Content of security alert email when new cert is issued #16
Comments
What about a link to the certificate revocation page? And write that if he did not request a new certificate himself, he should immediately generate a new certificate (which revokes the old one) and then report malicious behaviour with a signed email to the administrators. Or another idea: Provide a report form in the web API after the user logged in, maybe combined with requesting a new certificate. E.g. as radio buttons where he gives the reason for requesting a new certificate (lost key/passphrase, expired, suspected malicious behaviour, other) and a text field for further details depending on the chosen option.
Hm, the attacker could just create another certificate, which revokes the newly issued valid certificate again. So the email that the administrator received is signed with a revoked certificate again. This means the admin would have to check the logs if anything suspicious has happened, which is a hassle. It would also mean that an admin would always have to look at emails with a revoked signature. Furthermore, if the user has to log in to get a new certificate, he might be unable to do so, as the attacker has changed the password.
If you consider the attacker to be so powerful, then I guess there is no other solution than that system administrators have to investigate unsigned messages. Except if we give the user some pre-shared one-time emergency token when he creates a certificate that can be used once to contact system administrators independent of whether the certificate is revoked or not. But I don't know if that's really worth it. I think this is a rare case and it should be feasible to look at every request, signed or not, because even if the real user did not initiate that request, something fishy is happening and that too should raise some alarm bells.
Just as a reminder, any automated message introduces a vulnerability for phishing. So that e-mail has to be signed by a system certificate, to let the users know the e-mail is legit. One thought, as the communication is not only signed but encrypted: if the attacker creates a new key pair, the user will not be able to read the e-mail anyway, since the corresponding private key of the key used for encrypting the e-mail is in the hands of the attacker, not our user. So the policy should be: if a user cannot read e-mails or log in to the web interface, they have to physically go and claim new access.
The signature of the e-mail would still be valid, because the revocation happened after the e-mail was signed.
What should the email say? Should it have a link to a form where the employee can report malicious behaviour? Keep in mind that his/her old certificate has been revoked, and the employee cannot send a signed & encrypted email to the administrators.