public keyring management practices (was: Re: GPG Recipients List)
David Shaw
dshaw at jabberwocky.com
Wed Dec 3 18:57:36 CET 2003
On Wed, Dec 03, 2003 at 11:04:19PM +0000, Neil Williams wrote:
> Lengthy trust rebuilds do slow down the email client with new keys
> and also slow down KGpg when it opens. However, another reason is
> refreshing keys - you can't be sure about a key not being revoked
> unless you refresh it so I refresh quite often. Certainly before I
> verify packages or encrypt messages to occasional contacts.
I've occasionally toyed with making an option to automatically do a
refresh before encrypting, and a different option to automatically do
a refresh when verifying. I haven't done it because the load on the
keyservers would be brutal. I'd be curious if someone has a different
take on that, or how they would want such a feature to work.
For me, I'd only really care to know if the key was revoked. New sigs
are useful, but that's not something I generally need to know right
before I encrypt something. Simon Josefsson's work with storing keys
in DNS might be useful here for really lightweight revocation checks.
Revocation certs are pretty small (~75 bytes for DSA), and can
generally be sent in one DNS packet.
If/when people start using the "preferred keyserver" packets on their
keys (partially implemented in 1.3.x now), it's possible to fetch the
revocation from there (which could be, for example, a file on their
web page).
David
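The two practices discussed above, refusing to encrypt to a key the local keyring already marks as revoked, and refreshing from a keyserver without hammering it, can be scripted around gpg's machine-readable output. The following is an added example and not code from David Shaw, Neil Williams or the GnuPG project. It assumes the caller has captured the stdout of `gpg --with-colons --list-keys` for the recipients in question; the listing embedded below is constructed sample output with made-up key IDs, and the per-key refresh interval is an arbitrary choice.

```python
"""Revocation check and refresh throttling over gpg --with-colons output.

Added example, not part of the original thread. The SAMPLE_LISTING is
constructed; the key IDs and user IDs are placeholders, not real keys.
"""

# Constructed sample of `gpg --with-colons --list-keys` output: one usable
# key (validity 'u'), one revoked key ('r') and one expired key ('e').
SAMPLE_LISTING = """\
tru::1:1070480256:0:3:1:5
pub:u:1024:17:AAAAAAAAAAAAAAAA:1070480000:::u:::scESC:
uid:u::::1070480000::0123456789ABCDEF0123456789ABCDEF01234567::Alice Example <alice at example.org>::::
sub:u:2048:16:BBBBBBBBBBBBBBBB:1070480000::::::e:
pub:r:1024:17:CCCCCCCCCCCCCCCC:1070480000:::-:::sc:
uid:r::::1070480000::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Bob Revoked <bob at example.org>::::
sub:r:2048:16:DDDDDDDDDDDDDDDD:1070480000::::::e:
pub:e:1024:17:EEEEEEEEEEEEEEEE:1040000000:1050000000::-:::sc:
uid:e::::1040000000::1111111111111111111111111111111111111111::Carol Expired <carol at example.org>::::
"""

# Validity letters (field 2 of the colon format) that make a key unusable
# as an encryption target.
UNUSABLE = {"r": "revoked", "e": "expired", "d": "disabled", "i": "invalid"}


def parse_colon_listing(text):
    """Return {keyid: {"validity": str, "uids": [str, ...]}} per primary key.

    Colon format fields used here: field 1 is the record type (pub/uid/sub),
    field 2 the validity letter, field 5 the key ID on pub records and
    field 10 the user ID string on uid records.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            current = fields[4]
            keys[current] = {"validity": fields[1], "uids": []}
        elif rtype == "uid" and current is not None:
            keys[current]["uids"].append(fields[9])
    return keys


def encryption_blocker(keyid, keys):
    """Return None if keyid may be encrypted to, else a short reason string."""
    info = keys.get(keyid)
    if info is None:
        return "not in keyring"
    return UNUSABLE.get(info["validity"])


def keys_to_refresh(keyids, last_refresh, now, min_interval=24 * 3600):
    """Select the key IDs whose last keyserver refresh is older than
    min_interval seconds (or that were never refreshed), so that a
    refresh-before-encrypt policy does not hit the keyserver on every message.
    last_refresh maps keyid -> epoch seconds of the last successful refresh.
    """
    due = []
    for k in keyids:
        last = last_refresh.get(k)
        if last is None or now - last >= min_interval:
            due.append(k)
    return due


def refresh_command(keyids):
    """Build the argv for refreshing only the selected keys from the keyserver."""
    return ["gpg", "--refresh-keys"] + list(keyids)


if __name__ == "__main__":
    keys = parse_colon_listing(SAMPLE_LISTING)
    for kid in ("AAAAAAAAAAAAAAAA", "CCCCCCCCCCCCCCCC", "EEEEEEEEEEEEEEEE"):
        reason = encryption_blocker(kid, keys)
        print(kid, "ok" if reason is None else "refuse: " + reason)
    # Hypothetical refresh bookkeeping: Alice refreshed an hour ago, Bob never.
    due = keys_to_refresh(["AAAAAAAAAAAAAAAA", "CCCCCCCCCCCCCCCC"],
                          {"AAAAAAAAAAAAAAAA": 1070480000}, 1070483600)
    print(refresh_command(due))
```

The check only sees what is already in the local keyring, which is exactly why the thread wants a refresh first; the throttle keeps that refresh from running on every encryption. Run the real `gpg --refresh-keys` on the returned subset, re-list, and then call `encryption_blocker` on the fresh output.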