Bug 1814003 Comment 0 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

When using OpenPGP, although not ideal, people are often tempted to use "optimistic acceptance" of a key. In other words, they might receive (or find) a correspondent's OpenPGP key, and decide to accept it, without performing fingerprint verification. (This is a form of TOFU, trust on first use.)

As long as the same correspondent keeps using the same key for signing emails (with or without additional encryption), the user may feel confident that they are still talking to the same person.

Problematic scenario:

What happens if an email is received that was signed with a new key (or simply has a new key attached) for the correspondent's email address?

It could mean that the sender has legitimately decided to use a fresh key (new computer, lost old key, etc.).

Or it could mean that an attacker is sending an email with a falsified email sender header, and has a fake key in the victim's name attached. (In the hope that the recipient will import and accept that new fake key, and start using it for encryption, enabling the attacker to read those emails.)

Intention:

In the past, I had introduced a warning message for that scenario.

We are able to detect that scenario, and immediately notify the user that something unusual is going on with a received email.

The text of that warning is:
```
Warning: The new OpenPGP public key in this message differs from the public keys that you previously accepted for { $email }.
```
(openpgp-be-careful-new-key)

Bug:

This message is no longer shown immediately.
In the past, all OpenPGP notifications were hidden behind the OpenPGP label. In order to see this label, you have to first click the OpenPGP label.

And when clicked, this warning text is combined and added after a different text, which makes it less noticeable. (It's shown after the text "this message claims to contain the sender's key".)

I consider this a functional regression. In my opinion, the original intention to immediately warn the user about such an incoming email is no longer sufficiently achieved.

Expected behavior:

The warning text of string "openpgp-be-careful-new-key" should be immediately visible in the email (without having to click the OpenPGP label), and it should be shown separately from other information text.

When using OpenPGP, although not ideal, people are often tempted to use "optimistic acceptance" of a key. In other words, they might receive (or find) a correspondent's OpenPGP key, and decide to accept it, without performing fingerprint verification. (This is a form of TOFU, trust on first use.)

As long as the same correspondent keeps using the same key for signing emails (with or without additional encryption), the user may feel confident that they are still talking to the same person.

Problematic scenario:

What happens if an email is received that was signed with a new key (or simply has a new key attached) for the correspondent's email address?

It could mean that the sender has legitimately decided to use a fresh key (new computer, lost old key, etc.).

Or it could mean that an attacker is sending an email with a falsified email sender header, and has a fake key in the victim's name attached. (In the hope that the recipient will import and accept that new fake key, and start using it for encryption, enabling the attacker to read those emails.)

Intention:

In the past, I had introduced a warning message for that scenario.

We are able to detect that scenario, and immediately notify the user that something unusual is going on with a received email.

The text of that warning is:
```
Warning: The new OpenPGP public key in this message differs from the public keys that you previously accepted for { $email }.
```
(openpgp-be-careful-new-key)

Bug:

This message is no longer shown immediately.
In bug 1647039, a change was made to hide all OpenPGP notifications behind the OpenPGP label. In order to see this warning message, you have to first click the OpenPGP label.

And when clicked, this warning text is combined and added after a different text, which makes it less noticeable. (It's shown after the text "this message claims to contain the sender's key".)

I consider this a functional regression. In my opinion, the original intention to immediately warn the user about such an incoming email is no longer sufficiently achieved.

Expected behavior:

The warning text of string "openpgp-be-careful-new-key" should be immediately visible in the email (without having to click the OpenPGP label), and it should be shown separately from other information text.
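The check the report describes (compare a key attached to an incoming message against the keys previously accepted for that sender, and raise the new-key warning as its own notice rather than appending it to the informational text), written out as an added example. This is not Thunderbird's code; the `AcceptedKeys` store, the `evaluate_attached_key` function and the fingerprints used below are constructed for illustration.

```python
"""Added example (not Thunderbird code): a minimal TOFU check for OpenPGP keys
attached to incoming mail, modelled on the scenario in the bug report.
All names, fingerprints and messages below are constructed for illustration."""
from dataclasses import dataclass, field

# Text of the warning from the report (string id openpgp-be-careful-new-key).
WARNING_NEW_KEY = ("Warning: The new OpenPGP public key in this message differs "
                   "from the public keys that you previously accepted for {email}.")
# Informational text the warning was being appended to.
INFO_HAS_KEY = "This message claims to contain the sender's key."


@dataclass
class Notice:
    level: str   # "warning" or "info"
    text: str


@dataclass
class AcceptedKeys:
    """Email address -> set of key fingerprints the user accepted earlier (TOFU).
    Assumed in-memory stand-in for the client's key store."""
    by_email: dict = field(default_factory=dict)

    def accept(self, email: str, fingerprint: str) -> None:
        self.by_email.setdefault(email.lower(), set()).add(_norm(fingerprint))


def _norm(fingerprint: str) -> str:
    # Fingerprints are compared case-insensitively and without grouping spaces.
    return fingerprint.replace(" ", "").upper()


def evaluate_attached_key(sender_email: str, attached_fingerprint, store: AcceptedKeys):
    """Return the notices to show for a message that carries an OpenPGP key.

    Warnings come first and are separate Notice objects, so a client can surface
    the new-key warning immediately instead of hiding it behind a label or
    concatenating it after the informational text."""
    if attached_fingerprint is None:
        return []                      # no key attached: nothing to evaluate
    warnings, infos = [], [Notice("info", INFO_HAS_KEY)]
    accepted = store.by_email.get(sender_email.lower(), set())
    # A sender with no previously accepted key is the first-use case: there is
    # nothing to compare against, so only the informational notice is produced.
    if accepted and _norm(attached_fingerprint) not in accepted:
        warnings.append(Notice("warning", WARNING_NEW_KEY.format(email=sender_email)))
    return warnings + infos


def has_new_key_warning(notices) -> bool:
    return any(n.level == "warning" for n in notices)


if __name__ == "__main__":
    store = AcceptedKeys()
    # Constructed fingerprint for a correspondent whose key was accepted earlier.
    store.accept("alice@example.com", "1111 2222 3333 4444 5555 6666 7777 8888 9999 0000")
    # Same sender address, different key: this is the case the report wants flagged.
    for n in evaluate_attached_key("alice@example.com", "AAAA" * 10, store):
        print(f"[{n.level}] {n.text}")
```

The ordering and the separate `Notice` objects are the point: the caller can show every `warning`-level notice unconditionally in the message view and leave only the `info`-level text behind the OpenPGP label.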
