Open Bug 1743248 Opened 4 years ago Updated 2 years ago

[RFE] Make automatic addition of revoked keys optional when attaching public OpenPGP-keys

Categories

(MailNews Core :: Security: OpenPGP, enhancement)

Thunderbird 91
x86_64
Windows 10
enhancement

Tracking

(Not tracked)

People

(Reporter: lhk, Unassigned)

Details

Steps to reproduce:

I have an account with an old revoked OpenPGP-key and a current one. Both are present in Thunderbird. I select to (automatically) attach my public key to outgoing mails from that account.

Actual results:

Thunderbird 91.x automatically includes both, the current AND the revoked key into the attached public-key-file instead of only sending the current one. The resulting attachment is called OpenPGP_[key-id-here]and_old_rev.asc instead of OpenPGP[key-id-here].asc accordingly.

Expected results:

There is no option to switch this automatic behaviour off and send the current key only.
While in most circumstances it should be useful for key distribution and management to widely and quickly spread revocation certificates, there are some cases where it is not.
So I propose to make this behaviour optional either by a switch directly within the account settings or elsewhere within the UI or at least as a variable within the advanced settings.

Component: Untriaged → Security: OpenPGP
OS: Unspecified → Windows 10
Product: Thunderbird → MailNews Core
Hardware: Unspecified → x86_64
Status: UNCONFIRMED → NEW
Ever confirmed: true

I was made aware that we're including the full revoked key. This wasn't the original intention. The intention was to only include a revocation statement (which should be less problematic I assume).

(In reply to Kai Engert (:KaiE:) from comment #1)

> I was made aware that we're including the full revoked key. This wasn't the original intention. The intention was to only include a revocation statement (which should be less problematic I assume).

Hello Kai!
Thanks for taking care of my report!
Yes, that sounds better and would mitigate the situation.
But as a mere user I still would prefer to have an option to just send the key currently used for the account (and associated with it in TB) without anything else. Additional sending of old or revoked keys, notifications about them or possible other keys carrying a user id associated with the account should be optional!
Cheers
Sten

One more thing:
As you may have noticed I am new to bug reporting here. So please forgive me if my following remark is stupid:
Why were the bug's properties changed to x86_64, Windows 10?
To the best of my knowledge the problem also occurs on other architectures as well?!

I agree very much with OP.
Still present in 115.6.0 on 64-bit Linux.
Any updates on this?
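
To check what a public-key attachment like the one in this report actually carries, here is an added example that is not part of the bug thread or of Thunderbird's code: it walks the OpenPGP packets (RFC 4880 framing) and flags each primary key that is directly followed by a key revocation signature (type 0x20). The names `packets`, `revoked_flags`, `pkt` and `SAMPLE` are hypothetical, the sample bytes are constructed, the input is assumed to be binary already (for example via `gpg --dearmor`), and signatures are not verified.

```python
def packets(data):
    """Yield (tag, body) for each packet in binary (de-armored) OpenPGP data."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                      # new-format header
            tag, first, i = hdr & 0x3F, data[i + 1], i + 2
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not handled")
        else:                               # old-format header
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            if n == 8:
                raise ValueError("indeterminate length not handled")
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def revoked_flags(data):
    """Per primary key in the bundle: does a key revocation signature follow it?"""
    flags, before_uids = [], False
    for tag, body in packets(data):
        if tag == 6:                        # Public-Key packet: a new key starts
            flags.append(False)
            before_uids = True
        elif tag in (13, 14, 17):           # user ID, subkey, user attribute
            before_uids = False
        elif tag == 2 and before_uids and len(body) > 2:
            sig_type = body[2] if body[0] == 3 else body[1]
            if sig_type == 0x20:            # key revocation signature
                flags[-1] = True
    return flags

def pkt(tag, body):                         # build a constructed new-format packet
    return bytes([0xC0 | tag, len(body)]) + body

# Constructed sample, not real key material: a current key, then a revoked one.
SAMPLE = (pkt(6, b"\x04" + bytes(9)) + pkt(13, b"current <u@example.org>")
          + pkt(2, b"\x04\x13" + bytes(4)) + pkt(6, b"\x04" + bytes(9))
          + pkt(2, b"\x04\x20" + bytes(4)) + pkt(13, b"old <u@example.org>"))
```

A result with more than one entry means the file holds more than one primary key; a `True` entry marks a key that ships together with its revocation signature.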
