Hi,

At Tue, 20 Jun 2017 15:34:44 +0200, martin f krafft wrote:

> I've spent some time trying to figure out how to make actual use of
> the web-of-trust (the "pgp" trust-model), and I am turning to this
> list for some advice, related to a couple of questions:
>
> 1. My public keyring has several thousand keys and "weighs" almost
> 500Mb. Every couple of runs, I'm told to run --check-trustdb,
> which takes several minutes to complete, then tells me that the
> next run will be in like 2 weeks, but three operations later, I'm
> again being asked to run --check-trustdb. The funny thing is that
> these operations are just message signing and authentication,
> sometimes decryption. However, parcimonie is running in the
> background, updating the keyring one key at a time. Is that the
> reason? If yes, is there any way to mitigate this? I've sketched
> out an idea under (3.) below, but maybe there's another way…?

You figured it out: whenever your keyring is updated, 'gpg --check-trustdb' needs to be run. This is normally done on demand, which is annoying for even moderately sized keyrings. You can disable this behavior by setting no-auto-check-trustdb in your gpg.conf file. In that case, you'll want to run 'gpg --check-trustdb' periodically to integrate new keys, expiry information, revocations, etc. You can do this in the background via e.g. a cron job.

> 2. I've also tried running --update-trustdb, but it seems that this
> process is *endless*. I have no idea how many keys remain, and
> I also got the impression that I keep seeing keys I already
> processed. How do you approach this? Or does everyone just use
> tofu these days?

Since I don't trust most people to sign keys correctly, I just invoke 'gpg --edit-key' (and use the trust subcommand) on the specific keys that I want to have as trusted introducers.

> 3. Is there a way to run --check-trustdb or --update-trustdb not
> over the entire key graph, but only traversing to a certain depth
> starting from a specific key? Then I could tell parcimonie to run
> --check-trustdb for every key it imports, or have mutt run
> --update-trustdb for every key I want to use. This would
> iteratively achieve the job with the benefit that no cycles would
> be wasted processing trust for keys I never use. I understand
> --edit-key can be used to change the ownertrust, but I don't
> think it recomputes the WoT on change, does it?
>
> If there's no way to do this yet, would this be a useful addition
> to the UI, assuming it's technically possible?

This isn't easy given the current implementation: GnuPG doesn't store the graph, but traverses the graph and only saves whether a particular key is trusted.

> 4. Is there a tool to visualise or explain the computed validity of
> a key? I.e. one saying that e.g. Werner's key is valid because
> Daniel signed it, and I fully trust Daniel?

There's wotsap, but

> I want to analyse my own keyring, not a .wot file…

See my answer to #3: this is not currently possible.

> 5. Has anyone come up with a smart way to keep pubring/trustdb
> synchronised between multiple workstations? This is a pain.

Something along the lines of the following should work:

  gpg --export | ssh host gpg --import

:)

Neal

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
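As an added illustration of the answers to (1) and (5) above (example script, not from Neal's reply or the GnuPG project): it sets no-auto-check-trustdb in a gpg.conf idempotently, emits a cron line for the periodic check, and syncs a keyring to another workstation. It goes one step beyond the reply by also shipping ownertrust assignments with --export-ownertrust / --import-ownertrust, since the trustdb itself is derived data the remote can recompute; the function names, the 03:15 schedule and the remote host are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumes GnuPG 2.x on
# both machines and ssh access to the remote workstation.
set -eu

# Add `no-auto-check-trustdb` to a gpg.conf exactly once (hypothetical helper).
# Prints "added" or "already set" so the caller can see what happened.
ensure_no_auto_check() {
    conf=$1
    [ -f "$conf" ] || : > "$conf"
    if grep -qx 'no-auto-check-trustdb' "$conf"; then
        printf 'already set\n'
    else
        printf 'no-auto-check-trustdb\n' >> "$conf"
        printf 'added\n'
    fi
}

# Cron entry that runs the trust check daily at 03:15 (schedule is an
# assumption); pass the gpg binary to use, defaulting to "gpg".
cron_line() {
    printf '15 3 * * * %s --batch --quiet --check-trustdb\n' "${1:-gpg}"
}

# Push public keys plus ownertrust to another workstation and rebuild its
# trustdb there. The export/import pipe is Neal's; the ownertrust pipe is
# the extra step needed so both hosts compute the same validity.
sync_to() {
    remote=$1
    gpg --export | ssh "$remote" gpg --import
    gpg --export-ownertrust | ssh "$remote" gpg --import-ownertrust
    ssh "$remote" gpg --check-trustdb
}
```

Run `ensure_no_auto_check ~/.gnupg/gpg.conf`, add the output of `cron_line` to your crontab, and call `sync_to otherhost` whenever the local keyring changes.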