Looking up keys from a massive store
Werner Koch
wk at gnupg.org
Thu Aug 31 18:30:30 CEST 2017
On Wed, 30 Aug 2017 21:06, rick at openfortress.nl said:
> for the number of keys. That would probably hit us too. If I've seen it
> correctly, the keybox format mentioned there is not part of today's gnupg.
The keybox is the default for new installations (that is if there is no
pubring.gpg) since 2.1. I implemented it so that (iirc) we were able to do
20 signature verifications from a random set of keys out of 30000 keys
within a second. Unfortunately recent changes to internal workings
dropped the performance again.
> What key search method would you recommend that is scalable to many keys and
> to many signatures being placed in parallel? Or is it perhaps an idea to
> create public keyrings just for the purpose of one email being sent? [No
> idea if that is possible at all, let alone how, just thinking out loud.]
Try to use the fingerprint. That will always be the fastest way to
access the key material.
> FWIW, the intention is to fill the LDAP store with keys that are submitted
> over email, and accepted based on DKIM signatures on the email. Email that
> is sent would be automatically encrypted with PGP, and DKIM would sign the
> entire message in the mail server.
If you want to encrypt only, there may be a simpler way: The new option
-F takes a file with a single key and encrypts to that key, without any
need to access the public keyring. We use it for example in our Web Key
Directory tools to run a challenge-response protocol. See
gnupg/tools/gpg-wks-server.c for some hints but I can also explain usage
if you explain your protocol in more detail.
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
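The two suggestions in the reply above, shown as an added example that is not Werner's or GnuPG's own code: address a key by its full fingerprint, and encrypt to a key kept in a file with --recipient-file (the -f sibling of the -F option mentioned) so that no public keyring has to be searched at all. The test identity, homedirs and message are constructed; it assumes gpg 2.1 or later is on the PATH.

```shell
#!/bin/sh
set -eu

# Round-trips one message through both methods and prints "ok", "fail",
# or "skipped" when no gpg binary is available.
recipient_file_roundtrip() {
    command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }
    work=$(mktemp -d)
    recip="$work/recip"; sender="$work/sender"
    mkdir -m 700 "$recip" "$sender"
    # Recipient side: throwaway key for a constructed identity, exported to a file.
    GNUPGHOME="$recip" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Test <test@example.invalid>' default default never 2>/dev/null
    GNUPGHOME="$recip" gpg --batch --export test@example.invalid >"$work/recip.key"
    # Full fingerprint from machine-readable output (first "fpr" record, field 10).
    fpr=$(GNUPGHOME="$recip" gpg --batch --with-colons --list-keys test@example.invalid \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    printf 'hello\n' >"$work/msg.txt"
    # Method 1: the sender has an empty homedir (no pubring at all);
    # the recipient key is taken directly from the file.
    GNUPGHOME="$sender" gpg --batch --quiet --recipient-file "$work/recip.key" \
        --output "$work/by-file.gpg" --encrypt "$work/msg.txt" 2>/dev/null
    # Method 2: look the key up by fingerprint rather than by name or address.
    GNUPGHOME="$recip" gpg --batch --quiet -r "$fpr" \
        --output "$work/by-fpr.gpg" --encrypt "$work/msg.txt" 2>/dev/null
    # Recipient decrypts both ciphertexts with its own secret key.
    a=$(GNUPGHOME="$recip" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --decrypt "$work/by-file.gpg" 2>/dev/null)
    b=$(GNUPGHOME="$recip" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --decrypt "$work/by-fpr.gpg" 2>/dev/null)
    # Stop the agents started for the temporary homedirs, then clean up.
    gpgconf --homedir "$recip" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$sender" --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    if [ "$a" = hello ] && [ "$b" = hello ]; then echo ok; else echo fail; fi
}

recipient_file_roundtrip
```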