[openpgp-email] Thunderbird & OpenPGP smartcards

Andre Heinecke aheinecke at gnupg.org
Tue Dec 10 16:20:52 UTC 2019


Hi,

On Monday 9 December 2019 22:22:03 CET Kai Engert wrote:
> during the summit, some of you have asked that we support OpenPGP 
> smartcards in next year's Thunderbird release.
> 
> I'd like to make you aware of the following public message, which I sent 
> to the Thunderbird planning mailing list:
> https://mail.mozilla.org/pipermail/tb-planning/2019-December/007288.html

I've subscribed to this list now so that I can answer better in the future on 
that list. Although to be honest, with the decision of Mozilla to throw away 
many man years of development done by the community I'm not inclined to 
volunteer much work and even responding / discussing is work. 

This might be the reason that there are few responses to your questions. 
Mozilla is a big company and it is basically asking for free work. And even 
for volunteer work or work financed by other institutions there is currently no 
planning security in my opinion.

> I'm interested to hear your feedback on the presented idea to support 
> smartcards, as an advanced user feature - by potentially allowing users 
> to use external GnuPG for private key operations, only (signing + 
> decryption), while using the default, integrated OpenPGP processing 
> library for all other functionality, like encryption, decryption, trust 
> and public key management.
>
> Do you think that could work?

I think that this could work and is important because not having any token 
support might block users from updating to your version if they cannot use 
their keys anymore. We are currently planning to recommend Claws mail as a 
Free Software Windows MUA for such users.

Having it configurable / optional is OK in my opinion. You can decide to use 
the high level interface gpgme-json, which is for example used by mailvelope 
in Firefox through native messaging and installed with Gpg4win.  gpgme-json 
has a command line help when you start it interactively. There is also 
gpgme-js as a javascript binding around the commands. You can find all that in 
the main gpgme repo.


Alternatively you can do socket communication but as this is low level you 
might not find all the documentation you need. Interesting for you would 
probably be the commands "PKSIGN" and "PKDECRYPT".

We recommend that you use the gpg-agent socket instead of the scd socket to 
ensure that a pinentry is available, the gpg-agent is available etc. Kleopatra 
and GPA also do it this way.

Any command sent to gpg-agent with the prefix "SCD" directly forwards the 
command to scdaemon.

You can use "gpg-connect-agent" on Windows and Linux to open a connection to 
the socket. You will then get a prompt. "help" will show you the possible 
commands.

E.g.:

> scd help getinfo
# GETINFO <what>
# 
# Multi purpose command to return certain information.  
# Supported values of WHAT are:
# 
#   version     - Return the version of the program.
#   pid         - Return the process id of the server.
#   socket_name - Return the name of the socket.
#   connections - Return number of active connections.
#   status      - Return the status of the current reader (in the future,
#                 may also return the status of all readers).  The status
#                 is a list of one-character flags.  The following flags
#                 are currently defined:
#                   'u'  Usable card present.
#                   'r'  Card removed.  A reset is necessary.
#                 These flags are exclusive.
#   reader_list - Return a list of detected card readers.  Does
#                 currently only work with the internal CCID driver.
#   deny_admin  - Returns OK if admin commands are not allowed or
#                 GPG_ERR_GENERAL if admin commands are allowed.
#   app_list    - Return a list of supported applications.  One
#                 application per line, fields delimited by colons,
#                 first field is the name.
#   card_list   - Return a list of serial numbers of active cards,
#                 using a status response.



g10code would offer consulting and development to help with such things. If 
Mozilla is interested in an offer please let us know.

Best Regards,
Andre

-- 
GnuPG.com - a brand of g10 Code, the GnuPG experts.

g10 Code GmbH, Erkrath/Germany, AG Wuppertal HRB14459
GF Werner Koch, USt-Id DE215605608, www.g10code.com.

GnuPG e.V., Rochusstr. 44, D-40479 Düsseldorf.  VR 11482 Düsseldorf
Vorstand: W.Koch, M.Gollowitzer, A.Heinecke.    Mail: board at gnupg.org
Finanzamt D-Altstadt, St-Nr: 103/5923/1779.   Tel: +49-2104-4938799
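The socket route the mail describes (talk to the gpg-agent socket, prefix card commands with "SCD" so gpg-agent forwards them to scdaemon, read the "#", "D", "S", "OK" and "ERR" reply lines that gpg-connect-agent shows you) can be driven from any language. The following is an added example, not code from the mail, from GnuPG or from Thunderbird: a small Assuan client in Python. It assumes a Unix-domain socket at the path reported by `gpgconf --list-dirs agent-socket` (on Windows the socket file instead holds a TCP port and nonce, which this example does not handle), and it does not answer INQUIRE requests, so it covers read-only card queries such as GETINFO, not a full PKSIGN/PKDECRYPT exchange. The reply parser is separated from the socket code so the "scd help getinfo" output quoted above can be parsed offline.

```python
"""Minimal Assuan client for the gpg-agent socket (added example, not code
from the mail or from GnuPG).  It forwards card commands to scdaemon with the
"SCD" prefix and parses the reply lines.  Assumes a Unix-domain socket."""
import socket
import subprocess
from dataclasses import dataclass, field
from urllib.parse import unquote_to_bytes


@dataclass
class AssuanReply:
    ok: bool
    data: bytes = b""                            # payload of the "D " lines
    status: list = field(default_factory=list)   # "S <keyword> <args>" lines
    comments: list = field(default_factory=list) # "# ..." lines (help text)
    error: str = ""                              # "<code> <desc>" on ERR


def parse_reply(lines):
    """Consume reply lines (bytes, no trailing newline) up to OK or ERR."""
    reply = AssuanReply(ok=False)
    for line in lines:
        if line.startswith(b"OK"):
            reply.ok = True
            return reply
        if line.startswith(b"ERR "):
            reply.error = line[4:].decode(errors="replace")
            return reply
        if line.startswith(b"D "):
            # Assuan percent-escapes '%', CR and LF inside data lines.
            reply.data += unquote_to_bytes(line[2:])
        elif line.startswith(b"S "):
            keyword, _, args = line[2:].decode(errors="replace").partition(" ")
            reply.status.append((keyword, args))
        elif line.startswith(b"#"):
            reply.comments.append(line[1:].strip().decode(errors="replace"))
        elif line.startswith(b"INQUIRE "):
            # The agent wants data from us (e.g. the ciphertext for PKDECRYPT).
            # A full client answers with D lines and END; this example does not.
            raise RuntimeError("unexpected " + line.decode(errors="replace"))
        # Anything else (empty lines, unknown prefixes) is ignored.
    raise RuntimeError("connection closed before OK/ERR")


def agent_socket_path() -> str:
    """Ask gpgconf where gpg-agent listens (a real gpgconf option)."""
    out = subprocess.check_output(["gpgconf", "--list-dirs", "agent-socket"],
                                  text=True)
    return out.strip()


class AgentConnection:
    def __init__(self, path: str):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(path)
        self.buf = b""
        # gpg-agent greets a new connection with an "OK ..." line.
        parse_reply(self._lines())

    def _lines(self):
        """Yield complete lines from the socket, keeping leftovers in self.buf."""
        while True:
            while b"\n" in self.buf:
                line, _, self.buf = self.buf.partition(b"\n")
                yield line
            chunk = self.sock.recv(4096)
            if not chunk:
                return
            self.buf += chunk

    def command(self, cmd: str) -> AssuanReply:
        self.sock.sendall(cmd.encode() + b"\n")
        return parse_reply(self._lines())

    def scd(self, cmd: str) -> AssuanReply:
        """gpg-agent forwards any command prefixed with SCD to scdaemon."""
        return self.command("SCD " + cmd)


if __name__ == "__main__":
    # Live demo; requires a running gpg-agent.  Failures are reported, not hidden.
    try:
        conn = AgentConnection(agent_socket_path())
        print("scdaemon version:", conn.scd("GETINFO version").data.decode())
        print("reader status flags:", conn.scd("GETINFO status").data.decode())
        for text in conn.scd("help getinfo").comments:
            print("#", text)
    except (OSError, subprocess.SubprocessError, RuntimeError) as exc:
        print("could not talk to gpg-agent:", exc)
```

Connecting through gpg-agent rather than the scdaemon socket, as the mail recommends, means PIN prompts go through the agent's pinentry and a failed card state shows up as a normal ERR line that the client can surface to the user.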