How are public keys trusted?
Currently the client trusts all the keys sent from the passbolt server, and the server likewise trusts the key sent by the client during setup. While we believe this setup can be sufficient for most organisations, since the keys are sent over HTTPS, we also acknowledge that it is far from ideal.
In the long term, our solution would be to implement key signatures, synchronization with public key repositories, and the possibility for users to manually accept or reject keys.
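As an added illustration (not passbolt's own code), the following Python computes the OpenPGP version-4 fingerprint of a public-key packet the way RFC 4880 specifies, pins it the first time a key is seen for a user, rejects a different key sent later for the same user, and lets the user confirm the pin against a fingerprint obtained outside the server channel. It assumes passbolt keys are OpenPGP keys; `TofuKeyStore`, the user id and the tiny RSA values are constructed for the example.

```python
import hashlib
import struct

def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then the big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version-4 RSA public-key packet: version, creation time, algorithm 1 (RSA), n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the two-octet body length, and the body."""
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()
    return digest.hex().upper()

def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order 8 octets of the v4 fingerprint."""
    return fingerprint[-16:]

class TofuKeyStore:
    """Hypothetical client-side pin store (not passbolt code): remember the first key seen
    per user, reject a different key later, and confirm a pin against an out-of-band fingerprint."""

    def __init__(self) -> None:
        self._pins: dict[str, str] = {}

    def check(self, user_id: str, body: bytes) -> str:
        fp = v4_fingerprint(body)
        pinned = self._pins.get(user_id)
        if pinned is None:
            self._pins[user_id] = fp  # trust on first use; later keys are measured against this pin
            return "accepted-first-use"
        return "accepted" if pinned == fp else "rejected-mismatch"

    def confirm(self, user_id: str, fingerprint_out_of_band: str) -> bool:
        """Manual accept/reject: compare the pin with a fingerprint read, e.g., off a business card."""
        pinned = self._pins.get(user_id)
        return pinned is not None and pinned == fingerprint_out_of_band.replace(" ", "").upper()

# Constructed sample keys: tiny, non-real RSA moduli used only to exercise the packet encoding.
KEY_A = rsa_public_key_body(n=0xC0FFEE1234567890ABCDEF, e=65537, created=1_600_000_000)
KEY_B = rsa_public_key_body(n=0xDEADBEEF0BADF00DCAFE42, e=65537, created=1_600_000_000)

if __name__ == "__main__":
    store = TofuKeyStore()
    print(store.check("ada@example.test", KEY_A), v4_fingerprint(KEY_A))
    print(store.check("ada@example.test", KEY_B))  # a substituted key for the same user is rejected
```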