== Proper OpenPGP support for bugzilla a possible GSOC project? ==

= Description of problem =

Currently the OpenPGP Bugzilla support is defunct in at least three ways:

(i) It encrypts to the first public key it considers viable[0], not respecting usage flags[1], leading to scenarios where the message cannot be decrypted.

(ii) There is no mechanism for refreshing public keys from known public sources (e.g. HKP keyservers), so subkey rotation or changes to the primary certificate (e.g. due to expiry or revocation) are not picked up automatically and must be adjusted manually; failure to do so can lead to encryption to a known non-viable certificate.

(iii) There is no group definition through which multiple public keys can be assigned, e.g. to an alias account (security@) in Bugzilla.

Having support for OpenPGP is necessary[a] to retain confidentiality of restricted bugs in Bugzilla; without it, restricted bug information leaks in notification mail.

= Implementation details =

Bugzilla implements OpenPGP for secureEmail using Crypt::OpenPGP; an issue is reported at [2].

= Mentor requirements =

I can offer advice on the OpenPGP-related aspects as well as keyserver access; however, my proficiency in Perl is not sufficient to fully mentor such development. Anyone with a sufficient skill level wanting to help out is much appreciated.

References:

[0] https://bugzilla.mozilla.org/show_bug.cgi?id=790487
[1] http://tools.ietf.org/html/rfc4880#section-5.2.3.21
[2] https://github.com/btrott/Crypt-OpenPGP/issues/9

Endnotes:

[a] Alternatively, bug emails for group-restricted bugs should not include metadata or data that can identify the issue, but merely report e.g. "bug XXX has been updated, please log in to see the changes".
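The following is an added example, written for this page and not code from Bugzilla or Crypt::OpenPGP, of the recipient key selection that points (i) to (iii) above call for: it parses the Key Flags (RFC 4880 section 5.2.3.21) and Key Expiration Time subpackets of a key's self-signature, rejects keys whose flags do not allow encryption or that are expired or revoked, and expands an alias such as security@ to one usable key per member, refusing outright when any member has none. The key records, key ids, addresses, timestamps and the group map are constructed for illustration; `naive_first_key` models the "first viable key" behaviour the post criticises.

```python
"""Choose an OpenPGP encryption key by usage flags and validity (added example;
key layout, ids, addresses and timestamps below are constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Key Flags bits, RFC 4880 section 5.2.3.21
KF_CERTIFY, KF_SIGN, KF_ENCRYPT_COMMS, KF_ENCRYPT_STORAGE = 0x01, 0x02, 0x04, 0x08
SP_KEY_EXPIRATION = 9    # subpacket type ids, RFC 4880 section 5.2.3.1
SP_KEY_FLAGS = 27


def parse_subpackets(data: bytes) -> Dict[int, bytes]:
    """Parse a signature subpacket area into {type: body}.  Lengths use the
    1-, 2- or 5-octet encoding of RFC 4880 5.2.3.1; the critical bit (0x80)
    on the type octet is masked off."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        first = data[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
        else:
            length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
        if length == 0 or i + length > len(data):
            raise ValueError("malformed subpacket at offset %d" % i)
        out[data[i] & 0x7F] = data[i + 1:i + length]   # body follows the type octet
        i += length
    return out


@dataclass
class Key:
    keyid: str
    created: int        # creation time, seconds since the epoch
    self_sig: bytes     # hashed subpacket area of the binding self-signature
    revoked: bool = False

    def flags(self) -> int:
        body = parse_subpackets(self.self_sig).get(SP_KEY_FLAGS, b"")
        return body[0] if body else 0

    def expires_at(self) -> Optional[int]:
        body = parse_subpackets(self.self_sig).get(SP_KEY_EXPIRATION)
        return None if body is None else self.created + int.from_bytes(body, "big")


@dataclass
class Certificate:
    primary: Key
    subkeys: List[Key]


def usable_for_encryption(key: Key, now: int) -> bool:
    """Flags must allow encryption; revoked or expired keys are rejected."""
    if not key.flags() & (KF_ENCRYPT_COMMS | KF_ENCRYPT_STORAGE):
        return False
    if key.revoked:
        return False
    exp = key.expires_at()
    return exp is None or now < exp


def naive_first_key(cert: Certificate) -> Key:
    """The behaviour criticised in point (i): first key found, flags ignored."""
    return (cert.subkeys + [cert.primary])[0]


def select_encryption_key(cert: Certificate, now: int) -> Optional[Key]:
    """Prefer a usable encryption subkey, then the primary if its flags allow it.
    None means: do not encrypt to this certificate at all."""
    for key in cert.subkeys + [cert.primary]:
        if usable_for_encryption(key, now):
            return key
    return None


def expand_recipients(address: str, groups: Dict[str, List[str]],
                      certs: Dict[str, Certificate], now: int) -> Dict[str, Key]:
    """Map an address or alias (point iii) to one usable key per member.  A member
    without a usable key raises, so the caller can fall back to a content-free
    notification instead of mailing restricted data to a partial recipient set."""
    chosen: Dict[str, Key] = {}
    for member in groups.get(address, [address]):
        key = select_encryption_key(certs[member], now) if member in certs else None
        if key is None:
            raise LookupError("no usable encryption key for %s" % member)
        chosen[member] = key
    return chosen


def keyflags_sp(flags: int) -> bytes:      # critical Key Flags subpacket: len, type, body
    return bytes([2, 0x80 | SP_KEY_FLAGS, flags])


def expiry_sp(seconds: int) -> bytes:      # Key Expiration Time subpacket
    return bytes([5, SP_KEY_EXPIRATION]) + seconds.to_bytes(4, "big")


# Constructed sample: alice has a sign-only subkey (what the naive picker chooses),
# an expired encryption subkey (point ii) and a valid one; bob's only encryption
# subkey is revoked, so the security@ alias cannot be served completely.
NOW = 2_000_000
ENC = KF_ENCRYPT_COMMS | KF_ENCRYPT_STORAGE
CERTS = {
    "alice@example.com": Certificate(
        primary=Key("PRIMARY-A", 1_000_000, keyflags_sp(KF_CERTIFY | KF_SIGN)),
        subkeys=[Key("SIGN-SUB-A", 1_000_000, keyflags_sp(KF_SIGN)),
                 Key("OLD-ENC-SUB-A", 1_000_000, keyflags_sp(ENC) + expiry_sp(500_000)),
                 Key("ENC-SUB-A", 1_900_000, keyflags_sp(ENC))]),
    "bob@example.com": Certificate(
        primary=Key("PRIMARY-B", 1_000_000, keyflags_sp(KF_CERTIFY | KF_SIGN)),
        subkeys=[Key("ENC-SUB-B", 1_000_000, keyflags_sp(ENC), revoked=True)]),
}
GROUPS = {"security@": ["alice@example.com", "bob@example.com"]}

if __name__ == "__main__":
    alice = CERTS["alice@example.com"]
    print("naive:", naive_first_key(alice).keyid, "correct:", select_encryption_key(alice, NOW).keyid)
```

Running the block prints `naive: SIGN-SUB-A correct: ENC-SUB-A`; calling `expand_recipients("security@", GROUPS, CERTS, NOW)` raises because bob's certificate has no usable encryption key, which is the point at which a mailer should send the content-free notice from endnote [a] rather than the bug details.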