Thunderbird's UI should explain that it expects that a correspondent's OpenPGP encryption key must contain the correspondent's email address to be used immediately, and that alternatively the Alias feature could be used
Categories: MailNews Core :: Security: OpenPGP, enhancement
Tracking: Not tracked
People: Reporter: dscotese, Unassigned
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.152 Safari/537.36
Steps to reproduce:
I composed an email to firstname and hit send while requiring encryption. Thunderbird first says "Unable to send this message with end-to-end encryption, because there are problems with the keys of the following recipients: firstname@domain.com ... OK?"
OK! (I click) and then it says "In order to send... you must obtain and accept..." and doesn't even present the list of certs (which I have already obtained and accepted) so that I can choose one.
Actual results:
It lists the recipient (there's only firstname@domain.com) and I can select it and click "Manage Keys for selected recipient." There are no keys to manage, and no clue as to how one (which is already in my certificate list) can be selected!
Expected results:
In the "Manage Keys for selected recipient" box, there should be a button to select an existing certificate, or one of the buttons before you get there should have said "Choose existing key." Then it should present all the keys for others that I already have in my keychain.
I did update Thunderbird twice, thinking this might already be addressed, and I see versions 79 - 87 in the version dropdown. I'd be happy to download and try a later version if it were convenient, but Thunderbird's About Box says it's up to date and has no link to try a version not yet released. I'd really like to attach firstname@domain.com to firstname's certificate (which is in my keystore under the name "firstname"), so that could be an easy way for the code to find it. I have 21 keys that have no email attached to them, and they all have a name. "firstname" is one of them.
Comment 1•4 years ago
In the Write window make sure S/MIME is selected:
Security drop-down - Encryption Technology - S/MIME
If S/MIME is greyed out after entering the recipients email into the To: field, import a valid cert for the intended recipient.
The intended recipient's valid certificate has already been imported. The reason S/MIME is greyed out (it is) is that the certificate does not have email attached to it, so the user (me) must make that association manually. I don't know why I don't see it here, but someone sent me instructions to create and tell Thunderbird to use a separate file that maps existing valid certificates to email addresses that aren't in them, and I did that and it seems to have worked. I guess the GUI that handled that was part of Enigma and when they removed Enigma, they didn't include it :-(.
Thanks for the pointer though!
Comment 3•4 years ago
I'm not aware of any mechanism where a cert needs to be assigned to an email address, except for your own personal cert.
In any case, the cert must contain an email address.
If there are any further questions I'd suggest you start a new support topic at https://support.mozilla.org/questions/new
(In reply to Christian Riechers from comment #3)
> I'm not aware of any mechanism where a cert needs to be assigned to an email address, except for your own personal cert.
> In any case, the cert must contain an email address.
> If there are any further questions I'd suggest you start a new support topic at https://support.mozilla.org/questions/new
https://wiki.mozilla.org/Thunderbird:OpenPGP:Aliases explains it.
I don't know what you mean by "the cert must contain an email address." I have and use several certificates that do not contain any email address, and some are now automatically used for some of my correspondents, using the aliases.json file.
I'm sorry if I misrepresented my intention here. I did not intend to collect answers to questions. My intent was to report a difference between (reasonably, I argue) expected behavior and the actual behavior of the software. If there is a reason NOT to open the key management software so the user can select a key to assign to the selected recipient, then it would be helpful to simply add a message to the dialog that says "To use other keys, please see https://wiki.mozilla.org/Thunderbird:OpenPGP:Aliases"
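The aliases.json mechanism mentioned in this comment is what lets a key without an email address in its user ID be used for a recipient. The following Python script is an added example, not Thunderbird's own code: it loads an alias file in the layout I recall from https://wiki.mozilla.org/Thunderbird:OpenPGP:Aliases (a top-level "keys" list of rules, each with an "email" or "domain" and a "keys" list of "id" or "fingerprint" entries; check the wiki for the authoritative format), sanity-checks it, and shows why a key whose only user ID is a bare name is never offered unless an alias rule points at it. The sample file, key ids, fingerprint and the `keyring` dictionary are constructed placeholders.

```python
import json
import re

# Constructed sample aliases.json in the layout described on the Thunderbird
# OpenPGP Aliases wiki page (as recalled; verify against the wiki). The key id
# and fingerprint are made-up placeholders, not real keys.
SAMPLE_ALIASES_JSON = """
{
  "keys": [
    { "email": "firstname@domain.com",
      "keys": [ { "id": "0x0123456789ABCDEF" } ] },
    { "domain": "example.org",
      "keys": [ { "fingerprint": "0123456789ABCDEF0123456789ABCDEF01234567" } ] }
  ]
}
"""

KEY_ID_RE = re.compile(r"^(0x)?[0-9A-Fa-f]{16}$")      # long key id, optional 0x
FINGERPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")       # 40-hex-digit v4 fingerprint
ADDR_RE = re.compile(r"<([^<>@\s]+@[^<>@\s]+)>")         # address inside a user ID


def load_rules(text):
    """Parse the file text and return the list of alias rules (may be empty)."""
    doc = json.loads(text)
    rules = doc.get("keys", [])
    if not isinstance(rules, list):
        raise ValueError("top-level 'keys' must be a list")
    return rules


def validate_rules(rules):
    """Return human-readable problems; an empty list means the file looks sane."""
    problems = []
    for i, rule in enumerate(rules):
        if ("email" in rule) == ("domain" in rule):
            problems.append(f"rule {i}: need exactly one of 'email' or 'domain'")
        keys = rule.get("keys")
        if not isinstance(keys, list) or not keys:
            problems.append(f"rule {i}: 'keys' must be a non-empty list")
            continue
        for j, k in enumerate(keys):
            kid, fpr = k.get("id"), k.get("fingerprint")
            if kid is None and fpr is None:
                problems.append(f"rule {i} key {j}: needs 'id' or 'fingerprint'")
            if kid is not None and not KEY_ID_RE.match(kid):
                problems.append(f"rule {i} key {j}: bad key id {kid!r}")
            if fpr is not None and not FINGERPRINT_RE.match(fpr):
                problems.append(f"rule {i} key {j}: bad fingerprint {fpr!r}")
    return problems


def resolve_aliases(rules, address):
    """Key ids/fingerprints that alias rules assign to address (case-insensitive).
    An exact 'email' rule wins over a 'domain' rule; with no matching rule, []."""
    address = address.lower()
    domain = address.rsplit("@", 1)[-1]
    by_domain = []
    for rule in rules:
        ids = [k.get("id") or k.get("fingerprint") for k in rule.get("keys", [])]
        if str(rule.get("email", "")).lower() == address:
            return ids
        if str(rule.get("domain", "")).lower() == domain:
            by_domain = ids
    return by_domain


def uid_contains_address(user_ids, address):
    """The default Thunderbird requirement: a user ID must carry the address."""
    address = address.lower()
    return any(m.lower() == address for uid in user_ids for m in ADDR_RE.findall(uid))


def choose_key(keyring, rules, address):
    """keyring maps key id -> list of user IDs (a constructed stand-in for a real
    keyring). Alias rules are consulted first; otherwise a key is usable only if
    one of its user IDs contains the address, so a key whose only user ID is a
    bare name (like "firstname") is never selected without an alias rule."""
    for kid in resolve_aliases(rules, address):
        if kid in keyring:
            return kid
    for kid, uids in keyring.items():
        if uid_contains_address(uids, address):
            return kid
    return None


if __name__ == "__main__":
    rules = load_rules(SAMPLE_ALIASES_JSON)
    print("problems:", validate_rules(rules))
    keyring = {"0x0123456789ABCDEF": ["firstname"],
               "0xFEDCBA9876543210": ["Other Person <other@nowhere.net>"]}
    print(choose_key(keyring, [], "firstname@domain.com"))     # None: no email in the user ID
    print(choose_key(keyring, rules, "firstname@domain.com"))  # 0x0123456789ABCDEF via alias rule
```

Running the script shows the two outcomes the thread is about: with no alias file the "firstname" key is not found for firstname@domain.com, and with the alias rule it is. The validator is deliberately strict about key id and fingerprint shape, since a rule that silently matches nothing is the same failure the reporter hit, just harder to notice.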
Comment 5•4 years ago
The terms used in this bug are ambiguous, we need to clarify what we're talking about.
The subject talks about "certificate", a term that is typically used with S/MIME. I guess that's the reason why Christian talked about S/MIME.
dscotese: What kind of encrypted email are you trying to send, S/MIME or OpenPGP ?
Comment 6•4 years ago
Ok, after reading comment 4, it seems clear that you are talking about OpenPGP.
It seems you are using the term "certificate" for what Thunderbird OpenPGP usually calls "OpenPGP public key".
Currently the interactive user interface of Thunderbird OpenPGP requires that a correspondent's key must contain the email address you're sending the email to, or Thunderbird won't offer to use the key.
You are already aware of the OpenPGP Alias feature. I understand you're asking that it should be easier to discover this advanced mechanism, and that Thunderbird should interactively explain its requirement.
(In reply to Kai Engert (:KaiE:) from comment #5)
> The terms used in this bug are ambiguous, we need to clarify what we're talking about.
> The subject talks about "certificate", a term that is typically used with S/MIME. I guess that's the reason why Christian talked about S/MIME.
> dscotese: What kind of encrypted email are you trying to send, S/MIME or OpenPGP ?
Open PGP.
Also, I use Kleopatra for key management, and it calls the PGP Public Keys "Certificates." Hence the naming mismatch. I don't know if other software calls public keys "certificates." If so, we could help educate users by pointing out that "certificate" has both meanings and to mind the difference.
Comment 8•3 years ago
Wasn't this already resolved in Bug#1718802? If not, what's the difference?
Comment 9•3 years ago
(In reply to nf from comment #8)
> Wasn't this already resolved in Bug#1718802? If not, what's the difference?
agreed