Re: [Enigmail] Key Management Owner Trust

2015-09-20 Thread Anne Wilson

On 19/09/2015 23:11, Robert J. Hansen wrote:
>> The more information that you add to the screens the less of it 
>> the 'average user' will read. The famous "Click next - next -
>> ok" effect.
> 
> Yes, I agree; this is why I'm suggesting reducing the presented 
> information to whether a signature is present, and how much 
> confidence Enigmail is placing in the signature.  Everything
> beyond that would be hidden from the user -- easy to discover
> (click on the security notice), but not something the user had to
> pay attention to unless they specifically wished.
> 
Another 2c from an average user -

In my opinion many (most?) people will only really need lsign - if
that means, as it does to me, "I know this person".  The full signing
("I have fully verified this person and his signature via official
documents") by those who don't understand the implications of it is
where the problem lies.  Personally, I'd make lsign the default.
Anyone who understands enough to know he has a real need for the full
signing can easily search menus to find the appropriate link.  IOW,
both need to be present, but lsign needs to be easiest found.

Or am I being too simplistic?

BTW, I do like the simplicity of the Details button.

Anne

___
enigmail-users mailing list
enigmail-users@enigmail.net
To unsubscribe or make changes to your subscription click here:
https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net


Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-20 Thread Anne Wilson

On 20/09/2015 04:06, Robert J. Hansen wrote:
> (Forgive the HTML: this is one of the few times where I think it’s 
> worthwhile.  This email uses color to convey information.)
> 


Sounds really good to me.  First impression is clear and to the point.
 Additional information boxes on request give full explanation.  I'm
100% in favour of this.  It separates the everyday want-to-know from
the "hell, I need to know more about that!".

Anne



Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-20 Thread Mike Acker

  
  
I like your message

the terms I've been using -- for this same thing --- are 
  

Public Key Encryption (PGP, GPG) provides more than just encryption:
it provides

  Authentication
  Integrity
  Security


Authentication allows the user to verify with good certainty that a
message is in fact from the person who claims to have sent it. i.e.
PGP/GPG can defeat attackers who are attempting to impersonate
friends, associates, businesses,  . this addresses "targeted
phishing", man-in-the-middle, and similar attacks

Integrity allows the user to be reasonably certain that a message
has not been altered either by error or by intent during
transmission

Security (encryption) allows the user to be reasonably certain that
the content of a message has not been disclosed to un-authorized
parties during transmission

for interested parties this thread will step through the procedures
needed to implement Public Key Encryption using GPG2, ENIGMAIL, and
Thunderbird. similar processing can be established using
Symantec/PGP and MSFT/Outlook.

one should note here that no security is possible if the end-point
operating software has been compromised by un-authorized
programming.

one of the critical key points that has been brought out several
times in this discussion is -- that we need to select good terms --
and then stick to them .   people will catch up and understand, --
given time.    one of the errors that has been made in IT over the
years is to continuously try to find the perfect words to describe
things .   we just need good words and then let people catch up and
learn what the implications are.

the debauch over fake filings of IRS forms 1040 is a perfect example
of how badly the entire communication industry needs to "get with
the program" here -- if I may avail myself of an old cliche 

keep up the good work ! this is a vital topic .
On 09/19/2015 11:06 PM, Robert J. Hansen wrote:
> (Forgive the HTML: this
> is one of the few times where I think it’s worthwhile.  This
> email uses color to convey information.)
>
> So, while relaxing with a good stogie, I started mulling over
> the UX problem of communicating information about encryption
> status, signatures, validity, and more.  I got nowhere, which is
> when I decided to burn it all down and start from a clean sheet
> of paper.
>
> Enigmail and GnuPG exist to provide the CIA triad.  No, not the
> intelligence agency — Confidentiality, Integrity, and
> Assurance.  Those are the three metrics we need to communicate
> to the user.  So let’s throw out all the language about
> “untrusted good signature” and start over from scratch: let’s
> communicate the triad.
>
> First things first: rename it, because only hardcore nerds
> understand what CIA means.  (“What’s the difference between
> integrity and assurance?” is a really common question in
> undergraduate computer security courses.  Even computer science
> majors who have an interest in this stuff, as evidenced by
> signing up to take a class in it, generally don’t understand
> it.)  I’m going to rename the triad the PAI triad: Privacy,
> Authenticity, and Identity.  Further, instead of giving
> incredibly detailed “valid signature but the certificate has not
> been validated” types of messages, let’s reduce it to binary
> choices.  People like binary choices: they’re easy to
> understand.
>
> * Privacy is a binary state: yes the message was private
>   (encrypted), or no it was not.
> * Authenticity is also a binary state: we are confident the
>   message is authentic, or we are not.
> * Identity is also a binary state: we are confident it came from
>   the specified person, or we are not.
>
> We can present this information to the user using just three
> letters in different colors—green for yes, black for no.
> Imagine, for instance, that we have an untrusted good signature
> on an unencrypted message.  We would then put at the top of the
> email:
>
> Privacy Authenticity Identity
>
> Immediately, at a glance, the user can see that the message is
> not private, is authentic, but we don’t know who it came from.
>
> A good signature from a validated certificate, but no
> encryption, would get marked up as—


Re: [Enigmail] Key Management Owner Trust

2015-09-20 Thread Anne Wilson

On 20/09/2015 03:17, Phil Stracchino wrote:
> On 09/19/15 21:16, David wrote:
>>> On 9/19/2015 7:31 PM, Robert J. Hansen wrote:
> With respect to your grandma-and-grandpa comment: we are
> not interested in aiming Enigmail at people who do not care
> about email privacy and have no interest in it.  Why would
> we?  We're not medieval priests preaching the Gospel to the
> heathens, infidels, unchurched and unconverted.
>>> 
>>> 
>>> I see. So instead of a utility that is simple enough for
>>> potentially everyone to use for private emails you are looking
>>> for a 'just for us really paranoid really smart geeks'
>>> application.
> Did you really misunderstand the previous statement that badly, or
> are you deliberately trolling (again)?
> 
Why is it that whenever someone puts a point of view that is
definitively user-level he is accused of trolling?  Robert's reply was
insulting in the extreme.  Like David, I wonder why I try to help by
explaining the non-geek viewpoint.  Like David, I'll shut up.

Anne


Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-20 Thread Ludwig Hügelschäfer
Hi,

On 20.09.15 05:06, Robert J. Hansen wrote:
> (Forgive the HTML: this is one of the few times where I think it’s
> worthwhile.  This email uses color to convey information.)
>
> (...)
>
> … Bam.  A simple UX that everyone sees, which conveys the most important
> information at-a-glance.  If more detailed information is needed, we
> present it in human-friendly language and embed within the language
> links to help people do common tasks related to keys.
> 
> Further, this UX is completely independent of the trust model used by
> GnuPG.  If you want to use the Web of Trust, no problem.  If you have
> --trust-model=always set, no problem.  If you’re using TOFU, no problem. 
> 
> What do y’all think?

Wow, I like that very much! This goes into the same direction of the two
buttons (sign/encrypt) in the compose window which got really good
feedback. It's logical, consequent and simple. You get an overview on
first glance.

Don't know yet how to display these three items within the message
header, in a graphical sense. I'll make a suggestion.

This UI change covers about 90% of daily use and Enigmail can implement
it independently and instantly.

But I think, we've still got to look into the wording of key details.
One of the most misunderstood terms there is "ownertrust". Also - as
already pointed out - "validity" is not clear. And: We "sign" messages,
but until today we also "sign" a key/certificate, expressing that it
belongs to the promised person. The double use of the term "signature"
has led to quite frequent misunderstandings. We really should use
"certify" for the latter.

These new terms should also be used within GnuPG and other OpenPGP clients.

Ludwig






Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-20 Thread Patrick Brunschwig

On 20.09.15 05:06, Robert J. Hansen wrote:
> (Forgive the HTML: this is one of the few times where I think it’s 
> worthwhile.  This email uses color to convey information.)
> 
> So, while relaxing with a good stogie, I started mulling over the
> UX problem of communicating information about encryption status, 
> signatures, validity, and more.  I got nowhere, which is when I
> decided to burn it all down and start from a clean sheet of paper.
> 
> Enigmail and GnuPG exist to provide the CIA triad.  No, not the 
> intelligence agency — Confidentiality, Integrity, and Assurance.
> Those are the three metrics we need to communicate to the user.  So
> let’s throw out all the language about “untrusted good signature”
> and start over from scratch: let’s communicate the triad.
> 
> First things first: rename it, because only hardcore nerds
> understand what CIA means.  (“What’s the difference between
> integrity and assurance?” is a really common question in
> undergraduate computer security courses.  Even computer science
> majors who have an interest in this stuff, as evidenced by signing
> up to take a class in it, generally don’t understand it.)  I’m
> going to rename the triad the PAI triad: Privacy, Authenticity, and
> Identity.  Further, instead of giving incredibly detailed “valid
> signature but the certificate has not been validated” types of
> messages, let’s reduce it to binary choices.  People like binary
> choices: they’re easy to understand.
> 
> * *Privacy* is a binary state: yes the message was private
>   (encrypted), or no it was not.
> * *Authenticity* is also a binary state: we are confident the
>   message is authentic, or we are not.
> * *Identity* is also a binary state: we are confident it came from
>   the specified person, or we are not.
> 
> 
> We can present this information to the user using just three
> letters in different colors—green for yes, black for no.  Imagine,
> for instance, that we have an untrusted good signature on an
> unencrypted message.  We would then put at the top of the email:
> 
> Privacy Authenticity Identity
> 
> 
> 
> Immediately, at a glance, the user can see that the message is not 
> private, is authentic, but we don’t know who it came from.
> 
> A good signature from a validated certificate, but no encryption,
> would get marked up as—
> 
> 
> Privacy Authenticity Identity
> 
> 
> An encrypted message without a signature would get—
> 
> 
> Privacy Authenticity Identity
> 
> 
> An encrypted and signed message from an unknown certificate—
> 
> 
> Privacy Authenticity Identity
> 
> 
> And finally, an encrypted and signed message from a validated
> certificate—
> 
> 
> Privacy Authenticity Identity
> 
> 
> Immediately, right at-a-glance, users get the information that’s of
> most use to them: is this message private?  Is it authentic?  Did
> it really come from the person I think it did?  If the user wants
> to know details about why a particular message was graded in a
> particular way, they’d double-click on the header and get a
> detailed breakdown of what factors went into each decision.  For
> instance, Enigmail might display a new window that contained
> something like:
> 
> 
>
> * *Privacy.*  This email was encrypted with your RSA key.
>   _Click here_ to open this key in the Key Management window.
>   Camellia-256 was used for symmetric encryption.
> * *Authenticity.*  This email was signed; however, the signature
>   did not check out.  The message, the signature, or both, were
>   altered in transit.  This is not necessarily a sign of hostile
>   action.  Sometimes messages get garbled in the process of
>   transmitting from one system to the next.
> * *Identity.*  This email claims to be from Robert J. Hansen with
>   key ID 0xDEADBEEFDEADBEEF.  However, we do not know the signing key
>   really belongs to this person.  If you’re certain the signing key
>   belongs to this person, _click here_ and Enigmail will remember
>   it for the future.
> 
> 
>
> 
> 
> … Bam.  A simple UX that everyone sees, which conveys the most
> important information at-a-glance.  If more detailed information is
> needed, we present it in human-friendly language and embed within
> the language links to help people do common tasks related to keys.
> 
> Further, this UX is completely independent of the trust model used
> by GnuPG.  If you want to use the Web of Trust, no problem.  If you
> have --trust-model=always set, no problem.  If you’re using TOFU,
> no problem.
> 
> What do y’all think?

I like this proposal very much. I can well imagine that we display 3
icons and if you click on any of them, you'll get the detailed
information. But I'd suggest also to add the UID of the sender in the
message reader pane if the signature can be verified.

-Patrick



Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-20 Thread Robert J. Hansen
> if you want a third light it could be for the trust level established
> for the senders key:

I'm giving a big 'no' to this.  White, red, yellow, green, blue?  We've
just reintroduced "untrusted good signature".  We can expect people to
understand a binary state, maybe a trinary state -- but a pentastate is
just a bad idea.





Re: [Enigmail] Key Management Owner Trust

2015-09-20 Thread Robert J. Hansen
> That said, it's necessary to keep in mind what Enigmail's target 
> audience is, and that is people who want a simple, usable tool to 
> encrypt or authenticate their email.

I think it should also be said: Enigmail is not an advocacy
organization.  We don't push anyone to encrypt their email.  We don't
travel around the country giving speeches about the importance of email
encryption.  There are groups that do this: the Electronic Frontier
Foundation, the Free Software Foundation, the Electronic Privacy
Information Center, the Stanford Cybersecurity Center, and more.

These groups do excellent work.  We're happy they exist.  They've got
the media contacts, they know how to reach out and evangelize... they do
great work for the cause of email privacy.  But what all of these groups
have in common is: they're lousy at building tools.

We're pretty good at building tools, but our rolodex is pretty thin.  So
we're happy to let these groups evangelize, and we're going to build a
great tool for the newly-converted.  But we're not interested in doing
evangelization ourselves: that's not what we do.  Sure, we'll speak at
conferences and talk to journalists -- but that's about talking to
interested parties, not trying to persuade the uninterested.

So when I say we're not interested in converting grandma and grandpa,
who currently don't care about email crypto?  Absolutely true.  We're
not.  But we wish the EFF, the FSF, EPIC, SCC, and other groups all the
luck in the world in convincing grandma and grandpa to start caring.

When they do, we'll be here for them.  :)





Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-20 Thread Mike Acker

  
  
very good question
  
  to my thinking: if the message is not signed then we do not show
  any ENIGMAIL information, i.e. ENIGMAIL status information is not
  presented.
  
  if the message is signed then I'm concerned with, first of all did
  the signature verify, and secondly -- was the signature made by
  someone I know?
  
  
  the white or the green depends on whether or not I have previously
  authenticated ("vetted") the senders key.   after that I might
  want to check the trust level I have assigned to that user;
  perhaps that should be a click-up dialog   ( Robert did not like
  my multi color stack,...
  
  and -- that's OK: we are brain-storming here: all ideas need to
  get onto the table and get discussed so that we can work out what
  we think will be the best language and display format .   I love
  contributing -- and I don't mind getting stomped on )

On 09/20/2015 01:00 PM, Phil Stracchino wrote:
> On 09/20/15 08:00, Mike Acker wrote:
>> I'm not sure you need 3 greens though,-- a message for which the
>> signature verifies becomes "authenticated",-- i.e. we are assured the
>> message is from the person we think it is from --
>>
>> the key is when the signature authenticates you, perforce, have also
>> verified integrity ( the accuracy of the document content )
>>
>> the option of course is PRIVACY, aka encryption
>>
>> I think two greens are enough, then:
>
> With no integrity indicator, how do you distinguish between an unsigned
> message, and one which has been signed but the content of the message
> has been altered post-signature?




-- 
/Mike
  





Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-20 Thread Phil Stracchino
On 09/20/15 08:00, Mike Acker wrote:
> I'm not sure you need 3 greens though,-- a message for which the
> signature verifies becomes "authenticated",-- i.e. we are assured the
> message is from the person we think it is from --
>
> the key is when the signature authenticates you, perforce, have also
> verified integrity ( the accuracy of the document content )
>
> the option of course is PRIVACY, aka encryption
>
> I think two greens are enough, then:
>
>

With no integrity indicator, how do you distinguish between an unsigned
message, and one which has been signed but the content of the message
has been altered post-signature?

-- 
  Phil Stracchino
  Babylon Communications
  ph...@caerllewys.net
  p...@co.ordinate.org
  Landline: 603.293.8485






Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-20 Thread Phil Stracchino
On 09/20/15 14:01, Robert J. Hansen wrote:
> The arguments in favor of trinary:
> 
> * Many users are going to want three states even though, IMO, the third
> state is useless.
> 
> A bad signature on an email message, contrary to popular belief in the
> community, doesn't mean the message was tampered with.  99% of the time
> it's evidence the *signature* was tampered with.  PGP/MIME is infamous
> here: MUAs play hob with attachments and repackage the signature up in
> weird ways.  So a bad signature, by itself, doesn't tell you anything
> about whether the message has been changed.  All that a bad signature
> tells you is the sender thought the message was important enough to add
> an authenticity/identity measure, but authenticity/identity cannot be
> assured.  And if we're saying "authenticity/identity cannot be assured",
> then really, that's no different from no signature at all -- so it
> should use the same black text as no signature at all.

Actually, I dispute this.  There is an important functional, not just
human, distinction between 'Sender made no attempt to provide
authentication on this message' and 'Sender attempted to provide
authentication on this message, *but something went wrong*'.  In the
latter case, if it is an important communication, you may wish to
contact the sender by other means to verify authenticity.  In the former
case, there is no reason to do so.  It could be crucial to know which
case is in effect, but we can't expect users to look at the authenticity
details on every message to find out whether there was *no* signature or
a *failed* (for whatever reason) signature.  So we need the interface to
let them distinguish at a glance between no signature and failed
signature.  It is then up to the user to decide whether or not they need
to investigate a failed signature further.


> So... yeah.  My inner crypto nerd says the binary choice is a more
> accurate representation of reality.  My inner UX geek says the trinary
> choice is what users will want and feel more comfortable with.  The nerd
> and the geek are fighting for control of my soul.  :)

In this case, I think the crypto nerd has overlooked an important
aspect.  :)  A failed or invalid signature is *cryptographically*
equivalent to no signature; but it is not *functionally* equivalent.
Because a failed or invalid signature means that the sender *tried* to
authenticate the message, implying that it may have been important to do so.


-- 
  Phil Stracchino
  Babylon Communications
  ph...@caerllewys.net
  p...@co.ordinate.org
  Landline: 603.293.8485
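
The grading debated in this thread, with Robert J. Hansen's binary indicators and the extra "failed signature" state Phil Stracchino argues for above, sketched as an added example (not Enigmail's code and not part of any message here). The mapping from GnuPG `--status-fd` keywords to the three indicators, the function names and the sample status lines are assumptions constructed for illustration.

```javascript
// Added example: grade a message into Privacy / Authenticity / Identity from
// GnuPG --status-fd output. The mapping rules below are assumptions.
const PREFIX = "[GNUPG:] ";

// A signature was made and it verified.
const SIG_GOOD = new Set(["GOODSIG"]);
// A signature was attempted but cannot be relied on. Counting expired and
// revoked results as "failed" is an assumption of this example.
const SIG_FAILED = new Set(["BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"]);
// Key validity levels taken to mean "we know whose key this is" (assumption).
const KEY_VALID = new Set(["TRUST_FULLY", "TRUST_ULTIMATE"]);

// Split status output into { keyword, args } records.
function parseStatus(statusText) {
  return statusText
    .split(/\r?\n/)
    .filter((line) => line.startsWith(PREFIX)) // skip anything that is not a status line
    .map((line) => {
      const [keyword, ...args] = line.slice(PREFIX.length).trim().split(/\s+/);
      return { keyword, args };
    });
}

// Reduce the status records to the three indicators.
function gradeMessage(statusText) {
  const records = parseStatus(statusText);
  const seen = new Set(records.map((r) => r.keyword));
  const any = (set) => [...set].some((k) => seen.has(k));

  const privacy = seen.has("DECRYPTION_OKAY") ? "yes" : "no";

  let authenticity = "no"; // sender made no attempt to sign
  if (any(SIG_FAILED)) {
    authenticity = "failed"; // fail closed: one bad result outweighs a good one
  } else if (any(SIG_GOOD)) {
    authenticity = "yes";
  }

  // Identity needs both a verified signature and a validated key.
  const identity = authenticity === "yes" && any(KEY_VALID) ? "yes" : "no";

  // For the signature keywords handled here the first argument is the key ID.
  const sig = records.find((r) => SIG_GOOD.has(r.keyword) || SIG_FAILED.has(r.keyword));
  const keyId = sig && sig.args.length > 0 ? sig.args[0] : null;

  return { privacy, authenticity, identity, keyId };
}

// Text stand-in for the coloured letters: "+" yes, "-" no, "!" failed.
// With trinary = false a failed signature is shown exactly like no signature.
function renderHeader(grade, trinary = true) {
  const mark = (state) => {
    if (state === "yes") return "+";
    if (state === "failed" && trinary) return "!";
    return "-";
  };
  return (
    `[${mark(grade.privacy)}] Privacy  ` +
    `[${mark(grade.authenticity)}] Authenticity  ` +
    `[${mark(grade.identity)}] Identity`
  );
}

// Constructed sample status output (not captured from a real message).
const SIGNER = "DEADBEEFDEADBEEF Example Sender <sender@example.org>";
const SAMPLES = {
  unsigned: "",
  untrustedGood: [`[GNUPG:] GOODSIG ${SIGNER}`, "[GNUPG:] TRUST_UNDEFINED"].join("\n"),
  validatedGood: [`[GNUPG:] GOODSIG ${SIGNER}`, "[GNUPG:] TRUST_FULLY"].join("\n"),
  encryptedUnsigned: "[GNUPG:] DECRYPTION_OKAY",
  encryptedValidated: [
    "[GNUPG:] DECRYPTION_OKAY",
    `[GNUPG:] GOODSIG ${SIGNER}`,
    "[GNUPG:] TRUST_ULTIMATE",
  ].join("\n"),
  badSignature: `[GNUPG:] BADSIG ${SIGNER}`,
  mixedResults: [
    `[GNUPG:] GOODSIG ${SIGNER}`,
    "[GNUPG:] TRUST_FULLY",
    `[GNUPG:] BADSIG ${SIGNER}`,
  ].join("\n"),
};

// One line per sample, binary and trinary rendering side by side.
function demo() {
  return Object.entries(SAMPLES).map(([name, text]) => {
    const grade = gradeMessage(text);
    return `${name}: binary ${renderHeader(grade, false)} | trinary ${renderHeader(grade, true)}`;
  });
}

console.log(demo().join("\n"));
```

In the binary rendering the `badSignature` and `unsigned` samples produce the same header; only the trinary rendering separates them.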





Re: [Enigmail] Key Management Owner Trust

2015-09-20 Thread Phil Stracchino
On 09/20/15 14:05, Anne Wilson wrote:
> It's a sad fact that a huge proportion of computer users are woefully
> ignorant of security - we'd not be plagued by so many viruses,
> trojans, keystroke-recorders and the like if this were not so.

Very true.  I have encountered problems of this type frequently in a
professional capacity.  (And also its counterpart, users who throw up
all kinds of obfuscation and security-through-obscurity measures that
accomplish nothing except to make them *think* that they must now be
secure, while making it difficult to maintain their infrastructure and
therefore often actually making them *less* secure because security
patching doesn't get done.)

>  Don't
> be put off, either, by the grandma and grandpa image - just for the
> record, I'm 75 and a great-grandma.  That's by the way, though.  I was
> once asked to do a "using the internet safely" talk to a group of
> women, almost all retired or soon to be retired people from
> responsible jobs who had used computers in their work for years.  It
> was a shock to all of us, me as the leader of the group, and them as
> the listeners.  They were stunned by the number of things I pointed
> out to them (with screenshots showing where to look) of which they had
> been completely unaware.

More power to you!  My hat is off to you.  :)


-- 
  Phil Stracchino
  Babylon Communications
  ph...@caerllewys.net
  p...@co.ordinate.org
  Landline: 603.293.8485





Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-20 Thread Mike Acker

  
  
if you want a third light it could be for the trust level
established for the senders key:



not signature: pgp wasn't used
unknown: message is signed but we have no information about the
  signer
untrusted: message is signed by a person we recognize but we are
  not sure if he or she is trustworthy
marginal: marginal trust -- ( I don't like this one )
trusted: full trust -- we are willing to accept authentication and
  trust level information from this source
ultimate: show for messages signed by local user usually in the SENT
  box



>
> On 09/20/2015 06:51 AM, Patrick Brunschwig wrote:
>> On 20.09.15 05:06, Robert J. Hansen wrote:
>> > (Forgive the HTML: this is one of the few times where I think it’s
>> > worthwhile.  This email uses color to convey information.)
>>
>> > So, while relaxing with a good stogie, I started mulling over the
>> > UX problem of communicating information about encryption status,
>> > signatures, validity, and more.  I got nowhere, which is when I
>> > decided to burn it all down and start from a clean sheet of paper.
> { snip }
>
> -- 
> /Mike
>
>
>

-- 
/Mike

  





Re: [Enigmail] Key Management Owner Trust

2015-09-20 Thread Olav Seyfarth

Please, folks. I appreciate that discussion very much. Each single
statement. Those of crypto pros, enthusiasts, plain users and noobs.
Because the product will be used by all of them. So: stay polite!


Re: [Enigmail] Key Management Owner Trust

2015-09-20 Thread Phil Stracchino
On 09/20/15 07:05, Anne Wilson wrote:
> On 20/09/2015 03:17, Phil Stracchino wrote:
>> On 09/19/15 21:16, David wrote:
>>>> On 9/19/2015 7:31 PM, Robert J. Hansen wrote:
>> With respect to your grandma-and-grandpa comment: we are
>> not interested in aiming Enigmail at people who do not care
>> about email privacy and have no interest in it.  Why would
>> we?  We're not medieval priests preaching the Gospel to the
>> heathens, infidels, unchurched and unconverted.
>>>>
>>>>
>>>> I see. So instead of a utility that is simple enough for
>>>> potentially everyone to use for private emails you are looking
>>>> for a 'just for us really paranoid really smart geeks'
>>>> application.
>> Did you really misunderstand the previous statement that badly, or
>> are you deliberately trolling (again)?
> 
> Why is it that whenever someone puts a point of view that is
> definitively user-level he is accused of trolling?  Robert's reply was
> insulting in the extreme.  Like David, I wonder why I try to help by
> explaining the non-geek viewpoint.

Anne,

It's not a question of geek vs. non-geek viewpoint.  If the "non-geek"
viewpoint didn't matter, we wouldn't be having this whole terminology
and user interface discussion right now.  That's the whole point of the
discussion:  to try to devise ways to make Enigmail and its use clearer
and simpler to the non-technically-inclined.

That said, it's necessary to keep in mind what Enigmail's target
audience is, and that is people who want a simple, usable tool to
encrypt or authenticate their email.  But a crucial part of that is the
word *want*.  No matter what we do to improve or clarify Enigmail's
interface, we're never going to get people to use it who don't *want* to
encrypt or authenticate their email in the first place.  I may be able
to build the world's finest and simplest-to-use artificially-intelligent
six-axis CNC milling machine, capable of making things you never even
knew you wanted made, but I'm never going to sell you one if you *don't
want* a milling machine.  And so it is with Enigmail.  To try to aim
Enigmail at meeting the wants and needs of people who have no interest
in email cryptography and don't want to be bothered with it is an effort
that is doomed to fail.  We can never make Enigmail meet what they want
from it, because what they want from it is *not to have to use it*.

If we do not start out by recognizing that fact, then we are doomed to
fail, because we are aiming at the wrong target.

You have declared yourself to be non-technical, a "non-geek".  But you
are here.  You're participating in the discussion.  You're trying to
present your viewpoint.  And your viewpoint is exactly what we want,
because *you are the target audience*.  Because you *want* what Enigmail
can do for you, done for you.  If you didn't, you wouldn't be here.

But our hypothetical grandma and grandpa who have no interest in any of
this new-fangled encryption stuff are not part of the target audience.
*Not* because they are non-technical.  *Not* because Enigmail does not
do simply enough the things that it can do for them.  But because *they
don't want those things done* in the first place.  No matter how hard
you work at it, you cannot build the perfect lawnmower for somebody
whose principal desire about lawnmowers is to *not own a lawnmower*.
Because the only perfect lawnmower for somebody who wants to not own a
lawnmower, is no lawnmower.


Does this help clarify Robert's point?



-- 
  Phil Stracchino
  Babylon Communications
  ph...@caerllewys.net
  p...@co.ordinate.org
  Landline: 603.293.8485





Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-20 Thread Mike Acker

  
  
I'm not sure you need 3 greens though,-- a message for which the
signature verifies becomes "authenticated",-- i.e. we are assured
the message is from the person we think it is from -- 

the key is when the signature authenticates you, perforce, have also
verified integrity ( the accuracy of the document content )

the option of course is PRIVACY, aka encryption

I think two greens are enough, then:





On 09/20/2015 06:51 AM, Patrick Brunschwig wrote:
> On 20.09.15 05:06, Robert J. Hansen wrote:
> > (Forgive the HTML: this is one of the few times where I think it’s
> > worthwhile.  This email uses color to convey information.)
>
> > So, while relaxing with a good stogie, I started mulling over the
> > UX problem of communicating information about encryption status,
> > signatures, validity, and more.  I got nowhere, which is when I
> > decided to burn it all down and start from a clean sheet of paper.

{ snip }

-- 
/Mike

  





Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-20 Thread Mike Acker

  
  
a few more words about "marginal" trust

I would assign marginal trust to (e.g.) x.509 certificates which
are signed by "certificate authorities".  these are passed out
like fliers at the fair creating a huge attack surface. each
of us needs only a few of these, one for the credit union, one
for (e.g.) Amazon -- just those sites that we do commercial
business with.  Marginal trust might be OK to browse a news
site but that's another topic.

getting from marginal trust to full trust requires a SECOND
VERIFICATION. In my view this service should be available at
local credit unions, perhaps the DMV office -- places that already
need to vet and authenticate identification records.

we need to extend this to the individual as well, while we're at
it -- ENIGMAIL should be able to export a public key onto a USB
Thumb drive that the user can take to the Credit Union or DMV -- to
get it countersigned -- and uploaded to the key server.  this is
needed to proceed with PGP security for things like IRS Forms 1040
filings ...  a PGP signature is rather more secure than simply knowing
the AGI on line 22 from last year's form -- which is a total
kindergarten effort at security.

On 09/20/2015 08:38 AM, Mike Acker wrote:
> if you want a third light it could be for the trust level
> established for the sender's key:
>
>   * no signature: pgp wasn't used
>   * unknown: message is signed but we have no information about the
>     signer
>   * untrusted: message is signed by a person we recognize but we are
>     not sure if he or she is trustworthy
>   * marginal: marginal trust -- ( I don't like this one )
>   * trusted: full trust -- we are willing to accept authentication and
>     trust level information from this source
>   * ultimate: show for messages signed by local user usually in the
>     SENT box
  
  
  
>
> On 09/20/2015 06:51 AM, Patrick Brunschwig wrote:
>> On 20.09.15 05:06, Robert J. Hansen wrote:
>> > (Forgive the HTML: this is one of the few times where I think it’s
>> > worthwhile.  This email uses color to convey information.)
>>
>> > So, while relaxing with a good stogie, I started mulling over the
>> > UX problem of communicating information about encryption status,
>> > signatures, validity, and more.  I got nowhere, which is when I
>> > decided to burn it all down and start from a clean sheet of paper.
> { snip }
>
> -- 
> /Mike
>
>
>
  
  -- 
  /Mike
  
  
  
  



-- 
/Mike
  





Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-20 Thread Philip Jackson
On 20/09/15 05:06, Robert J. Hansen wrote:
> First things first: rename it, because only hardcore nerds understand what CIA
> means.  (“What’s the difference between integrity and assurance?” is a really
> common question in undergraduate computer security courses.  Even computer
> science majors who have an interest in this stuff, as evidenced by signing up
> to take a class in it, generally don’t understand it.)  I’m going to rename the
> triad the PAI triad: Privacy, Authenticity, and Identity.  Further, instead of
> giving incredibly detailed “valid signature but the certificate has not been
> validated” types of messages, let’s reduce it to binary choices.  People like
> binary choices: they’re easy to understand.
> 
>   * *Privacy* is a binary state: yes the message was private (encrypted), or
>     no it was not.
>   * *Authenticity* is also a binary state: we are confident the message is
>     authentic, or we are not.
>   * *Identity* is also a binary state: we are confident it came from the
>     specified person, or we are not.
> 
> 
> We can present this information to the user using just three letters in
> different colors—green for yes, black for no.  Imagine, for instance, that we
> have an untrusted good signature on an unencrypted message.  We would then put
> at the top of the email:
> 
> Privacy   Authenticity   Identity
> 
> 

Clear thinking and well presented.  I like this idea.

Philip





Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-20 Thread Phil Stracchino
On 09/19/15 23:06, Robert J. Hansen wrote:
> (Forgive the HTML: this is one of the few times where I think it’s
> worthwhile.  This email uses color to convey information.)
> 
> So, while relaxing with a good stogie, I started mulling over the UX
> problem of communicating information about encryption status,
> signatures, validity, and more.  I got nowhere, which is when I decided
> to burn it all down and start from a clean sheet of paper.


And very successfully.  Sometimes the clean sheet of paper is exactly
what's needed.  I like this suggestion a lot.  It is simple,
unambiguous, and readable at a glance.  Any further information wanted
by more technically sophisticated users can be obtained by clicking the
item of interest to see more details.

I would suggest one slight extension to the scheme:  The indicators
should be tri-state, not binary.  Add a red error state as well as a
green 'OK' state and the black 'not present' state.  A message which is
signed, but by a key that does not match the declared sender, or by a
revoked key, would display red Identity.  A message which has been
signed but the signature does not match the content (i.e., the content
has been altered post-signature) would display red for Authenticity.

A Privacy red-flag is a little harder to quantify.  About the only case
I can think of is if a message is encrypted, but with a key that has
been revoked or does not match the claimed sender.  But this should
probably be considered an Authenticity failure.

Should a message that is encrypted but unsigned be considered an
Authenticity failure - or at least an authenticity warning?


-- 
  Phil Stracchino
  Babylon Communications
  ph...@caerllewys.net
  p...@co.ordinate.org
  Landline: 603.293.8485
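
The tri-state Privacy/Authenticity/Identity scheme discussed in this thread, as an added sketch that is not part of any post above and is not Enigmail's code. It reads GnuPG `--status-fd` lines; the function name, the colour strings, the rule that only full or ultimate key validity turns Identity green, and the sample status output are assumptions of this example.

```javascript
// Added example: tri-state Privacy/Authenticity/Identity indicators from
// GnuPG --status-fd output. The mapping rules are this example's assumptions.
const GREEN = "green", BLACK = "black", RED = "red";

function paiIndicators(statusText, declaredSender) {
  const out = { privacy: BLACK, authenticity: BLACK, identity: BLACK };
  let signerUid = null, trusted = false, revoked = false;

  for (const line of statusText.split("\n")) {
    const m = /^\[GNUPG:\] (\S+)(?: (.*))?$/.exec(line.trim());
    if (!m) continue;
    const [, keyword, rest = ""] = m;
    switch (keyword) {
      case "DECRYPTION_OKAY": out.privacy = GREEN; break;
      case "GOODSIG":
        if (out.authenticity !== RED) out.authenticity = GREEN; // red is sticky
        signerUid = rest.replace(/^\S+\s*/, ""); // drop key ID, keep user ID
        break;
      case "BADSIG": out.authenticity = RED; break; // content altered after signing
      case "REVKEYSIG": revoked = true; break;      // signed by a revoked key
      case "TRUST_FULLY":
      case "TRUST_ULTIMATE": trusted = true; break; // key validity is sufficient
    }
  }
  if (revoked) {
    out.identity = RED;
  } else if (signerUid !== null) {
    // Simplification: GOODSIG reports one user ID; compare its address only.
    const addr = (/<([^>]+)>/.exec(signerUid) || [])[1] || "";
    if (addr.toLowerCase() !== declaredSender.toLowerCase()) out.identity = RED;
    else if (trusted) out.identity = GREEN;
  }
  return out;
}

// Constructed status output (key IDs and addresses are made up).
const SIG = "0123456789ABCDEF Alice <alice@example.org>";
const SAMPLES = {
  untrustedGood: `[GNUPG:] GOODSIG ${SIG}\n[GNUPG:] TRUST_UNDEFINED 0 pgp`,
  trustedEncrypted:
    `[GNUPG:] DECRYPTION_OKAY\n[GNUPG:] GOODSIG ${SIG}\n[GNUPG:] TRUST_FULLY 0 pgp`,
  altered: `[GNUPG:] BADSIG ${SIG}`,
  revokedKey: `[GNUPG:] REVKEYSIG ${SIG}`,
  unsigned: "",
};

for (const [name, text] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(paiIndicators(text, "alice@example.org")));
}
```

An encrypted but unsigned message comes out as green Privacy with black Authenticity and Identity here; whether that case deserves a warning is the open question the post ends on.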


