Open Bug 1595233 Opened 5 years ago Updated 2 years ago

[OpenPGP tracker] Retrieval mechanisms for public keys and revocations

Categories

(MailNews Core :: Security: OpenPGP, enhancement)

Tracking

(Not tracked)

People

(Reporter: KaiE, Unassigned)

References

Details

(Keywords: meta)

No description provided.

We have:

  • attachments of files to outgoing e-mails.
    This is privacy preserving and doesn't need a central place to work. Some people might be confused about the attached keys if their mail client doesn't hide it from them. You don't want to hide encrypted attachments though.
  • DANE/PGPKEY (and SMIMEA) records, requires DNSSEC support and support from the receiver's mail provider.
  • WKD (Web Key Directory), also under the authority of the mail provider domain, just a different protocol and a well-known directory this time.
  • classic PGP keyservers. Leaks the intended recipient of your mail and you might suffer from DoS and outdated keys depending on the keyserver.
  • AutoCrypt, creates a stripped version of your key and puts it into the mail headers.

I think we should go with the first option by default and allow the users to opt into the others if needed.
This ensures compatibility with existing solutions for encrypted mails while maintaining the users' privacy and being independent of provider support.

Great that Autocrypt (this is the correct spelling) is on the list!

Importing of a public key that is attached to a received email is working (without trust assignment yet).

Keywords: meta

According to bug 1631198, manual import of an Autocrypt public key (from a received mail header) should work.

Severity: normal → S3