#500 can't save encrypted draft but can send encrypted to self

[Phillip Susi]

When thunderbird tries to auto save ( or I manually save ) a draft, enigmail complains that it can not find a non expired key for me to encrypt the message, yet I can send myself an encrypted mail and it has no trouble finding the key then.

[Phillip Susi]

Now this is weird. I poked around in gpg and noticed that my secondary identity had full trust but my primary had unknown ( why can two identities on the same key have different trust? ). I changed them both to ultimate and the problem saving drafts went away. Why does trust matter, and only for saving drafts, but not for sending encrypted mail?

[Ludwig Hügelschäfer]

What are your Enigmail preferences, especially in sending: "To send encrypted accept" (Only trusted keys | All usable keys)?

[Patrick Brunschwig]

I fixed this on master by unconditionally setting "trust-model always" for drafts. I'm not sure that this option was correctly handled before.

[Daniel Kahn Gillmor]

On Sun 2015-05-24 12:16:16 -0400, Patrick Brunschwig wrote:

I fixed this on master by unconditionally setting "trust-model always"
for drafts. I'm not sure that this option was correctly handled
before.

Out of curiosity, how is the targeted key selected for the draft? is it
by e-mail address or by full key fingerprint? or is it selected based
on the fact that the secret key is available?

If it is by e-mail address, consider the following case:

0) Alice sets up GnuPG and imports Bob's key (he's bob@example.org).
she's uses that to verify a message Bob posted elsewhere, and then
forgets all about GnuPG.

1) time passes:

2) Alice decides she needs a new GnuPG key, so she makes one with her
own e-mail address (she's alice@example.net) and she sets up
enigmail.

3) Bob updates his own key to add a (bogus) alice@example.net user ID.

4) Alice refreshes her keyring from the keyservers, pulling in Bob's
key's new alice@example.net user ID. Since it's earlier in the
keyring, gpg will select it first.

5) Alice starts writing a draft in enigmail (she hasn't even decided who
to send it to yet, so no address is in the To: line). the draft gets
saved in encrypted form.

If the choice of targeted key for the draft is by e-mail address, then
trust-model=always means that Bob can read the draft if he has access to
Alice's IMAP server.

This is not a great outcome.

   --dkg

[Patrick Brunschwig]

It depends on how the user specified the key in the account settings. If
a specific key is specified, then that's used; otherwise it's the
sender's email address.

The key ID is automatically set if you use the setup wizard or if you
create a key in Enigmail.

[Daniel Kahn Gillmor]

On Thu 2015-05-28 03:40:48 -0400, Patrick Brunschwig wrote:

It depends on how the user specified the key in the account settings. If
a specific key is specified, then that's used; otherwise it's the
sender's email address.

The key ID is automatically set if you use the setup wizard or if you
create a key in Enigmail.

if it's just the key ID, that sounds like another risky behavior. I've
opened #501 to track this other problem.

--dkg

[Phillip Susi]

Alice wouldn't have Bob's private key so it isn't an issue.

[Phillip Susi]

It was set to all usable keys.

[Patrick Brunschwig]

It may be an issue if Bob manages to create and send Alice a key or subkey containing the same ID. That's not so difficult with the short key ID anymore.