Future OpenPGP Support in Thunderbird

Jeff Allen jrallen at runbox.com
Mon Oct 14 16:15:21 CEST 2019

On 10/14/19 3:40 AM, Binarus wrote:
> On 13.10.2019 22:27, Jeff Allen via Gnupg-users wrote:
>> On 10/13/19 2:21 AM, Patrick Brunschwig wrote:
>>> The vast majority of users of Enigmail (somewhere around 98%) don't use
>>> external built keys.
>> How do you know this?
> I don't know either, but perhaps it is in the debug logs the Enigmail
> team analyzes?

I have used Enigmail since its inception and have never knowingly
submitted a log or answered a survey and have always assumed Enigmail
does not phone home.

>>> The vast majority of users also don't use GnuPG for
>>> anything else than email. These users don't care where their key is
>>> stored, nor which software under the hood is used for the crypto. All
>>> they care is that encryption works smoothly.
>> And this?
> I am also not sure about this. As far as it concerns Windows, the first
> part of the statement may be true.

All the statements might be true.  My question was "How do you know?"


> I disagree with the second part of the statement, though. Most of the
> people who think about privacy and email encryption / authentication at
> all are educated, non-average users who want to be sure that there are
> no backdoors in their software and that they use it as safely as
> possible (meaning that they care about software, algorithms and
> ciphers), and who want to backup their keys (meaning that they care
> where the keys are stored). And yes, I want to decide on my own if my
> key is ED25519, RSA1024 or RSA4096 :-)

I agree and think Patrick underestimates the number of GnuPG/Enigmail
users who care a lot about the details.  My argument in the other thread
was that folks who value privacy and encryption but can't be burdened by
the details have reasonably secure easy-to-use options available.
Enigmail is, of course, one of them.

>>> The most important aspects from our side are the following: The chosen
>>> solution must run smoothly for the ~20M users of Thunderbird without
>>> causing a large amount of support/setup issues.
>> Presumably those ~20,000,000 will have to opt-in to use Thunderbird
>> encryption.  Most won't for the same reason they don't install and use
>> Enigmail now.  They don't particularly care about privacy, and the few
>> who do care correspond with people who don't.
> I am not sure where this will lead to. It sounds as if you were
> suggesting to give up on privacy, encryption and authentication for that
> reason.

Not at all.  My point was that I doubt OpenPGP's inclusion in
Thunderbird will have a major impact on the number of people encrypting
their email.

> While I agree with you that this problem exists and is quite difficult
> to solve (eventually it needs another decade), I am absolutely sure that
> bad and difficult software will make it worse, but good and usable
> software will help in solving it. The fact that the problem exists does
> not mean that nobody should try to solve it by providing easier-to-use,
> fully integrated software with reasonable default settings.

Here we disagree.  I believe that existing software is not that
difficult to use.  The problem, if there is one, is that most people
simply aren't interested.  Twenty years ago I thought that everyone
would soon be using end-to-end encrypted email.  Twenty years from now
they still won't be.

>>> We want to have
>>> something that satisfies as many users of Enigmail as possible. We
>>> certainly don't want to have people run away from Thunderbird because of
>>> OpenPGP.
>> [Snip]
>> Is there any reason to think that folks who object to easy-to-use
>> proprietary encrypted email solutions from ProtonMail and Tutanota will
>> embrace a proprietary encrypted email solution from Thunderbird?
> There are many reasons to think so (the following applies to ProtonMail
> as well as Tutanota):
> 1) To actually use those services in a reasonable manner, you have to
> opt-in for a paid contract. For most of us, this is a matter of
> principle. Why should we pay for a thing that used to be free all the
> time? (Note: I don't want to judge that attitude - I am just stating how
> it is).


But "free" email has never been free from the likes of Gmail, Yahoo,
GMX, etc.  While you don't pay a yearly fee, you trade your privacy for
a few bucks.  You open yourself to tracking and targeted advertising.
Your email is anything but private.  A couple years back both Google and
Yahoo claimed to be working on E2EE.  I wonder why it never happened?

The free versions of ProtonMail, Tutanota and Mailfence at least
preserve your privacy.  They aren't monetized through advertising and
tracking.  Instead they sell premium services to people who want more
capacity or features.  Many people I know do email exclusively on their
smart phones.  They don't use an MUA and don't care about POP3, IMAP or
SMTP. Their view of using email services in a reasonable manner doesn't
comport with yours or mine.


I hope I am wrong and Thunderbird's OpenPGP implementation is a complete
success encouraging many more people to encrypt their email.  I would,
however, personally prefer that Thunderbird directly implement GnuPG
integration instead of going it alone.  That would satisfy both casual
and power users as Enigmail does now.

Will Thunderbird OpenPGP support smart cards like my Yubikey?  How about
a feature like GnuPG's group line or Enigmail's per-recipient rules?
In-line PGP as well as PGP/MIME?  Encrypted subject and the ability to
turn it on or off?  As far as I know, they are all features of GnuPG or
Enigmail and not required by the OpenPGP specification.

Patrick and company deserve our thanks for many years of splendid service
to the OpenPGP community.  So do Werner and his team who created and
maintain a tool that has satisfied a wide range of users for decades. I
doubt that yet another proprietary OpenPGP system is what the world needs.

Jeff Allen
