If we already have a public key, allow importing a key update, even if the update has no user ID
Categories
(MailNews Core :: Security: OpenPGP, enhancement)
Tracking
(thunderbird_esr91+ fixed)
People
(Reporter: KaiE, Assigned: KaiE)
References
(Blocks 2 open bugs)
Details
Attachments
(1 file)
|
(deleted),
text/x-phabricator-request
|
wsmwk
:
approval-comm-esr91+
|
Details |
A public key is a data package with attributes, and over time, more attributes can be attached to it. It's also possible to strip some attributes, without invalidating the key completely.
With bug 1633605, we'll require that imported keys contain a valid user ID, because otherwise they aren't usable in a user friendly way.
However, for convenience, it can be useful to pull key updates from a public key server, for example to retrieve updated meta information made by the key owner, such as an extended validity period or a revocation.
Some users might deny exposing their user name and email address information in a public directory (e.g. a key server), but nevertheless, sharing the other meta data publicly can be useful.
Therefore a key server might strip all user ID from a key, and offer it when searching for the key's technical ID (key ID or fingerprint).
Thunderbird should support obtaining updated meta information from keys offered by public directories, even if those keys don't contain any user ID information.
This makes sense, only if we have already imported a version of the public key that includes the user ID information.
|
Assignee | |
Comment 1•3 years ago
|
||
|
||
Updated•3 years ago
|
|
|
Assignee | |
Comment 2•3 years ago
|
||
I would recommend that we backport this to the stable esr91 branch.
I've learned that this affects revoked keys. Once a key is revoked, the keyserver keys.openpgp.org strips away all user IDs. This means we cannot import revocation information from that server. That's bad.
|
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
Pushed by kaie@kuix.de:
https://hg.mozilla.org/comm-central/rev/41bf7f1609b9
Allow updating a key with no user ID, if we already have that key, to allow revocation. r=mkmelin
|
|
Assignee | |
Updated•3 years ago
|
|
|
Assignee | |
Comment 4•3 years ago
|
||
Comment on attachment 9261005 [details]
Bug 1634524 - Allow updating a key with no user ID, if we already have that key, to allow revocation. r=mkmelin
[Approval Request Comment]
Regression caused by (bug #): no
User impact if declined: cannot import revoked key from keyserver
Testing completed (on c-c, etc.): yes
Risk to taking this patch (and alternatives if risky): Although I cannot think of a specific side effect, there may be a small risk, but the benefit is more important.
|
|
Assignee | |
Comment 5•3 years ago
|
||
Comment on attachment 9261005 [details]
Bug 1634524 - Allow updating a key with no user ID, if we already have that key, to allow revocation. r=mkmelin
Removing request. Too early. It needs beta testing.
|
|
Assignee | |
Comment 6•3 years ago
|
||
Comment on attachment 9261005 [details]
Bug 1634524 - Allow updating a key with no user ID, if we already have that key, to allow revocation. r=mkmelin
Restoring the previous approval request.
After more discussions, we consider this low risk, and important functionality to uplift.
|
|
Assignee | |
Comment 7•3 years ago
|
||
Requesting for 91.8.0
|
||
Comment 8•3 years ago
|
||
Comment on attachment 9261005 [details]
Bug 1634524 - Allow updating a key with no user ID, if we already have that key, to allow revocation. r=mkmelin
[Triage Comment]
Approved for esr91
|
||
Comment 9•3 years ago
|
||
| bugherder uplift | ||
Thunderbird 91.8.0:
https://hg.mozilla.org/releases/comm-esr91/rev/b873663fedd4
Description
•