Re: Thunderbird and end-to-end email encryption – summary of responses and proposed policy

Tanstaafl tanstaafl at libertytrek.org
Tue Sep 1 11:27:17 UTC 2015


Hi Kent,

I didn't respond to the initial thread, but this gets a huge +1 from me.

The last time I tried to use Enigmail - admittedly, many moons ago -
like, maybe 8 or 10 years - it was so difficult to get working just for
myself, that I gave up, because I knew that no one I communicated with
regularly would be willing or able to even get it working, much less
understand the pieces enough to properly maintain/manage/use it.

That said, I now have on my list to give this another shot when I have
time - but not sure when, I have a new baby daughter that, well, I've
used the term 'time-blackhole' more than once... ;)

So, anything that can be done to make it easier to use, especially in
the area of key management, and 'inviting' people you communicate with
to start using it with you, would be most welcome.

On 8/31/2015 7:49 PM, R Kent James <kent at caspia.com> wrote:
> The blog post and tb-planning thread on encryption had over 100 
> responses, which at the very least shows a lot of interest in the 
> subject. I'd like to try to summarize all of this, and how I think we 
> should react.
> 
> First, I would like to acknowledge that those who are hesitant to 
> endorse an emphasis on end-to-end email encryption (which I'll call 
> e2e3) all have valid points. That is, e2e3 has the real issues as 
> pointed out in the responses:
> 
> 1)    It can cause significant degradation to the user experience for 
> the vast majority of users for which e2e3 is not an important priority. 
> That takes many forms, including risk of content loss if password or key 
> is lost, challenges in using webmail and search, and complex setups.
> 
> 2)    The current Thunderbird development community does not have any 
> significant expertise in e2e3.
> 
> 3)    Given our total community and product, there are other issues that 
> are more important that are not getting enough attention.
> 
> While all of this is true, there is an important counterbalance that 
> motivates me. There is a significant community of people to whom e2e3 is 
> very important, for a variety of reasons. Within that community, 
> Thunderbird plays a vital role. I've heard it said a couple of times 
> that when users of PGP get together, a majority of the people use the 
> Thunderbird addon Enigmail as their PGP client. Also, client apps are 
> uniquely suited to support e2e3 compared to web apps, and as the leading 
> open-source multi-platform client email application, Thunderbird has a 
> responsibility to be receptive to e2e3 issues unless we are opposed to 
> the whole concept (which I did not see anybody propose).
> 
> We also have point 4 of the Mozilla Manifesto, which is still the 
> guiding document of our affiliation with Mozilla: "Individuals’ security 
> and privacy on the Internet are fundamental and must not be treated as 
> optional."
> 
> So I propose the following statements and plans concerning our support 
> of e2e3, which I believe is a reasonable response to the consensus of 
> opinions I have heard over the last week:
> 
> 1.    We should investigate including Enigmail as a shipped addon in 
> future versions of Thunderbird.
> 
> 2.    We would welcome partnering with individual developers, or 
> organizations, who have a focus on security and privacy, and can provide 
> some of the missing expertise and effort to allow us to better support 
> communication security, privacy, and e2e3 in our product. As a 
> corollary, we don't reasonably expect the existing core team to begin to 
> emphasize e2e3 at the expense of other product priorities.
> 
> 3.    We are open to proposals to incorporate within our core product 
> improvements that would ease some of the user experience problems with 
> e2e3 as long as they do not significantly detract from the user 
> experience of those to whom e2e3 is not a priority.
> 
> These are not radical proposals, but they could move us in the right 
> direction. Although comments are welcome, please before you are overly 
> critical ask yourself if you can't just get behind this. Community 
> consensus is a precious thing that would be great if we could achieve.
> 
> Kent James



