Daniel Kahn Gillmor <d...@fifthhorseman.net> writes:

> 0) turn off CRL updates entirely during s/mime signature verification
>
> 1) do s/mime signature verification without CRL updates, but schedule
>    CRL checks to happen in the background for dirmngr, so that future
>    verifications will reflect the cert validity
>
> 2) have dirmngr avoid checking CRLs that it knows it has already
>    updated recently
>
> 3) tell dirmngr to use much shorter CRL fetch timeouts
>
> Any thoughts on the best way to pursue this?
>
>         --dkg

Maybe the issue is in gmime's usage of gpgme. If I understand correctly (which is far from a sure thing), pkcs7_verify calls gpgme_op_verify which is synchronous, and (apparently) does not support timeouts. An alternate strategy would be to call gpgme_op_verify_start, and then call gpgme_wait, which has a nonblocking mode. I don't really understand the S/MIME model, but naively it seems OK for signature verification to fail if the CRL check doesn't finish quickly.

d
_______________________________________________
notmuch mailing list
notmuch@notmuchmail.org
https://notmuchmail.org/mailman/listinfo/notmuch
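
The strategy suggested in the reply above (start the verification asynchronously, poll without blocking, and treat a timeout as a failed verification), as an added sketch that is not code from gmime, notmuch or gpgme. The names `wait_bounded`, `async_op`, `fake_op`, `verify_bounded` and the `USE_GPGME` switch are hypothetical; the gpgme part is only compiled when `USE_GPGME` is defined.

```c
#define _POSIX_C_SOURCE 200809L
#include <time.h>

enum wait_status { WAIT_DONE, WAIT_TIMEOUT };
/* poll() returns nonzero once the operation has finished; cancel() aborts it. */
struct async_op { int (*poll)(void *); void (*cancel)(void *); void *state; };

static long elapsed_ms(const struct timespec *start)
{
    struct timespec now;
    clock_gettime(CLOCK_MONOTONIC, &now);
    return (now.tv_sec - start->tv_sec) * 1000L + (now.tv_nsec - start->tv_nsec) / 1000000L;
}

/* Poll until finished or timeout_ms elapses. On timeout the operation is
 * cancelled, so the caller reports the signature as unverified. */
enum wait_status wait_bounded(struct async_op *op, long timeout_ms)
{
    struct timespec start, nap = { 0, 10 * 1000 * 1000 };   /* 10 ms between polls */
    clock_gettime(CLOCK_MONOTONIC, &start);
    while (!op->poll(op->state)) {
        if (elapsed_ms(&start) >= timeout_ms) {
            op->cancel(op->state);
            return WAIT_TIMEOUT;
        }
        nanosleep(&nap, NULL);
    }
    return WAIT_DONE;
}

/* Constructed stand-in for a verification that needs `polls_left` polls. */
struct fake_op { int polls_left; int cancelled; };
int  fake_poll(void *s)   { struct fake_op *f = s; return f->polls_left-- <= 0; }
void fake_cancel(void *s) { ((struct fake_op *)s)->cancelled = 1; }

#ifdef USE_GPGME   /* build with -DUSE_GPGME and link with -lgpgme */
#include <gpgme.h>
static gpgme_error_t op_err;
static int  g_poll(void *c)   { return gpgme_wait(c, &op_err, 0) != NULL; }
static void g_cancel(void *c) { gpgme_cancel(c); }

/* ctx is assumed to be set to GPGME_PROTOCOL_CMS. Returns 0 only when the
 * operation finished in time without error; the caller then inspects
 * gpgme_op_verify_result(ctx) for the per-signature status. */
int verify_bounded(gpgme_ctx_t ctx, gpgme_data_t sig, gpgme_data_t text, long ms)
{
    struct async_op op = { g_poll, g_cancel, ctx };
    if (gpgme_op_verify_start(ctx, sig, text, NULL)) return -1;
    return (wait_bounded(&op, ms) == WAIT_DONE && !op_err) ? 0 : -1;
}
#endif
```
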