Re: Certified OpenPGP-encryption after release of Thunderbird 78
On 31.05.2020 at 12:35, Patrick Brunschwig wrote:
> Andreas Boehlk Computer-Service wrote on 31.05.2020 11:09:
>> Hello Patrick,
>>
>>
>> On 31.05.2020 at 10:01, Patrick Brunschwig wrote:
>>> Mark wrote on 31.05.2020 01:28:
>>>> Doesn't TB also need your secret keys to decrypt messages?
>>>
>>> With smartcard support via GnuPG, all secret key operations are handled
>>> by GnuPG, and all public key operations are handled by TB (Note: the
>>> standard case, without smartcard support, will be that all keys are in
>>> Thunderbird).
>>>
>>> The use-cases are clearly distinct:
>>> - encryption: you only need public keys
>>> - decryption: you only need secret keys
>>> - signing: you only need secret keys
>>> - verification: you only need public keys
>>>
>> The standard user will not be able to work with that "solution".
>> Compared to the "enigmail-solution" this is the hell and bound to fail.
>
> Let's first define Standard users. The majority of users who use
> smartcards that *I* know are expert or power users. They can handle this.
>
> The "Standard users" I have in mind don't use GnuPG for anything else
> than encrypting mails, and they don't use smartcards either. They won't
> have this issue in any way.
>
>>>> Also what if you need your public keys outside of TB such as encrypting
>>>> a file?
>>>
>>> That's not supported by Thunderbird. The idea of OpenPGP in Thunderbird
>>> is that you use it for email.
>>>
>> That is correct, but nevertheless it is mandatory to have and use a
>> single key-store.
>
> For which use-case precisely? If you only use OpenPGP for emails (and
> given the users I know who had support cases in the past, this is true
> for the majority of the Enigmail users), then this is irrelevant.
>
The use cases are clear and I myself and some of my clients use them.
And when I speak from my point of view it is enough work to take care of
one key store and I personally do not want to have a second one; and
this second one has to be synchronized on every single endpoint as well.
That is twice the work.

> To be quite clear: Thunderbird will not support GnuPG for scenarios
> other than handling secret keys. And that's only because the OpenPGP
> library they use can't handle smartcards yet. Once the library will
> support smartcards, I expect that GnuPG support will be removed entirely.
>
From then on PGP and the second key store will be mandatory for the
purpose of signing and decrypting.

> Note: I'm not a Thunderbird developer and I don't drive Thunderbird
> decisions -- this is simply my expectation of what will happen.
>
Yes, I got that of course. It is just my lack of understanding TB's
decision to not try to adapt a running system in a proper way.

> -Patrick
>
Andreas

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Certified OpenPGP-encryption after release of Thunderbird 78
Hello Patrick,

> Let's first define Standard users. The majority of users who use
> smartcards that *I* know are expert or power users. They can handle this.
>
> The "Standard users" I have in mind don't use GnuPG for anything else
> than encrypting mails, and they don't use smartcards either. They won't
> have this issue in any way.

I'm sorry but I have to contradict you in that topic.
I found out that more 'standard users' than I thought are using
Smartcards or Tokens like Nitrokey or Yubikey (or anything similar).
It is requested in security/gpg workshops more and more, and in the last
3 or 4 workshops I've held, each of the 15 participants already had a
Smartcard or Token and wanted to know how to use them.

So I think this is not just a topic for 'professional or power users'
but also for so called standard users.

best regards from Austria
Juergen
--
Juergen M. Bruckner
Re: Certified OpenPGP-encryption after release of Thunderbird 78
On Sun, 31 May 2020 12:35, Patrick Brunschwig said:

> Let's first define Standard users. The majority of users who use
> smartcards that *I* know are expert or power users. They can handle this.

I have a different experience here and we are actually promoting the use
of smartcards because they better protect your private key and it is
easy to explain why users need to take care of their card than of a
bunch of files in the GnuPG home directory.

> The "Standard users" I have in mind don't use GnuPG for anything else
> than encrypting mails, and they don't use smartcards either. They won't
> have this issue in any way.

The standard user clicks right on a file icon, encrypts the file, and
sends it as attachment using his MUA. That is an easy to teach and
understand workflow and does not require any special MUA. Well, Outlook
users are more and more using the well integrated support we provide in
Gpg4win.


Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: Certified OpenPGP-encryption after release of Thunderbird 78
On Sun, 31 May 2020 11:10, David Flory said:

> How does one identify a v3 key?

By trying to import it with gpg; you should get a hint that v3 keys are
not anymore supported.


Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
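Added example, not part of Werner's reply or of GnuPG: besides attempting the import, the key version can be read straight from the key file, because the first octet of every OpenPGP key packet body is its version (RFC 4880, sections 4.2 and 5.5.2; versions 2 and 3 share the legacy layout). The sample packets below are constructed toy data, and the helper names are this example's own.

```python
import base64

# Packet tags that carry key material (RFC 4880, section 4.3).
KEY_TAGS = {5: "secret key", 6: "public key", 7: "secret subkey", 14: "public subkey"}

def dearmor(data: bytes) -> bytes:
    """Return the binary packet stream, removing ASCII armor if present."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    lines = [line.strip() for line in data.strip().splitlines()]
    start = lines.index(b"") + 1 if b"" in lines else 1  # skip armor headers
    body = []
    for line in lines[start:]:
        if line.startswith(b"-----END") or line.startswith(b"="):  # end or CRC24 line
            break
        body.append(line)
    return base64.b64decode(b"".join(body))

def read_packets(buf: bytes):
    """Yield (tag, body) for each packet; handles old and new header formats."""
    pos = 0
    while pos < len(buf):
        hdr = buf[pos]
        pos += 1
        if not hdr & 0x80:
            raise ValueError("bit 7 clear: not an OpenPGP packet header")
        try:
            if hdr & 0x40:                      # new format: tag in bits 5-0
                tag, first = hdr & 0x3F, buf[pos]
                if first < 192:
                    length, pos = first, pos + 1
                elif first < 224:
                    length, pos = ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
                elif first == 255:
                    length, pos = int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5
                else:
                    raise ValueError("partial body length: not valid for key packets")
            else:                               # old format: tag in bits 5-2
                tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
                if ltype == 3:                  # indeterminate: runs to end of data
                    length = len(buf) - pos
                else:
                    n = 1 << ltype              # 1, 2 or 4 length octets
                    length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        except IndexError:
            raise ValueError("truncated packet header") from None
        body = buf[pos:pos + length]
        if len(body) < length:
            raise ValueError("truncated packet body")
        yield tag, body
        pos += length

def key_versions(data: bytes):
    """List (packet kind, version octet) for every key packet in the data."""
    return [(KEY_TAGS[tag], body[0])
            for tag, body in read_packets(dearmor(data))
            if tag in KEY_TAGS and body]

def legacy_keys(data: bytes):
    """Key packets with version 2 or 3, the format the thread calls v3 keys."""
    return [kv for kv in key_versions(data) if kv[1] in (2, 3)]

# --- constructed sample data: toy numbers, not usable keys ---
def mpi(value: int) -> bytes:
    bits = value.bit_length()
    return bits.to_bytes(2, "big") + value.to_bytes((bits + 7) // 8, "big")

def old_packet(tag: int, body: bytes) -> bytes:      # old header, 2-octet length
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body

def new_packet(tag: int, body: bytes) -> bytes:      # new header, 1-octet length
    return bytes([0xC0 | tag, len(body)]) + body

RSA = 1
# v3 layout: version, creation time (4), validity in days (2), algorithm, MPIs
V3_BODY = bytes([3]) + bytes(4) + bytes(2) + bytes([RSA]) + mpi(0xC5D1) + mpi(0x11)
# v4 layout: version, creation time (4), algorithm, MPIs
V4_BODY = bytes([4]) + bytes(4) + bytes([RSA]) + mpi(0xC5D1) + mpi(0x010001)
SAMPLE = (old_packet(6, V3_BODY) + old_packet(13, b"v3 sample <v3@example.invalid>")
          + new_packet(6, V4_BODY) + new_packet(14, V4_BODY))
ARMORED = (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed\n\n"
           + base64.encodebytes(SAMPLE) + b"-----END PGP PUBLIC KEY BLOCK-----\n")

if __name__ == "__main__":
    for kind, version in key_versions(ARMORED):
        note = "legacy v3 format" if version in (2, 3) else "current format"
        print(f"{kind}: v{version} ({note})")
```

Feeding it the bytes of an exported keyring lists one entry per key and subkey, so the handful of legacy keys in a large export can be spotted before importing it elsewhere.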
Re: Certified OpenPGP-encryption after release of Thunderbird 78
On Fri, 29 May 2020 14:43, karel-v_g--- said:

> But it's a pity that Thunderbird developed its own solution because of
> licensing issues while we have a proven working solution with GnuPG...

For the records: There is no licensing issue; it is just a Mozilla
policy issue not to use or depend on software which is not fully under
their policy control.

We have had long discussions with them more than 15 years ago with the
result: no OpenPGP support and no improvements to their (back then) not
very well working S/MIME code. This decision forced us to implement
S/MIME in GnuPG and is also one of the reasons why Patrick does not use
GPGME as interface to GnuPG, despite that it is a well tested,
maintained, and widely used (think Windows) interface to GnuPG.


Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: Certified OpenPGP-encryption after release of Thunderbird 78
Patrick Brunschwig writes:
> Andreas Boehlk Computer-Service wrote on 31.05.2020 11:09:
> ...
>>>> Also what if you need your public keys outside of TB such as encrypting
>>>> a file?
>>>
>>> That's not supported by Thunderbird. The idea of OpenPGP
>>> in Thunderbird is that you use it for email.
>>>
>> That is correct, but nevertheless it is mandatory to have
>> and use a single key-store.
>
> For which use-case precisely? If you only use OpenPGP for emails
> (and given the users I know who had support cases in the past,
> this is true for the majority of the Enigmail users), then
> this is irrelevant.
>
> To be quite clear: Thunderbird will not support GnuPG for scenarios
> other than handling secret keys. And that's only because the
> OpenPGP library they use can't handle smartcards yet. Once
> the library will support smartcards, I expect that GnuPG support
> will be removed entirely.

Just out of curiosity, but knowing that this is not relevant to
standard users.

As encrypted mails cannot easily be malware scanned and even if
they were might contain really hard-to-detect social engineering
attacks, therefore systems running mail software are at a higher.
Hence to avoid full system compromise, running mail software in
virtual machines.

With Enigmail I used some simple tool [0] to act instead of gnupg,
intercept all calls to forward them over network and then filter
all requests via whitelists before passing the real requests to
gnupg. Thus no private keys were available on the risky desktop
system (same as with smartcards), the desktop system had never
full access to the private key (each whitelisted sign/encrypt
operation had also to be reviewed and confirmed outside the
virtual machine) and thus even full system compromise on root
level would not compromise the keys the same way as a directly
attached smart-card could be (pin stolen on desktop system or
card used by Mallory while being unlocked).

With smartcard support fully built into TB, which method for
external filtering would you deem most appropriate? Have a
custom virtual-smartcard library, that forwards the requests
over network? Have a virtual-smartcard reader device attached
to the virtual machine, that intercepts requests and forwards
them to a real smartcard reader?

hd

[0] https://www.halfdog.net/Projects/CryptoTools/RemoteGnupg/ (outdated!)
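The allowlist filtering hd describes, as an added sketch that is not RemoteGnupg's code (its request format is not shown in this thread): a gate on the key-holding host that receives a proposed gpg argument list from the mail VM, passes only exact-match decrypt and sign requests, and asks an operator before forwarding. The policy contents, the function names and the fingerprint are assumptions made for the example.

```python
from typing import Callable, List, Tuple

# Assumed policy: only these gpg commands may be requested by the mail VM.
COMMANDS = {"--decrypt", "--sign", "--detach-sign"}
# Options without a value that are harmless for those commands.
FLAGS = {"--batch", "--no-tty", "--armor"}
# Constructed fingerprint standing in for the one key the VM may sign with.
SIGNING_KEYS = {"0123456789ABCDEF0123456789ABCDEF01234567"}
# Options that take a value, each with a validator for that value.
VALUE_CHECKS = {
    "--local-user": lambda v: v.upper() in SIGNING_KEYS,
    "--status-fd": lambda v: v in {"1", "2"},
    "--digest-algo": lambda v: v.upper() in {"SHA256", "SHA512"},
}

def check_request(argv: List[str]) -> Tuple[bool, str]:
    """Validate a proposed gpg argument list against the allowlist.

    Matching is exact on purpose: gpg accepts abbreviated long options,
    short options and --opt=value spellings, and a filter that tried to
    recognise dangerous ones would miss variants. Anything not listed
    verbatim is refused, so the check fails closed.
    """
    command = None
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in COMMANDS:
            if command is not None:
                return False, "more than one command"
            command = arg
        elif arg in FLAGS:
            pass
        elif arg in VALUE_CHECKS:
            if i + 1 >= len(argv):
                return False, f"{arg} lacks a value"
            if not VALUE_CHECKS[arg](argv[i + 1]):
                return False, f"value not allowed for {arg}"
            i += 1                      # skip the validated value
        elif arg.startswith("-"):
            return False, f"option not on allowlist: {arg}"
        else:
            # File names would be opened on the key host, so data must
            # arrive on stdin instead of as a path.
            return False, "file arguments are refused"
        i += 1
    if command is None:
        return False, "no command"
    return True, command

def gate(argv: List[str], confirm: Callable[[str, List[str]], bool]) -> Tuple[bool, str]:
    """Allowlist check followed by confirmation outside the mail VM."""
    ok, detail = check_request(argv)
    if not ok:
        return False, "rejected: " + detail
    if not confirm(detail, argv):
        return False, "rejected: operator declined"
    return True, "forward to gpg: " + detail

# Constructed requests, as they might arrive from the mail VM.
REQUESTS = [
    ["--batch", "--status-fd", "2", "--decrypt"],
    ["--batch", "--armor", "--local-user",
     "0123456789abcdef0123456789abcdef01234567", "--detach-sign"],
    ["--export-secret-keys"],
    ["--export-secret-k"],              # abbreviation: still not a listed string
    ["--decrypt", "notes.txt"],
    ["--local-user", "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", "--sign"],
]

if __name__ == "__main__":
    for request in REQUESTS:
        print(gate(request, confirm=lambda command, argv: True), request)
```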
Re: Certified OpenPGP-encryption after release of Thunderbird 78
So for all of us that don't use a smart card to store our keys, they are
stored in TB? What if we also have need for that key outside of email
such as signing or decrypting files? We still need that key in GNUPG as
well. If we change the key at all then we have to make sure it has been
updated in both areas??

I could see a similar situation could develop with the public keys where
the ones stored in TB are not in sync with the ones stored in GNUPG.
What happens with keys that are obtained from websites for places like
Apple, Microsoft, etc that are not being directly imported from an email?

Maybe I am overthinking it or just missing something but I see potential
problems with this. If they are not using the same data (key rings) or
in constant synchronization, the "wrong key" could be used. Hopefully
they have a way to address this.

On 5/31/2020 1:01 AM, Patrick Brunschwig wrote:
> Mark wrote on 31.05.2020 01:28:
>> Doesn't TB also need your secret keys to decrypt messages?
> With smartcard support via GnuPG, all secret key operations are handled
> by GnuPG, and all public key operations are handled by TB (Note: the
> standard case, without smartcard support, will be that all keys are in
> Thunderbird).
>
> The use-cases are clearly distinct:
> - encryption: you only need public keys
> - decryption: you only need secret keys
> - signing: you only need secret keys
> - verification: you only need public keys
>
>> Also what if you need your public keys outside of TB such as encrypting
>> a file?
> That's not supported by Thunderbird. The idea of OpenPGP in Thunderbird
> is that you use it for email.
>
>> The reason I'm asking is that awhile ago I posted about unknown files in
>> my GNUPG directory. PAPubring.gpg and PAsecring.gpg. I eventually found
>> out those are key rings used by a program I have called Power Archiver.
>> I'm not sure why it has its own set of keys, still awaiting an
>> explanation from support. If every app is not using the same pair of key
>> rings (and there is no synchronization between them) could that not lead
>> to problems?
> The only "problem" might be that you have different keys on different
> key rings. But this is not necessarily a problem - you use different
> keys for different purposes and you can import and export the keys
> between the tools if needed.
>
> -Patrick
>
>> On 5/30/2020 12:57 PM, Patrick Brunschwig wrote:
>>> Mark wrote on 30.05.2020 20:54:
>>>> So then do you have multiple pairs of key rings? One pair for TB78 and
>>>> its built in PGP and another pair as part of GNUPG?
>>> No exactly. You have your secret keys with GnuPG, and your public keys
>>> with Thunderbird. No synchronization required.
>>>
>>> -Patrick
>>>> If so how do you keep them synchronized?
>>>>
>>>> On 5/30/2020 9:17 AM, Patrick Brunschwig wrote:
>>>>> Robert J. Hansen wrote on 30.05.2020 01:07:
>>>>>>> If TB 78 is going to have native support of openGPG encryption, then the
>>>>>>> original person in the thread should be able to export all of the keys
>>>>>>> in their key rings, and import all of those keys into TB 78, or am I
>>>>>>> missing one of the gotchas with
>>>>>>> TB 78 and its openGPG encryption support.
>>>>>> You're missing the gotcha of "as of -Beta3, the new Thunderbird *cannot
>>>>>> even import a key*."
>>>>> I'm sorry, but that is simply not true. There is a known bug in the
>>>>> library used by Thunderbird (RNP) that leads to crashes when importing
>>>>> _certain_ keys. But I succeeded in importing all of my keys without any
>>>>> problems (more than 1.000), except for 5 V3-keys. I can definitely say
>>>>> that it's not just broken, and it can import keys.
>>>>>
>>>>>> I'm not kidding. It is so far from complete that Kai Englert, who leads
>>>>>> the TB78 OpenPGP effort, recently proposed postponing OpenPGP support in
>>>>>> TB until version 78.2, or about a three-month delay.
>>>>> Again, that's oversimplified. OpenPGP will not be enabled _by_ _default_
>>>>> but users may still enable it manually.
>>>>>
>>>>>> At present, as of -Beta3, TB78's OpenPGP support is badly broken.
>>>>> No, it's incomplete - work in progress. That's not quite the same.
>>>>>
>>>>> -Patrick
Re: Certified OpenPGP-encryption after release of Thunderbird 78
On 5/30/2020 10:17 AM, Patrick Brunschwig wrote:

[snip]

> I'm sorry, but that is simply not true. There is a known bug in the
> library used by Thunderbird (RNP) that leads to crashes when importing
> _certain_ keys. But I succeeded in importing all of my keys without any
> problems (more than 1.000), except for 5 V3-keys. I can definitely say
> that it's not just broken, and it can import keys.

[snip]

How does one identify a v3 key?

David
Re: Certified OpenPGP-encryption after release of Thunderbird 78
That is what I see happening too. When you start having multiple key
stores, which one contains the "correct" keys? I saw that happening in
just my very limited usage where another program has its own key rings...

On 5/31/2020 1:28 AM, Andreas Boehlk Computer-Service wrote:
> Hello Mark,
>
> I totally agree. It is not possible to have more than one key store.
> Synchronization always fails some time and the standard user cannot
> handle it. So the only solution for TB will be to use GNUPG, because it
> has the only key store for all platforms and has proved to work for
> years. That results in the only possible solution for TB to integrate
> the enigmail functionality into the code directly or live with the
> enigmail plug-in. All other solutions are defective by design from start.
>
> Andreas
Re: Certified OpenPGP-encryption after release of Thunderbird 78
Andreas Boehlk Computer-Service wrote on 31.05.2020 11:09:
> Hello Patrick,
>
>
> On 31.05.2020 at 10:01, Patrick Brunschwig wrote:
>> Mark wrote on 31.05.2020 01:28:
>>> Doesn't TB also need your secret keys to decrypt messages?
>>
>> With smartcard support via GnuPG, all secret key operations are handled
>> by GnuPG, and all public key operations are handled by TB (Note: the
>> standard case, without smartcard support, will be that all keys are in
>> Thunderbird).
>>
>> The use-cases are clearly distinct:
>> - encryption: you only need public keys
>> - decryption: you only need secret keys
>> - signing: you only need secret keys
>> - verification: you only need public keys
>>
> The standard user will not be able to work with that "solution".
> Compared to the "enigmail-solution" this is the hell and bound to fail.

Let's first define Standard users. The majority of users who use
smartcards that *I* know are expert or power users. They can handle this.

The "Standard users" I have in mind don't use GnuPG for anything else
than encrypting mails, and they don't use smartcards either. They won't
have this issue in any way.

>>> Also what if you need your public keys outside of TB such as encrypting
>>> a file?
>>
>> That's not supported by Thunderbird. The idea of OpenPGP in Thunderbird
>> is that you use it for email.
>>
> That is correct, but nevertheless it is mandatory to have and use a
> single key-store.

For which use-case precisely? If you only use OpenPGP for emails (and
given the users I know who had support cases in the past, this is true
for the majority of the Enigmail users), then this is irrelevant.

To be quite clear: Thunderbird will not support GnuPG for scenarios
other than handling secret keys. And that's only because the OpenPGP
library they use can't handle smartcards yet. Once the library will
support smartcards, I expect that GnuPG support will be removed entirely.

Note: I'm not a Thunderbird developer and I don't drive Thunderbird
decisions -- this is simply my expectation of what will happen.

-Patrick
Re: Certified OpenPGP-encryption after release of Thunderbird 78
Hello Mark,

I totally agree. It is not possible to have more than one key store.
Synchronization always fails some time and the standard user cannot
handle it. So the only solution for TB will be to use GNUPG, because it
has the only key store for all platforms and has proved to work for
years. That results in the only possible solution for TB to integrate
the enigmail functionality into the code directly or live with the
enigmail plug-in. All other solutions are defective by design from start.

Andreas

On 31.05.2020 at 01:28, Mark wrote:
> Doesn't TB also need your secret keys to decrypt messages?
>
> Also what if you need your public keys outside of TB such as encrypting
> a file?
>
> The reason I'm asking is that awhile ago I posted about unknown files in
> my GNUPG directory. PAPubring.gpg and PAsecring.gpg. I eventually found
> out those are key rings used by a program I have called Power Archiver.
> I'm not sure why it has its own set of keys, still awaiting an
> explanation from support. If every app is not using the same pair of key
> rings (and there is no synchronization between them) could that not lead
> to problems?
>
> Thanks
>
> On 5/30/2020 12:57 PM, Patrick Brunschwig wrote:
>> Mark wrote on 30.05.2020 20:54:
>>> So then do you have multiple pairs of key rings? One pair for TB78 and
>>> its built in PGP and another pair as part of GNUPG?
>> No exactly. You have your secret keys with GnuPG, and your public keys
>> with Thunderbird. No synchronization required.
>>
>> -Patrick
>>> If so how do you keep them synchronized?
>>>
>>> On 5/30/2020 9:17 AM, Patrick Brunschwig wrote:
>>>> Robert J. Hansen wrote on 30.05.2020 01:07:
>>>>>> If TB 78 is going to have native support of openGPG encryption, then the
>>>>>> original person in the thread should be able to export all of the keys
>>>>>> in their key rings, and import all of those keys into TB 78, or am I
>>>>>> missing one of the gotchas with
>>>>>> TB 78 and its openGPG encryption support.
>>>>> You're missing the gotcha of "as of -Beta3, the new Thunderbird *cannot
>>>>> even import a key*."
>>>> I'm sorry, but that is simply not true. There is a known bug in the
>>>> library used by Thunderbird (RNP) that leads to crashes when importing
>>>> _certain_ keys. But I succeeded in importing all of my keys without any
>>>> problems (more than 1.000), except for 5 V3-keys. I can definitely say
>>>> that it's not just broken, and it can import keys.
>>>>
>>>>> I'm not kidding. It is so far from complete that Kai Englert, who leads
>>>>> the TB78 OpenPGP effort, recently proposed postponing OpenPGP support in
>>>>> TB until version 78.2, or about a three-month delay.
>>>> Again, that's oversimplified. OpenPGP will not be enabled _by_ _default_
>>>> but users may still enable it manually.
>>>>
>>>>> At present, as of -Beta3, TB78's OpenPGP support is badly broken.
>>>> No, it's incomplete - work in progress. That's not quite the same.
>>>>
>>>> -Patrick
Re: Certified OpenPGP-encryption after release of Thunderbird 78
Hello Patrick,


On 31.05.2020 at 10:01, Patrick Brunschwig wrote:
> Mark wrote on 31.05.2020 01:28:
>> Doesn't TB also need your secret keys to decrypt messages?
>
> With smartcard support via GnuPG, all secret key operations are handled
> by GnuPG, and all public key operations are handled by TB (Note: the
> standard case, without smartcard support, will be that all keys are in
> Thunderbird).
>
> The use-cases are clearly distinct:
> - encryption: you only need public keys
> - decryption: you only need secret keys
> - signing: you only need secret keys
> - verification: you only need public keys
>
The standard user will not be able to work with that "solution".
Compared to the "enigmail-solution" this is the hell and bound to fail.

>> Also what if you need your public keys outside of TB such as encrypting
>> a file?
>
> That's not supported by Thunderbird. The idea of OpenPGP in Thunderbird
> is that you use it for email.
>
That is correct, but nevertheless it is mandatory to have and use a
single key-store.

>> The reason I'm asking is that awhile ago I posted about unknown files in
>> my GNUPG directory. PAPubring.gpg and PAsecring.gpg. I eventually found
>> out those are key rings used by a program I have called Power Archiver.
>> I'm not sure why it has its own set of keys, still awaiting an
>> explanation from support. If every app is not using the same pair of key
>> rings (and there is no synchronization between them) could that not lead
>> to problems?
>
> The only "problem" might be that you have different keys on different
> key rings. But this is not necessarily a problem - you use different
> keys for different purposes and you can import and export the keys
> between the tools if needed.
>
As I stated before: This is a real problem. Multiple keys-stores are not
manageable and this planned solution is much more complicated than the
current with enigmail. Therefore it is bound to be a non-starter.

> -Patrick
>
>> On 5/30/2020 12:57 PM, Patrick Brunschwig wrote:
>>> Mark wrote on 30.05.2020 20:54:
>>>> So then do you have multiple pairs of key rings? One pair for TB78 and
>>>> its built in PGP and another pair as part of GNUPG?
>>> No exactly. You have your secret keys with GnuPG, and your public keys
>>> with Thunderbird. No synchronization required.
>>>
>>> -Patrick
>>>> If so how do you keep them synchronized?
>>>>
>>>> On 5/30/2020 9:17 AM, Patrick Brunschwig wrote:
>>>>> Robert J. Hansen wrote on 30.05.2020 01:07:
>>>>>>> If TB 78 is going to have native support of openGPG encryption, then the
>>>>>>> original person in the thread should be able to export all of the keys
>>>>>>> in their key rings, and import all of those keys into TB 78, or am I
>>>>>>> missing one of the gotchas with
>>>>>>> TB 78 and its openGPG encryption support.
>>>>>> You're missing the gotcha of "as of -Beta3, the new Thunderbird *cannot
>>>>>> even import a key*."
>>>>> I'm sorry, but that is simply not true. There is a known bug in the
>>>>> library used by Thunderbird (RNP) that leads to crashes when importing
>>>>> _certain_ keys. But I succeeded in importing all of my keys without any
>>>>> problems (more than 1.000), except for 5 V3-keys. I can definitely say
>>>>> that it's not just broken, and it can import keys.
>>>>>
>>>>>> I'm not kidding. It is so far from complete that Kai Englert, who leads
>>>>>> the TB78 OpenPGP effort, recently proposed postponing OpenPGP support in
>>>>>> TB until version 78.2, or about a three-month delay.
>>>>> Again, that's oversimplified. OpenPGP will not be enabled _by_ _default_
>>>>> but users may still enable it manually.
>>>>>
>>>>>> At present, as of -Beta3, TB78's OpenPGP support is badly broken.
>>>>> No, it's incomplete - work in progress. That's not quite the same.
>>>>>
>>>>> -Patrick
Re: Certified OpenPGP-encryption after release of Thunderbird 78
Mark wrote on 31.05.2020 01:28:
> Doesn't TB also need your secret keys to decrypt messages?

With smartcard support via GnuPG, all secret key operations are handled
by GnuPG, and all public key operations are handled by TB (Note: the
standard case, without smartcard support, will be that all keys are in
Thunderbird).

The use-cases are clearly distinct:
- encryption: you only need public keys
- decryption: you only need secret keys
- signing: you only need secret keys
- verification: you only need public keys

> Also what if you need your public keys outside of TB such as encrypting
> a file?

That's not supported by Thunderbird. The idea of OpenPGP in Thunderbird
is that you use it for email.

> The reason I'm asking is that awhile ago I posted about unknown files in
> my GNUPG directory. PAPubring.gpg and PAsecring.gpg. I eventually found
> out those are key rings used by a program I have called Power Archiver.
> I'm not sure why it has its own set of keys, still awaiting an
> explanation from support. If every app is not using the same pair of key
> rings (and there is no synchronization between them) could that not lead
> to problems?

The only "problem" might be that you have different keys on different
key rings. But this is not necessarily a problem - you use different
keys for different purposes and you can import and export the keys
between the tools if needed.

-Patrick

> On 5/30/2020 12:57 PM, Patrick Brunschwig wrote:
>> Mark wrote on 30.05.2020 20:54:
>>> So then do you have multiple pairs of key rings? One pair for TB78 and
>>> its built in PGP and another pair as part of GNUPG?
>> No exactly. You have your secret keys with GnuPG, and your public keys
>> with Thunderbird. No synchronization required.
>>
>> -Patrick
>>> If so how do you keep them synchronized?
>>>
>>> On 5/30/2020 9:17 AM, Patrick Brunschwig wrote:
>>>> Robert J. Hansen wrote on 30.05.2020 01:07:
>>>>>> If TB 78 is going to have native support of openGPG encryption, then the
>>>>>> original person in the thread should be able to export all of the keys
>>>>>> in their key rings, and import all of those keys into TB 78, or am I
>>>>>> missing one of the gotchas with
>>>>>> TB 78 and its openGPG encryption support.
>>>>> You're missing the gotcha of "as of -Beta3, the new Thunderbird *cannot
>>>>> even import a key*."
>>>> I'm sorry, but that is simply not true. There is a known bug in the
>>>> library used by Thunderbird (RNP) that leads to crashes when importing
>>>> _certain_ keys. But I succeeded in importing all of my keys without any
>>>> problems (more than 1.000), except for 5 V3-keys. I can definitely say
>>>> that it's not just broken, and it can import keys.
>>>>
>>>>> I'm not kidding. It is so far from complete that Kai Englert, who leads
>>>>> the TB78 OpenPGP effort, recently proposed postponing OpenPGP support in
>>>>> TB until version 78.2, or about a three-month delay.
>>>> Again, that's oversimplified. OpenPGP will not be enabled _by_ _default_
>>>> but users may still enable it manually.
>>>>
>>>>> At present, as of -Beta3, TB78's OpenPGP support is badly broken.
>>>> No, it's incomplete - work in progress. That's not quite the same.
>>>>
>>>> -Patrick
Re: Certified OpenPGP-encryption after release of Thunderbird 78
Doesn't TB also need your secret keys to decrypt messages?

Also what if you need your public keys outside of TB such as encrypting
a file?

The reason I'm asking is that awhile ago I posted about unknown files in
my GNUPG directory. PAPubring.gpg and PAsecring.gpg. I eventually found
out those are key rings used by a program I have called Power Archiver.
I'm not sure why it has its own set of keys, still awaiting an
explanation from support. If every app is not using the same pair of key
rings (and there is no synchronization between them) could that not lead
to problems?

Thanks

On 5/30/2020 12:57 PM, Patrick Brunschwig wrote:
> Mark wrote on 30.05.2020 20:54:
>> So then do you have multiple pairs of key rings? One pair for TB78 and
>> its built in PGP and another pair as part of GNUPG?
> No exactly. You have your secret keys with GnuPG, and your public keys
> with Thunderbird. No synchronization required.
>
> -Patrick
>> If so how do you keep them synchronized?
>>
>> On 5/30/2020 9:17 AM, Patrick Brunschwig wrote:
>>> Robert J. Hansen wrote on 30.05.2020 01:07:
>>>>> If TB 78 is going to have native support of openGPG encryption, then the
>>>>> original person in the thread should be able to export all of the keys
>>>>> in their key rings, and import all of those keys into TB 78, or am I
>>>>> missing one of the gotchas with
>>>>> TB 78 and its openGPG encryption support.
>>>> You're missing the gotcha of "as of -Beta3, the new Thunderbird *cannot
>>>> even import a key*."
>>> I'm sorry, but that is simply not true. There is a known bug in the
>>> library used by Thunderbird (RNP) that leads to crashes when importing
>>> _certain_ keys. But I succeeded in importing all of my keys without any
>>> problems (more than 1.000), except for 5 V3-keys. I can definitely say
>>> that it's not just broken, and it can import keys.
>>>
>>>> I'm not kidding. It is so far from complete that Kai Englert, who leads
>>>> the TB78 OpenPGP effort, recently proposed postponing OpenPGP support in
>>>> TB until version 78.2, or about a three-month delay.
>>> Again, that's oversimplified. OpenPGP will not be enabled _by_ _default_
>>> but users may still enable it manually.
>>>
>>>> At present, as of -Beta3, TB78's OpenPGP support is badly broken.
>>> No, it's incomplete - work in progress. That's not quite the same.
>>>
>>> -Patrick
Re: Certified OpenPGP-encryption after release of Thunderbird 78
> I'm sorry, but that is simply not true. There is a known bug in the
> library used by Thunderbird (RNP) that leads to crashes when importing
> _certain_ keys. But I succeeded in importing all of my keys without any
> problems (more than 1.000), except for 5 V3-keys. I can definitely say
> that it's not just broken, and it can import keys.

I have yet to talk to anyone who's been able to import their keyring,
which is the absolute minimum use case. When it fails it does so silently.

If the minimum use case of "average users should be able to import their
keyrings" leads to RNP crashing, no keys being imported, and no error
message being generated, I have no problem calling key importation broken.

> Again, that's oversimplified. OpenPGP will not be enabled _by_ _default_
> but users may still enable it manually.

According to Kai's post on one of the TB mailing lists, he wants the
version in 78 to be a technology preview, hidden from the user, and only
accessible to power users. I don't consider that to be shipping it for 78.
Re: Certified OpenPGP-encryption after release of Thunderbird 78
Mark wrote on 30.05.2020 20:54:
> So then do you have multiple pairs of key rings? One pair for TB78 and
> its built in PGP and another pair as part of GNUPG?

Not exactly. You have your secret keys with GnuPG, and your public keys with Thunderbird. No synchronization required.

-Patrick

> If so how do you keep them synchronized?
>
> On 5/30/2020 9:17 AM, Patrick Brunschwig wrote:
>> Robert J. Hansen wrote on 30.05.2020 01:07:
>>>> If TB 78 is going to have native support of openGPG encryption, then the
>>>> original person in the thread should be able to export all of the keys
>>>> in their key rings, and import all of those keys into TB 78, or am I
>>>> missing one of the gotchas with
>>>> TB 78 and its openGPG encryption support.
>>> You're missing the gotcha of "as of -Beta3, the new Thunderbird *cannot
>>> even import a key*."
>> I'm sorry, but that is simply not true. There is a known bug in the
>> library used by Thunderbird (RNP) that leads to crashes when importing
>> _certain_ keys. But I succeeded in importing all of my keys without any
>> problems (more than 1.000), except for 5 V3-keys. I can definitely say
>> that it's not just broken, and it can import keys.
>>
>>> I'm not kidding. It is so far from complete that Kai Englert, who leads
>>> the TB78 OpenPGP effort, recently proposed postponing OpenPGP support in
>>> TB until version 78.2, or about a three-month delay.
>> Again, that's oversimplified. OpenPGP will not be enabled _by_ _default_
>> but users may still enable it manually.
>>
>>> At present, as of -Beta3, TB78's OpenPGP support is badly broken.
>> No, it's incomplete - work in progress. That's not quite the same.
>>
>> -Patrick
Re: Certified OpenPGP-encryption after release of Thunderbird 78
So then do you have multiple pairs of key rings? One pair for TB78 and its built in PGP and another pair as part of GNUPG?

If so how do you keep them synchronized?

On 5/30/2020 9:17 AM, Patrick Brunschwig wrote:
> Robert J. Hansen wrote on 30.05.2020 01:07:
>>> If TB 78 is going to have native support of openGPG encryption, then the
>>> original person in the thread should be able to export all of the keys
>>> in their key rings, and import all of those keys into TB 78, or am I
>>> missing one of the gotchas with
>>> TB 78 and its openGPG encryption support.
>> You're missing the gotcha of "as of -Beta3, the new Thunderbird *cannot
>> even import a key*."
> I'm sorry, but that is simply not true. There is a known bug in the
> library used by Thunderbird (RNP) that leads to crashes when importing
> _certain_ keys. But I succeeded in importing all of my keys without any
> problems (more than 1.000), except for 5 V3-keys. I can definitely say
> that it's not just broken, and it can import keys.
>
>> I'm not kidding. It is so far from complete that Kai Englert, who leads
>> the TB78 OpenPGP effort, recently proposed postponing OpenPGP support in
>> TB until version 78.2, or about a three-month delay.
> Again, that's oversimplified. OpenPGP will not be enabled _by_ _default_
> but users may still enable it manually.
>
>> At present, as of -Beta3, TB78's OpenPGP support is badly broken.
> No, it's incomplete - work in progress. That's not quite the same.
>
> -Patrick
Re: Certified OpenPGP-encryption after release of Thunderbird 78
Robert J. Hansen wrote on 30.05.2020 01:07:
>> If TB 78 is going to have native support of openGPG encryption, then the
>> original person in the thread should be able to export all of the keys
>> in their key rings, and import all of those keys into TB 78, or am I
>> missing one of the gotchas with
>> TB 78 and its openGPG encryption support.
>
> You're missing the gotcha of "as of -Beta3, the new Thunderbird *cannot
> even import a key*."

I'm sorry, but that is simply not true. There is a known bug in the library used by Thunderbird (RNP) that leads to crashes when importing _certain_ keys. But I succeeded in importing all of my keys without any problems (more than 1.000), except for 5 V3-keys. I can definitely say that it's not just broken, and it can import keys.

> I'm not kidding. It is so far from complete that Kai Englert, who leads
> the TB78 OpenPGP effort, recently proposed postponing OpenPGP support in
> TB until version 78.2, or about a three-month delay.

Again, that's oversimplified. OpenPGP will not be enabled _by_ _default_ but users may still enable it manually.

> At present, as of -Beta3, TB78's OpenPGP support is badly broken.

No, it's incomplete - work in progress. That's not quite the same.

-Patrick
Re: Certified OpenPGP-encryption after release of Thunderbird 78
Robert J. Hansen wrote on 30.05.2020 01:26:
>> 1. Will key management and crypto happen in the same process as
>> IMAP/POP/SMTP, GUI, JavaScript and everything else? If so - do you
>> believe it's acceptable?
>
> It should be an easy learning curve for Enigmail users. That isn't the
> same as finding it acceptable, though.
>
> Back in the mid-'90s PGP came out with a GUI for PGP 5, and it's
> universally agreed that user interface was horrific. (See "Why Johnny
> Can't Encrypt" for a detailed teardown.) The problem was that this
> horrific user interface became the standard user interface, and most
> OpenPGP key managers ever since have adopted it. Those that haven't
> adopted it, nobody uses, because their UI is so different than
> everything else.
>
>> 2. Is there any real plan to have working smartcard support in the
>> near future?
>
> No. There's some talk about supporting it, but as far as I know there's
> no plan to do it. It's still at the "you know, it'd be kind of nice
> if..." stage, not the "we really should do this" stage.

The plan is to support smartcards (by using GnuPG for private key operations). This is already working partially, and is foreseen to be available in TB 78.

-Patrick
Re: Certified OpenPGP-encryption after release of Thunderbird 78
On 5/30/20 1:26 AM, Robert J. Hansen wrote:
>> 2. Is there any real plan to have working smartcard support in the
>> near future?
>
> No. There's some talk about supporting it, but as far as I know there's
> no plan to do it. It's still at the "you know, it'd be kind of nice
> if..." stage, not the "we really should do this" stage.

Smart card support is on the ToDo list.

https://wiki.mozilla.org/index.php?title=Thunderbird:OpenPGP:Status
Re: Certified OpenPGP-encryption after release of Thunderbird 78
On 5/29/20 7:39 PM, Grzegorz Kulewski wrote:
> Time to check Claws I think.

i've found that claws, evolution, sylpheed and kmail all integrate seamlessly with gpg2 (using standard debian packages for everything)

~c

--
Charlie Derr Director, Instructional Technology 413-528-7344
https://www.simons-rock.edu
Bard College at Simon's Rock
Encryption key: http://hope.simons-rock.edu/~cderr/
Personal writing: https://medium.com/@cderr
pronouns: either he/him or they/them is acceptable
Home landline: 860-435-1427
Re: Certified OpenPGP-encryption after release of Thunderbird 78
> I wasn't asking if GUI is acceptable. I was asking if crypto and GUI
> happen in the same process (the main TB process). Since they seem to
> be using a library for PGP it's quite probable. And if so - is that
> acceptable in your opinion?

Oh! When you said "process", I read that as "workflow". My apologies.

Yes, it's all part of the main family of processes. There's no spawning off of a GnuPG instance and setting up a communications channel to it.
Re: Certified OpenPGP-encryption after release of Thunderbird 78
On 30.05.2020 at 01:26, Robert J. Hansen wrote:
>> 1. Will key management and crypto happen in the same process as
>> IMAP/POP/SMTP, GUI, JavaScript and everything else? If so - do you
>> believe it's acceptable?
>
> It should be an easy learning curve for Enigmail users. That isn't the
> same as finding it acceptable, though.
>
> Back in the mid-'90s PGP came out with a GUI for PGP 5, and it's
> universally agreed that user interface was horrific. (See "Why Johnny
> Can't Encrypt" for a detailed teardown.) The problem was that this
> horrific user interface became the standard user interface, and most
> OpenPGP key managers ever since have adopted it. Those that haven't
> adopted it, nobody uses, because their UI is so different than
> everything else.

I wasn't asking if GUI is acceptable. I was asking if crypto and GUI happen in the same process (the main TB process). Since they seem to be using a library for PGP it's quite probable. And if so - is that acceptable in your opinion?

>> 2. Is there any real plan to have working smartcard support in the
>> near future?
>
> No. There's some talk about supporting it, but as far as I know there's
> no plan to do it. It's still at the "you know, it'd be kind of nice
> if..." stage, not the "we really should do this" stage.

Double nice.

Time to check Claws I think.

--
Grzegorz Kulewski
g...@leniwiec.biz
+48 663 92 88 95
Re: Certified OpenPGP-encryption after release of Thunderbird 78
> 1. Will key management and crypto happen in the same process as
> IMAP/POP/SMTP, GUI, JavaScript and everything else? If so - do you
> believe it's acceptable?

It should be an easy learning curve for Enigmail users. That isn't the same as finding it acceptable, though.

Back in the mid-'90s PGP came out with a GUI for PGP 5, and it's universally agreed that user interface was horrific. (See "Why Johnny Can't Encrypt" for a detailed teardown.) The problem was that this horrific user interface became the standard user interface, and most OpenPGP key managers ever since have adopted it. Those that haven't adopted it, nobody uses, because their UI is so different than everything else.

> 2. Is there any real plan to have working smartcard support in the
> near future?

No. There's some talk about supporting it, but as far as I know there's no plan to do it. It's still at the "you know, it'd be kind of nice if..." stage, not the "we really should do this" stage.
Re: Certified OpenPGP-encryption after release of Thunderbird 78
On 30.05.2020 at 01:07, Robert J. Hansen wrote:
>> If TB 78 is going to have native support of openGPG encryption, then the
>> original person in the thread should be able to export all of the keys
>> in their key rings, and import all of those keys into TB 78, or am I
>> missing one of the gotchas with
>> TB 78 and its openGPG encryption support.
>
> You're missing the gotcha of "as of -Beta3, the new Thunderbird *cannot
> even import a key*."
>
> I'm not kidding. It is so far from complete that Kai Englert, who leads
> the TB78 OpenPGP effort, recently proposed postponing OpenPGP support in
> TB until version 78.2, or about a three-month delay.
>
> At present, as of -Beta3, TB78's OpenPGP support is badly broken.

Nice.

Since you seem to be following OpenPGP-in-TB78 development:

1. Will key management and crypto happen in the same process as IMAP/POP/SMTP, GUI, JavaScript and everything else? If so - do you believe it's acceptable?

2. Is there any real plan to have working smartcard support in the near future?

--
Grzegorz Kulewski
Re: Certified OpenPGP-encryption after release of Thunderbird 78
> If TB 78 is going to have native support of openGPG encryption, then the
> original person in the thread should be able to export all of the keys
> in their key rings, and import all of those keys into TB 78, or am I
> missing one of the gotchas with
> TB 78 and its openGPG encryption support.

You're missing the gotcha of "as of -Beta3, the new Thunderbird *cannot even import a key*."

I'm not kidding. It is so far from complete that Kai Englert, who leads the TB78 OpenPGP effort, recently proposed postponing OpenPGP support in TB until version 78.2, or about a three-month delay.

At present, as of -Beta3, TB78's OpenPGP support is badly broken.
Re: Certified OpenPGP-encryption after release of Thunderbird 78
Robert. I am a long-time version of many different versions of Thunderbird, enigmail, and multiple packages of gpg.

If TB 78 is going to have native support of openGPG encryption, then the original person in the thread should be able to export all of the keys in their key rings, and import all of those keys into TB 78, or am I missing one of the gotchas with TB 78 and its openGPG encryption support.

On Fri, May 29, 2020, 17:35 Robert J. Hansen wrote:
> > Since you mention that you did support for Enigmail, do you have also
> > infos about the current status of Thunderbird development, i.e.
> > beta testing etc., regarding OpenPGP support, so that you may can tell
> > us what people can expect?
>
> Enigmail development has ended. The upcoming 2.2 is the final release
> and introduces no new features. It exists only to help people migrate
> to TB78's OpenPGP support.
>
> TB68 is being EOLed this fall. We've promised to continue to support
> users for six months after that, including giving emergency security
> fixes to Enigmail if they become necessary: but at six months and one
> day we're going to mop the floor, tally up the cash register, shut off
> the lights, and lock up as we leave.
>
> (The only exception is a commercial email company that has a signed
> support contract with Patrick -- their contract will be fulfilled.)
Re: Certified OpenPGP-encryption after release of Thunderbird 78
Robert J. Hansen wrote:
> > Since you mention that you did support for Enigmail, do you have
> > also infos about the current status of Thunderbird development, i.e.
> > beta testing etc., regarding OpenPGP support, so that you may can
> > tell us what people can expect?
>
> Enigmail development has ended. The upcoming 2.2 is the final release
> and introduces no new features. It exists only to help people migrate
> to TB78's OpenPGP support.
>
> TB68 is being EOLed this fall. We've promised to continue to support
> users for six months after that, including giving emergency security
> fixes to Enigmail if they become necessary: but at six months and one
> day we're going to mop the floor, tally up the cash register, shut off
> the lights, and lock up as we leave.
>
> (The only exception is a commercial email company that has a signed
> support contract with Patrick -- their contract will be fulfilled.)

Thanks for the info, much appreciated.

Regards
Stefan

--
my 'hidden' service gopherhole: gopher://iria2xobffovwr6h.onion
Re: Certified OpenPGP-encryption after release of Thunderbird 78
> Since you mention that you did support for Enigmail, do you have also
> infos about the current status of Thunderbird development, i.e.
> beta testing etc., regarding OpenPGP support, so that you may can tell
> us what people can expect?

Enigmail development has ended. The upcoming 2.2 is the final release and introduces no new features. It exists only to help people migrate to TB78's OpenPGP support.

TB68 is being EOLed this fall. We've promised to continue to support users for six months after that, including giving emergency security fixes to Enigmail if they become necessary: but at six months and one day we're going to mop the floor, tally up the cash register, shut off the lights, and lock up as we leave.

(The only exception is a commercial email company that has a signed support contract with Patrick -- their contract will be fulfilled.)
Re: Certified OpenPGP-encryption after release of Thunderbird 78
One of the potential problems I can see is multiple key rings, which I have just recently discovered in my own setup. I have the "standard" key rings that GPG4Win/Enigmail use and then I discovered 2 unknown files in my gnupg directory. PAPubring.gpg and PAsecring.gpg. I eventually deduced they came from an archiving program I use that has PGP built in called Power Archiver. Granted I am a newbie with PGP but the thought of having to make sure multiple key rings are all synced sounds like a hassle.

On 5/29/2020 1:32 PM, Robert J. Hansen wrote:
>>> But it's a pity that
>>> Thunderbird developed its own solution because of licensing issues
>>> while we have a proven working solution with GnuPG...
>> We never know, maybe in the future someone writes again a fully working
>> solution for Thunderbird/GnuPG users.
> Over the last fifteen years of providing email support to Enigmail
> users, I can say 95% of the Enigmail problems were caused by needing to
> call out to GnuPG. The pipeline was (still is) fragile and the source
> of many errors. Distributing GnuPG separately from Enigmail was also a
> headache and a half.
>
> You may think Enigmail is a proven working solution because it works for
> you and the people you know. I'm very happy it works so well for you!
> But from my perspective, with literally almost two thousand emails over
> the last fifteen years from people asking for help, I'm reluctant to
> call it that.
>
> It works well for many people and I'm really glad it exists. But
> there's still an unfortunate amount of work involved in getting it set
> up and working.
Re: Certified OpenPGP-encryption after release of Thunderbird 78
Robert J. Hansen wrote:
> >> But it's a pity that
> >> Thunderbird developed its own solution because of licensing issues
> >> while we have a proven working solution with GnuPG...
> >
> > We never know, maybe in the future someone writes again a fully
> > working solution for Thunderbird/GnuPG users.
>
> Over the last fifteen years of providing email support to Enigmail
> users, I can say 95% of the Enigmail problems were caused by needing
> to call out to GnuPG. The pipeline was (still is) fragile and the
> source of many errors. Distributing GnuPG separately from Enigmail
> was also a headache and a half.
>
> You may think Enigmail is a proven working solution because it works
> for you and the people you know. I'm very happy it works so well for
> you! But from my perspective, with literally almost two thousand
> emails over the last fifteen years from people asking for help, I'm
> reluctant to call it that.
>
> It works well for many people and I'm really glad it exists. But
> there's still an unfortunate amount of work involved in getting it set
> up and working.

I can only say from my side, when using Enigmail many moons ago, with a Mac, it was ok.

Since you mention that you did support for Enigmail, do you have also infos about the current status of Thunderbird development, i.e. beta testing etc., regarding OpenPGP support, so that you may can tell us what people can expect?

Regards
Stefan

--
my 'hidden' service gopherhole: gopher://iria2xobffovwr6h.onion
Re: Certified OpenPGP-encryption after release of Thunderbird 78
>> But it's a pity that
>> Thunderbird developed its own solution because of licensing issues
>> while we have a proven working solution with GnuPG...
>
> We never know, maybe in the future someone writes again a fully working
> solution for Thunderbird/GnuPG users.

Over the last fifteen years of providing email support to Enigmail users, I can say 95% of the Enigmail problems were caused by needing to call out to GnuPG. The pipeline was (still is) fragile and the source of many errors. Distributing GnuPG separately from Enigmail was also a headache and a half.

You may think Enigmail is a proven working solution because it works for you and the people you know. I'm very happy it works so well for you! But from my perspective, with literally almost two thousand emails over the last fifteen years from people asking for help, I'm reluctant to call it that.

It works well for many people and I'm really glad it exists. But there's still an unfortunate amount of work involved in getting it set up and working.
Re: Certified OpenPGP-encryption after release of Thunderbird 78
karel-v_g--- via Gnupg-users wrote:

Hi,

> But it's a pity that
> Thunderbird developed its own solution because of licensing issues
> while we have a proven working solution with GnuPG...

We never know, maybe in the future someone writes again a fully working solution for Thunderbird/GnuPG users.

> But why should
> I take the discussion personal?? :-) Karel

Well, because sometimes people may not like what I write. :-)

Regards
Stefan

--
my 'hidden' service gopherhole: gopher://iria2xobffovwr6h.onion
Re: Certified OpenPGP-encryption after release of Thunderbird 78
Hello!

No, I don't work for an Aufsichtsbehörde and (fortunately) I don't have to deal with them directly most time. But the Aufsichtsbehörde defines how my work has to be done and they have the right to inspect it. And one of the things they require is to use recommended (e.g. BSI) software for mail encryption. Of course there is no way knowing for them whether I comply or not without intercepting my mail or visiting my office. But as always it might cause problems when not complying.

So I think I will continue use Thunderbird as MTA and use GPG4Win with copy and paste for the encryption part. But it's a pity that Thunderbird developed its own solution because of licensing issues while we have a proven working solution with GnuPG...

But why should I take the discussion personal?? :-)

Karel

28 May 2020, 23:21, from s...@300baud.de:
> karel-v_g--- via Gnupg-users wrote:
>
>> Hello!
>> The German translation should be "Aufsichtsbehörde" (or even better
>> "Rechtsfähige Anstalt des öffentlichen Rechts"). In fact I don't know
>> the exact translation and didn't find any appropriate in
>> Google-Translate or deepl. So "supervising authorities" was my best
>> guess without being a native speaker... Does this change the meaning
>> or anything else? Karel
>>
>
> Hi,
>
> while it is not my business, I do not understand why you have to take
> care about the Thunderbird issue, as a user and not the
> Aufsichtsbehörde ... If for example you have a job at the
> Aufsichtsbehörde then ok, like I said, I would contact gnupg.com and
> ask them if GnuPG Desktop (A Windows app) fits for your working
> environment and in case not what they would suggest, because the
> Aufsichtsbehörde should have IMHO funds to issue a professional
> licensed working solution for their employees.
>
> In case you only have to deal as a gpg4win user with the
> Aufsichtsbehörde via email, then I don't understand how would they
> detect if you would not comply by using later the new Thunderbird,
> without BSI approval.
>
> P.S. please don't take it personal!
>
> Regards
> Stefan
Re: Certified OpenPGP-encryption after release of Thunderbird 78
On Fri 29/May/2020 12:29:48 +0200 Stefan Claas wrote:
> Binarus wrote:
>> On 28.05.2020 23:21, Stefan Claas wrote:
>>>
>>> while it is not my business, I do not understand why you have to
>>> take care about the Thunderbird issue, as a user and not the
>>> Aufsichtsbehörde ... If for example you have a job at the
>>> Aufsichtsbehörde then ok, like I said, I would contact gnupg.com and
>>> ask them if GnuPG Desktop (A Windows app) fits for your working
>>> environment and in case not what they would suggest, because the
>>> Aufsichtsbehörde should have IMHO funds to issue a professional
>>> licensed working solution for their employees.
>>>
>>> In case you only have to deal as a gpg4win user with the
>>> Aufsichtsbehörde via email, then I don't understand how would they
>>> detect if you would not comply by using later the new Thunderbird,
>>> without BSI approval.
>>
>> This is not my field, but I believe that (besides authorities) there
>> are companies or other institutions which *must* use certified
>> encryption solutions. Some ideas:
>
> [...]
>
> Yes, understand. But then if those institutions have no funds or
> are not willing to invest in their IT security infrastructure
> then they may ask the BSI how to proceed. Maybe the BSI has funds
> to let gnupg.com develop a custom Windows solution for them.
>
> The other option would be that the OP and others continue using
> their current Thunderbird/Enigmail/gpg4win setup.

Any chance that the BSI will approve the RNP library that Thunderbird is going to use?

Best
Ale
Re: Certified OpenPGP-encryption after release of Thunderbird 78
On Tue, 26 May 2020 12:27, karel-v_g--- said:

> Because of this I have been using a combination of Thunderbird,
> Enigmail and Gpg4Win, as the latter one is certified by German BSI.

Well, it is not certified but approved to handle data at the EU RESTRICTED level (BSI-VSA-10400 and 10412). There are a lot of side conditions you have to meet to use that which are detailed in the SecOPs.

TB has not been approved to handle restricted data because it does not clearly show whether important conditions are met. GpgOL and KMail are able to meet these requirements for email; Kleopatra for file encryption.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: Certified OpenPGP-encryption after release of Thunderbird 78
Binarus wrote:
>
> On 28.05.2020 23:21, Stefan Claas wrote:
> >
> > while it is not my business, I do not understand why you have to
> > take care about the Thunderbird issue, as a user and not the
> > Aufsichtsbehörde ... If for example you have a job at the
> > Aufsichtsbehörde then ok, like I said, I would contact gnupg.com and
> > ask them if GnuPG Desktop (A Windows app) fits for your working
> > environment and in case not what they would suggest, because the
> > Aufsichtsbehörde should have IMHO funds to issue a professional
> > licensed working solution for their employees.
> >
> > In case you only have to deal as a gpg4win user with the
> > Aufsichtsbehörde via email, then I don't understand how would they
> > detect if you would not comply by using later the new Thunderbird,
> > without BSI approval.
>
> This is not my field, but I believe that (besides authorities) there
> are companies or other institutions which *must* use certified
> encryption solutions. Some ideas:

[...]

Yes, understand. But then if those institutions have no funds or are not willing to invest in their IT security infrastructure then they may ask the BSI how to proceed. Maybe the BSI has funds to let gnupg.com develop a custom Windows solution for them.

The other option would be that the OP and others continue using their current Thunderbird/Enigmail/gpg4win setup.

Regards
Stefan
Re: Certified OpenPGP-encryption after release of Thunderbird 78
On 28.05.2020 23:21, Stefan Claas wrote:
>
> while it is not my business, I do not understand why you have to take
> care about the Thunderbird issue, as a user and not the
> Aufsichtsbehörde ... If for example you have a job at the
> Aufsichtsbehörde then ok, like I said, I would contact gnupg.com and
> ask them if GnuPG Desktop (A Windows app) fits for your working
> environment and in case not what they would suggest, because the
> Aufsichtsbehörde should have IMHO funds to issue a professional
> licensed working solution for their employees.
>
> In case you only have to deal as a gpg4win user with the
> Aufsichtsbehörde via email, then I don't understand how would they
> detect if you would not comply by using later the new Thunderbird,
> without BSI approval.

This is not my field, but I believe that (besides authorities) there are companies or other institutions which *must* use certified encryption solutions. Some ideas:

- The OP might be employed at a city administration of a small village where the full set of regulations is relevant, but where there is no money (as in many small villages) to buy support.

- The OP might be employed at a company like a hospital, a nuclear plant, a company which develops or sells military goods, a law office, a tax office, a (medical) insurance, a bank, and so on - you get the idea :-)

While I actually don't know in detail which sort of company is bound by which regulation, I am sure that there are dozens of company types and hundreds, if not thousands of companies which are legally restricted to use only BSI-certified encryption software, especially companies which handle sensitive personal data or which compromise public safety if they let leak data.

Even more, since the arrival of the GDPR, each company -even the smallest one- has to put significant effort into protecting personal data, and has to document in detail their respective policies and methods. When implementing the respective concepts and explaining / documenting why they are safe and how they protect personal data, it is of great help when the BSI has certified as many parts of the software as possible.

Furthermore, to me, the OP sounds if he is not only employed at a company as a normal user, but as a part-time admin who has been asked to implement the email infrastructure for his colleagues besides his normal work (because the management as usual does not understand the importance and value of such work and the expertise and time which is needed).

Regards,

Binarus
Re: Certified OpenPGP-encryption after release of Thunderbird 78
karel-v_g--- via Gnupg-users wrote:
> Hello!
> The German translation should be "Aufsichtsbehörde" (or even better
> "Rechtsfähige Anstalt des öffentlichen Rechts"). In fact I don't know
> the exact translation and didn't find any appropriate in
> Google-Translate or deepl. So "supervising authorities" was my best
> guess without being a native speaker... Does this change the meaning
> or anything else? Karel

Hi,

while it is not my business, I do not understand why you have to take care about the Thunderbird issue, as a user and not the Aufsichtsbehörde ... If for example you have a job at the Aufsichtsbehörde then ok, like I said, I would contact gnupg.com and ask them if GnuPG Desktop (A Windows app) fits for your working environment and in case not what they would suggest, because the Aufsichtsbehörde should have IMHO funds to issue a professional licensed working solution for their employees.

In case you only have to deal as a gpg4win user with the Aufsichtsbehörde via email, then I don't understand how would they detect if you would not comply by using later the new Thunderbird, without BSI approval.

P.S. please don't take it personal!

Regards
Stefan
Re: Certified OpenPGP-encryption after release of Thunderbird 78
Hello!

The German translation should be "Aufsichtsbehörde" (or even better "Rechtsfähige Anstalt des öffentlichen Rechts"). In fact I don't know the exact translation and didn't find any appropriate in Google-Translate or deepl. So "supervising authorities" was my best guess without being a native speaker... Does this change the meaning or anything else?

Karel

On 27 May 2020, 23:41, s...@300baud.de wrote:

> karel-v_g--- via Gnupg-users wrote:
>
>> Hello!
>
> [...]
>
>> Aside from advising to use BSI-certified products the authorities are
>> not of any help unfortunately...
>
> In your previous post you spoke about *supervising* authorities.
>
> https://en.wikipedia.org/wiki/Supervisor
>
> Regards
> Stefan
Re: Certified OpenPGP-encryption after release of Thunderbird 78
karel-v_g--- via Gnupg-users wrote:

> Hello!

[...]

> Aside from advising to use BSI-certified products the authorities are
> not of any help unfortunately...

In your previous post you spoke about *supervising* authorities.

https://en.wikipedia.org/wiki/Supervisor

Regards
Stefan
Re: Certified OpenPGP-encryption after release of Thunderbird 78
Hello!

> I just checked the BSI's list of certified products. Gpg4Win and Gpg4KDE are
> currently listed until 2022-06-30, and you can continue using them.
> Thunderbird and Enigmail are not included in that list, so you are apparently
> using your own software mix anyway.

Indeed, the only certified component of my mix is GPG4Win, while Enigmail and Thunderbird aren't. But I had checked that before I implemented that combination: the authorities said that only the part of the software that handles the encryption process needs to be certified while the used mail-client and plugins only need to meet general security requirements (TLS-Connections, latest patch-level, ...).

Aside from advising to use BSI-certified products the authorities are not of any help unfortunately...

So, to be a bit more precise: is there any mail client working directly with GPG4win or other certified OpenPGP-solution aside from Outlook or copy and paste with Thunderbird 78ff?

Thanks!

Karel
Re: Certified OpenPGP-encryption after release of Thunderbird 78
> I just checked the BSI's list of certified products[1].

Sorry, I forgot to include the URL:

[1] https://www.bsi.bund.de/DE/Themen/Sicherheitsberatung/ZugelasseneProdukte/Liste_Produkte/Liste_Produkte_node.html
Re: Certified OpenPGP-encryption after release of Thunderbird 78
* karel-v:

> With the approaching release of Thunderbird 78 Gpg4Win and Enigmail
> won't be available any longer and the new OpenPGP-implementation of
> Thunderbird won't be certified to the best of my knowledge.

I just checked the BSI's list of certified products[1]. Gpg4Win and Gpg4KDE are currently listed until 2022-06-30, and you can continue using them. Thunderbird and Enigmail are not included in that list, so you are apparently using your own software mix anyway.

Enigmail will no longer be available for Thunderbird 78, but you can copy message bodies between Thunderbird and GPG using the clipboard. Of course, this is a major inconvenience, but currently it seems that it's either this method or sticking with the current Thunderbird version and Enigmail.

-Ralph
Re: Certified OpenPGP-encryption after release of Thunderbird 78
karel-v_g--- via Gnupg-users wrote:

> Hello!
> I am required to use certified encryption for mails by my supervising
> authorities and good practice. Because of this I have been using a
> combination of Thunderbird, Enigmail and Gpg4Win, as the latter one
> is certified by German BSI. With the approaching release of
> Thunderbird 78 Gpg4Win and Enigmail won't be available any longer and
> the new OpenPGP-implementation of Thunderbird won't be certified to
> the best of my knowledge.

Hi,

I would ask my supervising authorities if they can contact gnupg.com and see if GnuPG Desktop fits for your company's purposes. At least I strongly assume that they are aware of the Thunderbird situation and are able to offer custom solutions or proper advice.

https://gnupg.com/gnupg-desktop.de.html

Regards
Stefan
Certified OpenPGP-encryption after release of Thunderbird 78
Hello!

I am required to use certified encryption for mails by my supervising authorities and good practice. Because of this I have been using a combination of Thunderbird, Enigmail and Gpg4Win, as the latter one is certified by German BSI. With the approaching release of Thunderbird 78 Gpg4Win and Enigmail won't be available any longer and the new OpenPGP-implementation of Thunderbird won't be certified to the best of my knowledge.

I am aware this might be slightly OT for this list, but are there any suggestions what can be done to keep up a certified encrypted mail communication? I am afraid Outlook which should work easily with Gpg4Win is not an option.

Thanks for suggestions and help!

Karel