Re: Using the "clean" function (and the "PGP Global Directory")

2010-06-23 Thread Doug Barton
On 06/22/10 20:44, Dan Mahoney, System Admin wrote:
> On Tue, 22 Jun 2010, David Shaw wrote:
> 
>> On Jun 22, 2010, at 11:02 PM, Dan Mahoney, System Admin wrote:
>>
>>> It seems there's two interesting problems which inter-relate.
>>>
>>> The first is PGP corporation's "global directory", which seems to
>>> operate orthogonally from every other keyserver I've seen.  It's
>>> HTTP-only, not queryable by any of the open-source clients (in fact,
>>> it doesn't support wildcard searches at all, and returns a captcha
>>> before delivering results), and not SUBMITTABLE to from any of the
>>> open source clients.
>>
>> Not exactly.  The GD speaks LDAP, so you can set your keyserver to
>> ldap://keyserver.pgp.com and you can query and submit, etc.
> 
> Interesting, I didn't see mention of that.  I must try this (assuming
> I've built with LDAP support, that is, which under BSD is a bit obtuse).

Assuming you're talking about FreeBSD, 'ls
/usr/local/libexec/gpg2keys_ldap' should tell you. :)  There is an
option at compile time to include it, but it's off by default so if
you're using the package you'll have to build it yourself.

IME the pgp.com keyserver is queryable by ldap, but it doesn't seem to
do anything with updates to my key via --send-keys. I haven't done an
exhaustive test though, so this could be wrong.

>>> It's also the ONLY keyserver I've seen that supports photo IDs, and
>>> actually uses the web interface to show you the person.
>>
>> The SKS servers (i.e. pretty much everything that isn't the GD) do
>> support photo IDs, but they do not use the web interface to show you
>> the photo.

http://biglumber.com/ displays photos as well. I think it would be nice
if the SKS keyservers added this feature since it would definitely make
figuring out if the key(s) I found in a search are for the person I'm
looking for easier, but I don't care enough about it to dig into the
code, too many other things to do. :)

>> Are you sure about that?  "clean" strips off useless signatures
>> (useless being defined as an invalid signature, a superseded
>> signature, a revoked signature, and a signature from a key that isn't
>> present on the keyring).  Signatures from keys that are present, but
>> have no trust value are not stripped off.

It's actually kind of interesting timing that Dan brought this up since
this aspect of the clean function has been bugging me as well. I like
the fact that 'clean' strips off all but the latest of duplicate sigs,
and in particular with the pgp.com keyserver I like that it does this,
but leaves the latest one even if it's expired. What I don't like is
that the generic 'clean' (and by this I mean import-clean and
export-clean in import/export/keyserver options) also strips off
signatures for keys that are not already present in the keyring. IMNSHO
it would be better if the default clean did everything it does now
_except_ stripping sigs for absent keys, and that the latter was a new,
additional layer. If that's not possible for backwards compatibility
reasons then a new feature to do the "clean everything as it does now
except stripping signatures for absent keys" would be ok too.

The reason I'd like to see signatures for absent keys by default is that
it gives me an idea of how well signed the key is. I've learned to use
3rd party tools like http://pgp.cs.uu.nl/ for this, but I can't always
rely on 3rd party stuff to be completely up to date.

In regards to Dan's other question (automatically fetch keys for
checking signatures) one easy way to implement this would be for
--check-sigs (and in fact, other gnupg commands generally) to honor
--keyserver-options auto-key-retrieve.


FWIW,

Doug

-- 

... and that's just a little bit of history repeating.
-- Propellerheads

Improve the effectiveness of your Internet presence with
a domain name makeover! http://SupersetSolutions.com/


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Using the "clean" function (and the "PGP Global Directory")

2010-06-22 Thread David Shaw
On Jun 23, 2010, at 12:03 AM, Dan Mahoney, System Admin wrote:

>>> Are you sure about that?  "clean" strips off useless signatures (useless 
>>> being defined as an invalid signature, a superseded signature, a revoked 
>>> signature, and a signature from a key that isn't present on the keyring). 
>>> Signatures from keys that are present, but have no trust value are not 
>>> stripped off.
>> 
>> Let me double check.  I saw it earlier today when transferring my work sig 
>> to my personal one.  But it might just have been that my coworkers did not 
>> have sigs present.  It's entirely possible I mangled the windows.
> 
> Yup, that's what happened.  I had imported my work key to my personal 
> machine, but didn't have the keys of all my coworkers on my personal box, so 
> "clean" decided to be helpful.
> 
> I pulled it off the keyserver again, and then pulled down the keys of all my 
> coworkers, and was good.

Ah, good.  I'm glad.

> On a related subject, is there a way to say "pull down the keys of all keyids 
> who have signed key X"?

Not directly, but you can do something like this:

   gpg --recv-keys `gpg --with-colons --fixed-list-mode --list-sigs $THE_KEY | egrep '^sig:' | cut -f5 -d: | sort -u`

David




Re: Using the "clean" function (and the "PGP Global Directory")

2010-06-22 Thread Dan Mahoney, System Admin

On Tue, 22 Jun 2010, Dan Mahoney, System Admin wrote:

> On Tue, 22 Jun 2010, David Shaw wrote:
>
>> On Jun 22, 2010, at 11:02 PM, Dan Mahoney, System Admin wrote:
>>
>>> It seems there's two interesting problems which inter-relate.
>>>
>>> The first is PGP corporation's "global directory", which seems to operate
>>> orthogonally from every other keyserver I've seen.  It's HTTP-only, not
>>> queryable by any of the open-source clients (in fact, it doesn't support
>>> wildcard searches at all, and returns a captcha before delivering
>>> results), and not SUBMITTABLE to from any of the open source clients.
>>
>> Not exactly.  The GD speaks LDAP, so you can set your keyserver to
>> ldap://keyserver.pgp.com and you can query and submit, etc.
>
> Interesting, I didn't see mention of that.  I must try this (assuming I've
> built with LDAP support, that is, which under BSD is a bit obtuse).
>
>>> It's also the ONLY keyserver I've seen that supports photo IDs, and
>>> actually uses the web interface to show you the person.
>>
>> The SKS servers (i.e. pretty much everything that isn't the GD) do support
>> photo IDs, but they do not use the web interface to show you the photo.
>
> That was what I meant to imply, perhaps I was unclear.
>
>> Are you sure about that?  "clean" strips off useless signatures (useless
>> being defined as an invalid signature, a superseded signature, a revoked
>> signature, and a signature from a key that isn't present on the keyring).
>> Signatures from keys that are present, but have no trust value are not
>> stripped off.
>
> Let me double check.  I saw it earlier today when transferring my work sig to
> my personal one.  But it might just have been that my coworkers did not have
> sigs present.  It's entirely possible I mangled the windows.

Yup, that's what happened.  I had imported my work key to my personal
machine, but didn't have the keys of all my coworkers on my personal box,
so "clean" decided to be helpful.

I pulled it off the keyserver again, and then pulled down the keys of all
my coworkers, and was good.

On a related subject, is there a way to say "pull down the keys of all
keyids who have signed key X"?


-Dan

--

"Long live little fat girls!"

-Recent Taco Bell Ad Slogan, Literally Translated.  (Viva Gorditas)

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---




Re: Using the "clean" function (and the "PGP Global Directory")

2010-06-22 Thread Dan Mahoney, System Admin

On Tue, 22 Jun 2010, David Shaw wrote:

> On Jun 22, 2010, at 11:02 PM, Dan Mahoney, System Admin wrote:
>
>> It seems there's two interesting problems which inter-relate.
>>
>> The first is PGP corporation's "global directory", which seems to
>> operate orthogonally from every other keyserver I've seen.  It's
>> HTTP-only, not queryable by any of the open-source clients (in fact, it
>> doesn't support wildcard searches at all, and returns a captcha before
>> delivering results), and not SUBMITTABLE to from any of the open source
>> clients.
>
> Not exactly.  The GD speaks LDAP, so you can set your keyserver to
> ldap://keyserver.pgp.com and you can query and submit, etc.

Interesting, I didn't see mention of that.  I must try this (assuming I've
built with LDAP support, that is, which under BSD is a bit obtuse).

>> It's also the ONLY keyserver I've seen that supports photo IDs, and actually
>> uses the web interface to show you the person.
>
> The SKS servers (i.e. pretty much everything that isn't the GD) do
> support photo IDs, but they do not use the web interface to show you the
> photo.

That was what I meant to imply, perhaps I was unclear.

> Are you sure about that?  "clean" strips off useless signatures (useless
> being defined as an invalid signature, a superseded signature, a revoked
> signature, and a signature from a key that isn't present on the
> keyring).  Signatures from keys that are present, but have no trust
> value are not stripped off.

Let me double check.  I saw it earlier today when transferring my work sig
to my personal one.  But it might just have been that my coworkers did not
have sigs present.  It's entirely possible I mangled the windows.


-Dan

--

"GO HOME AND COOK!!!"

Donielle Cocossa, Taco Bell, 2:30 AM

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---




Re: Using the "clean" function (and the "PGP Global Directory")

2010-06-22 Thread David Shaw
On Jun 22, 2010, at 11:02 PM, Dan Mahoney, System Admin wrote:

> It seems there's two interesting problems which inter-relate.
> 
> The first is PGP corporation's "global directory", which seems to operate 
> orthogonally from every other keyserver I've seen.  It's HTTP-only, not 
> queryable by any of the open-source clients (in fact, it doesn't support 
> wildcard searches at all, and returns a captcha before delivering results), 
> and not SUBMITTABLE to from any of the open source clients.

Not exactly.  The GD speaks LDAP, so you can set your keyserver to 
ldap://keyserver.pgp.com and you can query and submit, etc.

> It's also the ONLY keyserver I've seen that supports photo IDs, and actually 
> uses the web interface to show you the person.

The SKS servers (i.e. pretty much everything that isn't the GD) do support 
photo IDs, but they do not use the web interface to show you the photo.

> Finally, it will sign your non-photo-uids.  With a very short signature time, 
> and pollute them so they look like this:
> 
> uid          Dan Mahoney
> sig 3        E919EC51 2008-11-22  Dan Mahoney
> sig 3        E8048D08 2009-10-15  Peter Losher
> sig          68D482E2 2009-08-31  Guy Sisalli
> sig          CF9890F8 2009-07-01  Mark Andrews
> sig          08F13AD2 2009-10-14  Evan Hunt
> sig 3        294EC062 2009-06-30  Paul Vlaar
> sig          2DC6FF82 2009-10-14  Rob Austein
> sig          8FA50232 2010-06-13  Emma Smith
> sig   X      CA57AD7C 2009-12-16  PGP Global Directory Verification Key
> sig   X      CA57AD7C 2009-12-29  PGP Global Directory Verification Key
> sig   X      CA57AD7C 2010-01-12  PGP Global Directory Verification Key
> sig   X      CA57AD7C 2010-01-25  PGP Global Directory Verification Key
> sig   X      CA57AD7C 2010-02-07  PGP Global Directory Verification Key
> sig   X      CA57AD7C 2010-02-20  PGP Global Directory Verification Key
> sig          B38DB1BE 2010-06-13  Francisco Obispo (ISC)
> uid          Dan Mahoney
> 
> Yes, I'm sure I need a signature added to my key EVERY TWO WEEKS.  From the 
> same ENTITY.
> 
> So, to correct this, gpg has the "clean" function, except that it seems to be 
> broken.  I can then re-upload my key.
> 
> "clean" kills off any local signature and uid that is expired, but it also 
> removes keys I have no trust value for.   This might make sense on someone 
> ELSE'S key in my homedir.  But I want EVERY nonexpired signature to stay on 
> my public key, even if I don't have an explicit trust value for the person.

Are you sure about that?  "clean" strips off useless signatures (useless being 
defined as an invalid signature, a superseded signature, a revoked signature, 
and a signature from a key that isn't present on the keyring).  Signatures from 
keys that are present, but have no trust value are not stripped off.

> A workaround is to assign some trust value to every other person who's signed 
> my key, then run --clean, but this seems broken.
> 
> So, all that said, two questions.
> 
> 1) Is there some option I'm missing that will just remove expired signatures, 
> and not other things?  Assume I'm still interested in the social networking 
> aspect of who-knows-who and who-trusts-who, but not interested in this 
> automated "I figured out a web url three years ago" noise.

Hard to answer since you seem to be reporting behavior (signatures from keys 
that have no trust value being stripped off) that is not in accordance with 
what I'm seeing.  What version of GPG are you seeing it on?  Can you 
demonstrate the problem?

> 2) If I find the magic way to do #1, and upload it to a keyserver, will they 
> accept it, or will they just re-merge the expired sigs in?  (For most common 
> keyservers).

SKS servers will re-merge.  The GD won't re-merge, but will take the new key 
whole.

David




Using the "clean" function (and the "PGP Global Directory")

2010-06-22 Thread Dan Mahoney, System Admin

It seems there's two interesting problems which inter-relate.

The first is PGP corporation's "global directory", which seems to operate
orthogonally from every other keyserver I've seen.  It's HTTP-only, not
queryable by any of the open-source clients (in fact, it doesn't support
wildcard searches at all, and returns a captcha before delivering
results), and not SUBMITTABLE to from any of the open source clients.

It's also the ONLY keyserver I've seen that supports photo IDs, and
actually uses the web interface to show you the person.

Finally, it will sign your non-photo-uids.  With a very short signature
time, and pollute them so they look like this:

uid          Dan Mahoney
sig 3        E919EC51 2008-11-22  Dan Mahoney
sig 3        E8048D08 2009-10-15  Peter Losher
sig          68D482E2 2009-08-31  Guy Sisalli
sig          CF9890F8 2009-07-01  Mark Andrews
sig          08F13AD2 2009-10-14  Evan Hunt
sig 3        294EC062 2009-06-30  Paul Vlaar
sig          2DC6FF82 2009-10-14  Rob Austein
sig          8FA50232 2010-06-13  Emma Smith
sig   X      CA57AD7C 2009-12-16  PGP Global Directory Verification Key
sig   X      CA57AD7C 2009-12-29  PGP Global Directory Verification Key
sig   X      CA57AD7C 2010-01-12  PGP Global Directory Verification Key
sig   X      CA57AD7C 2010-01-25  PGP Global Directory Verification Key
sig   X      CA57AD7C 2010-02-07  PGP Global Directory Verification Key
sig   X      CA57AD7C 2010-02-20  PGP Global Directory Verification Key
sig          B38DB1BE 2010-06-13  Francisco Obispo (ISC)
uid          Dan Mahoney

Yes, I'm sure I need a signature added to my key EVERY TWO WEEKS.  From
the same ENTITY.

So, to correct this, gpg has the "clean" function, except that it seems to
be broken.  I can then re-upload my key.

"clean" kills off any local signature and uid that is expired, but it also
removes keys I have no trust value for.  This might make sense on someone
ELSE'S key in my homedir.  But I want EVERY nonexpired signature to stay
on my public key, even if I don't have an explicit trust value for the
person.

A workaround is to assign some trust value to every other person who's
signed my key, then run --clean, but this seems broken.

So, all that said, two questions.

1) Is there some option I'm missing that will just remove expired
signatures, and not other things?  Assume I'm still interested in the
social networking aspect of who-knows-who and who-trusts-who, but not
interested in this automated "I figured out a web url three years ago"
noise.

2) If I find the magic way to do #1, and upload it to a keyserver, will
they accept it, or will they just re-merge the expired sigs in?  (For most
common keyservers).


-Dan

--

"Ca. Tas. Tro. Phy."

-John Smedley, March 28th 1998, 3AM

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---


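Dan's polluted uid listing, David's description of what "clean" strips (invalid, superseded, revoked, and signer absent from the keyring; trust value irrelevant), and David's one-liner for fetching every signer's key all operate on the same data: gpg's colon-separated listing. The Python below is an added example for this archive page, not code from GnuPG or from anyone in the thread. It parses a constructed `gpg --with-colons --fixed-list-mode --list-sigs` listing modelled on Dan's, collects the signer key IDs that the one-liner pipes into `--recv-keys`, and sorts the certifications into kept and dropped under the four rules David names, keeping the newest certification from a signer even when it has expired, as Doug observed. The field layout is my reading of GnuPG's doc/DETAILS; the 16-digit key IDs (the GD's CA57AD7C padded with zeros, the rest invented), timestamps, names and uid hash are constructed, and the `[User ID not found]` marker in the signer user-ID field is assumed to be how gpg lists a signer whose key is not on the keyring.

```python
"""Classify a key's certifications the way this thread describes gpg's
"clean", from the colon output of
    gpg --with-colons --fixed-list-mode --list-sigs <key>

Added example, not GnuPG code.  Field layout assumed from GnuPG's
doc/DETAILS: 1 record type, 2 validity ("?" signing key unavailable,
"-" bad; only filled in by --check-sigs), 5 signer key ID, 6 creation
and 7 expiration time (epoch seconds under --fixed-list-mode), 10 signer
user ID ("[User ID not found]" when the signer's key is absent), and
11 signature class ("30x" revocations appear as "rev" records).
"""

# Constructed sample modelled on the uid listing quoted in the thread;
# key IDs are padded to 16 hex digits, and the AAAA/BBBB/CCCC signers,
# names, timestamps and uid hash are invented for illustration.
SAMPLE = """\
pub:u:4096:1:0123456789ABCDEF:1227312000:::u:::scaESCA:
uid:u::::1227312000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Example Holder <holder@example.org>:
sig:::1:0123456789ABCDEF:1227312000::::Example Holder <holder@example.org>:13x:
sig:::1:00000000CA57AD7C:1260921600::::PGP Global Directory Verification Key:10x:
sig:::1:00000000CA57AD7C:1262044800::::PGP Global Directory Verification Key:10x:
sig:::1:00000000CA57AD7C:1263254400:1264464000:::PGP Global Directory Verification Key:10x:
sig:::1:00000000AAAAAAAA:1255478400::::Present Signer <present@example.org>:10x:
sig:?::1:00000000BBBBBBBB:1255478400::::[User ID not found]:10x:
sig:::1:00000000CCCCCCCC:1250000000::::Former Signer <former@example.org>:10x:
rev:::1:00000000CCCCCCCC:1255000000::::Former Signer <former@example.org>:30x:
"""


def parse_sigs(colon_output):
    """Return the sig/rev records, each tagged with the uid they apply to."""
    records, current_uid = [], None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if len(fields) < 11:
            continue  # too short to be a record we care about
        if fields[0] == "uid":
            current_uid = fields[9]
        elif fields[0] in ("sig", "rev") and current_uid is not None:
            records.append({
                "uid": current_uid, "type": fields[0],
                "validity": fields[1], "signer": fields[4],
                "created": int(fields[5] or 0), "expires": int(fields[6] or 0),
                "signer_uid": fields[9], "sigclass": fields[10],
            })
    return records


def signers_to_fetch(records):
    """Unique signer key IDs: what the thread's one-liner
    (egrep '^sig:' | cut -f5 -d: | sort -u) hands to --recv-keys."""
    return sorted({r["signer"] for r in records if r["type"] == "sig"})


def simulate_clean(records):
    """Split certifications into kept and (record, reason) dropped, using
    the four cases named in the thread.  Expiry alone never drops one:
    the newest certification from a signer stays even if it has expired."""
    revoked_at, newest = {}, {}   # (uid, signer) -> latest rev / sig time
    for r in records:
        key = (r["uid"], r["signer"])
        table = revoked_at if r["type"] == "rev" else newest
        table[key] = max(table.get(key, 0), r["created"])
    kept, dropped = [], []
    for r in records:
        if r["type"] != "sig":
            continue  # rev records drive the decision but are not certs
        key = (r["uid"], r["signer"])
        if r["validity"] == "-":
            dropped.append((r, "invalid"))
        elif r["validity"] == "?" or r["signer_uid"] == "[User ID not found]":
            dropped.append((r, "signer key not in keyring"))
        elif revoked_at.get(key, 0) > r["created"]:
            dropped.append((r, "revoked"))
        elif r["created"] < newest[key]:
            dropped.append((r, "superseded"))
        else:
            kept.append(r)
    return kept, dropped


def summarize(colon_output):
    """The numbers worth checking before running --clean for real."""
    records = parse_sigs(colon_output)
    kept, dropped = simulate_clean(records)
    reasons = {}
    for _, why in dropped:
        reasons[why] = reasons.get(why, 0) + 1
    return {"fetch": signers_to_fetch(records), "kept": len(kept),
            "dropped": reasons}


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run against real output by piping `gpg --with-colons --fixed-list-mode --list-sigs KEYID` into `summarize`; the "signer key not in keyring" bucket is exactly the set of certifications Dan lost, and fetching the IDs in `fetch` first empties it, which is why David's one-liner belongs before `--clean`.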