List:       kmail-devel
Subject:    KMail / GnuPG integration
From:       Michel Bouissou <michel () bouissou ! net>
Date:       2001-10-19 10:35:33

Hi folks,

This message is a mix of questions / comments / wishlist about GnuPG 
integration in KMail.

(I won't discuss PGP/MIME issues here, just general issues regarding the 
current support of GnuPG in KMail)

1) Security question
=================

When KMail is configured to "remember GnuPG passphrase", is the passphrase 
stored in a non-swappable area of memory, or is there a risk that the 
passphrase could be swapped to disk in the clear, or compromised in any other 
way?


2) Security Improvements
=====================

2a) About passphrase conservation (wishlist):
---------------------------------------------------

- I'd love an optional timeout that would allow the passphrase to be 
remembered for a certain duration, then automatically forgotten if it hasn't 
been used (for decryption or signature) for this amount of time.
Justification: It's nice to be able to remember the passphrase when it is long 
and complex, but it's dangerous to have it remembered "forever" as long as 
KMail is left open.

- I'd love a toolbar button that would appear in every KMail window when a 
passphrase is kept in memory (thus showing this state) and would cause the 
passphrase to be forgotten immediately when clicked.
Justification: To be able to see at a glance whether the passphrase is 
currently in memory or not. To be able to erase it when leaving my desk for 
some minutes without needing to change the KMail configuration each time.

- I'd love that passphrase conservation could be configured on a mail folder 
basis, with a folder option such as "Forget GPG passphrase when entering this 
folder", with maybe an optional timeout as well, allowing one to shift quickly 
between folders without entering the passphrase every time. That would make an 
option like:
- Forget passphrase when entering this folder
- Optionally "If this folder hasn't been accessed for <n> minutes"
Justification: To allow a higher level of protection for folders that would 
contain very sensitive material. If I'm in a "relatively trusted" environment 
and leave my desk for some minutes without thinking of erasing the 
passphrase, some other people that would enter such a folder would cause the 
passphrase to be forgotten immediately. That would be great!


2b) About key validity
-------------------------

It is IMHO very DANGEROUS that KMail encrypts messages to untrusted 
GnuPG public keys without any kind of warning.
KMail SHOULD warn the user when encrypting to an untrusted key, giving him the 
choice to continue or cancel.


2c) About signatures validity
--------------------------------

Upon receipt of a signed message, KMail shows "The message has been signed by 
Wolfgang Mozart <mozart@requiem.com>"
But KMail doesn't state whether this key is trusted or not. IMHO, it SHOULD 
give more details by appending (TRUSTED) or (UNTRUSTED), especially because 
GnuPG can retrieve by itself the signing key from a keyserver, and we will 
have no idea in KMail whether the signing key is good or fake.
When analyzing signatures, KMail should display:
- The status (GOOD / BAD / TRUSTED / UNTRUSTED)
- The Key ID
- The date and time of the signature


2d) About messages reception
----------------------------------

Upon receipt of an encrypted message, KMail should display the Key IDs (and 
names if available) to whom the message has been encrypted.
Justification:
- To make visible the list of keys that could be able to decrypt the message 
(possible additional recipients)
- To make visible the software / version that encrypted the message


2e) SUMMARY
------------------

To summarize, when I receive an encrypted message, I would like KMail to show 
something like:

<<<<<
Encrypted message
The message has been signed by W.A Mozart <mozart@requiem.com>
GOOD signature from TRUSTED key ID 0x12345678 
Made on Fri, 12 Oct 2001 17:33:31 +0200
The message has been encrypted to:
Michel Bouissou <michel@bouissou.net> ID 0x5C2BEE8F (TRUSTED)
Albert Einstein <albert@emc2.org> ID 0x9ABCDEF0 (UNTRUSTED)
Unknown key ID 0x147AD036 (UNKNOWN)
Message made with: Version: GnuPG v1.0.6 (GNU/Linux)
>>>>>


2f) Key selection when encrypting a message
----------------------------------------------------

Past versions of KMail showed strange behaviours in situations such as:
- There are several possible keys for the same recipient;
- There are enabled and disabled keys for the same recipient;
- There is a revoked key for a given recipient.

I had described some of the problems that I had encountered in bug report 
#25762, for KMail 1.2, but I'm not sure of the current status of these 
problems.

In my bug report for KMail 1.2, I wrote:

<<<<<
- When the recipient's key has been revoked, KMail sends the message in the 
clear, with no warning at all, instead of warning that the recipient's key 
has been revoked. This is extremely bad.
- When there are several keys that match the recipient's e-mail address, 
KMail encrypts to all of them, where it should ask the user to choose.
- When there are two keys that match the recipient's e-mail address, but one 
of them has been disabled in GnuPG, KMail encrypts to none of them, where 
KMail should encrypt to the "valid" key, or ask the user if there are several 
valid keys.
>>>>>



3) Usability wishlist
================

Weeeeellll... There are some other little things that I'd love...

3a) Easy import of GnuPG public key from KMail

3b) A toolbar button in KMail for launching GPA

3c) A configuration option to automatically encrypt messages (even if the 
"encrypt" button has not been clicked) every time you have a public key for 
every recipient of the message (possibly with a confirmation popup box, such 
as:
"We have a valid public key for every recipient of this message. Do you want 
to send the message encrypted? [Encrypted] [Encrypted + signed] [Cleartext]")

3d) A configuration option for "Always automatically encrypt messages", that 
would cause messages to be always encrypted if possible (without 
confirmation), but with a warning if some recipients' keys are missing:
"We have no public key for encrypting the message to <john@doe.org>. Do you wish 
to send the message in the clear? [Send in clear] [Cancel]"

3e) When listing a choice of public keys to encrypt to:
- Sort keys alphabetically
- Differentiate trusted keys from untrusted ones (color? icon?)
- Allow KMail to locally associate and remember the association between a given 
email address and a given key, for cases where you own a key that doesn't 
match the actual owner's email address.

3f) Encryption / Decryption of file attachments


Well, that's all.... ;-)))

I've been thinking of all these features for a while, and thought I should 
write a wishlist about them... Now it's done.

Hope this can help.

Best regards.

-- 
Michel Bouissou - OpenPGP DH/DSS ID 0x5C2BEE8F
michel@bouissou.net
Make your computer happy:
give it a penguin!
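As an added example, not KMail's code nor the author's, here is how the signature status, trust level, key IDs and signature time asked for in 2b, 2c and 2e can be derived from GnuPG's machine-readable `--status-fd` output. The status lines and the `keyring` trust lookup (standing in for a `gpg --with-colons --list-keys` listing) are constructed assumptions.

```python
# Added example, not KMail's own code: turn gpg --status-fd lines into the summary
# proposed in sections 2c/2e and flag untrusted recipient keys (section 2b).
from datetime import datetime, timezone
TRUST = {"TRUST_ULTIMATE": "TRUSTED", "TRUST_FULLY": "TRUSTED", "TRUST_MARGINAL": "UNTRUSTED",
         "TRUST_NEVER": "UNTRUSTED", "TRUST_UNDEFINED": "UNTRUSTED"}  # status keyword -> label
def parse_status(lines, keyring):
    # keyring: hypothetical {long_keyid: (uid, "TRUSTED"|"UNTRUSTED")} stand-in for a --with-colons listing
    v = {"sig": "NONE", "trust": "UNKNOWN", "keyid": "", "uid": "", "date": "", "enc_to": []}
    for raw in lines:
        parts = raw.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        kw = parts[1]
        if kw in ("GOODSIG", "BADSIG") and len(parts) > 2:
            v["sig"] = "GOOD" if kw == "GOODSIG" else "BAD"
            v["keyid"], v["uid"] = parts[2], " ".join(parts[3:])
        elif kw == "ERRSIG" and len(parts) > 2:   # signing key unavailable: nothing verified
            v["sig"], v["keyid"] = "ERROR", parts[2]
        elif kw == "VALIDSIG" and len(parts) > 4 and parts[4].isdigit():  # parts[4]: sig timestamp
            ts = datetime.fromtimestamp(int(parts[4]), tz=timezone.utc)
            v["date"] = ts.strftime("%a, %d %b %Y %H:%M:%S +0000")
        elif kw in TRUST:                          # TRUST_* follows only a good signature
            v["trust"] = TRUST[kw]
        elif kw == "ENC_TO" and len(parts) > 2:    # one line per key the session key went to
            uid, trust = keyring.get(parts[2], ("Unknown key", "UNKNOWN"))
            v["enc_to"].append((uid, parts[2], trust))
    return v

def untrusted_recipients(keyids, keyring):
    # Section 2b: keys that should raise a warning before encrypting to them
    return [k for k in keyids if keyring.get(k, ("", "UNKNOWN"))[1] != "TRUSTED"]
def render(v):
    # The display block sketched in section 2e
    out = ["Encrypted message"] if v["enc_to"] else []
    if v["sig"] != "NONE":
        out.append(f"The message has been signed by {v['uid'] or v['keyid']}")
        out.append(f"{v['sig']} signature from {v['trust']} key ID 0x{v['keyid'][-8:]}")
        out.append(f"Made on {v['date'] or 'unknown date'}")
    if v["enc_to"]:
        out.append("The message has been encrypted to:")
        out += [f"{uid} ID 0x{kid[-8:]} ({trust})" for uid, kid, trust in v["enc_to"]]
    return "\n".join(out)
SAMPLE_STATUS = [  # constructed sample, not captured from a real GnuPG run
    "[GNUPG:] ENC_TO 1234567890ABCDEF 17 0",
    "[GNUPG:] ENC_TO FEDCBA0987654321 17 0",
    "[GNUPG:] GOODSIG 0123456789ABCDEF W.A Mozart <mozart@requiem.com>",
    "[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2001-10-12 1002900811 0 3 0 17 2 00",
    "[GNUPG:] TRUST_FULLY"]
KEYRING = {"1234567890ABCDEF": ("Michel Bouissou <michel@bouissou.net>", "TRUSTED")}
print(render(parse_status(SAMPLE_STATUS, KEYRING)))
```

The second ENC_TO key is deliberately absent from the keyring, so the summary marks it UNKNOWN and the 2b check lists it as needing a warning.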