OpenPGP data in the CERT RR

Simon Josefsson jas at extundo.com
Wed Aug 7 19:09:02 CEST 2002


Werner Koch <wk at gnupg.org> writes:

> On Wed, 07 Aug 2002 13:12:08 +0200, Simon Josefsson said:
>
>> and storing all the revocation at all servers?  Size isn't a problem,
>> surely?
>
> A 100 million keys on one server?  Well not now but if it ever gets
> into really wide use this is not unrealistic.

If the average cert is 10kb, 100m keys is 1TB (if I'm calculating
properly) which is within reach even for end users today (you get
120GB for less than €200).  When there are 100m keys, hard drives will
probably not be smaller.

> Sure that is not a technical problem but it does not scale very well
> and one needs a lot of bandwidth.  I don't think that can be done by
> volunteers.  

If it is distributed between many servers (50?), DNS bandwidth won't
be a problem.  Syncing bandwidth may be a problem, but this is a
separate problem that will exist anyway.

OK, let's assume it should be solved in the DNS design.  Will
splitting it on 1 byte boundaries be enough?  Perhaps splitting several
times should be allowed.

E.g. 12.34.12.34....12.34.dnskeys.example.org.

I'm not convinced this is necessary though.

> Or does anyone want VeriSign & Co. to provide this service ;-)

If they do it for free, I won't argue but wouldn't use their server
anyway.
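The owner-name scheme sketched in this mail (key ID split into one label per byte under a key zone), as an added illustration that is not code from the thread, from GnuPG, or from any RFC: the zone name dnskeys.example.org and the helper names are assumptions, and the label width is a parameter so the "split several times" variant can be compared with the one-byte split.

```python
"""Constructed illustration of mapping an OpenPGP key ID to a DNS owner name.

The hex key ID (or fingerprint) is cut into fixed-width labels (one byte,
i.e. two hex digits, per label by default) and placed under a key zone such
as dnskeys.example.org.  The result is checked against the DNS limits of
63 octets per label and 253 characters for a name in presentation form.
"""
import re

MAX_LABEL = 63
MAX_NAME = 253  # presentation form, without the trailing dot

def cert_owner_name(key_hex: str, zone: str, bytes_per_label: int = 1) -> str:
    """Return e.g. 12.34.12.34.dnskeys.example.org for key ID 12341234."""
    key_hex = key_hex.replace(" ", "").lower()
    if not re.fullmatch(r"[0-9a-f]+", key_hex) or len(key_hex) % 2:
        raise ValueError("key ID must be an even number of hex digits")
    width = 2 * bytes_per_label  # hex digits per label
    if not 0 < width <= MAX_LABEL:
        raise ValueError("label would be empty or exceed 63 octets")
    labels = [key_hex[i:i + width] for i in range(0, len(key_hex), width)]
    name = ".".join(labels + [zone.rstrip(".")])
    if len(name) > MAX_NAME:
        raise ValueError("owner name exceeds the DNS name length limit")
    return name

def key_from_owner_name(name: str, zone: str) -> str:
    """Inverse mapping: recover the hex key ID from an owner name in `zone`."""
    suffix = "." + zone.rstrip(".")
    name = name.rstrip(".")
    if not name.endswith(suffix):
        raise ValueError("name is not under the expected key zone")
    key_hex = name[:-len(suffix)].replace(".", "")
    if not re.fullmatch(r"[0-9a-f]+", key_hex) or len(key_hex) % 2:
        raise ValueError("labels do not form a valid hex key ID")
    return key_hex

if __name__ == "__main__":
    # Constructed 20-byte fingerprint (all zeros) used only as sample input.
    sample = "00" * 20
    print(cert_owner_name(sample, "dnskeys.example.org"))
    print(cert_owner_name(sample, "dnskeys.example.org", bytes_per_label=4))
```

A 20-byte fingerprint split per byte yields 20 labels and a name well under the length limit, so the concern in the thread is lookup distribution rather than name size.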