Difference between revisions of "GPG guide/Public Review"

From LibrePlanet
Jump to: navigation, search
(Added feedback)
(Despite the guide's advice, there are e-mail addresses without public key fingerprints everywhere.)
 
(128 intermediate revisions by 48 users not shown)
Line 1: Line 1:
 
__NOTOC__
 
__NOTOC__
 +
Welcome, and thanks for giving feedback on [https://emailselfdefense.fsf.org Email Self-Defense].
  
=Welcome, and thanks for offering to try out the FSF's draft guide to email encryption=
+
'''This page is for recording and seconding suggested improvements. If you have found an error, broken link or typo, or if one of the guide's links to external documentation is no longer linking to what it seems like it should be linking to, please contact the FSF at campaigns@fsf.org so we can fix it as soon as possible.'''
===Instructions===
 
Follow the draft [[GPG_guide/Textual_Draft | guide]] to using GnuPG. **'''Please don't edit any of the pages except this one.'''** It's still in development, so it may be missing bits or have parts that say "coming soon." In the final version, this text will be interspersed with beautiful and informative graphics.
 
  
Please leave your feedback as bullets in the feedback section. Make sure to include: what step your feedback refers to (unless it's more general), how experienced you are with GPG, and what operating system you are using.  
+
When leaving feedback on this page, make sure to include: what step your feedback refers to (unless it's more general), how experienced you are with GPG, what version of the guide you are using (see the footer), and what operating system you are using.
  
For example:
+
To our friends speaking languages other than English: you may leave non-English comments below, but it may take the FSF longer to respond to them. If you are commenting in English on a specific translation, be sure to let us know which one.
  
* I couldn't find the "Key Management" menu item mentioned in step 3 of section 2. I'm using Windows 8 and I've used GPG a little bit before. [[User:Zakkai|Zakkai]] 18:30, 22 May 2014 (EDT)
+
Unless you're already a Free Software Foundation member, you'll need to make an account on this wiki to leave feedback. If you find that someone else has already said what you want to say, just add your name after theirs.
  
Unless you're already a Free Software Foundation member, you'll need to make an account on this wiki to leave feedback. If you find that someone else has already said what you want to say, just add your name after theirs.
+
Please sign your feedback by typing four consecutive tildes in a bullet on a new line in the contributors section. Semantic MediaWiki will automatically insert your username and a timestamp.
 +
 
 +
==Feedback==
 +
* encrypted mail to Edward-en@fsf.org could not be sent : KEY_CONSIDERED F357AA1A5B1FA42CFD9FE52A9FF2194CC09A61E8 0 INV_RECP 10 FAILURE sign-encrypt 53 (only one key found on 3 key servers, starting with F and not C as announced).
 +
 
 +
** Step 3.B: When I click "Download missing keys", Enigmail can't find the key at all. It's as if edward-en@fsf.org never uploaded his keys. Thunderbird does not give me a choice of keyserver.
 +
** ANSWER: first, make sure you do step 3A correctly. And then, if thunderbird cannot find the public key right away, go to "key management" then "Keyserver" "Search for keys", and from there you can choose the different servers, use this one: hkps://hkps.pool.sks-keyservers.net. [[User:Zoe|Zoe]] ([[User talk:Zoe|talk]])
 +
 
 +
* I have dual boot desktop computer with Windows and Linux. Mozilla Thunderbird in Windows uses POP settings while the Thunderbird in Linux has IMAP settings. The email address is the same for both and Enigmail is set up in both with the same encryption keys. I send and receive message in both.  IMAP is also used in my mobile phone for the same email account. Could this set up lead to any problems? if, so could this be dealt with somewhere in the instructions?
 +
** Both POP and IMAP will work with GPG. [[User:Mmcmahon|Mmcmahon]] ([[User talk:Mmcmahon|talk]]) 14:36, 5 May 2022 (EDT)
 +
 
 +
* The Windows page needs specific instructions for specific email providers and email clients.  Here's an example..  https://support.google.com/mail/troubleshooter/1668960?hl=en&ref_topic=3397500  See, first they tell the user how to enable IMAP or POP, then they offer specific setup instructions for specific mail clients.  We need to do that or link to it.  Can we find similar guides for Yahoo, Apple's mail thing, and Hotmail?  Does anybody have an up-to-date list of the most common email providers?  [[User:Sebboh|Sebboh]] 12:22, 5 June 2014 (EDT)
 +
 
