Re: WKD Research: Measuring use. An mailinglist maintainers that would help?
Hi Erich, Am Freitag, 22. Oktober 2021, 19:17:07 CEST schrieb Erich Eckner via Gnupg- users: > There are two parts of the usage: The publishing part and the > search-for-and-use-if-available part. Both need separate measurements, I > think. Yes, though we want to focus on the latter part. > > One idea is: If we have a public email address where a lot of emails are > > send to, e.g. the submission address of a mailinglist > > we could set up an OpenPGP key for it via WKD > > and use a small tool to pipe each incoming mail through on the server > > to decrypt and count the mail. > > Wouldn't this break DKIM signatures on the mail? Good question. Mailman as a popular mailinglist software, already modifies mails, thus may break these DKIM signature. I need to do more research on this concern. (Here is an old Mailman Discussion https://wiki.list.org/DEV/DKIM) > Just to be clear: You intend to send the encrypted mail through the mailing > list as usual, right? Yes, unencrypted, of course. > Also: This would only cover mailing lists and thus skew the results. What > about organizations, that use WKD in-house, but whose members rarely write > to mailing lists? If you have any ideas how to do a direct or indirect measurement, I'd like to hear about them. > If you want to fiddle around with mailservers, I would prefer your second > approach: You measure the requests to the webserver, but actually don't > offer a key via WKD - thus, the email flow is undisturbed, but you still > get your metrics. True, using the weblogs may give some indications. However it does not measure if the clients later actually would understand the pubkey and send encrypted emails and an advanced client may cache the results of a WKD request for a limited time. > For measuring the publishing part, one could actively query for WKD on > known MX domains. (As written above, the work is more focused on the client, but following up your suggestion: That they offer a WKD in principle does not say much about how many email addresses actually offer a key, as we cannot walk them and need an email address before we could actually do a real query. Otherwise, would be interesting to see if there are more prominent WKD offers out there.) > For measuring the usage part, I think, it's more valuable to have a look > at available software and their features: How many people use mail client > X, and does X have WKD enabled by default or can it use WKD at all / as a > fallback / ... This is a good suggestion, Christoph is already doing this since a while. Thanks for your feedback! Best Regards, Bernhard ps.: I've chosen to have this discussion in gnupg-users, where me and Christoph are subscrubed. -- www.intevation.de/~bernhard +49 541 33 508 3-3 Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998 Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: WKD Research: Measuring use. An mailinglist maintainers that would help?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Fri, 22 Oct 2021, Bernhard Reiter wrote: Hello friends of OpenPGP, Hi! as part of his Bachelor thesis [1], Christoph wants so to find out, which actions could increase the overall usage of WKD. There are two parts of the usage: The publishing part and the search-for-and-use-if-available part. Both need separate measurements, I think. Ideally we should be able to observe some changes in the usage of WKD over time and hopefully can credit something to some changes like measures tried during the research. So how do we observe WKD usage over time? Obviously this is hard to do, as we are in a decentral system, this is designed to keep things private. Thus our measurement could only be indirectly. One idea is: If we have a public email address where a lot of emails are send to, e.g. the submission address of a mailinglist we could set up an OpenPGP key for it via WKD and use a small tool to pipe each incoming mail through on the server to decrypt and count the mail. Wouldn't this break DKIM signatures on the mail? Just to be clear: You intend to send the encrypted mail through the mailing list as usual, right? Also: This would only cover mailing lists and thus skew the results. What about organizations, that use WKD in-house, but whose members rarely write to mailing lists? We can also count the number of request for the WKD address on the webserver serving the WKD. In both counts, no personal data is saved. So it is just about the safety of the decryption tool, which can be provided. Do you know email addresses, e.g. of mailinglists, where you know the server administrators would be potentially willing to help this academic research? An other ideas? If you want to fiddle around with mailservers, I would prefer your second approach: You measure the requests to the webserver, but actually don't offer a key via WKD - thus, the email flow is undisturbed, but you still get your metrics. For measuring the publishing part, one could actively query for WKD on known MX domains. For measuring the usage part, I think, it's more valuable to have a look at available software and their features: How many people use mail client X, and does X have WKD enabled by default or can it use WKD at all / as a fallback / ... Best Regards, Bernhard regards, Erich -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEE3p92iMrPBP64GmxZCu7JB1Xae1oFAmFy8hUACgkQCu7JB1Xa e1pl1g/9F7mEkQhHS6nT9lFOJb6qj+lbuRU33wAtqcUdY4VsuEZOiG0rjTQWwrkJ MkeC8Q09zNZu7xNEy4R86R9nhjyZjgohjqbxxntdSL5YCsJCVGVLLz6dvmzUIXTc xtEgIZp8Qi2ftOLZQaCc9qkp6RduuBoqJPbLIgan+XWvRIQE2X4/xaDljVuJUkqz m3I7tQzsdm6QFK+0w6WiWp4qigNpkxWe8j/LlOWzQROXymkymDOmnDVX+qPakoh0 P1q5rD9tlFvDSAEURHw3b9KpFgD0F9hvzquzl7T2t58zgXph/LXu5cHJqYJNdqgq t4J7ZM4bK6pRjwz1vlKyoqvK+7NS9HWr8f3b+9mr4nNpJtC8bgUmIBDnMPWkl490 OedA6I+mczhtCidJMEfU1QxE/CR3f8YlFbu7zkXZ++VAedm3uY5dyWltZSr7u+fw Swbuw3gYPIPUi0pN+LnXvDFDZCEkn7fzSrkwkMUa0nlMXMGzX3pAUooVVktZjnN1 JCf5Mg6hSr8giHhHzNcBN3FmFC6wTeXgUk/HLcgi/OrUClDHsCS2zB372ZhtxXWo EI++nbYBDGFMjt6CLl6bSqTPTQH4r9YHQvlOmA2D2VGhejskcZObbbM/C15JErKr fZf7sre8x7wvgALmRoDG2MK6Pk9j8VA0VCqn7sLIcA80gPbNk9k= =xoNe -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users