Re: [Enigmail] feedback from initial enigmail setup (using wizard)
On Thu 2018-03-08 08:34:34 +0100, Patrick Brunschwig wrote:
> Interestingly, *two* usability studies have suggested that the
> explanations before were insufficient. The current text is actually the
> suggested text from the last usability study.

i wonder how the usability studies were framed that they came to that
conclusion. from the discussions in the Autocrypt project, we seem to
have a fairly robust user story that never mentions the concept of keys
to the user at all.

If the usability studies were expected to improve the outcome of "how
well do you understand public key cryptography" then i agree that the
text is insufficient. If the question is "can you send encrypted mail"
then maybe the answer is that it's too much text :/

i'm a big fan of letting explorers explore, but not a big fan of
expecting people to click through stuff they don't understand while
thinking "blah blah blah..."

>> * When i click the "Create Revocation Certificate" button, i get a
>>   popup dialog box saying "The revocation certificate could not be
>>   created", with a "close" button. When i click "close", it takes me
>>   to a file chooser. Then i choose a file, and it shows me the same
>>   "revocation certificate could not be created" dialog box. I can
>>   cycle between these things indefinitely.
>>
>>   When i finally tire of this, the only option left to me is to cancel
>>   the wizard. It prompts me with something like "are you sure you want
>>   to cancel the wizard?" with choices of "close" or "continue". I feel
>>   bad because i do want to continue, but i choose "close". Then, when
>>   i go back into the Setup Wizard via the Enigmail submenu, it just
>>   asks me to choose a key (my now-existent key is present, so i choose
>>   it), and then it tells me i'm done (without offering to create a
>>   revocation certificate).
>
> I'll look into this. Which version of gpg are you using exactly?

this was gpg 2.2.5, but i realize now after trying to replicate it the
problem appears to have come from a pinentry breakage on the specific
account i was using. Not enigmail's fault, but it'd still be good to
handle any failure to create a revocation certificate more gracefully,
rather than leaving the user feeling stuck.

> Strange. Is LC_ALL defined in your environment? If not, where is the
> "locale" executable (/usr/bin/locale ?)

0 dkg@alice:~$ which locale
/usr/bin/locale
0 dkg@alice:~$ locale
LANG=en_US.UTF-8
LANGUAGE=
LC_CTYPE="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_PAPER="en_US.UTF-8"
LC_NAME="en_US.UTF-8"
LC_ADDRESS="en_US.UTF-8"
LC_TELEPHONE="en_US.UTF-8"
LC_MEASUREMENT="en_US.UTF-8"
LC_IDENTIFICATION="en_US.UTF-8"
LC_ALL=
0 dkg@alice:~$ echo $LANG
en_US.UTF-8
0 dkg@alice:~$

hth,

--dkg

___
enigmail-users mailing list
enigmail-users@enigmail.net
To unsubscribe or make changes to your subscription click here:
https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net

Re: [Enigmail] feedback from initial enigmail setup (using wizard)
On 07.03.18 19:22, Daniel Kahn Gillmor wrote:
> Hi all--
>
> Today i have done several trial run-throughs, thunderbird 1:52.6.0-1+b1
> + enigmail 2:2.0~beta2-1 on debian testing/unstable. I have a few
> observations and recommendations about the setup wizard.
>
> I chose the "standard configuration (recommended for beginners)". all
> the recommendations below are only for people using the wizard in
> "standard mode".

I did not change the setup wizards at all with respect to Autocrypt. I'm
planning to do this for Enigmail 2.1 (or whatever the next version will
be called). There are many things that should be improved, but at some
point it's better to create a new release, than to continue development
forever.

That said, I agree with most of what you say below, but I won't change
most of it for 2.0 anymore.

> [...]
>
> * The "create key" part of the dialog box has scrollbars, which makes
>   it pretty awkward to use:
>
>   Recommendation: resize the dialog box to not need the scrollbars

That's platform-specific. I don't see that on macOS. I'll try to fix it.

> * The text in the "create key" dialog box is quite a lot. It's much
>   more than any beginner who chose a standard configuration will
>   probably read.
>
>   Recommendation: Remove all of the current text. Under the
>   "Account/User ID" dropdown box, include something like this:
>
>     Enigmail lets you send and receive end-to-end encrypted messages
>     with this e-mail account. Only this Enigmail profile will be
>     able to read these encrypted messages.
>
>     To protect these messages further, you can lock them with a
>     password below. All encrypted messages will be unreadable
>     without the password.
>
>   Optionally, we could hide the entire password-setting UI inside a
>   collapsible frame labeled "Set end-to-end password"
>
>   The text about umlauts and character classes should be shown only
>   when the user enters a password that has the properties that it is
>   warning about. (e.g. maybe the field that currently shows "passphrase
>   should contain at least 8 characters")

Interestingly, *two* usability studies have suggested that the
explanations before were insufficient. The current text is actually the
suggested text from the last usability study.

> * The circled red+white X that shows when one of the password fields is
>   bad is weirdly stretched.
>
>   Recommendation: fix the aspect ratio of the image :)

I'll check what I can do.

> * When i click the "Create Revocation Certificate" button, i get a
>   popup dialog box saying "The revocation certificate could not be
>   created", with a "close" button. When i click "close", it takes me
>   to a file chooser. Then i choose a file, and it shows me the same
>   "revocation certificate could not be created" dialog box. I can
>   cycle between these things indefinitely.
>
>   When i finally tire of this, the only option left to me is to cancel
>   the wizard. It prompts me with something like "are you sure you want
>   to cancel the wizard?" with choices of "close" or "continue". I feel
>   bad because i do want to continue, but i choose "close". Then, when
>   i go back into the Setup Wizard via the Enigmail submenu, it just
>   asks me to choose a key (my now-existent key is present, so i choose
>   it), and then it tells me i'm done (without offering to create a
>   revocation certificate).

I'll look into this. Which version of gpg are you using exactly?

[...]

> * System charset:
>
>   looking at the logs, i see the following:
>
>   2018-03-07 19:18:18.293 [DEBUG] system.jsm: determineSystemCharset:
>   charset='iso-8859-1'
>
>   This is just wrong. Everything about my operating system is
>   configured with UTF-8, not iso-8859-1. I haven't read system.jsm to
>   see how it determines this result, but it's 2018.
>
>   Recommendation: enigmail should default to UTF-8 if there is any
>   uncertainty about the system charset.

Strange. Is LC_ALL defined in your environment? If not, where is the
"locale" executable (/usr/bin/locale ?)

> I hope this is useful feedback!

It surely is :-)

Thanks,
Patrick

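Added example (not part of the thread and not Enigmail's system.jsm code): one way to implement the "default to UTF-8 if there is any uncertainty" recommendation quoted above, using the LC_ALL / LC_CTYPE / LANG variables from the locale output earlier in the thread. The function names, the alias table and the sample environment are assumptions made for this sketch.

```javascript
// Added example, not Enigmail code: pick a charset from POSIX locale variables
// and fall back to UTF-8 whenever the environment does not name a codeset.

// Assumed alias table: codeset spellings normalised to one label each.
const CODESET_ALIASES = {
  "utf8": "UTF-8", "utf-8": "UTF-8",
  "iso88591": "ISO-8859-1", "iso-8859-1": "ISO-8859-1",
  "iso885915": "ISO-8859-15", "iso-8859-15": "ISO-8859-15",
};

// Locale names look like language[_territory][.codeset][@modifier].
// Returns the normalised codeset, or null when none is given ("C", "de_DE@euro").
function codesetOf(localeName) {
  const m = /^[^.@]+\.([^@]+)(?:@.*)?$/.exec(String(localeName).trim());
  if (!m) return null;
  return CODESET_ALIASES[m[1].toLowerCase()] || m[1].toUpperCase();
}

// POSIX precedence for character handling: LC_ALL, then LC_CTYPE, then LANG.
// Unset and empty variables are skipped; the first non-empty one decides.
function determineCharset(env) {
  for (const name of ["LC_ALL", "LC_CTYPE", "LANG"]) {
    const value = env[name];
    if (value === undefined || value === "") continue;
    const codeset = codesetOf(value);
    // A deciding variable without a codeset is the "uncertain" case: use UTF-8.
    return codeset ? { charset: codeset, source: name }
                   : { charset: "UTF-8", source: "default" };
  }
  return { charset: "UTF-8", source: "default" };
}

// Constructed sample: the variables that are actually set in the `locale`
// output quoted in the thread (LANG set, LANGUAGE and LC_ALL empty).
const SAMPLE_ENV = { LANG: "en_US.UTF-8", LANGUAGE: "", LC_ALL: "" };

console.log(determineCharset(SAMPLE_ENV));
console.log(determineCharset({ LC_ALL: "C", LANG: "en_US.UTF-8" }));
console.log(determineCharset({ LC_CTYPE: "de_DE.ISO-8859-15@euro" }));
console.log(determineCharset({}));
```
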
[Enigmail] feedback from initial enigmail setup (using wizard)
Hi all--

Today i have done several trial run-throughs, thunderbird 1:52.6.0-1+b1
+ enigmail 2:2.0~beta2-1 on debian testing/unstable. I have a few
observations and recommendations about the setup wizard.

I chose the "standard configuration (recommended for beginners)". all
the recommendations below are only for people using the wizard in
"standard mode".

* New key creation password requirement. Currently the wizard requires
  that the user enter a password of at least 8 characters. It's not
  clear that treating this as a hard requirement is a good idea.
  Having the "password strength" meter gives the user some sense of how
  good their password is. But perhaps we can let users make their own
  decisions about when their password is chosen. There are legitimate
  "opportunistic" e-mail encryption approaches that discourage the use
  of passwords entirely.

  Recommendation: remove the hard requirement of 8 chars minimum.

* The "create key" part of the dialog box has scrollbars, which makes
  it pretty awkward to use:

  Recommendation: resize the dialog box to not need the scrollbars

* The text in the "create key" dialog box is quite a lot. It's much
  more than any beginner who chose a standard configuration will
  probably read.

  Recommendation: Remove all of the current text. Under the
  "Account/User ID" dropdown box, include something like this:

    Enigmail lets you send and receive end-to-end encrypted messages
    with this e-mail account. Only this Enigmail profile will be
    able to read these encrypted messages.

    To protect these messages further, you can lock them with a
    password below. All encrypted messages will be unreadable
    without the password.

  Optionally, we could hide the entire password-setting UI inside a
  collapsible frame labeled "Set end-to-end password"

  The text about umlauts and character classes should be shown only
  when the user enters a password that has the properties that it is
  warning about. (e.g. maybe the field that currently shows "passphrase
  should contain at least 8 characters")

* The circled red+white X that shows when one of the password fields is
  bad is weirdly stretched.

  Recommendation: fix the aspect ratio of the image :)

* The "passphrase should contain at least 8 characters" warning appears
  only after the user's focus *leaves* the password field, which is
  confusing.

  Recommendation: that warning box should be dynamically updated as the
  user types.

* "Revocation Certificate Creation" -- it's awesome that enigmail
  encourages good key management practices, for those people who want
  to explicitly manage their keys, but it's really frustrating for a
  "standard" configuration to not be able to proceed until a revocation
  certificate is generated.

  Recommendation: make "Create a revocation certificate" an optional
  button available during an earlier phase of the dialog box (maybe
  next to the "Set end-to-end password" collapsible choice recommended
  above?). This would allow the user to choose a location for the
  revocation cert early in the process if they want it. Do not force
  the user to generate a revocation certificate (modern versions of
  GnuPG auto-generate a revocation certificate anyway).

* When i click the "Create Revocation Certificate" button, i get a
  popup dialog box saying "The revocation certificate could not be
  created", with a "close" button. When i click "close", it takes me
  to a file chooser. Then i choose a file, and it shows me the same
  "revocation certificate could not be created" dialog box. I can
  cycle between these things indefinitely.

  When i finally tire of this, the only option left to me is to cancel
  the wizard. It prompts me with something like "are you sure you want
  to cancel the wizard?" with choices of "close" or "continue". I feel
  bad because i do want to continue, but i choose "close". Then, when
  i go back into the Setup Wizard via the Enigmail submenu, it just
  asks me to choose a key (my now-existent key is present, so i choose
  it), and then it tells me i'm done (without offering to create a
  revocation certificate).

  Recommendation: for those people who want to save a revocation
  certificate, make sure that the file save actually works.

  Looking in the debug log, i don't see any problem with revocation
  cert generation on the GnuPG side, and i don't see anything else in
  the enigmail logs after revocation to indicate why things are failing:

  2018-03-07 19:07:52.001 [CONSOLE] enigmail> /usr/bin/gpg --charset utf-8 --display-charset utf-8 --no-auto-check-trustdb --no-tty --status-fd 1 --logger-fd 1 --command-fd 0 -a -o /home/tester/xx.asc --gen-revoke 0xF730CBF596C0AFB4
  2018-03-07 19:07:52.033 [DEBUG] keyEdit.jsm: GpgEditorInterface.processLine: '[GNUPG:] KEY_CONSIDERED