
Kleopatra: add column with info if certificate is exportably signed
Closed, Duplicate (Public)

Description

We recommend Kleopatra groups as a way to distribute already certified public keys, so that a recipient would only have to verify and trust the signer of those certifications.

But if the certificates are only signed locally (which is the default in Kleopatra), this will not work. Therefore it would be good if we had this info not only in the details of the certifications of a certificate...

An optional column in the certificate (and the group editor) would be logical. In the group editor it should be displayed by default, I think, so that you immediately see if you forgot to sign the certificate you want to add.
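The distinction the report relies on can be checked outside Kleopatra. The following is an added example (not code from this issue, from Kleopatra or from GnuPG) that parses `gpg --with-colons --list-sigs` output and reports, per key, how many third-party certifications are exportable and how many are local-only. It relies on the documented colon format: field 11 of a `sig` record is the signature class followed by `x` for an exportable signature or `l` for a local one. The sample colon output, key IDs, fingerprints, user IDs and dates are constructed for the demo; the function names `certification_report` and `check_keys` are this example's own.

```shell
#!/bin/sh
# Added example; not code from the Kleopatra issue or from GnuPG itself.
# Reports, per key, how many third-party certifications are exportable and
# how many are local-only, by parsing `gpg --with-colons --list-sigs`.
# Per GnuPG's doc/DETAILS, field 11 of a "sig" record is the signature
# class followed by 'x' (exportable) or 'l' (local, made with --lsign-key).
# `gpg --export` omits local signatures unless export-local-sigs is set,
# so a key whose only third-party certification is local arrives at the
# recipient uncertified.

# Constructed sample colon output: two keys, both certified by "Carol".
# Key AAAA... carries only a local certification, key DDDD... an
# exportable one. Key IDs, fingerprints, uid hashes and dates are made up.
SAMPLE='pub:u:255:22:AAAAAAAAAAAAAAAA:1700000000::u:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1700000000::0000000000000000000000000000000000000001::Alice <alice@example.org>::::::::::0:
sig:::22:AAAAAAAAAAAAAAAA:1700000000::::Alice <alice@example.org>:13x::::::8::::
sig:::22:CCCCCCCCCCCCCCCC:1700000100::::Carol <carol@example.org>:10l::::::8::::
pub:u:255:22:DDDDDDDDDDDDDDDD:1700000000::u:::scESC::::::23::0:
fpr:::::::::DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD:
uid:u::::1700000000::0000000000000000000000000000000000000002::Bob <bob@example.org>::::::::::0:
sig:::22:DDDDDDDDDDDDDDDD:1700000000::::Bob <bob@example.org>:13x::::::8::::
sig:::22:CCCCCCCCCCCCCCCC:1700000200::::Carol <carol@example.org>:10x::::::8::::'

# Read colon output on stdin; print one line per primary key:
#   <fingerprint or key ID> exportable=<n> local=<n> <ok|NO-EXPORTABLE-CERT>
# Self-signatures (signer key ID equals the key's own ID) are not counted,
# since they say nothing about whether anyone else vouched for the key.
certification_report() {
    awk -F: '
        function flush() {
            if (keyid != "")
                printf "%s exportable=%d local=%d %s\n",
                       (fpr != "" ? fpr : keyid), exp_n, loc_n,
                       (exp_n > 0 ? "ok" : "NO-EXPORTABLE-CERT")
        }
        # A "pub" record starts a new primary key; reset the counters.
        $1 == "pub" { flush(); keyid = $5; fpr = ""; exp_n = 0; loc_n = 0; want_fpr = 1; next }
        # The first "fpr" record after "pub" is the primary key fingerprint
        # (field 10); later ones belong to subkeys and are ignored.
        $1 == "fpr" && want_fpr { fpr = $10; want_fpr = 0; next }
        # Third-party certification: classify by the trailing x/l of field 11.
        $1 == "sig" && $5 != keyid {
            if ($11 ~ /l$/) loc_n++
            else if ($11 ~ /x$/) exp_n++
        }
        END { flush() }
    '
}

# Real use: check the keys you are about to put into a group, e.g.
#   check_keys alice@example.org bob@example.org
check_keys() {
    gpg --with-colons --list-sigs "$@" | certification_report
}

# Demo on the constructed sample; the AAAA... key is flagged because its
# only third-party certification is local and would be dropped on export.
printf '%s\n' "$SAMPLE" | certification_report
```

Any key flagged `NO-EXPORTABLE-CERT` is one where the group recipient would see no certification by the shared signer after import, which is exactly the situation the requested column is meant to make visible.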

Details

Version
3.1.26

Event Timeline

Thinking about this, I don't think offering the information "exportable or not" will help users much. The concept of "exportable or local signatures" should be a technical detail that we should not require our users to understand. The intention of defaulting to local signatures and hiding the export under "Advanced" was to give users a way to basically use "Trust on first use" to certify a key for their personal use and, honestly, without checking the fingerprint. Even though they "should" not do that. Whether this makes sense for GnuPG VSD is arguable, since we have now better spelled out what "certification trust (ownertrust)" means. So maybe exportable signatures should become the default for GnuPG VS-D? With the classical SKS-style keyservers in Gpg4win I tend to keep local signatures the default.

With our current way of certifications, just offering this information would then result in users having to go into each of the keys, redo their certification as exportable and so on, which would be quite an annoying task. So I am against just showing it; we as a software basically know that the user wants to export this group. And if exportable certifications are missing, this would be much better implemented as a quick way to add them, with a bulk certify or a certification of a group. While we have talked about this in Erkrath, we did not do a good job of writing down our conclusions. But I think for one of the next releases, and as one of the next larger jobs for Ingo, we should aim for an improved certification workflow together with groups.
So I am closing this as a duplicate of T6469 and will add a note in one of the related issues there that we should inform the user if a group they are about to export contains just local signatures.

I remember this one customer who said, "Do you really want me to click through the 100 certificates of my employees and communication partners and certify each manually?", and then having to redo that work if they forgot to set the exportable flag. That would be just mean. And yes, the theory is that they should do that and confirm each fingerprint, but in practice what they do is have a shared folder and just grab and certify the keys from there as needed.