Auto Key Refresh

Mark H. Wood mwood@IUPUI.Edu
Thu Jul 10 15:37:04 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 10 Jul 2003, Neil Williams wrote:
[snip interior quote]
> Would it be that much extra work? It would be needed when I select to encrypt
> an email - that key could be auto-retrieved and an alert generated if revoked
> - but that's only one key refresh per message.
>
> When I --refresh-keys on one of my public rings, some 300 keys pass by!
> Depending on my connection, it doesn't seem that I get any delays at the
> keyserver end.

Yeah, my pubring.gpg is over a megabyte.  I don't want to refresh the
whole thing every time I do business with my bank.  (I know, I know, I
should weed out stuff I don't use....)

> The keyserver would still receive updates at the usual rate and if the bank
> operates a local keyserver for their own keys, it means that the lag time to
> other keyservers is also eliminated. That does require something that was
> discussed here a little while ago - intelligent fallbacks when using multiple
> keyservers in the gpg.conf file. The bank keyserver is hardly going to want
> to keep keys of non-customers/employees so it needs to be the default for
> those keys that it does hold but gpg needs some way to know not to use it for
> other keys. Could be fun to devise!

It sounds like key entries in keyrings need two more attributes:  a
"refresh before each use" bit, and a list of the best places from which to
refresh this entry.  If there's no server list, use the master list from
gpg.conf .

I forgot to mention the reason I think the bank will want its own
keyserver:  would *you* trust billions of dollars a day in transactions to
a server not under your control?  I don't think your banker will.

- -- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
MS Windows *is* user-friendly, but only for certain values of "user".
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: pgpenvelope 2.10.2 - http://pgpenvelope.sourceforge.net/

iD8DBQE/DWxms/NR4JuTKG8RAqCeAJ4wQh1FZCCKZp3euWkrId/jvtymlgCcDBaH
t3hrRtHCogp2cchwNs9BV9c=
=lm5V
-----END PGP SIGNATURE-----