Despite "no-include-revoked" revoked still included
Dick Gevers
Dick Gevers <dvgevers@xs4all.nl>
Tue Dec 10 16:37:02 2002
Hi David and others,
On Tuesday, 10 December 2002 at 8:33 h, David Shaw wrote about
"Re: Despite "no-include-revoked" revoked still included":
DG>> keyserver-options keep-temp-files verbose no-include-revoked
<snip>
DG>> gpg --recv-keys KEYID,
DG>> the revoked keys of KEYID are still imported into my pubring.
DS>no-include-revoked and no-include-disabled only apply to
DS>--search-keys. This is for various security reasons, most
DS>notably if you are doing automated key fetches (say, to verify
DS>the validity of a possibly revoked key), you want the key even
DS>if it is disabled or revoked.
Thanks very much for your answer. In all honesty, this hadn't been
completely clear to me from gpg.man which states:
--keyserver-options parameters
...Valid import-options or export-options
may be used here as well to apply to importing
(--recv-key)....
and:
include-revoked
...When using the LDAP
keyserver, this applies to both
searching (--search-keys) and receiving (--recv-keys).
moreover:
....Options can be
prepended with a `no-' to give the opposite
meaning.
so I had hoped revoked key-ID's or subkeys would not be
retrieved.
And I see your point about security reasons: if a valid-on-pubring
item were revoked one would miss that.
Maybe such or similar keyserver options could be allowed
interactively only, to enable the user to decide when an item on
pubring is revoked by the key-owner or expired earlier than shown
on pubring that the user is offered the default option to update
the pubring, but if such data are not (anymore) on the pubring that
they are no longer imported?
In that context I should like to propose for a "wishlist" (if such
a beast exists) the keyserver options "no-include-revoked-subkeys",
"no-include-revoked-signatures", "no-include-expired-subkeys"
and/or "no-include-expired-signatures". Ideally, I would also hope
these would apply in case of the command --refresh-keys.
Perhaps it is asking a lot, but I find that my pubring contains a
lot of 'deadwood', if I may say so, which one could delete, but
reappears again upon every '--refresh-keys'. So I'm just hoping it
could be done sometime whenever....
Thanks again and best regards,
=Dick Gevers=
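Added example, not part of the thread: since --recv-keys deliberately imports revoked and expired material (the point David makes above), the practical follow-up is to inspect the machine-readable listing after a fetch. This parses gpg's --with-colons key listing (field 1 record type, field 2 validity, field 5 key ID) on a constructed sample, so it runs without invoking gpg; the function name and sample keys are assumptions.

```shell
# Constructed sample of `gpg --with-colons --list-keys` output (no real keys):
# field 1 = record type, field 2 = validity (r = revoked, e = expired), field 5 = key ID.
SAMPLE_LISTING='pub:-:1024:17:0123456789ABCDEF:2002-12-10:::-:Example User (constructed) <user@example.org>::
sub:r:1024:16:FEDCBA9876543210:2002-12-10::::::
sub:e:2048:1:1111222233334444:2001-01-01:2002-01-01:::::
pub:r:1024:17:AAAABBBBCCCCDDDD:2000-05-05:::-:Revoked Person (constructed) <rev@example.org>::'

# Print "<record type> <validity> <key ID>" for every primary key or subkey
# whose validity field is r (revoked) or e (expired). Reads the listing on stdin.
flag_revoked_or_expired() {
    awk -F: '($1 == "pub" || $1 == "sub") && ($2 == "r" || $2 == "e") { print $1, $2, $5 }'
}

# Intended use after a fetch (assumed workflow, gpg not run here):
#   gpg --recv-keys KEYID && gpg --with-colons --list-keys KEYID | flag_revoked_or_expired
printf '%s\n' "$SAMPLE_LISTING" | flag_revoked_or_expired
```

A non-empty result means the fetched key set contains revoked or expired components that are still on the pubring and should be treated as such when verifying signatures.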