Suggestions to Thunderbird users
PetRoh
petroh at safe-mail.net
Thu Feb 24 17:15:24 CET 2022
> I haven't tested this myself but from a quick check with someone who uses
> Thunderbird they couldn't verify this claim. Maybe this just happens on some
> versions? Either way I wouldn't assume it's intended behavior.

Other than an annoying inability to turn off "by default"
attachment of public key and signing each encrypted message,
I did not notice this behaviour.

Thunderbird is by far the best OpenPGP cross-platform
mail-client application around. However, my suggestion to
Thunderbird mail encryption users is to avoid any
"gnupg integration". In particular:

- If you really need to import some gnupg generated keys into
  Thunderbird, clean them of any WOT crud first and treat that
  as a one-way, one-time copy/transfer. A much better approach
  is to consider the public/private key pair as an e-mail
  address/application specific item, generated directly in,
  and used only by Thunderbird.
- Devise your own method of getting public keys into the hands of
  your correspondents and of their authentication and termination.
- Even if you use a mail attachment to initially send public key
  to a correspondent, remember to turn off default "attach key"
  for all subsequent messages. Likewise, do not sign messages by
  default, but only when there is a good reason to do so.
- If at all possible, do not depend on Thunderbird to protect
  your private key; instead, place your complete mail profile
  directory hierarchy in an encrypted container.

With the above, and due to its popularity, Thunderbird has a
reasonable chance to increase that minuscule fraction of
encrypted e-mails.