 +
* The [https://emailselfdefense.fsf.org/#step-sign_real_keys "check people's identification before signing their keys" section] says 'Answer honestly in the window that pops up and asks "How carefully have you verified that the key you are about to sign actually belongs to the person(s) named above?".'  This is the equivalent of gpg --ask-cert-level.  But [https://www.debian-administration.org/users/dkg/weblog/98 ask-cert-level is a bad idea].  People should leave that choice as "I will not answer" [[User:Dkg|Dkg]] 12:50, 9 June 2014 (EDT)
  
When you are done, please, make a note here of your username and how far you got by typing four consecutive tildes in a bullet on a new line in the contributors section. Semantic MediaWiki will automatically insert your username.
+
** Guide is limited in that it mentions only a few environments, clients, and encryption methods.  For example: no mention there exists other clients for Windows, no mention of clients for Android, and no mention there exists other forms of encryption such as SMIME.
  
==Contributors==
+
** The guide asks for money for "promotion", but there is no mention various encryption projects need money and are asking for donations. For example, some crowd source funding for Thunderbird:  https://freedomsponsors.org/core/issue/434/encrypted-email-messages-should-be-stored-decrypted-in-the-local-folders, and K9: https://freedomsponsors.org/core/issue/346/pgpmime-support [[User:Notme|Notme]] 20:19, 11 June 2014 (EDT)
We'd love to give you credit for your work. If you'd like to be attributed in the final version of the guide, please send an email to campaigns@fsf.org with the name you'd like to be attributed with and your username on this Wiki, so that we can verify your contribution.
 
  
* [[User:Zakkai|Zakkai]] 16:33, 22 May 2014 (EDT) did the whole guide (wrote it, in fact)
+
* Step 6 Next Steps/Keysigning - What happens next after signing another person's public key? Do I have to upload the signed key to a key server? Will I send back the signed key to his/her owner? I understand that the concept of "Web of Trust" is elementary but following the manual I don't understand how to manage by personal web of trust. I really hope that I won't be the only one who doesn't understand this part. [[User:treje|treje]] 11:21, 16 June 2014
  
==Feedback==
+
** The best idea is to send the key back to the owner in an encrypted email. That way, if the owner does not have access to the email address they won't be able to get the signed key. You manage the web of trust by setting ''ownertrust'' in a key. There are 3 levels: no trust, marginal trust, full trust and ultimate trust (This level should only be used on your own keys). A key needs to be signed by 3 marginally trusted keys or one fully or ultimately trusted key to be valid. Valid means that you can be sure that the key really belongs to its owner. You can set the level of trust by right-clicking on a key and selecting "Owner Trust" or something similar. --[[User:Gpcf|Gpcf]] 12:12, 16 June 2014 (EDT)
  
* Please provide a more detailed explanation of the web of trust. I think it would help if there were some drawings or graphs to help teach the concept. I'm an experienced GnuPG user running Debian. [[User:Kojakr|Kojakr]] 18:20, 23 May 2014 (EDT)
+
** Thank you for the reply, Gpcf. As far as I understand it your way of processing signed keys adds a further tier of security to the process. Additionally I found a paragraph in the gpg manual which is also an answer to my issue ("Distributing Keys"). And I also realized that step 4.A on emailselfdefense answers my question, too. I obviously overlooked that step on my first attempt. Both sources suggest to upload the signed key to a public key server. The process of uploading signed keys raises other questions in my opinion. Newbie questions perhaps. Do the public key server sync their stored keys? Could be good to know to retrieve keys of new recipients. --[[User:treje|treje]] 17:55, 17 June 2014 (CEST)
  
* I'm concerned that the Windows workflow might not work well. I hope lots of people test this on Windows. I'm an intermediate GnuPG user running Trisquel GNU/Linux. [[User:Zakkai|Zakkai]] 18:17, 23 May 2014 (EDT)
+
** Yes, all SKS pool keyservers syncronize. It may take a few minutes until the changes have spread over all keyservers. --[[User:Gpcf|Gpcf]] 13:00, 17 June 2014 (EDT)  Modified by [[User:Mmcmahon|Mmcmahon]] ([[User talk:Mmcmahon|talk]]) 14:36, 5 May 2022 (EDT)
  
