list signatures on server

Neil Williams linux@codehelp.co.uk
Thu Aug 21 01:09:02 2003


On Wednesday 20 Aug 2003 11:19 pm, k b wrote:
> when importing from server
> --recv-keys should work as today, plus
> it should do by default or ask to at the same time
> import keys that signed this key.

That could suddenly add several hundred (unnecessary) keys to your keyring if
you say yes to a key like Werner Koch's. Plus, it is recursive - key1 is
imported, you say yes, key 2 is imported and that has been signed by key3 and
key4. Most keys that have been signed, have been signed by >1 other person.
The number of keys to import rises exponentially.

You might as well say: cp -r keyserver .

There would have to be a limit - but how to define it? Only descend one level?
Only import a maximum of 100 keys? More useful is to follow the trust - use
wotsap to work up to a strong/well known key like Werner Koch, Richard
Stillman etc.
http://www.lysator.liu.se/~jc/wotsap/
(Typical, just when I recommend it, the site becomes slow and unresponsive.)
:-(

> a new option
> --recv-sig-keys-for-key keyID
> that could be used for keys that one already has.

Use a site like wotsap to decide WHICH of these keys you want to import. Use
the web of trust to predict which keys would be useful to import.

> a neat feature would then be a slight change of the
> --list-keys option (or a new option called something
> like --list-first-line-keys).
> my suggestion is that --list-keys should only display
> keys that were imported in the first line, keys
> imported only to check signature (second line) should
> not show up unless i choose to import them to the
> first line.

This is already implemented as ultimate trust, full trust, marginal trust and
unknown trust. Far more useful than an arbitrary concept of
first-come-first-printed. Trust > sequence. With a little Perl, you can get
whatever listing you'd like, based on these four levels.

> for example, in my key ring i have 2 keys, signed by
> myself and a friend. now i import a key that has 100
> signatures, i import it with all of the 100
> signatures. however the 100 signatures are not
> especially interesting when using gpg on a daily
> basis.

What do you gain by having those 100 keys? It's unlikely that you'll find much
of a path to a strong set key within a flat-level import - you'd need to
follow the trust upwards, not just horizontally.

Import selected keys and you will be able to see marginal trust in people you
may never have thought possible. Instead of a keyring of several hundred
(mostly untrustable) keys, you could have a strongly linked keyring of a few
dozen. After all, what is the point of having keys in your keyring belonging
to people who never correspond with you?

> instead what's interesting is to display the 3 keys, and
> then if i request display all.

Try KGPG - you can order the list by Trust level, ultimate at the top and
unknown at the bottom.



-- 

Neil Williams
=============
http://www.codehelp.co.uk
http://www.dclug.org.uk

http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
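
The trust-ordered listing described in the message above (ultimate, full, marginal, unknown), sketched in Python rather than Perl as an added example that is not part of the original post. It assumes the colon-delimited records printed by `gpg --list-keys --with-colons`; the sample listing, its key IDs and addresses, and the extra "unusable" bucket for revoked, expired, disabled or invalid keys are constructed for illustration.

```python
import re

# Field 2 of a --with-colons "pub" record is the key's calculated validity.
LEVELS = {"u": "ultimate", "f": "full", "m": "marginal",
          "-": "unknown", "q": "unknown", "o": "unknown", "": "unknown"}
ORDER = ["ultimate", "full", "marginal", "unknown", "unusable"]

# Constructed sample listing (key IDs, names and addresses are made up).
SAMPLE = "\n".join([
    "tru::1:1061424542:0:3:1:5",
    "pub:-:1024:17:AAAAAAAAAAAAAAA4:2003-03-01:::-:Stranger <s@example.org>::scESC:",
    "pub:u:1024:17:AAAAAAAAAAAAAAA1:2003-01-01:::u:Me Myself <me@example.org>::scESC:",
    "sub:u:1024:16:BBBBBBBBBBBBBBB1:2003-01-01::::::e:",
    "pub:r:1024:17:AAAAAAAAAAAAAAA5:2001-01-01:::-:Old Key <old@example.org>::sc:",
    "pub:m:1024:17:AAAAAAAAAAAAAAA3:1061337600:::-:::scESC:",
    r"uid:m::::1061337600::0000::Key\x3a Signer <ks@example.org>:",
    "pub:f:1024:17:AAAAAAAAAAAAAAA2:2003-02-01:::m:Friend <f@example.org>::scESC:",
])

def unescape(uid):
    # User IDs escape ':' and control bytes as \xNN in colon listings.
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), uid)

def keys_by_trust(listing):
    """Return {level: [(keyid, uid), ...]}, most trusted level first."""
    keys, current = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) >= 10:
            # Letters not in LEVELS (r, e, d, i, n) mean the key cannot be used.
            current = {"level": LEVELS.get(f[1], "unusable"),
                       "keyid": f[4], "uid": unescape(f[9])}
            keys.append(current)
        elif f[0] == "uid" and current and not current["uid"] and len(f) >= 10:
            # Newer GnuPG versions carry the primary user ID on a uid record.
            current["uid"] = unescape(f[9])
    grouped = {level: [] for level in ORDER}
    for k in keys:
        grouped[k["level"]].append((k["keyid"], k["uid"]))
    return grouped

if __name__ == "__main__":
    for level, entries in keys_by_trust(SAMPLE).items():
        for keyid, uid in entries:
            print(f"{level:9} {keyid} {uid}")
```

To run it against a real keyring, pass the captured output of `gpg --list-keys --with-colons` to `keys_by_trust` in place of `SAMPLE`.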
