Closed Bug 1633605 Opened 5 years ago Closed 5 years ago

Don't import OpenPGP keys without user ID

Categories

(MailNews Core :: Security: OpenPGP, enhancement)

Tracking

(Not tracked)

RESOLVED FIXED
Thunderbird 77.0

People

(Reporter: KaiE, Assigned: KaiE)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

The keyserver keys.openpgp.org strips keys. If a key owner hasn't opted in to have their user ID published, the keyserver will strip away all user ID information.

In order to show a good signature (either verified or verified), I'd like to require that an email's sender address matches one of the signing key's user IDs. If there's no user ID, we cannot confirm a match, and we will never show a good signature.

Also, when sending encrypted email, we currently match recipient to key based on the email address seen inside a user ID. I'd like to require that this match is possible for simplification.

(Otherwise, we'd require a configuration system to map arbitrary keys to an email address. I'd prefer to avoid that for simplification purposes.)

If we agree on the requirement to have a matching user ID, then keys without a user ID don't help us.

I suggest that we don't import them at all.

I agree, importing a key without user IDs, if you don't have that key on the keyring already, does not make sense.

But updating an already existing key should be fine. In particular, it can be useful to import revocation certificates, or additional subkeys. One of the scenarios of keys.openpgp.org is that you can revoke your existing key and upload a new key for your email address. Your old key with the revocation certificate can still be found, but it won't contain any user IDs if you download it.

Blocks: 1595231
Blocks: 1634524

(In reply to Patrick Brunschwig from comment #1)

> I agree, importing a key without user IDs, if you don't have that key on the keyring already, does not make sense.

I'd like to start with this part, to ensure early Thunderbird adopters won't run into this scenario, where they have imported keys with user ID (which currently is possible).

> But updating an already existing key should be fine. In particular, it can be useful to import revocation certificates, or additional subkeys. One of the scenarios of keys.openpgp.org is that you can revoke your existing key and upload a new key for your email address. Your old key with the revocation certificate can still be found, but it won't contain any user IDs if you download it.

Good point. I have filed bug 1634524 to track that.

Assignee: nobody → kaie
Status: NEW → ASSIGNED

Pushed by kaie@kuix.de:
https://hg.mozilla.org/comm-central/rev/02a1f1405116
Don't import OpenPGP keys without user ID. r=PatrickBrunschwig DONTBUILD

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 77.0
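
Added example (not part of this bug's discussion and not Thunderbird's code): one way to apply the rule discussed above is to scan the binary OpenPGP packets for a User ID packet (tag 13) before importing. The `alreadyOnKeyring` parameter and the returned strings are hypothetical, and the "update-only" branch follows the suggestion made in comment 1, not the pushed change.

```javascript
// Added example, not Thunderbird code. Packet framing per RFC 4880, section 4.2.
const TAG_PUBLIC_KEY = 6, TAG_USER_ID = 13;

// Yield {tag, body} for each packet in a binary (non-armored) OpenPGP blob.
function* packets(buf) {
  let i = 0;
  while (i < buf.length) {
    const hdr = buf[i++];
    if (!(hdr & 0x80)) throw new Error("not an OpenPGP packet header");
    let tag, len;
    if (hdr & 0x40) {                          // new-format header
      tag = hdr & 0x3f;
      const o = buf[i++];
      if (o < 192) len = o;
      else if (o < 224) len = ((o - 192) << 8) + buf[i++] + 192;
      else if (o === 255) { len = buf.readUInt32BE(i); i += 4; }
      else throw new Error("unsupported or truncated length");
    } else {                                   // old-format header
      tag = (hdr >> 2) & 0x0f;
      const lenType = hdr & 0x03;
      if (lenType === 3) throw new Error("indeterminate length not handled");
      const n = 1 << lenType;                  // 1, 2 or 4 length octets
      len = buf.readUIntBE(i, n);
      i += n;
    }
    if (!(i + len <= buf.length)) throw new Error("truncated packet");
    yield { tag, body: buf.subarray(i, i + len) };
    i += len;
  }
}

// Policy from the thread: a key with no User ID is refused unless it updates
// a key already on the keyring (alreadyOnKeyring is a hypothetical input).
function importDecision(buf, alreadyOnKeyring) {
  let sawKey = false, userIds = [];
  for (const p of packets(buf)) {
    if (p.tag === TAG_PUBLIC_KEY) sawKey = true;
    if (p.tag === TAG_USER_ID) userIds.push(p.body.toString("utf8"));
  }
  if (!sawKey) return "reject: no public key packet";
  if (userIds.length) return "import";
  return alreadyOnKeyring ? "update-only" : "reject: no user ID";
}

// Constructed sample packets with placeholder bodies (not real key material).
const pkt = (tag, body) => Buffer.from([0xc0 | tag, body.length, ...body]);
const stripped = pkt(6, [4, 0, 0, 0, 0, 1]);
const full = Buffer.concat([stripped, pkt(13, Buffer.from("Alice <alice@example.org>"))]);
console.log(importDecision(full, false), "|", importDecision(stripped, false));
```

The check only establishes that a User ID packet is present; it does not verify the self-signature that binds the user ID to the key.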