Seeking clarification with a few GPG concepts

pzeudo at hushmail.com
Wed Aug 13 14:54:40 CEST 2014


Hi, and thanks again for your answer.

I have the feeling I may have formulated my question badly.
I do know that data that has been out in the open cannot be made forgotten. What I wanted to ask was this, basically:
Assume I generate a completely new gpg key and play around with it. Say I add some UIDs and some subordinate keys, and then remove a subset of those. Only after having done all this, I upload this key's public info, for the first time, to a keyserver and tell you about it. Could you now, from this one snapshot, tell which UIDs and subkeys I added and then deleted again?
I tried playing with list-packets and pgpdump, and to me it looks like no such information is available, but then again, I'm not familiar with the inner workings of gpg.

Thanks!

On 8/13/2014 at 2:30 PM, "Peter Lebbing" <peter at digitalbrains.com> wrote:
>
>On 13/08/14 13:30, pzeudo at hushmail.com wrote:
>> How much history is saved in a gpg key?
>
>Pretty much everything. You can edit what you give others to your
>heart's content, but old data will still linger in a lot of places and
>can recombine with your new data. Keyservers in particular never throw
>any data out (I think), but only add new data to the existing data.
>
>Similarly, unless explicitly instructed, GnuPG will keep old signatures
>and uid's and stuff around.
>
>> Can other people see the full history of what I did in the meantime
>
>They usually can, especially if the key is on the keyserver network.
>
>> what would I have to do to see what's saved?
>
>The most information is given by a command like:
>$ gpg2 --export KEYID | gpg2 --list-packets
>
>There might be switches to be even more verbose, but this already shows
>all old signatures and stuff.
>
>You might want to import your own key from the keyserver to see anything
>you have deleted locally.
>
>But in general, assume that anything you send out will be uploaded by
>someone to the keyserver, and stay there indefinitely.
>
>HTH,
>
>Peter.
>
>-- 
>I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
>You can send me encrypted mail if you want some privacy.
>My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>



