Opened 8 years ago

Last modified 8 years ago

#3656 new Bug/Something is broken

red web interface talks about GPG keys and GPG User IDs -- should probably be OpenPGP, and needs more documentation

Reported by: https://id.mayfirst.org/dkg
Owned by: https://id.mayfirst.org/jamie
Priority: Medium
Component: Tech
Keywords: red gpg openpgp
Cc:
Sensitive: no

Description

The current control panel interface for User Accounts shows two fields that sound interesting to me:

  • GPG Public Key
  • GPG User IDs (one per line)

There are no explanations of what these fields are used for, or even if they are actually GPG-specific somehow. I suspect that it is actually OK to use material from any OpenPGP-compliant implementation (and, actually, that it is probably *not* acceptable to use other things like S/MIME which are supported by parts of the GnuPG suite), so perhaps the terminology should change to "OpenPGP" instead of "GPG".

Some documentation (the new style of help text?) might be useful explaining why/when these fields might come in handy.

For example, I think it would be nice if the second field were to add a name to ~/.monkeysphere/authorized_user_ids -- but that might be a surprising result if it's not what the user expects.

Change History (2)

comment:1 Changed 8 years ago by https://id.mayfirst.org/jamie

Those fields were added during a burst of OpenPGP inspiration a few years ago with the idea that a useful implementation would soon be figured out. My original idea was to somehow use that information for user-authentication perhaps in combination with firegpg, however, now that firegpg is discontinued, I'm not sure this is still viable (enigform is another alternative, however, development does not seem active there).

I think the idea of putting user ids in ~/.monkeysphere/authorized_user_ids would be better handled via the Server Access service (where you can currently put your ssh public key), since most user accounts don't have ssh access.

I'm wondering if these fields would make more sense for the membership contact. Each member can list one or many contacts and designate one or more as billing contacts. These are the contacts that get password reset emails whenever someone requests a password reset for a given user account. These are also the email addresses used to send membership invoices.

By designating a gpg public key for these email addresses (and a checkbox saying please encrypt all traffic sent) we could only send password reset emails in an encrypted form for people who want that.

I'm not sure our members will leap at this opportunity, but seems like an obvious place to use OpenPGP.

In the meantime, maybe these fields should just be hidden to avoid confusion?

jamie

comment:2 Changed 8 years ago by https://id.mayfirst.org/jamie

See #3696 about making the server access service monkeysphere aware.
