GPG guide/Textual Draft

From LibrePlanet
Revision as of 13:44, 21 May 2014 by Zakkai (talk | contribs)

Random Notes

  • Really think about ways to make the fact that you use GPG part of your online identity, and to make this a vector for driving people to the guide. For example, have people put their GPG key up on their blogs and social media sites, with a link (perhaps with logo, graphic, embed code, something cool) to our guide. Is there a good standard way to list this on your FB? Twitter? We can get people to do this even if they are already using GPG.
  • Audience: People who are excited about technology and involved in movements like ours, but don't already know how to use GPG. They are computer literate, though, and don't need their hands held through super basic stuff, like clicking next in a Wizard.
  • Think about licensing
  • How do we visually do the troubleshooting? The different operating systems?
  • Name ideas
    • Safe email 101
    • Encryption 101
    • Encrypt your email
    • Safe email
  • Make it clear that there are two different ways that "signing" is used.
  • For signing keys, you could say "and so, if you go on a keyserver and you see that someone has a lot of signatures on their key, you can probably trust them more, because someone has verified their identity." This segues well into an optional description of the need for the Web of Trust, starting with explaining the threat of someone making fake keys to sign their other fake key.
  • Why you shouldn't leak your private key: because then someone could both read your mail AND impersonate you
  • Does Enigmail automatically refresh keys?
  • The default is to import keys without verifying the fingerprint; "locally sign key" is not intuitive at all, and to actually verify the fingerprint you need to click yet another button.
  • Explain key loss
  • Explain the need to refresh (is this necessary when using Enigmail?)
  • Explain expiration and making new keys
  • 2048-bit key with 5 year expiration date
  • Adele's key is 0x92AB3FF7 not 0x4D486CC8.
  • Explain encryption, then signing keys, then signing messages. Most people teach messages, then keys, but this order flows more naturally?
  • Rationale for technical recommendations that we make (like key size and which keyserver to use)
  • Links to more detailed descriptions of things on other pages (like how to use keyservers)
  • RSA versus DSA
  • Saving unencrypted drafts to servers, as per Micah Lee's email to liberationtech
  • Link to dedicated keyserver for people to use, run by us, so that we can track who is getting started through our campaign.
  • Other email client security settings, like in <https://securityinabox.org/en/thunderbird_security>
  • A section on verifying incoming email, like on <http://en.flossmanuals.net/thunderbird-workbook/receive-encrypted-mail/>. Hopefully this can just be worked into the try it out section
  • Different ways of identifying keys.

Page elements

  • Infographic
  • Intro paragraph
    • Says it's great to do this with a friend, but we designed it so that it also works fine for one person.
  • Step-by-step guide
  • Next steps section

Infographic breakdown

See separate page

Guide breakdown (based loosely on <https://www.enigmail.net/documentation/quickstart.php>)

The idea is for the guide to be broken down into concise steps, with a focus on the actual steps, rather than in-depth explanations of why or how things work. The guide will have a series of sections, each with introductory text. Each section will have a series of steps, each with a number and concise but descriptive name, to make it easy to refer to different parts of it. Each step will have an FAQ-style troubleshooting section, and each entry in the troubleshooting will have a name and a body, which consists of help text. We need to think about the visual presentation of the versions for different operating systems and of the troubleshooting. One possibility is tabs for the operating system and expanding boxes that start collapsed for troubleshooting. Troubleshooting could also be in a separate section at the bottom of the page that looks like an FAQ. Keep in mind that the order and content of the steps may change a lot in development.

Global intro paragraph

The goal of this guide is to make GPG as simple as possible.

Section 1: Get the pieces

Do we want to have people check if they have them first? If so, what's the best way to do it? Alternately, do we want to check that the client is up to date?

Step: Get an Icedove-like email client if you don't already have it

  • Check if you have Icedove installed. A variant of this program, like Thunderbird or SeaMonkey, will also work. If you have one of these, skip this step.
  • If you don't have it, install it.

Step: Configure your email client for your email account if it isn't already

  • Check if you have Thunderbird configured for the email account you want to use. If you do, skip this step.
  • Configure it. We may need to link out to another tutorial to avoid covering a huge number of different questions about various mail server configurations.

Step: Get GnuPG if you don't already have it

  • Check if you have GnuPG installed. If you do, skip this step.
  • Download and install

Step: Install Enigmail

  • Check if you have Enigmail installed. If you do, skip this step.
  • In your email client, select Tools -> Add-ons, then search "Enigmail" with the search bar in the upper right. You can take it from here. Your email client may require that you restart it to finish installing.


Section 2: Make your keys

What if someone already has the email client configured and it makes the wizard more complicated, like in <https://securityinabox.org/en/thuderbird_encryption#4.2>?

Intro text

Explains the difference between signing and encryption with example cases.

Step: Make a keypair

The wizard claims to run automatically on the first install. Mention that the optimization will put your messages in plaintext? Talk about the fact that any key pair generated using the OpenPGP Setup Wizard is automatically based on a 2048-bit structure and has a lifespan of 5 years. Neither of these characteristics can be changed after the key pair has been generated using this method. Revocation cert?

  • In your email client, select OpenPGP -> Setup Wizard. You don't need to read the text in the window that pops up unless you'd like to, but it's good to read the text on the later screens of the wizard.
  • On the second screen, titled "Signing," select "No, I want to create per-recipient rules for emails that need to be signed."
  • Use the default options until you reach the screen titled "Create Key"
  • On the screen titled "Create Key," pick a strong password! Your password should be at least 8 characters and include at least one lower case and upper case letter and at least one punctuation mark. Don't forget it, or all this work will be wasted!

Troubleshooting

  • Enigmail detected an existing key on my computer
  • I can't find the OpenPGP menu

Step: Upload it to a server

I think the Wizard already does this

  • Upload it to this specific server.

Section 3: Try it out!

Now you'll try a test correspondence with a computer program named Adele, which knows how to use encryption. You'd follow the same steps if communicating with a real person.

Step: Download the test bot's key from a keyserver

  • In your email client, go to OpenPGP -> Key Management -> Keyserver -> Search for Keys
  • In the "Search for keys" field, type adele-en@gnupp.de. That's Adele's email address.
  • Check the first result (Key ID starting with 9) and hit OK.
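As an added illustration of the "different ways of identifying keys" note and of the check in this step (example code written for this draft, not part of the guide, GnuPG or Enigmail): the three identifiers every OpenPGP v4 key has, how the short and long key IDs are derived from the fingerprint, and why the key ID shown in a keyserver search result is only a hint while the full fingerprint is what should actually be compared. The fingerprint string and the RSA parameters below are constructed samples, not Adele's real key.

```python
import hashlib
import re

def normalize(identifier: str) -> str:
    """Strip whitespace and an optional 0x prefix; upper-case the hex digits."""
    ident = re.sub(r"\s+", "", identifier).upper()
    if ident.startswith("0X"):
        ident = ident[2:]
    if not re.fullmatch(r"[0-9A-F]+", ident):
        raise ValueError(f"not a hex key identifier: {identifier!r}")
    return ident

def mpi(x: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit count, then big-endian bytes."""
    bits = x.bit_length()
    return bits.to_bytes(2, "big") + x.to_bytes((bits + 7) // 8, "big")

def v4_fingerprint(n: int, e: int, created: int) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, a 2-byte length and the v4 public-key
    packet body (version 4, creation time, algorithm 1 = RSA, MPIs n and e)."""
    body = b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)
    digest = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body)
    return digest.hexdigest().upper()

def key_ids(fingerprint: str) -> dict:
    """The three identifiers of one key. The long (64-bit) and short (32-bit)
    key IDs are simply the trailing 16 and 8 hex digits of the fingerprint."""
    fpr = normalize(fingerprint)
    if len(fpr) != 40:
        raise ValueError("a v4 fingerprint is 40 hex digits")
    return {"fingerprint": fpr, "long_id": fpr[-16:], "short_id": fpr[-8:]}

def identifies(identifier: str, fingerprint: str) -> str:
    """Report which kind of identifier matched the key, or 'no-match'.
    Only a full-fingerprint match verifies the key: unrelated keys can share
    the same trailing 32 bits, so a short ID is just a search hint."""
    ident = normalize(identifier)
    ids = key_ids(fingerprint)
    for kind in ("fingerprint", "long_id", "short_id"):
        if ident == ids[kind]:
            return kind
    return "no-match"

if __name__ == "__main__":
    # Constructed fingerprint (not Adele's real key); its last 8 digits are the
    # short ID the draft quotes, so "0x92AB3FF7" matches only as a hint.
    sample = "1234 5678 9ABC DEF0 1234 5678 9ABC DEF0 92AB 3FF7"
    print(key_ids(sample), identifies("0x92AB3FF7", sample))
    print(v4_fingerprint(0xC5, 0x11, 1400000000))  # constructed toy RSA values
```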

Step: Send a test encrypted email

  • Write a new email in your mail client, addressed to adele-en@gnupp.de. The subject and body can be whatever you like, but they shouldn't be empty.
  • In the bottom right of the email composition window, click the icon of the key. This tells Enigmail to encrypt the email.

Step: Sign a key

Step: Send a test signed email

  • Send it to the bot at this address and wait for this confirmation.


Section 4: Use it well

Intro paragraph

Everyone uses this a little differently. Send signed emails in this context. Send encrypted emails in this context. Talk about the Web of Trust.

Step: Make it part of your online identity

  • Publish it in your email signature, social media profile, blog, website, and business card in these ways. Put it anywhere that you put your email address.
  • Tell your friends about it

Step: Get your key signed by people

  • Refer them to the instructions in the previous step

Step: Sign other people's keys

  • Download them or get them on a flash drive.
  • Sign them
  • Upload them

Step: Keep it up to date

  • Refresh your keys, especially after some kind of signing has happened that necessitates it
  • Keep track of expiration dates
  • How to exchange public keys

Next steps breakdown

  • Attend or host a keysigning party (is there a good way to find them?)
  • An encrypted email group where people talk about encryption: <http://groups.yahoo.com/neo/groups/PGPNET/info>
  • Try other encryption technologies: OTR, encrypting your hard drive, Tor
  • Link to surveillance collection in directory, or prism-break with free software filter, if that has been set up
  • Donate to the FSF or GnuPG, Thunderbird or Enigmail!