GpgOL: Security level 2 shown for manually imported and certified cert
Open, NormalPublic

Description

Edit 2025-11-27: This is now a documentation-only ticket; for what needs to be documented, see T7833#209062


Our website states for security level 2:

The key was automatically delivered by the mail domain owner (the provider) via HTTPS. This is only possible if the provider uses the WKD (Web Key Directory) service

This works, but can also be triggered by manual import + certification of an OpenPGP key:

  1. Download my cert:

  1. Make sure the cert is not in the keyring
  2. Import my cert in Kleopatra (e.g. drag and drop)
  3. Select Certify and certify all uids
  4. Open Outlook
  5. Check the security level of ted:INBOX/Sicherheitslevel/2 security levle2 (wkd) => level 2

Details

Version
vsd-3.3.90.16-beta

Event Timeline

timegrid created this object in space Restricted Space.
timegrid created this object with edit policy "g10code (Project)".
ebo triaged this task as Normal priority. (Oct 9 2025, 9:46 AM)
ebo moved this task from Backlog to Triage on the gpgol board.
ebo shifted this object from the Restricted Space space to the S1 Public space. (Nov 12 2025, 12:16 PM)

This seems to apply only to non-vsd-compliant algos. Importing and certifying a

  • rsa/brainpool cert results in security level 4
  • cv25519 cert results in security level 2

Is this intended? If yes, the documentation should be more precise.

ebo moved this task from Triage to Done on the gpgol board.

Ok, then this is only an issue in the VSD versions. (I confirmed with a quick test with Gpg4win-5.0.0-beta413)

Security Level 2 is defined as "Limited Identity Validation", and as we say in the documentation, "security levels for received mails are not VS-NfD relevant, but give a clue for assessing the authenticity of the mail.", one can argue that we can ignore the algorithm or this check.

But the manual which was created during the approval process states:

During signature verification and decryption, a compliant email achieves at least GpgOL security level 3 (out of four levels).

-> We have to fix our documentation instead to make clear that signatures with certificates using a non-compliant algorithm will not rise above level 2.