Difference between revisions of "GPG guide/Public Review"
Revision as of 11:12, 16 June 2014
Welcome, and thanks for giving feedback on Email Self-Defense
Instructions
Follow the guide at https://EmailSelfDefense.fsf.org.
Please leave your feedback as bullets in the feedback section. Make sure to include: what step your feedback refers to (unless it's more general), how experienced you are with GPG, and what operating system you are using.
For example:
- I couldn't find the "Key Management" menu item mentioned in step 3 of section 2. I'm using Windows 8 and I've used GPG a little bit before. Zakkai 18:30, 22 May 2014 (EDT)
Unless you're already a Free Software Foundation member, you'll need to make an account on this wiki to leave feedback. If you find that someone else has already said what you want to say, just add your name after theirs.
When you are done, please make a note here of your username and how far you got by typing four consecutive tildes in a bullet on a new line in the contributors section. Semantic MediaWiki will automatically insert your username.
Feedback
If you left feedback during development and don't see it here, don't worry - the FSF made good use of it and has it saved. Thank you very much, you caught a lot of things.
- I love this guide! I think it would be good if there were more graphics and more detailed explanation of the Web of Trust. Kojakr 00:08, 5 June 2014 (EDT)
  - Thank you, I'll take that into consideration. Zakkai 00:08, 5 June 2014 (EDT) (FSF campaigns manager)
- Novalis sez: I think it needs to mention fingerprint checking (and that checking key ids is insufficient) Johns 00:47, 5 June 2014 (EDT)
  - I agree with this. This guide should not refer to the Key ID at all. Dkg 12:58, 9 June 2014 (EDT)
  - I also agree. See the links in dkg's article for more. There are five keys with the key ID DEADBEEF. --Gpcf 15:08, 12 June 2014 (EDT)
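An added illustration of the point made in this thread (it is not code from the guide or from GnuPG): for OpenPGP v4 keys the long key ID is the low-order 64 bits of the 160-bit SHA-1 fingerprint and the short key ID is the low-order 32 bits (RFC 4880, section 12.2), so distinct keys routinely share a short ID and only the whole fingerprint identifies a key. The two fingerprints below are constructed for the example, not real keys.

```python
# Added example: derive OpenPGP v4 key IDs from fingerprints and show that
# only the full fingerprint identifies a key. Fingerprints are constructed.
from typing import Iterable, List

HEX_DIGITS = set("0123456789ABCDEF")


def normalize_fingerprint(fpr: str) -> str:
    """Strip the spaces GnuPG prints and upper-case; reject anything that is
    not a 40-hex-digit (160-bit) v4 fingerprint."""
    hexstr = "".join(fpr.split()).upper()
    if len(hexstr) != 40 or not set(hexstr) <= HEX_DIGITS:
        raise ValueError("expected a 40 hex digit v4 fingerprint")
    return hexstr


def long_key_id(fpr: str) -> str:
    """Low-order 64 bits of the fingerprint (RFC 4880 section 12.2)."""
    return normalize_fingerprint(fpr)[-16:]


def short_key_id(fpr: str) -> str:
    """Low-order 32 bits: the 8-digit 'Key ID' older tools display."""
    return normalize_fingerprint(fpr)[-8:]


def same_key(fpr_a: str, fpr_b: str) -> bool:
    """The check to do when verifying a key in person: compare whole fingerprints."""
    return normalize_fingerprint(fpr_a) == normalize_fingerprint(fpr_b)


def keys_matching_short_id(fingerprints: Iterable[str], key_id: str) -> List[str]:
    """Every key in a keyring that a short key ID would select. More than one
    result means the ID is ambiguous and cannot be used to pick a key."""
    key_id = key_id.upper()
    if key_id.startswith("0X"):
        key_id = key_id[2:]
    return [normalize_fingerprint(f) for f in fingerprints
            if short_key_id(f) == key_id]


# Constructed fingerprints, not real keys: they differ everywhere except the
# last 32 bits, so their short key IDs collide while the fingerprints do not.
CONSTRUCTED_KEYRING = {
    "genuine":   "1111 2222 3333 4444 5555  6666 7777 8888 DEAD BEEF",
    "lookalike": "9999 AAAA BBBB CCCC DDDD  EEEE FFFF 0000 DEAD BEEF",
}

if __name__ == "__main__":
    g, l = CONSTRUCTED_KEYRING["genuine"], CONSTRUCTED_KEYRING["lookalike"]
    print("short IDs:", short_key_id(g), short_key_id(l))
    print("long IDs: ", long_key_id(g), long_key_id(l))
    print("same key? ", same_key(g, l))
    print("keys selected by 0xDEADBEEF:",
          keys_matching_short_id(CONSTRUCTED_KEYRING.values(), "0xDEADBEEF"))
```

Running it shows both constructed keys answering to `DEADBEEF`, which is exactly why a guide should have readers compare the full fingerprint (`same_key`) rather than the ID a client lists next to a name.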
- I couldn't download the source files for the infographic, it gives a "404 Not Found" error --Tekrei 05:47, 5 June 2014 (EDT)
  - Fixed, thanks Zakkai 12:50, 5 June 2014 (EDT) (FSF campaigns manager)
- Is there a plan on translating the website for non English speakers ? -- lsix 15:48, 5 June 2014
  - The Free Software Foundation doesn't have the staff to do it in house, but we'd gladly collaborate with anyone who'd like to help. If you are interested in working on it, send an email to campaigns@fsf.org. Zakkai 13:29, 5 June 2014 (EDT) (FSF campaigns manager)
  - I have translated the guide into German. --Gpcf 08:43, 13 June 2014 (EDT)
- As I faced it, maybe add to section 2B troubleshooting: Q: "My key doesn't appear in the list", A: "click on the checkbox 'Show default keys'" --jdedev 16:26, 5 June 2014 (Paris time)
  - Added, thanks Zakkai 13:05, 5 June 2014 (EDT) (FSF campaigns manager)
- Step 3.A: "From here one," should be "From here on,". --Mtraceur 10:33, 5 June 2014 (EDT)
  - Fixed, thanks Zakkai 13:05, 5 June 2014 (EDT) (FSF campaigns manager)
- In the "be wary of invalid keys" section, "which which might have fallen into the wrong hands" should only have one "which". --Mtraceur 10:37, 5 June 2014 (EDT)
  - Fixed, thanks Zakkai 13:05, 5 June 2014 (EDT) (FSF campaigns manager)
- Step 3.A: the Adele mail address isn't indicated; the first mention of it is in section 3.B --> maybe make it very clear: "Put at least one word (whatever you want) in the subject and body of the email, address your mail to adele-en@gnupp.de then hit send" --jdedev 16:42, 5 June 2014 (Paris time)
  - Fixed, thanks Zakkai 13:05, 5 June 2014 (EDT) (FSF campaigns manager)
- The Windows and Mac OS pages don't explain how to obtain and install GnuPG itself, which is not available by default on these operating systems. Jmorahan 11:28, 5 June 2014 (EDT)
  - Yikes! That was there earlier and somehow got deleted. Fixed now, thanks Zakkai 13:05, 5 June 2014 (EDT) (FSF campaigns manager)
- The Windows page (step 6.B) points out that Mac OS (rather than Windows, as presumably intended) is a nonfree operating system. Jmorahan 11:28, 5 June 2014 (EDT)
  - Fixed, thanks Zakkai 13:05, 5 June 2014 (EDT) (FSF campaigns manager)
- You have to be logged in to edit this wiki. How will we get feedback from muggles? Sebboh 12:22, 5 June 2014 (EDT)
  - Haha, I think they can figure it out. I mentioned it in the instructions above. Zakkai 13:05, 5 June 2014 (EDT) (FSF campaigns manager)
- The Windows page needs specific instructions for specific email providers and email clients. Here's an example.. https://support.google.com/mail/troubleshooter/1668960?hl=en&ref_topic=3397500 See, first they tell the user how to enable IMAP or POP, then they offer specific setup instructions for specific mail clients. We need to do that or link to it. Can we find similar guides for Yahoo, Apple's mail thing, and Hotmail? Does anybody have an up-to-date list of the most common email providers? Sebboh 12:22, 5 June 2014 (EDT)
- When running the enigmail wizard, it wants to modify some email client preferences. The average user might not be familiar enough with these preferences to allow enigmail to modify them. Perhaps the guide could have some notes about this? Maybe buried in the troubleshooting dialog. <average_joe> What if I want to read/send HTML emails? What's this 8-bit encoding thingy? </average_joe> The specific preferences I refer to are:
  - "Disable loading IMAP parts on demand"
  - "Disable flowed text (RFC 2646)"
  - "View message body as plain text"
  - "Use 8-bit encoding for message sending"
  - "Do not compose HTML messages" Whizbo 14:09, 5 June 2014 (EDT)
- In Step 3B, the instructions say, "Click Download Missing Keys and use the default in the pop-up that asks you to choose a keyserver." But where is "Download Missing Keys" in Mac>Thunderbird? (I'm a newbie w. GPG.)
- The Enigmail plugin is very difficult for a common user. Can't we do all the key generation and all other stuff in the background? The user should only be required to provide a password for the GPG. All other things should happen in the background. The fingerprint checking and all other stuff is overrated. Of course, someone can impersonate if we don't verify a public key. But that can happen even now. The millions of emails being sent and received daily, do you think all of them are impersonations because there is no public key to be verified? No. People generally get to know if the real person is sending the mail or not. Users, when they slowly get to know the definitions and meaning of PGP, will start to verify the public key and such. As of now, our aim must be to get millions of people to start using PGP, even without them knowing anything about it. Fake emails ... we should let the users sort them out (as they do now).
  - True. If you want something that is easier to use, use SMIME. SMIME does not have the same verification of identity that PGP has. Notme 13:43, 12 June 2014 (EDT)
- I received the following feedback from a friend: "Finally :-) [But,] I kind of wish it mentioned the fact that the email even encrypted still sends some information to the surveillance empire. Like the so called 'metadata' which often is enough to interpolate extra information, at the very least, social structure." --Jgay 10:41, 6 June 2014 (EDT)
  - Yes. When using PGP you are making more metadata publicly available than when not using encryption. The most important information the "surveillance empire" wants to know is "who you are" and "who you know". For this reason, you should never answer the question about whether or not you know a key is associated with a person. Notme 19:50, 12 June 2014 (EDT)
- I have translated the infographic into German ([1]). I have also seen it translated into Spanish ([2]). I am now translating the guide into German. --Gpcf 05:27, 9 June 2014 (EDT)
- The finished version of the German translation is available. --Gpcf 08:43, 13 June 2014 (EDT)
- I need the svg file for this picture ([3]) to translate the text into German. Can you publish it?
- I got some really good feedback from non-technical people. They said that it was very easy to understand and very pretty. You have done a good job! --Gpcf 07:00, 10 June 2014 (EDT)
- the "check people's identification before signing their keys" section says 'Answer honestly in the window that pops up and asks "How carefully have you verified that the key you are about to sign actually belongs to the person(s) named above?".' This is the equivalent of gpg --ask-cert-level. But ask-cert-level is a bad idea. People should leave that choice as "I will not answer" Dkg 12:50, 9 June 2014 (EDT)
- Guide is limited in that it mentions only a few environments, clients, and encryption methods. For example: no mention there exists other clients for Windows, no mention of clients for Android, and no mention there exists other forms of encryption such as SMIME.
- The guide asks for money for "promotion", but there is no mention various encryption projects need money and are asking for donations. For example, some crowd source funding for Enigmail: https://freedomsponsors.org/core/issue/435/decrypt-messages-permanently, Thunderbird: https://freedomsponsors.org/core/issue/434/encrypted-email-messages-should-be-stored-decrypted-in-the-local-folders, and K9: https://freedomsponsors.org/core/issue/346/pgpmime-support Notme 20:19, 11 June 2014 (EDT)
- In Step 3D, which was commented out, it should say that you need the password to use your private key, not your public key. Gpcf 14:34, 12 June 2014 (EDT)
- Step 6 Next Steps/Keysigning - What happens next after signing another person's public key? Do I have to upload the signed key to a key server? Will I send back the signed key to his/her owner? I understand that the concept of "Web of Trust" is elementary, but following the manual I don't understand how to manage my personal web of trust. I really hope that I won't be the only one who doesn't understand this part. treje 11:21, 16 June 2014
  - The best idea is to send the key back to the owner in an encrypted email. That way, if the owner does not have access to the email address they won't be able to get the signed key. You manage the web of trust by setting ownertrust in a key. There are 3 levels: no trust, marginal trust, full trust and ultimate trust (This level should only be used on your own keys). A key needs to be signed by 3 marginally trusted keys or one fully or ultimately trusted key to be valid. Valid means that you can be sure that the key really belongs to its owner. You can set the level of trust by right-clicking on a key and selecting "Owner Trust" or something similar. --Gpcf 12:12, 16 June 2014 (EDT)
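An added worked model of the validity rule the reply above describes (it is not code from the guide or from GnuPG): a key becomes valid when it is signed by one fully trusted key or by three marginally trusted keys. The model uses GnuPG's documented defaults for the classic trust model, marginals-needed 3, completes-needed 1 and max-cert-depth 5, and adds the detail that matters most in practice: ownertrust only counts on a signer whose own key is already valid. The keyring, names and signatures are constructed for the example.

```python
# Added example, not code from the guide or from GnuPG: a small model of how
# the classic trust model turns ownertrust plus signatures into key validity.
# Constants are GnuPG's defaults (--marginals-needed 3, --completes-needed 1,
# --max-cert-depth 5); the rest is a deliberate simplification.
from enum import IntEnum
from typing import Dict, Set


class OwnerTrust(IntEnum):
    UNKNOWN = 0    # nothing set yet
    NONE = 1       # you do not trust this person to certify other keys
    MARGINAL = 2
    FULL = 3
    ULTIMATE = 4   # only for your own keys


MARGINALS_NEEDED = 3
COMPLETES_NEEDED = 1
MAX_CERT_DEPTH = 5


def compute_validity(ownertrust: Dict[str, OwnerTrust],
                     signatures: Dict[str, Set[str]]) -> Dict[str, bool]:
    """signatures maps a key to the set of keys that have signed it.
    A key is valid when it is ultimately trusted, or when it carries
    signatures from enough *valid* keys whose owners you trust: one full
    (or ultimate) signer, or three marginal signers. Ownertrust set on a
    key that is itself not valid counts for nothing."""
    valid = {k for k, t in ownertrust.items() if t == OwnerTrust.ULTIMATE}
    for _depth in range(MAX_CERT_DEPTH):
        newly_valid = set()
        for key, signers in signatures.items():
            if key in valid:
                continue
            usable = [s for s in signers if s in valid]
            full = sum(1 for s in usable
                       if ownertrust.get(s, OwnerTrust.UNKNOWN) >= OwnerTrust.FULL)
            marginal = sum(1 for s in usable
                           if ownertrust.get(s, OwnerTrust.UNKNOWN) == OwnerTrust.MARGINAL)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly_valid.add(key)
        if not newly_valid:
            break          # nothing changed, so no longer chain can add validity
        valid |= newly_valid
    all_keys = set(ownertrust) | set(signatures)
    return {k: k in valid for k in all_keys}


def example_validity() -> Dict[str, bool]:
    """Constructed keyring; 'me' stands for the user's own key."""
    ownertrust = {
        "me": OwnerTrust.ULTIMATE,
        "alice": OwnerTrust.FULL,
        "bob": OwnerTrust.MARGINAL,
        "carol": OwnerTrust.MARGINAL,
        "dave": OwnerTrust.MARGINAL,
        "frank": OwnerTrust.FULL,   # trust is set, but frank's key never becomes valid
    }
    signatures = {
        "alice": {"me"},                  # signed by my ultimate key -> valid
        "bob": {"alice"},                 # one full signer -> valid (chain depth 2)
        "carol": {"me"},
        "dave": {"me"},
        "eve": {"bob", "carol", "dave"},  # three marginal signers -> valid
        "frank": {"bob", "carol"},        # only two marginals -> not valid
        "grace": {"frank"},               # signer not valid, so its FULL trust is ignored
    }
    return compute_validity(ownertrust, signatures)


if __name__ == "__main__":
    for key, ok in sorted(example_validity().items()):
        print(f"{key:6} {'valid' if ok else 'NOT valid'}")
```

The `frank`/`grace` pair is the case newcomers trip over: setting a high ownertrust on a key does nothing until that key is itself valid, which is why the guide's "verify the fingerprint, then sign" step has to come before any trust setting.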
This page was a featured resource in June 2014.