a Question about Key Servers

Robert J. Hansen rjh at sixdemonbag.org
Thu Aug 25 17:22:41 CEST 2011


On 8/25/2011 10:28 AM, Daniel Kahn Gillmor wrote:
> Except that, quite clearly, most users have no idea it is their problem
> and the problem remains unsolved.

Now that you mention it, I'd like to reject the premise outright: that
this is a problem.  How do we know it's a problem?  I don't doubt that
for some people it's a serious problem, but does the average user have a
problem with certificates that need refreshing?

I'm willing to stipulate that it is good that certificates be
periodically refreshed, but I'm unconvinced we need much in the way of
customization here.  It would be fairly simple for GnuPG to keep a
"last-refreshed" file in the ~/.gnupg dir, and upon invocation check to
see if more than 30 days had passed since refreshing.  Pop up a small
dialog box (à la pinentry) and say, hey, it's been six months since we've
refreshed your certificates, would you like to do this now? (or click
here to disable reminders).

Even if it's computationally intensive and takes an hour to run, a
process that runs in the background once every six months isn't all that
onerous.  In fact, by moving to just checking a file's touchdate, it
makes it possible for third parties to write solutions without relying
on GnuPG at all.

So, yeah -- I don't really see the problem, nor why this needs to be
solved within GnuPG.  It appears to me (at my current levels of
ignorance and prejudice) that it's possible to hit the 95% use case
without very much effort at all.  Given the choice of hitting the 99.9%
use case, or hitting the 95% use case with only a tenth the effort, I
think the latter is the way to go.

Heck, if people want I'd be happy to take a stab at writing a Windows
service to do this.

> Please read https://bugs.g10code.com/gnupg/issue1235 for decent
> arguments about why this is the right thing to do.

I have.  I'm unconvinced.

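Added example, not code from the thread or from GnuPG itself: a small POSIX shell script implementing the stamp-file check sketched in the message above, so that a third-party wrapper (a cron job or login script) can decide on its own whether `gpg --refresh-keys` is due. The stamp file name `last-refreshed`, the 30-day default, the script file name `refresh-reminder.sh`, and storing an epoch timestamp inside the stamp rather than reading the file's mtime are all assumptions.

```shell
#!/bin/sh
# Hypothetical third-party "refresh reminder" (added example, not GnuPG code).
# Keeps a stamp file next to the keyring, compares its age against a
# threshold, and only then runs gpg --refresh-keys.
GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"
STAMP="${REFRESH_STAMP:-$GNUPGHOME/last-refreshed}"   # assumed file name
MAX_AGE_DAYS="${MAX_AGE_DAYS:-30}"                     # assumed default

# refresh_due STAMP MAX_AGE_DAYS NOW_EPOCH
# Returns 0 (true) when the stamp is missing, unreadable, corrupt, or
# older than MAX_AGE_DAYS; returns 1 otherwise. The stamp holds an epoch
# timestamp written by mark_refreshed instead of relying on mtime, so a
# backup restore or a stray `touch` cannot silently reset the clock.
refresh_due() {
    stamp="$1"; max_days="$2"; now="$3"
    [ -r "$stamp" ] || return 0
    last=$(head -n 1 "$stamp" 2>/dev/null)
    case "$last" in
        ''|*[!0-9]*) return 0 ;;   # corrupt stamp: treat as never refreshed
    esac
    age=$(( now - last ))          # negative on clock skew: not due
    [ "$age" -gt $(( max_days * 86400 )) ]
}

# mark_refreshed STAMP NOW_EPOCH: record a successful refresh (owner-only file).
mark_refreshed() {
    ( umask 077; printf '%s\n' "$2" > "$1" )
}

main() {
    now=$(date +%s)
    if refresh_due "$STAMP" "$MAX_AGE_DAYS" "$now"; then
        echo "Keyring not refreshed in $MAX_AGE_DAYS days; refreshing now." >&2
        # Stamp only on success, so a failed keyserver fetch is retried next run.
        if gpg --batch --refresh-keys; then
            mark_refreshed "$STAMP" "$now"
        else
            echo "gpg --refresh-keys failed; will retry on next invocation." >&2
            return 1
        fi
    fi
}

# Run only when executed under the assumed script name, not when sourced.
case "${0##*/}" in
    refresh-reminder.sh) main "$@" ;;
esac
```

Install as `~/bin/refresh-reminder.sh` and call it from a login script or a daily cron entry; it is quiet unless a refresh is actually due.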