I teach PGP e-mail encryption using Thunderbird and Enigmail every now and again. The first thing I tell people to do after installing Enigmail is to disable the setting “Always trust people’s keys”. I find this really insecure, as chances are quite high that someone accidentally imports an untrustworthy key either by clicking on an e-mail attachment or by refreshing a key from the keyserver with gpg using the short key ID by default. I teach people to always verify a key upon reception and then sign it so that it is marked as trusted.
Disabling this setting has the annoying side-effect that Enigmail won’t allow you at all to send encrypted e-mails to people whose keys you have not verified/signed yet. In some situations, sending such an e-mail makes sense though, for example when you haven’t had the chance to verify a key yet, or when you are actually trying to verify the key by sending a personal question to the person.
I would wish for a possibility to send an e-mail encrypted for an untrusted key. At the moment, when I try to send an e-mail to an address for which no trusted key has been found, a key selection dialogue comes up, where it is impossible to select untrusted keys. I think the best solution would be to have a dialog coming up instead that says “The key for test@example.com is not trusted. Would you like to send the e-mail anyways?”, having the buttons “Yes”, “No” and “Select different key”. I think with the existence of such a dialogue, the setting could be disabled by default to provide more security. Possibly the dialogue could contain a checkbox “Always trust people’s keys” that enables the setting.
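To make the distinction in the request above concrete, here is an added example (not part of the original report, and not Enigmail's or GnuPG's own code) that reads GnuPG's machine-readable key listing (the output of `gpg --list-keys --with-colons`) and decides, per recipient, whether a key is usable under a "verified keys only" policy or only under "always trust people's keys". The listing text and all key IDs, fingerprints and addresses are constructed sample data; the classification is an approximation of the two policies, not a description of Enigmail's internal logic.

```python
"""Classify recipient keys under two policies: 'verified keys only' (the
default the reporter recommends) versus 'always trust people's keys'.

Input is GnuPG's colon-separated listing format. The sample below is
constructed for this example; key IDs, fingerprints and addresses are made up.
"""
import re

# Constructed sample of `gpg --list-keys --with-colons` output (hypothetical data).
# pub record: field 2 = validity, field 5 = long key ID, field 9 = owner trust.
# uid record: field 2 = validity, field 10 = user ID string.
SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1500000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000123456789ABCDEF:
uid:u::::1500000000::AAAA::Alice Example <alice@example.com>::::::::::0:
pub:-:4096:1:FEDCBA9876543210:1500000000:::-:::scESC::::::23::0:
fpr:::::::::00000000000000000000FEDCBA9876543210:
uid:-::::1500000000::BBBB::Bob Example <bob@example.com>::::::::::0:
pub:f:2048:1:1111222233334444:1500000000:::-:::scESC::::::23::0:
fpr:::::::::00000000000000001111222233334444:
uid:f::::1500000000::CCCC::Carol Example <carol@example.com>::::::::::0:
pub:r:2048:1:5555666677778888:1500000000:::-:::scESC::::::23::0:
fpr:::::::::00000000000000005555666677778888:
uid:r::::1500000000::DDDD::Dave Example <dave@example.com>::::::::::0:
"""

# GnuPG validity codes: f = full, u = ultimate (key verified, directly or via a
# trusted signer); r/e/d/i mark keys that must never be used (revoked, expired,
# disabled, invalid); everything else (-, q, n, m, o) is "not verified".
VERIFIED = {"f", "u"}
UNUSABLE = {"r", "e", "d", "i"}


def parse_listing(text):
    """Parse colon-format records into a list of keys with their user IDs."""
    keys = []
    cur = None
    for line in text.splitlines():
        fields = line.split(":")
        kind = fields[0]
        if kind == "pub":
            cur = {"keyid": fields[4], "validity": fields[1], "fpr": None, "uids": []}
            keys.append(cur)
        elif kind == "fpr" and cur is not None:
            cur["fpr"] = fields[9]
        elif kind == "uid" and cur is not None:
            m = re.search(r"<([^>]+)>", fields[9])
            email = (m.group(1) if m else fields[9]).lower()
            cur["uids"].append((fields[1], email))
    return keys


def classify(keys, recipients, trust_all=False):
    """Map each recipient address to one of:
    ('ok', keyid)        - encryption allowed under the chosen policy
    ('untrusted', keyid) - a key exists but has not been verified/signed
    ('unusable', keyid)  - key is revoked/expired/disabled/invalid
    ('nokey', None)      - no key carries this address
    """
    result = {}
    for rcpt in recipients:
        rcpt = rcpt.lower()
        verdict = ("nokey", None)
        for key in keys:
            for validity, email in key["uids"]:
                if email != rcpt:
                    continue
                if validity in UNUSABLE:
                    verdict = ("unusable", key["keyid"])
                elif validity in VERIFIED or trust_all:
                    verdict = ("ok", key["keyid"])
                else:
                    verdict = ("untrusted", key["keyid"])
        result[rcpt] = verdict
    return result


if __name__ == "__main__":
    keys = parse_listing(SAMPLE_LISTING)
    rcpts = ["alice@example.com", "bob@example.com", "carol@example.com",
             "dave@example.com", "eve@example.com"]
    for policy in (False, True):
        print("always-trust =", policy)
        for addr, (status, keyid) in classify(keys, rcpts, trust_all=policy).items():
            print(f"  {addr:20s} {status:10s} {keyid}")
```

Under the "verified keys only" policy Bob's key is reported as untrusted and a message to him would be refused; with "always trust" it becomes usable, while Dave's revoked key stays unusable under both. The dialogue proposed above corresponds to the 'untrusted' case: the key exists, and the user, not the policy, decides whether to use it for this one message.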
I agree that this is confusing, especially for new/novice GPG users.
There are a few issues here: first, "always trust keys" probably should not be the default setting. Second, it isn't obvious to a novice user that they should not use a key they haven't verified. Third, I'm not entirely sure that Enigmail should enforce that policy if a user chooses to ignore it on a per-recipient basis.
I implemented a first part of this request: a new menu entry in the OpenPGP menu allows to trust all keys and only applies to the current message.