Add spare space to the keybox to always allow the import of revocations.
Open, NormalPublic

Description

The keybox has a hard limit on the size of a keyblock of currently 5 MiB. It may happen that the keyblock is just below that size and a user wants to import a revocation certificate - for any object of the key or for the keyblock itself. This may fail in this case. To fix this we should have a soft limit and a hard limit where the latter is used only when importing revocations.

Some thoughts:

  1. Entire key revocations: Only a few extra bytes are required.
  2. User id revocation: A bit more space require but the number of user ids can be assumed to be a low number for real keys
  3. Subkey revocation: There might be more subkeys than user ids but the number will still be low.
  4. key-signature revocations: This can be used for a DoS and thus they need to be capped at the soft-limit like all other objects.
dkg added a subscriber: dkg.Jul 4 2019, 10:21 PM

Once a revocation is added (to any part of the certificate), perhaps all the certification packets that are clearly made obsolete by the revocation could be dropped from the certificate? That would certainly free up space to be able to import additional revocations if needed.

werner moved this task from Backlog to Wishlist on the gnupg (gpg22) board.Fri, Aug 23, 10:51 AM