* Is an 8-letter password current best practice for crypto key passwords?
+
* The styles of the "join" and "donate" buttons are not quite the same. This departs from the elegant style of the page. Besides, the buttons are difficult to localize because the background of the svg is a bitmap (i.e. the circle with the FSF logo can't move). FWIW, I redrew the background in Inkscape; the only bitmap element is "FSF" (from the FSF logo). The result is here: https://static.fsf.org/nosvn/enc-dev0/svg/fr/
  
Here are some guidelines that suggest at least 12 characters:
+
* As for the guide itself, I think it is a pity that you don't give us detailed information on how to use '''GNUPG ''and'' Claws-Mail''' (not simply GNUPG ''in'' Claws Mail). Apparently, Enigmail (Thunderbird Add-on) is far from perfect, and doesn't follow the PGP standard, and may be misleading as it offers too many and useless options.
  
http://en.wikipedia.org/wiki/Password_strength#Guidelines_for_strong_passwords
+
* Would be good to include a configuration for also encrypting the email for yourself, so that you can read it.
  
Here is a guide to the amount of time it takes to break passwords of various lengths:
+
* Section 1.a) How about a link to https://www.mozilla.org/thunderbird/ or a text like "Open whatever program you usually use for installing software, and search for Thunderbird, then install it." for people who haven't installed Thunderbird/Icedove. --[[User:Rr|raff]] 08:56, 13 July 2014 (EDT) (feedback via mail)
  
http://www.lockdown.co.uk/?pg=combi&s=articles
+
** '''+1''' --[[User:Ignoble|Ignoble]] ([[User talk:Ignoble|talk]]) 04:39, 29 December 2015 (EST)
  
Passphrases may be slightly better than passwords:
+
* Enigmail-Plugin for Windows (v1.6) has a bug concerning the OpenPGP-Assistant: at one step, the Assistant wants to change the defaults - but apparently nothing happens. This happens when Enigmail has not found the correct Binary for gpg - in my case, it tried "gpgv2.exe" instead of "gpg2.exe". Please mention this in the explanations. I'll also append my explanation to the bug report on sourceforge regarding Enigmail. --[[User:Rince|Rince]] 15:33, 13 July 2014 (MEST)
  
https://www.schneier.com/blog/archives/2012/03/the_security_of_5.html
+
* Someone contacted the FSF and said it would be good to put in a recommendation of how often to remake one's keys [[User:Zakkai|Zakkai]] 16:32, 7 August 2014 (EDT)
  
Althought as I understand it entropy is the real guiding factor.  
+
* In the 'when should I encrypt' I was worried how it will go for people that don't use PGP (I've first thought that because encrypting is default I'll have to know myself about who of my friends use it + enable disable manually OR that they will receive encrypted messages with no clues and could just delete them). It should be good to add a sentence saying that Enigmail will check if the person have a key and then will let you decide. Maybe adding a good practice sentence too about sending your public key + signing in that case. --[[User:NicolasWeb|NicolasWeb]] 17:04, 8 October 2015 (EDT)
  
--[[User:Robmyers|Robmyers]] 20:53, 23 May 2014 (EDT)
+
* Step 1b for Windows links to an outdated version of GPG4Win. --[[User:Ignoble|Ignoble]] ([[User talk:Ignoble|talk]]) 03:44, 29 December 2015 (EST)
 +
** It still links to an - now even more - outdated version. --[[User:Ignoble|Ignoble]] ([[User talk:Ignoble|talk]]) 16:08, 19 October 2016 (EDT)
  
* Please don't ask people to support Mozilla financially. They are currently attacking user freedom with their DRM infection vector for Firefox. --[[User:Robmyers|Robmyers]] 20:53, 23 May 2014 (EDT)
+
* Step 1b, says in an outdated message: "Note: As of June 18, 2018, GnuPG 2.2.8 is unavailable for Debian stable and testing.  It should say, "There is a GnuPG 2.2.12 backport available for Debian Stretch. Run apt-get -t stretch-backports install gnupg."  (I'll admit that I have no confidence that my addition to this wiki will be taken seriously by anyone, so please prove me wrong.  Thanks. ... Isn't this sort of a disorganized way to get anything done.  Just say'n.)
  
