Bug 329546

Summary: open validly signed emails only
Product: [Applications] kmail2
Reporter: Hauke Laging <hauke>
Component: crypto
Assignee: kdepim bugs <kdepim-bugs>
Status: REPORTED ---
Severity: wishlist
Priority: NOR
Version: 4.10.5
Target Milestone: ---
Platform: openSUSE
OS: Linux
URL: http://www.crypto-fuer-alle.de/wishlist/securitylevel/
Latest Commit:
Version Fixed In:

Description Hauke Laging 2014-01-03 01:33:58 UTC
Email is an important attack vector. Now, in the post-Snowden era, when we are all discussing how to make computers more secure, I think it's time to make crypto more useful.

On high security level systems it should be possible to disable completely the handling of all emails (OK, except for showing the header data, which isn't signed anyway) which do not have a valid PGP/MIME signature by a key which has been explicitly marked trustworthy for this security level (no matter whether the email is encrypted or not). This may be done by creating a separate keyring and calling gpg with --no-default-keyring, or by checking the normal gpg result against a fingerprint whitelist.

Instead of the mail content, a message like this should be shown: "The KMail configuration requires all emails to be signed by a key from the secure keys list. This email is not opened because it lacks a valid signature / has a correct signature but from a key which is not on the secure keys list."

Such a configuration probably makes sense only as a global option. But it may make sense to have a secure keys list per mailbox.

This may be a nice feature from the admin perspective (even more so if the user cannot disable it and cannot modify the secure keys list) because it limits the user's possibilities to make mistakes. These signatures could also be made by antivirus software, so this feature could as a side effect ensure that only email which has been checked is read.

Reproducible: Always
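A whitelist check of the kind the report proposes, added here as an example that is not part of the bug report or of KMail's code: it reads the machine-readable status lines that `gpg --status-fd` emits during `--verify` and decides with the wording proposed above. The fingerprints and status lines below are constructed placeholders, and the decision deliberately ignores gpg's TRUST_* lines, since the explicit list replaces the web of trust.

```python
# Admin-maintained "secure keys list": primary-key fingerprints (constructed).
SECURE_KEYS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

REJECT_PREFIX = ("The KMail configuration requires all emails to be signed by a "
                 "key from the secure keys list. This email is not opened because it ")

# Status keywords that mean the signature must not be accepted. VALIDSIG is
# still emitted next to EXPKEYSIG/REVKEYSIG, so these are checked explicitly.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def verify_against_whitelist(status_lines, secure_keys):
    """Return (ok, message) for one verification run.

    Only VALIDSIG lines count: GOODSIG carries a 64-bit key id, which is not
    unique enough for a whitelist. The optional last VALIDSIG field is the
    primary-key fingerprint, so a signature by any subkey of a listed key is
    accepted; it falls back to the signing-key fingerprint if absent.
    """
    valid_primaries, failures = [], set()
    for line in status_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword == "VALIDSIG":
            primary = fields[11] if len(fields) > 11 else fields[2]
            valid_primaries.append(primary.upper())
        elif keyword in FAILURE_KEYWORDS:
            failures.add(keyword)
    if failures or not valid_primaries:
        return False, REJECT_PREFIX + "lacks a valid signature."
    # Conservative: every signature on the message must come from a listed key.
    if not all(fpr in secure_keys for fpr in valid_primaries):
        return False, REJECT_PREFIX + ("has a correct signature but from a key "
                                       "which is not on the secure keys list.")
    return True, "signed by a key on the secure keys list"

# Constructed status output: good signature by a subkey of the listed primary key,
# with TRUST_UNDEFINED to show that the whitelist, not gpg's trust, decides.
LISTED = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Alice <alice@example.org>",
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2014-01-03 "
    "1388709238 0 4 0 1 10 01 0123456789ABCDEF0123456789ABCDEF01234567",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
UNLISTED = [l.replace("0123456789ABCDEF0123456789ABCDEF01234567",
                      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA") for l in LISTED]
BAD = ["[GNUPG:] NEWSIG", "[GNUPG:] BADSIG 89ABCDEF01234567 Alice <alice@example.org>"]
```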