Deleting signatures question.

Jason Harris
Fri Aug 15 00:25:02 2003


On Thu, Aug 14, 2003 at 02:34:38PM +0100, Stewart V. Wright wrote:

> Points:
>  * I know that the next time I refresh my pubring I will get all the
>    unwanted signatures back, but if the process is automatic I can
>    just re-run the cleaning.
>  * This issue does not really have any relevance apart from the space
>    that I will save by not having the unnecessary signatures on my
>    "quota"ed account.

I have made my ~/.gnupg/pubring.gpg read-only and added a temporary
keyring via "keyring <...>.gpg" in my options file.  Keys I have signed
or have a long-term interest in remain in pubring.gpg, all others go into
the temporary keyring (or other keyrings).

The temporary keyrings can be cleared at will, while pubring.gpg can keep
bare-bones copies of important keys, perhaps with local signatures (to
detect tampering) for long-term use.  Such local signatures should be
made with a (private) key _not_ kept on a shared/school machine, but one
that can be specified as a trusted key by (long) keyid.  This way,
depending on your threat model, you can audit the keyring on the shared
machine pretty easily by verifying your signing key's fingerprint and your
local signatures on the keys.

To trust more keys than you want to store, keep a (secure, signed)
textfile of fingerprints of keys you have decided to trust along with
some identifying information and ask GPG to fetch the keys as you need
them.  (For v4 keys, the fingerprint is truncated to produce the long
and short keyids, so you don't need to list the keyids separately.)
Verify the fingerprints before using the keys, and delete the keys when
you're done.

Keep a copy of your signing key's fingerprint in your wallet to bootstrap
the trust checks when using a shared machine (and for impromptu keysignings

Jason Harris          | NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it? | web:

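The audit Jason describes, as an added example that is not part of the original message: it derives long and short keyids from a v4 fingerprint, reads a trusted-fingerprint text file (assumed format: one fingerprint followed by free-text comment per line, optionally clearsigned), and compares it with the primary-key fingerprints in `gpg --with-colons --fingerprint` output. The fingerprints and gpg records below are constructed placeholders.

```python
# Added example, not the post's code: audit a shared machine's keyring against a
# text file of trusted fingerprints (verify the file with `gpg --verify` first;
# records come from `gpg --with-colons --fingerprint`).  Inputs are constructed.
import re
def keyids_from_fingerprint(fpr):
    """v4 fingerprint -> (long keyid, short keyid): its last 16 / 8 hex digits."""
    fpr = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("not a v4 fingerprint: %r" % fpr)
    return fpr[-16:], fpr[-8:]

def parse_trusted_list(text):
    """'FINGERPRINT  comment' lines -> {fpr: comment}.  Clearsign armor lines
    don't match the pattern; verify the file's signature with gpg before use."""
    line_re, trusted = re.compile(r"((?:[0-9A-Fa-f]{4}\s*){10})(.*)"), {}
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE"):
            break                      # armored signature block follows
        m = line_re.match(line.strip())
        if m:
            trusted[re.sub(r"\s+", "", m.group(1)).upper()] = m.group(2).strip()
    return trusted

def parse_keyring_fingerprints(colon_output):
    """Primary-key fprs only: the 'fpr' record that directly follows a 'pub'."""
    fprs, after_pub = set(), False
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "fpr" and after_pub:
            fprs.add(f[9])             # fingerprint is field 10 of an fpr record
        after_pub = f[0] == "pub"      # a sub or fpr line resets this
    return fprs

def audit(trusted, on_keyring):
    """Keys to keep, keys to delete from the shared box, trusted keys to fetch."""
    t = set(trusted)
    return {"ok": sorted(on_keyring & t), "untrusted": sorted(on_keyring - t),
            "missing": sorted(t - on_keyring)}

# Constructed placeholder fingerprints and gpg output (not real keys).
FPR_A, FPR_B = "1111" * 4 + "2222" * 4 + "33334444", "5555" * 4 + "6666" * 4 + "77778888"
FPR_C, FPR_D = "9999" * 4 + "AAAA" * 4 + "BBBBCCCC", "DDDD" * 4 + "EEEE" * 4 + "FFFF0000"
spaced = lambda s: " ".join(s[i:i + 4] for i in range(0, 40, 4))
TRUSTED_TXT = "\n".join(["-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA1", "",
    spaced(FPR_A) + "  Alice <alice@example.org>", spaced(FPR_B) + "  Bob (work)",
    spaced(FPR_D) + "  Carol (fetch on demand)", "-----BEGIN PGP SIGNATURE-----", "..."])
pub = lambda fpr, uid: "pub:-:1024:17:%s:2003-01-01:::-:%s::scESC:\nfpr:::::::::%s:" % (fpr[-16:], uid, fpr)
KEYRING_TXT = "\n".join([pub(FPR_A, "Alice"), "sub:-:2048:16:ABCDABCDABCDABCD:2003-01-01::::::e:",
    "fpr:::::::::%s:" % ("ABCD" * 10), pub(FPR_B, "Bob"), pub(FPR_C, "Stray key")])
REPORT = audit(parse_trusted_list(TRUSTED_TXT), parse_keyring_fingerprints(KEYRING_TXT))
```

`REPORT["untrusted"]` lists keys that can be dropped from the shared machine's keyring, and `REPORT["missing"]` the trusted keys that would be fetched on demand.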