Thunderbird and OpenPGP - Various questions

Kai Engert kaie at
Thu Dec 5 16:40:19 UTC 2019

Eric Moore wrote:
> Tutanota, ProtonMail and MailFence claim to provide true OpenPGP end-to-end encryption. That’s more than just supporting OpenPGP. 

The Tutanota web site says they don't use OpenPGP. Unless Tutanota 
starts to support one of the mechanisms that Thunderbird supports, they 
won't be compatible.

We intend to implement OpenPGP end-to-end encryption in Thunderbird. 
It's not clear what you intended to emphasize by adding the word "true". 
If your question isn't yet answered, could you please clarify?

> Is there any explicit goal of interoperability with them? I’m thinking of stuff like how web of trust is handled ...

I'm not an expert with the ProtonMail and MailFence webmail services, so 
I cannot speak for them. As long as they send and process standard 
OpenPGP email, interoperability should be possible.

Regarding the web of trust, it's currently undecided if we'll support 
indirect trust.

> ... and whether there are the necessary hooks so that IMAP/SMTP glue such as the ProtonMail bridge could work.

It's not clear to me why you would want to combine Thunderbird with an 
encrypting message gateway technology like the ProtonMail bridge 
software. Once Thunderbird is able to process OpenPGP messages itself, 
combining them seems like doing the same thing twice. Could you explain 
why this combination might be necessary, and how Thunderbird would need 
to support it?

> Is Thunderbird going to use an open source encryption library ...

Yes, we intend to use open source libraries only.

> that has passed an independent security audit? One of the reasons why I ask is that several of them (such as OpenPGP.js) have licenses incompatible with MPL.

Yes, we'd prefer to use encryption technology that has been audited.

> It's tough finding free S/MIME certificates nowadays. Actalis seems to be the only source for one that will last a year; the rest seem to be 30 day trials. Is S/MIME's future in Thunderbird mainly for corporate use?

S/MIME can be interesting for organizations that wish to implement their 
own PKI for their controlled group of users. For individual users, and 
for everyone else who wishes to communicate across organizational 
borders, it seems easier to use the OpenPGP technology, as it can be 
used without involving third parties, and without requiring that 
everyone involved trusts the same third party authorities.

