Future OpenPGP Support in Thunderbird

Robert J. Hansen rjh at sixdemonbag.org
Mon Oct 21 11:57:54 CEST 2019


> Actually, the Enigmail / GnuPG duo is one of the best examples of how
> different software parts could work together, thus increasing the
> prevalence of both parts by magnitudes, pushing a technique which the
> world really needs, and making it usable for the masses. Enigmail /
> GnuPG is by fare more than its sum.

And at the same time, less.  Remember what Efail showed us: that the
interface between GnuPG and clients calling it is remarkably subtle and
prone to misinterpretation.  It isn't just Enigmail which got bit by
this, either: a *lot* of email clients got hit.

GnuPG has steadfastly refused to create an OpenPGP library programmers
can use directly, on the grounds that security is improved by adding
process separation between the application process and the GnuPG
process.  There's a lot to be said for this argument.  There's a lot to
be said for the counterargument: that the additional complexity involved
in communicating across a process boundary turns it into a false savings.

I'm not sure which one I believe, myself.



More information about the Gnupg-users mailing list