Thunderbird and OpenPGP - Various questions
kaie at kuix.de
Thu Dec 5 16:40:19 UTC 2019
Eric Moore wrote:
> Tutanota, ProtonMail and MailFence claim to provide true OpenPGP end-to-end encryption. That’s more than just supporting OpenPGP.
The Tutanota web site says they don't use OpenPGP. Unless Tutanota
starts to support one of the mechanisms that Thunderbird supports, they
won't be compatible.
We intend to implement OpenPGP end-to-end encryption in Thunderbird.
It's not clear what you intended to emphasize by adding the word "true".
If your question isn't yet answered, could you please clarify?
> Is there any explicit goal of interoperability with them? I’m thinking of stuff like how web of trust is handled ...
I'm not an expert with the ProtonMail and MailFence webmail services, so
I cannot speak for them. As long as they send and process standard
OpenPGP email, interoperability should be possible.
Regarding the web of trust, it's currently undecided if we'll support
> ... and whether there are the necessary hooks so that IMAP/SMTP glue such as the ProtonMail bridge could work.
It's not clear to me why you would want to combine Thunderbird with an
encrypting message gateway technology like the ProtonMail bridge
software. Once Thunderbird is able to process OpenPGP message itself,
combining them seems like doing the same thing twice. Could you explain
why this combination might be necessary, and how Thunderbird would need
to support it?
> Is Thunderbird going to use a open source encryption library ...
Yes, we intend to use open source libraries, only.
> that has passed an independent security audit? One of the reasons why I ask is that several of them (such as OpenPGP.js) have licenses incompatible with MPL.
Yes, we'd prefer to use encryption technology that has been audited.
> Its tough finding free S/MIME certificates nowadays. Actalis seems to be the only source for one that will last a year, the rest seem to be 30 day trials. Is S/MIME’s future in Thunderbird mainly for corporate use?
S/MIME can be interesting for organizations that wish to implement their
own PKI for their controlled group of users. For individual users, and
for everyone else who wishes to communicate across organizational
borders, it seems easier to use the OpenPGP technology, as it can be
used without involving third parties, and without requiring that
everyone involved trusts the same third party authorities.
More information about the tb-planning