Enhance validation of keys with multiple email addresses #120

Open
opened 2023-03-11 11:29:42 +01:00 by pfm · 6 comments
Collaborator

When a key is registered, we only verify the email address specified while the key was submitted.

We should validate all other emails found in the key.

Scenario

  1. Mallory submits a key with two email addresses: mallory@example.org and alice@example.org.
  2. Lacre validates only the first address: mallory@example.org.
  3. Messages sent to alice@example.org are now encrypted with Mallory's key.
pfm added this to the Test deployment findings milestone 2023-03-11 11:29:42 +01:00
pfm added the
BUG
ISSUE
labels 2023-03-11 11:29:42 +01:00
Owner

i'm not sure i recall all the details, but i remember the decision to restrict to single identities for the start. iirc one issue if not restricted to single identity is that u can do something like that:

  1. alice uploads key for alice@lacre.io and verifies it
  2. bob uploads a multi identity key with bob@lacre.io and alice@lacrio.io for alice@lacre.io and is able to verify it from bob@lacre.io
Owner

it would be nice to be able to upload multi identities keys. but u'd need to tell lacre somehow which identity to use and verify.

Author
Collaborator

A possible approach would be to send more than one verification email.

If we received an email for identities alice@example.org, bob@example.org and charlie@example.org, we'd just send 3 verification emails and only trust a key if all of them were verified.

We'd need to change the store for submitted keys to track several emails though.

Author
Collaborator

As noted by avg_joe on MUC:

> i think there are two ways to solve:
>
>   • either verify all identities on multi keys
>   • or restrict to one identity on multi keys

and:

> note: restricted identity *must* match target address!

Author
Collaborator

If we sent confirmation requests to each of the emails linked to a key/identity, we'd need to make sure this couldn't be abused.

Author
Collaborator

One way of dealing with keys with multiple emails would be to confirm them step by step: confirm next email only if all previous have been successfully confirmed.

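A minimal model of the step-by-step confirmation scheme discussed in this thread, added here as an illustration and not code from Lacre itself: one challenge is open at a time, the next identity is challenged only after all previous ones were confirmed, and the key is trusted for an address only once every identity in it has been confirmed. `PendingKey`, `next_challenge`, `confirm` and `trusted_for` are hypothetical names, and the fingerprint and addresses in the scenario are constructed.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class PendingKey:
    """Submission state for one key (hypothetical store, not Lacre's)."""
    fingerprint: str
    identities: list               # addresses found in the key's user IDs
    confirmed: set = field(default_factory=set)
    challenge: tuple = None        # (address, token) currently awaiting a reply


def next_challenge(key):
    """Issue the verification mail for the first unconfirmed identity.

    Only one challenge is open at a time; the next address is challenged
    only after all earlier ones were confirmed, so a key with many UIDs
    cannot be used to fan out confirmation mails to every address at once.
    """
    if key.challenge is not None:
        return key.challenge          # still waiting on this one
    for address in key.identities:
        if address not in key.confirmed:
            key.challenge = (address, secrets.token_urlsafe(16))
            return key.challenge
    return None                       # every identity is confirmed


def confirm(key, address, token):
    """Handle a confirmation reply; only the currently open challenge counts."""
    if key.challenge is None or key.challenge[0] != address:
        return False
    if not secrets.compare_digest(key.challenge[1], token):
        return False
    key.confirmed.add(address)
    key.challenge = None
    return True


def trusted_for(key, recipient):
    """Encrypt to this key for `recipient` only when every identity in the
    key has been confirmed, so Mallory's key is never used for
    alice@example.org on the strength of mallory@example.org alone."""
    return recipient in key.identities and set(key.identities) == key.confirmed
```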