Despite "no-include-revoked" revoked still included
David Shaw
dshaw@jabberwocky.com
Tue Dec 10 18:52:02 2002
On Tue, Dec 10, 2002 at 03:38:54PM -0000, Dick Gevers wrote:
> DS>no-include-revoked and no-include-disabled only apply to
> DS>--search-keys. This is for various security reasons, most
> DS>notably if you are doing automated key fetches (say, to verify
> DS>the validity of a possibly revoked key), you want the key even
> DS>if it is disabled or revoked.
>
> Thanks very much for your answer. In all honesty, this hadn't been
> completely clear to me from gpg.man which states:
Yes, you are right - that is confusing. I'll fix the manual.
> Maybe such or similar keyserver options could be allowed
> interactively only, to enable the user to decide when an item on
> pubring is revoked by the key-owner or expired earlier than shown
> on pubring that the user is offered the default option to update
> the pubring, but if such data are not (anymore) on the pubring that
> they are no longer imported?
This involves keeping the actual data around and just hiding it from
the user which GnuPG already does (in some places anyway). That's why
a revoked user ID doesn't show up in --list-keys. The same idea could
be used to hide revoked subkeys, etc.
David
--
David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson