Hello Bardot,
please let me explain my original message in more detail, because there
might have been a misunderstanding.
We don't suggest to automatically enable encryption for emails.
The OpenPGP feature enhancement will allow the *optional* use of
encryption and digital signatures.
However, to offer the OpenPGP feature to users, the functionality should
be considered sufficiently stable and complete.
We're not there yet. We'd like to take two more months to develop
further improvements for the new OpenPGP feature.
The usual time to release new features is at the time of a new major
release. So the natural timing would be the 78.0 release, which is
scheduled for end of June.
However, because the schedule of the 78.0 release depends on external
factors (we don't want to change the schedule of the 78.0 release), and
because the new OpenPGP feature isn't yet sufficiently complete, we want
to deviate from that usual approach.
To prevent that users will discover and use a feature, we have the
technical ability to disable the feature, and hide it in the user interface.
That's what we suggest to do: For the initial Thunderbird 78.0 release,
don't yet offer the new OpenPGP feature by default. Keep it disabled by
default. Hide the related user interface by default. Make it impossible
for users to discover the new feature.
Nevertheless, the feature is included in the shipped product. It's just
disabled by default.
We'd also add a new (hidden) configuration option. Users of Thunderbird
78.0, who are willing to test the feature and accept the limitations,
would be able to change that hidden configuration option, and be able to
make use of the OpenPGP feature.
The suggestion is to keep the functionality fully turned off and hidden
by default, for both the Thunderbird 78.0 and 78.1 releases.
However, because the old Thunderbird 68.x version will no longer get
security updates after September, and because the Enigmail OpenPGP
Add-on can no longer be used with Thunderbird 78.x, we want to deliver
the new functionality in Thunderbird 78.x as soon as possible, this
year, before support for Thunderbird 68.x ends.
We hope that Thunderbird 78.2 will be the version that can enable the
new OpenPGP feature by default, meaning, that the related user interface
will be enabled, that the automatic processing of arriving messages will
work, and that users will be able to discover the new feature.
The user would still be required to opt in, by using the Mail account
preferences to configure and enable the active use of the OpenPGP
feature for a specific Mail account.
While it's not unproblematic to delay exposing the built-in OpenPGP functionality, existing Enigmail users would have to take that choice: enable the preference to enable OpenPGP (accepting it's a bit rough around the edges), or use 68.x until the pref is on by default.
Delaying will give us more time to verify things function as they
should as well as doing some basic UI improvements.
-Magnus
Hello Kai,
You say that the functionality will be disabled and hidden AND Enigmail can no longer be used. For users who use OpenPGP for some messages, that means they will see a major regression if they want to be early adopters of 78.x but can't assume risk of using beta.
I'm not sure I totally understand this point. Is it the new
encryption that you don't trust during beta, or Thunderbird code
that you don't trust?
You understand that what will soon be running during the 78 beta
period is not much different from what will actually ship in
78.0?
Do you also know that you can run two releases concurrently?
Another question is future use of GPG4Win, GPA & Kleopatra which are
companions of Enigmail for Windows OS. Will keyring be shared with OpenPGP?
Jacques
Le 28/05/2020 à 01:57, Kai Engert a écrit :
> Or we could try to add a check to Thunderbird 78 that is executed very
> early during the startup code (before any profile migration code
> runs), which checks if the Enigmail Add-on is present in the profile.
> If it is, show a warning "You have the Enigmail Add-on installed,
> which is no longer supported by this version of Thunderbird.
> Integrated OpenPGP support is under active development, and expected
> to be ready by August-25. Please continue to use TB 68 until
> August-25. Thunderbird will now quit."
_______________________________________________
So best practice would be for everything to leave a Thunderbird decrypted. But that needs to be very clear to the user.
I think I’d be more comfortable with an external private key, but I’m also really interested in a working configuration that’s maintainable.
T
Sent from my iPad
> On 28 May 2020, at 20:36, Kai Engert <ka...@kuix.de> wrote:
You will have the ability to import your existing secret key into
Thunderbird (export from GnuPG with --armor).
And also, if a user has initially created the secret key inside
Thunderbird, you will have the ability to backup/export your secret key,
and import it into GnuPG.
