public keyring management practices (was: Re: GPG Recipients List)

David Shaw dshaw at jabberwocky.com
Wed Dec 3 18:57:36 CET 2003


On Wed, Dec 03, 2003 at 11:04:19PM +0000, Neil Williams wrote:

> Lengthy trust rebuilds do slow down the email client with new keys
> and also slow down KGpg when it opens. However, another reason is
> refreshing keys - you can't be sure about a key not being revoked
> unless you refresh it so I refresh quite often. Certainly before I
> verify packages or encrypt messages to occasional contacts.

I've occasionally toyed with making an option to automatically do a
refresh before encrypting, and a different option to automatically do
a refresh when verifying.  I haven't done it because the load on the
keyservers would be brutal.  I'd be curious if someone has a different
take on that, or how they would want such a feature to work.

For me, I'd only really care to know if the key was revoked.  New sigs
are useful, but that's not something I generally need to know right
before I encrypt something.  Simon Josefsson's work with storing keys
in DNS might be useful here for really lightweight revocation checks.
Revocation certs are pretty small (~75 bytes for DSA), and can
generally be sent in one DNS packet.

If/when people start using the "preferred keyserver" packets on their
keys (partially implemented in 1.3.x now), it's possible to fetch the
revocation from there (which could be, for example, a file on their
web page).

David
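The refresh-before-encrypt behaviour discussed above, as an added example that is not part of the original thread: a small Python wrapper (assumed to run in front of a stock `gpg` binary on PATH, with a keyserver configured in gpg.conf) that refreshes one key, reads the colon-format listing, and refuses to encrypt if the key has been revoked.

```python
import subprocess

GPG = "gpg"  # assumption: a stock gpg binary on PATH, keyserver set in gpg.conf


def parse_revoked(colon_output):
    """Map long key ID -> revoked? from `gpg --with-colons --list-keys` output.

    In the colon format, field 1 is the record type, field 2 the validity
    letter ('r' = revoked, 'e' = expired, 'u'/'f' = valid) and field 5 the
    long key ID; only 'pub' records are inspected.
    """
    status = {}
    for line in colon_output.splitlines():
        fields = line.split(":")
        if len(fields) > 4 and fields[0] == "pub":
            status[fields[4]] = fields[1] == "r"
    return status


def refresh_and_check(keyid, run=subprocess.run):
    """Refresh one key from the keyserver, then return True if it is revoked,
    False if it is present and not revoked, None if it is not in the keyring."""
    # A failed refresh (keyserver down) must not be mistaken for "not revoked";
    # the local copy is still consulted, but it may then be stale.
    run([GPG, "--batch", "--refresh-keys", keyid], capture_output=True, check=False)
    listing = run([GPG, "--batch", "--with-colons", "--list-keys", keyid],
                  capture_output=True, text=True, check=False).stdout
    return parse_revoked(listing).get(keyid)


def encrypt_if_not_revoked(keyid, path, run=subprocess.run):
    """Encrypt `path` to `keyid` only after a fresh revocation check."""
    state = refresh_and_check(keyid, run=run)
    if state is None:
        raise LookupError(f"key {keyid} not in keyring")
    if state:
        raise ValueError(f"key {keyid} is revoked; refusing to encrypt")
    run([GPG, "--batch", "--yes", "--encrypt", "--recipient", keyid, path], check=True)
    return path + ".gpg"


# Constructed sample listing (not real keys): one revoked key, one valid key.
SAMPLE_LISTING = """tru::1:1070481600:0:3:1:5
pub:r:1024:17:0123456789ABCDEF:2003-12-03::-:::sc:
uid:r::::2003-12-03::XX::Revoked Example <revoked@example.invalid>:
pub:u:1024:17:FEDCBA9876543210:2003-12-03::-:::scESC:
uid:u::::2003-12-03::YY::Good Example <good@example.invalid>:
"""

if __name__ == "__main__":
    print(parse_revoked(SAMPLE_LISTING))
```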
