How are public keys trusted?
Currently the client trusts all the keys that are sent from the passbolt server. The server also trusts the key sent by the client during setup. While we believe this setup can be sufficient for most organisations, since the keys are sent over HTTPS, we also acknowledge that it is far from ideal: neither side verifies the key it receives against anything other than the transport.
Our long-term solution would be to implement key signatures, synchronization with public key repositories, and the possibility for users to manually accept or reject keys.
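As an added illustration (not passbolt's own code), the difference between the trust-everything behaviour described above and a client that pins a key on first sight and asks the user to accept any later change. The key material is constructed, and the pin is a SHA-256 over the raw key bytes, an assumption standing in for an OpenPGP fingerprint.

```python
import hashlib

# Constructed stand-ins for the armoured public keys a server would hand out.
# The second one represents a replaced key for the same user.
ALICE_KEY_V1 = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\nalice-key-material-1\n-----END PGP PUBLIC KEY BLOCK-----"
ALICE_KEY_V2 = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\nalice-key-material-2\n-----END PGP PUBLIC KEY BLOCK-----"


def pin_of(key_bytes: bytes) -> str:
    """Identity we pin for a key (assumption: SHA-256 of the bytes, not an OpenPGP fingerprint)."""
    return hashlib.sha256(key_bytes).hexdigest()


class KeyTrustStore:
    """Decides whether a public key received for a user is trusted.

    trust_all=True mirrors the current behaviour: whatever the server sends is used.
    trust_all=False pins the first key seen and rejects a changed key unless the
    user explicitly accepts it (the manual accept/reject the FAQ proposes).
    """

    def __init__(self, trust_all: bool = False):
        self.trust_all = trust_all
        self.pins: dict[str, str] = {}

    def receive(self, user: str, key_bytes: bytes, user_accepts: bool = False) -> str:
        pin = pin_of(key_bytes)
        if self.trust_all:
            self.pins[user] = pin      # silently replaced, no way to notice a swap
            return "trusted"
        known = self.pins.get(user)
        if known is None:
            self.pins[user] = pin      # first sight: remember it
            return "pinned"
        if known == pin:
            return "trusted"           # matches what we saw before
        if user_accepts:
            self.pins[user] = pin      # user reviewed the change and accepted it
            return "accepted"
        return "rejected"              # key changed and nobody approved it
```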