Hi Stefan--

I'm glad that you're thinking about this stuff.  The enigmail team (i'm
just a follower, not a member) has been making great strides in the
directions you describe...

On Wed 2015-01-21 16:53:50 -0500, Stefan Koch wrote:

> Thus, I think we'd have to move the key generation to an easier
> locatable place. Currently it's hidden in "Key management" at the top
> right side and "key management" itself is hidden in the middle of a lot
> of options, when we open the Enigmail menu.

Have you looked at the "Setup wizard" ?  that is intended to walk the
normal user through standard setup.

> Then the Key Generation process could be designed with more UX in mind.
> At the moment it's mainly a bunch of input fields jumping onto the user
> without any comments. The most minor thing is probably that many users
> do not know the term "Passphrase" opposed to "Password" (I know the
> reasons for the discussion between those two and why GPG prefers
> passphrase).

there was discussion recently about doing away with the "Password" field
during key generation entirely, since users are commonly confused about
what the password applies to.

I'd love to see the "Comment" field go away as well; that's a frequent
cause of trouble:

  https://www.debian-administration.org/users/dkg/weblog/97

> Then we'd need more explaining texts. Most newcomers will not know what
> to choose when seeing "Key expires in X years". Here we should explain
> why this has to be chosen. E.g. we can explain what happens if the key
> is lost or stolen (not mentioning revocation certificate, because it
> would introduce another difficult term too early, but thinking
> ourselves, that this is also lost). We could also explain that all
> credit cards, personal identity cards (at least in Germany and Austria)
> have a valid date. Such official important documents are not issued
> forever, in case of loss.

I'm wary of explaining texts, unless they're hidden behind a "tell me
more…" button.  I agree that we should have good defaults and that most
users should have very little to do besides saying "yes, set me up with
a key".

> And then I'd go on as normal with displaying a message, that the user
> should create a revocation certificate. Don't know now if it explains
> what a rev certificate is. If yes: everything fine; if not: let us
> explain it.

the revocation certificate should be created automatically and placed in
a known, retrievable location.  gpg 2.1 already does this at key
generation time in ~/.gnupg/openpgp-revocs.d/

If an attacker steals your revocation certificate, they can probably
steal your secret key too, and publishing the revocation certificate is
about the nicest thing they can do for you.

> I also know we have documentations and stuff, but modern / good UI
> should be self-explanatory.

agreed, which is why i'm wary of the "more explaining texts". :)

Enigmail devs, y'all have done a lot of work in this direction already.
Is there a roadmap about further UI/UX cleanup plans that other people
can read and possibly plug into?

        --dkg
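
Added example (not part of the original message, and not Enigmail or GnuPG code): a shell check that every secret key in a keyring has a stored revocation certificate in the directory named in the message. It assumes GnuPG 2.1's <FINGERPRINT>.rev file naming; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Enigmail or GnuPG code.

# Reads `gpg --with-colons --list-secret-keys` output on stdin and prints the
# fingerprint of each primary secret key that has no non-empty
# <FINGERPRINT>.rev file in the directory passed as $1.
missing_revocs() {
    revdir=$1
    awk -F: '
        $1 == "sec"         { want = 1; next }        # primary secret key record
        $1 == "fpr" && want { print $10; want = 0 }   # first fpr after sec is the primary
    ' | while read -r fpr; do
        [ -s "$revdir/$fpr.rev" ] || printf '%s\n' "$fpr"
    done
}

# Constructed sample listing: two primary keys, each with one subkey.
sample_listing() {
    cat <<'EOF'
sec:u:4096:1:1111111111111111:1421000000:::u:::scESC:::+:::23::0:
fpr:::::::::1111111111111111111111111111111111111111:
uid:u::::1421000000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:
ssb:u:4096:1:3333333333333333:1421000000::::::e:::+:::23:
fpr:::::::::3333333333333333333333333333333333333333:
sec:u:4096:1:2222222222222222:1421000000:::u:::scESC:::+:::23::0:
fpr:::::::::2222222222222222222222222222222222222222:
uid:u::::1421000000::0000000000000000000000000000000000000000::Bob Example <bob@example.org>::::::::::0:
ssb:u:4096:1:4444444444444444:1421000000::::::e:::+:::23:
fpr:::::::::4444444444444444444444444444444444444444:
EOF
}

# Demo on the constructed data: only the first key has a certificate on disk.
demo() {
    dir=$(mktemp -d)
    printf 'constructed placeholder\n' > "$dir/1111111111111111111111111111111111111111.rev"
    sample_listing | missing_revocs "$dir"
    rm -rf "$dir"
}
demo   # prints 2222222222222222222222222222222222222222

# Against a real keyring:
#   gpg --batch --with-colons --list-secret-keys |
#       missing_revocs "${GNUPGHOME:-$HOME/.gnupg}/openpgp-revocs.d"
```

Subkey fingerprints are skipped on purpose: the revocation certificate covers the primary key, so only the first fpr record after each sec record is checked.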
