Future OpenPGP Support in Thunderbird

Mark H. Wood mwood at iupui.edu
Sat Oct 12 14:07:58 CEST 2019


On Sat, Oct 12, 2019 at 10:13:59AM +0300, Teemu Likonen via Gnupg-users wrote:
> Philipp Klaus Krause [2019-10-08T15:34:28+02] wrote:
> 
> > It would be really nice, if Thunderbird could add an option to use the
> > gpg key storage instead of its own, [...]
> 
> I agree with that even though I have never really used Thunderbird.
> 
> But using a custom key storage and implementation (or do they use
> Sequoia PGP library?) is an interesting choice in the world of Unix-like
> systems. It's pretty much the normal way elsewhere, though.
> 
> PGP and GnuPG and the related communities have tried really hard to
> build a system based on a person's long-term identity keys. All that web
> of trust thing relies on keys that are used for a relatively long time. But as
> we know this doesn't work for most people. People are really bad at
> maintaining long-term identity keys. I think this is the most important
> reason why other software just auto-generate "device keys" or
> "application keys" and exchange them. They just forget about the
> identity part and keys' usage in the long term. Change your phone or
> just reinstall the application and you'll have new keys. Keys come and
> go and it's perfectly normal.

That would be one of the reasons why I tend to avoid "other software".
My primary use-case is identity, not secrecy.  I am not alone: quite a
few employers are at last discovering crypto signatures in their
efforts to combat spear-phishing, and spending quite a bit of money
and effort to deploy them.  (I accept that most of them are using
S/MIME rather than OpenPGP, but that's a detail; identity is important.)

> Thunderbird seems to be going in that direction and it is probably a
> good thing. From the mindset of crypto nerds (like us) or Unixy tool box
> this can be a barrier, obviously.

Humph, I was already grumpy about Mozilla products' insistence on
having their own insular X.509 store, meaning that I have to install
certificates twice (once for Firefox, again for *everything else*.)

Maybe there will be an add-on, so that those who care can choose to
integrate Thunderbird into their systems rather than having it still
standing off to one side haughtily awaiting special treatment.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu