(In reply to Kai Engert (:KaiE:) from comment #21)
It is great that you're looking at this and I understand the constraints you have to work through/around.
The solution I want to offer isn't based on what I consider ideal. It's based on pragmatism. It's what we might be able to implement quickly, and based on the technical constraints of our code.
However, security is never something that should be done "as quickly as possible"; just look at Masterlock padlocks! Please consider that this "bug" has been open for 2+ years, and so an extra year or so to have this architecture constructed safely and securely would be what everyone who is aware of this bug would prefer over a quick-n-dirty fix just to get this ticked off the never-ending list of things to fix.
Locking could be manual (click the button), or automatic, with an additional option to lock automatically after N minutes. For users who are worried, I'd suggest a value of 1 minute. I wouldn't recommend a value of zero, because then you'd have to unlock again when replying to a message. But if there's demand, we could allow that immediate lock after use.
I would suggest that timed locking (typically 3 or 5 minutes without access to the PGP keys being made) should be a REQUIREMENT rather than an option, so that even if they wanted to, someone cannot unlock their PGP emails, then go and make a coffee, disable their screensaver and have anyone access their PGP emails 24 minutes later.
The default configuration would remain as it is today.
For a person who needs maximum protection, the workflow could be:
I read between the lines here that fundamentally the broad overview even after many, many years still hasn't been updated - it should be EVERYONE needs maximum protection, but most people are unaware of it. Being unaware you need something doesn't mean you don't need it (like, you know, medication, or email security). I would gently ask that the point of view can be adjusted that EVERYONE needs maximum protection and then build workarounds (if you wish) for people who are the exception -- who DO NOT want PGP security on their Thunderbird-based emails.
- start thunderbird, you're in locked state initially
- click an encrypted message, it's shown as "cannot decrypt, keys are locked"
- we might automatically trigger an unlock prompt
-- The flow would be logical that this notice is displayed along with a prompt to enter the PGP key unlock passphrase.
- if user enters passphrase successfully, decrypted message is shown
-- YES, further, (as I believe Enigmail did) if more than three bad passwords are given to unlock keys then an increment throttle timer is triggered (i.e. wait +10, +15, +20 seconds before retrying the master passphrase).
- user accepts that the keys remain unlocked, or know that it will be re-locked after N minutes,
-- Keys should always be relocked X minutes after unlocking or after key access is required to decode a message. This can be set in a setting, for example between 1 and 15 minutes or another maximum time, with recommended/default something under 10 minutes (5 is advisory).
or notice the visually highlighted "keys are unlocked" button,
and could click it to immediately lock it again
When locked, and you try to send a signed message, you'd have to unlock, too.
Further, and I use several keys; I would like an option whereby to use a particular key (once the TB cabinet is unlocked), I MUST enter the PGP passphrase itself, as well as the Thunderbird Cabinet code -- because then I am forced to enter the PGP passphrase and memorise it, else I will maybe remember the Thunderbird code (through repetition) but will gradually lose memory of the actual PGP passphrase itself because of never actually needing to write it in. This can be a massive headache (literally) when using something else using the same keys, such as Kleopatra etc.
Would you consider this an improvement to what we have today?
It is a tall order, but Thunderbird MUST store a locker of PGP Keys as securely as the PGP keys themselves are; else if Thunderbird can access and use the keys and they're not securely stored this is a HUGE reduction in the safety of PGP (which, by all standards, is STILL one of the safest protections available), therefore Thunderbird needs to secure the keys at that level.
Thanks again for updating us and looking into this large and nuanced topic.
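
Added example, not part of the comment above and not Thunderbird or Enigmail code: a sketch of the lock workflow discussed in this comment (locked at start, relock N minutes after the last key access, retry throttle after more than three bad passphrases). `KeyLocker`, `verify`, `useKey` and the reading of "+10, +15, +20 seconds" as the delay after the 4th, 5th and 6th failure are assumptions made for illustration.

```javascript
// Hypothetical names throughout; constructed for illustration only.
class KeyLocker {
  // verify(passphrase) -> boolean stands in for the real key-unwrapping step.
  // now() -> milliseconds is injectable so the timers can be exercised offline.
  constructor(verify, { relockMinutes = 5, now = Date.now } = {}) {
    if (!(relockMinutes >= 1 && relockMinutes <= 15)) {
      throw new RangeError("relockMinutes must be between 1 and 15");
    }
    this.verify = verify;
    this.now = now;
    this.relockMs = relockMinutes * 60000;
    this.unlockedUntil = 0; // starts in the locked state
    this.failures = 0;      // consecutive bad passphrases
    this.retryAfter = 0;    // earliest time the next attempt is accepted
  }

  isUnlocked() { return this.now() < this.unlockedUntil; }

  lock() { this.unlockedUntil = 0; } // the manual "lock now" button

  unlock(passphrase) {
    const t = this.now();
    if (t < this.retryAfter) {
      // Throttled: the attempt is refused without testing the passphrase.
      return { ok: false, waitSeconds: Math.ceil((this.retryAfter - t) / 1000) };
    }
    if (this.verify(passphrase)) {
      this.failures = 0;
      this.retryAfter = 0;
      this.unlockedUntil = t + this.relockMs;
      return { ok: true, waitSeconds: 0 };
    }
    this.failures += 1;
    // Assumed reading: failures 1-3 carry no delay, then 10 s, 15 s, 20 s, ...
    const wait = this.failures > 3 ? 10 + 5 * (this.failures - 4) : 0;
    this.retryAfter = t + wait * 1000;
    return { ok: false, waitSeconds: wait };
  }

  // Every decrypt or sign goes through here; each access restarts the timer.
  useKey(operation) {
    if (!this.isUnlocked()) throw new Error("cannot decrypt, keys are locked");
    this.unlockedUntil = this.now() + this.relockMs;
    return operation();
  }
}
```
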