LibrePGP in Thunderbird, maybe treat it as optional
Kai Engert
kaie at kuix.de
Tue Feb 13 10:44:32 CET 2024
On 13.02.24 08:26, Bernhard Reiter via LibrePGP-discuss wrote:
> It is good if GnuPG were to be used as crypto backend
GnuPG cannot be used as Thunderbird's default crypto backend. Because
the licenses are incompatible, Thunderbird must not bundle GnuPG. But
Thunderbird (TB) wants an easy out-of-the-box experience, that's why it
needs a crypto backend with a compatible license that can be bundled.
That's why TB currently uses RNP.
> (though there is RNP which also plans to support v5 AFAIK).
At this time, RNP doesn't yet support smartcards. Also, we have users
who want to use private keys from GnuPG's software keyring.
If TB offers optional support for GnuPG anyway, then we already have a
way to (optionally) cover v5.
Because v5 is incompatible with the other parts of the ecosystem,
handling it needs to be treated separately anyway. And if we already
have a way to handle v5 separately (with GnuPG), then RNP's support for
v5 wouldn't be necessary.
> The important part is to integrate the pubkey management
> and the trust display into the user interface
> to make end to end cryptography usable.
Thunderbird already has that integrated.
But users shouldn't be required to learn that owning two separate
keypairs of different versions is necessary for being compatible with
any potential correspondent (who might be using a client that supports
only v5 keys or supports only v6 keys).
If Alice doesn't know which client Bob is using, and Alice wants to send
her public key to Bob (to enable Bob to send an encrypted reply), then
Alice shouldn't be required to send both a v5 key and a v6 key.
If Bob wants to verify Alice's fingerprint, then it should be obvious
which fingerprint Alice needs to give to Bob. She shouldn't have to
guess, and she shouldn't have to ask "which of my fingerprints do you
need?", and she shouldn't have to say "here is the list of my
fingerprints, please check if one of them matches".
If v5 and v6 keys are incompatible, then I want to limit TB's integrated
key management to one type of new key, only.
> Like that a search for the pubkey including trying WKD automatically if an
> email address is entered. And a display if for a recipient a pubkey is found
> and at which "confidence".
And the key returned by WKD should be in a format that all PGP email
clients can use easily, not just a subset of clients.
If the supporters of LibrePGP want to benefit from this convenience,
they could consider adopting the v6 key format, or work with the OpenPGP
IETF working group to define a common key format that's acceptable to
both groups.
Kai
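Added example, not part of Kai's message and not code from Thunderbird, RNP or GnuPG: the message describes a client looking up a correspondent's key via WKD when an e-mail address is entered, and then the question of which key version (v4, v5 or v6) comes back. The block below builds the WKD lookup URLs for an address following the Web Key Directory draft (SHA-1 of the lowercased local part, z-base-32 encoded) and inspects the first packet of a fetched binary key to report its Public-Key packet version, so a client can decide whether it supports that key before offering it to the user. No network access is performed; the key blobs are constructed, not real keys.

```python
import hashlib
import urllib.parse

# z-base-32 alphabet used by the Web Key Directory draft (draft-koch-openpgp-webkey-service)
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 (no padding characters)."""
    bits, nbits, out = 0, 0, []
    for byte in data:
        bits = ((bits << 8) | byte) & 0xFFFF  # keep only bits not yet consumed
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32_ALPHABET[(bits >> nbits) & 0x1F])
    if nbits:
        # trailing bits are zero-padded on the right to a full 5-bit group
        out.append(ZBASE32_ALPHABET[(bits << (5 - nbits)) & 0x1F])
    return "".join(out)


def wkd_local_part_hash(local_part: str) -> str:
    """SHA-1 of the lowercased local part, z-base-32 encoded (always 32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(email: str) -> dict:
    """Return the 'advanced' and 'direct' method lookup URLs for an address."""
    local_part, _, domain = email.rpartition("@")
    if not local_part or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    domain = domain.lower()
    h = wkd_local_part_hash(local_part)
    # the l= parameter carries the local part as the user typed it (case preserved)
    query = "?l=" + urllib.parse.quote(local_part, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}{query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}{query}",
    }


def public_key_version(binary_key: bytes) -> int:
    """Return the version octet of the leading Public-Key packet (tag 6).

    Handles both OpenPGP packet header encodings (RFC 4880 section 4.2).
    Only the header and the first body octet are inspected.
    """
    if len(binary_key) < 3:
        raise ValueError("too short to be an OpenPGP packet")
    first = binary_key[0]
    if not first & 0x80:
        raise ValueError("bit 7 clear: not a binary OpenPGP packet (ASCII-armored?)")
    if first & 0x40:
        # new format header: tag in the low 6 bits, then a 1/2/5-octet length
        tag = first & 0x3F
        length_octet = binary_key[1]
        if length_octet < 192:
            body_start = 2
        elif length_octet < 224:
            body_start = 3
        elif length_octet == 255:
            body_start = 6
        else:
            raise ValueError("partial body length is not valid for a key packet")
    else:
        # old format header: tag in bits 5..2, length type in bits 1..0
        tag = (first >> 2) & 0x0F
        length_type = first & 0x03
        if length_type == 3:
            raise ValueError("indeterminate length is not valid for a key packet")
        body_start = 1 + (1 << length_type)
    if tag != 6:
        raise ValueError(f"first packet has tag {tag}, not a Public-Key packet")
    if len(binary_key) <= body_start:
        raise ValueError("packet header without body")
    return binary_key[body_start]


# Constructed key-packet stubs (header plus version octet and a few zero bytes), not real keys.
V4_STUB = bytes([0x99, 0x00, 0x05, 0x04, 0, 0, 0, 0])  # old-format tag 6, two-octet length
V5_STUB = bytes([0xC6, 0x05, 0x05, 0, 0, 0, 0])        # new-format tag 6, one-octet length
V6_STUB = bytes([0xC6, 0x05, 0x06, 0, 0, 0, 0])


if __name__ == "__main__":
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name:8s} {url}")
    for stub in (V4_STUB, V5_STUB, V6_STUB):
        print("key packet version:", public_key_version(stub))
```

A client that fetched a key this way can use the version octet to tell a v4 or v6 key it handles from a v5 key it does not, and report that to the user instead of silently failing on the key.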