CRL checking in dirmngr (Was: Re: [PATCH 2/3] dirmngr: add system CAs if no hkp-cacert is given)
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Nov 18 06:47:55 CET 2016
On Sat 2016-11-05 07:52:07 +0900, Kristian Fiskerstrand wrote:
> Since dirmngr already has CRL checking capabilities, at least OneCRL
> checking is likely a good idea to implement. It'd also be nice if CRL is
> checked for specific CA, e.g. in the case of
> https://sks-keyservers.net/ca/crl.pem for hkps.pool.sks-keyservers.net
Kristian, do you have a patch for this? Now that the sks-keyservers
pool CA is being shipped and used automatically, this seems like an
important step.
How frequently do you think it should be checked? What if there were a
policy to refresh it infrequently? Without creating something that
"phones home", we could have a simple policy like:
* if use-tor is enabled, and
* if the list of configured keyservers includes
hkps.pool.sks-keyservers.net, and
* the CRL "Next at" update check is expired
then refresh it?
--dkg
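The three-condition refresh policy sketched in the message above, as an added example that is not part of the original mail and is not dirmngr's code. It assumes a simplified dirmngr-style config (`use-tor` as a bare option, `keyserver <url>` lines, `#` comments) and takes the CRL's nextUpdate as the raw X.509 time string (UTCTime or GeneralizedTime per RFC 5280) rather than parsing a CRL file; the config text and timestamps below are constructed.

```python
"""Hypothetical CRL refresh policy for the sks-keyservers pool CA.

Added example modelled on the policy proposed in the mail; not dirmngr code.
Refresh only when: use-tor is on, the configured keyservers include the
pool host, and the CRL's nextUpdate has passed (or is about to).
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Host named in the mail; the CRL URL for its CA is the one quoted there.
POOL_HOST = "hkps.pool.sks-keyservers.net"


def parse_config(text):
    """Parse a simplified dirmngr/gpg-style config (assumption: one option
    per line, optional argument, '#' starts a comment).
    Returns (use_tor, [keyserver URLs])."""
    use_tor = False
    keyservers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "use-tor":
            use_tor = True
        elif key == "keyserver" and value:
            keyservers.append(value)
    return use_tor, keyservers


def keyserver_host(url):
    """Host part of a keyserver URL; bare hostnames are treated as hkp://."""
    parsed = urlparse(url if "://" in url else "hkp://" + url)
    return (parsed.hostname or "").lower()


def parse_x509_time(s):
    """Parse an X.509 UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime
    (YYYYMMDDHHMMSSZ), the encodings RFC 5280 allows for nextUpdate."""
    if not s.endswith("Z"):
        raise ValueError("only UTC ('Z') times are supported")
    body = s[:-1]
    if len(body) == 12:            # UTCTime: two-digit year, 50..99 => 19xx
        yy = int(body[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = body[2:]
    elif len(body) == 14:          # GeneralizedTime: four-digit year
        year = int(body[:4])
        rest = body[4:]
    else:
        raise ValueError("unexpected time length: %r" % s)
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def crl_refresh_due(config_text, next_update, now, skew=timedelta(hours=1)):
    """Apply the proposed policy. Returns (should_refresh, reason).

    'skew' lets a fetch happen shortly before nextUpdate so the cached CRL
    does not sit expired while the next check is still pending."""
    use_tor, keyservers = parse_config(config_text)
    if not use_tor:
        return False, "use-tor is not enabled"
    if POOL_HOST not in {keyserver_host(u) for u in keyservers}:
        return False, "pool keyserver not configured"
    expires = parse_x509_time(next_update)
    if now + skew < expires:
        return False, "cached CRL valid until %s" % expires.isoformat()
    return True, "CRL nextUpdate %s reached" % expires.isoformat()


if __name__ == "__main__":
    # Constructed config and timestamps for a quick run.
    cfg = "use-tor\nkeyserver hkps://hkps.pool.sks-keyservers.net  # pool\n"
    when = datetime(2016, 12, 2, tzinfo=timezone.utc)
    print(crl_refresh_due(cfg, "161201000000Z", when))
```

The privacy trade-off in the proposal is visible in the decision order: without `use-tor` the function never reports a refresh as due, so a stale CRL is accepted rather than making an attributable network fetch.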