We must make a decision for the following scenario. Today, with manual encryption control, when replying to an encrypted message, we already enable encryption for the reply. (The idea is, because we're quoting the original message by default, sending a reply unencrypted would leak the original message.) Today, if the reply cannot be sent encrypted, the user is forced to manually and deliberately disable encryption. What should happen in automatic mode? If we automatically disabled encryption because of a missing/unusable recipient key, we'd leak the original message automatically. To find a decision, we should ask, what's the purpose of this automatic encryption mode? In my opinion, the intention is to have an automatic upgrade to more security, if easily possible. But the mode shouldn't result in a downgrade of security for existing conversations. In my opinion, even in automatic mode, we should require the user to manually disable encryption, when replying to an encrypted message.
Bug 135636 Comment 213 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
We must make a decision for the following scenario. Today, with manual encryption control, when replying to an encrypted message, we automatically enable encryption for the reply. (The idea is, because we're quoting the original message by default, sending a reply unencrypted would leak the original message.) Today, if the reply cannot be sent encrypted, the user is forced to manually and deliberately disable encryption. What should happen in automatic mode? If we automatically disabled encryption because of a missing/unusable recipient key, we'd leak the original message automatically. To find a decision, we should ask, what's the purpose of this automatic encryption mode? In my opinion, the intention is to have an automatic upgrade to more security, if easily possible. But the mode shouldn't result in a downgrade of security for existing conversations. In my opinion, even in automatic mode, we should require the user to manually disable encryption, when replying to an encrypted message.
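The policy argued in the comment above can be written down as a small decision function, so the "upgrade only, never downgrade" rule and the leak it is meant to prevent are explicit. This is an added example, not Thunderbird's code and not a proposal from the bug thread; the `Mode` values, the `decideReplyEncryption`/`canSendNow` names and the shape of the input object are assumptions made here for illustration.

```javascript
// Added illustration of the reply-encryption policy discussed above.
// Not Thunderbird code; names and input shape are assumptions.
const Mode = Object.freeze({ MANUAL: "manual", AUTOMATIC: "automatic" });

// Decide the initial encryption state of a compose window.
//   mode                   - Mode.MANUAL or Mode.AUTOMATIC (assumed setting)
//   originalWasEncrypted   - true when replying to an encrypted message
//   allRecipientKeysUsable - true when every recipient has a usable key
function decideReplyEncryption({ mode, originalWasEncrypted, allRecipientKeysUsable }) {
  if (originalWasEncrypted) {
    // The reply quotes the original by default; sending it in the clear would
    // leak that message. So encryption stays on in BOTH modes, and only a
    // deliberate user action may turn it off. A missing/unusable recipient key
    // is not allowed to flip the decision automatically.
    return {
      encrypt: true,
      requiresManualDisable: true,
      reason: allRecipientKeysUsable
        ? "reply to encrypted message: encryption kept on"
        : "reply to encrypted message, recipient key missing/unusable: " +
          "not downgrading automatically, user must disable encryption deliberately",
    };
  }
  if (mode === Mode.AUTOMATIC) {
    // Fresh conversation in automatic mode: upgrade to encryption only when
    // that is easily possible, i.e. every recipient has a usable key.
    return {
      encrypt: allRecipientKeysUsable,
      requiresManualDisable: false,
      reason: allRecipientKeysUsable
        ? "automatic mode: all keys usable, upgrading to encryption"
        : "automatic mode: key missing/unusable, sending unencrypted",
    };
  }
  // Manual mode, plaintext context: user decides; default stays off.
  return { encrypt: false, requiresManualDisable: false, reason: "manual mode: user controls encryption" };
}

// Simulated send-time check: an encrypted reply whose recipients cannot all be
// encrypted to is blocked rather than silently sent in the clear.
function canSendNow(decision, allRecipientKeysUsable) {
  if (decision.encrypt && !allRecipientKeysUsable) {
    return { ok: false, blocked: "encryption required but not possible for all recipients" };
  }
  return { ok: true };
}

// The one path that may downgrade: an explicit user action in the compose window.
function userDisablesEncryption(decision) {
  return { ...decision, encrypt: false, reason: "user deliberately disabled encryption" };
}
```

The important branch is the first one: the inputs that would make automatic mode send unencrypted (a missing key) are deliberately ignored when the message being replied to was encrypted, so the only way from "encrypted" to "plaintext" is `userDisablesEncryption`, never a key-lookup failure.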