On 11/11/20 12:38 PM, Andrei Borzenkov wrote:
> 11.11.2020 22:45, Lew Wolfgang wrote:
>> Considering the PGP problems we've been hearing about, it was a relief to see that the smartcard ecosystem still works with the new Thunderbird version. All of my hundreds of saved public certs are still there and usable too!
>
> You mean that a) you have (a lot of) public keys on a smartcard and b) Thunderbird actually uses these keys and not public keys imported and managed by Thunderbird? While I somehow doubt the former [1], I guess it is possible; the latter is simply impossible according to all available information. Either you misinterpret what you see, or I would be really interested to know how to configure Thunderbird to use externally managed public keys.
>
> Or you are talking about a pre-78 version of Thunderbird that used external GnuPG, which continues to use the existing keyring and smartcard for existing *secret* keys.
>
> [1] Smartcards usually do not store public keys at all, and certainly not "hundreds" of them. They store a URL to fetch the public key corresponding to the secret key.
Sorry to be confusing. Correct, I was referring to public certs collected and stored by Thunderbird. The smartcard can store multiple public/private key sets, but only for the card owner. I've seen them store four, used for different purposes: ID, email encryption, and software signing are some of the purposes.

Thunderbird has collected and stored hundreds of smartcard public certs for me. It can harvest them from signed emails, LDAP, or online cert stores. You can also manually load and trust them using Thunderbird's certificate manager. It will also allow management of root certs, for example, untrusting and/or removing the Hong Kong Post Office root cert.

Note that Thunderbird maintains its own cert store, separate from Firefox. Chrome stores its own on Linux too. But in the Windows world, the operating system stores the certs in the registry. Firefox and Thunderbird for Windows maintain their own, as on Linux. Chrome currently uses Microsoft's cert store, but I just heard that Chrome will start using its own in a future release. They want to control their trust environment, not wanting to trust Microsoft to do it for them.

Regards,
Lew