On Wed, 23 Nov 2016 18:19, dkg@fifthhorseman.net said: > 0) turn off CRL updates entirely during s/mime signature verification The gpgsm option is --disable-crl-checks. > 1) do s/mime signature verification without CRL updates, but schedule > CRL checks to happen in the background for dirmngr, so that future > verifications will reflect the cert validity As above but use dirmngr-client--url --load-crl URLOFCRL You need to known the URL of the CRL, though. > 2) have dirmngr avoid checking CRLs that it knows it has already > updated recently A CRL carries a next-update date which is homored by dirmngr. Further dirmngr doesn't avoids to download a CRL unless 30 minutes have passed since the lassed download. > 3) tell dirmngr to use much shorter CRL fetch timeouts gpgsm -k --enable-crl-check --force-crl-refresh USERID > that's a 20-second lag between each failed check, adding up to 80 That seems to be caused by DNS lookups. For example ADNS keeps on trying even if it has received an ENETUNREACH and thus no UDP query packet has been sent out. We will very likely replace ADNS by a more flexible library in the next GnuPG version. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.