Yes, I know, Thunderbird doesn't use GnuPG. However, for those who do:
apparently, Thunderbird is a big fan of attaching public certificates
(and/or revocation certificates, for revoked keys) to outgoing emails
for *every private certificate on your keyring*, regardless of whether
that private key is actually associated with the account in question.
This has the potential to leak personal information, especially if
you're in a use case where you have two or more keys presenting
different pseudonymous identities. Without knowing it, you might
accidentally reveal you're the common actor behind both.
I apologize for bringing the non-GnuPG content to the list, but please
make sure your correspondents are aware of the possible risk in how
Thunderbird likes to attach public certificates. That's all. Thank you!
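
An added example, not part of the original post: one way to audit a saved copy of an outgoing message (raw `.eml` bytes) for attached OpenPGP public key material before trusting a mail client's defaults. It assumes keys travel as `application/pgp-keys` parts or ASCII-armored blocks; the addresses, filenames and placeholder key data in the sample are constructed.

```python
# Added example: list OpenPGP public key material carried by a saved outgoing message.
import email
from email import policy
from email.message import EmailMessage

ARMOR_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"

def find_key_parts(raw_bytes):
    """Return (filename, content_type, key_block_count) for each MIME part holding key material."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        blocks = payload.decode("utf-8", errors="replace").count(ARMOR_BEGIN)
        if blocks or ctype == "application/pgp-keys":
            # A binary (non-armored) key part has no armor header; count it as one block.
            hits.append((part.get_filename(), ctype, max(blocks, 1)))
    return hits

def build_sample():
    """Constructed message: a text body plus two key attachments with placeholder data."""
    msg = EmailMessage()
    msg["From"] = "alias-one@example.org"
    msg["To"] = "friend@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("Hello, this is the body.\n")
    for name in ("key-A.asc", "key-B.asc"):
        armored = f"{ARMOR_BEGIN}\n\nPLACEHOLDER\n-----END PGP PUBLIC KEY BLOCK-----\n"
        msg.add_attachment(armored.encode(), maintype="application",
                           subtype="pgp-keys", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    parts = find_key_parts(build_sample())
    for filename, ctype, blocks in parts:
        print(f"{filename}: {ctype}, {blocks} key block(s)")
    if len(parts) > 1:
        print("more than one key attached; confirm each belongs to the sending identity")
```
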