Re: Future OpenPGP Support in Thunderbird

2019-10-21 Thread Vincent Breitmoser via Gnupg-users
> Werner's implementation has an excellent reputation, and it's the only one > I personally trust completely. You state this so matter-of-factly, I feel compelled to point out that among cryptographers, libgcrypt's reputation is not all that great...

Re: Future OpenPGP Support in Thunderbird

2019-10-21 Thread Robert J. Hansen
>> GnuPG has steadfastly refused to create an OpenPGP library programmers >> can use directly, > > I was under the impression that gpgme is just such a library. It is not. Under the hood, GPGME works by launching an entirely new process and directing it via interprocess communication.

Re: Future OpenPGP Support in Thunderbird

2019-10-21 Thread Robert J. Hansen
> Actually, the Enigmail / GnuPG duo is one of the best examples of how > different software parts could work together, thus increasing the > prevalence of both parts by magnitudes, pushing a technique which the > world really needs, and making it usable for the masses. Enigmail / > GnuPG is by

Re: Future OpenPGP Support in Thunderbird

2019-10-21 Thread Binarus
On 19.10.2019 17:20, Patrick Brunschwig wrote: > >> Why not stick with that and focus on what has made Enigmail >> successful? > What is the reason in your eyes that made Enigmail successful? > It is the ingenious mixture of integration / ease-of-use on one hand (setting it up (normally) is

Re: Future OpenPGP Support in Thunderbird

2019-10-20 Thread Jeff Allen via Gnupg-users
On Sat, 2019-10-19 at 17:20 +0200, Patrick Brunschwig wrote: > Jeff Allen via Gnupg-users wrote on 18.10.2019 16:02: > [...] > > My take on your original explanation of the reason for Enigmail's > > pending demise is that a changed Thunderbird plug-in scheme makes > > it > > more efficient to

Re: Future OpenPGP Support in Thunderbird

2019-10-19 Thread Patrick Brunschwig
Jeff Allen via Gnupg-users wrote on 18.10.2019 16:02: [...] > My take on your original explanation of the reason for Enigmail's > pending demise is that a changed Thunderbird plug-in scheme makes it > more efficient to build Enigmail functionality into the MUA. That's only the 2nd half of the

Re: Future OpenPGP Support in Thunderbird

2019-10-18 Thread Jeff Allen via Gnupg-users
> which one). There are certainly good arguments for both. > I am a GnuPG user, not an expert and certainly not a developer, so you may take my suggestions with a grain of salt. Following this thread about future OpenPGP support in Thunderbird prompted me to begin trying other MUAs. Why? Beca

Re: Future OpenPGP Support in Thunderbird

2019-10-17 Thread Johan Wevers
On 16-10-2019 17:37, Binarus wrote: > - either in understanding the APIs and command line parameters of a > library / utility, and to keep up with changes, or > > - in re-inventing the wheel, which in this case for sure will cost much > more time and eventually produce catastrophic security

Re: Future OpenPGP Support in Thunderbird

2019-10-17 Thread Patrick Brunschwig
Binarus wrote on 16.10.2019 17:37: > > > On 16.10.2019 13:07, Patrick Brunschwig wrote: >> worry for me. The main problem is the additional complexity that it >> brings if you require an external component that you cannot *fully* >> control. This covers topics like different behavior of

Re: Future OpenPGP Support in Thunderbird

2019-10-16 Thread Binarus
On 16.10.2019 13:07, Patrick Brunschwig wrote: > worry for me. The main problem is the additional complexity that it > brings if you require an external component that you cannot *fully* > control. This covers topics like different behavior of different > versions, but also configuration

Re: Future OpenPGP Support in Thunderbird

2019-10-16 Thread Patrick Brunschwig
Werner Koch wrote on 16.10.2019 13:54: > On Wed, 16 Oct 2019 13:07, Patrick Brunschwig said: > >> something on their PC and more. Gpgme may handle some of these issues, >> but the fact remains: an external component makes things a lot more >> complex, especially for support. > > Right GPGME

