auto refresh for expired certificates

Hauke Laging mailinglisten at
Sat Oct 25 20:09:13 CEST 2014


I would like to suggest a new option for GnuPG (mainly intended for the 
config file) which would automatically try to import an update for the 
certificate if it has expired (both from the standard key server and 
from the preferred one if set).

I guess that many users don't understand that in case of certificate 
expiration it is often the solution to just refresh the certificate. 
This feature would avoid problems for these users (and encourage the use 
of expiration dates which IMHO is useful). Of course, this could be done 
in the GUIs but this seems to be a trivial extension and would avoid 
having to wait for all GUIs to care. And it's not on "high GUI level" 
but relevant for console usage, too.

In the long term each certificate should get a timestamp entry in 
trustdb for the last update check. With that a new option could be 
defined which causes gpg to check for updates of a certain certificate 
if it is to be used and has not been checked for updates for more than x 
days. Refresh discipline seems to me to be a serious problem. And just 
checking the whole key ring every x days would be a waste of resources 
(especially on the key servers).

Crypto for everyone:
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
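
A sketch of the behaviour proposed in the message above, written as a shell wrapper around gpg. It is an added example, not part of the original post and not GnuPG code. The function names, `STATE_DIR` and `MAX_DAYS` are assumptions, and the last-check timestamp is kept in one file per fingerprint rather than in trustdb.

```sh
# Added example, not GnuPG code. STATE_DIR and MAX_DAYS are assumptions.
STATE_DIR="${STATE_DIR:-$HOME/.gnupg/last-refresh}"
MAX_DAYS="${MAX_DAYS:-7}"        # the "x days" of the proposal

# stdin: `gpg --list-keys --with-colons`. Prints the primary fingerprint of each
# certificate whose primary key or any subkey has validity "e" (expired).
expired_fprs() {
    awk -F: '
        function flush() { if (expired && fpr ~ /^[0-9A-F]+$/) print fpr }
        $1 == "pub" { flush(); fpr = ""; expired = ($2 == "e"); primary = 1; next }
        $1 == "sub" { if ($2 == "e") expired = 1; primary = 0; next }
        $1 == "fpr" && primary { fpr = $10; primary = 0 }
        END { flush() }'
}

# True if fingerprint $1 has no recorded check, or none within MAX_DAYS of epoch $2.
needs_check() {
    last=$(cat "$STATE_DIR/$1" 2>/dev/null || echo 0)
    case $last in ''|*[!0-9]*) last=0 ;; esac   # never do arithmetic on junk
    [ $(( $2 - last )) -gt $(( MAX_DAYS * 86400 )) ]
}

# Record epoch $2 as the last update check for fingerprint $1.
mark_checked() { mkdir -p "$STATE_DIR" && printf '%s\n' "$2" > "$STATE_DIR/$1"; }

# Refresh expired, stale certificates; honor-keyserver-url uses a preferred key server if set.
refresh_expired() {
    now=$(date +%s)
    gpg --batch --list-keys --with-colons | expired_fprs | while read -r fpr; do
        needs_check "$fpr" "$now" || continue
        gpg --batch --keyserver-options honor-keyserver-url \
            --refresh-keys "$fpr" </dev/null && mark_checked "$fpr" "$now"
    done
}

# Constructed listing (no real keys): expired primary, expired subkey, valid.
sample_listing() {
    cat <<'EOF'
pub:e:2048:1:1111111111111111:1300000000:1400000000::-:::sc:
fpr:::::::::1111111111111111111111111111111111111111:
pub:u:4096:1:3333333333333333:1300000000:::u:::sc:
fpr:::::::::3333333333333333333333333333333333333333:
sub:e:4096:1:4444444444444444:1300000000:1400000000:::::e:
fpr:::::::::4444444444444444444444444444444444444444:
pub:f:4096:1:5555555555555555:1300000000:::-:::sc:
fpr:::::::::5555555555555555555555555555555555555555:
EOF
}
[ "${1:-}" != demo ] || sample_listing | expired_fprs
```

Run the file with the argument `demo` to see the parser on the constructed listing; source it and call `refresh_expired` to act on the real key ring. A failed refresh leaves the timestamp untouched, so the certificate is retried on the next run.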