deleting signatures from uids

David Shaw dshaw at jabberwocky.com
Mon Nov 6 06:20:42 CET 2006


On Thu, Nov 02, 2006 at 02:39:45PM -0600, Alex Mauer wrote:
> Qed wrote:
> > This is not a limitation, it's a feature :-) and this is also the reason
> > why you should not play with PGP on keyservers; the result will often be
> > another abandoned key.
> 
> Is there any reason that the keyserver needs to continue to redistribute
> expired, revoked, or otherwise invalid (e.g. superseded) signatures?
> 
> I can't think of any.
> 
> I can kind of see why you might want to show the full history of a key,
> but does it really need to be distributed out to everyone?
> 
> If this is a security risk, surely the keyserver options
> "import-clean-sigs" and "import-clean-uids" are also, are they not?

No.  GnuPG has the ability to verify signatures, and so can correctly
do this.  It's not as simple as just dropping all expired signatures.
You must distribute some signatures, even though they aren't usable
(for example, the last in a series of expired signatures).

Keyservers don't have any crypto support, so can't verify signatures,
and so can't do any sort of signature cleaning safely.

David
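The distinction David draws above, as an added example that is not part of the thread and not GnuPG's code: a small model of signature cleaning on one uid. Key IDs, timestamps and the `genuine` flag are constructed sample data; `verify_with_crypto` stands in for real OpenPGP signature verification, which only a client with crypto (such as GnuPG's import-clean) has. The model shows why the newest signature per issuer is kept even when it has expired, and why a keyserver that applied the same "keep the newest" rule without verifying would let a forged signature displace a genuine one.

```python
"""Model of uid signature cleaning with and without signature verification.

Illustrative only; not GnuPG code. All key IDs and times are made up.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Sig:
    issuer: str             # short key ID of the signer (constructed, not real)
    created: int            # signature creation time, epoch seconds (constructed)
    expires: Optional[int]  # expiration time, or None for no expiry
    genuine: bool           # whether the signature verifies under the issuer's key;
                            # a verifier can learn this, a keyserver cannot


def is_expired(sig: Sig, now: int) -> bool:
    return sig.expires is not None and sig.expires <= now


def newest_per_issuer(sigs: List[Sig]) -> List[Sig]:
    """For each issuer keep only the most recently created signature.

    The kept signature may itself be expired: the last in a series of
    expired signatures is still distributed, so that recipients can see
    the certification lapsed rather than concluding it never existed.
    """
    best: Dict[str, Sig] = {}
    for s in sigs:
        cur = best.get(s.issuer)
        if cur is None or s.created > cur.created:
            best[s.issuer] = s
    return sorted(best.values(), key=lambda s: (s.issuer, s.created))


def verify_with_crypto(sig: Sig) -> bool:
    """Stand-in for real OpenPGP verification (assumption: the flag is the
    outcome a crypto-capable client would compute)."""
    return sig.genuine


def verifier_clean(sigs: List[Sig], verify: Callable[[Sig], bool]) -> List[Sig]:
    """What a client with crypto can do: drop signatures that fail to
    verify, then drop the ones superseded by a newer one from the same issuer."""
    return newest_per_issuer([s for s in sigs if verify(s)])


def keyserver_clean(sigs: List[Sig]) -> List[Sig]:
    """What a keyserver with no crypto can do safely: nothing. Returning
    everything is the only option that cannot lose a genuine signature to
    a forgery it is unable to detect."""
    return list(sigs)


def naive_keyserver_clean(sigs: List[Sig]) -> List[Sig]:
    """Supersession applied blindly, without verification: the hazard."""
    return newest_per_issuer(sigs)


YEAR = 365 * 86400
NOW = 1_162_800_000  # roughly November 2006 (constructed)

# Constructed sample: one uid carrying four certification signatures.
SAMPLE = [
    Sig("CAFEBABE", NOW - 3 * YEAR, NOW - 2 * YEAR, genuine=True),  # old, expired
    Sig("CAFEBABE", NOW - 2 * YEAR, NOW - 1 * YEAR, genuine=True),  # re-signed, expired again
    Sig("DEADBEEF", NOW - 100 * 86400, None, genuine=True),         # current, genuine
    Sig("DEADBEEF", NOW - 10 * 86400, None, genuine=False),         # forged, claims to be newer
]


def summary(sigs: List[Sig], now: int = NOW) -> List[str]:
    """Human-readable view of a signature list, used by the demo below."""
    return [
        f"{s.issuer} created={s.created} "
        f"{'expired' if is_expired(s, now) else 'live'} "
        f"{'genuine' if s.genuine else 'FORGED'}"
        for s in sigs
    ]


if __name__ == "__main__":
    print("verifier (import-clean style):")
    for line in summary(verifier_clean(SAMPLE, verify_with_crypto)):
        print("  ", line)
    print("keyserver, safe (keeps everything):")
    for line in summary(keyserver_clean(SAMPLE)):
        print("  ", line)
    print("keyserver, naive supersession (genuine DEADBEEF sig lost):")
    for line in summary(naive_keyserver_clean(SAMPLE)):
        print("  ", line)
```

The verifier keeps two signatures: CAFEBABE's most recent one, expired but retained so the lapse is visible, and DEADBEEF's genuine one, because the forgery was thrown out before supersession was applied. The naive keyserver keeps CAFEBABE's newest as well, but replaces the genuine DEADBEEF signature with the forged one that merely claims a later creation time; with no way to verify, the only safe keyserver behaviour is to keep all four.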


