0

As of Thunderbird 78, the support for PGP plugins such as Enigmail has been dropped in favour of a native implementation of PGP in Thunderbird's core. But some features of Enigmail are still missing. One of those features is to create something akin to Enigmail's per-recipient rules.[1]

This makes it impossible for people to use encrypted mailing lists, where subscribers encrypt messages with everybody else's public key.

People with an up-to-date Thunderbird will not be able to write to the list for a while, and I read on the Thunderbird blog that the old Thunderbird 68 will not receive further security updates.

So, I'm trying to come up with a workaround.

One idea I have is to create a new key-pair specifically for the mailing list's address and distribute both private and public keys to all subscribers of the list. Assuming that there are no removals from the mailing list in the near future, are there any security problems with this scheme?

Or is there a better solution?


[1]: This allows the subscribers of a mailing list to create a rule for the address of the mailing list and instruct Enigmail to encrypt any mail for a specific list of people on the list. It requires all users to maintain a copy of the subscriber list, adding and removing keys if the (managed) subscribers of the list proper change, but it works reasonably well for small lists that don't change too often.

bitmask
  • Regarding the VTC, this question is about the security aspect of a workaround. I'm not sure if this would be on topic on SU. – bitmask Oct 15 '20 at 17:15
  • Write a Bug Report. In the meantime you may have to simply perform the encryption outside of Thunderbird. Simply append many **--recipient** values via GPG command line, or whatever front-end you may be using. – user10216038 Nov 24 '20 at 22:02
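
The command-line route suggested in the comment above (repeated `--recipient` options), as an added example that is not part of the original thread. The subscriber-file format (one fingerprint or address per line, `#` for comments) and the function names are assumptions.

```shell
#!/bin/sh
# Added example: encrypt one message to every subscriber of a small list.
# Assumed list file: one key fingerprint or e-mail address per line;
# '#' starts a comment, blank lines are ignored.

# Print the cleaned subscriber IDs, one per line; reject anything unexpected
# (including entries that gpg could mistake for an option).
subscribers() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')
        case $line in
            '') continue ;;
            -*|*[!A-Za-z0-9@._+-]*)
                echo "invalid subscriber entry: $line" >&2; return 1 ;;
        esac
        printf '%s\n' "$line"
    done < "$1"
}

# Encrypt the message to all subscribers or to nobody: a subscriber without a
# public key in the local keyring aborts the run instead of being skipped.
encrypt_for_list() {
    list=$1 msg=$2
    ids=$(subscribers "$list") || return 1
    [ -n "$ids" ] || { echo "subscriber list is empty" >&2; return 1; }
    set --
    for id in $ids; do
        if ! gpg --batch --list-keys "$id" >/dev/null 2>&1; then
            echo "no public key for $id" >&2; return 1
        fi
        set -- "$@" --recipient "$id"
    done
    # Writes the ASCII-armored ciphertext next to the input as <msg>.asc
    gpg --batch --armor --output "$msg.asc" "$@" --encrypt "$msg"
}

# Usage: sh encrypt-list.sh subscribers.txt message.txt
if [ "$#" -eq 2 ]; then encrypt_for_list "$@"; fi
```
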

1 Answer

0

Schleuder is a group's email-gateway: subscribers can exchange OpenPGP-encrypted emails among themselves, receive emails from non-subscribers and send emails to non-subscribers via the list.

The consequence of this approach is that you need to really trust the provider that runs Schleuder: they could store and decrypt all emails that pass the lists, if they wanted.

For more information, please take a look at https://schleuder.org/schleuder/docs/concept.html

  • Yes, I am aware of Schleuder, although I haven't deployed it yet. The issue is, as you note, that it has to run on a fully trusted server, which is a single point of failure and requires maintenance work and a dedicated server. The latter of which cannot necessarily be provided by a given mailing list. – bitmask Oct 22 '20 at 17:08