On 02/09/2011 03:27 PM, Grant Olson wrote:
> The man page does say that this is intentionally not done for
> performance reasons:
>
>   --check-sigs
>       Same as --list-sigs, but the signatures are verified. Note that
>       for performance reasons the revocation status of a signing key
>       is not shown. This command has the same effect as using
>       --list-keys with --with-sig-check.
ah, thanks for helping me RTFM :) sorry i missed that. is the same
thing true about key expiry?
> But shouldn't a user let the trust calculations do their magic and break
> the WoT to Bob's key once Alice's key has been revoked? Before the key
> was valid because Alice had full trust, now it's unvalidated because
> Alice's key is revoked.
yes, it would be good if people did that.
> It seems like this attack only works if you ignore the WoT and
> explicitly start signing keys X-degrees-of-separation away without
> proper verification. (Not that I'm saying I can't conceive of real
> people doing this.)
yeah, i think the problem is that people don't think about these
different ways that manual checking can fail. By not reporting key
expirations, --check-sigs puts the extra burden on the user -- this
might be a performance hit, but it's way more of a performance hit if
the user then has to go and manually look up each key, no?
--dkg
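The gap the thread discusses is that `--check-sigs` reports a signature as good (`!`) without saying whether the signing key itself has since been revoked or expired. The check below is an added example, not code from the thread or from GnuPG: it joins the machine-readable `--with-colons` output of `--list-keys` (whose `pub` records carry the key's validity letter, `r` for revoked and `e` for expired) with that of `--check-sigs`, and flags every good signature whose signer is in one of those states. The key IDs, names and record lines are constructed sample data in the same field layout GnuPG uses, so the script runs without a keyring; the comment at the bottom shows how to feed it real output.

```shell
#!/bin/sh
# Constructed sample of `gpg --with-colons --list-keys` output (not real keys).
# Field 2 of a pub record is the validity: r = revoked, e = expired, u = ultimate.
SAMPLE_KEYS='pub:r:2048:1:AAAAAAAAAAAAAAAA:1262304000:::-:::sc::::::23::0:
uid:r::::1262304000::HASH1::Alice <alice@example.org>::::::::::0:
pub:e:2048:1:CCCCCCCCCCCCCCCC:1262304000:1293840000::-:::sc::::::23::0:
uid:e::::1262304000::HASH2::Carol <carol@example.org>::::::::::0:
pub:u:2048:1:DDDDDDDDDDDDDDDD:1262304000:::u:::sc::::::23::0:
uid:u::::1262304000::HASH3::Dave <dave@example.org>::::::::::0:'

# Constructed sample of `gpg --with-colons --check-sigs` output for Bob's key.
# Every sig record is marked "!" (verified) even where the signer is revoked
# or expired, which is exactly the behaviour the man page excerpt describes.
SAMPLE_SIGS='pub:f:2048:1:BBBBBBBBBBBBBBBB:1262304000:::f:::sc::::::23::0:
uid:f::::1262304000::HASH4::Bob <bob@example.org>::::::::::0:
sig:!::1:BBBBBBBBBBBBBBBB:1262304000::::Bob <bob@example.org>:13x::::8:
sig:!::1:AAAAAAAAAAAAAAAA:1262390400::::Alice <alice@example.org>:10x::::8:
sig:!::1:CCCCCCCCCCCCCCCC:1262390400::::Carol <carol@example.org>:10x::::8:
sig:!::1:DDDDDDDDDDDDDDDD:1262390400::::Dave <dave@example.org>:10x::::8:'

# flag_stale_signers KEYS SIGS
# KEYS: colon-format key listing; SIGS: colon-format signature check output.
# Prints "<keyid> <validity>" for each good ("!") signature whose signing key
# is listed as revoked ("r") or expired ("e"). Keys are streamed first so the
# awk status map is complete before any sig record is examined.
flag_stale_signers() {
    printf '%s\n%s\n' "$1" "$2" | awk -F: '
        $1 == "pub" { status[$5] = $2 }
        $1 == "sig" && $2 == "!" && (status[$5] == "r" || status[$5] == "e") {
            print $5, status[$5]
        }'
}

# Stand-alone run on the constructed data: reports Alice (r) and Carol (e),
# but not Bob or Dave.
flag_stale_signers "$SAMPLE_KEYS" "$SAMPLE_SIGS"

# Against a real keyring you would instead call, for some KEYID of interest:
#   flag_stale_signers "$(gpg --with-colons --list-keys)" \
#                      "$(gpg --with-colons --check-sigs KEYID)"
```

The validity letter in `--list-keys` already folds in expiry, so the same join answers the follow-up question about expired signing keys without a separate date comparison; a signer key that is simply absent from the keyring shows up in `--check-sigs` as `?` rather than `!` and is therefore not reported here.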
