* hkp.c (hkp_search): Return proper error code on failure.

* keyedit.c (sign_uids): Do not allow signing a user ID without a
self-signature.  --expert overrides.

* options.skel: Use subkeys.pgp.net as the default keyserver.

* trustdb.c (validate_one_keyblock): Certifications on revoked or expired
uids do not count in the web of trust.

g10/trustdb.c

@@ -1329,10 +1329,14 @@ validate_one_keyblock (KBNODE kb, struct key_item *klist,
 	 signed (but not self-signed) uid does carry trust, of a sort,
 	 even if it is a statement being made by people other than the
 	 key owner "through" the uids on the key owner's key.  I'm
-	 going with the latter. -dshaw */
+	 going with the latter.  However, if the user ID was
+	 explicitly revoked, or passively allowed to expire, that
+	 should stop validity through the user ID until it is
+	 resigned.  -dshaw */
 
-      /* && node->pkt->pkt.user_id->created) */
-      if (node->pkt->pkttype == PKT_USER_ID)
+      if (node->pkt->pkttype == PKT_USER_ID
+	  && !node->pkt->pkt.user_id->is_revoked
+	  && !node->pkt->pkt.user_id->is_expired)
         {
           if (uidnode && issigned)
             {
@@ -1346,12 +1350,11 @@ validate_one_keyblock (KBNODE kb, struct key_item *klist,
             }
           uidnode = node;
 	  uid=uidnode->pkt->pkt.user_id;
-#if 0
-	  /* If the selfsig is going to expire...  This is disabled as
-	     we do count un-self-signed uids in the web of trust. */
+
+	  /* If the selfsig is going to expire... */
 	  if(uid->expiredate && uid->expiredate<*next_expire)
 	    *next_expire = uid->expiredate;
-#endif
+
           issigned = 0;
 	  get_validity_counts(pk,uid);
           mark_usable_uid_certs (kb, uidnode, main_kid, klist,