Retaining expired sigs

David Shaw dshaw at jabberwocky.com
Fri Mar 18 05:35:20 CET 2005


On Thu, Mar 17, 2005 at 11:18:26PM -0500, Jason Harris wrote:
> On Thu, Mar 17, 2005 at 05:31:41PM -0500, David Shaw wrote:
> > On Thu, Mar 17, 2005 at 05:10:31PM -0500, Jason Harris wrote:
> 
> > > It was my impression that expired sigs would be retained by default.
> > > Removing expired sigs is tantamount to removing expired/revoked
> > > userids and subkeys, IMO, and should not be done by default.
> > 
> > I don't agree.  An expired signature is not relevant - it is just
> > meaningless bytes at this point.  Note also that expired user IDs and
> 
> GPG currently has no use for expired sigs in its trust calculations, 
> but sigcheck (as part of keyanalyze) does.  They are used if you want
> to recalculate the WoT at a given point in the past (or future) based
> on a given keydump/keyring.  Also, while the GD itself doesn't retain
> its past sigs, elsewhere one can see that 0xB56165AA was signed by
> 0xCA57AD7C starting on 2004-12-29 while 0x99242560 was signed by it
> starting 2004-12-08.  Even if you consider such data points useless,
> particularly where the GD is concerned, rest assured that not everyone
> else does, particularly where human signers are concerned.

To be honest, I don't think I can possibly express just how much I
don't care that "0xB56165AA was signed by 0xCA57AD7C starting on
2004-12-29 while 0x99242560 was signed by it starting 2004-12-08".
All I care is that both signatures have since expired, and are
therefore irrelevant to me.  To say nothing of the fact that anyone
who thinks that OpenPGP has strong date semantics - and bases their
behavior on that - is fooling themselves in a wonderfully large way.

It is not good design to hamper the majority of users to please the
minority of users who like to calculate key signing statistics.  In
any event, I still fail to see a problem here.  Anyone who wants to
import and export expired signatures is free to do so.

Even though the GD prompted this change, this isn't a GD-specific
issue.  Over time, keys build up cruft - expired user IDs, expired
subkeys, and expired sigs.  These items serve no useful purpose for
the vast majority of users.  If someone insists that they are useful
and wants to include them, well, go right ahead.  Just don't bother
the rest of us with it.

David
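The decision the thread is arguing over, whether a signature is "expired" as of some reference time (now, or a point in the past, as in the keyanalyze use), rests on two signer-asserted fields of the OpenPGP v4 signature packet: the Signature Creation Time and Signature Expiration Time hashed subpackets (RFC 4880). The following is an added example, not GnuPG or keyanalyze code; it parses those fields from a v4 signature packet body and evaluates expiry at a chosen time. The `build_sig` helper and every timestamp it is given are constructed sample data (dummy hash prefix, no MPIs), and the `ts` helper is an assumption of this example.

```python
import struct
from datetime import datetime, timezone

SIG_CREATION, SIG_EXPIRATION = 2, 3      # RFC 4880 5.2.3.4 and 5.2.3.10

def ts(year: int, month: int, day: int) -> int:
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())  # 00:00 UTC

def _iter_subpackets(data: bytes):
    """Yield (type, body) pairs from a subpacket area (RFC 4880 5.2.3.1)."""
    i = 0
    while i < len(data):
        first = data[i]
        if first < 192:                      # one-octet length
            length, i = first, i + 1
        elif first < 255:                    # two-octet length
            length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
        else:                                # five-octet length
            length, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
        subtype = data[i] & 0x7F             # high bit is the "critical" flag
        yield subtype, data[i + 1:i + length]
        i += length

def parse_v4_signature(body: bytes) -> dict:
    """Return creation time and lifetime (seconds, 0 = never) of a v4 signature."""
    if body[0] != 4:
        raise ValueError("only v4 signature packets are handled")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    info = {"sigtype": body[1], "created": None, "lifetime": 0}
    for subtype, sub in _iter_subpackets(body[6:6 + hashed_len]):
        if subtype == SIG_CREATION:
            info["created"] = struct.unpack(">I", sub)[0]
        elif subtype == SIG_EXPIRATION:
            info["lifetime"] = struct.unpack(">I", sub)[0]
    if info["created"] is None:
        raise ValueError("v4 signature lacks the mandatory creation time")
    return info

def is_expired(body: bytes, at: int) -> bool:
    """True if the signature is past its lifetime at Unix time `at`. Both fields
    are asserted by the signer, so this reports only what the signer claimed."""
    info = parse_v4_signature(body)
    return info["lifetime"] != 0 and at >= info["created"] + info["lifetime"]

def build_sig(created: int, lifetime: int) -> bytes:
    """Constructed v4 certification (0x10) signature body, for the example only."""
    hashed = bytes([5, SIG_CREATION]) + struct.pack(">I", created)
    if lifetime:
        hashed += bytes([5, SIG_EXPIRATION]) + struct.pack(">I", lifetime)
    return bytes([4, 0x10, 1, 2]) + struct.pack(">H", len(hashed)) + hashed + b"\x00" * 4
```

Passing a past date as `at` gives the "WoT at a given point in time" view Jason describes; passing the current time gives the view David argues is the only one that matters.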