Would that work for your scenario?
Jacques
Le 28/05/2020 à 23:59, Matt Connell a écrit :
> Apologies if this is an obvious question; I may have missed the answer
> in the thread.
>
> Does this affect Linux users?
>
> That is to say, will there be an option to use GnuPG, as I am doing
> now with Enigmail? I would guess that I am not alone in using my GPG
> keys for other uses/applications other than Thunderbird, and I would
> hate to have to maintain a separate subkey if Thunderbird can't
> utilize the existing GPG agent.
Le 29/05/2020 à 12:33, TT Mooney a écrit :
> What about the use case of people saving GPG encrypted attachments (or email archives) out of Thunderbird? They won’t be able to decrypt them externally, I take it.
>
> So best practice would be for everything to leave a Thunderbird decrypted. But that needs to be very clear to the user.
>
> I think I’d be more comfortable with an external private key, but I’m also really interested in a working configuration that’s maintainable.
>
> T
On 28.05.20 01:03, Ben Bucksch wrote:
What about those Enigmail users who *do* manually install TB 78.0? They cannot use Enigmail anymore. They cannot downgrade anymore, because TB blocks profile downgrades. They are stuck without any encryption. They cannot even read their encrypted mail. I am talking specifically about those.
You're right that we should think about those users, and try to minimize the number of users who will run into that situation, but it seems difficult to completely avoid it.
Yes, we will wan to reduce that risk and provide a KB to get out of it if they find themselves in that predicament.
Enigmail could open a tab (each time Thunderbird gets started) with a warning that says "reminder, please continue to use Thunderbird 68.x until August-25 because ...".
Or we could try to add a check to Thunderbird 78 that is executed very early during the startup code (before any profile migration code runs), which checks if the Enigmail Add-on is present in the profile. If it is, show a warning "You have the Enigmail Add-on installed, which is no longer supported by this version of Thunderbird. Integrated OpenPGP support is under active development, and expected to be ready by August-25. Please continue to use TB 68 until August-25. Thunderbird will now quit."
Delaying the stable 78.x release until OpenPGP is sufficiently complete would be an easier and more reliable approach (e.g. declare 78.0 and 78.1 as beta versions), but in my understanding this isn't an option.
Kai
So Kai, Patrick, myself and others have discussed release
planning and the following is a draft plan (emphasis on draft,
subject to change). There will certainly also be point releases
as needed along the way which are not listed. Apologies for the
strange outline numbering, that's how it copied from the doc and
it's too painful to fix.
Steps (dates approximate, provided for planning purposes):
77 beta May 5
OpenPGP landed and available for testing
78 beta June 2
OpenPGP testing goals
Migration of keys and settings from Enigmail (that’s a good test case for TB/RNP because it tests the broad variety of keys that people have)
Key import & export
Email encryption
Email decryption
Testing instructions will be listed at https://wiki.mozilla.org/Thunderbird:OpenPGP - can be enabled by user.
OpenPGP documentation and location for user support will be provided at https://wiki.mozilla.org/Thunderbird:OpenPGP.
Have we gotten enough encryption beta testers and what is the quality of the feedback? Do we need to ask testers for something different? And where do we communicate to ask them?
68.9.0 (concurrent with 78 beta)
Enigmail x.y informs users not to attempt manual update via strongly worded notification
78.0 June 30 (concurrent with 68.10.0)
OpenPGP support disabled by default - can be enabled by user. Enigmail migrator migrates user data to OpenPGP.
68 to 78 background update rate set to 0
Have we gotten enough new encryption testers and feedback?
78.1.0 July 28 (concurrent with 68.11.0)
OpenPGP support disabled by default - can be enabled by user. Enigmail migrator migrates user data to OpenPGP.
68 to 78 background update rate set to 0(?)
Have we gotten enough new encryption testers and feedback?
78.2.0 August 25 (concurrent with 68.12.0)
OpenPGP support enabled by default
Enigmail migrator migrates user data to OpenPGP.
68 to 78 background update rate set to <TBD>?
