[User story] - As a user I would like to be able to send new public key after previously sent and confirmed key has been compromised or lost. #85
Labels
No Label
ANSIBLE
BUG
CODE
DEVELOPMENT
DOCUMENTATION
FEEDBACK
FIX
HOWTOs
IDEA
INFRA
ISSUE
MAILSERVER
TESTS
To-Be-Reviewed
WEB
WEBSITE
No Milestone
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: Disroot/gpg-lacre#85
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Currently upon new key submission, confirmation email from lacre is sent encrypted to the user as there is a public key for given user. This results in situation where user without access to the key (lost, compromised) cannot confirm email and thus upload new key.
[Test feedback] - Unable to upload new key if previous secret key lostto [User story] - As a user I would like to be able to send new public key after previously sent and confirmed key has been compromised or lost.What has been tested:
Possible solutions:
Giving it a brief moment I think delimiters should always be encrypted to avoid user confusion and to make it easier for lacre (always encrypt).
One extra solution would be to send emails to additional domain eg. plain.lacre.io but that means server operator would have to provide such domain for all users which is too restrictive imo, so one thing would be to make sure no-reply lacre's emails never get piped to lacre?
How about letting the user send a revokation certificate?
It could then be imported and therefore could revoke the public key. But of course that only helps when somebody had lost their passphrase, not the whole GnuPG setup / identities.
Another idea: we could accept an additional secret or a backup email that the user could use to revoke the key.
After a brainstorming session, @muppeth and I have decided to encrypt the confirmation email immediately (in front-end code) with the key received from the user.
With this approach, the user doesn't need access to the old key.
Consequence: the user must provide a key they can use to cancel encryption or change the key.
I had a short chat with a hacker I respect and he said that our solution seemed OK to him.