Certified OpenPGP-encryption after release of Thunderbird 78

Mark azbigdogs at gmx.com
Sun May 31 20:25:10 CEST 2020


So for all of us that don't use a smart card to store our keys, they are
stored in TB?  What if we also have need for that key outside of email
such as signing or decrypting files? We still need that key in GNUPG as
well. If we change the key at all then we have to make sure it has been
updated in both areas?

I could see a similar situation developing with the public keys where
the ones stored in TB are not in sync with the ones stored in GNUPG.
What happens with keys that are obtained from websites for places like
Apple, Microsoft, etc. that are not being directly imported from an email?

Maybe I am overthinking it or just missing something but I see potential
problems with this. If they are not using the same data (key rings) or
in constant synchronization, the "wrong key" could be used. Hopefully
they have a way to address this.

On 5/31/2020 1:01 AM, Patrick Brunschwig wrote:
> Mark wrote on 31.05.2020 01:28:
>> Doesn't TB also need your secret keys to decrypt messages? 
> With smartcard support via GnuPG, all secret key operations are handled
> by GnuPG, and all public key operations are handled by TB (Note: the
> standard case, without smartcard support, will be that all keys are in
> Thunderbird).
>
> The use-cases are clearly distinct:
> - encryption: you only need public keys
> - decryption: you only need secret keys
> - signing: you only need secret keys
> - verification: you only need public keys
>
>> Also what if you need your public keys outside of TB such as encrypting
>> a file?
> That's not supported by Thunderbird. The idea of OpenPGP in Thunderbird
> is that you use it for email.
>
>> The reason I'm asking is that a while ago I posted about unknown files in
>> my GNUPG directory. PAPubring.gpg and PAsecring.gpg. I eventually found
>> out those are key rings used by a program I have called Power Archiver.
>> I'm not sure why it has its own set of keys, still awaiting an
>> explanation from support. If every app is not using the same pair of key
>> rings (and there is no synchronization between them) could that not lead
>> to problems?
> The only "problem" might be that you have different keys on different
> key rings. But this is not necessarily a problem - you use different
> keys for different purposes and you can import and export the keys
> between the tools if needed.
>
> -Patrick
>
>> On 5/30/2020 12:57 PM, Patrick Brunschwig wrote:
>>> Mark wrote on 30.05.2020 20:54:
>>>> So then do you have multiple pairs of key rings? One pair for TB78 and
>>>> its built in PGP and another pair as part of GNUPG?
>>> Not exactly. You have your secret keys with GnuPG, and your public keys
>>> with Thunderbird. No synchronization required.
>>>
>>> -Patrick
>>>> If so how do you keep them synchronized?
>>>>
>>>> On 5/30/2020 9:17 AM, Patrick Brunschwig wrote:
>>>>> Robert J. Hansen wrote on 30.05.2020 01:07:
>>>>>>> If TB 78 is going to have native support of OpenPGP encryption, then the
>>>>>>> original person in the thread should be able to export all of the keys
>>>>>>> in their key rings, and import all of those keys into TB 78, or am I
>>>>>>> missing one of the gotchas with
>>>>>>> TB 78 and its OpenPGP encryption support.
>>>>>> You're missing the gotcha of "as of -Beta3, the new Thunderbird *cannot
>>>>>> even import a key*."
>>>>> I'm sorry, but that is simply not true. There is a known bug in the
>>>>> library used by Thunderbird (RNP) that leads to crashes when importing
>>>>> _certain_ keys. But I succeeded in importing all of my keys without any
>>>>> problems (more than 1,000), except for 5 V3 keys. I can definitely say
>>>>> that it's not just broken, and it can import keys.
>>>>>
>>>>>> I'm not kidding.  It is so far from complete that Kai Engert, who leads
>>>>>> the TB78 OpenPGP effort, recently proposed postponing OpenPGP support in
>>>>>> TB until version 78.2, or about a three-month delay.
>>>>> Again, that's oversimplified. OpenPGP will not be enabled _by_ _default_
>>>>> but users may still enable it manually.
>>>>>
>>>>>> At present, as of -Beta3, TB78's OpenPGP support is badly broken.
>>>>> No, it's incomplete - work in progress. That's not quite the same.
>>>>>
>>>>> -Patrick
>
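As an added example (not part of this thread or of Thunderbird/GnuPG), a small check a user moving keys between GnuPG and Thunderbird can run before importing an export file: it walks the packet headers of a binary (non-armored) OpenPGP key export and reports whether the file carries secret-key packets or only public ones. Packet framing follows RFC 4880 section 4.2; the sample bytes are constructed and contain no real key material.

```python
# Added example: classify the packets in an OpenPGP key export so you know
# whether you are about to import secret-key or only public-key material.
TAG_NAMES = {2: "signature", 5: "secret-key", 6: "public-key", 7: "secret-subkey",
             13: "user-id", 14: "public-subkey", 17: "user-attribute"}
SECRET_TAGS = {5, 7}
PUBLIC_TAGS = {6, 14}

def _read_header(data, pos):
    """Return (tag, body_start, body_len) for the packet header at pos (RFC 4880 4.2)."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError(f"not a packet header at offset {pos}")
    if first & 0x40:                      # new-format header: tag in low 6 bits
        tag = first & 0x3F
        b1 = data[pos + 1]
        if b1 < 192:                      # one-octet length
            return tag, pos + 2, b1
        if b1 < 224:                      # two-octet length
            return tag, pos + 3, ((b1 - 192) << 8) + data[pos + 2] + 192
        if b1 == 255:                     # five-octet length
            return tag, pos + 6, int.from_bytes(data[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths not supported here")
    tag = (first >> 2) & 0x0F             # old-format header: tag in bits 5..2
    ltype = first & 0x03
    if ltype == 3:
        raise ValueError("indeterminate length not supported here")
    n = (1, 2, 4)[ltype]
    return tag, pos + 1 + n, int.from_bytes(data[pos + 1:pos + 1 + n], "big")

def list_packets(data):
    """Yield (tag, body) for each packet in a binary OpenPGP stream."""
    pos = 0
    while pos < len(data):
        tag, start, length = _read_header(data, pos)
        if start + length > len(data):
            raise ValueError(f"truncated packet at offset {pos}")
        yield tag, data[start:start + length]
        pos = start + length

def summarize_keyfile(data):
    """Name each packet and flag whether secret/public key material is present."""
    tags = [t for t, _ in list_packets(data)]
    return {"packets": [TAG_NAMES.get(t, f"tag-{t}") for t in tags],
            "has_secret": any(t in SECRET_TAGS for t in tags),
            "has_public": any(t in PUBLIC_TAGS for t in tags)}

# Constructed sample (no real key material): new-format public-key and user-id
# packets followed by an old-format secret-subkey packet with dummy bodies.
SAMPLE = (bytes([0xC6, 3]) + b"pub"              # 0xC0 | tag 6, 1-octet length
          + bytes([0xCD, 5]) + b"alice"          # 0xC0 | tag 13
          + bytes([0x9D, 0, 4]) + b"sec!")       # 0x80 | 7<<2 | ltype 1 (2-octet length)
```

Run it on `gpg --export` or `gpg --export-secret-keys` output (without `--armor`) to confirm which kind of key material a file holds before importing it into the other tool.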