2 Q's
Andrew Gallagher
andrewg at andrewg.com
Wed Aug 17 16:36:05 CEST 2016
On 17/08/16 14:52, Robert J. Hansen wrote:
>> That sounds like an argument for marking downloaded local copies of
>> public keys stale after a certain period, similarly to DNS TTL...
>
> That suggestion fills me with horror. Key management is *already* a
> nightmare without adding this to it.
;-) Key management is a nightmare whether you add tests or not. At
least with tests you *know* how bad it is...!
The above suggestion would only be workable in combination with
auto-key-locate, of course. A prompt to proceed with a stale key in the
case of limited network access might also be useful. But the
substantial point is that a) regular key refreshes should be default
behaviour and b) failure to refresh keys on time should be an error.
> Better by far to provide a cronjob that can do the refreshing
> automatically -- or, on Windows, to write a service to do it.
Parcimonie already exists. But it's an optional extra that most people
don't install (or even know of). People shouldn't be expected to
install or configure extras before they have a (safely) usable system.
A
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20160817/5aa2a454/attachment.sig>
More information about the Gnupg-users
mailing list