
Make it possible to re-import a PGP key if details have changed

Open BjarniRunar opened this issue 7 years ago • 2 comments

Currently it's relatively common for people to take an OpenPGP key which is expiring, and simply change the expiration date and start sending that around. Other details, such as UIDs (names, e-mails) may also change over time.

Mailpile should ideally automatically import such an updated key from incoming e-mail (Autocrypt headers or attachments), if it is on the keychain already. As a weaker fall-back, the manual tools for importing keys should also recognize the updated key as "new" and worthy of attention.

Relates to #1869 and #733.

BjarniRunar, Oct 15 '18 19:10

At present, keys are imported only when the user composes an email to a user. The user has to click on a Find Encryption Keys or Show Encryption Keys button to display a list of keys and press on an Import Key button to explicitly accept a key. This ensures that the user has control over keys that are accepted for use by Mailpile.

Those buttons can be accessed in two ways from the Compose screen:

  • If the user enters an email address in the To:, Cc: or Bcc: field, then hovers over the email address, a pop-up containing the button appears.
  • If the user requests encryption by clicking on the open lock icon at the bottom right, and one or more of the email addresses in the To:, Cc: or Bcc: fields does not have a key available for use (as defined by the VCard for that email address; note that simply having the key on the keychain does not make it available for use by Mailpile), then a Cannot Encrypt pop-up appears listing the addresses for which keys are required and showing a button for each.

Automatic key import or update would substantially change the way that Mailpile handles keys. Also there's a potential vulnerability to an attacker who can add many bogus signatures to an otherwise legitimate key so that it becomes big enough to cause problems. (Note that Autocrypt mitigates this vulnerability by requiring minimal keys containing self-signatures only. So automation could be possible within the Autocrypt part of Mailpile.)

It is therefore suggested that a "re-import" capability be initially implemented by having the existing Show Encryption Keys button list the new version of a key so that the user can choose to accept it. Preferably it could concisely state how the updated key is different.

JackDca, Aug 01 '19 14:08
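To make the "concisely state how the updated key is different" idea concrete, here is an added example (not Mailpile's code): it parses two constructed `gpg --with-colons --list-sigs` listings of the same key and reports expiry, UID and third-party-signature changes, with an assumed signature-count threshold standing in for the key-bloat concern raised above. The key id, fingerprint, dates and names are placeholders.

```python
# Added example, not Mailpile code: diff two versions of one OpenPGP key as
# printed by `gpg --with-colons --list-sigs`, so a re-import prompt can say
# what changed. Listings are constructed; ids, dates and names are placeholders.
import datetime
OLD_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1500000000:1600000000::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1500000000::ABCDEF::Alice Example <alice@example.com>::::::::::0:
"""
NEW_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1500000000:1700000000::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1500000000::ABCDEF::Alice Example <alice@example.com>::::::::::0:
uid:u::::1650000000::123456::Alice Example <alice@work.example>::::::::::0:
sig:::1:0123456789ABCDEF:1650000000::::Alice Example <alice@work.example>:13x::
sig:::1:FEDCBA9876543210:1650000000::::Mallory <mallory@example.net>:10x::
"""

def parse_listing(text):
    # Fields per gpg's doc/DETAILS: 5 = key id, 7 = expiry, 10 = fingerprint/uid; only non-self sigs are counted.
    key = {"fpr": None, "expires": None, "uids": [], "foreign_sigs": 0}
    keyid = None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keyid, key["expires"] = f[4], (int(f[6]) if f[6] else None)
        elif f[0] == "fpr":
            key["fpr"] = f[9]
        elif f[0] == "uid":
            key["uids"].append(f[9])
        elif f[0] == "sig" and f[4] != keyid:
            key["foreign_sigs"] += 1
    return key
def _date(ts):
    return "never" if ts is None else datetime.datetime.fromtimestamp(
        ts, datetime.timezone.utc).strftime("%Y-%m-%d")
def describe_update(old, new, max_foreign_sigs=50):
    # [] means unchanged; max_foreign_sigs is an assumed key-bloat threshold, not a Mailpile setting.
    if old["fpr"] != new["fpr"]:
        raise ValueError("fingerprints differ: not the same key")
    changes = []
    if old["expires"] != new["expires"]:
        changes.append("expiry: %s -> %s" % (_date(old["expires"]), _date(new["expires"])))
    changes += ["new uid: %s" % u for u in new["uids"] if u not in old["uids"]]
    changes += ["removed uid: %s" % u for u in old["uids"] if u not in new["uids"]]
    if new["foreign_sigs"] > old["foreign_sigs"]:
        changes.append("%d new third-party signature(s)" % (new["foreign_sigs"] - old["foreign_sigs"]))
    if new["foreign_sigs"] > max_foreign_sigs:
        changes.append("WARNING: %d third-party signatures, possible key bloat" % new["foreign_sigs"])
    return changes
```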

This is better now.

Autocrypt will re-import keys if they've changed. The keytofu mechanism will also try to import new keys for a user if their key has expired; if it happens to get back the same key with an updated expiration date, that should work just fine.

I am not sure we need a manual re-import mechanism (power users can still interact with gpg directly), but I'll leave this open a bit longer to let us mull that over, and to see how well the new logic works in practice.

BjarniRunar, Oct 24 '19 16:10