Using the "preferred keyserver URL" in GnuPG 1.4

Simon Josefsson jas at extundo.com
Wed Dec 22 02:22:21 CET 2004


David Shaw <dshaw at jabberwocky.com> writes:

> I'll make you a deal - if you write the DNS handler to properly handle
> a flag passed from gpg to do a revocation-only search, I'll write the
> code in gpg to pass that flag when appropriate.  Since a
> revocation-only check can also be fulfilled (though slower) by a
> regular check, this would be nicely backwards compatible.

I tried my Perl version, and it still worked.  Is Perl acceptable, or
do I have to rewrite it in C?

Get http://josefsson.org/gpgkeys_jkp/gpgkeys_jkp, install it in the
keyserver directory, and add

keyserver jkp://josefsson.org

The server knows the 57548DCD and b565716f keys only:

jas at latte:~$ gpg gnupg-1.4.0.tar.bz2.sig
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: Signature made Thu 16 Dec 2004 11:50:52 AM CET using DSA key ID 57548DCD
gpg: requesting key 57548DCD from jkp server josefsson.org
gpgkeys: attempting key 0x68B7AB8957548DCD from jkp://josefsson.org
gpgkeys: querying for (0x57548DCD.josefsson.org, CERT)
gpgkeys: key 0x57548DCD retrieved from josefsson.org
gpg: key 57548DCD: public key "Werner Koch (gnupg sig) <dd9jn at gnu.org>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0  valid:   3  signed:   3  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: depth: 1  valid:   3  signed:   5  trust: 2-, 0q, 0n, 1m, 0f, 0u
gpg: next trustdb check due at 2005-04-13
gpg: Total number processed: 1
gpg:               imported: 1
gpg: Good signature from "Werner Koch (gnupg sig) <dd9jn at gnu.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6BD9 050F D8FC 941B 4341  2DCC 68B7 AB89 5754 8DCD
jas at latte:~$

How will you design the protocol for revocation checks only?

When is it appropriate to do the revocation check?  It sounds as if
this should be configurable?  Maybe add a parameter:

revocationserver jkp://josefsson.org

or something?

Or would revocation only be done through the "preferred key server"
field from the owner's key?

Perhaps revocation checks shouldn't be done too often?  Might be some
work in remembering when the last check was done, though...

Thanks.

PS.  I'll take care of the paper work as well, of course.
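Added example, not code from the mail or from gpgkeys_jkp: the transcript above shows the helper looking up a CERT record under the short key ID (0x57548DCD.josefsson.org), so this builds that owner name from the ID and the jkp:// URL, splits the CERT RDATA (RFC 4398), and checks that the OpenPGP key it carries actually has the key ID gpg asked for before handing it on. The naming scheme is read off the transcript, not a spec; the key packet is a constructed toy, not a real key.

```python
import hashlib
import struct

CERT_TYPE_PGP = 3  # RFC 4398: certificate type 3 carries an OpenPGP packet

def cert_name(keyid, keyserver):
    """Owner name as the transcript shows it: short (low 32 bits) key ID
    under the jkp:// server's domain, e.g. 0x57548DCD.josefsson.org.
    Assumption taken from the transcript, not from a specification."""
    domain = keyserver.split("://", 1)[-1].rstrip("/")
    hexid = keyid[2:] if keyid.lower().startswith("0x") else keyid
    return "0x%s.%s" % (hexid[-8:].upper(), domain)

def parse_cert_rdata(rdata):
    """CERT RDATA layout (RFC 4398): type(2) key tag(2) algorithm(1) cert."""
    ctype, keytag, alg = struct.unpack("!HHB", rdata[:5])
    return ctype, keytag, alg, rdata[5:]

def wrap_in_cert_rdata(packet, ctype=CERT_TYPE_PGP):
    """Build CERT RDATA around an OpenPGP packet (tag and alg 0 for PGP)."""
    return struct.pack("!HHB", ctype, 0, 0) + packet

def key_id_from_packet(packet):
    """v4 fingerprint (RFC 4880 12.2): SHA-1 over 0x99, 2-byte body length,
    body.  An old-format public-key packet with a 2-byte length starts with
    exactly that 0x99 prefix.  Returns (fingerprint hex, long key ID hex)."""
    if packet[:1] != b"\x99" or len(packet) < 3:
        raise ValueError("expected 0x99 old-format public-key packet header")
    body_len = struct.unpack("!H", packet[1:3])[0]
    body = packet[3:3 + body_len]
    if len(body) != body_len or body[:1] != b"\x04":
        raise ValueError("truncated or non-v4 public-key packet")
    fp = hashlib.sha1(b"\x99" + struct.pack("!H", body_len) + body).hexdigest().upper()
    return fp, fp[-16:]

def key_matches_request(rdata, requested_keyid):
    """Check a DNS-backed helper should make before returning a key to gpg:
    the record is a PGP cert and its key ID (8 or 16 hex digits, optional 0x)
    is the one requested.  Otherwise whatever DNS answered for that name
    is passed on to gpg for import."""
    ctype, _tag, _alg, cert = parse_cert_rdata(rdata)
    if ctype != CERT_TYPE_PGP:
        return False
    want = requested_keyid.upper()
    want = want[2:] if want.startswith("0X") else want
    if len(want) not in (8, 16):
        return False
    try:
        _fp, long_id = key_id_from_packet(cert)
    except ValueError:
        return False
    return long_id.endswith(want)

def build_sample_key_packet():
    """Constructed sample, not a real key: v4 RSA public-key packet, toy MPIs."""
    def mpi(x):
        return struct.pack("!H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack("!I", 1103212252) + b"\x01" + mpi(0xC0FFEE1234567891) + mpi(65537)
    return b"\x99" + struct.pack("!H", len(body)) + body
```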
