#256 Support explicit selection of subkeys (especially for encryption)

wont-fix
nobody
None
1.6.0
Enhancement
24.3.0
2.0.22
All
---
nobody
2016-04-13
2014-02-22
Yarny
No

For signing this is already possible by entering the id of a specific signing subkey in the format "0xdeadbeef!" in the openPGP identity settings box. However, it's not possible to select a specific subkey in the key choosing dialog boxes (for the identity or for encryption of mail). There is no way to select a specific subkey for email encryption, not even with recipient rules.

Support for explicit subkey selection would help the implementation of concepts like https://blog.dest-unreach.be/wp-content/uploads/2009/04/pgp-subkeys.html.
Maybe it's possible to extend the key selection dialog such that it shows subkeys in a tree-like structure.

Discussion

  • Patrick Brunschwig

    Enigmail aims to target "average" users, and I think this is a very specific request for a very small set of users.

    GnuPG does selection of subkeys automatically (e.g. revoked or expired subkeys are automatically ignored). I have not seen a single use-case where the automatic selection of subkeys in GnuPG would have been wrong.

     
  • Patrick Brunschwig

    • status: open --> wont-fix
     
  • Yankee

    Yankee - 2015-07-07

    Please reconsider implementing this feature. You've already added the ability to toggle "Expert Settings and Menus," I don't think it's too complicated for such an expert user to configure their own subkey selections. I was actually more confused that I could not select which subkey to use.

     
  • Giovanni Mascellani

    gpg2 is not able anymore to correctly choose subkeys (and developers do not want to fix this, see [1]: basically now gpg2 selects the most recent subkey, even if it is invalid, and of course it fails in that case). So it is enough to produce a new subkey and then revoke it to break enigmail. Can you please implement subkey selection?

    [1] https://bugs.gnupg.org/gnupg/issue1983

     
  • Giovanni Mascellani

    I wrote a small and stupid patch[1] to at least make me able to sign emails with Enigmail. I really cannot understand why this issue does not receive attention, given that it completely breaks everything for any situation just a little different from the standard one key with one subkey.

    [1] https://github.com/giomasce/enigmail/commit/6a3479673f91a1570eba1dbdcc4bfd379407c26e

    The patch is very crude and probably has a lot of problems, but at least you can select a signing subkey and have your outgoing email being signed even if you are not in the standard (often insecure) situation.

     

Log in to post a comment.