Thunderbird 78, Enigmail and OpenPGP secure email

Kai Engert kaie at kuix.de
Tue Oct 8 11:51:41 UTC 2019


On 08.10.19 10:29, Ludovic Hirlimann wrote:
> Are you considering leveraging Pronto mail's PGP library (like bugzilla
> did a year or so ago) ?

Are you referring to https://github.com/ProtonMail/openpgpjs ?

That library is a potential candidate for a library that supports
OpenPGP messages; its LGPL license could allow us to bundle it with
Thunderbird.

However, looking at the output of "npm-remote-ls openpgp", it has a
large set of dependencies.

In my understanding, if we decided to use OpenPGP.js we'd have to bundle
it together with all its dependencies. To keep those attack vectors
under control, we'd probably have to watch all those dependencies for
security issues, and publish an updated Thunderbird version for every
security incident related to any of those dependent libraries.

Also, bundling might not be acceptable for some downstream distributors,
like Debian, which distributes individual node packages. We'd have to
ensure our bundled OpenPGP.js works with the system module versions
available on downstream consumer systems.

Because of the above, it seems preferable to use a C/C++ or Rust library
for OpenPGP message processing.


> Are we following
> https://latacora.singles/2019/07/16/the-pgp-problem.html to make sure
> gpg/pgp in thunderbird will follow the new standard and make the wot
> more usable ?

This article makes very critical statements about PGP in general, such
as not using PGP for encrypting email at all, which is obviously
contrary to our intention.

When you mention a new standard, can you please point out to which part
of the article you're referring?

It's not yet clear if, or how, or how soon, we might support the Web Of
Trust.


> Regarding S/Mime the issue I had with it was renewing certs and these
> days Find a cert issuer - there's probably opportunities for TB to
> partner with someone and get some €€€ through a S/mime partnership (eg
> referral from tb - someone pays for a cert and Tb gets revenue from it).

It might be best to have a separate thread for discussing challenges
with S/MIME.

As a quick reply, I share the impression that the availability of
publicly trusted certificates for personal use with email security seems
to have decreased, especially when considering certificates available
for no cost. And Firefox has recently removed support for the HTML
keygen tag, which will make it more complicated to obtain such
certificates, as it will likely require the use of external command line
tools to create a key pair with the private key only being stored on the
user's own computer.

The use of S/MIME might be more appropriate for corporate or
organizational environments, while OpenPGP might be better suited for
communication between private users, because it doesn't require
involving a third-party CA to get started.

Kai
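
Added example, not part of the original message and not Thunderbird or OpenPGP.js code: a sketch of the "watch all those dependencies" task described above, computing from an npm lockfile every package and version that bundling one library pulls in. The lockfile content, the package names (`pgp-lib`, `ui-kit`, and so on) and the helper names `resolve` and `watchList` are constructed placeholders, not the real OpenPGP.js dependency tree.

```javascript
// Constructed sample in npm's package-lock.json "packages" layout (lockfileVersion 3).
// All names and versions are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "mail-client", dependencies: { "pgp-lib": "^1.0.0", "ui-kit": "^2.0.0" } },
    "node_modules/pgp-lib": { version: "1.0.0",
      dependencies: { "big-int": "^3.0.0", "streams": "^1.0.0", "buffer-shim": "^0.9.0" } },
    "node_modules/pgp-lib/node_modules/buffer-shim": { version: "0.9.0" },
    "node_modules/big-int": { version: "3.1.0" },
    "node_modules/streams": { version: "1.2.0", dependencies: { "buffer-shim": "^1.0.0" } },
    "node_modules/buffer-shim": { version: "1.0.4" },
    "node_modules/ui-kit": { version: "2.3.0" },
  },
};

// Node-style lookup: try the requiring package's own node_modules, then each parent's.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Transitive closure of rootName's dependencies: the set to bundle and to monitor.
function watchList(lock, rootName) {
  const packages = lock.packages;
  const start = resolve(packages, "", rootName);
  if (!start) throw new Error("package not in lockfile: " + rootName);
  const seen = new Set([start]);
  const queue = [start];
  const missing = []; // dependencies the lockfile does not pin
  while (queue.length) {
    const path = queue.shift();
    const deps = { ...packages[path].dependencies, ...packages[path].optionalDependencies };
    for (const name of Object.keys(deps)) {
      const hit = resolve(packages, path, name);
      if (!hit) { missing.push(`${name} (needed by ${path})`); continue; }
      if (!seen.has(hit)) { seen.add(hit); queue.push(hit); }
    }
  }
  const label = (p) => `${p.slice(p.lastIndexOf("node_modules/") + 13)}@${packages[p].version}`;
  return { list: [...seen].map(label).sort(), missing };
}

console.log(watchList(sampleLock, "pgp-lib"));
```

In the sample, `buffer-shim` appears at two versions, so an advisory against either one would affect the bundle.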


More information about the tb-planning mailing list