#StackBounty: #email #pgp #enigmail #thunderbird How to workaround Thunderbird 78's lack of support for encrypted mailing lists?

Bounty: 50

As of Thunderbird 78, the support for PGP plugins such as Enigmail has been dropped in favour of a native implementation of pgp in Thunderbird’s core. But some features of Enigmail are still missing. One of those features is to create something akin to Enigmail’s per-recipent rules.[1]

This makes it impossible for people to use encrypted mailing lists, where subscribers encrypt messages with everybody else’s public key.

Although people seem to be working on creating a patch for this, it seems unclear when this will be available in mainline given that it is being worked on for over 4 months. Hence, people with an up-to-date Thunderbird will not be able to write to the list, and I read on the Thunderbird blog that the old Thunderbird 68 will not receive further security updates.

So, I’m trying to come up with a workaround.

One idea I have is to create a new key-pair specifically for the mailing list’s address and distribute both private and public keys to all subscribers of the list. Assuming that there are no removals from the mailing list in the near future, are there any security problems with this scheme? Intuitively it seems wrong to give several people access to a private key but I cannot think of a new attack that would be possible compared to the old scheme.

Or is there a better workaround?


[1]: This allows the subscribers of a mailing list to create a rule for the address of the mailing list and instruct Enigmail to encrypt any mail for a specific list of people on the list. It requires all users to maintain a copy of the subscriber list, adding and removing keys if the (managed) subscribers of the list proper change but it works reasonably well for small lists that don’t change too often.


Get this bounty!!!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.