Re: TB weirdness
When I want to sign or encrypt a message, I am still a fan of writing it out and performing these actions from within gpa, and then cutting and pasting the encrypted text into my messages. Any other method leaves you to trust third parties to handle your keys responsibly, which has been proven time and again unreliable, as is being pointed out here.

No, it doesn't encrypt MIME data or attachments, and I feel like that is desirable. I don't personally want my MIME data or signature to be encrypted. They are predictable anyway and that is a major liability. You can encrypt your attachments independently.

Unfortunately, Thunderbird has for a while now flagged "inline encryption" as of questionable integrity, partly since the MIME data isn't verifiable.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: TB weirdness
On 24.02.2022 17:59, Robert J. Hansen via Gnupg-users wrote:
> > Sounds like a defect to me, do you have a problem report ticket with Thunderbird or a forum entry which described the problem in more detail (like which version is affected).
>
> It turns out the actual behavior is a little different than I originally described. If you have a valid certificate with a given email address, and a revoked certificate (or certificates) with that same email address, it will silently add the revoked certificates, as well as the valid one, to your email. This is still a bad idea.
>
> On the other hand, Thunderbird now says it's a deliberate choice on their part, so...

In one word: broken by design. :-(
Re: TB weirdness
On 24/02/2022 16:59, Robert J. Hansen via Gnupg-users wrote:
> > Sounds like a defect to me, do you have a problem report ticket with Thunderbird or a forum entry which described the problem in more detail (like which version is affected).
>
> It turns out the actual behavior is a little different than I originally described. If you have a valid certificate with a given email address, and a revoked certificate (or certificates) with that same email address, it will silently add the revoked certificates, as well as the valid one, to your email. This is still a bad idea.

I can confirm this happened to me when I specifically ticked "Attach my public key" in TB's composer - it also attached the revocation cert for an ancient key that I still have in my keyring but never used for anything.

--
Andrew Gallagher
Re: TB weirdness
> Sounds like a defect to me, do you have a problem report ticket with Thunderbird or a forum entry which described the problem in more detail (like which version is affected).

It turns out the actual behavior is a little different than I originally described. If you have a valid certificate with a given email address, and a revoked certificate (or certificates) with that same email address, it will silently add the revoked certificates, as well as the valid one, to your email. This is still a bad idea.

On the other hand, Thunderbird now says it's a deliberate choice on their part, so...
Re: TB weirdness
Hi Vincent,

On Thursday 24 February 2022 13:27:08, Vincent Breitmoser via Gnupg-users wrote:
> > Overall I believe that attaching pubkeys (like autocrypt proposes) is not
> > a good idea (the arguments put forward elsewhere).
>
> For the record, Autocrypt does not attach public keys, it includes them in
> headers.

Thanks for the correction.

> I concur that attaching public keys is a bad idea.

I meant that conveying the pubkey with each email is suboptimal, may it be in the header, as attachment or elsewhere. This is what autocrypt does if I remember correctly.

> I haven't tested this myself but from a quick check with someone who uses
> Thunderbird they couldn't verify this claim. Maybe this just happens on
> some versions? Either way I wouldn't assume it's intended behavior.

This is helpful information, I agree that we should have more specific information because we can "warn" about the behaviour. Do you know which version was tested by chance?

Best Regards,
Bernhard

--
www.intevation.de/~bernhard +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: TB weirdness
> Overall I believe that attaching pubkeys (like autocrypt proposes) is not a
> good idea (the arguments put forward elsewhere).

For the record, Autocrypt does not attach public keys, it includes them in headers. I concur that attaching public keys is a bad idea.

> apparently, Thunderbird is a big fan of attaching public certificates
> (and/or revocation certificates, for revoked keys) to outgoing emails
> for *every private certificate on your keyring*, regardless of whether
> that private key is actually associated with the account in question.

I haven't tested this myself but from a quick check with someone who uses Thunderbird they couldn't verify this claim. Maybe this just happens on some versions? Either way I wouldn't assume it's intended behavior.

- V
Re: TB weirdness
On Thursday 17 February 2022 17:35:53, Robert J. Hansen via Gnupg-users wrote:
> Thunderbird doesn't use GnuPG.

For some operations it still can (be configured to do so). Anyway, we do have a wiki page for hints
https://wiki.gnupg.org/EMailClients/Thunderbird

> However, for those who do:
> apparently, Thunderbird is a big fan of attaching public certificates
> (and/or revocation certificates, for revoked keys) to outgoing emails
> for *every private certificate on your keyring*, regardless of whether
> that private key is actually associated with the account in question.
>
> This has the potential to leak personal information, especially if
> you're in a use case where you have two or more keys presenting
> different pseudonymous identities. Without knowing it, you might
> accidentally reveal you're the common actor behind both.

Sounds like a defect to me, do you have a problem report ticket with Thunderbird or a forum entry which described the problem in more detail (like which version is affected).

Overall I believe that attaching pubkeys (like autocrypt proposes) is not a good idea (the arguments put forward elsewhere).

Thanks for your warning, what about if we put it on our wiki page?

Regards,
Bernhard

--
www.intevation.de/~bernhard +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
TB weirdness
Yes, I know, Thunderbird doesn't use GnuPG.

However, for those who do: apparently, Thunderbird is a big fan of attaching public certificates (and/or revocation certificates, for revoked keys) to outgoing emails for *every private certificate on your keyring*, regardless of whether that private key is actually associated with the account in question.

This has the potential to leak personal information, especially if you're in a use case where you have two or more keys presenting different pseudonymous identities. Without knowing it, you might accidentally reveal you're the common actor behind both.

I apologize for bringing the non-GnuPG content to the list, but please make sure your correspondents are aware of the possible risk in how Thunderbird likes to attach public certificates.

That's all. Thank you!
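An added example, not part of the original thread and not Thunderbird or GnuPG code: a check for a saved outgoing message that lists every primary key, with its user IDs, found in key attachments, so that more than one entry shows unrelated identities travelling together. It assumes keys are attached as ASCII-armored `application/pgp-keys` MIME parts; the function names and the sample message with two fake keys are constructed for illustration.

```python
import base64, email, email.message, hashlib, re
ARMOR = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n%s-----END PGP PUBLIC KEY BLOCK-----\n"

def dearmor(raw):
    """Raw packet bytes of all armored key blocks (armor headers and CRC line skipped)."""
    blocks = re.findall(rb"-----BEGIN PGP PUBLIC KEY BLOCK-----(.*?)-----END", raw, re.S)
    rows = re.compile(rb"^[A-Za-z0-9+/]+=*\r?$", re.M)   # base64 rows only
    return b"".join(base64.b64decode(b"".join(rows.findall(b))) for b in blocks)

def packets(data):
    """Yield (tag, body) per OpenPGP packet; old and new headers (RFC 4880 sec. 4.2)."""
    i = 0
    while i < len(data):
        hdr, first = data[i], data[i + 1]
        if not hdr & 0x40 and (hdr & 3) != 3:            # old format: 1/2/4 length octets
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            n, i = int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        elif hdr & 0x40 and first < 192:                 # new format, one length octet
            tag, n, i = hdr & 0x3F, first, i + 2
        elif hdr & 0x40 and first < 224:                 # new format, two length octets
            tag, n, i = hdr & 0x3F, ((first - 192) << 8) + data[i + 2] + 192, i + 3
        elif hdr & 0x40 and first == 255:                # new format, four length octets
            tag, n, i = hdr & 0x3F, int.from_bytes(data[i + 2:i + 6], "big"), i + 6
        else:
            raise ValueError("partial or indeterminate length in key material")
        yield tag, data[i:i + n]
        i += n

def attached_keys(raw):
    """(v4 fingerprint, [user IDs]) for each primary key in application/pgp-keys parts."""
    keys = []
    for part in email.message_from_bytes(raw).walk():
        if part.get_content_type() == "application/pgp-keys":
            for tag, body in packets(dearmor(part.get_payload(decode=True))):
                if tag == 6 and body[:1] == b"\x04":     # v4 primary public key
                    fpr = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body)
                    keys.append((fpr.hexdigest().upper(), []))
                elif tag == 13 and keys:                 # user ID of the key above
                    keys[-1][1].append(body.decode("utf-8", "replace"))
    return keys

def sample_message():  # constructed test input: one attachment with two fake, unrelated keys
    blob = b""
    for seed, uid in ((1, b"alice <alice@example.org>"), (2, b"nym <nym@example.net>")):
        key = b"\x04" + bytes(4) + b"\x16" + bytes([seed]) * 32   # not a real key
        blob += bytes([0xC6, len(key)]) + key + bytes([0xCD, len(uid)]) + uid
    msg = email.message.EmailMessage()
    msg.set_content("See you Friday.")
    msg.add_attachment(ARMOR % base64.encodebytes(blob), maintype="application", subtype="pgp-keys")
    return bytes(msg)
```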