* The EFF provides some useful information via their [https://ssd.eff.org/tech Surveillance Self Defense site] that may be worth referencing/including. [[User:Mgerwitz|Mgerwitz]] 23:33, 23 May 2014 (EDT)
+
* Step 3a for all OSs says the encryption symbol is in the bottom right of the composition window. For the current version of Enigmail this is in the top toolbar. --[[User:Ignoble|Ignoble]] ([[User talk:Ignoble|talk]]) 04:01, 29 December 2015 (EST)
  
* The article recommends making it "a part of your online identity"---this is fine/ideal (as it allows the creation of a web of trust), but a necessary prerequisite is knowing how to properly [https://www.gnupg.org/gph/en/manual/c481.html protect a private key]. Average users will likely go for convenience, but especially on Windows systems, maleware is prevalent---if the system holding the private key is compromised, then the private key should be considered compromised and should be revoked. Considering that most users will be unaware of a compromise, more emphasis should also be placed upon the password strength, including links to resources (e.g. what was posted above); otherwise, all parties involved have a false sense of security and the compromised identity can be used for impersonation. [[User:Mgerwitz|Mgerwitz]] 23:33, 23 May 2014 (EDT)
+
** Same problem in Step 3b. --[[User:Ignoble|Ignoble]] ([[User talk:Ignoble|talk]]) 04:07, 29 December 2015 (EST)
  
* How many people read email on the web or on their devices? Should the Guide include instructions or recommendations of apps for devices? How might a webmail user read/send encrypted email? [[User:Lpb|Lpb]] 09:01, 24 May 2014 (EDT), GNU/Linux and GPG user.
+
* Surveillance of metadata raises a concern to dissociate keys and their fingerprints from any identity, online or offline, other than the singular e-mail address or other intention for which the key is created. The guide skips over pros and cons of generating a key with your name, with your e-mail address, only one of the two, or false information. Users of e-mail would maintain their pseudonymity by entering only their e-mail address and not their name when creating a key. Users intending to sign software may benefit from entering different information that associates or does not associate the key to their identity, other accounts, other pseudonyms, the name of a project, etc. Key signing threatens anonymity as well by voluntarily publishing users' associations to the web of trust.  
  
* Intro: "emails that are coded" - "encrypted" would be clearer, IMHO. [[User:Adietric|Adietric]] 07:28, 30 May 2014 (EDT)
+
Step #4, "What to consider when signing keys," recklessly recommends to "ask them to show you their government identification, and make sure the name on the ID matches the name on the public key." Where e-mail is concerned, pseudonymity can be maintained by only verifying that the keyholder has access to the e-mail account. It would require no other information but for them to read the contents of a message you encrypt and e-mail to them in person verbally back to you in person at the same meeting. Encouraging government IDs renounces anonymity across all pseudonyms associated with a key as well as misleads users into believing that the person presenting the ID has access to the account.  
  
* Intro: "surveillance agent or thief" - maybe phrase it more neutral: "make sure that only the intended recipient can read it". [[User:Adietric|Adietric]] 07:28, 30 May 2014 (EDT)
+
Step #5 says, "Unless you don't want to reveal your own identity (which requires other protective measures)..." What other protective measures? PGP is for privacy, and privacy usually implies or necessitates anonymity. Bulk metadata collection pressures this guide to be amended. --[[User:KE8Au7s|KE8Au7s]] ([[User talk:KE8Au7s|talk]]) 18:07, 24 June 2016 (EDT)
  
* Intro: "when you need to send something sensitive" - I think it's a bad idea to train users to think of encryption only for "sensitive" communication. I'd remove this whole paragraph. [[User:Adietric|Adietric]] 07:28, 30 May 2014 (EDT)
+
Thanks I enjoyed your guide! For Step 3E, though when signing I didn't get Edward to verify with his signature,"Your signature was verified." I also found that his public key began with F, as a heads up to anyone! [[User:Fruitbat|Fruitbat]] ([[User talk:Fruitbat|talk]]) 16:27, 12 October 2020 (EDT)
  
