Closed Bug 1753446 Opened 2 years ago Closed 2 years ago

Revocation information is not retrieved from WKD

Categories

(MailNews Core :: Security: OpenPGP, defect)

Thunderbird 91
defect

Tracking

(thunderbird_esr91 affected)

RESOLVED WORKSFORME
Tracking Status
thunderbird_esr91 --- affected

People

(Reporter: johannes.koenig+bugzilla, Unassigned)

References

Details

(Whiteboard: [fixed by bug 1751885])

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0

Steps to reproduce:

I use Thunderbird 91 with a corporate Web Key Directory. Someone published their public key on the WKD. I imported it into Thunderbird via "Discover Keys Online".
Later, the same person revoked their key and created a new one. Both the revoked and the new key were uploaded to the WKD.
I used "Discover Keys Online" again with the person's e-mail address.

Actual results:

The "Discover Keys Online" dialogue reported that one key was found (not two): it only found the newly generated key. I imported it.
The problem is now that I have two "valid" keys in Thunderbird because Thunderbird ignores the revocation of the old key.

Expected results:

Thunderbird should import the old key's revocation information and not show it as valid.

To investigate, it would help me to get a copy of the data that is returned by the WKD server; could you please send it to me?

If you don't want to attach, please send me email to kaie@kuix.de and I will keep it confidential.

IIUC, WKD allows us to download exactly one piece of data found by email address, so I conclude that the returned data contains two keys in your scenario. I'd like to see how that is encoded.

I have sent the info via e-mail.

Thanks for the examples.

The old code uses the following approach:

  • try to get a listing of the keys we retrieve
  • ignore keys that are no longer valid
  • offer valid keys to the user for import

This didn't consider the scenario that we should automatically import new revocation information.
We also try to keep the amount of keys in our permanent store small, and avoid broken/corrupted keys, which is why the above skips invalid keys.

In bug 1751885 we're currently working on improvements.
The intention is to automatically import revocation information, for keys that we already had previously imported.

That work isn't ready yet.
What we should do is:

  • import updates for existing keys automatically
  • ignore expired/revoked keys that aren't installed yet
  • offer remaining good keys for import

Those improvements will be made in bug 1751885, and they should cover your scenario.

Depends on: 1751885
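The two behaviours compared in the comment above, as an added Python example written for this page (it is not Thunderbird's code): `old_discover` models the original "skip invalid keys, offer the rest" filter that drops a revocation of an already-imported key, and `triage_wkd_result` plus `apply_updates` model the proposed rule (import updates for keys already in the keyring, ignore expired/revoked keys that were never installed, offer the remaining good keys). The `PgpKey` model, the `build_scenario` fixture, its fingerprints and dates are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


# Constructed, heavily simplified view of a key as returned by a WKD lookup.
# A real WKD response is a binary OpenPGP key block; only the fields the
# triage rule needs are modelled here. Fingerprints are made-up placeholders.
@dataclass
class PgpKey:
    fingerprint: str
    user_id: str
    created: datetime
    expires: Optional[datetime] = None
    revoked: bool = False


def is_usable(key: PgpKey, now: datetime) -> bool:
    """A key is usable only if it is neither revoked nor expired."""
    if key.revoked:
        return False
    return key.expires is None or key.expires > now


def old_discover(fetched: List[PgpKey], now: datetime) -> List[PgpKey]:
    """Original behaviour described in the report: drop every key that is no
    longer valid and offer the rest. A revocation of a key the user already
    holds is filtered out here and never reaches the local keyring."""
    return [k for k in fetched if is_usable(k, now)]


def triage_wkd_result(
    fetched: List[PgpKey], keyring: Dict[str, PgpKey], now: datetime
) -> Tuple[List[PgpKey], List[PgpKey], List[PgpKey]]:
    """Proposed behaviour: split the WKD result into three buckets.

    updates - keys already present locally (imported unconditionally so that
              new revocation/expiry information is applied)
    ignored - keys not installed yet that are already revoked or expired
    offers  - remaining good keys, shown to the user for optional import
    """
    updates, ignored, offers = [], [], []
    for key in fetched:
        if key.fingerprint in keyring:
            updates.append(key)
        elif not is_usable(key, now):
            ignored.append(key)
        else:
            offers.append(key)
    return updates, ignored, offers


def apply_updates(keyring: Dict[str, PgpKey], updates: List[PgpKey]) -> List[str]:
    """Merge fetched updates into stored keys and return the fingerprints that
    changed. Revocation is sticky: once a key is revoked locally, a later
    fetch without the revocation must not un-revoke it."""
    changed = []
    for key in updates:
        local = keyring[key.fingerprint]
        touched = False
        if key.revoked and not local.revoked:
            local.revoked = True
            touched = True
        if key.expires is not None and key.expires != local.expires:
            local.expires = key.expires  # assumption: newer self-sig wins
            touched = True
        if touched:
            changed.append(local.fingerprint)
    return changed


def build_scenario() -> Tuple[Dict[str, PgpKey], List[PgpKey], datetime]:
    """Constructed fixture mirroring the report: OLDKEY was imported earlier
    and is now revoked on the WKD, NEWKEY is the replacement, STALEKEY is a
    revoked key the user never had."""
    now = datetime(2022, 2, 1, tzinfo=timezone.utc)
    year = timedelta(days=365)
    keyring = {
        "OLDKEY": PgpKey("OLDKEY", "alice@example.org", now - 2 * year),
    }
    fetched = [
        PgpKey("OLDKEY", "alice@example.org", now - 2 * year, revoked=True),
        PgpKey("NEWKEY", "alice@example.org", now - timedelta(days=1)),
        PgpKey("STALEKEY", "alice@example.org", now - 3 * year, revoked=True),
    ]
    return keyring, fetched, now


if __name__ == "__main__":
    keyring, fetched, now = build_scenario()
    print("old approach offers:", [k.fingerprint for k in old_discover(fetched, now)])
    upd, ign, off = triage_wkd_result(fetched, keyring, now)
    print("updated:", apply_updates(keyring, upd), "ignored:",
          [k.fingerprint for k in ign], "offered:", [k.fingerprint for k in off])
    print("OLDKEY revoked locally:", keyring["OLDKEY"].revoked)
```

Run as written, the old filter offers only `NEWKEY` and leaves `OLDKEY` marked valid in the keyring; the triage path applies the revocation to `OLDKEY`, ignores `STALEKEY`, and still offers only `NEWKEY`, which is the combination the reporter expected.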

That should solve our problem, thank you.

Johannes, the real reason for your issue should be fixed with Thunderbird version 91.8.0, as described here:
https://www.mozilla.org/en-US/security/advisories/mfsa2022-15/#CVE-2022-1197

Could you please test if it is indeed fixed for you?

Flags: needinfo?(johannes.koenig+bugzilla)

Yes, the problem is fixed. Thank you very much!

Flags: needinfo?(johannes.koenig+bugzilla)
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME
Whiteboard: [fixed by bug 1751885]