OpenPGP: Add feature to map an email address (or a whole domain) to a specific key (accept address mismatch)
Categories: MailNews Core :: Security: OpenPGP, enhancement
Tracking: Not tracked
People: Reporter: Thunderbird_Mail_DE, Assigned: KaiE
In Enigmail it was possible to select a (one) key for several different company mail addresses. This seems not to be possible with the integrated PGP feature in 78.* and would be a regression against Enigmail.
It is reported in German support forums:
Comment 1 (Assignee) • 4 years ago
Yes, we don't support that currently.
We have a similar feature request in bug 1644085.
Comment 2 (Assignee) • 4 years ago
Alex, in your scenario, do all employees own a copy of the secret key to decrypt those messages?
Comment 3 • 4 years ago
Kai,
I enquired from the company referenced above regarding use of "company Keys" and they replied: "encrypted mails are decrypted on a separate system before they enter the user’s mailboxes. So there’s no key distribution needed on our side."
I'm having exactly the same issue. An option to manually select the public key that is used for encryption would do the job.
@Kai: Most companies decrypt the messages at a central gateway (which holds the public / private key pair) and then forward it internally to the desired recipient (the then decrypted message). This happens very often in the finance sector to comply with regulation. But it's also an "easy" way to handle mail encryption without bothering the end user.
As far as I remember PGP keys can handle aliases but that would require you to renew / update your keys every time someone joins / leaves your organization.
Anyway...I really need this feature too. Until then I have to revert to 68 :-/
(In reply to Kai Engert (:KaiE:) from comment #2)
> Alex, in your scenario, do all employees own a copy of the secret key to decrypt those messages?
It is not necessary to share the secret key. You can have a list email address and an alias rule for gpg/pgp that assigns the key IDs of the list members to the list email address. Then emails to the list email address will be encrypted for all the members in this list. The disadvantage is, of course, everyone in the list has to manually maintain this alias rule. But in our scenario with ~10 members it is working very well.
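The alias-rule idea discussed in this bug (one address, or a whole domain, mapped to explicitly chosen keys even though the key's user ID does not match), as an added Python example. It is not Thunderbird's, Enigmail's or GnuPG's code; the rule layout, function names and fingerprints are constructed for illustration, and it uses full fingerprints where the comment above speaks of key IDs.

```python
# Added illustration: alias rules mapping recipient addresses or whole
# domains to explicit key fingerprints. All names and values are constructed.

# Constructed placeholder fingerprints (40 hex chars), not real keys.
GATEWAY = "A" * 40
ALICE = "B" * 40
BOB = "C" * 40

RULES = {
    "emails": {"team@lists.example.org": [ALICE, BOB]},  # list -> all members
    "domains": {"corp.example.com": [GATEWAY]},          # domain -> gateway key
}


def normalize_fpr(fpr):
    """Accept only full 40-hex-digit fingerprints; short key IDs can collide."""
    f = fpr.replace(" ", "").upper()
    if len(f) != 40 or any(c not in "0123456789ABCDEF" for c in f):
        raise ValueError(f"not a full fingerprint: {fpr!r}")
    return f


def resolve_keys(recipient, rules, keyring):
    """Return the fingerprints to encrypt to for one recipient.

    Order: exact address rule, then exact domain rule (subdomains do not
    match), then keys whose user ID carries the address. Raises LookupError
    when nothing matches, so the caller never falls back to a guessed key.
    """
    addr = recipient.strip().lower()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {recipient!r}")
    for table, key in ((rules["emails"], addr), (rules["domains"], domain)):
        if key in table:
            return [normalize_fpr(f) for f in table[key]]
    own = keyring.get(addr)  # keyring: address in key user ID -> fingerprints
    if own:
        return [normalize_fpr(f) for f in own]
    raise LookupError(f"no alias rule or matching key for {addr}")
```
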
Comment 6 (Assignee) • 4 years ago
See bug 1644085 comment 32, which suggests a solution that could also cover the scenario described in this bug.
Comment 7 • 4 years ago
I think alias rules (bug 1644085) has this covered.