* Intro: "you'll actually do it more often" - Personally, I hardly ever sign my email. Maybe let the users decide and drop this sentence. [[User:Adietric|Adietric]] 07:28, 30 May 2014 (EDT)
+
* Section 2: Why make it so complicated and not use the built in feature of thunderbird to generate a new key? Was this a conscious decision (if so, do you have nice resources about why it's not good to use it) or is the guide just too old and this functionality did not exist when it was last updated?  [[User:Fanti|Fanti]] ([[User talk:Fanti|talk]]) 4 May 2023
 +
** You can use Thunderbird to generate PGP keys. This guide is to use GPG keys, which have many uses outside of Thunderbird, with Thunderbird. [[User:Mmcmahon|Mmcmahon]] ([[User talk:Mmcmahon|talk]]) 13:25, 5 May 2023 (EDT)
  
* Section 1: It seems that Enigmail is not compatible with the 64-bit version of FossaMail (Enigmail was "disabled" right after installation). [[User:Adietric|Adietric]] 12:14, 30 May 2014 (EDT)
+
* 'Start writing your public key fingerprint anywhere someone would see your email address ... We need to get our culture to the point that we feel like something is missing when we see an email address without a public key fingerprint.'
 +
: Despite this advice, there are e-mail addresses without public key fingerprints everywhere: in step 4.A (Edward), in the section at the end about contributing (FSF campaigns team), in the footer (Edward's authors), in the newsletter and mailing list sign-up sections (the user). In order to create an account to post this feedback, I also had to enter an e-mail address (without a key, of course), and received an (unencrypted and unsigned) confirmation e-mail. [[User:BrianDrake|BrianDrake]] ([[User talk:BrianDrake|talk]]) 09:42, 4 October 2023 (EDT)
  
* Section 2a: "the Enigmail set-up wizard automatically uploaded it to a keyserver" - which one? I checked all the ones included in Enigmail, but my key wasn't there. Consequently Adele failed to find my key later on. (Next I tried using "Key Management -> Send Public Keys by Email", since the reply said "If you send me your public key along with another encrypted message", but that didn't work either.) [[User:Adietric|Adietric]] 12:46, 30 May 2014 (EDT)
 
  
* Section 3: You may want to show Adele's full key ID, in case some joker uploads a conflicting key. [[User:Adietric|Adietric]] 12:46, 30 May 2014 (EDT)
+
=== Accessibility ===
  
* Section 3: "Notice the bar" - maybe include more information, where is the bar usually, what does it say? [[User:Adietric|Adietric]] 12:46, 30 May 2014 (EDT)
+
* full-infographic.png (gnupg-infographic.svg) provides a lot of information that is inaccessible to screen readers, unless you extract the svg from the source package and weed through it. We could write a text description of the images, and intercalate the explanations. The description could be linked from the main page. -- [[User:Tgodef|Tgodef]] 09:44, 25 July 2014 (EDT)
  
A few comments from [[User:Srevilak|Srevilak]] 20:22, 29 May 2014 (EDT):
+
* Likewise, smaller images could use more descriptive alt attributes. -- [[User:Tgodef|Tgodef]] 09:51, 25 July 2014 (EDT)
  
* Perhaps add a step 1.b.1:  If you're using Mac OS X, download [https://gpgtools.org GPGTools]. I've never tried to set up Enigmail + GPG tools on a macintosh, but I do know that GPGTools has good integration with Apple Mail. GPGTools is probably the most accessible distribution of GnuPG command line tools for macintosh.
+
* I find the less important text extremely difficult to read (for example "The program will take a little while to finish the next step...") Indeed, the luminosity-contrast ratio is only 2.45 (http://springmeier.org/www/contrastcalculator/index.php, text #999, background #f4eed7). In the French version, the text color is #707070 instead of #999. The contrast is better, but still not sufficient to satisfy W3C criteria. -- [[User:Tgodef|Tgodef]] 09:44, 25 July 2014 (EDT)
  
* Step 2.a: "In your email program's menu, select OpenPGP -> Setup Wizard".  Perhaps this should explicitly say "In Thunderbird's program menu".  (Thunderbird has an OpenPGP menu, but other mail programs may not)
+
=== German and French versions ===
  
* Step 2.a: "The program will take a little while to finish the next step". Perhaps say "OpenPGP's Wizard" rather than "the program".
+
* Encoding in Edwards reply is wrong. The source is UTF8 (Linux CR/LF).
 +
* There are problems with accents in the French version too.
  