Re: Future OpenPGP Support in Thunderbird

2019-10-16 Thread Werner Koch via Gnupg-users
On Wed, 16 Oct 2019 10:46, Martijn Brinkers said: > I actually spend a lot of time investigating the impact of EFAIL on > S/MIME and it's my opinion that the real impact has been overblown. In > all my experiments, and I can tell you I have done a lot of them, I have > not been able to force a

Re: Future OpenPGP Support in Thunderbird

2019-10-16 Thread Patrick Brunschwig
Binarus wrote on 16.10.2019 10:47: > > On 14.10.2019 16:15, Jeff Allen via Gnupg-users wrote: >>> I don't know either, but perhaps it is in the debug logs the Enigmail >>> team analyzes? >> >> I have used Enigmail since its inception and have never knowingly >> submitted a log or answered a

Re: Future OpenPGP Support in Thunderbird

2019-10-16 Thread Martijn Brinkers via Gnupg-users
> Efail-1 was what Werner is talking about here. It was a pretty bad > blow to S/MIME, but far less so to OpenPGP, since OpenPGP has had > countermeasures in place for almost twenty years. Efail-1's impact > on OpenPGP was, is, minimal. I actually spend a lot of time investigating the impact of

Re: Future OpenPGP Support in Thunderbird

2019-10-16 Thread Binarus
On 14.10.2019 16:15, Jeff Allen via Gnupg-users wrote: >> I don't know either, but perhaps it is in the debug logs the Enigmail >> team analyzes? > > I have used Enigmail since its inception and have never knowingly > submitted a log or answered a survey and have always assumed Enigmail > does

Re: Future OpenPGP Support in Thunderbird

2019-10-15 Thread Robert J. Hansen
> I'm confused. I thought the whole efail thing was about crafting a > plain text message that says "Good signature verified" and fools the > user even though it was never run through pgp or had its signature > verified with s/mime. I'd suggest reading the Efail paper. The vast majority of the

Re: Future OpenPGP Support in Thunderbird

2019-10-15 Thread Phillip Susi
Werner Koch writes: > authenticated encryption is different from signed and encrypted mails. > There are relative easy attacks on the encryption layer if standard > encryption modes like CBC (as in S/MIME) are used. Whether this really > affects users is a different question but they can be

Re: Future OpenPGP Support in Thunderbird

2019-10-15 Thread Kristian Fiskerstrand
On 14.10.2019 22:45, Werner Koch wrote: > On Mon, 14 Oct 2019 20:43, Kristian Fiskerstrand said: > >> was suggested by Kristian and Andre: talking to SCDaemon (scd) with IPC. >> Details need to be discussed, but it would be an optional solution, that > > Given that TB already has smartcard

Re: Future OpenPGP Support in Thunderbird

2019-10-14 Thread Robert J. Hansen
> I have used Enigmail since its inception and have never knowingly > submitted a log or answered a survey and have always assumed Enigmail > does not phone home. It does not. > Here we disagree. I believe that existing software is not that > difficult to use. The problem, if there is one, is

Re: Future OpenPGP Support in Thunderbird

2019-10-14 Thread Werner Koch via Gnupg-users
On Mon, 14 Oct 2019 20:43, Kristian Fiskerstrand said: > was suggested by Kristian and Andre: talking to SCDaemon (scd) with IPC. > Details need to be discussed, but it would be an optional solution, that Given that TB already has smartcard support it would be easy if the new code just makes use

Re: Future OpenPGP Support in Thunderbird

2019-10-14 Thread Kristian Fiskerstrand
On 14.10.2019 18:54, Juergen Bruckner via Gnupg-users wrote: > Hello to all, > > well it's a good thing, that openPGP shall be included to TB directly. > > But ... as the Mozilla wiki [1] states in the FAQ-Section the following: > > > Q: Will OpenPGP cards be supported for private key storage

