Migration to OpenPGP for Protecting Email Messages

2020-12-19 00:00:00 -05:00 by Nanoman

Sending an email message is as risky as sending a postcard. Anybody can put your address in the From header of a message they send, and anybody who controls one of the mail servers or network links that relay a message from you to your recipients can read it and modify it in transit, because ordinary email carries no proof of who wrote it and no protection of its contents.

If you and/or your correspondents need to be able to trust the authenticity of an email message, then the message should be digitally (cryptographically) signed: a valid signature proves which key produced the message and that its text has not been altered since. If the contents of an email message need to be secret, then the message should be encrypted to the recipient's public key, so that only the holder of the matching private key can read it. Note that both mechanisms protect the message body and attachments only; the envelope and headers (sender, recipients, and usually the subject) still travel in the clear.
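The following is an added example, not code from the original page or from Nanoman, showing the two operations described above with GnuPG: a message is clearsigned and verified, a copy altered "in transit" fails verification, and a message encrypted to the recipient is unreadable without the recipient's key. It assumes gpg 2.1 or later on the PATH; the identities alice@example.invalid and bob@example.invalid are constructed for the demonstration and live only in a temporary keyring.

```shell
#!/bin/sh
# Added example (not from the original page): sign, verify, encrypt and
# decrypt a short message with GnuPG in a throw-away keyring.
# Assumes: gpg 2.1 or later on PATH. Both identities are constructed here
# and exist only inside this temporary GNUPGHOME.
set -e

GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

# gpg wrapper for non-interactive use: no prompts, no passphrase on the test keys.
gpg_b() { gpg --batch --quiet --no-tty --pinentry-mode loopback --passphrase '' "$@"; }

ALICE='alice@example.invalid'   # sender (constructed identity)
BOB='bob@example.invalid'       # recipient (constructed identity)

# Constructed keys: a signing primary key plus an encryption subkey, never expiring.
gpg_b --quick-generate-key "Alice <$ALICE>" default default 0
gpg_b --quick-generate-key "Bob <$BOB>"     default default 0

# Authenticity: clearsign a message with the sender's key. Prints the signed text.
sign_message() { printf '%s\n' "$2" | gpg_b --local-user "$1" --clearsign; }

# Verify a clearsigned file. Exit status 0 only for a GOOD signature;
# any change to the signed text after signing makes this fail.
verify_message() { gpg_b --verify "$1" 2>/dev/null; }

# Confidentiality: encrypt to the recipient's public key (ASCII-armored output).
# --trust-model always skips the web-of-trust check; acceptable here only
# because the key was generated in this keyring moments ago.
encrypt_message() { printf '%s\n' "$2" | gpg_b --trust-model always --recipient "$1" --armor --encrypt; }

# Decrypt with the matching secret key; prints the plaintext.
decrypt_message() { gpg_b --decrypt "$1" 2>/dev/null; }

# Simulate a relay that rewrites the amount in a signed invoice.
tamper_with() { sed 's/100 EUR/900 EUR/' "$1"; }

MSG='Invoice 42: please pay 100 EUR'
sign_message "$ALICE" "$MSG"        > "$GNUPGHOME/signed.asc"
tamper_with "$GNUPGHOME/signed.asc" > "$GNUPGHOME/tampered.asc"
encrypt_message "$BOB" "$MSG"       > "$GNUPGHOME/secret.asc"

# In practice, check each case by its exit status:
#   verify_message "$GNUPGHOME/signed.asc"     -> 0 (good signature)
#   verify_message "$GNUPGHOME/tampered.asc"   -> non-zero (bad signature)
#   decrypt_message "$GNUPGHOME/secret.asc"    -> prints $MSG
```

The `--trust-model always` flag is the one line a practitioner should not copy into a real setup: outside this throw-away keyring, encrypting to a key that has not been verified (by fingerprint, in person or through a trusted channel) silently protects the message for whoever actually controls that key, which is exactly the spoofing problem signing and encryption are meant to solve.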

For digitally signing and/or encrypting email messages, the two most popular standards are OpenPGP and S/MIME. We used and recommended S/MIME from 2006-07-02 until 2020-03-17 because Mozilla Thunderbird had built-in support for it, whereas OpenPGP then required the separate Enigmail add-on, and we believed that S/MIME would be easier to deploy and support.

S/MIME itself worked very well for us and our customers, but there were external problems that severely diminished its practicality. By 2020-03-17, these external problems made S/MIME practically unusable for us, so we switched to OpenPGP, and we began to migrate all our S/MIME customers to OpenPGP.

On 2020-07-17, Mozilla Thunderbird version 78.0 was released with built-in support for OpenPGP. There were problems with this version that made Thunderbird's OpenPGP implementation unusable for our customers, and these problems persisted until the 2020-12-15 release of version 78.6.0. Thunderbird now supports the minimum requirements of our OpenPGP customers, and more improvements are being developed.

We've updated our Mozilla Thunderbird guide to include instructions for configuring it with OpenPGP. We've also created our OpenPGP page to introduce OpenPGP concepts to people who have never used it, and to describe how to use these in Thunderbird. We created these pages to better serve our customers, so please contact us if you're a customer of ours who has any problems with these guides.

All our S/MIME certificates are now expired, and we've revoked them too. If you're a customer or a supplier of ours who needs to verify the authenticity of something that claims to have been digitally signed by us, or if you need to email us something encrypted, please contact us to request a copy of our OpenPGP public key.