* Step 2.a: "After creating your key, the Enigmail set-up wizard automatically uploaded it to a keyserver".  "Uploads" (rather than uploaded) may be the correct tense here.
 
  
* Section 3a: "Check the first result (Key ID starting with 9) and hit OK."  It might be nice if the tutorial included Adele's fingerprint.  Introducing the concept of fingerprints here sets you up to elaborate in Section 4.  "it requires a way to verify that a person's keypair is actually theirs."  Fingerprints are the best way to do that verification.
+
{{featured resource|month=June|year=2014}}

Latest revision as of 09:42, 4 October 2023

Welcome, and thanks for giving feedback on Email Self-Defense.

This page is for recording and seconding suggested improvements. If you have found an error, broken link or typo, or if one of the guide's links to external documentation is no longer linking to what it seems like it should be linking to, please contact the FSF at campaigns@fsf.org so we can fix it as soon as possible.

When leaving feedback on this page, make sure to include: what step your feedback refers to (unless it's more general), how experienced you are with GPG, what version of the guide you are using (see the footer), and what operating system you are using.

To our friends speaking languages other than English: you may leave non-English comments below, but it may take the FSF longer to respond to them. If you are commenting in English on a specific translation, be sure to let us know which one.

Unless you're already a Free Software Foundation member, you'll need to make an account on this wiki to leave feedback. If you find that someone else has already said what you want to say, just add your name after theirs.

Please sign your feedback by typing four consecutive tildes in a bullet on a new line in the contributors section. Semantic MediaWiki will automatically insert your username and a timestamp.

