Compare Revisions
Unsafe properties of OpenPGP keys might be ignored
Revision 242717 by firefox877 on
Revision 243256 by kaie on
Search results summary:
If Thunderbird unexpectedly reports that an OpenPGP key is expired, or isn't showing some expected properties, the key might have unsafe properties.
Content:
When processing OpenPGP keys, Thunderbird ignores key properties that were created using unsafe mechanisms.
Signatures created with outdated OpenPGP software may be based on unsafe algorithms. From version 91.8.0 onwards, Thunderbird no longer accepts OpenPGP signatures involving unsafe algorithms like the [https://en.wikipedia.org/wiki/SHA-1 SHA-1 hash algorithm] and created after 2019-01-15. This applies to signatures of OpenPGP messages as well as signatures of modified OpenPGP keys.
For example, if a key owner has updated the expiration date property of an OpenPGP key, the modification involves a signature that is added to the OpenPGP key. Thunderbird will ignore unsafe key signatures and may report the OpenPGP key as expired, or not show some properties of the key.
To address this problem, the key owner should update to the latest version of their OpenPGP software, repeat the key modifications, and then share the updated public key. Some software may require an updated configuration to ensure that modern algorithms are used when modifying keys.
When viewing the details of an OpenPGP key in Thunderbird, a warning might be shown that the key contains unsafe properties.
OpenPGP uses private and public keys, which contain metadata such as user names, email addresses, additional subkeys, validity and expiration information, and more. This additional information on a key is protected by digital signatures, which prove that these properties were really set by the owner of the key and not by someone else.
A digital signature uses cryptographic technology that combines multiple algorithms in order to produce a proof that cannot easily be forged. Because computers get more powerful over time, and because new attacks are discovered, algorithms that were considered secure in the past may no longer be considered secure today.
An example is the [https://en.wikipedia.org/wiki/SHA-1 SHA-1 hash algorithm]. Nowadays it is recommended that it no longer be used, because practical collision attacks on the algorithm have been demonstrated.
Signatures created with outdated OpenPGP software, or with an outdated configuration, may be based on unsafe algorithms. For example, if a key owner has updated the expiration date property of an OpenPGP key, the modification involves a signature that is added to the OpenPGP key; if that signature was made with SHA-1, the key now carries an unsafe property.
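The paragraphs above (and the matching explanation in the earlier revision) describe key properties as signature packets whose hash algorithm and creation time decide whether Thunderbird treats them as unsafe. The following Python script is an added example, not code from Thunderbird or from the article: it parses a binary OpenPGP packet stream, reads each v4 signature packet's hash algorithm and the creation-time and key-expiration subpackets from its hashed area, and lists the SHA-1 signatures created after 2019-01-15. The sample key at the bottom is constructed by hand with dummy key material and signatures that cannot be verified, so the script runs offline; the packet layout follows RFC 4880.

```python
"""Walk an OpenPGP packet stream (RFC 4880 binary format), find every signature
packet and report those that use SHA-1 and were created after the 2019-01-15
cut-off named in the article.  Only v4 signatures are handled."""
import struct
from datetime import datetime, timezone

SHA1, SHA256 = 2, 8                       # hash algorithm IDs, RFC 4880 section 9.4
CUTOFF = datetime(2019, 1, 15, tzinfo=timezone.utc)
SIG_TYPES = {0x13: "positive UID certification", 0x18: "subkey binding", 0x1F: "direct key"}
SUB_CREATED, SUB_KEY_EXPIRY = 2, 9        # subpacket types, RFC 4880 section 5.2.3.1

def _read_length(buf, i, packet_header):
    """New-format packet length or subpacket length at buf[i] -> (length, octets used)."""
    b0 = buf[i]
    if b0 < 192:
        return b0, 1
    if b0 == 255:
        return struct.unpack(">I", buf[i + 1:i + 5])[0], 5
    if packet_header and b0 >= 224:                         # 224..254 = partial body length
        raise ValueError("partial body lengths are not supported")
    return ((b0 - 192) << 8) + buf[i + 1] + 192, 2

def iter_packets(data):
    """Yield (tag, body) for every packet; old- and new-format headers are accepted."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("offset %d is not a packet header" % i)
        if ctb & 0x40:                                      # new-format header
            tag = ctb & 0x3F
            length, used = _read_length(data, i + 1, packet_header=True)
        else:                                               # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not supported")
            used = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i + 1:i + 1 + used], "big")
        start = i + 1 + used
        yield tag, data[start:start + length]
        i = start + length

def iter_subpackets(area):
    """Yield (type, data) for each subpacket of a hashed or unhashed area."""
    i = 0
    while i < len(area):
        length, used = _read_length(area, i, packet_header=False)
        sub = area[i + used:i + used + length]
        yield sub[0] & 0x7F, sub[1:]                        # high bit is the critical flag
        i += used + length

def parse_v4_signature(body):
    """Extract the fields that matter here from a v4 signature packet body."""
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    sig = {"sig_type": body[1], "hash_algo": body[3], "created": None, "key_expiry_seconds": None}
    hashed_len = struct.unpack(">H", body[4:6])[0]
    for stype, sdata in iter_subpackets(body[6:6 + hashed_len]):
        if stype == SUB_CREATED:
            sig["created"] = datetime.fromtimestamp(struct.unpack(">I", sdata)[0], timezone.utc)
        elif stype == SUB_KEY_EXPIRY:                       # an expiry change is carried here
            sig["key_expiry_seconds"] = struct.unpack(">I", sdata)[0]
    return sig

def unsafe_signatures(data):
    """[(signature type, creation date)] for every SHA-1 signature made after CUTOFF."""
    hits = []
    for tag, body in iter_packets(data):
        if tag != 2:                                        # tag 2 = signature packet
            continue
        sig = parse_v4_signature(body)
        if sig["hash_algo"] == SHA1 and sig["created"] and sig["created"] > CUTOFF:
            hits.append((SIG_TYPES.get(sig["sig_type"], hex(sig["sig_type"])),
                         sig["created"].date().isoformat()))
    return hits

# ---- Constructed sample key: dummy key material and signatures that cannot verify ----
def _packet(tag, body):                   # new-format header with a one-octet length
    return bytes([0xC0 | tag, len(body)]) + body

def _signature(sig_type, hash_algo, created, key_expiry_seconds=None):
    subs = bytes([5, SUB_CREATED]) + struct.pack(">I", int(created.timestamp()))
    if key_expiry_seconds is not None:
        subs += bytes([5, SUB_KEY_EXPIRY]) + struct.pack(">I", key_expiry_seconds)
    body = bytes([4, sig_type, 1, hash_algo]) + struct.pack(">H", len(subs)) + subs
    body += struct.pack(">H", 0) + b"\x12\x34"              # empty unhashed area, dummy left 16 bits
    return _packet(2, body + struct.pack(">H", 8) + b"\xab")  # dummy 8-bit MPI

_utc = lambda y, m, d: datetime(y, m, d, tzinfo=timezone.utc)

KEY_STUB = b"\x04" + struct.pack(">I", int(_utc(2015, 6, 1).timestamp())) + b"\x01"  # v4 RSA, no MPIs
SAMPLE_KEY = (
    _packet(6, KEY_STUB) + _packet(13, b"Alice <alice@example.org>")
    + _signature(0x13, SHA1, _utc(2015, 6, 1))                    # original self-sig: SHA-1, pre-cut-off
    + _signature(0x13, SHA1, _utc(2021, 3, 2), 3 * 365 * 86400)   # expiry extended with old software
    + _packet(14, KEY_STUB)
    + _signature(0x18, SHA1, _utc(2020, 5, 4))                    # subkey bound with SHA-1 after cut-off
    + _signature(0x18, SHA256, _utc(2022, 1, 1))                  # rebound with SHA-256: accepted
)
```

Against the constructed key, `unsafe_signatures(SAMPLE_KEY)` reports the 2021 self-signature that extended the expiry and the 2020 subkey binding, and leaves the 2015 self-signature alone because it predates the cut-off. For a real key, feed it the binary output of `gpg --export <keyid>` (not ASCII-armored): the reported tag-2 packets are the self-signatures and bindings the article calls unsafe properties, and a key whose only expiry-extending self-signature appears in that list is the case where Thunderbird reported it as expired.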
Thunderbird versions 91.8.0 and 91.8.1 contained a change that rejected a wide set of signatures that involved SHA-1. As a consequence, the affected keys were no longer usable in Thunderbird.
Because the number of affected Thunderbird users was higher than anticipated, Thunderbird version 91.9.0 has been changed to be less strict. It will continue to accept signatures based on SHA-1 in scenarios that are considered less critical, which should allow most users to continue using their key for a while longer.
The Thunderbird developers still intend to deprecate the use of SHA-1 in OpenPGP keys, but we have learned that more time is required for a transition period, and that Thunderbird also should implement changes to assist users in the required transition.
Note that other OpenPGP software might already reject a key based on these unsafe properties, or might do so in the future. If you are managing your OpenPGP private key outside of Thunderbird, you should research how you can upgrade your key, and start distributing an upgraded public key that no longer relies on SHA-1.
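If the private key is managed with GnuPG rather than Thunderbird, the following gpg.conf fragment is one way to make sure that future key modifications are signed with a modern hash. It is an added example and not part of the article; it assumes GnuPG 2.x, whose `cert-digest-algo` option controls the hash used for key signatures (self-signatures, expiry changes, certifications), and it shows the weak setting next to the corrected one.

```conf
# ~/.gnupg/gpg.conf  (added example, assumes GnuPG 2.x; not from the article)

# Weak setting: key signatures, including an expiry update, are hashed with
# SHA-1.  Older GnuPG versions used this as their default.
#cert-digest-algo SHA1

# Corrected setting: key signatures use SHA-256, and the hash preferences
# placed on the key by future self-signatures no longer list SHA-1 first.
cert-digest-algo SHA256
personal-digest-preferences SHA512 SHA384 SHA256
```

Changing the configuration does not rewrite existing signatures: the key modification has to be repeated afterwards (for example extending the expiry again with `gpg --edit-key <fingerprint>` and the `expire` command), and the exported public key redistributed, as the article says. To check the result, `gpg --export <keyid> | gpg --list-packets` prints a `digest algo` for every signature packet; 2 is SHA-1 and 8 is SHA-256.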
If you are managing your OpenPGP secret key with Thunderbird, then a future version of Thunderbird will help you to upgrade your key.