list signatures on server

Neil Williams
Thu Aug 21 01:09:02 2003

On Wednesday 20 Aug 2003 11:19 pm, k b wrote:
> when importing from server
> --recv-keys should work as today, plus
> it should do by default or ask to at the same time
> import keys that signed this key.

That could suddenly add several hundred (unnecessary) keys to your keyring if
you say yes to a key like Werner Koch's. Plus, it is recursive - key1 is
imported, you say yes, key 2 is imported and that has been signed by key3 and
key4. Most keys that have been signed, have been signed by >1 other person.
The number of keys to import rises exponentially.

You might as well say: cp -r keyserver .

There would have to be a limit - but how to define it? Only descend one level?
Only import a maximum of 100 keys? More useful is to follow the trust - use
wotsap to work up to a strong/well known key like Werner Koch, Richard
Stillman etc.
(Typical, just when I recommend it, the site becomes slow and unresponsive.)

> a new option
> --recv-sig-keys-for-key keyID
> that could be used for keys that one already has.

Use a site like wotsap to decide WHICH of these keys you want to import. Use
the web of trust to predict which keys would be useful to import.

> a neat feature would then be a slight change of the
> --list-keys option (or a new option called something
> like --list-first-line-keys).
> my suggestion is that --list-keys should only display
> keys that were imported in the first line, keys
> imported only to check signature (second line) should
> not show up unless i choose to import them to the
> first line.

This is already implemented as ultimate trust, full trust, marginal trust and
unknown trust. Far more useful than an arbitrary concept of
first-come-first-printed. Trust > sequence. With a little Perl, you can get
whatever listing you'd like, based on these four levels.

> for example, in my key ring i have 2 keys, signed by
> myself and a friend. now i import a key that has 100
> signatures, i import it with all of the 100
> signatures. however the 100 signatures are not
> especially interesting when using gpg on a daily
> basis.

What do you gain by having those 100 keys? It's unlikely that you'll find much
of a path to a strong set key within a flat-level import - you'd need to
follow the trust upwards, not just horizontally.

Import selected keys and you will be able to see marginal trust in people you
may never have thought possible. Instead of a keyring of several hundred
(mostly untrustable) keys, you could have a strongly linked keyring of a few
dozen. After all, what is the point of having keys in your keyring belonging
to people who never correspond with you?

> instead what's interesting is to display the 3 keys, and
> then if i request display all.

Try KGPG - you can order the list by Trust level, ultimate at the top and
unknown at the bottom.


Neil Williams
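
The trust-ordered listing described in the reply above, as an added example that is not part of the original message (written in Python rather than the Perl it mentions): it groups the public keys in `gpg --list-keys --with-colons` output by the validity letter in field 2, ultimate first. The sample listing is constructed, and folding every value other than u, f and m into "unknown" is an assumption made here.

```python
import re

# Field 2 of a colon-format record is the computed validity of the key.
# Assumption: anything other than u/f/m (-, q, o, n, e, r, d, i) is "unknown".
LABEL = {"u": "ultimate", "f": "full", "m": "marginal"}
ORDER = ["ultimate", "full", "marginal", "unknown"]

# Constructed sample of `gpg --list-keys --with-colons` output (made-up keys).
SAMPLE = r"""tru::1:1061420942:0:3:1:5
pub:u:1024:17:AAAAAAAA00000001:2003-01-10:::u:Alice Example <alice@example.org>::scESC:
sub:u:1024:16:AAAAAAAA00000002:2003-01-10::::::e:
pub:-:1024:17:BBBBBBBB00000001:2002-05-02:::-:Bob Example <bob@example.org>::scESC:
pub:f:1024:17:CCCCCCCC00000001:2001-11-30:::m:Carol Example <carol@example.org>::scESC:
pub:m:2048:1:DDDDDDDD00000001:2003-06-01:::-:::scESC:
uid:m::::2003-06-01::0123456789ABCDEF0123456789ABCDEF01234567::Dave Example <dave@example.org>:
pub:q:1024:17:EEEEEEEE00000001:2003-07-15:::-:Erin Example (work\x3a ops) <erin@example.org>::scESC:
"""

def unescape(field):
    """Undo the \\xNN escaping gpg applies to ':' and control bytes in user IDs."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), field)

def group_by_validity(listing):
    """Return {level: [(keyid, uid), ...]} with levels in ORDER, strongest first."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 10:
            continue  # tru, short or blank lines carry no key data we need
        if f[0] == "pub":
            # Older gpg puts the primary user ID on the pub record itself.
            keys.append({"level": LABEL.get(f[1], "unknown"),
                         "keyid": f[4], "uid": unescape(f[9])})
        elif f[0] == "uid" and keys and not keys[-1]["uid"]:
            # Newer gpg leaves it empty and emits separate uid records.
            keys[-1]["uid"] = unescape(f[9])
    groups = {name: [] for name in ORDER}
    for k in keys:
        groups[k["level"]].append((k["keyid"], k["uid"]))
    return groups

if __name__ == "__main__":
    for level, entries in group_by_validity(SAMPLE).items():
        print("[%s]" % level)
        for keyid, uid in entries:
            print("  %s  %s" % (keyid, uid))
```
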