Feedback

  • encrypted mail to Edward-en@fsf.org could not be sent : KEY_CONSIDERED F357AA1A5B1FA42CFD9FE52A9FF2194CC09A61E8 0 INV_RECP 10 FAILURE sign-encrypt 53 (only one key found on 3 key servers, starting with F and not C as announced).
    • Step 3.B: When I click "Download missing keys", Enigmail can't find the key at all. It's as if edward-en@fsf.org never uploaded his keys. Thunderbird does not give me a choice of keyserver.
    • ANSWER: first, make sure you do step 3A correctly. And then, if thunderbird cannot find the public key right away, go to "key management" then "Keyserver" "Search for keys", and from there you can choose the different servers, use this one: hkps://hkps.pool.sks-keyservers.net. Zoe (talk)
  • I have dual boot desktop computer with Windows and Linux. Mozilla Thunderbird in Windows uses POP settings while the Thunderbird in Linux has IMAP settings. The email address is the same for both and Enigmail is set up in both with the same encryption keys. I send and receive message in both. IMAP is also used in my mobile phone for the same email account. Could this set up lead to any problems? if, so could this be dealt with somewhere in the instructions?
    • Both POP and IMAP will work with GPG. Mmcmahon (talk) 14:36, 5 May 2022 (EDT)
  • The Windows page needs specific instructions for specific email providers and email clients. Here's an example.. https://support.google.com/mail/troubleshooter/1668960?hl=en&ref_topic=3397500 See, first they tell the user how to enable IMAP or POP, then they offer specific setup instructions for specific mail clients. We need to do that or link to it. Can we find similar guides for Yahoo, Apple's mail thing, and Hotmail? Does anybody have an up-to-date list of the most common email providers? Sebboh 12:22, 5 June 2014 (EDT)
    • Guide is limited in that it mentions only a few environments, clients, and encryption methods. For example: no mention there exists other clients for Windows, no mention of clients for Android, and no mention there exists other forms of encryption such as SMIME.
  • Step 6 Next Steps/Keysigning - What happens next after signing another person's public key? Do I have to upload the signed key to a key server? Will I send back the signed key to his/her owner? I understand that the concept of "Web of Trust" is elementary but following the manual I don't understand how to manage by personal web of trust. I really hope that I won't be the only one who doesn't understand this part. treje 11:21, 16 June 2014
    • The best idea is to send the key back to the owner in an encrypted email. That way, if the owner does not have access to the email address they won't be able to get the signed key. You manage the web of trust by setting ownertrust in a key. There are 3 levels: no trust, marginal trust, full trust and ultimate trust (This level should only be used on your own keys). A key needs to be signed by 3 marginally trusted keys or one fully or ultimately trusted key to be valid. Valid means that you can be sure that the key really belongs to its owner. You can set the level of trust by right-clicking on a key and selecting "Owner Trust" or something similar. --Gpcf 12:12, 16 June 2014 (EDT)
    • Thank you for the reply, Gpcf. As far as I understand it your way of processing signed keys adds a further tier of security to the process. Additionally I found a paragraph in the gpg manual which is also an answer to my issue ("Distributing Keys"). And I also realized that step 4.A on emailselfdefense answers my question, too. I obviously overlooked that step on my first attempt. Both sources suggest to upload the signed key to a public key server. The process of uploading signed keys raises other questions in my opinion. Newbie questions perhaps. Do the public key server sync their stored keys? Could be good to know to retrieve keys of new recipients. --treje 17:55, 17 June 2014 (CEST)
    • Yes, all SKS pool keyservers syncronize. It may take a few minutes until the changes have spread over all keyservers. --Gpcf 13:00, 17 June 2014 (EDT) Modified by Mmcmahon (talk) 14:36, 5 May 2022 (EDT)
  • The styles of the "join" and "donate" buttons are not quite the same. This departs from the elegant style of the page. Besides, the buttons are difficult to localize because the background of the svg is a bitmap (i.e. the circle with the FSF logo can't move). FWIW, I redrew the background in Inkscape; the only bitmap element is "FSF" (from the FSF logo). The result is here: https://static.fsf.org/nosvn/enc-dev0/svg/fr/
  • As for the guide itself, I think it is a pity that you don't give us detailed information on how to use GNUPG and Claws-Mail (not simply GNUPG in Claws Mail). Apparently, Enigmail (Thunderbird Add-on) is far from perfect, and doesn't follow the PGP standard, and may be misleading as it offers too many and useless options.
  • Would be good to include a configuration for also encrypting the email for yourself, so that you can read it.
  • Section 1.a) How about a link to https://www.mozilla.org/thunderbird/ or a text like "Open whatever program you usually use for installing software, and search for Thunderbird, then install it." for people who haven't installed Thunderbird/Icedove. --raff 08:56, 13 July 2014 (EDT) (feedback via mail)
  • Enigmail-Plugin for Windows (v1.6) has a bug concerning the OpenPGP-Assistant: at one step, the Assistant wants to change the defaults - but apparently nothing happens. This happens when Enigmail has not found the correct Binary for gpg - in my case, it tried "gpgv2.exe" instead of "gpg2.exe". Please mention this in the explanations. I'll also append my explanation to the bug report on sourceforge regarding Enigmail. --Rince 15:33, 13 July 2014 (MEST)
  • Someone contacted the FSF and said it would be good to put in a recommendation of how often to remake one's keys Zakkai 16:32, 7 August 2014 (EDT)
  • In the 'when should I encrypt' I was worried how it will go for people that don't use PGP (I've first thought that because encrypting is default I'll have to know myself about who of my friends use it + enable disable manually OR that they will receive encrypted messages with no clues and could just delete them). It should be good to add a sentence saying that Enigmail will check if the person have a key and then will let you decide. Maybe adding a good practice sentence too about sending your public key + signing in that case. --NicolasWeb 17:04, 8 October 2015 (EDT)
  • Step 1b for Windows links to an outdated version of GPG4Win. --Ignoble (talk) 03:44, 29 December 2015 (EST)
    • It still links to an - now even more - outdated version. --Ignoble (talk) 16:08, 19 October 2016 (EDT)
  • Step 1b, says in an outdated message: "Note: As of June 18, 2018, GnuPG 2.2.8 is unavailable for Debian stable and testing. It should say, "There is a GnuPG 2.2.12 backport available for Debian Stretch. Run apt-get -t stretch-backports install gnupg." (I'll admit that I have no confidence that my addition to this wiki will be taken seriously by anyone, so please prove me wrong. Thanks. ... Isn't this sort of a disorganized way to get anything done. Just say'n.)
  • Step 3a for all OSs says the encryption symbol is in the bottom right of the composition window. For the current version of Enigmail this is in the top toolbar. --Ignoble (talk) 04:01, 29 December 2015 (EST)
    • Same problem in Step 3b. --Ignoble (talk) 04:07, 29 December 2015 (EST)
  • Surveillance of metadata raises a concern to dissociate keys and their fingerprints from any identity, online or offline, other than the singular e-mail address or other intention for which the key is created. The guide skips over pros and cons of generating a key with your name, with your e-mail address, only one of the two, or false information. Users of e-mail would maintain their pseudonymity by entering only their e-mail address and not their name when creating a key. Users intending to sign software may benefit from entering different information that associates or does not associate the key to their identity, other accounts, other pseudonyms, the name of a project, etc. Key signing threatens anonymity as well by voluntarily publishing users' associations to the web of trust.

