
Kleopatra: Add refresh button in certificatedetails
Open, Normal, Public

Description

When certificate details are open we do an online check for S/MIME to validate the certificate. Semantically we should in that case also do a refresh-key for the OpenPGP certificate.

At least we should have a refresh button in the certificatedetails to refresh it from the server. But I would like to have this also behind a configuration setting for automatic refresh in which case the button should be invisible. I think an auto refresh would be the best solution from a usability standpoint but from a privacy standpoint an explicit action is better. That way we keep Kleopatra never doing network connections if the user does not explicitly trigger them.

I think this issue should have some priority so I classified it as normal and not wishlist because an OpenPGP key refresh is important from a security standpoint.

Details

Version
master

Event Timeline

aheinecke triaged this task as Normal priority. Mar 28 2022, 11:55 AM
aheinecke created this task.

I wonder if we even should change gpgme to do a key refresh when you call it in VALIDATE mode and online? Semantically this makes sense to me as this is where CRL checks for S/MIME are done. But from a conservative standpoint this could be considered an API change if the API then does something differently and that even does a network connection. So while I consider it I don't think this is a very good idea.

ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker changed the task status from Open to Testing. May 5 2022, 3:22 PM
ikloecker removed ikloecker as the assignee of this task.
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker added a project: Restricted Project.
ikloecker added a subscriber: ikloecker.

The Certificate Details window now has an Update button.

I don't think that it makes much sense to do an auto refresh (only) when the details are opened. If the automatic refresh is really important, then it needs to be performed in the background for all keys all of the time. If people want to encrypt a file, then they won't look at the certificate details for all recipients to make sure that all keys have been refreshed. They will expect that all keys are up-to-date without them having to care about this.

Please add a separate task for an automatic refresh.

For an OpenPGP key, Update now performs a simple "retrieve key" operation for the existing key, i.e. it refreshes the key with the public key found on the configured key server.

werner removed a project: Restricted Project. Sep 22 2022, 11:04 AM
ebo renamed this task from Kleopatra: Add refresh button in certificatedetails and an auto refresh to Kleopatra: Add refresh button in certificatedetails. Dec 5 2022, 1:07 PM
ikloecker changed the task status from Testing to Open. Dec 7 2022, 11:42 AM
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker added a subscriber: ebo.

Ok. So after further discussion. It is good that you kept a WKDRefreshJob copy :)

I would suggest the following, if it is somehow possible. I think we have the API for this now that we can search for WKD keys without importing them. We should additionally check WKD: if the key from WKD has the same fingerprint, we update; if it has not, we show the user something like a search result. Give an indication that a different key was found for these UserIDs and then let the user decide to import them?
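
The rule suggested in the comment above (same fingerprint: update; different fingerprint: show it like a search result and let the user decide), as an added C++ example that is not Kleopatra or GpgME code. `WkdCandidate`, `classifyWkdResults` and the other names are hypothetical, and the WKD search is assumed to have already returned its results without importing them.

```cpp
// Added example, not Kleopatra or GpgME code; all names here are hypothetical.
#include <cctype>
#include <string>
#include <vector>

// A key returned by a WKD search that has not been imported yet.
struct WkdCandidate { std::string fingerprint, userId; };

enum class Action { UpdateLocalKey, AskUser };
struct Decision { Action action; WkdCandidate candidate; };

// Canonical form: upper-case hex, separators removed. Anything that is not a
// full v4 (40 hex digits) or v5 (64 hex digits) fingerprint yields "", so a
// short key ID can never compare equal to a key.
std::string normalizeFingerprint(const std::string &fpr) {
    std::string out;
    for (unsigned char c : fpr) {
        if (c == ' ' || c == ':') continue;
        if (!std::isxdigit(c)) return {};
        out.push_back(static_cast<char>(std::toupper(c)));
    }
    return (out.size() == 40 || out.size() == 64) ? out : std::string{};
}

// Same fingerprint: safe to merge as an update of the existing key.
// Different fingerprint: never merged silently, shown to the user instead.
std::vector<Decision> classifyWkdResults(const std::string &localFpr,
                                         const std::vector<WkdCandidate> &found) {
    const std::string local = normalizeFingerprint(localFpr);
    std::vector<Decision> decisions;
    for (const auto &c : found) {
        const std::string remote = normalizeFingerprint(c.fingerprint);
        if (remote.empty()) continue;               // malformed result, skip it
        const bool same = !local.empty() && remote == local;
        decisions.push_back({same ? Action::UpdateLocalKey : Action::AskUser, c});
    }
    return decisions;
}

// Constructed sample data (fingerprints are made up).
std::vector<Decision> demo() {
    const std::string local = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567";
    return classifyWkdResults(local, {
        {"0123456789abcdef0123456789abcdef01234567", "alice@example.org"},
        {"FEDCBA9876543210FEDCBA9876543210FEDCBA98", "alice@example.org"},
        {"89ABCDEF01234567", "alice@example.org"},   // key ID only: ignored
    });
}
```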

ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
werner moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. Dec 12 2022, 11:47 AM
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. Tue, May 16, 12:11 PM