Looking up keys from a massive store

Werner Koch wk at gnupg.org
Thu Aug 31 18:30:30 CEST 2017

On Wed, 30 Aug 2017 21:06, rick at openfortress.nl said:

> for the number of keys.  That would probably hit us too.  If I've seen it
> correctly, the keybox format mentioned there is not part of today's gnupg.

The keybox is the default for new installations (that is if there is no
pubring.gpg) since 2.1.  I implemented it so that (iirc) we were able to do
20 signature verifications from a random set of keys out of 30000 keys
within a second.  Unfortunately recent changes to internal workings
dropped the performance again.

> What key search method would you recommend that is scalable to many keys and
> to many signatures being placed in parallel?  Or is it perhaps an idea to
> create public keyrings just for the purpose of one email being sent?  [No
> idea if that is possible at all, let alone how, just thinking out loud.]

Try to use the fingerprint.  That will always be the fastest way to
access the key material.

> FWIW, the intention is to fill the LDAP store with keys that are submitted
> over email, and accepted based on DKIM signatures on the email.  Email that
> is sent would be automatically encrypted with PGP, and DKIM would sign the
> entire message in the mail server.

If you want to encrypt only, there may be a simpler way: The new option
-F takes a file with a single key and encrypts to that key, without any
need to access the public keyring.  We use it for example in our Web Key
Directory tools to run a challenge-response protocol.  See
gnupg/tools/gpg-wks-server.c for some hints but I can also explain usage
if you explain your protocol in more detail.

Thoughts are free.  Exceptions are governed by a federal law.
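The two recommendations in the reply, as an added example (not code from the message, from the thread, or from GnuPG itself): index a large key store by full fingerprint so that a lookup is a single exact hash probe, and encrypt to one key held in a file so the public keyring is never opened. The colon-listing field positions follow GnuPG's documented `--with-colons` output; the sample listing, the key IDs and fingerprints in it, and the file names are constructed. The gpg invocation uses the long option `--recipient-file` for the keyring-free encryption the message describes.

```python
"""Added example, not code from the message or from GnuPG itself.

  1. index a large key store by *full* fingerprint, so a lookup is one
     hash probe and never ambiguous (32-bit key IDs can collide);
  2. encrypt to a single key held in a file with --recipient-file, so the
     public keyring is never consulted.

Field positions follow GnuPG's documented --with-colons format; the
listing below is constructed sample data.
"""
import shutil
import subprocess
from typing import Dict, List, Optional

# Constructed output in the style of `gpg --with-colons --fingerprint --list-keys`.
# The two primary keys have different long key IDs but share the low 32 bits
# ("33334444"), so a short-key-ID lookup is ambiguous while a fingerprint
# lookup is exact.  The `sub` record carries its own fpr, which must not be
# indexed as a primary key.
SAMPLE_LISTING = """\
tru::1:1504190000:0:3:1:5
pub:u:4096:1:1111222233334444:1504000000:::u:::scESC::::::23::0:
fpr:::::::::AAAA0000AAAA0000AAAA00001111222233334444:
uid:u::::1504000000::0123456789ABCDEF0123456789ABCDEF01234567::Alice Example <alice@example.org>::::::::::0:
sub:u:4096:1:5555666677778888:1504000000::::::e::::::23:
fpr:::::::::CCCC0000CCCC0000CCCC00005555666677778888:
pub:u:2048:1:ABCDEF0133334444:1504000100:::u:::scESC::::::23::0:
fpr:::::::::BBBB0000BBBB0000BBBB0000ABCDEF0133334444:
uid:u::::1504000100::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Bob Example <bob@example.org>::::::::::0:
"""


def _normalise(hexid: str) -> str:
    """Accept '0x' prefixes, spaces and lower case, as gpg does."""
    h = hexid.strip().replace(" ", "").upper()
    return h[2:] if h.startswith("0X") else h


class KeyIndex:
    """In-memory index of primary keys keyed by full fingerprint."""

    def __init__(self) -> None:
        self.by_fpr: Dict[str, dict] = {}
        self.by_short_keyid: Dict[str, List[str]] = {}  # low 32 bits -> fingerprints

    @classmethod
    def from_colon_listing(cls, text: str) -> "KeyIndex":
        idx = cls()
        current: Optional[dict] = None
        for line in text.splitlines():
            f = line.split(":")
            if f[0] == "pub":
                current = {"keyid": f[4], "bits": int(f[2]), "uids": []}
            elif f[0] == "sub":
                current = None  # the following fpr record belongs to a subkey
            elif f[0] == "fpr" and current is not None:
                fpr = f[9].upper()  # field 10 of an fpr record is the fingerprint
                current["fpr"] = fpr
                idx.by_fpr[fpr] = current
                idx.by_short_keyid.setdefault(fpr[-8:], []).append(fpr)
            elif f[0] == "uid" and current is not None:
                current["uids"].append(f[9])  # field 10 of a uid record is the user ID
        return idx

    def lookup_fingerprint(self, fpr: str) -> Optional[dict]:
        """Exact O(1) lookup: the fast path the reply recommends."""
        return self.by_fpr.get(_normalise(fpr))

    def lookup_short_keyid(self, keyid: str) -> List[dict]:
        """May return several keys; the caller has to disambiguate."""
        short = _normalise(keyid)[-8:]
        return [self.by_fpr[f] for f in self.by_short_keyid.get(short, [])]


def recipient_file_argv(key_file: str, infile: str, outfile: str) -> List[str]:
    """gpg command line that encrypts to the single key stored in key_file.

    --recipient-file reads the key from the file, so no keyring lookup
    happens; gpg treats that key as fully valid.
    """
    return ["gpg", "--batch", "--yes", "--encrypt",
            "--recipient-file", key_file, "--output", outfile, infile]


def encrypt_to_key_file(key_file: str, infile: str, outfile: str) -> Optional[int]:
    """Run the invocation; returns gpg's exit code, or None if gpg is absent."""
    if shutil.which("gpg") is None:
        return None
    argv = recipient_file_argv(key_file, infile, outfile)
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    idx = KeyIndex.from_colon_listing(SAMPLE_LISTING)
    print(idx.lookup_fingerprint("AAAA0000 AAAA0000 AAAA0000 1111 2222 3333 4444"))
    print("0x33334444 matches", len(idx.lookup_short_keyid("0x33334444")), "keys")
    print(" ".join(recipient_file_argv("alice.asc", "mail.txt", "mail.txt.gpg")))
```

Feeding real `gpg --with-colons --fingerprint --list-keys` output into `KeyIndex.from_colon_listing` gives the same index for a real store; the subkey guard matters there because every subkey also emits an `fpr` record.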