Step #4, "What to consider when signing keys," recklessly recommends to "ask them to show you their government identification, and make sure the name on the ID matches the name on the public key." Where e-mail is concerned, pseudonymity can be maintained by only verifying that the keyholder has access to the e-mail account. It would require no other information but for them to read the contents of a message you encrypt and e-mail to them in person verbally back to you in person at the same meeting. Encouraging government IDs renounces anonymity across all pseudonyms associated with a key as well as misleads users into believing that the person presenting the ID has access to the account.

Step #5 says, "Unless you don't want to reveal your own identity (which requires other protective measures)..." What other protective measures? PGP is for privacy, and privacy usually implies or necessitates anonymity. Bulk metadata collection pressures this guide to be amended. --KE8Au7s (talk) 18:07, 24 June 2016 (EDT)

Thanks I enjoyed your guide! For Step 3E, though when signing I didn't get Edward to verify with his signature,"Your signature was verified." I also found that his public key began with F, as a heads up to anyone! Fruitbat (talk) 16:27, 12 October 2020 (EDT)

  • Section 2: Why make it so complicated and not use the built in feature of thunderbird to generate a new key? Was this a conscious decision (if so, do you have nice resources about why it's not good to use it) or is the guide just too old and this functionality did not exist when it was last updated? Fanti (talk) 4 May 2023
    • You can use Thunderbird to generate PGP keys. This guide is to use GPG keys, which have many uses outside of Thunderbird, with Thunderbird. Mmcmahon (talk) 13:25, 5 May 2023 (EDT)
  • 'Start writing your public key fingerprint anywhere someone would see your email address ... We need to get our culture to the point that we feel like something is missing when we see an email address without a public key fingerprint.'
Despite this advice, there are e-mail addresses without public key fingerprints everywhere: in step 4.A (Edward), in the section at the end about contributing (FSF campaigns team), in the footer (Edward's authors), in the newsletter and mailing list sign-up sections (the user). In order to create an account to post this feedback, I also had to enter an e-mail address (without a key, of course), and received an (unencrypted and unsigned) confirmation e-mail. BrianDrake (talk) 09:42, 4 October 2023 (EDT)


Accessibility

  • full-infographic.png (gnupg-infographic.svg) provides a lot of information that is inaccessible to screen readers, unless you extract the svg from the source package and weed through it. We could write a text description of the images, and intercalate the explanations. The description could be linked from the main page. -- Tgodef 09:44, 25 July 2014 (EDT)
  • Likewise, smaller images could use more descriptive alt attributes. -- Tgodef 09:51, 25 July 2014 (EDT)
  • I find the less important text extremely difficult to read (for example "The program will take a little while to finish the next step...") Indeed, the luminosity-contrast ratio is only 2.45 (http://springmeier.org/www/contrastcalculator/index.php, text #999, background #f4eed7). In the French version, the text color is #707070 instead of #999. The contrast is better, but still not sufficient to satisfy W3C criteria. -- Tgodef 09:44, 25 July 2014 (EDT)

German and French versions

  • Encoding in Edwards reply is wrong. The source is UTF8 (Linux CR/LF).
  • There are problems with accents in the French version too.


This page was a featured resource in June 2014.