Future OpenPGP Support in Thunderbird

Binarus lists at binarus.de
Mon Oct 14 09:40:30 CEST 2019

On 13.10.2019 22:27, Jeff Allen via Gnupg-users wrote:
> On 10/13/19 2:21 AM, Patrick Brunschwig wrote:
>> The vast majority of users of Enigmail (somewhere around 98%) don't use
>> external built keys.
> How do you know this?

I don't know either, but perhaps it is in the debug logs the Enigmail
team analyzes?

>> The vast majority of users also don't use GnuPG for
>> anything other than email. These users don't care where their key is
>> stored, nor which software under the hood is used for the crypto. All
>> they care about is that encryption works smoothly.
> And this?

I am also not sure about this. As far as it concerns Windows, the first
part of the statement may be true. There is plenty of software to
encrypt single files or directories for Windows, including the software
which is part of the O/S. People probably tend to go the easiest way,
even if another solution would be safer and technically superior. I
don't know the situation under Linux well enough to comment.

I disagree with the second part of the statement, though. Most of the
people who think about privacy and email encryption / authentication at
all are educated, non-average users who want to be sure that there are
no backdoors in their software and that they use it as safely as
possible (meaning that they care about software, algorithms and
ciphers), and who want to back up their keys (meaning that they care
where the keys are stored). And yes, I want to decide on my own if my
key is ED25519, RSA1024 or RSA4096 :-)

>> The most important aspects from our side are the following: The chosen
>> solution must run smoothly for the ~20M users of Thunderbird without
>> causing a large amount of support/setup issues.
> Presumably those ~20,000,000 will have to opt-in to use Thunderbird
> encryption.  Most won't for the same reason they don't install and use
> Enigmail now.  They don't particularly care about privacy, and the few
> who do care correspond with people who don't.

I am not sure where this will lead. It sounds as if you were
suggesting to give up on privacy, encryption and authentication for that

While I agree with you that this problem exists and is quite difficult
to solve (eventually it needs another decade), I am absolutely sure that
bad and difficult software will make it worse, but good and usable
software will help in solving it. The fact that the problem exists does
not mean that nobody should try to solve it by providing easier-to-use,
fully integrated software with reasonable default settings.

>> We want to have
>> something that satisfies as many users of Enigmail as possible. We
>> certainly don't want to have people run away from Thunderbird because of
>> OpenPGP.
> [Snip]
> Is there any reason to think that folks who object to easy-to-use
> proprietary encrypted email solutions from ProtonMail and Tutanota will
> embrace a proprietary encrypted email solution from Thunderbird?

There are many reasons to think so (the following applies to ProtonMail
as well as Tutanota):

1) To actually use those services in a reasonable manner, you have to
opt in for a paid contract. For most of us, this is a matter of
principle. Why should we pay for a thing that used to be free all the
time? (Note: I don't want to judge that attitude - I am just stating how
it is).

2) None of those services supports IMAP or POP3. I would be totally crazy
if I made myself totally dependent on companies or services which
won't let me download my messages and integrate them into my email client.

What happens if those companies suddenly stop their service and you
haven't downloaded your messages yet (which anyway seems to be
impossible)? Or if you decide that you want to use another service? How
long will you be able to access your messages after you have stopped
paying your old service? Will they delete your messages until the quota
for free usage is reached again?

I insist on having all important data, including email messages,
in-house and under my complete control, and I strongly advise each of my
customers to do the same. So far, all of them are following that advice.
Therefore, such services never will have any chance to do business with
my customers.

3) I have several email addresses. I am definitely not ready to use a
different website or different software for each of them. That is, there
is absolutely no chance that I ever will use a service which does not
provide POP3 or IMAP (or, for the protocol, their successors).

I want *one* MUA (like Thunderbird) to be able to manage *all* of my
email messages in *one* place (For example, ever needed to search for a
message for which you can't remember the account it was received on? -
The global search in TB is very handy here. Further reasons: junk
filtering, action filters (automatically moving certain messages in
subfolders) and so on, all managed in one place, public folders, shared
folders and so on).

4) I doubt that these services can be legally used by businesses in
Germany. We have some weird rules here, one of them saying that we
have to keep *each* (electronic) message we are receiving and sending in
a separate archive to which users don't have access. That is, users of
course may do anything they want in their normal email account, but all
messages which are ever sent or received must first be copied somewhere
where they cannot be manipulated or deleted.

I can't imagine how this could be achieved when using those services.

These are only a few of the many reasons against using a purely
cloud-based email system.
