Page MenuHome GnuPG

Add spare space to the keybox to always allow the import of revocations.
Open, LowPublic


The keybox has a hard limit on the size of a keyblock of currently 5 MiB. It may happen that the keyblock is just below that size and a user wants to import a revocation certificate - for any object of the key or for the keyblock itself. This may fail in this case. To fix this we should have a soft limit and a hard limit where the latter is used only when importing revocations.

Some thoughts:

  1. Entire key revocations: Only a few extra bytes are required.
  2. User id revocation: A bit more space require but the number of user ids can be assumed to be a low number for real keys
  3. Subkey revocation: There might be more subkeys than user ids but the number will still be low.
  4. key-signature revocations: This can be used for a DoS and thus they need to be capped at the soft-limit like all other objects.

Event Timeline

Once a revocation is added (to any part of the certificate), perhaps all the certification packets that are clearly made obsolete by the revocation could be dropped from the certificate? That would certainly free up space to be able to import additional revocations if needed.

werner lowered the priority of this task from Normal to Low.Oct 28 2022, 9:19 AM