Bug 1652312 (Open) - Opened 4 years ago, updated 10 months ago

Limit the number of revoked OpenPGP keys included when attaching the user's public key.

Component: MailNews Core :: Security: OpenPGP (enhancement)
Tracking: not tracked
Reporter: KaiE; Unassigned

Bug 1650591 adds code that will include the user's revoked keys, when sending the current OpenPGP public key as an attachment.

We should limit the set of attached keys by age.

A suggestion is to limit it by 12-13 months, so one year mailings can still include the revocation information.

However, to implement that, we need an RNP API that allows us to obtain the revocation date. I've requested that here: https://github.com/rnpgp/rnp/issues/1200

In addition, keys that have already expired can also be skipped.

We have to be careful with this. The revocation date could have been ages ago: you can create a revocation cert while creating the key (or at any later point in time), but wait to apply it until, for example, an emergency situation. That is, the creation date of the revocation cert cannot be used. I'd recommend creating a limit by number of keys (based on their creation date) plus expiry date.
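The selection policy this comment recommends, beside the revocation-date filter it argues against, as an added example that is not code from the bug, Thunderbird or RNP; the KeyInfo record is a hypothetical stand-in for what the RNP API would expose, and the fingerprints and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class KeyInfo:
    # Hypothetical stand-in for the fields the RNP API would expose for a key.
    fingerprint: str
    created: datetime                            # key creation date
    expires: Optional[datetime]                  # None: the key never expires
    revoked: bool
    revocation_sig_created: Optional[datetime]   # when the revocation cert was made, not applied

def is_expired(key: KeyInfo, now: datetime) -> bool:
    return key.expires is not None and key.expires <= now

def select_keys_to_attach(keys: List[KeyInfo], now: datetime, max_revoked: int = 2) -> List[str]:
    """Recommended policy: the current key(s) plus at most `max_revoked` non-expired revoked
    keys, ranked by the key's own creation date (newest first). The revocation certificate's
    creation date is ignored on purpose: it may predate its actual use by years."""
    live = [k for k in keys if not is_expired(k, now)]
    current = [k.fingerprint for k in live if not k.revoked]
    revoked = sorted((k for k in live if k.revoked), key=lambda k: k.created, reverse=True)
    return current + [k.fingerprint for k in revoked[:max_revoked]]

def select_by_revocation_sig_age(keys: List[KeyInfo], now: datetime, max_age: timedelta) -> List[str]:
    """The approach the comment warns against: keep a revoked key only if its revocation
    certificate was created within `max_age`. A pre-generated cert applied today fails this."""
    live = [k for k in keys if not is_expired(k, now)]
    current = [k.fingerprint for k in live if not k.revoked]
    recent = [k.fingerprint for k in live
              if k.revoked and k.revocation_sig_created is not None
              and now - k.revocation_sig_created <= max_age]
    return current + recent

# Constructed sample keyring; fingerprints are placeholders, not real keys.
NOW = datetime(2024, 6, 1)
SAMPLE_KEYS = [
    KeyInfo("CURRENT_KEY", datetime(2024, 1, 10), None, False, None),
    # Revoked last month with a cert generated together with the key in 2021 (the emergency case).
    KeyInfo("OLD_KEY_PREGEN_REVOC", datetime(2021, 1, 1), None, True, datetime(2021, 1, 1)),
    KeyInfo("REVOKED_2023", datetime(2023, 3, 1), None, True, datetime(2023, 6, 15)),
    # Expired and revoked: recipients cannot use it anyway, so it is skipped.
    KeyInfo("EXPIRED_KEY", datetime(2019, 1, 1), datetime(2020, 1, 1), True, datetime(2019, 12, 1)),
]

if __name__ == "__main__":
    print(select_keys_to_attach(SAMPLE_KEYS, NOW))
    print(select_by_revocation_sig_age(SAMPLE_KEYS, NOW, timedelta(days=390)))
```

With the sample keyring the count-based policy keeps the recently applied 2021 revocation, while the 13-month revocation-date filter silently drops it.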

We updated our API via the following PR: https://github.com/rnpgp/rnp/pull/1342
That would allow retrieving the revocation signature for the key/userid.

Potentially related to https://bugzilla.mozilla.org/show_bug.cgi?id=1743248
Any updates?