Re: Future OpenPGP Support in Thunderbird

2019-10-14 Thread Juergen Bruckner via Gnupg-users
Hello to all, well it's a good thing, that openPGP shall be included to TB directly. But ... as the Mozilla wiki [1] states in the FAQ-Section the following: Q: Will OpenPGP cards be supported for private key storage ? A: Probably not, because we don't use the GnuPG software that's usually

Re: Future OpenPGP Support in Thunderbird

2019-10-14 Thread Werner Koch via Gnupg-users
On Mon, 14 Oct 2019 10:54, Phillip Susi said: >> encryption protocol is S/MIME and the last time I checked S/MIME (well, >> CMS for the nitpickers) does not support any kind of authenticated >> encryption. In contrast OpenPGP provides this nearly for 2 decades. > > What do you mean? S/MIME

Re: Future OpenPGP Support in Thunderbird

2019-10-14 Thread Phillip Susi
Werner Koch via Gnupg-users writes: > Still, TB is still subject to those attacks because their primary > encryption protocol is S/MIME and the last time I checked S/MIME (well, > CMS for the nitpickers) does not support any kind of authenticated > encryption. In contrast OpenPGP provides

Re: Future OpenPGP Support in Thunderbird

2019-10-14 Thread Jeff Allen via Gnupg-users
On 10/14/19 3:40 AM, Binarus wrote: > > On 13.10.2019 22:27, Jeff Allen via Gnupg-users wrote: >> On 10/13/19 2:21 AM, Patrick Brunschwig wrote: >>> The vast majority of users of Enigmail (somewhere around 98%) don't use >>> external built keys. >> >> How do you know this? >> > > I don't know

Re: Future OpenPGP Support in Thunderbird

2019-10-14 Thread Binarus
On 14.10.2019 09:17, Patrick Brunschwig wrote: > Binarus wrote on 13.10.2019 18:27: > [...] >> 1) The schedule >> >> We have all been educated to update our applications (notably, "internet >> applications" like browser and email clients) as soon as updates are >> available; at least, this is

Re: Future OpenPGP Support in Thunderbird

2019-10-14 Thread Binarus
On 13.10.2019 22:27, Jeff Allen via Gnupg-users wrote: > On 10/13/19 2:21 AM, Patrick Brunschwig wrote: >> The vast majority of users of Enigmail (somewhere around 98%) don't use >> external built keys. > > How do you know this? > I don't know either, but perhaps it is in the debug logs the

Re: Future OpenPGP Support in Thunderbird

2019-10-14 Thread Patrick Brunschwig
Binarus wrote on 13.10.2019 18:27: [...] > 1) The schedule > > We have all been educated to update our applications (notably, "internet > applications" like browser and email clients) as soon as updates are > available; at least, this is true for security updates. > > Despite release plans, I

Re: Future OpenPGP Support in Thunderbird

2019-10-13 Thread Jeff Allen via Gnupg-users
On 10/13/19 2:21 AM, Patrick Brunschwig wrote: > The vast majority of users of Enigmail (somewhere around 98%) don't use > external built keys. How do you know this? > The vast majority of users also don't use GnuPG for > anything else than email. These users don't care where their key is >

Re: Future OpenPGP Support in Thunderbird

2019-10-13 Thread Binarus
On 13.10.2019 18:51, Werner Koch wrote: > On Sun, 13 Oct 2019 18:27, Binarus said: > >> keys' IDs were formally wrong so that key servers didn't accept the >> keys. The easiest possible solution was to re-generate these keys using > > For the records: Not /keyservers/ but one specific

Re: Future OpenPGP Support in Thunderbird

2019-10-13 Thread Werner Koch via Gnupg-users
On Sun, 13 Oct 2019 18:27, Binarus said: > keys' IDs were formally wrong so that key servers didn't accept the > keys. The easiest possible solution was to re-generate these keys using For the records: Not /keyservers/ but one specific keyserver which runs on a not yet matured enough code base

