On Nov 27, 2020, at 18:15, openpgp@couldbe.nulluser.com wrote:
> This seems so fundamentally wrong I'm having trouble understanding why the
> developer insists on doing it.

You seem to have different expectations from a mail client than the
Thunderbird people (and me).

> PGP passwords should not be stored on disk. (Security Issue)

That was agreed on. There should be a one-time master password unlock on
startup and then it should remain in memory (maybe indirectly so the pgp key
isn't unencrypted into memory all the time).

> -----------------------------
> Keeping PGP Private Key Passwords in memory per session is reasonable but
> saving them for automatic decryption along with account passwords is NOT!

It might be keeping the PIN, not the password. At least I think it should do
that.

> There is a big difference in expected privacy and security levels between
> an account password and a PGP Private Key Password!

That I don't see, because I want my email client to be able to read, index
and search all (decrypted) email.

> PGP passwords should not reside on disk anywhere! By rights, they should
> also be explicitly purged from memory upon exiting Thunderbird.

Yes.

> Actual results:
> Private PGP key automatically accessed without having to enter password
> after first use.

That is required for any usable mail client.

> Expected results:
> PGP Private Key Password should be solicited for manual entry upon every
> session.

Then you should maybe not use a mail client. If you can trust the mail client
briefly, you might as well trust it while running.

> PGP Private Key Password should reside only in memory per session.

Yes.

> PGP Private Key Password should be explicitly wiped from memory upon
> Thunderbird exit.

Yes.

> PGP passwords should not be stored on disk. (Security Issue)

PINs can be stored behind a master password.

> -----------------------------
> Using the master password will give you that. (See bug 1662272).
> Of course, if you really care about what's written to disk, you should not
> rely on that, but use full disk encryption.
> Status: UNCONFIRMED → RESOLVED
> Closed: 1 hour ago
> Resolution: --- → INVALID
> -----------------------------
> No, the master password does NOT "give me that," you are degrading security!

I disagree. Having hundreds of emails encrypted with pgp without being able
to search them makes the whole email setup useless. So to make it useful, use
full disk encryption and a master password to unlock the pgp passphrase for
new incoming emails or outgoing ones. Keep all emails decrypted.

> OpenPGP already has a strong security mechanism in the form of a Private
> Key Pass Phrase. Normal use of PGP/GPG/OpenPGP never involves writing that
> private key pass phrase to disk.

Unencrypted, I agree. Encrypted by Thunderbird is fine to me.

> First -- I do not want ALL of my secure email unlocked and exposed
> every time I run Thunderbird.

You want a feature where to read 100 emails you need to type 100 passphrases?
I don't think that is a reasonable email client feature.

> Second -- Full disk encryption only provides protection to dead systems.
> The drive is effectively decrypted while in use and its contents are
> subject to the same live access as any other drive.

Yes, so that you can read, index and search emails. Otherwise you have a
graphical interface to pgp - which is far from an email client experience.

> Third -- The Master password groups everything together at the same level.
> PGP Private keys demand a considerably higher level of security than access
> to Youtube or Reddit.

You seem to mistake Thunderbird for Firefox.
I believe the master password is as secure as the pgp passphrase method from
a cryptographic point of view.

> Fourth -- People have more than one Private Key. Recording all the private
> key pass phrases together yet again degrades security.

Thunderbird has different profiles. Don't those have different master
passwords?

> Ironically this doesn't require custom code development, Thunderbird
> already does the proper thing if there is no known private key. Simply
> remove the extra code that subverts everything by saving the Pass Phrase.

That's not what the majority wants for their email client. They want it to
store, index, read and search ALL emails without having to guess between 100
individually encrypted emails and needing to type their passphrase 100 times.
I agree the pgp passphrase or pgp private key should not be written to disk
ever, regardless of full disk encryption. But on your other points I
disagree. Pgp email is already too unusable. If it was usable, we all would
be defaulting to use it already. Even we don't do that - let alone average
end users.
Paul
_______________________________________________
openpgp mailing list
openpgp@ietf.org
https://www.ietf.org/mailman/listinfo/openpgp