Limit the number of revoked OpenPGP keys included when attaching the user's public key.
Categories
(MailNews Core :: Security: OpenPGP, enhancement)
Tracking
(Not tracked)
People
(Reporter: KaiE, Unassigned)
Bug 1650591 adds code that will include the user's revoked keys, when sending the current OpenPGP public key as an attachment.
We should limit the set of attached keys by age.
A suggestion is to limit it by 12-13 months, so one year mailings can still include the revocation information.
However, to implement that, we need an RNP API that allows us to obtain the revocation date. I've requested that here: https://github.com/rnpgp/rnp/issues/1200
In addition, keys that have already expired can also be skipped.
Comment 1•4 years ago
We have to be careful with this. The revocation date could have been ages ago - you can create a revocation cert while creating the key (or at any later point in time), but wait to apply it until, for example, an emergency situation. That is, the creation date for the revocation cert cannot be used. I'd recommend creating a limit by number of keys (based on their creation date) plus expiry date.
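The two selection policies discussed so far, side by side, as an added example that is not Thunderbird or RNP code and not part of any comment. The record fields (`created`, `expires`, `revoked`, `revSigCreated`), the function names and the limits of 395 days and 2 keys are assumptions, and the sample keyring is constructed to include a revocation certificate generated at key creation time.

```javascript
// Added example. Field names are assumptions, not RNP or Thunderbird API.
// Times are Unix seconds; `expires` is absolute, 0 means "never expires".
const DAY = 86400;
const NOW = 1700000000; // fixed clock so the result is deterministic

// Constructed sample keyring.
const sampleKeys = [
  // Revocation cert generated together with the key; when it was published is not recorded.
  { id: "KEY-A", created: NOW - 900 * DAY, expires: 0, revoked: true, revSigCreated: NOW - 900 * DAY },
  // Old key, revoked long ago.
  { id: "KEY-B", created: NOW - 1500 * DAY, expires: 0, revoked: true, revSigCreated: NOW - 1400 * DAY },
  // Revoked recently, but the key has already expired.
  { id: "KEY-C", created: NOW - 800 * DAY, expires: NOW - 70 * DAY, revoked: true, revSigCreated: NOW - 100 * DAY },
  // Recent key, recently revoked.
  { id: "KEY-D", created: NOW - 200 * DAY, expires: NOW + 500 * DAY, revoked: true, revSigCreated: NOW - 30 * DAY },
  // Current key, not revoked; never part of the revoked-key selection.
  { id: "KEY-E", created: NOW - 20 * DAY, expires: 0, revoked: false, revSigCreated: null },
];

function isExpired(key, now) {
  return key.expires !== 0 && key.expires <= now;
}

// Policy from the bug description: cut off by age of the revocation
// signature, and skip keys that have already expired.
function selectByRevocationAge(keys, now, maxAgeDays) {
  return keys
    .filter((k) => k.revoked && !isExpired(k, now))
    .filter((k) => now - k.revSigCreated <= maxAgeDays * DAY)
    .map((k) => k.id);
}

// Policy from comment 1: the N most recently created revoked keys,
// still skipping expired ones. The revocation timestamp is not consulted.
function selectByCount(keys, now, maxKeys) {
  return keys
    .filter((k) => k.revoked && !isExpired(k, now))
    .sort((a, b) => b.created - a.created) // newest key first
    .slice(0, maxKeys)
    .map((k) => k.id);
}

console.log(selectByRevocationAge(sampleKeys, NOW, 395)); // [ 'KEY-D' ]
console.log(selectByCount(sampleKeys, NOW, 2)); // [ 'KEY-D', 'KEY-A' ]
```

With the age cutoff, KEY-A is dropped because the signature timestamp is the only date available, even though its revocation may have only just been published; the count-based policy keeps it.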
Comment 2•4 years ago
We updated our API via the following PR: https://github.com/rnpgp/rnp/pull/1342
That would allow retrieving the revocation signature for the key/userid.
Potentially related to https://bugzilla.mozilla.org/show_bug.cgi?id=1743248
Any updates?