Re: Future OpenPGP Support in Thunderbird

2019-10-13 Thread Binarus
On 08.10.2019 09:08, Patrick Brunschwig wrote: > The Thunderbird developers have announced that they will implement > OpenPGP support in Thunderbird 78 [1]. Support for Thunderbird in > Enigmail will therefore be discontinued. > > [Snip] > > I will continue to support and maintain Enigmail for

Re: Future OpenPGP Support in Thunderbird

2019-10-13 Thread Patrick Brunschwig
Werner Koch via Gnupg-users wrote on 13.10.2019 11:56: > On Sat, 12 Oct 2019 12:43, Chris Narkiewicz said: > >> Do you know why they resisted OpenPGP adoption so much? > > iirc, they said that they want to support only one protocol and settled > for S/MIME. This still did not explain why they

Re: Future OpenPGP Support in Thunderbird

2019-10-13 Thread Werner Koch via Gnupg-users
On Sat, 12 Oct 2019 12:43, Chris Narkiewicz said: > Do you know why they resisted OpenPGP adoption so much? iirc, they said that they want to support only one protocol and settled for S/MIME. This still did not explain why they rejected our proposal to clean up their S/MIME code and implement

Re: Future OpenPGP Support in Thunderbird

2019-10-13 Thread Jan-Peter Rühmann
By the way, this goes for the vast majority of people that drive, heat, etc. by oil and gas as well. On 2019-10-13 at 08:21, Patrick Brunschwig wrote: BruderB wrote on 12.10.2019 10:43: Hi all, Am 12.10.19 um 08:23 schrieb

Re: Future OpenPGP Support in Thunderbird

2019-10-13 Thread Patrick Brunschwig
BruderB wrote on 12.10.2019 10:43: > Hi all, > > On 12.10.19 at 08:23, Robert J. Hansen wrote: >> they're going to insist on running their own keyring internal to >> Thunderbird which isn't shared with anything else. (I imagine >> *importing* from a GnuPG keyring will be supported, but

Re: Future OpenPGP Support in Thunderbird

2019-10-12 Thread Damien Goutte-Gattat via Gnupg-users
On Sat, Oct 12, 2019 at 08:07:58AM -0400, Mark H. Wood wrote: Humph, I was already grumpy about Mozilla products' insistence on having their own insular X.509 store, meaning that I have to install certificates twice (once for Firefox, again for *everything else*.) Slightly off-topic for this

Re: Future OpenPGP Support in Thunderbird

2019-10-12 Thread Mark H. Wood via Gnupg-users
On Sat, Oct 12, 2019 at 10:13:59AM +0300, Teemu Likonen via Gnupg-users wrote: > Philipp Klaus Krause [2019-10-08T15:34:28+02] wrote: > > > It would be really nice, if Thunderbird could add an option to use the > > gpg key storage instead of its own, [...] > > I agree with that even though I

Re: Future OpenPGP Support in Thunderbird

2019-10-12 Thread Chris Narkiewicz via Gnupg-users
On 12/10/2019 12:14, Werner Koch via Gnupg-users wrote: > After 20 years of strong resistance against implementing OpenPGP [1], they > finally seem to do it. That is a good move. Do you know why they resisted OpenPGP adoption so much? Cheers, Chris

Re: Future OpenPGP Support in Thunderbird

2019-10-12 Thread Werner Koch via Gnupg-users
On Fri, 11 Oct 2019 21:48, qwrd said: > Storing private keys on a smartcard is a noteworthy security > enhancement, and I would like to see smartcard support being available > in Thunderbird. Either via GnuPG or some other mechanism. Take a Yubikey or an OpenPGP smartcard, install Scute (pkcs#11

Re: Future OpenPGP Support in Thunderbird

2019-10-12 Thread Werner Koch via Gnupg-users
On Sat, 12 Oct 2019 02:23, Robert J. Hansen said: > on Enigmail was very real. It was created by an ambiguity in how GnuPG > returns error states: just because GnuPG says "decryption OK" doesn't Nope. They did not read the documentation and did not check error codes. We suggest for a reason

