Future OpenPGP Support in Thunderbird

Werner Koch wk at gnupg.org
Sat Oct 12 13:14:24 CEST 2019


On Sat, 12 Oct 2019 02:23, Robert J. Hansen said:

> on Enigmail was very real.  It was created by an ambiguity in how GnuPG
> returns error states: just because GnuPG says "decryption OK" doesn't

Nope.  They did not read the documentation and did not check error
codes.  We suggest for a reason to use GPGME to make error checking
easy.  You can't just code things down along some specs without thinking
over the implications.

Still, TB is still subject to those attacks because their primary
encryption protocol is S/MIME and the last time I checked S/MIME (well,
CMS for the nitpickers) does not support any kind of authenticated
encryption.  In contrast, OpenPGP has provided this for nearly 2 decades.
Mozilla has not even stepped forward and implemented one of the
meanwhile old proposals to move to AE.  So Microsoft had to take the lead
to do this (rumors are that the next OL version will allow for GCM mode).

After 20 years of strong resistance against implementing OpenPGP [1], they
finally seem to do it.  That is a good move.


Shalom-Salam,

   Werner


[1] Back in ~1999, when Mozilla rewrote the entire mail engine, I
implemented a first version of PGP/MIME code which was rejected due to
their policy of only supporting S/MIME.  For a term paper a German
student later took up on my code, extended and cleaned it up.  Again it
was rejected.  About 2005 we had a meeting with them to propose that we
implement S/MIME again in a way that would comply with the strong policy
requirements here in Germany and also to implement OpenPGP as an
additional protocol.  It was again rejected.

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
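
Added example (not part of the original message, and not GnuPG, GPGME or Enigmail code): a sketch of the error checking discussed above for a caller that runs gpg directly and reads its --status-fd output instead of using GPGME.  The function names and both sample status logs are constructed for illustration; the status keywords are the ones GnuPG documents.

```python
STATUS_PREFIX = "[GNUPG:] "
# Any of these status keywords means the decrypted output must be discarded.
FATAL = {"DECRYPTION_FAILED", "BADMDC", "FAILURE"}

def parse_status(status_text):
    """Return (keyword, args) pairs from gpg --status-fd output."""
    events = []
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue  # human-readable diagnostics are not a stable interface
        keyword, _, args = line[len(STATUS_PREFIX):].partition(" ")
        events.append((keyword, args.split()))
    return events

def plaintext_is_usable(exit_code, status_text):
    """Accept output only if every signal agrees that decryption succeeded.

    Call this after gpg has exited; keep the output buffered until then,
    so nothing is rendered before the final verdict is known.
    """
    keywords = [k for k, _ in parse_status(status_text)]
    if exit_code != 0:
        return False, "gpg exit code %d" % exit_code
    for k in keywords:
        if k in FATAL:
            return False, "status " + k
    if "DECRYPTION_OKAY" not in keywords:
        return False, "no DECRYPTION_OKAY status"
    return True, "ok"

# Constructed sample: a clean decryption.
OK_STATUS = """\
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 1570878864
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION
"""

# Constructed sample: output was emitted, then the integrity check failed.
BAD_STATUS = """\
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 0
gpg: WARNING: encrypted message has been manipulated!
[GNUPG:] BADMDC
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION
"""

if __name__ == "__main__":
    print(plaintext_is_usable(0, OK_STATUS))
    print(plaintext_is_usable(2, BAD_STATUS))
```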