Feature #9800

Only allow OpenPGP keys that match the provided email in WhisperBack

Added by BitingBird 2015-07-24 03:21:29. Updated 2019-03-08 15:44:46.

Status: Confirmed
Priority: Low
Assignee:
Category:
Target version:
Start date: 2015-07-24
Due date:
% Done: 0%
Feature Branch:
Type of work: User interface design
Starter: 1
Affected tool: WhisperBack
Deliverable for:

Description

  • Only allow GPG keys that match the provided email, because Schleuder doesn’t allow writing encrypted emails to an address with a different key.
  • Force user to provide armored public GPG key instead of just key ID (the keys are sometimes hard or impossible to fetch on the keyservers, and sometimes two keys share the same ID).

Those improvements would greatly simplify Frontdesk work.

Team: alan (code), sajolida (ux), emmapeel (?)


Subtasks


Related issues

  • Related to Tails - Bug #11200: More feedback when adding OpenPGP key to WhisperBack report (Confirmed, 2016-03-08)
  • Related to Tails - Feature #12254: Explicit the need of armored (instead of binary) key in WhisperBack (Confirmed, 2017-02-19)

History

#1 Updated by BitingBird 2015-07-24 03:23:16

  • Description updated

#2 Updated by sajolida 2015-07-28 07:07:11

  • Assignee set to sajolida
  • Priority changed from Elevated to Normal
  • Type of work changed from Code to User interface design

I’ll work on this with Alan in 2016.

Next step is to propose a wireframe and interactions for that.

#3 Updated by intrigeri 2015-08-03 04:52:16

  • Subject changed from Add some GPG checks to Whisperback to Add some OpenPGP key checks to WhisperBack

#4 Updated by intrigeri 2015-08-03 04:53:54

> * Force user to provide armored public GPG key instead of just key ID (the keys are sometimes hard or impossible to fetch on the keyservers).

This feels like it might be a burden for those who are regularly reporting bugs and/or know their key is on the keyservers. Has it been considered to instead check for the key’s availability on keyservers, when a key ID is provided by the user, before it’s considered to be valid?

#5 Updated by sajolida 2015-08-04 06:44:24

That’s a valid idea as well, thanks. I think this feature hasn’t been carefully designed yet, so any input is welcome.

#6 Updated by BitingBird 2015-08-04 07:12:54

If we already have their key, they don’t need to provide one at all.

#7 Updated by sajolida 2015-08-14 11:42:54

  • Description updated
  • Target version set to 2016

#8 Updated by sajolida 2015-08-14 11:46:22

  • Tracker changed from Bug to Feature
  • Description updated

#9 Updated by sajolida 2015-08-17 08:22:08

  • Description updated

#10 Updated by sajolida 2015-08-25 09:04:11

  • Description updated

#11 Updated by alant 2015-11-08 07:49:28

Proposal: when someone clicks “Add optional OpenPGP key”:

- search the keyring for keys that correspond to the provided email address and propose them. If there are several, let the user choose one, else, just ask for confirmation;
- if it fails, propose that the user search for the key on the keyservers. If there are multiple matches, let the user choose one, else, just ask for confirmation;
- if it fails or the user discards the proposal, let the user enter an armored key block.

Then, read the key with an OpenPGP library, and verify it matches the email address.
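Added example, not WhisperBack code and not part of the comment above: one way to do the final "verify it matches the email address" step, assuming the candidate keys have been listed in GnuPG's `--with-colons` format. The sample listing and the function names are constructed for illustration; lower-casing the address before comparing is a choice made here.

```python
import re

# Constructed --with-colons listing (not real keys): three public keys.
SAMPLE_LISTING = """\
pub:-:4096:1:AAAAAAAAAAAAAAA1:1437700000:::-:::scESC:
fpr:::::::::1111111111111111111111111111111111111111:
uid:-::::1437700000::0000000000000000000000000000000000000001::Alice Example <Alice@Example.org>:
pub:-:4096:1:AAAAAAAAAAAAAAA2:1437700000:::-:::scESC:
fpr:::::::::2222222222222222222222222222222222222222:
uid:-::::1437700000::0000000000000000000000000000000000000002::alice@example.org <mallory@example.net>:
pub:-:4096:1:AAAAAAAAAAAAAAA3:1437700000:::-:::scESC:
fpr:::::::::3333333333333333333333333333333333333333:
uid:r::::1437700000::0000000000000000000000000000000000000003::Old Alice <alice@example.org>:
"""

UNUSABLE = set("ider")  # validity field: invalid, disabled, expired, revoked

def _unescape(field):
    # User IDs are C-escaped in this format, e.g. "\x3a" for a literal colon.
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), field)

def _addr_spec(user_id):
    # Only the address in the trailing <...> counts; the display name is free
    # text and may itself contain someone else's address.
    m = re.search(r"<([^<>\s]+@[^<>\s]+)>\s*$", user_id)
    if m:
        return m.group(1).lower()
    bare = user_id.strip()
    return bare.lower() if re.fullmatch(r"[^\s<>@]+@[^\s<>@]+", bare) else None

def fingerprints_matching(listing, email):
    """Return full fingerprints of usable keys with a usable UID for `email`."""
    wanted = email.strip().lower()
    matches, fpr, usable = [], None, False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":  # a new key starts: reset per-key state
            fpr, usable = None, len(f) > 1 and f[1] not in UNUSABLE
        elif f[0] == "fpr" and fpr is None and len(f) > 9:
            fpr = f[9]  # first fpr after pub is the primary key's
        elif f[0] == "uid" and usable and fpr and len(f) > 9 and f[1] not in UNUSABLE:
            if _addr_spec(_unescape(f[9])) == wanted and fpr not in matches:
                matches.append(fpr)
    return matches
```

Returning full fingerprints rather than short key IDs avoids the "two keys share the same ID" ambiguity mentioned in the description; zero results means the key should be refused, more than one means the user has to choose.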

#12 Updated by intrigeri 2015-11-16 04:41:00

  • Status changed from Confirmed to In Progress

#13 Updated by sajolida 2016-03-09 11:13:20

  • related to Bug #11200: More feedback when adding OpenPGP key to WhisperBack report added

#14 Updated by sajolida 2016-04-28 06:27:26

  • Feature Branch set to https://tails.boum.orgblueprint/whisperback_for_frontdesk/

#15 Updated by intrigeri 2016-04-28 13:10:03

  • Blueprint set to https://tails.boum.org/blueprint/whisperback_for_frontdesk/

#16 Updated by intrigeri 2016-04-28 13:10:43

  • Feature Branch deleted (https://tails.boum.orgblueprint/whisperback_for_frontdesk/)

#17 Updated by Dr_Whax 2016-08-20 13:32:53

  • Description updated

#18 Updated by intrigeri 2016-08-27 10:09:50

  • Target version changed from 2016 to 2017

#19 Updated by BitingBird 2017-08-26 10:52:21

  • Target version deleted (2017)

removed from roadmap

#20 Updated by sajolida 2018-05-28 14:16:44

  • Assignee deleted (sajolida)
  • Priority changed from Normal to Low
  • Starter set to Yes

We have no plans of implementing this any time soon, so I’ll remove it from my plate.

#21 Updated by Anonymous 2018-08-18 11:35:24

  • related to Feature #12254: Explicit the need of armored (instead of binary) key in WhisperBack added

#22 Updated by Anonymous 2018-08-18 11:37:04

  • Subject changed from Add some OpenPGP key checks to WhisperBack to Only allow GPG keys that match the provided email in WhisperBack

BitingBird wrote:
> * Only allow GPG keys that match the provided email, because Schleuder doesn’t allow writing encrypted emails to an address with a different key.

I’m rephrasing the ticket title accordingly.

> * Force user to provide armored public GPG key instead of just key ID (the keys are sometimes hard or impossible to fetch on the keyservers, and sometimes two keys share the same ID).

This is tackled in Feature #12254.

#24 Updated by intrigeri 2019-03-08 15:44:46

  • Subject changed from Only allow GPG keys that match the provided email in WhisperBack to Only allow OpenPGP keys that match the provided email in WhisperBack
  • Status changed from In Progress to Confirmed