default keyserver-options [was: Re: keys not available for signed messages in this maillist]
David Shaw
dshaw at jabberwocky.com
Sat Apr 9 16:48:44 CEST 2011
On Apr 8, 2011, at 6:48 PM, Daniel Kahn Gillmor wrote:
> On 04/08/2011 02:19 PM, John Clizbe wrote:
>> There are additional options for the keyserver-options line. I recommend adding
>> ' include-subkeys include-revoked import-clean'. See the gpg man page.
>
> Thanks for these pointers, John. If you think these are good options,
> maybe we should advocate for changing the defaults to include them?
>
> I support setting include-subkeys and include-revoked to on by default.
> The only reason these aren't more seriously problematic right now is
> that SKS (the dominant HKP implementation today) automatically searches
> subkeys and includes revoked keys. That is, these options have no
> effect when querying SKS keyservers.
>
> As a keyserver client, I think gpg should make it clear that it wants
> these options by default, in case any keyservers attempt to honor them.
I agree that include-subkeys should be on by default. That only makes sense, especially now that subkeys are frequently used for signing.
I'm not so sure about include-revoked, though. For that one, context matters. If the user is doing a --refresh-keys, then yes, revoked keys are necessary. If the user is searching by name for a key they don't currently have, then including revoked keys is noisy and potentially confusing (remember that anyone can fake a revocation for anyone else's key on a keyserver).
David