GPG guide/Public Review
Welcome, and thanks for offering to try out the FSF's draft guide to email encryption.
Instructions
Follow the draft guide to using GnuPG. **Please don't edit any of the pages except this one.** It's still in development, so it may be missing bits or have parts that say "coming soon."
Please leave your feedback as bullets in the feedback section. Make sure to include: what step your feedback refers to (unless it's more general), how experienced you are with GPG, and what operating system you are using.
For example:
- I couldn't find the "Key Management" menu item mentioned in step 3 of section 2. I'm using Windows 8 and I've used GPG a little bit before. Zakkai 18:30, 22 May 2014 (EDT)
Unless you're already a Free Software Foundation member, you'll need to make an account on this wiki to leave feedback. If you find that someone else has already said what you want to say, just add your name after theirs.
When you are done, please make a note here of your username and how far you got by typing four consecutive tildes in a bullet on a new line in the contributors section. Semantic MediaWiki will automatically insert your username.
Contributors
We'd love to give you credit for your work. If you'd like to be attributed in the final version of the guide, please send an email to campaigns@fsf.org with the name you'd like to be attributed with and your username on this Wiki, so that we can verify your contribution.
- Zakkai 16:33, 22 May 2014 (EDT) did the whole guide (wrote it, in fact)
Feedback
- Please provide a more detailed explanation of the web of trust. I think it would help if there were some drawings or graphs to help teach the concept. I'm an experienced GnuPG user running Debian. Kojakr 18:20, 23 May 2014 (EDT)
- I'm concerned that the Windows workflow might not work well. I hope lots of people test this on Windows. I'm an intermediate GnuPG user running Trisquel GNU/Linux. Zakkai 18:17, 23 May 2014 (EDT)
- Is an 8-letter password current best practice for crypto key passwords?
Here are some guidelines that suggest at least 12 characters:
http://en.wikipedia.org/wiki/Password_strength#Guidelines_for_strong_passwords
Here is a guide to the amount of time it takes to break passwords of various lengths:
http://www.lockdown.co.uk/?pg=combi&s=articles
Passphrases may be slightly better than passwords:
https://www.schneier.com/blog/archives/2012/03/the_security_of_5.html
Although as I understand it entropy is the real guiding factor.
--Robmyers 20:53, 23 May 2014 (EDT)
- Please don't ask people to support Mozilla financially. They are currently attacking user freedom with their DRM infection vector for Firefox. --Robmyers 20:53, 23 May 2014 (EDT)
- The EFF provides some useful information via their Surveillance Self Defense site that may be worth referencing/including. Mgerwitz 23:33, 23 May 2014 (EDT)
- The article recommends making it "a part of your online identity"---this is fine/ideal (as it allows the creation of a web of trust), but a necessary prerequisite is knowing how to properly protect a private key. Average users will likely go for convenience, but especially on Windows systems, malware is prevalent---if the system holding the private key is compromised, then the private key should be considered compromised and should be revoked. Considering that most users will be unaware of a compromise, more emphasis should also be placed upon the password strength, including links to resources (e.g. what was posted above); otherwise, all parties involved have a false sense of security and the compromised identity can be used for impersonation. Mgerwitz 23:33, 23 May 2014 (EDT)