Hi David, Daniel, Daniel Kahn Gillmor <[email protected]> writes:
> On Tue 2025-10-28 06:43:16 -0300, David Bremner wrote: >> The usual problem is CRL revokation checks. You can disable these in >> ~/.gnupgu/gpgsm.conf with >> >> disable-crl-checks > > David means ~/.gnupg/gpgsm.conf of course! > Thanks! This solved my problem. >> There is obviously a security tradeoff, but I guess it's better than >> disabling gpgsm completely > > fwiw, *doing* crl checks is effectively a privacy problem (e.g., it's > easy to build a a "phone home" mechanism out of a CRL if you control the > certificate issuer), as well as the efficiency problem that Xiyue Deng > is experiencing. And it's not clear that CRL checks are a particularly > strong security measure (e.g., a powerful attacker could simply block > network traffic to the CRL server). > > On balance, i recommend setting disable-crl-checks by default. > And thanks for the background info of CRL! Now I can set it with more ease of mind :) > --dkg -- Regards, Xiyue Deng
signature.asc
Description: PGP signature
_______________________________________________ notmuch mailing list -- [email protected] To unsubscribe send an email to [email protected]
