Bug 1679278 Comment 29 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

Because in comment 10 and comment 17 several example scenarios were given, and strong protection was requested for users who risk their life and their liberty, I think it's necessary to again describe what level of protection we're discussing in the scope of this Bugzilla ticket.

For at-risk users, who risk their life or their liberty and who must use a machine on which they cannot enable full disk encryption, the protection mechanism requested here will NOT protect them against a sophisticated attacker who can confiscate the device while it's turned on, keep the confiscated device active, and do a forensic analysis of system memory to find copies of entered passphrases or secret keys (from a time when they were previously unlocked).

It means that users who are willing to risk life and liberty need to be aware that having a passphrase for the secret keys as the only level of protection may only help against less sophisticated attackers, who only try to copy files found on the disk or try to use Thunderbird interactively.

If we offer this functionality, will it be clear to affected users that this risk remains, and do you think the users would accept this remaining risk? Would they be willing to accept the risk, based on an assumption or hope that they'd only ever encounter less sophisticated attackers?

In my understanding, the intention of the request here is to provide a basic level of protection that will help against simple attacks only. It would protect encrypted data from a friend, colleague or family member who is allowed to use the same device, but who will not perform a forensic analysis, will not collaborate with a sophisticated attacker, and will not install a key logger. It would protect against a random person who is able to momentarily access your device and could be tempted to look at encrypted messages or use the device to send out digitally signed messages in your name.

Do we all agree on this?

Because in comment 10 and comment 17 several example scenarios were given, and strong protection was requested for users who risk their life and their liberty, I think it's necessary to again describe what level of protection we're discussing in the scope of this Bugzilla ticket.

For at-risk users, who risk their life or their liberty and who must use a machine on which they cannot enable full disk encryption, the protection mechanism requested here will NOT protect them against a sophisticated attacker who can confiscate the device while it's turned on, keep the confiscated device active, and do a forensic analysis of system memory to find copies of entered passphrases or secret keys (from a time when they were previously unlocked).

It means that users who are willing to risk life and liberty need to be aware that having a passphrase for the secret keys as the only level of protection may only help against less sophisticated attackers, who only try to copy files found on the disk or try to use Thunderbird interactively.

If we offer this functionality, will it be clear to affected users that this risk remains, and do you think the users would accept this remaining risk? Would they be willing to accept the risk, based on an assumption or hope that they'd only ever encounter less sophisticated attackers?

In my understanding, the intention of the request here is to provide a basic level of protection that will help against simple attacks only. It would protect encrypted data from a friend, colleague or family member who is allowed to use the same device, but who will not perform a forensic analysis, will not collaborate with a sophisticated attacker, and will not install a key logger. It would protect against a random person who is able to momentarily access your device and could be tempted to look at encrypted messages or use the device to send out digitally signed messages in your name.

Do we all agree on the scope?