Page MenuHome GnuPG
Create Task
Maniphest T4612

Add spare space to the keybox to always allow the import of revocations.
Open, LowPublic
Actions

Description

The keybox has a hard limit on the size of a keyblock of currently 5 MiB. It may happen that the keyblock is just below that size and a user wants to import a revocation certificate - for any object of the key or for the keyblock itself. This may fail in this case. To fix this we should have a soft limit and a hard limit where the latter is used only when importing revocations.

Some thoughts:

  1. Entire key revocations: Only a few extra bytes are required.
  2. User id revocation: A bit more space require but the number of user ids can be assumed to be a low number for real keys
  3. Subkey revocation: There might be more subkeys than user ids but the number will still be low.
  4. key-signature revocations: This can be used for a DoS and thus they need to be capped at the soft-limit like all other objects.

Related Objects

Event Timeline

werner created this task.Jul 4 2019, 4:23 PM
werner mentioned this in T4591: gpg drops flooded certificates entirely if the certficate is too large, and gpg is using `pubring.kbx`.
dkg added a subscriber: dkg.Jul 4 2019, 10:21 PM

Once a revocation is added (to any part of the certificate), perhaps all the certification packets that are clearly made obsolete by the revocation could be dropped from the certificate? That would certainly free up space to be able to import additional revocations if needed.

werner moved this task from Backlog to Wishlist on the gnupg (gpg22) board.Aug 23 2019, 10:51 AM
werner edited projects, added gnupg (gpg23); removed gnupg (gpg22).Mar 18 2020, 2:23 PM

Won't happen for 2.2

werner lowered the priority of this task from Normal to Low.Oct 28 2022, 9:19 AM
werner added a project: gnupg24.Dec 13 2022, 11:21 AM