default keyserver-options [was: Re: keys not available for signed messages in this maillist]

David Shaw dshaw at
Sat Apr 9 16:48:44 CEST 2011

On Apr 8, 2011, at 6:48 PM, Daniel Kahn Gillmor wrote:

> On 04/08/2011 02:19 PM, John Clizbe wrote:
>> There are additional options for the keyserver-options line. I recommend adding
>> ' include-subkeys include-revoked import-clean'. See the gpg man page.
> Thanks for these pointers, John.  If you think these are good options,
> maybe we should advocate for changing the defaults to include them?
> I support setting include-subkeys and include-revoked to on by default.
> The only reason these aren't more seriously problematic right now is
> that SKS (the dominant HKP implementation today) automatically searches
> subkeys and includes revoked keys.  That is, these options have no
> effect when querying SKS keyservers.
> As a keyserver client, i think gpg should make it clear that it wants
> these options by default, in case any keyservers attempt to honor them.

I agree that include-subkeys should be on by default.  That only makes sense, especially now that subkeys are frequently used for signing.

I'm not so sure about include-revoked, though.  For that one, context matters.  If the user is doing a --refresh-keys, then yes, revoked keys are necessary.  If the user is searching by name for a key they don't currently have, then including revoked keys is noisy and potentially confusing (remember that anyone can fake a revocation for any one else's key on a keyserver).


More information about the Gnupg-users mailing list