How much load are keyservers willing to handle?

Robert J. Hansen rjh at sixdemonbag.org
Thu Dec 19 03:44:48 CET 2013


> I am planning to write a script which will refresh the apt signing key
> before updating using "apt-get update".

The question I have is, "What problem are you trying to solve?"  I am
certain that Debian Security already has a protocol in place for how to
handle compromised certificates.  Is this protocol flawed or lacking?
What problem does it not address which this idea will solve?

The next question is, "Why is it important the certificate be retrieved
from the keyserver network?"  When talking about the global apt
repositories, it's likely they have access to multiple orders of
magnitude more bandwidth than the keyserver network.  Why not host the
signing key on the apt repo server?

> Could keyservers cope with the load?

Good question.  Probably, but some keyserver operators might view it as
rude.  Best to ask on sks-devel at nongnu.org.





More information about the Gnupg-users mailing list