Enhance validation of keys with multiple email addresses #120
Reference: Disroot/gpg-lacre#120
When a key is registered, we only verify the email address specified while the key was submitted.
We should validate all other emails found in the key.
Scenario
mallory@example.org
and alice@example.org
.mallory@example.org
.alice@example.org
are now encrypted with Mallory's key.

i'm not sure i recall all the details, but i remember the decision to restrict to single identities for the start. iirc one issue if not restricted to single identity is that u can do something like that:
it would be nice to be able to upload multi-identity keys. but u'd need to tell lacre somehow which identity to use and verify.
A possible approach would be to send more than one verification email.
If we received an email for identities alice@example.org, bob@example.org and charlie@example.org, we'd just send 3 verification emails and only trust a key if all of them were verified.

We'd need to change the store for submitted keys to track several emails though.
As noted by avg_joe on MUC:
and:
If we sent confirmation requests to each of the emails linked to a key/identity, we'd need to make sure this couldn't be abused.
One way of dealing with keys with multiple emails would be to confirm them step by step: confirm next email only if all previous have been successfully confirmed.
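
The approach discussed in this thread (verify every address found in the key, one at a time, and trust the key only once all are confirmed), sketched as an added example that is not part of the issue or of Lacre's code. `key_emails`, `PendingKey` and the sample listing are hypothetical and constructed for illustration; the parser assumes GnuPG's `--with-colons` output, where field 10 of a `uid` record holds the user ID.

```python
import hmac
import secrets
from email.utils import parseaddr

# Constructed sample of `gpg --with-colons` output (not a real key).
SAMPLE_LISTING = """\
pub:-:255:22:AAAAAAAAAAAAAAAA:1700000000:::-:::scESC::::::23::0:
uid:-::::1700000000::1111111111111111111111111111111111111111::Mallory <mallory@example.org>::::::::::0:
uid:-::::1700000000::2222222222222222222222222222222222222222::Alice <Alice@Example.org>::::::::::0:
uid:r::::1700000000::3333333333333333333333333333333333333333::Old <old@example.org>::::::::::0:
"""

def key_emails(listing):
    """Return every non-revoked email in the key's uid records (field 10), in order."""
    emails = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] != "uid" or len(fields) < 10 or fields[1] == "r":
            continue
        addr = parseaddr(fields[9])[1].lower()
        if "@" in addr and addr not in emails:
            emails.append(addr)
    return emails

class PendingKey:
    """Hypothetical store entry: the key is trusted only once every email is confirmed."""
    def __init__(self, submitted_for, listing):
        self.emails = key_emails(listing)
        if submitted_for.lower() not in self.emails:
            raise ValueError("submitted address is not an identity of this key")
        self.tokens = {e: secrets.token_urlsafe(32) for e in self.emails}
        self.confirmed = set()

    def next_to_confirm(self):
        """Step by step: the only address that may receive a request right now."""
        return next((e for e in self.emails if e not in self.confirmed), None)

    def confirm(self, email, token):
        email = email.lower()
        if email != self.next_to_confirm():
            return False  # out of order, unknown, or already confirmed
        if not hmac.compare_digest(token.encode(), self.tokens[email].encode()):
            return False
        self.confirmed.add(email)
        return True

    def trusted(self):
        return self.next_to_confirm() is None
```

Because only one confirmation request is outstanding at a time, a submitted key cannot trigger mail to every listed address at once, and a key naming alice@example.org stays untrusted until that mailbox's owner confirms.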