Mailing List Archive

Future OpenPGP Support in Thunderbird
The Thunderbird developers have announced that they will implement
OpenPGP support in Thunderbird 78 [1]. Support for Thunderbird in
Enigmail will therefore be discontinued.

I'd like to explain in the following paragraphs what this will mean for
Enigmail, and why this is an inevitable step.

The Future of Enigmail
----------------------
I will continue to support and maintain Enigmail for Thunderbird 68
until 6 months after Thunderbird 78 will have been released (i.e. a few
months beyond Thunderbird 68 EOL). Enigmail will not run anymore on
Thunderbird 72 beta and newer.

Will this be the end of Enigmail?

No! I will continue to maintain and support Enigmail for Postbox, which
is running on a different release schedule than Thunderbird for the
foreseeable future.

Why Is This Happening?
----------------------
The Mozilla developers have been and still are actively working on
removing old code from their code base. This affects not only
Thunderbird itself, but also add-ons. While it was possible for
Thunderbird to keep old "legacy" add-ons alive for a certain time, the
time has come for Thunderbird to stop supporting them [2]. Thunderbird
78 will no longer support the APIs that Enigmail requires and only
allow new "WebExtensions".

WebExtensions have a completely different API than classical add-ons,
and a much reduced set of capabilities to hook into the user interface.
For Enigmail to continue to work, it would therefore be required to
rewrite it from scratch. However, that's beyond my available time
limitations.

The Thunderbird developers and I have therefore agreed that it's much
better to implement OpenPGP support directly in Thunderbird. The set of
functionalities will be different than what Enigmail offers, and at
least initially likely be less feature-rich. But in my eyes, this is by
far outweighed by the fact that OpenPGP will be part of Thunderbird and
no add-on and no third-party tool will be required.

-Patrick


[1]
https://blog.mozilla.org/thunderbird/2019/10/thunderbird-enigmail-and-openpgp/
[2] https://groups.google.com/forum/#!topic/tb-planning/-E8Yw6POxEE
Re: Future OpenPGP Support in Thunderbird [ In reply to ]
While having OpenPGP support directly in Thunderbird is probably a good
thing, I found it convenient to just use the gpg keys for Email
encryption and signing (and conversely, being able to just use keys
imported via Enigmail to encrypt files using gpg).
It would be really nice, if Thunderbird could add an option to use the
gpg key storage instead of its own, but so far the developers want to
always keep the Thunderbird key storage separately (though they are
considering functionality to import keys from gpg to Thunderbird):

https://wiki.mozilla.org/Thunderbird:OpenPGP:2020

Philipp
Re: Future OpenPGP Support in Thunderbird [ In reply to ]
Patrick Brunschwig wrote:

> The Thunderbird developers have announced that they will implement
> OpenPGP support in Thunderbird 78 [1]. Support for Thunderbird in
> Enigmail will therefore be discontinued.

[snip]

> The Thunderbird developers and I have therefore agreed that it's much
> better to implement OpenPGP support directly in Thunderbird. The set of
> functionalities will be different than what Enigmail offers, and at
> least initially likely be less feature-rich. But in my eyes, this is by
> far outweighed by the fact that OpenPGP will be part of Thunderbird and
> no add-on and no third-party tool will be required.

Great news, Patrick. Thanks for sharing!

Regards
Stefan

--
box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
certified OpenPGP key blocks available on keybase.io/stefan_claas


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Future OpenPGP Support in Thunderbird [ In reply to ]
Patrick Brunschwig <patrick@enigmail.net> wrote:
> The Thunderbird developers have announced that they will implement OpenPGP support in Thunderbird 78 [1].

Long-awaited news indeed!

> Support for Thunderbird in Enigmail will therefore be discontinued.

Pity, but I hope it will be better that way. In particular I hope that Mozilla will not follow your example and won’t entice users to a proprietary isolated keyserver [0] instead of the distributed SKS network, thus splitting the keybase. And won’t promote standards [1] that suspiciously resemble embrace-extend-and-extinguish tactics employed against PGP either.

[0] https://keys.openpgp.org
[1] https://pep.security
Re: Future OpenPGP Support in Thunderbird [ In reply to ]
Hi Patrick,

>The Thunderbird developers and I have therefore agreed that it's much
>better to implement OpenPGP support directly in Thunderbird. The set of
>functionalities will be different than what Enigmail offers, and at
>least initially likely be less feature-rich. But in my eyes, this is by
>far outweighed by the fact that OpenPGP will be part of Thunderbird and
>no add-on and no third-party tool will be required.

Great news overall and thanks for the announcement. Thunderbird with direct OpenPGP integration has long been overdue IMHO.

So according to the wiki page [1] I understand that the secret keys will be managed by Thunderbird. That is quite a limitation I think, in contrast to reusing a GPG agent of some sort. Depending on the chosen alternative, it might offer better OS integration, a long time proven secure process architecture, possible reuse with only one central key store and most of all integration with hardware tokens. I personally would not entrust my private keys to a mail application that also displays HTML and possibly executes JavaScript etc. after what we have seen with Efail for example.

So could you please elaborate or extend the wiki page to clear up how hardware tokens fit into the new picture?

Thanks and kind regards.
André

[1]: https://wiki.mozilla.org/Thunderbird:OpenPGP:2020
--
Greetings...
From: Andre Colomb <acolomb@schickhardt.org>

Re: Future OpenPGP Support in Thunderbird [ In reply to ]
> On 9 Oct 2019, at 04:47, Philipp Klaus Krause <pkk@spth.de> wrote:
>
> It would be really nice, if Thunderbird could add an option to use the
> gpg key storage instead of its own, but so far the developers want to
> always keep the Thunderbird key storage separately (though they are
> considering functionality to import keys from gpg to Thunderbird):

Agreed. Such functionality is vital for those of us who use smartcards.

A

Re: Future OpenPGP Support in Thunderbird [ In reply to ]
Hello

I think it is a good idea for OSes such as Windows or Mac that mainly depend on closed, completely integrated software.
But for Linux/Unix and the like it goes against the main principles of that software.
And I think it will disturb the development and evolution of software such as PeP, PGP, OpenPGP and so on, which is bad.

On 2019-10-09 at 08:23, Andrew Gallagher wrote:
> On 9 Oct 2019, at 04:47, Philipp Klaus Krause <pkk@spth.de> wrote:
>> It would be really nice, if Thunderbird could add an option to use the
>> gpg key storage instead of its own, but so far the developers want to
>> always keep the Thunderbird key storage separately (though they are
>> considering functionality to import keys from gpg to Thunderbird):
>
> Agreed. Such functionality is vital for those of us who use smartcards.
>
> A

I hope Mozilla will rethink that.
Thanks,
--
-========================== Jan-Peter Rühmann & Kuma =========================-
Gubkower Str.7              [ Tel.:   +49 38205 65484 ]  jan-Peter@ruehmann.name
18195 Cammin / Prangendorf  [ FAX:    +49 38205 65212 ]  https://www.ruehmann.name
WhatsApp: 491621316054      [ Tel.:   +49 38205 65215 ]  Twitter: @JPRuehmann
                            [ Mobile: +49 162 1316054 ]  IT service technician
-=============================================================================-
Use of this data for advertising purposes is prohibited.
Re: Future OpenPGP Support in Thunderbird [ In reply to ]
On 10/8/19 9:34 AM, Philipp Klaus Krause wrote:
> It would be really nice, if Thunderbird could add an option to use the
> gpg key storage instead of its own, but so far the developers want to
> always keep the Thunderbird key storage separately (though they are
> considering functionality to import keys from gpg to Thunderbird):

It doesn't do that? Why would they choose to tightly couple TB with
OpenPGP? If I have to maintain two key databases, that's a dealbreaker for me.
Welp, looks like I won't be upgrading. Thanks Mozilla.
Re: Future OpenPGP Support in Thunderbird [ In reply to ]
Philipp Klaus Krause writes:

> While having OpenPGP support directly in Thunderbird is probably a good
> thing, I found it convenient to just use the gpg keys for Email
> encryption and signing (and conversely, being able to just use keys
> imported via Enigmail to encrypt files using gpg).
> It would be really nice, if Thunderbird could add an option to use the
> gpg key storage instead of its own, but so far the developers want to
> always keep the Thunderbird key storage separately (though they are
> considering functionality to import keys from gpg to Thunderbird):

Why the heck don't they just run gpg the way enigmail did?

Re: Future OpenPGP Support in Thunderbird [ In reply to ]
On 11.10.19 at 20:15, Phillip Susi wrote:

> Why the heck don't they just run gpg the way enigmail did?
>

They don't want to require users to install gpg first. And they don't
want to ship gpg with Windows installers, since it isn't MPL.

Philipp
Re: Future OpenPGP Support in Thunderbird [ In reply to ]
On 11/10/2019 19:15, Phillip Susi wrote:
> Why the heck don't they just run gpg the way enigmail did?

They don't want to bundle GnuPG because of the GnuPG licence:

https://wiki.mozilla.org/Thunderbird:OpenPGP:2020#OpenPGP_engine

Requiring users to set up GnuPG separately is out of the question if
they want to achieve any sensible level of adoption.

There is another matter of key distribution and I guess they plan
on taking control over it to provide an acceptable level of UX.

Cheers,
Chris

Re: Future OpenPGP Support in Thunderbird [ In reply to ]
>
>> On 9 Oct 2019, at 04:47, Philipp Klaus Krause <pkk@spth.de> wrote:
>>
>> It would be really nice, if Thunderbird could add an option to use the
>> gpg key storage instead of its own, but so far the developers want to
>> always keep the Thunderbird key storage separately (though they are
>> considering functionality to import keys from gpg to Thunderbird):
>
> Agreed. Such functionality is vital for those of us who use smartcards.
>
> A
>

I would like to second this.

Storing private keys on a smartcard is a noteworthy security
enhancement, and I would like to see smartcard support being available
in Thunderbird. Either via GnuPG or some other mechanism.

Mis

Re: Future OpenPGP Support in Thunderbird [ In reply to ]
On 09/10/2019 08:06, Tony Lane via Gnupg-users wrote:
> It doesn't do that? Why would they choose to tightly couple TB with
> OpenPGP? If I have to maintain two key databases, that's a dealbreaker
> for me.

Dealing with GnuPG complexity is a deal breaker for ordinary users,
preventing adoption. You need to look at it from a product/business
development perspective and it makes perfect sense that they want to
ship their own UX.

Also, they mention that the key management workflow is something they
plan to address.

Cheers,
Chris

Re: Future OpenPGP Support in Thunderbird [ In reply to ]
> Why the heck don't they just run gpg the way enigmail did?

Three major reasons:

1. License incompatibility. GnuPG is GPLv3, and Mozilla uses the
Mozilla Public License. They're not compatible. Arguably (and I
believe _correctly_) distributing GnuPG with Moz wouldn't be a
dealbreaker, as mere aggregation is different from actually linking, but
lawyers are by nature conservative. Moz has already said their lawyers
won't let them do this.

2. Dependencies. Mozilla will not accept responsibility for users
doing foolish things with their gpg.conf files, because those users will
expect Mozilla to fix it for them. It's a dealbreaker. This is also
why Mozilla has declared they won't even support using GnuPG keyrings --
they're going to insist on running their own keyring internal to
Thunderbird which isn't shared with anything else. (I imagine
*importing* from a GnuPG keyring will be supported, but *sharing* a
keyring is right out.)

3. Enigmail has shown them the limitations of GnuPG. The Efail attack
on Enigmail was very real. It was created by an ambiguity in how GnuPG
returns error states: just because GnuPG says "decryption OK" doesn't
mean it was decrypted okay. (Whether Enigmail should've understood
this, or whether GnuPG should have not returned such an ambiguous
message, is an open question and not one I'm interested in discussing.)
Rather than repeat Enigmail's interface, which historically had its
fair share of security problems, Mozilla has decided to go a different
route.

More power to 'em. I love Enigmail, but it's the nature of all software
that at some point we learn how to do things better. When we learn how
to do things better, we should elect to do them better rather than stay
mired in the past.

(... and that principle, applied to OpenPGP, suggests throwing out a
whole lot of cruft. Which is another open question I'm not interested
in discussing, except to throw it out there for people to think about.)

Re: Future OpenPGP Support in Thunderbird [ In reply to ]
Which complexity?

Creating the key is the only thing that the normal user has to do. That is possible via a menu entry.
I don't see the problem.

On 2019-10-11 at 21:49, Chris Narkiewicz via Gnupg-users wrote:
> On 09/10/2019 08:06, Tony Lane via Gnupg-users wrote:
>> It doesn't do that? Why would they choose to tightly couple TB with
>> OpenPGP? If I have to maintain two key databases, that's a dealbreaker
>> for me.
>
> Dealing with GnuPG complexity is a deal breaker for ordinary users,
> preventing adoption. You need to look at it from a product/business
> development perspective and it makes perfect sense that they want to
> ship their own UX.
>
> Also, they mention that the key management workflow is something they
> plan to address.
>
> Cheers,
> Chris

Thanks,
--
-========================== Jan-Peter Rühmann & Kuma =========================-
Gubkower Str.7              [ Tel.:   +49 38205 65484 ]  jan-Peter@ruehmann.name
18195 Cammin / Prangendorf  [ FAX:    +49 38205 65212 ]  https://www.ruehmann.name
WhatsApp: 491621316054      [ Tel.:   +49 38205 65215 ]  Twitter: @JPRuehmann
                            [ Mobile: +49 162 1316054 ]  IT service technician
-=============================================================================-
Use of this data for advertising purposes is prohibited.
Re: Future OpenPGP Support in Thunderbird [ In reply to ]
Philipp Klaus Krause [2019-10-08T15:34:28+02] wrote:

> It would be really nice, if Thunderbird could add an option to use the
> gpg key storage instead of its own, [...]

I agree with that even though I have never really used Thunderbird.

But using a custom key storage and implementation (or do they use
Sequoia PGP library?) is an interesting choice in the world of Unix-like
systems. It's pretty much the normal way elsewhere, though.

PGP and GnuPG and the related communities have tried really hard to
build a system based on person's long-term identity keys. All that web
of trust thing relies on keys that are used relatively long time. But as
we know this doesn't work for most people. People are really bad at
maintaining long-term identity keys. I think this is the most important
reason why other software just auto-generate "device keys" or
"application keys" and exchange them. They just forget about the
identity part and keys' usage in the long term. Change your phone or
just reinstall the application and you'll have new keys. Keys come and
go and it's perfectly normal.

Thunderbird seems to be going to that direction and it is probably a
good thing. From the mindset of crypto nerds (like us) or Unixy tool box
this can be a barrier, obviously.

--
/// OpenPGP key: 4E1055DC84E9DFF613D78557719D69D324539450
// https://keys.openpgp.org/search?q=tlikonen@iki.fi
/ https://keybase.io/tlikonen https://github.com/tlikonen
Re: Future OpenPGP Support in Thunderbird [ In reply to ]
Hej all,

On 12.10.19 at 08:23, Robert J. Hansen wrote:
> they're going to insist on running their own keyring internal to
> Thunderbird which isn't shared with anything else. (I imagine
> *importing* from a GnuPG keyring will be supported, but *sharing* a
> keyring is right out.)

_They_ can insist on whatever they want. If they close their shop
towards external built keys (for example with xca), they hopefully won't
find much acceptance.....

regards,

B.

Re: Future OpenPGP Support in Thunderbird [ In reply to ]
> PGP and GnuPG and the related communities have tried really hard to
> build a system based on person's long-term identity keys. All that web
> of trust thing relies on keys that are used relatively long time. But as
> we know this doesn't work for most people. People are really bad at
> maintaining long-term identity keys.

A few years ago at Circumvention (the first Internet Freedom Festival),
I was asked to give an impromptu talk on Things You're Doing Wrong With
OpenPGP.

The first thing on my list was certificate lifetime. We teach people
the importance of maintaining their certificate for the long haul, but
we also know very few people are capable of doing that. What we *don't*
teach them is how to rebuild their trust network after a
loss-of-certificate event. So when someone loses their cert, or has a
system compromise, or their YubiKey goes through the laundry, or
what-have-you, they get a double whammy of failure: they feel like a
failure because they didn't do this thing that was expected of them
(keep the cert for 20+ years, never mind how unreasonable that is), and
they feel like a failure for not knowing how to recover from it.

So instead: teach people that it's okay to lose a cert, so long as you
have a plan to come back from it. Then if their Yubi goes through the
laundry they (a) don't feel like a failure and (b) already have a plan
for how to move forward.

Seriously, ending the Cult of the Long-Term Certificate is one of the
simple but good things I think we should be embracing for the sake of users.

Re: Future OpenPGP Support in Thunderbird [ In reply to ]
On Fri, 11 Oct 2019 20:18, Philipp Klaus Krause said:

> They don't want to require users to install gpg first. And they don't
> want to ship gpg with Windows installers, since it isn't MPL.

The latter is just plain bullshit. There are even many proprietary
products which bundle gpg or other GPL code with their proprietary or
MPL licensed code. Not just small companies but large ones with huge
and conservative legal departments. The actual requirements for
distribution are easy to fulfill and are actually easier with the GPLv3
than with the v2.


Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: Future OpenPGP Support in Thunderbird [ In reply to ]
On Sat, 12 Oct 2019 02:23, Robert J. Hansen said:

> on Enigmail was very real. It was created by an ambiguity in how GnuPG
> returns error states: just because GnuPG says "decryption OK" doesn't

Nope. They did not read the documentation and did not check error
codes. We suggest for a reason to use GPGME to make error checking
easy. You can't just code things down along some specs without thinking
over the implications.

Still, TB is still subject to those attacks because their primary
encryption protocol is S/MIME and the last time I checked S/MIME (well,
CMS for the nitpickers) does not support any kind of authenticated
encryption. In contrast, OpenPGP has provided this for nearly 2 decades.
Mozilla has not even stepped forward and implemented one of the
meanwhile old proposals to move to AE. So Microsoft had to take the lead
to do this (rumors are that the next OL version will allow for GCM mode).

After 20 years of strong resistance against implementing OpenPGP [1], they
finally seem to do it. That is a good move.


Shalom-Salam,

Werner


[1] Back in ~1999, when Mozilla rewrote the entire mail engine, I
implemented a first version of PGP/MIME code which was rejected due to
their policy of only supporting S/MIME. For a term paper a German
student later took up on my code, extended and cleaned it up. Again it
was rejected. About 2005 we had a meeting with them to propose that we
implement S/MIME again in a way that would comply with the strong policy
requirements here in Germany and also to implement OpenPGP as an
additional protocol. It was again rejected.

--
Thoughts are free. Exceptions are regulated by a federal law.
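
The error-checking point raised in the two messages above (item 3 of Robert J. Hansen's list and Werner Koch's reply), as an added example that is not code from Enigmail, GnuPG, Thunderbird or any poster in this thread: a strict reading of `gpg --status-fd` output that releases plaintext only when the exit code, `DECRYPTION_OKAY` and an integrity indication all agree. The status keywords are GnuPG's documented ones; the function names, the acceptance policy and the sample transcripts are assumptions constructed for illustration.

```python
# Added example: strict evaluation of `gpg --status-fd` output after a decrypt.
# The acceptance policy and the sample transcripts are constructed for
# illustration; they are not taken from any mail client.

PREFIX = "[GNUPG:] "
HARD_FAILURES = ("DECRYPTION_FAILED", "BADMDC", "FAILURE")


def parse_status(text):
    """Return [(keyword, [args...])] for every status line in text."""
    events = []
    for line in text.splitlines():
        if line.startswith(PREFIX):
            fields = line[len(PREFIX):].split()
            if fields:
                events.append((fields[0], fields[1:]))
    return events


def integrity_protected(events):
    """True if gpg reported a passed MDC check or an AEAD-encrypted packet."""
    for keyword, args in events:
        if keyword == "GOODMDC":
            return True
        # DECRYPTION_INFO <mdc_method> <sym_algo> [<aead_algo>]
        if keyword == "DECRYPTION_INFO" and len(args) >= 3 and args[2] != "0":
            return True
    return False


def evaluate_decryption(status_text, exit_code):
    """Return (accept, reasons); show plaintext to the user only if accept."""
    events = parse_status(status_text)
    seen = {keyword for keyword, _ in events}
    reasons = []
    if exit_code != 0:
        reasons.append("gpg exited with code %d" % exit_code)
    for keyword in HARD_FAILURES:
        if keyword in seen:
            reasons.append("status reported " + keyword)
    if "DECRYPTION_OKAY" not in seen:
        reasons.append("no DECRYPTION_OKAY status")
    if not integrity_protected(events):
        reasons.append("no integrity protection confirmed (no GOODMDC or AEAD)")
    return (not reasons, reasons)


# Constructed transcript: integrity-protected message, clean decrypt.
SAMPLE_OK = """\
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 2 9
[GNUPG:] PLAINTEXT 62 1570000000
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION
"""

# Constructed transcript: "decryption OK" but no MDC and no AEAD reported.
SAMPLE_NO_MDC = """\
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 0 7
[GNUPG:] PLAINTEXT 62 1570000000
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION
"""

# Constructed transcript: ciphertext modified in transit, MDC check fails.
SAMPLE_TAMPERED = """\
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 2 9
[GNUPG:] PLAINTEXT 62 1570000000
[GNUPG:] BADMDC
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION
"""

if __name__ == "__main__":
    cases = [("ok", SAMPLE_OK, 0), ("no-mdc", SAMPLE_NO_MDC, 0),
             ("tampered", SAMPLE_TAMPERED, 2), ("ok-but-exit-2", SAMPLE_OK, 2)]
    for name, status, code in cases:
        accept, reasons = evaluate_decryption(status, code)
        print(name, "ACCEPT" if accept else "REJECT", reasons)
```

A client applying this check would also have to withhold any plaintext gpg already wrote to its output until the verdict is known; GPGME wraps this kind of checking behind its result structures.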
Re: Future OpenPGP Support in Thunderbird [ In reply to ]
On Fri, 11 Oct 2019 21:48, qwrd said:

> Storing private keys on a smartcard is a noteworthy security
> enhancement, and I would like to see smartcard support being available
> in Thunderbird. Either via GnuPG or some other mechanism.

Take a Yubikey or an OpenPGP smartcard, install Scute (PKCS#11
provider) and GnuPG and you are done. Either S/MIME or OpenPGP.


Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: Future OpenPGP Support in Thunderbird [ In reply to ]
On 12/10/2019 12:14, Werner Koch via Gnupg-users wrote:
> After 20 years of strong resistance against implementing OpenPGP [1], they
> finally seem to do it. That is a good move.

Do you know why they resisted OpenPGP adoption so much?

Cheers,
Chris

Re: Future OpenPGP Support in Thunderbird [ In reply to ]
On Sat, Oct 12, 2019 at 10:13:59AM +0300, Teemu Likonen via Gnupg-users wrote:
> Philipp Klaus Krause [2019-10-08T15:34:28+02] wrote:
>
> > It would be really nice, if Thunderbird could add an option to use the
> > gpg key storage instead of its own, [...]
>
> I agree with that even though I have never really used Thunderbird.
>
> But using a custom key storage and implementation (or do they use
> Sequoia PGP library?) is an interesting choice in the world of Unix-like
> systems. It's pretty much the normal way elsewhere, though.
>
> PGP and GnuPG and the related communities have tried really hard to
> build a system based on person's long-term identity keys. All that web
> of trust thing relies on keys that are used relatively long time. But as
> we know this doesn't work for most people. People are really bad at
> maintaining long-term identity keys. I think this is the most important
> reason why other software just auto-generate "device keys" or
> "application keys" and exchange them. They just forget about the
> identity part and keys' usage in the long term. Change your phone or
> just reinstall the application and you'll have new keys. Keys come and
> go and it's perfectly normal.

That would be one of the reasons why I tend to avoid "other software".
My primary use-case is identity, not secrecy. I am not alone: quite a
few employers are at last discovering crypto signatures in their
efforts to combat spear-phishing, and spending quite a bit of money
and effort to deploy them. (I accept that most of them are using
S/MIME rather than OpenPGP, but that's a detail; identity is important.)

> Thunderbird seems to be going to that direction and it is probably a
> good thing. From the mindset of crypto nerds (like us) or Unixy tool box
> this can be a barrier, obviously.

Humph, I was already grumpy about Mozilla products' insistence on
having their own insular X.509 store, meaning that I have to install
certificates twice (once for Firefox, again for *everything else*.)

Maybe there will be an add-on, so that those who care can choose to
integrate Thunderbird into their systems rather than having it still
standing off to one side haughtily awaiting special treatment.

--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
Re: Future OpenPGP Support in Thunderbird [ In reply to ]
On Sat, Oct 12, 2019 at 08:07:58AM -0400, Mark H. Wood wrote:
>Humph, I was already grumpy about Mozilla products' insistence on
>having their own insular X.509 store, meaning that I have to install
>certificates twice (once for Firefox, again for *everything else*.)

Slightly off-topic for this list, but on unix-like systems, you can
force Firefox to use the system store of X.509 certificates (in
/etc/ssl/certs) by replacing Firefox’s libnssckbi.so library by the
libp11-kit.so library from the p11-kit project [1,2].

This also works with Thunderbird and with LibreOffice.

- Damien


[1] https://p11-glue.github.io/p11-glue/p11-kit.html
[2]
https://askubuntu.com/questions/244582/add-certificate-authorities-system-wide-on-firefox/1036637#1036637
Re: Future OpenPGP Support in Thunderbird [ In reply to ]
BruderB wrote on 12.10.2019 10:43:
> Hej all,
>
> On 12.10.19 at 08:23, Robert J. Hansen wrote:
>> they're going to insist on running their own keyring internal to
>> Thunderbird which isn't shared with anything else. (I imagine
>> *importing* from a GnuPG keyring will be supported, but *sharing* a
>> keyring is right out.)
>
> _They_ can insist on whatever they want. If they close their shop
> towards external built keys (for example with xca), they hopefully won't
> find much acceptance.....

The vast majority of users of Enigmail (somewhere around 98%) don't use
external built keys. The vast majority of users also don't use GnuPG for
anything else than email. These users don't care where their key is
stored, nor which software under the hood is used for the crypto. All
they care about is that encryption works smoothly.

I'm sorry, but everything written here is pure speculation. We are still
in the phase of considering our options. Depending on the chosen
approach, we may just as well end up with something completely different
than what you'd imagine.

The most important aspects from our side are the following: The chosen
solution must run smoothly for the ~20M users of Thunderbird without
causing a large amount of support/setup issues. We want to have
something that satisfies as many users of Enigmail as possible. We
certainly don't want to have people run away from Thunderbird because of
OpenPGP.

-Patrick
