Page MenuHome GnuPG

Kleopatra: New Feature for bulk certify
Open, WishlistPublic

Description

I would like to have the possibility to certify multiple keys at once. It should let me select the cerification key and then below list all selected keys fingerprints and below each fingerprint all the user ids one would sign.

One usecase for this is the crypto party where I leave with a list of fingerprints to sign and probably a file with all the keys.

Another usecase is when I switch my primary key. I select all keys that are valid in Kleopatra and certify them with my new case.

The most common, but not fully secure, use case will probably be that users import mutliple keys for a project or from collegues from an internal file system and certify them because they have received it through the filesystem. This is probably OK in low threat enviorments.

Event Timeline

aheinecke created this task.

I recently had a workshop with a customer that shared the same secret key inside her organization of about >1000 users and even handed it out to external users to avoid having any hassle with public key management. They did not have the highest security requirements and were mostly concerned about transport encryption.

With Actium not yet ready and not for everyone she asked me how should she bootstrap her organization and get every key certified.

I thought about this some more:

The most common, but not fully secure, use case will probably be that users import mutliple keys for a project or from collegues from an internal file system and certify them because they have received it through the filesystem. This is probably OK in low threat enviorments.

They could restrict a directory so that only users of a specific group have write access. If an employee in that case inserts a malicious key there that would be detectable through file system auditing and they can just organisationally define that this can't happen. In that case why not import 1000 keys, do some sanity checks.

In that case the signature should even be exportable. The dialog should allow at least for "Tags" and an expiry date of the certificate.

  • Add a warning if keys contain different domains.
  • Add a warning if keys contain multiple user ids.

Maybe more.