Automatic check for ultimate owner trust for own key(s)
OpenPGP addon for Mozilla Thunderbird
Enigmail should check that owner trust is set to ultimate for all key pair(s) set for use with all OpenPGP enabled TB accounts/identities. This could be done at startup. Maybe this could be combined with the (still missing) check for expiry.
While this assumption is a nice simple one, i'm not sure it's always the correct one. Just because i use a key doesn't mean i want to rely on its OpenPGP certifications.
For example, a team of people could share a role key (e.g. "security@example.net" or "support@example.com") and use it to read and reply to a common mailbox. If i were a member of that team, i would not want to have this key set to ultimate ownertrust.
In another example, i could have a key set up for normal correspondence that i expect to never make any identity certifications with (i could keep the OpenPGP key i use for certifications on a completely separate machine).
It would be sensible to recommend (require?) that the key for an Enigmail account has full (or marginal?) validity for the matching User ID, and one way to provide that is to set ultimate ownertrust on the key. But if the user ID is valid and the key is not trusted, I think it would be a mistake to push the user into setting ownertrust on it.
I think more than 90% of the use cases are dealing with missing "owner trust" on individually owned keys. Therefore, we should do:
This alert should also have a "Don't show this warning again" to provide minimal disturbance for other cases where "no owner trust" is a distinct decision.
I think the general idea is good, and worth thinking about. I would think we should not offer to open the "trust" dialog, but the Key Properties dialog.
Fixed on master by Ludwig
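The thread distinguishes User ID validity from ownertrust. The sketch below is an added example, not part of the ticket and not Enigmail's code. It reads both values from `gpg --list-keys --with-colons` output and only flags an identity whose matching User ID is not valid. The function names, the result strings and the sample listing are constructed for illustration, and treating only full or ultimate validity as sufficient is an assumption.

```javascript
// Constructed sample of `gpg --list-keys --with-colons` output (not real keys).
const SAMPLE_LISTING = [
  "pub:u:4096:1:AAAAAAAAAAAAAAAA:1400000000:::u:::scESC:",
  "uid:u::::1400000000::0000::Alice Example <alice@example.org>:",
  // Shared role key: User ID is valid, ownertrust deliberately left unset.
  "pub:f:4096:1:BBBBBBBBBBBBBBBB:1400000000:::-:::scESC:",
  "uid:f::::1400000000::0000::Security Team <security@example.net>:",
  // Personal key with neither validity nor ownertrust.
  "pub:-:4096:1:CCCCCCCCCCCCCCCC:1400000000:::-:::scESC:",
  "uid:-::::1400000000::0000::Alice Example <alice@example.com>:",
].join("\n");

// Colon format: field 2 = validity, field 9 = ownertrust (pub records only),
// field 10 = User ID. Escaped characters in the User ID are not decoded here.
function parseKeys(listing) {
  const keys = [];
  for (const line of listing.split("\n")) {
    const f = line.split(":");
    if (f[0] === "pub") {
      keys.push({ keyId: f[4], ownerTrust: f[8] || "-", uids: [] });
    } else if (f[0] === "uid" && keys.length > 0) {
      const m = /<([^>]+)>/.exec(f[9] || "");
      keys[keys.length - 1].uids.push({
        email: m ? m[1].toLowerCase() : null,
        validity: f[1] || "-",
      });
    }
  }
  return keys;
}

// Hypothetical per-identity check; identity = { email, keyId }.
function checkIdentity(keys, identity) {
  const key = keys.find((k) => k.keyId === identity.keyId);
  if (!key) return "key-missing";
  const uid = key.uids.find((u) => u.email === identity.email.toLowerCase());
  if (!uid) return "no-matching-uid";
  // Assumption: full ("f") or ultimate ("u") validity is sufficient.
  if (uid.validity === "f" || uid.validity === "u") {
    return key.ownerTrust === "u" ? "ok-ultimate" : "ok-valid-not-ultimate";
  }
  return "uid-not-valid"; // the case where prompting the user makes sense
}
```

Only the `uid-not-valid` result would call for the alert discussed above; the role key stays usable without being given ultimate ownertrust.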