Future OpenPGP Support in Thunderbird

Jeff Allen jrallen at runbox.com
Fri Oct 18 16:02:51 CEST 2019

On Thu, 2019-10-17 at 17:40 +0200, Patrick Brunschwig wrote:
> In all cases, we certainly won't re-write GnuPG or similar. The question
> on the table is: do we continue to use GnuPG (be it directly or via
> gpgme), or do we use a different OpenPGP implementation (and if yes
> which one). There are certainly good arguments for both.

I am a GnuPG user, not an expert and certainly not a developer, so you
may take my suggestions with a grain of salt.

Following this thread about future OpenPGP support in Thunderbird
prompted me to begin trying other MUAs.  Why?  Because if Thunderbird
implements its own OpenPGP scheme, I wonder whether it will include
features I consider important like smartcard support.  It is unlikely
to have a configuration file like gpg.conf that enables me to fine-tune 
both email and file encryption.

For the past couple of days I have been using Evolution.  It just works
with GnuPG.  I don't know or care how.  It encrypts, decrypts and
verifies signatures.  There was no set-up required.  My Yubikey works
because Evolution calls GnuPG instead of using a proprietary
implementation.  AFAIK only GPG does that.  Protonmail, Mailvelope,
FlowCrypt, and Mailfence do not.  You could probably build in smartcard
support and any other feature I can name, but why grapple with what
GnuPG already does well?  Why spend your time trying to head off the
next security threat when Werner & Co. will do it for you?

Enigmail has great features like the key manager and per-recipient
rules.  Focus on those.  Make Thunderbird encryption easy to use for
novices without driving off more experienced users.  Like Enigmail, I
use only a tiny fraction of GPG's commands and options. The fact that
GPG can do things I find esoteric is of little concern to me, but I'm
glad those features are there for people who need them.  The complexity
of GnuPG does not make its use complex for average users or for apps
providing GPG front-ends.  They simply ignore what they don't need.

The only thing I see that internal OpenPGP accomplishes is saving the
Windows user the task of installing GnuPG.  Anyone who uses Thunderbird
knows how to install software.  You can probably arrange with Werner
for a permanent link to the latest simple installer.  Automatically
check for GnuPG when Thunderbird is installed on Windows.  If it isn't
there, offer one-click installation.

I started using Thunderbird because of Enigmail, not the other way
around.  I haven't been a fan of some recent developments like pEp and
defaulting to "junior" mode, but I recognize their usefulness to new
users and can easily work around them myself.  My take on your original
explanation of the reason for Enigmail's pending demise is that a
changed Thunderbird plug-in scheme makes it more efficient to build
Enigmail functionality into the MUA.  Why not stick with that and focus
on what has made Enigmail successful?

Jeff Allen