Re: Future OpenPGP Support in Thunderbird

2019-10-12 Thread Werner Koch via Gnupg-users
On Fri, 11 Oct 2019 20:18, Philipp Klaus Krause said: > They don't want users to require to install gpg first. And they don't > want to ship gpg with Windows installers, since it isn't MPL. The latter is just plain bullshit. There are even many proprietary products which bundle gpg or other GPL

Re: Future OpenPGP Support in Thunderbird

2019-10-12 Thread BruderB
Hi all, On 12.10.19 at 08:23, Robert J. Hansen wrote: > they're going to insist on running their own keyring internal to > Thunderbird which isn't shared with anything else. (I imagine > *importing* from a GnuPG keyring will be supported, but *sharing* a > keyring is right out.) _They_ can

Re: Future OpenPGP Support in Thunderbird

2019-10-12 Thread Jan-Peter Rühmann
Which complexity? Creating the key is the only thing that the normal user has to do. That is possible via a menu entry. I don't see the problem. On 2019-10-11 at 21:49, Chris Narkiewicz via Gnupg-users wrote: On 09/10/2019

Re: Future OpenPGP Support in Thunderbird

2019-10-12 Thread Robert J. Hansen
> PGP and GnuPG and the related communities have tried really hard to > build a system based on person's long-term identity keys. All that web > of trust thing relies on keys that are used relatively long time. But as > we know this doesn't work for most people. People are really bad at >

Re: Future OpenPGP Support in Thunderbird

2019-10-12 Thread Teemu Likonen via Gnupg-users
Philipp Klaus Krause [2019-10-08T15:34:28+02] wrote: > It would be really nice, if Thunderbird could add an option to use the > gpg key storage instead of its own, [...] I agree with that even though I have never really used Thunderbird. But using a custom key storage and implementation (or do

Re: Future OpenPGP Support in Thunderbird

2019-10-12 Thread Robert J. Hansen
> Why the heck don't they just run gpg the way enigmail did? Three major reasons: 1. License incompatibility. GnuPG is GPLv3, and Mozilla uses the Mozilla Public License. They're not compatible. Arguably (and I believe _correctly_) distributing GnuPG with Moz wouldn't be a dealbreaker, as

Re: Future OpenPGP Support in Thunderbird

2019-10-11 Thread qwrd
> >> On 9 Oct 2019, at 04:47, Philipp Klaus Krause wrote: >> >> It would be really nice, if Thunderbird could add an option to use the >> gpg key storage instead of its own, but so far the developers want to >> always keep the Thunderbird key storage separately (though they are >> considering

Re: Future OpenPGP Support in Thunderbird

2019-10-11 Thread Philipp Klaus Krause
On 11.10.19 at 20:15, Phillip Susi wrote: > Why the heck don't they just run gpg the way enigmail did? > They don't want users to require to install gpg first. And they don't want to ship gpg with Windows installers, since it isn't MPL. Philipp

Re: Future OpenPGP Support in Thunderbird

2019-10-11 Thread Chris Narkiewicz via Gnupg-users
On 09/10/2019 08:06, Tony Lane via Gnupg-users wrote: > It doesn't do that? Why would they choose to tightly couple TB with > OpenPGP? If I have to maintain two key databases, that's a dealbreaker for me. Dealing with GnuPG complexity is a deal breaker for ordinary users, preventing adoption. You

Re: Future OpenPGP Support in Thunderbird

2019-10-11 Thread Chris Narkiewicz via Gnupg-users
On 11/10/2019 19:15, Phillip Susi wrote: > Why the heck don't they just run gpg the way enigmail did? They don't want to bundle GnuPG because of GnuPG licence: https://wiki.mozilla.org/Thunderbird:OpenPGP:2020#OpenPGP_engine Requiring user to set up GnuPG separately is out of question if they

