Re: Certified OpenPGP-encryption after release of Thunderbird 78
On 5/29/20 7:39 PM, Grzegorz Kulewski wrote:
> Time to check Claws I think.

I've found that Claws, Evolution, Sylpheed and KMail all integrate
seamlessly with gpg2 (using standard Debian packages for everything)

~c

--
Charlie Derr Director, Instructional Technology 413-528-7344
https://www.simons-rock.edu Bard College at Simon's Rock
Encryption key: http://hope.simons-rock.edu/~cderr/
Personal writing: https://medium.com/@cderr
pronouns: either he/him or they/them is acceptable
Home landline: 860-435-1427

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Certified OpenPGP-encryption after release of Thunderbird 78
On 5/30/20 1:26 AM, Robert J. Hansen wrote:
>> 2. Is there any real plan to have working smartcard support in the
>> near future?
>
> No. There's some talk about supporting it, but as far as I know there's
> no plan to do it. It's still at the "you know, it'd be kind of nice
> if..." stage, not the "we really should do this" stage.

Smart card support is on the ToDo list.
https://wiki.mozilla.org/index.php?title=Thunderbird:OpenPGP:Status

Re: Certified OpenPGP-encryption after release of Thunderbird 78
Robert J. Hansen wrote on 30.05.2020 01:07:
>> If TB 78 is going to have native support of OpenPGP encryption, then the
>> original person in the thread should be able to export all of the keys
>> in their key rings, and import all of those keys into TB 78, or am I
>> missing one of the gotchas with
>> TB 78 and its OpenPGP encryption support.
>
> You're missing the gotcha of "as of -Beta3, the new Thunderbird *cannot
> even import a key*."

I'm sorry, but that is simply not true. There is a known bug in the
library used by Thunderbird (RNP) that leads to crashes when importing
_certain_ keys. But I succeeded in importing all of my keys without any
problems (more than 1.000), except for 5 V3-keys. I can definitely say
that it's not just broken, and it can import keys.

> I'm not kidding. It is so far from complete that Kai Englert, who leads
> the TB78 OpenPGP effort, recently proposed postponing OpenPGP support in
> TB until version 78.2, or about a three-month delay.

Again, that's oversimplified. OpenPGP will not be enabled _by_ _default_
but users may still enable it manually.

> At present, as of -Beta3, TB78's OpenPGP support is badly broken.

No, it's incomplete - work in progress. That's not quite the same.

-Patrick

Re: Certified OpenPGP-encryption after release of Thunderbird 78
Robert J. Hansen wrote on 30.05.2020 01:26:
>> 1. Will key management and crypto happen in the same process as
>> IMAP/POP/SMTP, GUI, JavaScript and everything else? If so - do you
>> believe it's acceptable?
>
> It should be an easy learning curve for Enigmail users. That isn't the
> same as finding it acceptable, though.
>
> Back in the mid-'90s PGP came out with a GUI for PGP 5, and it's
> universally agreed at user interface was horrific. (See "Why Johnny
> Can't Encrypt" for a detailed teardown.) The problem was that this
> horrific user interface became the standard user interface, and most
> OpenPGP key managers ever since have adopted it. Those that haven't
> adopted it, nobody uses, because their UI is so different than
> everything else.
>
>> 2. Is there any real plan to have working smartcard support in the
>> near future?
>
> No. There's some talk about supporting it, but as far as I know there's
> no plan to do it. It's still at the "you know, it'd be kind of nice
> if..." stage, not the "we really should do this" stage.

The plan is to support smartcards (by using GnuPG for private key
operations). This is already working partially, and is foreseen to be
available in TB 78.

-Patrick

Re: Certified OpenPGP-encryption after release of Thunderbird 78
So then do you have multiple pairs of key rings? One pair for TB78 and
its built in PGP and another pair as part of GNUPG?

If so how do you keep them synchronized?

On 5/30/2020 9:17 AM, Patrick Brunschwig wrote:
> Robert J. Hansen wrote on 30.05.2020 01:07:
>>> If TB 78 is going to have native support of OpenPGP encryption, then the
>>> original person in the thread should be able to export all of the keys
>>> in their key rings, and import all of those keys into TB 78, or am I
>>> missing one of the gotchas with
>>> TB 78 and its OpenPGP encryption support.
>> You're missing the gotcha of "as of -Beta3, the new Thunderbird *cannot
>> even import a key*."
> I'm sorry, but that is simply not true. There is a known bug in the
> library used by Thunderbird (RNP) that leads to crashes when importing
> _certain_ keys. But I succeeded in importing all of my keys without any
> problems (more than 1.000), except for 5 V3-keys. I can definitely say
> that it's not just broken, and it can import keys.
>
>> I'm not kidding. It is so far from complete that Kai Englert, who leads
>> the TB78 OpenPGP effort, recently proposed postponing OpenPGP support in
>> TB until version 78.2, or about a three-month delay.
> Again, that's oversimplified. OpenPGP will not be enabled _by_ _default_
> but users may still enable it manually.
>
>> At present, as of -Beta3, TB78's OpenPGP support is badly broken.
> No, it's incomplete - work in progress. That's not quite the same.
>
> -Patrick
>

Re: Certified OpenPGP-encryption after release of Thunderbird 78
Mark wrote on 30.05.2020 20:54:
> So then do you have multiple pairs of key rings? One pair for TB78 and
> its built in PGP and another pair as part of GNUPG?

Not exactly. You have your secret keys with GnuPG, and your public keys
with Thunderbird. No synchronization required.

-Patrick
>
> If so how do you keep them synchronized?
>
> On 5/30/2020 9:17 AM, Patrick Brunschwig wrote:
>> Robert J. Hansen wrote on 30.05.2020 01:07:
>>>> If TB 78 is going to have native support of OpenPGP encryption, then the
>>>> original person in the thread should be able to export all of the keys
>>>> in their key rings, and import all of those keys into TB 78, or am I
>>>> missing one of the gotchas with
>>>> TB 78 and its OpenPGP encryption support.
>>> You're missing the gotcha of "as of -Beta3, the new Thunderbird *cannot
>>> even import a key*."
>> I'm sorry, but that is simply not true. There is a known bug in the
>> library used by Thunderbird (RNP) that leads to crashes when importing
>> _certain_ keys. But I succeeded in importing all of my keys without any
>> problems (more than 1.000), except for 5 V3-keys. I can definitely say
>> that it's not just broken, and it can import keys.
>>
>>> I'm not kidding. It is so far from complete that Kai Englert, who leads
>>> the TB78 OpenPGP effort, recently proposed postponing OpenPGP support in
>>> TB until version 78.2, or about a three-month delay.
>> Again, that's oversimplified. OpenPGP will not be enabled _by_ _default_
>> but users may still enable it manually.
>>
>>> At present, as of -Beta3, TB78's OpenPGP support is badly broken.
>> No, it's incomplete - work in progress. That's not quite the same.
>>
>> -Patrick
>>

Re: Certified OpenPGP-encryption after release of Thunderbird 78
> I'm sorry, but that is simply not true. There is a known bug in the
> library used by Thunderbird (RNP) that leads to crashes when importing
> _certain_ keys. But I succeeded in importing all of my keys without any
> problems (more than 1.000), except for 5 V3-keys. I can definitely say
> that it's not just broken, and it can import keys.

I have yet to talk to anyone who's been able to import their keyring,
which is the absolute minimum use case. When it fails it does so
silently. If the minimum use case of "average users should be able to
import their keyrings" leads to RNP crashing, no keys being imported,
and no error message being generated, I have no problem calling key
importation broken.

> Again, that's oversimplified. OpenPGP will not be enabled _by_ _default_
> but users may still enable it manually.

According to Kai's post on one of the TB mailing lists, he wants the
version in 78 to be a technology preview, hidden from the user, and only
accessible to power users. I don't consider that to be shipping it for 78.

Re: Certified OpenPGP-encryption after release of Thunderbird 78
Doesn't TB also need your secret keys to decrypt messages?  

Also what if you need your public keys outside of TB such as encrypting
a file?

The reason I'm asking is that a while ago I posted about unknown files in
my GNUPG directory. PAPubring.gpg and PAsecring.gpg. I eventually found
out those are key rings used by a program I have called Power Archiver.
I'm not sure why it has its own set of keys, still awaiting an
explanation from support. If every app is not using the same pair of key
rings (and there is no synchronization between them) could that not lead
to problems?

Thanks

On 5/30/2020 12:57 PM, Patrick Brunschwig wrote:
> Mark wrote on 30.05.2020 20:54:
>> So then do you have multiple pairs of key rings? One pair for TB78 and
>> its built in PGP and another pair as part of GNUPG?
> Not exactly. You have your secret keys with GnuPG, and your public keys
> with Thunderbird. No synchronization required.
>
> -Patrick
>> If so how do you keep them synchronized?
>>
>> On 5/30/2020 9:17 AM, Patrick Brunschwig wrote:
>>> Robert J. Hansen wrote on 30.05.2020 01:07:
>>>>> If TB 78 is going to have native support of OpenPGP encryption, then the
>>>>> original person in the thread should be able to export all of the keys
>>>>> in their key rings, and import all of those keys into TB 78, or am I
>>>>> missing one of the gotchas with
>>>>> TB 78 and its OpenPGP encryption support.
>>>> You're missing the gotcha of "as of -Beta3, the new Thunderbird *cannot
>>>> even import a key*."
>>> I'm sorry, but that is simply not true. There is a known bug in the
>>> library used by Thunderbird (RNP) that leads to crashes when importing
>>> _certain_ keys. But I succeeded in importing all of my keys without any
>>> problems (more than 1.000), except for 5 V3-keys. I can definitely say
>>> that it's not just broken, and it can import keys.
>>>
>>>> I'm not kidding. It is so far from complete that Kai Englert, who leads
>>>> the TB78 OpenPGP effort, recently proposed postponing OpenPGP support in
>>>> TB until version 78.2, or about a three-month delay.
>>> Again, that's oversimplified. OpenPGP will not be enabled _by_ _default_
>>> but users may still enable it manually.
>>>
>>>> At present, as of -Beta3, TB78's OpenPGP support is badly broken.
>>> No, it's incomplete - work in progress. That's not quite the same.
>>>
>>> -Patrick
>>>

Re: Certified OpenPGP-encryption after release of Thunderbird 78
Mark wrote on 31.05.2020 01:28:
> Doesn't TB also need your secret keys to decrypt messages? 

With smartcard support via GnuPG, all secret key operations are handled
by GnuPG, and all public key operations are handled by TB (Note: the
standard case, without smartcard support, will be that all keys are in
Thunderbird).

The use-cases are clearly distinct:
- encryption: you only need public keys
- decryption: you only need secret keys
- signing: you only need secret keys
- verification: you only need public keys

> Also what if you need your public keys outside of TB such as encrypting
> a file?

That's not supported by Thunderbird. The idea of OpenPGP in Thunderbird
is that you use it for email.

> The reason I'm asking is that a while ago I posted about unknown files in
> my GNUPG directory. PAPubring.gpg and PAsecring.gpg. I eventually found
> out those are key rings used by a program I have called Power Archiver.
> I'm not sure why it has its own set of keys, still awaiting an
> explanation from support. If every app is not using the same pair of key
> rings (and there is no synchronization between them) could that not lead
> to problems?

The only "problem" might be that you have different keys on different
key rings. But this is not necessarily a problem - you use different
keys for different purposes and you can import and export the keys
between the tools if needed.

-Patrick

> On 5/30/2020 12:57 PM, Patrick Brunschwig wrote:
>> Mark wrote on 30.05.2020 20:54:
>>> So then do you have multiple pairs of key rings? One pair for TB78 and
>>> its built in PGP and another pair as part of GNUPG?
>> Not exactly. You have your secret keys with GnuPG, and your public keys
>> with Thunderbird. No synchronization required.
>>
>> -Patrick
>>> If so how do you keep them synchronized?
>>>
>>> On 5/30/2020 9:17 AM, Patrick Brunschwig wrote:
>>>> Robert J. Hansen wrote on 30.05.2020 01:07:
>>>>>> If TB 78 is going to have native support of OpenPGP encryption, then the
>>>>>> original person in the thread should be able to export all of the keys
>>>>>> in their key rings, and import all of those keys into TB 78, or am I
>>>>>> missing one of the gotchas with
>>>>>> TB 78 and its OpenPGP encryption support.
>>>>> You're missing the gotcha of "as of -Beta3, the new Thunderbird *cannot
>>>>> even import a key*."
>>>> I'm sorry, but that is simply not true. There is a known bug in the
>>>> library used by Thunderbird (RNP) that leads to crashes when importing
>>>> _certain_ keys. But I succeeded in importing all of my keys without any
>>>> problems (more than 1.000), except for 5 V3-keys. I can definitely say
>>>> that it's not just broken, and it can import keys.
>>>>
>>>>> I'm not kidding. It is so far from complete that Kai Englert, who leads
>>>>> the TB78 OpenPGP effort, recently proposed postponing OpenPGP support in
>>>>> TB until version 78.2, or about a three-month delay.
>>>> Again, that's oversimplified. OpenPGP will not be enabled _by_ _default_
>>>> but users may still enable it manually.
>>>>
>>>>> At present, as of -Beta3, TB78's OpenPGP support is badly broken.
>>>> No, it's incomplete - work in progress. That's not quite the same.
>>>>
>>>> -Patrick
Re: Certified OpenPGP-encryption after release of Thunderbird 78
Hello Mark,

I totally agree. It is not possible to have more than one key store.
Synchronization always fails at some point and the standard user cannot
handle it. So the only solution for TB will be to use GNUPG, because it
has the only key store for all platforms and has proved to work for
years. That results in the only possible solution for TB to integrate
the enigmail functionality into the code directly or live with the
enigmail plug-in. All other solutions are defective by design from the start.

Andreas




Am 31.05.2020 um 01:28 schrieb Mark:
> Doesn't TB also need your secret keys to decrypt messages?  
>
> Also what if you need your public keys outside of TB such as encrypting
> a file?
>
> The reason I'm asking is that a while ago I posted about unknown files in
> my GNUPG directory. PAPubring.gpg and PAsecring.gpg. I eventually found
> out those are key rings used by a program I have called Power Archiver.
> I'm not sure why it has its own set of keys, still awaiting an
> explanation from support. If every app is not using the same pair of key
> rings (and there is no synchronization between them) could that not lead
> to problems?
>
> Thanks
>
> On 5/30/2020 12:57 PM, Patrick Brunschwig wrote:
>> Mark wrote on 30.05.2020 20:54:
>>> So then do you have multiple pairs of key rings? One pair for TB78 and
>>> its built in PGP and another pair as part of GNUPG?
>> Not exactly. You have your secret keys with GnuPG, and your public keys
>> with Thunderbird. No synchronization required.
>>
>> -Patrick
>>> If so how do you keep them synchronized?
>>>
>>> On 5/30/2020 9:17 AM, Patrick Brunschwig wrote:
>>>> Robert J. Hansen wrote on 30.05.2020 01:07:
>>>>>> If TB 78 is going to have native support of OpenPGP encryption, then the
>>>>>> original person in the thread should be able to export all of the keys
>>>>>> in their key rings, and import all of those keys into TB 78, or am I
>>>>>> missing one of the gotchas with
>>>>>> TB 78 and its OpenPGP encryption support.
>>>>> You're missing the gotcha of "as of -Beta3, the new Thunderbird *cannot
>>>>> even import a key*."
>>>> I'm sorry, but that is simply not true. There is a known bug in the
>>>> library used by Thunderbird (RNP) that leads to crashes when importing
>>>> _certain_ keys. But I succeeded in importing all of my keys without any
>>>> problems (more than 1.000), except for 5 V3-keys. I can definitely say
>>>> that it's not just broken, and it can import keys.
>>>>
>>>>> I'm not kidding. It is so far from complete that Kai Englert, who leads
>>>>> the TB78 OpenPGP effort, recently proposed postponing OpenPGP support in
>>>>> TB until version 78.2, or about a three-month delay.
>>>> Again, that's oversimplified. OpenPGP will not be enabled _by_ _default_
>>>> but users may still enable it manually.
>>>>
>>>>> At present, as of -Beta3, TB78's OpenPGP support is badly broken.
>>>> No, it's incomplete - work in progress. That's not quite the same.
>>>>
>>>> -Patrick
>>>>
>
Re: Certified OpenPGP-encryption after release of Thunderbird 78
Hello Patrick,


Am 31.05.2020 um 10:01 schrieb Patrick Brunschwig:
> Mark wrote on 31.05.2020 01:28:
>> Doesn't TB also need your secret keys to decrypt messages? 
>
> With smartcard support via GnuPG, all secret key operations are handled
> by GnuPG, and all public key operations are handled by TB (Note: the
> standard case, without smartcard support, will be that all keys are in
> Thunderbird).
>
> The use-cases are clearly distinct:
> - encryption: you only need public keys
> - decryption: you only need secret keys
> - signing: you only need secret keys
> - verification: you only need public keys
>
The standard user will not be able to work with that "solution".
Compared to the "enigmail-solution" this is hell and bound to fail.

>> Also what if you need your public keys outside of TB such as encrypting
>> a file?
>
> That's not supported by Thunderbird. The idea of OpenPGP in Thunderbird
> is that you use it for email.
>
That is correct, but nevertheless it is mandatory to have and use a
single key-store.

>> The reason I'm asking is that a while ago I posted about unknown files in
>> my GNUPG directory. PAPubring.gpg and PAsecring.gpg. I eventually found
>> out those are key rings used by a program I have called Power Archiver.
>> I'm not sure why it has its own set of keys, still awaiting an
>> explanation from support. If every app is not using the same pair of key
>> rings (and there is no synchronization between them) could that not lead
>> to problems?
>
> The only "problem" might be that you have different keys on different
> key rings. But this is not necessarily a problem - you use different
> keys for different purposes and you can import and export the keys
> between the tools if needed.
>
As I stated before: This is a real problem. Multiple key-stores are not
manageable and this planned solution is much more complicated than the
current one with enigmail. Therefore it is bound to be a non-starter.

> -Patrick
>
>> On 5/30/2020 12:57 PM, Patrick Brunschwig wrote:
>>> Mark wrote on 30.05.2020 20:54:
>>>> So then do you have multiple pairs of key rings? One pair for TB78 and
>>>> its built in PGP and another pair as part of GNUPG?
>>> Not exactly. You have your secret keys with GnuPG, and your public keys
>>> with Thunderbird. No synchronization required.
>>>
>>> -Patrick
>>>> If so how do you keep them synchronized?
>>>>
>>>> On 5/30/2020 9:17 AM, Patrick Brunschwig wrote:
>>>>> Robert J. Hansen wrote on 30.05.2020 01:07:
>>>>>>> If TB 78 is going to have native support of OpenPGP encryption, then the
>>>>>>> original person in the thread should be able to export all of the keys
>>>>>>> in their key rings, and import all of those keys into TB 78, or am I
>>>>>>> missing one of the gotchas with
>>>>>>> TB 78 and its OpenPGP encryption support.
>>>>>> You're missing the gotcha of "as of -Beta3, the new Thunderbird *cannot
>>>>>> even import a key*."
>>>>> I'm sorry, but that is simply not true. There is a known bug in the
>>>>> library used by Thunderbird (RNP) that leads to crashes when importing
>>>>> _certain_ keys. But I succeeded in importing all of my keys without any
>>>>> problems (more than 1.000), except for 5 V3-keys. I can definitely say
>>>>> that it's not just broken, and it can import keys.
>>>>>
>>>>>> I'm not kidding. It is so far from complete that Kai Englert, who leads
>>>>>> the TB78 OpenPGP effort, recently proposed postponing OpenPGP support in
>>>>>> TB until version 78.2, or about a three-month delay.
>>>>> Again, that's oversimplified. OpenPGP will not be enabled _by_ _default_
>>>>> but users may still enable it manually.
>>>>>
>>>>>> At present, as of -Beta3, TB78's OpenPGP support is badly broken.
>>>>> No, it's incomplete - work in progress. That's not quite the same.
>>>>>
>>>>> -Patrick
>
>
>
>
Re: Certified OpenPGP-encryption after release of Thunderbird 78
Andreas Boehlk Computer-Service wrote on 31.05.2020 11:09:
> Hello Patrick,
>
>
> Am 31.05.2020 um 10:01 schrieb Patrick Brunschwig:
>> Mark wrote on 31.05.2020 01:28:
>>> Doesn't TB also need your secret keys to decrypt messages? 
>>
>> With smartcard support via GnuPG, all secret key operations are handled
>> by GnuPG, and all public key operations are handled by TB (Note: the
>> standard case, without smartcard support, will be that all keys are in
>> Thunderbird).
>>
>> The use-cases are clearly distinct:
>> - encryption: you only need public keys
>> - decryption: you only need secret keys
>> - signing: you only need secret keys
>> - verification: you only need public keys
>>
> The standard user will not be able to work with that "solution".
> Compared to the "enigmail-solution" this is hell and bound to fail.

Let's first define Standard users. The majority of users who use
smartcards that *I* know are expert or power users. They can handle this.

The "Standard users" I have in mind don't use GnuPG for anything else
than encrypting mails, and they don't use smartcards either. They won't
have this issue in any way.

>>> Also what if you need your public keys outside of TB such as encrypting
>>> a file?
>>
>> That's not supported by Thunderbird. The idea of OpenPGP in Thunderbird
>> is that you use it for email.
>>
> That is correct, but nevertheless it is mandatory to have and use a
> single key-store.

For which use-case precisely? If you only use OpenPGP for emails (and
given the users I know who had support cases in the past, this is true
for the majority of the Enigmail users), then this is irrelevant.

To be quite clear: Thunderbird will not support GnuPG for scenarios
other than handling secret keys. And that's only because the OpenPGP
library they use can't handle smartcards yet. Once the library
supports smartcards, I expect that GnuPG support will be removed entirely.

Note: I'm not a Thunderbird developer and I don't drive Thunderbird
decisions -- this is simply my expectation of what will happen.

-Patrick

Re: Certified OpenPGP-encryption after release of Thunderbird 78
On 5/30/2020 10:17 AM, Patrick Brunschwig wrote:

[snip]

> I'm sorry, but that is simply not true. There is a known bug in the
> library used by Thunderbird (RNP) that leads to crashes when importing
> _certain_ keys. But I succeeded in importing all of my keys without any
> problems (more than 1.000), except for 5 V3-keys. I can definitely say
> that it's not just broken, and it can import keys.

[snip]

How does one identify a v3 key?

David
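
David's question is answered by the key material itself: the first byte of an OpenPGP public-key packet body is the version, and v3 and v4 keys also differ in body layout and in how the fingerprint is derived (v3: MD5 over the bare MPIs, 32 hex digits; v4: SHA-1 over the packet, 40 hex digits). The following is an added example, not code from any post in this thread: a small parser that reads the version, algorithm and fingerprint from the binary form of an exported key. Function names are my own; the packets at the bottom are constructed toy values (a 64-bit modulus), not real keys.

```python
"""Read the version byte of OpenPGP public-key packets (RFC 4880, section 5.5.2).
Added illustration, not code from this thread. Works on the binary output of
`gpg --export`; the packets at the bottom are constructed toy values, not keys."""
import hashlib
import struct

KEY_TAGS = (6, 14)  # public-key and public-subkey packet tags


def read_packet_header(data, offset=0):
    """Return (tag, body_start, body_length) for the packet starting at offset.
    Handles old-format (bit 6 clear) and new-format (bit 6 set) headers."""
    ctb = data[offset]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet: high bit of first byte is clear")
    if ctb & 0x40:  # new format: tag in the low 6 bits, then a variable-length length
        tag = ctb & 0x3F
        first = data[offset + 1]
        if first < 192:
            return tag, offset + 2, first
        if first < 224:
            return tag, offset + 3, ((first - 192) << 8) + data[offset + 2] + 192
        if first == 255:
            return tag, offset + 6, struct.unpack(">I", data[offset + 2:offset + 6])[0]
        raise ValueError("partial body lengths are not supported here")
    tag = (ctb >> 2) & 0x0F  # old format: tag in bits 2-5, length type in bits 0-1
    length_type = ctb & 0x03
    if length_type == 0:
        return tag, offset + 2, data[offset + 1]
    if length_type == 1:
        return tag, offset + 3, struct.unpack(">H", data[offset + 1:offset + 3])[0]
    if length_type == 2:
        return tag, offset + 5, struct.unpack(">I", data[offset + 1:offset + 5])[0]
    raise ValueError("indeterminate packet length is not supported here")


def read_mpi(body, offset):
    """Read one multi-precision integer: a 2-byte bit count, then big-endian bytes."""
    bits = struct.unpack(">H", body[offset:offset + 2])[0]
    end = offset + 2 + (bits + 7) // 8
    if end > len(body):
        raise ValueError("truncated MPI")
    return body[offset + 2:end], end


def parse_public_key(packet):
    """Parse a public-key or public-subkey packet; the version byte decides the
    body layout and how fingerprint and key ID are derived."""
    tag, start, length = read_packet_header(packet)
    if tag not in KEY_TAGS:
        raise ValueError(f"packet tag {tag} is not a public key packet")
    body = packet[start:start + length]
    version = body[0]
    created = struct.unpack(">I", body[1:5])[0]
    if version in (2, 3):
        # v2/v3: a 2-byte validity period (days, 0 = no expiry) precedes the algorithm.
        validity_days = struct.unpack(">H", body[5:7])[0]
        algorithm, pos = body[7], 8
    elif version == 4:
        validity_days = None  # v4 expiry lives in self-signature subpackets instead
        algorithm, pos = body[5], 6
    else:
        raise ValueError(f"unsupported public key packet version {version}")
    mpis = []
    while pos < len(body):
        mpi, pos = read_mpi(body, pos)
        mpis.append(mpi)
    if version == 4:
        # v4: SHA-1 over 0x99, the 2-byte body length and the body; key ID = low 64 bits.
        fingerprint = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
        key_id = fingerprint[-16:]
    else:
        # v3: MD5 over the bare MPI bytes; key ID = low 64 bits of the RSA modulus.
        fingerprint = hashlib.md5(b"".join(mpis)).hexdigest().upper()
        key_id = mpis[0][-8:].hex().upper()
    return {"version": version, "algorithm": algorithm, "created": created,
            "validity_days": validity_days, "fingerprint": fingerprint, "key_id": key_id}


def key_packet_versions(blob):
    """Walk an exported key and list the version of every (sub)key packet in it."""
    versions, offset = [], 0
    while offset < len(blob):
        tag, start, length = read_packet_header(blob, offset)
        if tag in KEY_TAGS:
            versions.append(parse_public_key(blob[offset:start + length])["version"])
        offset = start + length
    return versions


# Constructed sample packets: a toy 64-bit RSA modulus with e = 65537 (not real keys).
_MPIS = b"\x00\x40" + bytes.fromhex("C35B2F7A9E14D3B1") + b"\x00\x11\x01\x00\x01"
_CREATED = b"\x5E\xD2\xE3\xA0"
V4_BODY = b"\x04" + _CREATED + b"\x01" + _MPIS                  # version 4, RSA
V3_BODY = b"\x03" + _CREATED + b"\x00\x00" + b"\x01" + _MPIS    # version 3, RSA, no expiry
V4_PACKET = bytes([0x98, len(V4_BODY)]) + V4_BODY      # old-format header, tag 6, 1-byte length
V3_PACKET = bytes([0x98, len(V3_BODY)]) + V3_BODY
V4_PACKET_NEW = bytes([0xC6, len(V4_BODY)]) + V4_BODY  # same key behind a new-format header
UID_PACKET = bytes([0xB4, 21]) + b"Toy key (constructed)"  # user ID packet (tag 13), skipped

if __name__ == "__main__":
    print(parse_public_key(V4_PACKET), parse_public_key(V3_PACKET))
    print(key_packet_versions(V4_PACKET + UID_PACKET + V3_PACKET))
```

On a real key, `gpg --export <keyid>` produces the bytes this parser expects, and gpg's own `--list-packets` prints the same version field; the parser only shows where that value comes from. V3 (PGP 2.x) keys are the ones with MD5 fingerprints and 64-bit key IDs taken from the modulus, and GnuPG 2.1 and later no longer support them, so a key that shows version 3 here is one to retire rather than migrate.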
Re: Certified OpenPGP-encryption after release of Thunderbird 78
That is what I see happening too. When you start having multiple key
stores, which one contains the "correct" keys?  I saw that happening in
just my very limited usage where another program has its own key rings... 

On 5/31/2020 1:28 AM, Andreas Boehlk Computer-Service wrote:
> Hello Mark,
>
> I totally agree. It is not possible to have more than one key store.
> Synchronization always fails at some point and the standard user cannot
> handle it. So the only solution for TB will be to use GNUPG, because it
> has the only key store for all platforms and has proved to work for
> years. That results in the only possible solution for TB to integrate
> the enigmail functionality into the code directly or live with the
> enigmail plug-in. All other solutions are defective by design from the start.
>
> Andreas
>

Re: Certified OpenPGP-encryption after release of Thunderbird 78
So for all of us that don't use a smart card to store our keys, they are
stored in TB?  What if we also have need for that key outside of email
such as signing or decrypting files? We still need that key in GNUPG as
well. If we change the key at all then we have to make sure it has been
updated in both areas?? 

I could see a similar situation could develop with the public keys where
the ones stored in TB are not in sync with the ones stored in GNUPG. 
What happens with keys that are obtained from websites for places like
Apple, Microsoft, etc that are not being directly imported from an email?

Maybe I am overthinking it or just missing something but I see potential
problems with this. If they are not using the same data (key rings) or
in constant synchronization, the "wrong key" could be used.   Hopefully
they have a way to address this.

On 5/31/2020 1:01 AM, Patrick Brunschwig wrote:
> Mark wrote on 31.05.2020 01:28:
>> Doesn't TB also need your secret keys to decrypt messages? 
> With smartcard support via GnuPG, all secret key operations are handled
> by GnuPG, and all public key operations are handled by TB (Note: the
> standard case, without smartcard support, will be that all keys are in
> Thunderbird).
>
> The use-cases are clearly distinct:
> - encryption: you only need public keys
> - decryption: you only need secret keys
> - signing: you only need secret keys
> - verification: you only need public keys
>
>> Also what if you need your public keys outside of TB such as encrypting
>> a file?
> That's not supported by Thunderbird. The idea of OpenPGP in Thunderbird
> is that you use it for email.
>
>> The reason I'm asking is that a while ago I posted about unknown files in
>> my GNUPG directory. PAPubring.gpg and PAsecring.gpg. I eventually found
>> out those are key rings used by a program I have called Power Archiver.
>> I'm not sure why it has its own set of keys, still awaiting an
>> explanation from support. If every app is not using the same pair of key
>> rings (and there is no synchronization between them) could that not lead
>> to problems?
> The only "problem" might be that you have different keys on different
> key rings. But this is not necessarily a problem - you use different
> keys for different purposes and you can import and export the keys
> between the tools if needed.
>
> -Patrick
>
>> On 5/30/2020 12:57 PM, Patrick Brunschwig wrote:
>>> Mark wrote on 30.05.2020 20:54:
>>>> So then do you have multiple pairs of key rings? One pair for TB78 and
>>>> its built in PGP and another pair as part of GNUPG?
>>> Not exactly. You have your secret keys with GnuPG, and your public keys
>>> with Thunderbird. No synchronization required.
>>>
>>> -Patrick
>>>> If so how do you keep them synchronized?
>>>>
>>>> On 5/30/2020 9:17 AM, Patrick Brunschwig wrote:
>>>>> Robert J. Hansen wrote on 30.05.2020 01:07:
>>>>>>> If TB 78 is going to have native support of OpenPGP encryption, then the
>>>>>>> original person in the thread should be able to export all of the keys
>>>>>>> in their key rings, and import all of those keys into TB 78, or am I
>>>>>>> missing one of the gotchas with
>>>>>>> TB 78 and its OpenPGP encryption support.
>>>>>> You're missing the gotcha of "as of -Beta3, the new Thunderbird *cannot
>>>>>> even import a key*."
>>>>> I'm sorry, but that is simply not true. There is a known bug in the
>>>>> library used by Thunderbird (RNP) that leads to crashes when importing
>>>>> _certain_ keys. But I succeeded in importing all of my keys without any
>>>>> problems (more than 1.000), except for 5 V3-keys. I can definitely say
>>>>> that it's not just broken, and it can import keys.
>>>>>
>>>>>> I'm not kidding. It is so far from complete that Kai Englert, who leads
>>>>>> the TB78 OpenPGP effort, recently proposed postponing OpenPGP support in
>>>>>> TB until version 78.2, or about a three-month delay.
>>>>> Again, that's oversimplified. OpenPGP will not be enabled _by_ _default_
>>>>> but users may still enable it manually.
>>>>>
>>>>>> At present, as of -Beta3, TB78's OpenPGP support is badly broken.
>>>>> No, it's incomplete - work in progress. That's not quite the same.
>>>>>
>>>>> -Patrick
>

Re: Certified OpenPGP-encryption after release of Thunderbird 78
Patrick Brunschwig writes:
> Andreas Boehlk Computer-Service wrote on 31.05.2020 11:09:
> ...
>>>> Also what if you need your public keys outside of TB such
>>>> as encrypting a file?
>>>
>>> That's not supported by Thunderbird. The idea of OpenPGP
>>> in Thunderbird is that you use it for email.
>>>
>> That is correct, but nevertheless it is mandatory to have
>> and use a single key-store.
>
> For which use-case precisely? If you only use OpenPGP for emails
> (and given the users I know who had support cases in the past,
> this is true for the majority of the Enigmail users), then
> this is irrelevant.
>
> To be quite clear: Thunderbird will not support GnuPG for scenarios
> other than handling secret keys. And that's only because the
> OpenPGP library they use can't handle smartcards yet. Once
> the library will support smartcards, I expect that GnuPG support
> will be removed entirely.

Just out of curiosity, but knowing that this is not relevant
to standard users.

As encrypted mails cannot easily be malware scanned and even
if they were might contain really hard-to-detect social engineering
attacks, therefore systems running mail software are at a higher.
Hence to avoid full system compromise, running mail software
in virtual machines. With Enigmail I used some simple tool [0]
to act instead of gnupg, intercept all calls to forward them
over network and then filter all requests via whitelists before
passing the real requests to gnupg. Thus no private keys were
available on the risky desktop system (same as with smartcards), the
desktop system had never full access to the private key (each
whitelisted sign/encrypt operation had also to be reviewed and
confirmed outside the virtual machine) and thus even full system
compromise on root level would not compromise the keys the same
way as a directly attached smart-card could be (pin stolen on
desktop system or card used by Mallory while being unlocked).

With smartcard support fully built into TB, which method for
external filtering would you deem most appropriate? Have a custom
virtual-smartcard library, that forwards the requests over network?
Have a virtual-smartcard reader device attached to the virtual
machine, that intercepts requests and forwards them to a real
smartcard reader?

hd

[0] https://www.halfdog.net/Projects/CryptoTools/RemoteGnupg/ (outdated!)
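A whitelist of the kind hd describes above, as an added example that is not the RemoteGnupg tool linked at [0]: the trusted side classifies a forwarded gpg command line before anything reaches the real gpg, rejects options that would leak or replace key material, and flags secret-key operations for the manual confirmation step. The option sets are assumptions chosen for illustration.

```python
import shlex

# Operations the untrusted mail VM may request. The value says whether the
# trusted side must ask a human to confirm first (secret-key use).
ALLOWED_OPS = {
    "--encrypt": False, "--verify": False, "--list-keys": False,
    "--import": False, "--export": False,
    "--sign": True, "--clearsign": True, "--detach-sign": True,
    "--decrypt": True,
}
# Options that would leak key material, switch the keyring in use, or bypass
# the trusted side's pinentry (assumed list; extend as needed).
DENIED_OPS = {
    "--export-secret-keys", "--export-secret-subkeys", "--delete-secret-keys",
    "--delete-keys", "--homedir", "--passphrase", "--passphrase-fd",
    "--passphrase-file", "--pinentry-mode", "--gen-key", "--full-gen-key",
    "--edit-key", "--card-edit", "--options",
}
# Harmless modifiers; every other option is rejected (default deny).
MODIFIERS = {
    "--armor", "-a", "--recipient", "-r", "--local-user", "-u", "--output",
    "-o", "--status-fd", "--batch", "--yes", "--no-tty", "--textmode",
    "--keyid-format", "--with-colons", "--fingerprint", "--trust-model",
}


def filter_request(cmdline):
    """Classify a forwarded gpg call: (verdict, needs_confirm, reason)."""
    argv = shlex.split(cmdline) if isinstance(cmdline, str) else list(cmdline)
    ops = []
    for arg in argv:
        name = arg.split("=", 1)[0]           # handles --recipient=alice
        if not name.startswith("-") or name == "--":
            continue                          # file names, key ids, user ids
        if name in DENIED_OPS:
            return ("deny", False, "forbidden option " + name)
        if name in ALLOWED_OPS:
            ops.append(name)
        elif name not in MODIFIERS:
            return ("deny", False, "unknown option " + name)
    if not ops:
        return ("deny", False, "no whitelisted operation requested")
    # Sign/decrypt touch the secret key: require confirmation outside the VM.
    return ("allow", any(ALLOWED_OPS[op] for op in ops), "ok")
```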


Re: Certified OpenPGP-encryption after release of Thunderbird 78
On Fri, 29 May 2020 14:43, karel-v_g--- said:

> But it's a pity that Thunderbird developed its own solution because of
> licensing issues while we have a proven working solution with GnuPG...

For the records: There is no licensing issue; it is just a Mozilla
policy issue not to use or depend on software which is not fully under
their policy control. We have had long discussions with them more than
15 years ago with the result: no OpenPGP support and no improvements to
their (back then) not very well working S/MIME code. This decision
forced us to implement S/MIME in GnuPG and is also one of the reasons
why Patrick does not use GPGME as interface to GnuPG, despite that it
is a well tested, maintained, and widely used (think Windows) interface
to GnuPG.


Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: Certified OpenPGP-encryption after release of Thunderbird 78
On Sun, 31 May 2020 12:35, Patrick Brunschwig said:

> Let's first define Standard users. The majority of users who use
> smartcards that *I* know are expert or power users. They can handle this.

I have a different experience here and we are actually promoting the use
of smartcards because they better protect your private key and it is
easy to explain why users need to take care of their card than of a
bunch of files in the GnuPG home directory.

> The "Standard users" I have in mind don't use GnuPG for anything else
> than encrypting mails, and they don't use smartcards either. They won't
> have this issue in any way.

The standard user clicks right on a file icon, encrypts the file, and
sends it as attachment using his MUA. That is an easy to teach and
understand workflow and does not require any special MUA. Well, Outlook
users are more and more using the well integrated support we provide in
Gpg4win.


Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: Certified OpenPGP-encryption after release of Thunderbird 78
On Sun, 31 May 2020 11:10, David Flory said:

> How does one identify a v3 key?

By trying to import it with gpg; you should get a hint that v3 keys are
not anymore supported.


Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
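Werner's answer above identifies a v3 key by letting gpg reject it on import. As an added example (not GnuPG code), here is a direct check: it dearmors a key block and reads the version octet of the first key packet (RFC 4880 sections 4.2 and 5.5.2), which is 3 for the old v3 keys. The armored sample is constructed and contains only a packet prefix, not a real key.

```python
import base64
import re

# Packet tags that carry key material (RFC 4880 section 4.3).
KEY_TAGS = {5: "secret-key", 6: "public-key", 7: "secret-subkey", 14: "public-subkey"}

# Constructed sample: old-format header (tag 6, 1-byte length) followed by a
# body whose first octet is the version (3). The CRC line is a dummy.
ARMORED_V3_SAMPLE = (
    "-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
    "Version: constructed sample\n\n"
    "mAMDAAA=\n=AAAA\n"
    "-----END PGP PUBLIC KEY BLOCK-----\n"
)


def dearmor(text):
    """Return the binary packet stream inside an ASCII-armor wrapper."""
    m = re.search(r"-----BEGIN PGP [^\n]+-----\n(.*?)-----END PGP", text, re.S)
    if not m:
        raise ValueError("no armored block found")
    body = m.group(1)
    if "\n\n" in body:                      # armor headers end at a blank line
        body = body.split("\n\n", 1)[1]
    lines = [l for l in body.splitlines() if l and not l.startswith("=")]
    return base64.b64decode("".join(lines))  # "=XXXX" line is the CRC24, skipped


def packet_header(data):
    """Parse the first packet header; return (tag, offset of packet body)."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                        # new-format header (section 4.2.2)
        tag, o = first & 0x3F, data[1]
        offset = 2 if o < 192 else 3 if o < 224 else 6 if o == 255 else 2
        return tag, offset                  # 224..254 is a partial length
    tag, ltype = (first >> 2) & 0x0F, first & 0x03   # old format (4.2.1)
    return tag, 1 + (1, 2, 4, 0)[ltype]     # ltype 3 = indeterminate length


def key_version(key):
    """Version octet of the first key packet; 3 marks an unsupported v3 key."""
    data = dearmor(key) if isinstance(key, str) else key
    tag, offset = packet_header(data)
    if tag not in KEY_TAGS:
        raise ValueError(f"first packet is tag {tag}, not a key packet")
    return data[offset]
```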
Re: Certified OpenPGP-encryption after release of Thunderbird 78
Hello Patrick,

> Let's first define Standard users. The majority of users who use
> smartcards that *I* know are expert or power users. They can handle this.
>
> The "Standard users" I have in mind don't use GnuPG for anything else
> than encrypting mails, and they don't use smartcards either. They won't
> have this issue in any way.

I'm sorry but I have to contradict you in that topic.
I found out that more 'standard users' than I thought are using
Smartcards or Tokens like Nitrokey or Yubikey (or anything similar).
It is requested in security/gpg workshops more and more, and in the last
3 or 4 workshops I've held, each of the 15 participants already had a
Smartcard or Token and wanted to know how to use them.

So I think this is not just a topic for 'professional or power users'
but also for so called standard users.

best regards from Austria
Juergen

--
Juergen M. Bruckner
Re: Certified OpenPGP-encryption after release of Thunderbird 78
Am 31.05.2020 um 12:35 schrieb Patrick Brunschwig:
> Andreas Boehlk Computer-Service wrote on 31.05.2020 11:09:
>> Hello Patrick,
>>
>>
>> Am 31.05.2020 um 10:01 schrieb Patrick Brunschwig:
>>> Mark wrote on 31.05.2020 01:28:
>>>> Doesn't TB also need your secret keys to decrypt messages?
>>>
>>> With smartcard support via GnuPG, all secret key operations are handled
>>> by GnuPG, and all public key operations are handled by TB (Note: the
>>> standard case, without smartcard support, will be that all keys are in
>>> Thunderbird).
>>>
>>> The use-cases are clearly distinct:
>>> - encryption: you only need public keys
>>> - decryption: you only need secret keys
>>> - signing: you only need secret keys
>>> - verification: you only need public keys
>>>
>> The standard user will not be able to work with that "solution".
>> Compared to the "enigmail-solution" this is the hell and bound to fail.
>
> Let's first define Standard users. The majority of users who use
> smartcards that *I* know are expert or power users. They can handle this.
>
> The "Standard users" I have in mind don't use GnuPG for anything else
> than encrypting mails, and they don't use smartcards either. They won't
> have this issue in any way.
>
>>>> Also what if you need your public keys outside of TB such as encrypting
>>>> a file?
>>>
>>> That's not supported by Thunderbird. The idea of OpenPGP in Thunderbird
>>> is that you use it for email.
>>>
>> That is correct, but nevertheless it is mandatory to have and use a
>> single key-store.
>
> For which use-case precisely? If you only use OpenPGP for emails (and
> given the users I know who had support cases in the past, this is true
> for the majority of the Enigmail users), then this is irrelevant.
>
The use cases are clear and I myself and some of my clients use them.
And when I speak from my point of view it is enough work to take care of
one key store and I personally do not want to have a second one; and
this second one has to be synchronized on every single endpoint as well.
That is twice the work.

> To be quite clear: Thunderbird will not support GnuPG for scenarios
> other than handling secret keys. And that's only because the OpenPGP
> library they use can't handle smartcards yet. Once the library will
> support smartcards, I expect that GnuPG support will be removed entirely.
>
From then on PGP and the second key store will be mandatory for the
purpose of signing and decrypting.

> Note: I'm not a Thunderbird developer and I don't drive Thunderbird
> decisions -- this is simply my expectation of what will happen.
>
Yes, I got that of course.
It is just my lack of understanding TB's decision to not trying to adapt
a running system in a proper way.
> -Patrick
>
Andreas
