-
Notifications
You must be signed in to change notification settings - Fork 686
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
It is (probably) okay to decrypt a message with a revoked, expired or weak key #6991
Comments
In the current context of SecureDrop it's a bit theoretical. Source keypairs are fully created and managed by SecureDrop, so there should never be a scenario with an expired or revoked key. AFAIK SecureDrop has always generated keys that are compliant with the current standard policy, but I agree with you that it doesn't make sense to prevent decryption of messages because of that. |
legoktm
added a commit
that referenced
this issue
Oct 12, 2023
Even if a source key is no longer valid per policy, we still want them to be able to decrypt a previously valid message for them. We can also drop the revocation/expiry filters, which were mostly theoretical in the SecureDrop context anyways. Fixes #6991.
legoktm
added a commit
that referenced
this issue
Oct 12, 2023
Even if a source key is no longer valid per policy, we still want them to be able to decrypt a previously valid message for them. We can also drop the revocation/expiry filters, which were mostly theoretical in the SecureDrop context anyways. Fixes #6991.
legoktm
added a commit
that referenced
this issue
Oct 12, 2023
Even if a source key is no longer valid per policy, we still want them to be able to decrypt a previously valid message for them. We can also drop the revocation/expiry filters, which were mostly theoretical in the SecureDrop context anyways. Fixes #6991.
2 tasks
legoktm
added a commit
that referenced
this issue
Oct 13, 2023
Even if a source key is no longer valid per policy, we still want them to be able to decrypt a previously valid message for them. We can also drop the revocation/expiry filters, which were mostly theoretical in the SecureDrop context anyways. We first try validating the key with the StandardPolicy before trying again with a NullPolicy to avoid downgrade attacks. Since we now have another type of policy being used, the constant has been renamed to STANDARD_POLICY to be clearer what kind it is. Fixes #6991.
legoktm
added a commit
that referenced
this issue
Oct 27, 2023
Even if a source key is no longer valid per policy, we still want them to be able to decrypt a previously valid message for them. We can also drop the revocation/expiry filters, which were mostly theoretical in the SecureDrop context anyways. We first try validating the key with the StandardPolicy before trying again with a NullPolicy to avoid downgrade attacks. Since we now have another type of policy being used, the constant has been renamed to STANDARD_POLICY to be clearer what kind it is. Fixes #6991.
zenmonkeykstop
pushed a commit
that referenced
this issue
Oct 27, 2023
Even if a source key is no longer valid per policy, we still want them to be able to decrypt a previously valid message for them. We can also drop the revocation/expiry filters, which were mostly theoretical in the SecureDrop context anyways. We first try validating the key with the StandardPolicy before trying again with a NullPolicy to avoid downgrade attacks. Since we now have another type of policy being used, the constant has been renamed to STANDARD_POLICY to be clearer what kind it is. Fixes #6991. (cherry picked from commit 3596bb0)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
secret_key_from_cert
is used bydecrypt
to decrypt a message:securedrop/redwood/src/keys.rs
Lines 40 to 48 in 8d00ba5
But, there is no reason to not decrypt a message if it key is expired, revoked, the policy says the algorithms are no longer strong enough. Is there?
The text was updated successfully, but these errors were encountered: