
Kleopatra: New Feature for bulk certify
Open, Wishlist, Public

Description

I would like to have the possibility to certify multiple keys at once. It should let me select the certification key and then below list all selected keys' fingerprints and below each fingerprint all the user IDs one would sign.

One use case for this is the crypto party where I leave with a list of fingerprints to sign and probably a file with all the keys.

Another use case is when I switch my primary key. I select all keys that are valid in Kleopatra and certify them with my new case.

The most common, but not fully secure, use case will probably be that users import multiple keys for a project or from colleagues from an internal file system and certify them because they have received it through the filesystem. This is probably OK in low threat environments.

Event Timeline

aheinecke triaged this task as Wishlist priority. Feb 18 2022, 10:03 AM
aheinecke created this task.

I recently had a workshop with a customer that shared the same secret key inside her organization of about >1000 users and even handed it out to external users to avoid having any hassle with public key management. They did not have the highest security requirements and were mostly concerned about transport encryption.

With Actium not yet ready and not for everyone she asked me how should she bootstrap her organization and get every key certified.

I thought about this some more:

The most common, but not fully secure, use case will probably be that users import multiple keys for a project or from colleagues from an internal file system and certify them because they have received it through the filesystem. This is probably OK in low threat environments.

They could restrict a directory so that only users of a specific group have write access. If an employee in that case inserts a malicious key there, that would be detectable through file system auditing, and they can just organisationally define that this can't happen. In that case why not import 1000 keys, do some sanity checks.

In that case the signature should even be exportable. The dialog should allow at least for "Tags" and an expiry date of the certificate.

  • Add a warning if keys contain different domains.
  • Add a warning if keys contain multiple user ids.

Maybe more.
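The two warnings listed above (keys with multiple user IDs, keys spanning different mail domains) as a sanity check run over `gpg --with-colons --list-keys` output before a bulk certification. This is an added example, not code from the task or from Kleopatra; the listing is constructed and the fingerprints and user IDs are fake.

```python
import re

# Constructed sample of `gpg --with-colons --list-keys` output; not real keys.
SAMPLE_LISTING = """\
pub:u:255:22:AAAA000000000001:1700000000:::u:::scESC::::::23::0:
fpr:::::::::000000000000000000000000AAAA000000000001:
uid:u::::1700000000::HASH1::Alice Example <alice@example.org>::::::::::0:
sub:u:255:18:BBBB000000000002:1700000000::::::e::::::23:
fpr:::::::::000000000000000000000000BBBB000000000002:
pub:u:255:22:CCCC000000000003:1700000000:::u:::scESC::::::23::0:
fpr:::::::::000000000000000000000000CCCC000000000003:
uid:u::::1700000000::HASH2::Bob Example <bob@example.org>::::::::::0:
uid:u::::1700000000::HASH3::Bob Private <bob@example.net>::::::::::0:
"""
EMAIL_DOMAIN = re.compile(r"<[^<>@]+@([^<>]+)>")


def parse_listing(text):
    """Map each primary-key fingerprint to its user IDs (list, in order)."""
    keys = {}
    current = None            # fingerprint whose uid records we are collecting
    want_primary_fpr = False  # the first fpr after pub is the primary key's
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            want_primary_fpr, current = True, None
        elif fields[0] == "fpr" and want_primary_fpr:
            current, want_primary_fpr = fields[9], False
            keys[current] = []
        elif fields[0] == "uid" and current is not None:
            # gpg escapes ':' inside a user ID as \x3a
            keys[current].append(fields[9].replace("\\x3a", ":"))
    return keys


def check_batch(keys):
    """Warnings for the bulk-certify dialog: multi-UID keys, mixed domains."""
    domains = set()
    for uids in keys.values():
        for uid in uids:
            m = EMAIL_DOMAIN.search(uid)
            if m:
                domains.add(m.group(1).lower())
    return {
        "multiple_uids": [f for f, u in keys.items() if len(u) > 1],
        "domains": domains,
        "mixed_domains": len(domains) > 1,
    }
```

Subkey `fpr` records (the one after `sub`) are skipped on purpose, so only primary-key fingerprints end up in the list the dialog would show.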