The machine readable, verbose index should show signatures.

Issue #34 new
Peter TheOne
created an issue

The machine readable, verbose index (?op=vindex&options=mr) should show signatures, just like the non machine readable index. I think this is only logical.

I hope this does not conflict with https://tools.ietf.org/html/draft-shaw-openpgp-hkp-00#section-5.2 that defines Machine Readable Indexes.

Comments (3)

  1. Kristian Fiskerstrand

    I'm a bit unsure whether this makes sense, can you provide a use case for it?

    Immediately I see two arguments against adding such information, (i) increased bandwidth requirement when doing keyserver searches that might slow down this operation (this can be mitigated if we make this an option to show sigs and don't enable it by default) (ii) people getting the impression that the signatures are validated. There is little use getting these from the keyservers as they will anyways have to be downloaded to a local keyring and be verified before being used for anything.

  2. Peter TheOne reporter

    Use case: I want to look up who signed a key. But instead of doing it manually (view html) I want to do it in a machine readable way. Before I import the key and check if it is valid.

    Concretely I have two applications in mind: (1) Grab this information and visualize a small part of the web of trust. (2) Or a RSS feed, irc bot, twitter bot, jabber bot, etc. that grabs and posts this information.

    (i) I'm suggesting: Show signatures with op=vindex and don't show them with op=index. Just like it was historically for the human readable view as I understand. Alternatively you could define an additional option to view signatures.

    (ii) Ironic Question: So why show them in the human readable view, as they will have to be verified anyway?

    What speaks for this feature:

    (a) Consistency with the machine readable version.

    (b) A way to get a sense of who signed who before having to validate it or for minimal risk applications.

  3. Log in to comment