Remove or provide method to disable "encrypt message" and "verify signature" functionality #142
Labels
No Label
bug
contribution welcome
duplicate
enhancement
good first issue
help wanted
invalid
question
upstream
No Milestone
No project
No Assignees
4 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: keyoxide/keyoxide-web#142
Loading…
Reference in New Issue
There is no content yet.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may exist for a short time before cleaning up, in most cases it CANNOT be undone. Continue?
Currently, https://keyoxide.org allows for encryption and signature verification using the public key you searched for without any way for the keypair owner to disable this functionality. This may be alright with a credible service such as yours that uses OpenPGP.js and does every operation locally within the webbrowser.
Like online password generators, however, online encryption is a service that shouldn't be legitimised in any way (IMHO). Imagine other (possibly dubious) services coming around the corner with the same promise of encrypting confidential data for the visitor. Thus, I would prefer for this functionality to be removed entirely from your site. If that's not feasible for you, you could apply either of these two options:
A. Disable the service by default and allow for the public key owner to opt-in via notation.
B. Check whether the public key comes with an "encrypt" and "sign" capability. If that's not the case, the website doesn't show the "encrypt message" and "verify signature" buttons.
Of both options, I prefer the first one.
If it comes down to option B, I plan to create an additional keypair issued under my name and for the email address noreply@example.org with a primary key, that has only the "cert" capability, and without any subkeys. Said public key will be provided over self-hosted WKD. In contrast to my "main" public key, whose keypair has all capabilities and is used for daily work, this "noreply" key can also be queried without the "l" parameter and can thus be found by Keyoxide.
Overall, I think your reasoning here is sound.
With each iteration of the Keyoxide web interface, the Encrypt/Verify functionality has taken a step back. Keyoxide should focus on identity verification. The rest is optional. And so should Encrypt/Verify be.
Overall, I prefer opt-in over opt-out and I think that should be the way to go here. Creating a profile is an active process so when doing that, one can make their own decisions on what functionality they want on their profile page or not.
I thank you for saying my service is credible but I always try to design it as if people did not think so. Therefore, Keyoxide servers should know as little as possible.
People have no say over what Keyoxide instances can verify their profile: all instances can! In that light, it makes especially sense to make Encrypt/Verify opt-in to avoid malicious people logging sensitive material. Instances could of course ignore the config and show Encrypt/Verify anyway but I don't believe that's a reason to do nothing on our end.
There are multiple ways of accomplishing configurable profiles:
config@ariadne.id=enable-encrypt-button=trueconfig@ariadne.id=enable-encrypt-buttonenable-encrypt-button@ariadne.id=trueI think solution 2 has my preference. Only works for on-off configuration though, we could fall back to solution 1 for config that needs more precise info, such as:
config@ariadne.id=theme-color=#4ab4abSolution 3 does not make it clear it's a configuration setting.
I would provide:
config@ariadne.id=enable-button=verifyconfig@ariadne.id=enable-button=encryptconfig@ariadne.id=enable-button=encrypt-and-verifyI dunno whether only
...=verifyand...=encryptshould be provided, and...=encryptimplicitly enables the "verify" button. Perhaps, it's best to provide all three options as I don't know the plethora of use cases out there.Maybe we should think broader then and consider them "modules" or "functions" (or a better word I can't think of rn).
config@ariadne.id=enable-module=encrypt verifyThis will of course allow us to add more modules in the future.
As for arrays, I would go with space separation.
Pinging @wiktor for his opinion. We had similar discussions a while ago.
Independent of the profile config, it would be good to check the keypair's capabilities and disable the buttons if provided capabilities are insufficient, e.g. only primary key with "cert".
Hi folks!
Of course this is internet so I also have a couple of opinions :)
This definitely needs to be fixed. If the key doesn't have an encryption subkey the encryption will fail either way. Not sure if the button should be disabled or hidden (if it's hidden it's not obvious why it doesn't work, if it's disabled the reason can be added as
titleattribute).Looks dangerous if you add more directives (like
enable-modules). If you want to go this route I'd suggestconfig@ariadne.id=enable-module=encrypt,verify(comma instead of space). Then the additional directives can be separated by spaces:config@ariadne.id=enable-module=encrypt,verify theme-color=#123456.By the way maybe
enableis superfluous? How aboutconfig@ariadne.id=modules=encrypt,verify?I've mentioned that using two
=can be confusing soconfig@ariadne.id=modules:encrypt,verifyis also an option.Also since this is about UI maybe make the notation
ui@ariadne.id? (Not sure if there will be any non-ui settings :))Phew, that's it for now I guess. Really interesting issue! 👋
Agreed with
ui@ariadne.id. Agreed withenable-module:encrypt,verify.Not sure if
modulesalone will cut it, I prefer config to have action verbs. But then, shouldn't it beset-theme-color. All in all, working with notations is still annoying so let's keep it as short as possible. I'll go withmodulesas well.Interesting you want to combine configs:
ui@ariadne.id=modules:encrypt,verify theme-color:#123456. People can still put them in separate notations if they wish.So, from all the feedback:
ui@ariadne.id=modules:encrypt,verify theme-color=#123456(not theme-color yet, that will require some more research and work)
One thing that comes to mind for
ui@ariadne.id=modules:...:I prefer explicitly setting avatar images (for GitHub, Mastodon, etc.). Thus, I would love to have s.th. like
ui@ariadne.id=modules:avatar-img=https://duxsco.de/avatar.png. That way, setting avatar images doesn't depend on a third-party service. But, that's a topic for another day 😉. I am fine with being able to disable the buttons in some way. Then, I can prepare my keypair for Keyoxide 🙂.Setting the avatar is a great use-case to keep in mind when designing the notation IMO :)
The one thing to keep in mind is that allowing random URLs for avatars allows people to keep track on who's checking their profile (set the avatar URL to https://my-domain.com/track-viewer.php ;) ). This might have privacy implications.
I'm not a big fan of random URLs for necessary things like avatars. We currently have a good system that deduces avatar URLs from the OpenPGP key's email address.
That being said, there is going to be more focus soon on Keyoxide profiles based on signatures. And then there won't be any email addresses to query libravatar. A configurable avatar URL is unavoidable.
We could fetch avatars through the proxy to limit tracking.
As for the notation, I'd be ok to give it its own one:
avatar@ariadne.id=URL, just as I hopebio@ariadne.id=Hey there, this is my keywill become a thing. I don't think these should be part ofui@ariadne.id=but where to draw the line?Actually, I might prefer:
profile@ariadne.id=avatar-img:URLprofile@ariadne.id=bio:"This is my key"It's been two months since this has been removed from the profiles, and I've run into it three times since then. Being able to link my PGP key to people in a way where I'm sure that even the least tech competent people will be able to encrypt something for me was one of the most useful things in keyoxide (and keybase before it) for me. I could self host a keyoxide frontend for this where I enable those buttons again, but that is just too much maintenance overhead in the long run.
@jcgruenhage would something like this suit your need? https://tencrypt.org/#hkp;9f0048ac0b23301e1f77e994909f6bd6f80f485d
One could imagine with some form of opt-in setting Keyoxide could link to tencrypt to enable message encryption for those that want it!
That's perfect. Thanks!