ietf-openpgp

Hash of Keys and Sync of Servers

1998-06-15 07:43:11
-----BEGIN PGP SIGNED MESSAGE-----

Hi,

I had made this proposal last year but never heard anything back on it so
I thought I would bring it up again.

I would like to see the ability to retrieve the hash of a key from the
database. This would be a hash of the complete key (key, userid's, sigs).

This hash would be used for comparing two keys without having to download
the key from a server. 

The user would send the keyID to the server requesting the hash.

The server would return the hash of the key.

The user would compare the hash to a locally generated hash.

If the hashes match then no further action is needed.

If the hashes are different then:

The user downloads the key and updates his keyring.

The user then generates a new local hash of the key.

If the hashes are still different then the user uploads the key to the
server.


Calculations of local hashes:

Local hashes consist of:

Public Key
UserID's
Exportable Signatures (this includes self sigs and revocation sigs)

Trust packets and non-exportable sigs are not used in the local hash
calculations.

Preferably the server would accept a list of keyID's to query for hashes
to cut down on traffic. A maximum number of keys per query could be set by
the server to prevent it from being overloaded by large requests.

Key hashes would be stored in the server DB and hashes would only be
calculated by the server when a key is added/updated. This will cause a
slight increase in the size of the DB but would be well compensated by the
saving of time in doing the calculations on a per request basis.

This could also be used for sync of the various servers. Periodically the
public servers could publish an index of all their keys and corresponding
hashes. Sync sites would use this list to compare to their current DB of
keys.

Some form of agreement between the sync sites should be made of when the
hash lists will be published and when the syncing of servers should take
place. It might be a good idea for two servers that are in the process of
syncing to go "off-line" during the sync process.

I have not done any time trials on this yet but IMHO such a sync process
should be relatively fast. Hash lists should be ~234k per 100,000 keys
(64bit keyID and 128bit MD5 hash). If the servers have pre-calculated and
stored the key hashes and are working with sorted hash lists (by keyID)
then a quick diff of the list and then corresponding key exchange of the
keys should not take too much time or bandwidth.

The sync process should be of a master-slave relationship:

The master site publishes the hash list.

The slave site requests the list and compares to his local list.

The slave site requests keys based on the diff of the two lists.

The slave recalcs the hashes of the updated/new keys.

The slave compares the new hashes to the master hash list.

The slave uploads keys based on second diff.

The master treats these uploads as it would any other key upload and
propagates them to his sync sites.

I think that a monthly sync to start with would work quite well for
keeping all the servers in sync and keeping the work involved in a sync to
a manageable level. Depending on how much time it takes to create a hash
list the master server may wish to create the hash list "on demand" of a
slave site.


I am going to CC this over to the OpenPGP list to see what they think of
this.

- -- 
- ---------------------------------------------------------------
William H. Geiger III  http://users.invweb.net/~whgiii
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 5.0 at: http://users.invweb.net/~whgiii/pgp.html
- ---------------------------------------------------------------
 
Tag-O-Matic: PATH=C:\DOS;C:\DOS\RUN;C:\WIN\CRASH\DOS;C:\ME\DEL\WIN

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a-sha1
Charset: cp850
Comment: Registered_User_E-Secure_v1.1b1_ES000000

iQCVAwUBNYU1iI9Co1n+aLhhAQFmAQP/VuKOVXAiT8XDaACazkzsU0y0NUW5pOfT
mEjbOt9DNePHB5qzHR9U8icWh1LZRWLWrq8Ko8ktevX86zpVIlsIEoyr8NVBGeC2
uzJkwhL551ZqbgZzwoJdVRIf3ODZkNMvZIlt3CNr6ib9mZ35z/uAvMyJ41wIN+xR
cLDs851LL1c=
=lwfa
-----END PGP SIGNATURE-----
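
The master-slave sync described in the message, as an added example that is not part of the original post or of any keyserver's code. Assumptions: the (kind, body, exportable) packet model, the sorted and length-prefixed hash input, SHA-256 in place of the MD5 the message mentions, and all key IDs and packet bodies are constructed for illustration.

```python
import hashlib

# Constructed model (assumption, not OpenPGP wire format): a key is a list of
# (kind, body, exportable) packets; kinds "pubkey", "userid", "sig", "trust".
def export(packets):
    """Packets that may leave the local keyring: no trust, no local-only sigs."""
    return [p for p in packets if p[0] != "trust" and p[2]]

def key_hash(packets):
    """Hash over public key, user IDs and exportable signatures only."""
    h = hashlib.sha256()  # swapped in for the 128-bit MD5 in the message
    for kind, body, _ in sorted(set(export(packets))):  # order-independent
        for field in (kind.encode(), body):
            # Length prefix keeps packet boundaries unambiguous.
            h.update(len(field).to_bytes(4, "big") + field)
    return h.hexdigest()

def hash_list(db):
    return {key_id: key_hash(pkts) for key_id, pkts in db.items()}

def merge(mine, theirs):
    return sorted(set(mine) | set(theirs))

def sync(master, slave):
    """Master-slave sync from the message; returns (fetched, uploaded) key IDs."""
    m_list = hash_list(master)                 # master publishes its hash list
    s_list = hash_list(slave)
    fetch = sorted(k for k in m_list if s_list.get(k) != m_list[k])
    for k in fetch:                            # first diff: slave pulls keys
        slave[k] = merge(slave.get(k, []), master[k])
    s_list = hash_list(slave)                  # slave recalculates hashes
    upload = sorted(k for k in s_list if m_list.get(k) != s_list[k])
    for k in upload:                           # second diff: slave pushes keys
        master[k] = merge(master.get(k, []), export(slave[k]))
    return fetch, upload

# Constructed sample databases (key IDs and packet bodies are made up).
def sample():
    alice = [("pubkey", b"K1", True), ("userid", b"alice", True), ("sig", b"self", True)]
    master = {"0xA1": alice + [("sig", b"bob-cert", True)],
              "0xB2": [("pubkey", b"K2", True), ("userid", b"bob", True)]}
    slave = {"0xA1": alice + [("sig", b"carol-cert", True), ("trust", b"\x05", False),
                              ("sig", b"local-only", False)],
             "0xC3": [("pubkey", b"K3", True), ("userid", b"carol", True)]}
    return master, slave

if __name__ == "__main__":
    master, slave = sample()
    print(sync(master, slave))
```

The upload step filters through export() so trust packets and non-exportable signatures never reach the master, which is also why both sides end with identical hash lists even though the slave's keyring still holds local-only data.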


