On Fri, Sep 13, 2013 at 12:22 AM, Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote:

> GnuPG is currently not able to create a non-exportable self-sig. If you
> try to do this, it gives an error:
>
> WARNING: the signature will not be marked as non-exportable.
>
> But: some people might never want their keys to be published to the public
> keyservers, or have some User IDs that they keep locally that they do
> not want to be transmitted via the keyserver network.
>
> AIUI, keyservers should reject keys that do not have a self-signature.
> Keyservers should also honor the "non-exportable" marker by rejecting
> OpenPGP certification packets that have the "exportable" subpacket
> included and set to 0.
>
> So the sensible thing for a keyholder who wants their key to stay off
> the keyservers would be to issue a non-exportable self-signature.
I don't think this is sensible. What is the point of a UID that cannot be used by someone else? If the UID is shared with anyone else (even privately), it must have a self-signature, and so that signature must be exportable. If gpg starts --exporting keys with non-self-signed UIDs, this will be a step backwards.

I see what you are trying to achieve, but I don't think this is the right way to do it. The correct way would be to have keyservers honour the no-modify flag, or perhaps have some notation on the ID that prevents uploading to a public keyserver. I myself would favour the latter approach.

N.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
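The keyserver rule both messages rely on (drop certifications whose Exportable Certification subpacket is 0, then require a self-signature to remain on the User ID) can be checked directly on the wire format. The following is an added example, not code from the thread or from GnuPG; it walks RFC 4880 v4 signature-packet subpackets over constructed sample packets with a placeholder key ID, and treats the Issuer subpacket as a hint only, since a real keyserver must also verify the signature against the primary key.

```python
import struct

EXPORTABLE_CERTIFICATION = 4   # RFC 4880 5.2.3.11: 1 octet, 0 = non-exportable
ISSUER = 16                    # RFC 4880 5.2.3.5: 8-octet key ID (a hint, not proof)
CERT_SIG_TYPES = {0x10, 0x11, 0x12, 0x13}   # certification signatures over a User ID

def parse_subpackets(area: bytes):
    """Yield (type, body) pairs from a signature subpacket area (RFC 4880 5.2.3.1)."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                  # 1-octet length
            length, i = first, i + 1
        elif first < 255:                # 2-octet length
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                            # 5-octet length
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        body, i = area[i:i + length], i + length
        yield body[0] & 0x7F, body[1:]   # bit 7 of the type octet is "critical"

def parse_v4_signature(pkt: bytes):
    """Return (sig_type, hashed, unhashed) from a v4 signature packet body."""
    if pkt[0] != 4:
        raise ValueError("only v4 signature packets are handled")
    hlen = struct.unpack(">H", pkt[4:6])[0]
    ulen = struct.unpack(">H", pkt[6 + hlen:8 + hlen])[0]
    return (pkt[1], list(parse_subpackets(pkt[6:6 + hlen])),
            list(parse_subpackets(pkt[8 + hlen:8 + hlen + ulen])))

def is_exportable(hashed) -> bool:
    """Absent subpacket means exportable. Only the hashed area is covered by the
    signature, so an exportable=0 marker in the unhashed area is not trusted here."""
    return all(body[:1] != b"\x00" for t, body in hashed if t == EXPORTABLE_CERTIFICATION)

def keyserver_keeps_uid(key_id: bytes, sigs) -> bool:
    """Drop non-exportable certifications, then require a self-certification
    (issuer == primary key ID) to remain on the User ID."""
    issuers = []
    for pkt in sigs:
        sig_type, hashed, unhashed = parse_v4_signature(pkt)
        if sig_type in CERT_SIG_TYPES and is_exportable(hashed):
            issuers += [body for t, body in hashed + unhashed if t == ISSUER]
    return key_id in issuers

KEY_ID = bytes(range(1, 9))   # constructed placeholder key ID, not a real key
def self_sig(exportable: bool) -> bytes:
    """Constructed v4 positive certification (0x13): creation time in the hashed
    area, optional exportable=0 marker, Issuer in the unhashed area."""
    hashed = b"\x05\x02\x52\x32\x5d\x60" + (b"" if exportable else b"\x02\x04\x00")
    unhashed = b"\x09\x10" + KEY_ID
    return (b"\x04\x13\x01\x08" + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\xab\xcd")
```

With this rule a UID whose only self-signature is non-exportable is dropped, which is exactly the outcome the reply objects to: the UID becomes unusable for anyone else.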