Retaining expired sigs

Jason Harris jharris at widomaker.com
Fri Mar 18 05:18:26 CET 2005


On Thu, Mar 17, 2005 at 05:31:41PM -0500, David Shaw wrote:
> On Thu, Mar 17, 2005 at 05:10:31PM -0500, Jason Harris wrote:

> > It was my impression that expired sigs would be retained by default.
> > Removing expired sigs is tantamount to removing expired/revoked
> > userids and subkeys, IMO, and should not be done by default.
> 
> I don't agree.  An expired signature is not relevant - it is just
> meaningless bytes at this point.  Note also that expired user IDs and

GPG currently has no use for expired sigs in its trust calculations, 
but sigcheck (as part of keyanalyze) does.  They are used if you want
to recalculate the WoT at a given point in the past (or future) based
on a given keydump/keyring.  Also, while the GD itself doesn't retain
its past sigs, elsewhere one can see that 0xB56165AA was signed by
0xCA57AD7C starting on 2004-12-29 while 0x99242560 was signed by it
starting 2004-12-08.  Even if you consider such data points useless,
particularly where the GD is concerned, rest assured that not everyone
else does, particularly where human signers are concerned.

-- 
Jason Harris           |  NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
jharris at widomaker.com _|_ web:  http://keyserver.kjsl.com/~jharris/
          Got photons?   (TM), (C) 2004
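
The point-in-time recalculation described in the message above, as an added example that is not part of the original post and is not sigcheck, keyanalyze or GnuPG code. It assumes a constructed five-signature keyring with made-up key names and dates, and uses plain graph reachability as a stand-in for a real trust calculation.

```python
from datetime import date

# Constructed sample keyring: (signer, signee, created, expires or None).
# Key names and dates are made up for illustration.
SIGS = [
    ("ALICE", "BOB",   date(2003, 1, 10), date(2004, 1, 10)),
    ("BOB",   "CAROL", date(2003, 6, 1),  None),
    ("ALICE", "DAVE",  date(2004, 3, 1),  date(2005, 3, 1)),
    ("DAVE",  "CAROL", date(2004, 9, 1),  None),
    ("CAROL", "ERIN",  date(2004, 12, 8), date(2005, 12, 8)),
]

def active(sig, when):
    """A signature counts at `when` if it was already made and has not expired."""
    _, _, created, expires = sig
    return created <= when and (expires is None or when < expires)

def strip_expired(sigs, now):
    """Model a keyring cleaned at `now`: sigs expired by then are gone for good."""
    return [s for s in sigs if s[3] is None or now < s[3]]

def reachable(sigs, root, when):
    """Keys reachable from `root` over the signatures active at `when`."""
    edges = {}
    for s in sigs:
        if active(s, when):
            edges.setdefault(s[0], set()).add(s[1])
    seen, stack = {root}, [root]
    while stack:
        for nxt in edges.get(stack.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen - {root}

def compare(root, when, now):
    """Reachable set at `when`: full keyring vs. one stripped of expired sigs at `now`."""
    stripped = strip_expired(SIGS, now)
    return reachable(SIGS, root, when), reachable(stripped, root, when)

if __name__ == "__main__":
    for when in (date(2003, 7, 1), date(2004, 12, 15)):
        print(when, compare("ALICE", when, date(2005, 3, 18)))
```

With the full keyring, ALICE's paths in mid-2003 and late 2004 can both be rebuilt; after stripping at 2005-03-18 both historical views from ALICE come back empty, although the signatures were valid on those dates.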