78.3.0 Sept 22 (no 68.x to be released)
OpenPGP enabled / further refinement
68 to 78 background update rate set to <TBD>?
68 EOL
Enigmail EOL - at least 6 months after TB 68 EOL
Hello Kai,
While a commandline would work for me, I don't think it would work for
the majority of users. Most users never use the commandline. Any
features available there simply don't exist for them. This applies to
many of the Enigmail users. There are journalists, Amnesty
International, and many others who need encryption, but are not deep
into computers.
I think an import/export feature would be important. It doesn't have to
be complicated technically. You could just invoke gpg on the
commandline, run the export --armor command that you think the user
should do, catch the output on stdout, and process it to import the keys
into our / OpenPGP key store. And probably vise versa.
That would allow users to have a seamless and interruption free mail
experience would be important. If not, the user might find herself in a
situation where she cannot decrypt her own mail. Either because she uses
K9 Mail on Android, or because she wants to decrypt old mail. Also, you
are surely aware that the PGP world is particularly dependent on key
continuity, and creating new keys for our users is about the worst thing
we can do for the PGP ecosystem. So, key import and export are crucially
important for the health of the system, from day 1. Once the user has 2
separate keys, the mess is there, and it's difficult to undo. Alice has
to eternally deal with 2 decryption keys, and the trust is shaken.
I think a GPG import/export feature is actually more important than a
key management UI for OpenPGP. As long as you can only import the GPG
keys and decrypt/verify and encrypt/sign mail this way, the user can
already be productive, and mail exchange is not disturbed. If you create
new keys, mail exchange is disturbed massively, and the user might still
get mail that she cannot decrypt.
Instead of asking the user to make some simply commandline commands, I
think it's a good time investment to implement that in software.
Enigmail already has the path to the gpg executable, so you just need to
invoke a shell command from JS and redirect stdout.
For existing Enigmail users the plan is to auto-import their existing
keys. This will happen through the Enigmail78 version which will just be
a migrator.
I think Kai was just referring to what one can do at the moment.
-Magnus
Correct, delaying releasing 78 for 1-2 months isn't an option.
It seems to me the idea you mention above is a very good one, give users an opportunity to opt out when starting up 78 and be able to go back to 68. But we are now past string freeze, so we need to very quickly navigate that issue.
I would not include dates - dates can change. I wouldn't even
mention releases. We can communicate that information in the
existing enigmail add-on when we know everything is ready.
give users an opportunity to opt out when starting up 78 and be able to go back to 68.
So the steps for 78.0 and 78.1 need to add
d. Inform engimail users that they might not want to be using
version 78, and offer link to instructions of how to get back to
version 68.
68.9.0 (concurrent with 78 beta)
Enigmail x.y informs users not to attempt manual update via strongly worded notification
This made the frontpage of the largest IT news site in Germany:
https://www.heise.de/news/Enigmail-warnt-Nutzer-vor-manuellem-Update-auf-Thunderbird-78-4799240.html
The biggest security threat these days is that people or vendors do not make updates. Many Thunderbird users are reluctant to make updates, because they fear regressions. I am scared that this message will reinforce the idea of users that updates are bad. It is this idea in the user's minds that causes the security disasters.
I don't see anything in that article that is incorrect. The
message we wanted to get out is that in no uncertain terms should
Enigmail users update to 78 on their own at this time. When the
time is right, the messaging in Engimail will change as will our
external messaging, and users will be automatically updated to 78.
Enigmail is mentioned in the heise article several times, thankfully. If non-Enigmail users think from that article that they shouldn't update then apparently they don't know how to read.
That said, if there is better messaging then now is the time to
provide it. Ryan's blog post will be going out soon.
Am 26.05.20 um 19:36 schrieb Kai Engert:
We hope that Thunderbird 78.2 will be the version that can enable the
new OpenPGP feature by default, meaning, that the related user interface
will be enabled, that the automatic processing of arriving messages will
work, and that users will be able to discover the new feature.
Can I kindly ask, what the status of the OpenPGP implementation is, now
that ESR had reached 78.2.0?
We decided to take one more important pgp patch for 78.2.0, and
therefore have delayed the enabling of OpenPGP by default to
78.2.1.