Difference between revisions of "GPG guide/Public Review"
(→Feedback) |
|||
Line 51: | Line 51: | ||
* How many people read email on the web or on their devices? Should the Guide include instructions or recommendations of apps for devices? How might a webmail user read/send encrypted email? [[User:Lpb|Lpb]] 09:01, 24 May 2014 (EDT), GNU/Linux and GPG user. | * How many people read email on the web or on their devices? Should the Guide include instructions or recommendations of apps for devices? How might a webmail user read/send encrypted email? [[User:Lpb|Lpb]] 09:01, 24 May 2014 (EDT), GNU/Linux and GPG user. | ||
+ | |||
+ | A few comments from [[User:Srevilak|Srevilak]] 20:22, 29 May 2014 (EDT): | ||
+ | |||
+ | * Perhaps add a step 1.b.1: If you're using Mac OS X, download [https://gpgtools.org GPGTools]. I've never tried to set up Enigmail + GPG tools on a macintosh, but I do know that GPGTools has good integration with Apple Mail. GPGTools is probably the most accessible distribution of GnuPG command line tools for macintosh. | ||
+ | |||
+ | * Step 2.a: "In your email program's menu, select OpenPGP -> Setup Wizard". Perhaps this should explicitly say "In Thunderbird's program menu". (Thunderbird has an OpenPGP menu, but other mail programs may not) | ||
+ | |||
+ | * Step 2.a: "The program will take a little while to finish the next step". Perhaps say "OpenPGP's Wizard" rather than "the program". | ||
+ | |||
+ | * Step 2.a: "After creating your key, the Enigmail set-up wizard automatically uploaded it to a keyserver". "Uploads" (rather than uploaded) may be the correct tense here. | ||
+ | |||
+ | * Section 3a: "Check the first result (Key ID starting with 9) and hit OK." It might be nice if the tutorial included Adele's fingerprint. Introducing the concept of fingerprints here sets you up to elaborate in Section 4. "it requires a way to verify that a person's keypair is actually theirs." Fingerprints are the best way to do that verification. |
Revision as of 20:22, 29 May 2014
Welcome, and thanks for offering to try out the FSF's draft guide to email encryption
Instructions
Follow the draft guide to using GnuPG. **Please don't edit any of the pages except this one.** It's still in development, so it may be missing bits or have parts that say "coming soon."
Please leave your feedback as bullets in the feedback section. Make sure to include: what step your feedback refers to (unless it's more general), how experienced you are with GPG, and what operating system you are using.
For example:
- I couldn't find the "Key Management" menu item mentioned in step 3 of section 2. I'm using Windows 8 and I've used GPG a little bit before. Zakkai 18:30, 22 May 2014 (EDT)
Unless you're already a Free Software Foundation member, you'll need to make an account on this wiki to leave feedback. If you find that someone else has already said what you want to say, just add your name after theirs.
When you are done, please, make a note here of your username and how far you got by typing four consecutive tildes in a bullet on a new line in the contributors section. Semantic MediaWiki will automatically insert your username.
Contributors
We'd love to give you credit for your work. If you'd like to be attributed in the final version of the guide, please send an email to campaigns@fsf.org with the name you'd like to be attributed with and your username on this Wiki, so that we can verify your contribution.
- Zakkai 16:33, 22 May 2014 (EDT) did the whole guide (wrote it, in fact)
Feedback
- Please provide a more detailed explanation of the web of trust. I think it would help if there were some drawings or graphs to help teach the concept. I'm an experienced GnuPG user running Debian. Kojakr 18:20, 23 May 2014 (EDT)
- I'm concerned that the Windows workflow might not work well. I hope lots of people test this on Windows. I'm an intermediate GnuPG user running Trisquel GNU/Linux. Zakkai 18:17, 23 May 2014 (EDT)
- Is an 8-letter password current best practice for crypto key passwords?
Here are some guidelines that suggest at least 12 characters:
http://en.wikipedia.org/wiki/Password_strength#Guidelines_for_strong_passwords
Here is a guide to the amount of time it takes to break passwords of various lengths:
http://www.lockdown.co.uk/?pg=combi&s=articles
Passphrases may be slightly better than passwords:
https://www.schneier.com/blog/archives/2012/03/the_security_of_5.html
Althought as I understand it entropy is the real guiding factor.
--Robmyers 20:53, 23 May 2014 (EDT)
- Please don't ask people to support Mozilla financially. They are currently attacking user freedom with their DRM infection vector for Firefox. --Robmyers 20:53, 23 May 2014 (EDT)
- The EFF provides some useful information via their Surveillance Self Defense site that may be worth referencing/including. Mgerwitz 23:33, 23 May 2014 (EDT)
- The article recommends making it "a part of your online identity"---this is fine/ideal (as it allows the creation of a web of trust), but a necessary prerequisite is knowing how to properly protect a private key. Average users will likely go for convenience, but especially on Windows systems, maleware is prevalent---if the system holding the private key is compromised, then the private key should be considered compromised and should be revoked. Considering that most users will be unaware of a compromise, more emphasis should also be placed upon the password strength, including links to resources (e.g. what was posted above); otherwise, all parties involved have a false sense of security and the compromised identity can be used for impersonation. Mgerwitz 23:33, 23 May 2014 (EDT)
- How many people read email on the web or on their devices? Should the Guide include instructions or recommendations of apps for devices? How might a webmail user read/send encrypted email? Lpb 09:01, 24 May 2014 (EDT), GNU/Linux and GPG user.
A few comments from Srevilak 20:22, 29 May 2014 (EDT):
- Perhaps add a step 1.b.1: If you're using Mac OS X, download GPGTools. I've never tried to set up Enigmail + GPG tools on a macintosh, but I do know that GPGTools has good integration with Apple Mail. GPGTools is probably the most accessible distribution of GnuPG command line tools for macintosh.
- Step 2.a: "In your email program's menu, select OpenPGP -> Setup Wizard". Perhaps this should explicitly say "In Thunderbird's program menu". (Thunderbird has an OpenPGP menu, but other mail programs may not)
- Step 2.a: "The program will take a little while to finish the next step". Perhaps say "OpenPGP's Wizard" rather than "the program".
- Step 2.a: "After creating your key, the Enigmail set-up wizard automatically uploaded it to a keyserver". "Uploads" (rather than uploaded) may be the correct tense here.
- Section 3a: "Check the first result (Key ID starting with 9) and hit OK." It might be nice if the tutorial included Adele's fingerprint. Introducing the concept of fingerprints here sets you up to elaborate in Section 4. "it requires a way to verify that a person's keypair is actually theirs." Fingerprints are the best way to do that verification.