On 9/7/20 3:57 PM, li...@datenritter.de wrote:
> Hi all,
>
> So, Thunderbird will finally implement OpenPGP. Great! \o/
>
> Unfortunately, Mozilla as usual have their own way... /o\
>
> TB will store PGP-Keys without encryption - unless you use a master
> password. Which... must be entered on every start anyway.
>
> One password for everything might seem comfortable, but doesn't that
> mean our keys will be kept in memory without any protection? Sounds like
> a terrible idea to keep sensitive information like this in a complex and
> most probably still buggy application like TB.
>
> Enigmail asks for passphrases on demand and comes with a timeout option.
> Keys are protected by gpg, which also handles decryption, so it would
> never spit out any key data unless there's a bug in the pgp binary. With
> enigmail and gpg a memory leak in TB would not compromise your keys. Am
> I right? (Or is gpg executed in TB's address space?)
>
> Looks like a certain loss of security to me.
>
> Also, in the future we have to maintain two separate key storages,
> because TB has to have its Extrawurst*.
>
> The web of trust is basically dead - but keysigning by all means is not.
> TB will replace enigmail before WoT functionality has been implemented.
> If ever.
>
> ATM, this is the scariest change to deal with in the FOSS world.
> Please tell me I got it all wrong.

There is an advanced option for Thunderbird to delegate to an external
GnuPG installation to perform secret key operations, which is needed to
handle smartcards but also permits storing your own private key in gpg.
You'll still need to maintain public keys in Thunderbird's private
keystore, but the thing that gets protected with a password will be in
gpg and use the standard gpg unlock dialog.

-- 
Eli Schwartz
Arch Linux Bug Wrangler and Trusted User
_______________________________________________
enigmail-users mailing list
enigmail-users@enigmail.net
To unsubscribe or make changes to your subscription click here:
https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net