CRL checking in dirmngr (Was: Re: [PATCH 2/3] dirmngr: add system CAs if no hkp-cacert is given)

Daniel Kahn Gillmor dkg at
Fri Nov 18 06:47:55 CET 2016

On Sat 2016-11-05 07:52:07 +0900, Kristian Fiskerstrand wrote:
> Since dirmngr already has CRL checking capabilities, at least OneCRL
> checking is likely a good idea to implement. I'd also be nice if CRL is
> checked for specific CA, e.g in the case of
> for

Kristian, do you have a patch for this?  Now that the sks-keyservers
pool CA is being shipped and used automatically, this seems like an
important step.

How frequently do you think it should be checked?  What if there were a
policy to refresh it infrequently?  Without creating something that
"phones home", we could have a simple policy like:

 * if use-tor is enabled, and
 * if the list of configured keyservers includes, and
 * the CRL "Next at" update check is expired

then refresh it?
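The refresh policy sketched above, written out as an added example (not code from dirmngr or from anyone in this thread): it builds a constructed, self-signed CRL in memory, reads its nextUpdate field, and only reports "refresh" when all three conditions hold. It assumes the `cryptography` library is installed; the pool host name and the keyserver URLs are placeholders chosen for the example, not values taken from the message.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Assumed host name for the keyserver pool; the thread does not name it.
POOL_HOST = "hkps.pool.sks-keyservers.net"


def make_sample_crl(next_update: datetime) -> bytes:
    """Build a constructed, empty CRL signed by a throwaway CA key.

    Only the issuer, thisUpdate and nextUpdate fields matter here; no
    certificates are revoked.  Returns PEM bytes.
    """
    key = ec.generate_private_key(ec.SECP256R1())
    issuer = x509.Name(
        [x509.NameAttribute(NameOID.COMMON_NAME, "constructed test CA")]
    )
    crl = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer)
        .last_update(next_update - timedelta(days=7))
        .next_update(next_update)
        .sign(private_key=key, algorithm=hashes.SHA256())
    )
    return crl.public_bytes(serialization.Encoding.PEM)


def crl_next_update(crl_pem: bytes) -> datetime:
    """Return the CRL's nextUpdate as a timezone-aware UTC datetime.

    Newer cryptography releases expose next_update_utc; older ones only
    have the naive next_update, which is already in UTC.
    """
    crl = x509.load_pem_x509_crl(crl_pem)
    nu = getattr(crl, "next_update_utc", None)
    if nu is None:
        nu = crl.next_update.replace(tzinfo=timezone.utc)
    return nu


def crl_is_stale(crl_pem: bytes, now: datetime) -> bool:
    """True once the CRL's nextUpdate time has been reached."""
    return now >= crl_next_update(crl_pem)


def should_refresh_crl(
    crl_pem: bytes,
    use_tor: bool,
    keyservers: list[str],
    now: datetime,
    pool_host: str = POOL_HOST,
) -> bool:
    """Apply the three-part policy from the message.

    Refresh only if use-tor is enabled, the pool is among the configured
    keyservers, and the cached CRL's nextUpdate has passed.  Any single
    failing condition means no network fetch is attempted.
    """
    if not use_tor:
        return False
    if not any(pool_host in ks for ks in keyservers):
        return False
    return crl_is_stale(crl_pem, now)


if __name__ == "__main__":
    now = datetime(2016, 11, 18, 12, 0, tzinfo=timezone.utc)
    stale = make_sample_crl(now - timedelta(hours=1))
    fresh = make_sample_crl(now + timedelta(days=1))
    servers = ["hkps://" + POOL_HOST]
    print("stale CRL, tor, pool configured ->",
          should_refresh_crl(stale, True, servers, now))
    print("fresh CRL, tor, pool configured ->",
          should_refresh_crl(fresh, True, servers, now))
```

The staleness test compares against nextUpdate rather than a fixed interval, so the CA's own published cadence drives the refresh rate, and the two gating conditions keep the check from turning into a periodic fetch for users who never talk to the pool.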
