gpg encryption unreasonable limitations without option to turn off
Categories
(MailNews Core :: Security: OpenPGP, enhancement)
Tracking
(Not tracked)
People
(Reporter: lawmanukdc, Unassigned)
Details
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36
Steps to reproduce:
gpg encryption fails if:
- recipient email doesn't match keys available (should allow me to select key manually like fairmail android does)
- all recipients don't have pgp key. I need to send to bcc: no-reply@addy.io (with their pgp key) who will decrypt and send in plain text to the recipient in original to: field. This allows all sent item copies to remain encrypted even if recipient doesn't have pgp key
- sender account doesn't match pgp keys available. This stops me using pgp key without an email id for multiple alias email account to send from. (again which fairmail android allows)
I think all these features used to exist under enigmail and still do in fairmail/claws but have been unhelpfully limited without option to allow by user in thunderbird.
I'm using version 140.7.0esr which is the latest in debian testing.
Actual results:
gpg encryption fails if:
- recipient email doesn't match keys available
- all recipients don't have pgp key.
- sender account email doesn't match pgp keys available.
Expected results:
allow options like fairmail/claws does:
- if recipient email doesn't match keys available, then allow to select from pgp key ring.
- allow encryption even if all recipients don't have pgp key, with warning. I need to send to bcc: no-reply@addy.io (with their pgp key) who will decrypt and send in plain text to the recipient in original to: field. This allows all sent item copies to remain encrypted even if recipient doesn't have pgp key
- allow user to assign pgp key to account regardless of pgp id having same email as account or no email in user id.
I think all these features used to exist under enigmail and still do in fairmail/claws but have been unhelpfully limited without option to allow by user in thunderbird
Comment 1•1 month ago
For #1, it is possible, using aliases. https://support.mozilla.org/en-US/kb/openpgp-recipient-alias-configuration
For #2, alias should do it as well I think.
For #3, I don't know why you'd do that, but you're in control of your identity so you can set up the correct keys for that.
If you don't have the correct keys yourself, you're just setting up the secure communication to be unreasonable for all parties.
For #1 -
a) aliases are one solution which is useful in some scenarios (although I can't get this to work so far despite following instructions here: https://monogr.ph/6987e1d2d8a1cbd65d714719 and here: https://support.mozilla.org/en-US/kb/openpgp-recipient-alias-configuration)
b) The problem with above is that it doesn't let you select keys on the fly if needed for one off scenarios. Fairmail android and claws allow this. Could on the fly manual selection of encryption key be permitted?
For #2, in theory this should work with alias. So far not working for me despite creating json.
For #3, the reason for #3 is that a person can use multiple email addresses including alias emails from addy.io etc. with one pgp key. It's impractical to set up a new pgp key for each alias. Claws lets you assign pgp key to account by key id rather than email address. Additionally, email address can't be left in pgp key if using alias emails to reduce junk mail, otherwise it discloses the original email address.
All of above are allowed by both fairmail android and claws email with on the fly selection of recipient and assigning pgp key id to account rather than by email address.
Would be extremely helpful in thunderbird too.
Comment 3•1 month ago
There is bug 1755646.
But other than that, I'm not sure what you try to achieve here. IMHO it means breakdown of how encrypted email is supposed to work. If you don't pair a key to an email you can only achieve some special scenarios and such practices are bad for the whole ecosystem.
As I understand it, bug 1755646 relates to a GUI to add additional identities with emails to a pgp key.
A pgp key is encrypted to a single controlling person, not a single email - hence the existence of the feature to add multiple emails to a single key already being in gnupg. This is also the reason why bug 1755646 is needed by the user that raised it.
Users should have the choice of using their pgp key for multiple emails with privacy. Without this, alias services encryption becomes pointless.
Special scenarios like above allow user choice. Choice and freedom are good for privacy via anonymity and encryption.
I couldn't edit above response, but to clarify, this request isn't to add more emails to pgp key.
GnuPG already allows creating of pgp keys without email address which works perfectly for the privacy intended.
Claws email and fairmail android already allow assigning keys to sender/recipient without correlating email in pgp key.
This request is simply to match the current capabilities in claws/fairmail to allow greater privacy, use of alias email services and user choice.
Comment 6•1 month ago
If you use email alias services or such, it seems best to just set up a key for that anonymous alias.
Otherwise you're pushing a lot of problems onto the recipient, who would also have to take (if supported) steps to associate a random key with your throwaway email, to be able to reply. That seems a bad tradeoff for secure communications, sorry.
Hi Magnus,
Thanks for the response.
The objection has 2 logical flaws.
- If thunderbird allowed user choice, the problem wouldn't be pushed to recipient. Instead it would be resolved for both sender and recipient alike who could use thunderbird. Fairmail and Claws already allow this, as do Neomutt, AERC and others I believe. I just happen to prefer thunderbird.
Not allowing user choice is what's limiting secure private communications.
- Alias services like addy.io aren't throwaway emails. They promote a tool against junk mail and greater privacy of real email address. To create a separate pgp key for each alias is impractical.
I do hope you reconsider the position. The very fact that GnuPG recognises multiple emails might be required by one controlling person, highlights that an email address should not be the limitation of a gpg key in principle.
On a separate note, I think thunderbird might already allow what I'm seeking albeit in a convoluted inaccessible way for most people.
a) Sending key can be untied from email address, by putting key id into the config editor. I have to test if this will work fully.
b) Receiving key can be untied from the alias email recipient, by using alias pgp config file in the config editor. This works for others but not me so far.
If the above works, then thunderbird already provides this so a principled objection couldn't be sustained. The request would then simply be to make this feature more accessible via easier gui as already available.