt9zS
eT0B1sFhSSX1W4KTvD2J1Ec=
=0JIK
-----END PGP SIGNATURE-----
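The two points in this exchange, the "deadwood" Dick wants to prune and the reason David gives for fetching revoked material anyway, can both be checked from the machine-readable listing `gpg --with-colons --list-keys KEYID`. The script below is an added example and is not code from the thread or from GnuPG itself; the two listings in it are constructed samples in the modern colon layout (record type in field 1, validity flag in field 2 with r = revoked and e = expired, key ID in field 5), and the key IDs are not real keys.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a fetched key for revoked/expired
# subkeys using the machine-readable listing `gpg --with-colons --list-keys KEYID`.
# Colon-format fields used here: $1 record type (pub/sub/uid), $2 validity
# (r = revoked, e = expired), $5 key ID. The listings below are constructed
# samples in the modern colon layout; the key IDs are not real keys.

# Assumed state of the local pubring before --recv-keys (constructed).
LOCAL_LISTING='pub:-:1024:17:ABCDEF0123456789:1039000000::-:::scESC:
uid:-::::1039000000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::
sub:-:1024:16:0123456789ABCDEF:1039000000::::
sub:-:1024:16:FEDCBA9876543210:1039000000::::
sub:e:2048:16:1111222233334444:1039000000:1071000000:::'

# The same key as returned by the keyserver: one more subkey is now revoked (constructed).
FETCHED_LISTING='pub:-:1024:17:ABCDEF0123456789:1039000000::-:::scESC:
uid:-::::1039000000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::
sub:-:1024:16:0123456789ABCDEF:1039000000::::
sub:r:1024:16:FEDCBA9876543210:1039000000::::
sub:e:2048:16:1111222233334444:1039000000:1071000000:::'

# The "deadwood" the poster wants to drop: subkeys flagged revoked or expired.
# Prints one "KEYID:flag" line per matching subkey.
deadwood_subkeys() {
    printf '%s\n' "$1" | awk -F: '$1 == "sub" && ($2 == "r" || $2 == "e") { print $5 ":" $2 }'
}

# The check behind the "security reasons" answer: a subkey revoked on the keyserver
# but still valid on the local pubring is only noticed if revoked material is fetched.
# Usage: newly_revoked "$old_listing" "$new_listing"; prints key IDs revoked in the
# new listing that were not revoked in the old one.
newly_revoked() {
    old_tmp=$(mktemp) && new_tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$old_tmp"
    printf '%s\n' "$2" > "$new_tmp"
    # First pass (FNR == NR) records subkeys already revoked locally; second pass
    # prints revoked subkeys from the fetched listing that were not in that set.
    awk -F: '
        FNR == NR { if ($1 == "sub" && $2 == "r") seen[$5] = 1; next }
        $1 == "sub" && $2 == "r" && !($5 in seen) { print $5 }
    ' "$old_tmp" "$new_tmp"
    rm -f "$old_tmp" "$new_tmp"
}

# Against a live keyring (requires gpg; KEYID is a placeholder):
#   before=$(gpg --with-colons --list-keys KEYID)
#   gpg --keyserver-options no-include-revoked --recv-keys KEYID   # revoked data arrives anyway
#   newly_revoked "$before" "$(gpg --with-colons --list-keys KEYID)"
deadwood_subkeys "$FETCHED_LISTING"
newly_revoked "$LOCAL_LISTING" "$FETCHED_LISTING"
```

Run against the constructed samples, `deadwood_subkeys` reports the revoked subkey FEDCBA9876543210 and the expired subkey 1111222233334444, and `newly_revoked` reports only FEDCBA9876543210, the revocation that a `--recv-keys` honouring `no-include-revoked` would have hidden. Note that newer GnuPG releases offer `--import-options import-clean` (also accepted via `--keyserver-options`), which drops signatures that are no longer usable after import; that is the closest existing mechanism to the wishlist items above, and it still leaves revoked subkeys in place so the revocation itself is retained.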