Re: Future OpenPGP Support in Thunderbird

2019-10-11 Thread Phillip Susi
Philipp Klaus Krause writes: > While having OpenPGP support directly in Thunderbird is probably a good > thing, I found it convenient to just use the gpg keys for Email > encryption and signing (and conversely, being able to just use keys > imported via Enigmail to encrypt files using gpg). >

Re: Future OpenPGP Support in Thunderbird

2019-10-09 Thread Jan-Peter Rühmann
Hello, I think it is a good idea for such OSes as Windows or Mac that mainly depend on closed, completely integrated software. But for Linux/Unix and alike it goes against the main principles of that software. And I think it will disturb the

Re: Future OpenPGP Support in Thunderbird

2019-10-09 Thread Dmitry Alexandrov via Gnupg-users
Patrick Brunschwig wrote: > The Thunderbird developers have announced that they will implement OpenPGP > support in Thunderbird 78 [1]. A long awaited news indeed! > Support for Thunderbird in Enigmail will therefore be discontinued. Pity, but I hope it will be better that way. In particular

Re: [Enigmail] Future OpenPGP Support in Thunderbird

2019-10-09 Thread Dmitry Alexandrov via Gnupg-users
"Hernâni Marques (p≡p foundation)" wrote: > On 08.10.19 18:37, Dmitry Alexandrov wrote: > >> Pity, but I hope it will be better that way. In particular I hope, that >> Mozilla will not follow your example and won’t entice users to proprietary >> isolated keyserver [0] instead of distributed

Re: [Enigmail] Future OpenPGP Support in Thunderbird

2019-10-09 Thread p≡p foundation
On 08.10.19 18:37, Dmitry Alexandrov wrote: > Pity, but I hope it will be better that way. In particular I hope, that > Mozilla will not follow your example and won’t entice users to proprietary > isolated keyserver [0] instead of distributed SKS network thus splitting the > keybase. And

Re: Future OpenPGP Support in Thunderbird

2019-10-09 Thread André Colomb
Hi Patrick, >The Thunderbird developers and I have therefore agreed that it's much >better to implement OpenPGP support directly in Thunderbird. The set of >functionalities will be different than what Enigmail offers, and at >least initially likely be less feature-rich. But in my eyes, this is

Re: Future OpenPGP Support in Thunderbird

2019-10-09 Thread Tony Lane via Gnupg-users
On 10/8/19 9:34 AM, Philipp Klaus Krause wrote: > It would be really nice, if Thunderbird could add an option to use the > gpg key storage instead of its own, but so far the developers want to > always keep the Thunderbird key storage separately

Re: Future OpenPGP Support in Thunderbird

2019-10-09 Thread Andrew Gallagher
> On 9 Oct 2019, at 04:47, Philipp Klaus Krause wrote: > > It would be really nice, if Thunderbird could add an option to use the > gpg key storage instead of its own, but so far the developers want to > always keep the Thunderbird key storage separately (though they are > considering

Re: Future OpenPGP Support in Thunderbird

2019-10-08 Thread Philipp Klaus Krause
While having OpenPGP support directly in Thunderbird is probably a good thing, I found it convenient to just use the gpg keys for Email encryption and signing (and conversely, being able to just use keys imported via Enigmail to encrypt files using gpg). It would be really nice, if Thunderbird

Re: Future OpenPGP Support in Thunderbird

2019-10-08 Thread Stefan Claas via Gnupg-users
Patrick Brunschwig wrote: > The Thunderbird developers have announced that they will implement > OpenPGP support in Thunderbird 78 [1]. Support for Thunderbird in > Enigmail will therefore be discontinued. [snip] > The Thunderbird developers and I have therefore agreed that it's much > better

Future OpenPGP Support in Thunderbird

2019-10-08 Thread Patrick Brunschwig
The Thunderbird developers have announced that they will implement OpenPGP support in Thunderbird 78 [1]. Support for Thunderbird in Enigmail will therefore be discontinued. I'd like to explain in the following paragraphs what this will mean for Enigmail, and why this is an inevitable step. The