-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 08/12/13 22:11, Hauke Laging wrote: > IIRC this has been discussed here a while ago and there is no way to get > this information from GnuPG. I would like to know whether there is already > software available which does this; no need to reinvent the wheel.
The Debian package signing-party has some tools working on this info, but I don't think you can get the information you're really after, unfortunately. It goes some way towards achieving it, though. $ gpg --list-sig|sig2dot >sigs.dot will create a .dot file for Graphviz and similar tools that has keys as nodes and signatures as edges. $ springgraph <sigs.dot >sigs.png will create a picture of that graph; it's an alternative tool to the ones provided by Graphviz. Some other statistics can be had by: $ pgpring -S -k ~/.gnupg/pubring.gpg|process_keys >preprocess.keys $ keyanalyze The first command will create a file preprocess.keys and the second a directory called 'output' with distance analysis and stuff on the keys. None of these commands take the trust database into account, AFAIK[1]. A program that would take the output of --export-trustdb and the sigs.dot file and annotates it with validity information would be cool. Perhaps pruning sigs.dot to only include valid signatures. > If there isn't any I would do this (but maybe there is a better approach): I think the better approach is to write a tool combining --export-trustdb and the sigs.dot file ;). > BTW: I noticed that a key becomes invalid if its certifying key expires and > has complete trust. But if it has ultimate trust then the expiration does > not make the certification invalid. Is this intentional? I think it's intentional. You would typically use ultimate trust for your own keys. And if your own key expires, you might still very well trust the certifications you made with that key. If the key of a fully trusted person expires, that key no longer "validly represents" that person, and perhaps its certifications can't be trusted anymore. I suppose the bond between you and an ultimately trusted key is so strong that you are supposed to know all there is to know about that key, and you should revoke the ultimate trust if you no longer have ultimate trust in that key. Ultimate trust: I don't care what anybody says, I believe in you. > Another, related question: I was surprised to read the recommendation to > create a local certification for keys which have been validated via the > WoT. But the one who wrote that seems extremely competent to me with > respect to OpenPGP. Is there a general concensus on that? What are your > opinions? In and of itself, it sounds unnecessary. The most important reason you would make a local sig, is to make a key valid, but if it's already valid through the Web of Trust, that's no longer necessary. It also creates the burden of maintenance: through expiry or revocation of keys and signatures, your WoT might at some point no longer consider a key to be valid. But you did a local sig, so the key stays valid. You might not notice that the validity has diminished. But suppose that in certain scenario's, you consider a key (which isn't valid yet) as "valid enough", but don't want to announce this to the world. I've been pressing my point lately that I strongly believe your exportable signatures should represent verification effort, not a belief of validity. Still, you might want to use that belief of validity that you have to make a key valid in your own keyring. This sounds like a perfect use case for a local signature. There might well be a scenario where you local-sign a key that's already valid through the Web-of-Trust, but I can't think of one just now. HTH, Peter. [1] Since you give either the public keyring file, or the output of gpg - --list-sig, very explicit input that doesn't include trust, it seems highly unlikely that those programs also access the trust database on their own. - -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at <http://digitalbrains.com/2012/openpgp-key-peter> _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users