Addendum of a20141022.2

Introduction

This addendum contains the results of the research that was done into the background of the request filed by the SE.

Bug Tracker

There are 5 bugs (read: feature requests) in the Bug Tracker that express the desire to enhance the software with a possibility to revoke CAcert signatures on GPG/PGP keys. These bugs are listed in the table below. The first 4 bugs should be considered duplicates. The Bug Tracker specifically marks Bug 721 and Bug 1079 as duplicates. Bug 1210 differs from the other 4 listed in that it proposes to resolve 'the issue' by removing the date check on the GPG/PGP keys from the software.

Bug | Summary | Submitted | Last Update | Severity | Resolution | Status
--- | --- | --- | --- | --- | --- | ---
0000075 | GPG Signature revocation system needed | 2005-10-21 | 2013-01-13 | feature | won't fix | closed
0000251 | PGP Certifikat revoken / löschen (revoke / delete PGP certificate) | 2006-06-01 | 2012-12-20 | feature | open | needs work
0000721 | No way to revoke sigs on a OpenPGP key | 2009-04-21 | 2012-12-20 | feature | open | new
0001079 | GPG key can not be revoked | 2012-07-06 | 2014-07-16 | minor | open | needs work
0001210 | Problem with Delete account procedure | 2013-09-14 | 2013-09-14 | minor | open | new

The fix of Bug 794 added the visibility of all certificates of an account to the SE console and came with a Revoke button. The Revoke button however only applies to the X.509 Client and Server certificates. A (CAcert signature on a) GPG/PGP key can't be revoked through the software.

Bug | Summary | Submitted | Last Update | Severity | Resolution | Status
--- | --- | --- | --- | --- | --- | ---
0000794 | visibility over certificates for sysadm in account administration | 2009-11-27 | 2013-01-15 | feature | fixed | closed

Steps to reproduce the situation

The GPG/PGP signature lifetime on the test server is 1 year, contrary to the 1 day lifetime mentioned on the 03 Working With Testserver And Mgmt System Wiki page. This 1 year lifetime unfortunately renders further testing pointless until after the 'expiry date + 3 month CCA retention' period.

The result expected from this test is therefore an exact replica of the situation the SE ran into: it should be impossible to delete the account as an SE, and the following message should appear: 'The CCA retention time for at least one certificate is not over. Can't continue.'

This is exactly the result that was achieved.

In a nutshell the steps to reproduce the situation comprise:

The detailed test steps below have been conducted on an Ubuntu 16.04 LTS Gnome Desktop local host with Chrome 52.0.2743.116 (64-bit):

Code base

The following code snippet shows the origin of the 'The CCA retention time for at least one certificate is not over. Can't continue.' notification. The function blocking the account deletion by returning true in both the test case and the case described by the SE is the check_gpg_cert_running() function.

The snippet below describes the check_gpg_cert_running() function and shows that it only looks at the CAcert signature expiry on a GPG/PGP key. The result of the function is entirely independent of the actual status of the CAcert-signed GPG/PGP key itself.
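The following is an added model of the behaviour described above, not the CAcert code base: it reproduces the expiry-only check that blocks account deletion and sets a status-aware variant beside it for comparison. The GpgSignature type, the key_revoked_on field, the delete_account() helper, the 92-day approximation of the 3 month CCA retention and the sample key data are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# 'expiry date + 3 month CCA retention': 3 months approximated as 92 days (assumption).
CCA_RETENTION = timedelta(days=92)

BLOCK_MESSAGE = ("The CCA retention time for at least one certificate is not over. "
                 "Can't continue.")


@dataclass
class GpgSignature:
    """A CAcert signature on a GPG/PGP key, reduced to what the deletion check needs.
    key_revoked_on is the date the key owner revoked the key itself (None if never)."""
    key_id: str
    sig_expires: date
    key_revoked_on: Optional[date] = None


def check_gpg_cert_running(sigs, today):
    """Model of the behaviour the page describes: only the CAcert signature expiry is
    consulted, so a key its owner revoked years ago still blocks deletion until
    sig_expires + CCA_RETENTION has passed."""
    return any(s.sig_expires + CCA_RETENTION > today for s in sigs)


def check_gpg_cert_running_status_aware(sigs, today):
    """Hypothetical variant (not CAcert code): the retention clock starts at the
    earlier of the signature expiry and the owner's revocation of the key."""
    def retention_end(s):
        start = s.sig_expires
        if s.key_revoked_on is not None:
            start = min(start, s.key_revoked_on)
        return start + CCA_RETENTION
    return any(retention_end(s) > today for s in sigs)


def delete_account(sigs, today, check=check_gpg_cert_running):
    """Return the notification the SE would see, or None if deletion may proceed."""
    return BLOCK_MESSAGE if check(sigs, today) else None


# Constructed sample data: a fresh 1-year test-server signature and an old key whose
# owner revoked it in 2014 while its CAcert signature only expired in July 2016.
TODAY = date(2016, 8, 14)
TEST_SERVER_SIG = [GpgSignature("TESTKEY01", sig_expires=date(2017, 8, 13))]
REVOKED_OLD_KEY = [GpgSignature("OLDKEY02", sig_expires=date(2016, 7, 1),
                                key_revoked_on=date(2014, 1, 1))]

if __name__ == "__main__":
    print(delete_account(TEST_SERVER_SIG, TODAY))
    print(delete_account(REVOKED_OLD_KEY, TODAY))
    print(delete_account(REVOKED_OLD_KEY, TODAY, check_gpg_cert_running_status_aware))
```

The second call shows the defect described on the page: the owner-revoked key still blocks deletion because only the signature expiry date is consulted, whereas the status-aware variant lets the deletion proceed.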



Arbitrations/a20141022.2/Addendum (last edited 2016-08-14 09:18:52 by PietStarreveld)