Difference between revisions of "GPG guide/Public Review"

From LibrePlanet
(Feedback)
(Feedback: PLEASE CHANGE VERSION OF GPG4WIN!)
(41 intermediate revisions by 18 users not shown)
 
__NOTOC__
 
=Welcome, and thanks for giving feedback on Email Self-Defense=
Welcome, and thanks for giving feedback on [https://emailselfdefense.fsf.org Email Self-Defense].
''To our friends speaking languages other than English: you may leave non-English comments below, but it may take the FSF longer to respond to them. If you are commenting in English on a specific translation, be sure to let us know which one.''
 
  
===Instructions===
'''This page is for recording and seconding suggested improvements. If you have found an error, broken link or typo, or if one of the guide's links to external documentation is no longer linking to what it seems like it should be linking to, please contact the FSF at campaigns@fsf.org so we can fix it as soon as possible.'''
Follow the guide at [https://EmailSelfDefense.fsf.org https://EmailSelfDefense.fsf.org].
 
  
Please leave your feedback as bullets in the feedback section. Make sure to include: what step your feedback refers to (unless it's more general), how experienced you are with GPG, and what operating system you are using.  
When leaving feedback on this page, make sure to include: what step your feedback refers to (unless it's more general), how experienced you are with GPG, what version of the guide you are using (see the footer), and what operating system you are using.
  
For example:
To our friends speaking languages other than English: you may leave non-English comments below, but it may take the FSF longer to respond to them. If you are commenting in English on a specific translation, be sure to let us know which one.
 
 
* I couldn't find the "Key Management" menu item mentioned in step 3 of section 2. I'm using Windows 8 and I've used GPG a little bit before. [[User:Zakkai|Zakkai]] 18:30, 22 May 2014 (EDT)
 
  
 
Unless you're already a Free Software Foundation member, you'll need to make an account on this wiki to leave feedback. If you find that someone else has already said what you want to say, just add your name after theirs.
 
  
When you are done, please, make a note here of your username and how far you got by typing four consecutive tildes in a bullet on a new line in the contributors section. Semantic MediaWiki will automatically insert your username.
Please sign your feedback by typing four consecutive tildes in a bullet on a new line in the contributors section. Semantic MediaWiki will automatically insert your username and a timestamp.
 
 
  
 
==Feedback==
 
''If you left feedback during development and don't see it here, don't worry - the FSF made good use of it and has it saved. Thank you very much, you caught a lot of things.''
* I have a dual boot desktop computer with Windows and Linux. Mozilla Thunderbird in Windows uses POP settings while the Thunderbird in Linux has IMAP settings. The email address is the same for both and Enigmail is set up in both with the same encryption keys. I send and receive messages in both. IMAP is also used in my mobile phone for the same email account. Could this setup lead to any problems? If so, could this be dealt with somewhere in the instructions?
 
 
* I love this guide! I think it would be good if there were more graphics and more detailed explanation of the Web of Trust. [[User:Kojakr|Kojakr]] 00:08, 5 June 2014 (EDT)
 
** Thank you, I'll take that into consideration. [[User:Zakkai|Zakkai]] 00:08, 5 June 2014 (EDT) (FSF campaigns manager)
 
 
 
* I think the instructions would be easier to follow if the steps were numbered and a diagram or screengrab for that step were used. A picture is worth a thousand words.
 
 
 
* While I got a reply from the Edwardbot that it had received my public key, when I then sent several encrypted messages to it, I didn't get a reply. Perhaps a troubleshooting point could be added explaining why that might happen?
 
 
 
 
 
 
* I would like to see some tips for persuading family and friends who are sceptical about the need for encryption to start using it. It is like talking to a brick wall. Maybe someone needs to write a novel or commission a film spelling out why it is essential?
 
 
 
* The Defend Our Email instructions are excellent but the whole thing is still way too complicated for any but the most determined of people. A way must be found to simplify the whole thing so that it just "works". I can think of several people I know who are either too scatter-brained (in a nice way) and/or just not tech savvy enough to handle it.
 
 
 
* Novalis sez: I think it needs to mention fingerprint checking (and that checking key ids is insufficient) [[User:Johns|Johns]] 00:47, 5 June 2014 (EDT)
 
** I agree with this.  This guide should [https://we.riseup.net/debian/openpgp-best-practices#dont-rely-on-the-keyid not refer to the Key ID at all]. [[User:Dkg|Dkg]] 12:58, 9 June 2014 (EDT)
 
** I also agree. See the links in dkg's article for more. [http://zimmerman.mayfirst.org/pks/lookup?op=vindex&search=0xDEADBEEF&fingerprint=on There are five keys with the key ID DEADBEEF]. --[[User:Gpcf|Gpcf]] 15:08, 12 June 2014 (EDT)
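The thread above makes the point that a key ID is not an identifier: the short key ID is only the low-order 32 bits of the fingerprint and the long key ID only the low-order 64, so several unrelated keys can share one. As an added example (not code from the guide, GnuPG or Enigmail), the Python below derives a v4 fingerprint, long key ID and short key ID from a public-key packet body exactly as RFC 4880 defines them, and shows a comparison helper that refuses to compare anything shorter than a full fingerprint. The RSA parameters and creation time are constructed values, not a real key.

```python
import hashlib
import hmac
import struct

# Constructed sample key material: small, made-up RSA parameters used only to
# exercise the fingerprint arithmetic. They are NOT a usable key.
SAMPLE_N = 0xC0FFEE1234567890ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
SAMPLE_E = 65537
SAMPLE_CREATED = 1401900000   # constructed creation time (seconds since the epoch)
RSA = 1                       # OpenPGP public-key algorithm id for RSA (RFC 4880 section 9.1)


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def v4_public_key_body(created: int, algo: int, params: list[int]) -> bytes:
    """Body of a version 4 public-key packet (RFC 4880 section 5.5.2)."""
    return b"\x04" + struct.pack(">I", created) + bytes([algo]) + b"".join(mpi(p) for p in params)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the 2-byte body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    return fingerprint[-16:]   # low-order 64 bits of the fingerprint


def short_key_id(fingerprint: str) -> str:
    return fingerprint[-8:]    # low-order 32 bits: what "0xDEADBEEF" refers to


def pretty(fingerprint: str) -> str:
    """Group the digits in blocks of four, the way gpg prints fingerprints."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, 40, 4))


def keys_match(expected: str, observed: str) -> bool:
    """Compare two keys by full fingerprint only; a key ID is rejected outright."""
    exp = expected.replace(" ", "").upper()
    obs = observed.replace(" ", "").upper()
    if len(exp) != 40 or len(obs) != 40:
        raise ValueError("compare full 40-digit fingerprints; a key ID is not a unique identifier")
    return hmac.compare_digest(exp, obs)


SAMPLE_FINGERPRINT = v4_fingerprint(v4_public_key_body(SAMPLE_CREATED, RSA, [SAMPLE_N, SAMPLE_E]))
# A second constructed key that differs only in creation time is a different key
# with an unrelated fingerprint.
OTHER_FINGERPRINT = v4_fingerprint(v4_public_key_body(SAMPLE_CREATED + 1, RSA, [SAMPLE_N, SAMPLE_E]))

if __name__ == "__main__":
    print("fingerprint: ", pretty(SAMPLE_FINGERPRINT))
    print("long key id:  0x" + long_key_id(SAMPLE_FINGERPRINT))
    print("short key id: 0x" + short_key_id(SAMPLE_FINGERPRINT))
```

Read out loud over the phone or compared at a keysigning, the 40-digit string from `pretty()` is what identifies the key; the two key IDs are just its tail and should only ever be used as a lookup hint, never as proof of identity.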
 
 
 
* I couldn't download the [https://emailselfdefense.fsf.org/gnupg-infographic.zip source files for the infographic], it gives a "404 Not Found" error --[[User:Tekrei|Tekrei]] 05:47, 5 June 2014 (EDT)
 
** Fixed, thanks [[User:Zakkai|Zakkai]] 12:50, 5 June 2014 (EDT) (FSF campaigns manager)
 
 
 
* Is there a plan on translating the website for non English speakers ? -- [[User:lsix|lsix]] 15:48, 5 June 2014
 
** The Free Software Foundation doesn't have the staff to do it in house, but we'd gladly collaborate with anyone who'd like to help. If you are interested in working on it, send an email to campaigns@fsf.org. [[User:Zakkai|Zakkai]] 13:29, 5 June 2014 (EDT) (FSF campaigns manager)
 
** I have [http://selbstverteidigung.gpcf.eu translated the guide into German]. --[[User:Gpcf|Gpcf]] 08:43, 13 June 2014 (EDT)
 
* As I faced it, maybe add to section 2B troubleshooting: Q: "My key doesn't appear in the list", A: "click on the checkbox 'Show default keys'" --[[User:jdedev|jdedev]] 16:26, 5 June 2014 (Paris time)
 
** Added, thanks [[User:Zakkai|Zakkai]] 13:05, 5 June 2014 (EDT) (FSF campaigns manager)
 
 
 
* Step 3.A: "From here one," should be "From here on,". --[[User:Mtraceur|Mtraceur]] 10:33, 5 June 2014 (EDT)
 
** Fixed, thanks [[User:Zakkai|Zakkai]] 13:05, 5 June 2014 (EDT) (FSF campaigns manager)
 
 
 
* In the "be wary of invalid keys" section, "which which might have fallen into the wrong hands" should only have one "which". --[[User:Mtraceur|Mtraceur]] 10:37, 5 June 2014 (EDT)
 
** Fixed, thanks [[User:Zakkai|Zakkai]] 13:05, 5 June 2014 (EDT) (FSF campaigns manager)
 
 
 
* Step 3.A: the Adele mail address isn't indicated; the first notice of it is in section 3.B --> maybe make it very clear: "Put at least one word (whatever you want) in the subject and body of the email, ''address your mail to adele-en@gnupp.de'' then hit send" --[[User:jdedev|jdedev]] 16:42, 5 June 2014 (Paris time)
 
** Fixed, thanks [[User:Zakkai|Zakkai]] 13:05, 5 June 2014 (EDT) (FSF campaigns manager)
 
 
 
* The Windows and Mac OS pages don't explain how to obtain and install GnuPG itself, which is not available by default on these operating systems. [[User:Jmorahan|Jmorahan]] 11:28, 5 June 2014 (EDT)
 
** Yikes! That was there earlier and somehow got deleted. Fixed now, thanks [[User:Zakkai|Zakkai]] 13:05, 5 June 2014 (EDT) (FSF campaigns manager)
 
 
 
* The Windows page (step 6.B) points out that Mac OS (rather than Windows, as presumably intended) is a nonfree operating system. [[User:Jmorahan|Jmorahan]] 11:28, 5 June 2014 (EDT)
 
** Fixed, thanks [[User:Zakkai|Zakkai]] 13:05, 5 June 2014 (EDT) (FSF campaigns manager)
 
 
 
* You have to be logged in to edit this wiki.  How will we get feedback from muggles? [[User:Sebboh|Sebboh]] 12:22, 5 June 2014 (EDT)
 
** Haha, I think they can figure it out. I mentioned it in the instructions above. [[User:Zakkai|Zakkai]] 13:05, 5 June 2014 (EDT) (FSF campaigns manager)
 
 
 
 
* The Windows page needs specific instructions for specific email providers and email clients.  Here's an example..  https://support.google.com/mail/troubleshooter/1668960?hl=en&ref_topic=3397500  See, first they tell the user how to enable IMAP or POP, then they offer specific setup instructions for specific mail clients.  We need to do that or link to it.  Can we find similar guides for Yahoo, Apple's mail thing, and Hotmail?  Does anybody have an up-to-date list of the most common email providers?  [[User:Sebboh|Sebboh]] 12:22, 5 June 2014 (EDT)
 
 
* When running the enigmail wizard, it wants to modify some email client preferences.  The average user might not be familiar enough with these preferences to allow enigmail to modify them.  Perhaps the guide could have some notes about this?  Maybe buried in the troubleshooting dialog.  <average_joe> What if I want to read/send HTML emails?  What's this 8-bit encoding thingy? </average_joe> The specific preferences I refer to are:
 
**"Disable loading IMAP parts on demand"
 
**"Disable flowed text (RFC 2646)"
 
**"View message body as plain text"
 
**"Use 8-bit encoding for message sending"
 
**"Do not compose HTML messages" [[User:Whizbo|Whizbo]] 14:09, 5 June 2014 (EDT)
 
 
**In Step 3B, the instructions say, "Click Download Missing Keys and use the default in the pop-up that asks you to choose a keyserver." But where is "Download Missing Keys" in Mac>Thunderbird? (I'm a newbie w. GPG.)
 
 
* The Enigmail plugin is very difficult for a common user. Can't we do all the key generation and all other stuff in the background? The user should only be required to provide a password for GPG. All other things should happen in the background. The fingerprint checking and all other stuff is overrated. Of course, someone can impersonate if we don't verify a public key. But that can happen even now. Of the millions of emails being sent and received daily, do you think all of them are impersonations because there is no public key to be verified? No. People generally get to know if the real person is sending the mail or not. Users, when they slowly get to know the definitions and meaning of PGP, will start to verify the public key and such. As of now, our aim must be to get millions of people to start using PGP, even without their knowing anything about it. Fake emails... we should let the users sort them out (as they do now).
 
** True.  If you want something that is easier to use, use SMIME.  SMIME does not have the same verification of identity that PGP has.  [[User:Notme|Notme]] 13:43, 12 June 2014 (EDT)
 
 
 
* I received the following feedback from a friend: "Finally :-) [But,] I kind of wish it mentioned the fact that the email even encrypted still sends some information to the surveillance empire. Like the so called 'metadata' which often is enough to interpolate extra information, at the very least, social structure." --[[User:Jgay|Jgay]] 10:41, 6 June 2014 (EDT)
 
** Yes. When using PGP you are making more Metadata publicly available than when not using encryption.  The most important information the "surveillance empire" wants to know is "who you are" and "who you know".  For this reason, you should never answer the question about whether or not you know a key is associated with a person.  [[User:Notme|Notme]] 19:50, 12 June 2014 (EDT)
 
** I agree with [[User:Jgay|Jgay]], the warning in STEP 3.B should be red, caps-lock and blinking, and there should also be a warning that the Bcc can be seen. And maybe, in the 6 NEXT STEPS, highlight that prism-break.org presents tools that will make subject, sender and receivers anonymous, like Bitmessage or TorChat (e.g. see [https://bitmessage.org/wiki/FAQ#How_does_Bitmessage_compare_to_other_messaging_methods the Bitmessage wiki]).
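The replies above warn that encryption leaves metadata in the clear and that Bcc recipients can be seen. The reason for the latter is structural: an OpenPGP message starts with one public-key encrypted session key (PKESK) packet per recipient, and each one names the recipient's key ID in plaintext, so anyone holding the ciphertext can list everyone it was encrypted to, Bcc or not. As an added example (not code from the guide or from GnuPG), the Python below parses OpenPGP packet headers over a constructed message and lists the recipient key IDs, which is the same information `gpg --list-packets` prints. The key IDs and the "ciphertext" are made-up bytes; the all-zero key ID models what gpg's `--throw-keyids` / `--hidden-recipient` options write in place of the real one.

```python
import struct

# Constructed sample values: these are not real key IDs and there is no real ciphertext.
RECIPIENT_A = bytes.fromhex("0123456789ABCDEF")
RECIPIENT_B = bytes.fromhex("FEDCBA9876543210")
HIDDEN = bytes(8)            # gpg --throw-keyids writes a zero key ID to hide the recipient
PKESK, SEIPD = 1, 18         # packet tags: encrypted session key, encrypted data


def pkesk_packet(key_id: bytes, mpi: bytes = b"\x00\x10\xAB\xCD") -> bytes:
    """Old-format PKESK: version 3, 8-byte key ID, algorithm (1 = RSA), one constructed MPI."""
    body = b"\x03" + key_id + b"\x01" + mpi
    return bytes([0x80 | (PKESK << 2), len(body)]) + body   # old-format CTB, 1-byte length


def new_format_packet(tag: int, body: bytes) -> bytes:
    """New-format header (needed for tags > 15) with RFC 4880 one-, two- or five-octet lengths."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        n -= 192
        length = bytes([(n >> 8) + 192, n & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | tag]) + length + body


# Three recipients (one hidden) followed by a dummy encrypted-data packet.
SAMPLE_MESSAGE = (pkesk_packet(RECIPIENT_A) + pkesk_packet(RECIPIENT_B)
                  + pkesk_packet(HIDDEN) + new_format_packet(SEIPD, b"\x01" + bytes(20)))


def parse_packets(data: bytes) -> list:
    """Walk the packet sequence and return (tag, body) pairs; partial-body lengths are not handled."""
    packets, i = [], 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                                   # new format
            tag, o1 = ctb & 0x3F, data[i + 1]
            if o1 < 192:
                length, hdr = o1, 2
            elif o1 < 224:
                length, hdr = ((o1 - 192) << 8) + data[i + 2] + 192, 3
            elif o1 == 255:
                length, hdr = struct.unpack(">I", data[i + 2:i + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported in this example")
        else:                                            # old format
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 0:
                length, hdr = data[i + 1], 2
            elif ltype == 1:
                length, hdr = struct.unpack(">H", data[i + 1:i + 3])[0], 3
            elif ltype == 2:
                length, hdr = struct.unpack(">I", data[i + 1:i + 5])[0], 5
            else:
                raise ValueError("indeterminate length not supported in this example")
        body = data[i + hdr:i + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        packets.append((tag, body))
        i += hdr + length
    return packets


def recipient_key_ids(data: bytes) -> list:
    """Every key ID the message was encrypted to, in the clear, before any decryption happens."""
    ids = []
    for tag, body in parse_packets(data):
        if tag == PKESK:
            if body[0] != 3:
                raise ValueError("unsupported PKESK version")
            key_id = body[1:9]
            ids.append("hidden" if key_id == HIDDEN else key_id.hex().upper())
    return ids


if __name__ == "__main__":
    print("encrypted to:", recipient_key_ids(SAMPLE_MESSAGE))
```

Subject, From, To and Date travel outside the OpenPGP body entirely, so they are visible regardless; the PKESK list is the part people tend not to expect, since it exposes recipients the mail headers deliberately omit.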
 
 
* I have translated the infographic into German ([http://de.gpcf.eu/selbstverteidigung]). I have also seen it translated into Spanish ([http://victorhckinthefreeworld.wordpress.com/2014/06/06/defiende-la-privacidad-en-tu-correo-electronico-usa-gnupg/]). I am now translating the guide into German.
 
--[[User:Gpcf|Gpcf]] 05:27, 9 June 2014 (EDT)
 
** The finished version of the [http://selbstverteidigung.gpcf.eu German translation] is available. --[[User:Gpcf|Gpcf]] 08:43, 13 June 2014 (EDT)
 
** I need the svg file for this picture ([https://static.fsf.org/nosvn/enc-dev0/img/infographic-button.png]) to translate the text into German. Can you publish it?
 
** I got some really good feedback from non-technical people. They said that it was very easy to understand and very pretty. You have done a good job!
 
--[[User:Gpcf|Gpcf]] 07:00, 10 June 2014 (EDT)
 
 
 
* the [https://emailselfdefense.fsf.org/#step-sign_real_keys "check people's identification before signing their keys" section] says 'Answer honestly in the window that pops up and asks "How carefully have you verified that the key you are about to sign actually belongs to the person(s) named above?".'  This is the equivalent of gpg --ask-cert-level.  But [https://www.debian-administration.org/users/dkg/weblog/98 ask-cert-level is a bad idea].  People should leave that choice as "I will not answer" [[User:Dkg|Dkg]] 12:50, 9 June 2014 (EDT)
 
 
 
** Guide is limited in that it mentions only a few environments, clients, and encryption methods.  For example: no mention there exists other clients for Windows, no mention of clients for Android, and no mention there exists other forms of encryption such as SMIME.
 
 
 
** The guide asks for money for "promotion", but there is no mention various encryption projects need money and are asking for donations.  For example, some crowd source funding for Enigmail:  https://freedomsponsors.org/core/issue/435/decrypt-messages-permanently, Thunderbird:  https://freedomsponsors.org/core/issue/434/encrypted-email-messages-should-be-stored-decrypted-in-the-local-folders, and K9: https://freedomsponsors.org/core/issue/346/pgpmime-support [[User:Notme|Notme]] 20:19, 11 June 2014 (EDT)
 
 
* In the Step 3D, which was commented out, it should say that you need the password to use your private key, not your public key.
 
[[User:Gpcf|Gpcf]] 14:34, 12 June 2014 (EDT)
 
 
 
* Step 6 Next Steps/Keysigning - What happens next after signing another person's public key? Do I have to upload the signed key to a key server? Will I send back the signed key to its owner? I understand that the concept of "Web of Trust" is elementary but following the manual I don't understand how to manage my personal web of trust. I really hope that I won't be the only one who doesn't understand this part. [[User:treje|treje]] 11:21, 16 June 2014
 
 
** The best idea is to send the key back to the owner in an encrypted email. That way, if the owner does not have access to the email address they won't be able to get the signed key. You manage the web of trust by setting ''ownertrust'' in a key. There are 3 levels: no trust, marginal trust, full trust and ultimate trust (This level should only be used on your own keys). A key needs to be signed by 3 marginally trusted keys or one fully or ultimately trusted key to be valid. Valid means that you can be sure that the key really belongs to its owner. You can set the level of trust by right-clicking on a key and selecting "Owner Trust" or something similar. --[[User:Gpcf|Gpcf]] 12:12, 16 June 2014 (EDT)
 
 
** Thank you for the reply, Gpcf. As far as I understand it your way of processing signed keys adds a further tier of security to the process. Additionally I found a paragraph in the gpg manual which is also an answer to my issue ("Distributing Keys"). And I also realized that step 4.A on emailselfdefense answers my question, too. I obviously overlooked that step on my first attempt. Both sources suggest to upload the signed key to a public key server. The process of uploading signed keys raises other questions in my opinion. Newbie questions perhaps. Do the public key server sync their stored keys? Could be good to know to retrieve keys of new recipients. --[[User:treje|treje]] 17:55, 17 June 2014 (CEST)
 
 
** Yes, all keyservers except keyserver.pgp.com (which is rarely used) synchronize. It may take a few minutes until the changes have spread over all keyservers. --[[User:Gpcf|Gpcf]] 13:00, 17 June 2014 (EDT)
 
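Gpcf's reply in this thread describes ownertrust levels and the rule that a key becomes valid when it is signed by three marginally trusted keys or by one fully (or ultimately) trusted key. Those are GnuPG's defaults for its classic trust model (`--marginals-needed 3`, `--completes-needed 1`, `--max-cert-depth 5`). As an added example, not code from the guide or from GnuPG, the Python below models that computation over a constructed keyring in which names stand in for fingerprints, so one can see why a key signed by a single marginally trusted friend stays only marginally valid, and why a signature from a key whose owner you marked "never trust" counts for nothing. GnuPG's real trust database also handles revocation, expiry and trust signatures, which are left out here.

```python
from enum import IntEnum


class OwnerTrust(IntEnum):
    """How far you trust a key's owner to certify other people's keys (Enigmail's "Owner Trust")."""
    UNKNOWN = 0
    NEVER = 1       # "no trust"
    MARGINAL = 2
    FULL = 3
    ULTIMATE = 4    # your own keys only


# GnuPG's defaults for the classic trust model.
MARGINALS_NEEDED = 3
COMPLETES_NEEDED = 1
MAX_CERT_DEPTH = 5

RANK = {"unknown": 0, "marginal": 1, "full": 2}   # validity levels, low to high


def compute_validity(ownertrust: dict, certifications: dict) -> dict:
    """Return the validity ('unknown', 'marginal' or 'full') of every key.

    ownertrust:     key -> OwnerTrust you assigned to that key's owner
    certifications: key -> set of keys whose owners signed it
    Validity answers "does this key really belong to the named owner?"; only keys
    that are themselves fully valid can lend their owner's trust to other keys.
    """
    keys = set(ownertrust) | set(certifications) | {s for sigs in certifications.values() for s in sigs}
    validity = {k: "unknown" for k in keys}
    for k, t in ownertrust.items():
        if t == OwnerTrust.ULTIMATE:
            validity[k] = "full"        # depth 0: your own keys are valid by definition

    for _depth in range(MAX_CERT_DEPTH):
        before = dict(validity)         # one pass per certification depth
        for key, signers in certifications.items():
            completes = marginals = 0
            for signer in signers:
                if signer == key or before.get(signer) != "full":
                    continue            # self-signatures and not-yet-valid signers count for nothing
                t = ownertrust.get(signer, OwnerTrust.UNKNOWN)
                if t in (OwnerTrust.FULL, OwnerTrust.ULTIMATE):
                    completes += 1
                elif t == OwnerTrust.MARGINAL:
                    marginals += 1      # NEVER and UNKNOWN add nothing
            if completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                new = "full"
            elif completes or marginals:
                new = "marginal"
            else:
                new = "unknown"
            if RANK[new] > RANK[validity[key]]:
                validity[key] = new     # validity only ever goes up
        if validity == before:
            break                       # fixed point reached before the depth limit
    return validity


# Constructed keyring (names stand in for fingerprints); not real keys.
SAMPLE_OWNERTRUST = {
    "alice": OwnerTrust.ULTIMATE,   # you
    "bob": OwnerTrust.FULL,
    "carol": OwnerTrust.MARGINAL,
    "dave": OwnerTrust.MARGINAL,
    "erin": OwnerTrust.MARGINAL,
    "mallory": OwnerTrust.NEVER,
}
SAMPLE_CERTIFICATIONS = {
    "bob": {"alice"},
    "carol": {"alice"},
    "dave": {"alice"},
    "erin": {"alice"},
    "mallory": {"alice"},                 # identity verified, but not trusted to vouch for others
    "frank": {"bob"},                     # one fully trusted introducer is enough
    "grace": {"carol", "dave", "erin"},   # three marginal introducers are enough
    "henry": {"carol"},                   # only one marginal introducer: marginal validity
    "peggy": {"mallory"},                 # signed only by a key whose owner you never trust
    "ivan": {"henry"},                    # signed only by a merely marginally valid key
}

SAMPLE_VALIDITY = compute_validity(SAMPLE_OWNERTRUST, SAMPLE_CERTIFICATIONS)

if __name__ == "__main__":
    for name, level in sorted(SAMPLE_VALIDITY.items()):
        print(f"{name:8} {level}")
```

The split between validity and ownertrust is the part newcomers trip over: signing a key states that the key belongs to its owner, while the ownertrust you set locally states whether you accept that owner's signatures on other keys. Only the second is your private decision and it is never exported.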
 
* The guide (including 4 replies from Adele) and infographics are now translated into French, by [http://framasoft.net Framasoft]'s and [http://april.org April]'s translation teams. The translation is not uploaded anywhere yet. We used the PO system to regenerate the page, including translated footer, etc. The POT (PO-template) could be used for any other translation.  We hope ours can be hosted on emailselfdefense.fsf.org. Who is the contact person for that?
 
** You should contact campaigns@fsf.org. I have done that for my German translation. --[[User:Gpcf|Gpcf]] 09:38, 17 June 2014 (EDT)
 
 
 
* On Step 6 of the Windows version of the guide, under "Switch to GNU/Linux for maximum safety", it speaks to a Mac OS audience like it does for the Mac version of the guide. I checked to see if it was only about Mac for all versions of the guide, and the Linux version is not the same since it doesn't even have a section for "Switch to GNU/Linux for maximum safety". I think the guide should be changed to mention how Windows is a nonfree operating system instead of Mac OS when viewing the Windows version of the guide. Credentials: I use Windows because my college uses Windows software, but I've had years of user experience with various Linux distributions. This guide is my very first introduction to using GPG for email purposes, but I've used it to check the integrity of packaged software before. --[[User:Flaurs|Flaurs]] 16:21, 18 June 2014 (EDT)
 
 
* I think there should be a section explaining why the guide says signing the email is optional as it declares in the grey text section of 3.B ("Next to the key, you'll notice an icon of a pencil. Clicking this tells Enigmail to add a special, uniqe signature to your message, generated using your private key. This is a separate feature from encryption, and '''you don't have to use it for this guide'''." Unique is misspelled as uniqe in the guide. I'm not trying to offend anyone, but I noticed it underlined red when I copied it into here.), and why the guide says to not automatically sign outgoing mail in the email wizard from section 2.A ('On the second screen, titled "Signing," select "No, I want to create per-recipient rules for emails that need to be signed."') which is equivalent to manually pressing the pencil button when composing an email. I think the reason why is because the guide says "add your key ID to your email signature" in section 5 under subsection "Make your public key part of your online identity". If the reason why opting out of automatically signing each email or manually signing them by pressing the pencil button during composition is because the users of the guide are supposed to add a key id to their email signatures, so that the recipient of the user's emails can start the encryption process in the same step but in an easier way by opting for searching keyservers for the key id in email signatures rather than importing the signatures manually from the body of the email, then it should be explained as such early on at step 3.B, not waiting until step 5 subsection "Make your public key part of your online identity". Credentials: I use Windows because my college uses Windows software, but I've had years of user experience with various Linux distributions. This guide is my very first introduction to using GPG for email purposes, but I've used it to check the integrity of packaged software before. 
--[[User:Flaurs|Flaurs]] 22:36, 22 June 2014 (EDT)
 
 
* The grey text portion of Section 3.B ("Next to the key, you'll notice an icon of a pencil. Clicking this tells Enigmail to add a special, uniqe signature to your message, generated using your private key. This is a separate feature from encryption, and '''you don't have to use it for this guide'''.") makes it seem like it is unnecessary to sign an email with the pencil button to send an encrypted email to Adele, so when Adele responds that there was no key signature present, users might think they failed to learn GPG from the guide. Adele cannot use key ids, only whole signatures with either pressing the pencil button during email composition or automatic key signing during the email wizard, so the guide should warn that users should not expect to successfully encrypt emails to it; unless, one of these conditions is met. Credentials: I use Windows because my college uses Windows software, but I've had years of user experience with various Linux distributions. This guide is my very first introduction to using GPG for email purposes, but I've used it to check the integrity of packaged software before. --[[User:Flaurs|Flaurs]] 23:12, 22 June 2014 (EDT)
 
 
* In the new version on http://enc-dev0.fsf.org/en/, I see that "numbers" has been replaced by "numbers and letters" (section 2). That's a good thing, but in section 3, the fingerprint and ID are defined as "strings digits". Why not use "numbers and letters" too? In fact, it may be more appropriate to say "digits" instead of "numbers" (not being a mathematician, I don't really know).
 
 
 
* In mac.html, Windows is given as an example of proprietary software. Why not say "Mac OS and Windows" in all 3 guides?
 
* The styles of the "join" and "donate" buttons are not quite the same. This departs from the elegant style of the page. Besides, the buttons are difficult to localize because the background of the svg is a bitmap (i.e. the circle with the FSF logo can't move). FWIW, I redrew the background in Inkscape; the only bitmap element is "FSF" (from the FSF logo). The result is here: https://static.fsf.org/nosvn/enc-dev0/svg/fr/
* As for the guide itself, I think it is a pity that you don't give us detailed information on how to use '''GNUPG ''and'' Claws-Mail''' (not simply GNUPG ''in'' Claws Mail). Apparently, Enigmail (Thunderbird Add-on) is far from perfect, and doesn't follow the PGP standard, and may be misleading as it offers too many and useless options.
* Would be good to include a configuration for also encrypting the email for yourself, so that you can read it.
* Section 1.a) How about a link to https://www.mozilla.org/thunderbird/ or a text like "Open whatever program you usually use for installing software, and search for Thunderbird, then install it." for people who haven't installed Thunderbird/Icedove. --[[User:Rr|raff]] 08:56, 13 July 2014 (EDT) (feedback via mail)
** '''+1''' --[[User:Ignoble|Ignoble]] ([[User talk:Ignoble|talk]]) 04:39, 29 December 2015 (EST)
* Enigmail-Plugin for Windows (v1.6) has a bug concerning the OpenPGP-Assistant: at one step, the Assistant wants to change the defaults - but apparently nothing happens. This happens when Enigmail has not found the correct Binary for gpg - in my case, it tried "gpgv2.exe" instead of "gpg2.exe". Please mention this in the explanations. I'll also append my explanation to the bug report on sourceforge regarding Enigmail. --[[User:Rince|Rince]] 15:33, 13 July 2014 (MEST)
* Someone contacted the FSF and said it would be good to put in a recommendation of how often to remake one's keys [[User:Zakkai|Zakkai]] 16:32, 7 August 2014 (EDT)
* In the 'when should I encrypt' section I was worried how it will go for people that don't use PGP (I first thought that because encrypting is the default I'd have to know myself which of my friends use it and enable/disable it manually, OR that they would receive encrypted messages with no clue and could just delete them). It would be good to add a sentence saying that Enigmail will check if the person has a key and then will let you decide. Maybe add a good-practice sentence too about sending your public key + signing in that case. --[[User:NicolasWeb|NicolasWeb]] 17:04, 8 October 2015 (EDT)
* Step 1b for Windows links to an outdated version of GPG4Win. --[[User:Ignoble|Ignoble]] ([[User talk:Ignoble|talk]]) 03:44, 29 December 2015 (EST)
** It still links to an - now even more - outdated version. --[[User:Ignoble|Ignoble]] ([[User talk:Ignoble|talk]]) 16:08, 19 October 2016 (EDT)
* Step 3a for all OSs says the encryption symbol is in the bottom right of the composition window. For the current version of Enigmail this is in the top toolbar. --[[User:Ignoble|Ignoble]] ([[User talk:Ignoble|talk]]) 04:01, 29 December 2015 (EST)
** Same problem in Step 3b. --[[User:Ignoble|Ignoble]] ([[User talk:Ignoble|talk]]) 04:07, 29 December 2015 (EST)
* Surveillance of metadata raises a concern to dissociate keys and their fingerprints from any identity, online or offline, other than the singular e-mail address or other intention for which the key is created. The guide skips over pros and cons of generating a key with your name, with your e-mail address, only one of the two, or false information. Users of e-mail would maintain their pseudonymity by entering only their e-mail address and not their name when creating a key. Users intending to sign software may benefit from entering different information that associates or does not associate the key to their identity, other accounts, other pseudonyms, the name of a project, etc. Key signing threatens anonymity as well by voluntarily publishing users' associations to the web of trust. Step #4, "What to consider when signing keys," recklessly recommends to "ask them to show you their government identification, and make sure the name on the ID matches the name on the public key." Where e-mail is concerned, pseudonymity can be maintained by only verifying that the keyholder has access to the e-mail account. It would require no other information but for them to read the contents of a message you encrypt and e-mail to them in person verbally back to you in person at the same meeting. Encouraging government IDs renounces anonymity across all pseudonyms associated with a key as well as misleads users into believing that the person presenting the ID has access to the account. Step #5 says, "Unless you don't want to reveal your own identity (which requires other protective measures)..." What other protective measures? PGP is for privacy, and privacy usually implies or necessitates anonymity. Bulk metadata collection pressures this guide to be amended. --[[User:KE8Au7s|KE8Au7s]] ([[User talk:KE8Au7s|talk]]) 18:07, 24 June 2016 (EDT)
  
* In mac.html and windows.html, the alt of the 3 screenshots of Enigmail installation are labeled "Step 1.B: Tools -> Add-ons", "Step 1.B: Search Add-ons" and "Step 1.B: Install Add-ons", but in fact they belong to Step 1.C.
+
=== Accessibility ===
** fixed --[[User:Rr|raff]] 17:51, 26 June 2014 (EDT)
 
 
 
* At the beginning of Section 4, there is a reference to "Step 3" (download Adele's public key from the server). It would be more logical to refer to either "Section 3" or "Step 3.b".
 
  
* In next_steps.html, the link to #section4 doesn't work. It should be index.html#section4.
+
* full-infographic.png (gnupg-infographic.svg) provides a lot of information that is inaccessible to screen readers, unless you extract the svg from the source package and weed through it. We could write a text description of the images, and intercalate the explanations. The description could be linked from the main page. -- [[User:Tgodef|Tgodef]] 09:44, 25 July 2014 (EDT)
** fixed --[[User:Rr|raff]] 17:57, 26 June 2014 (EDT)
+
* Likewise, smaller images could use more descriptive alt attributes. -- [[User:Tgodef|Tgodef]] 09:51, 25 July 2014 (EDT)
 +
* I find the less important text extremely difficult to read (for example "The program will take a little while to finish the next step...") Indeed, the luminosity-contrast ratio is only 2.45 (http://springmeier.org/www/contrastcalculator/index.php, text #999, background #f4eed7). In the French version, the text color is #707070 instead of #999. The contrast is better, but still not sufficient to satisfy W3C criteria. -- [[User:Tgodef|Tgodef]] 09:44, 25 July 2014 (EDT)
  
* A typo in Section 1: If you _are_ already have one of these...
+
=== German and French versions ===
** fixed --[[User:Rr|raff]] 18:03, 26 June 2014 (EDT)
 
  
* I find the less important text extremely difficult to read (for example "The program will take a little while to finish the next step...") Indeed, the luminosity-contrast ratio is only 2.45 (http://springmeier.org/www/contrastcalculator/index.php, text #999, background #f4eed7). A decent contrast would be 7, according to the W3C guidelines. To get this number, you need #505050 for the unimportant text. This leaves a contrast difference of 2 with the important text (#222), which is sufficient to tell them apart.
+
* Encoding in Edwards reply is wrong. The source is UTF8 (Linux CR/LF).
 +
* There are problems with accents in the French version too.
  
*  In Step 3b, the second paragraph reads: "Click the icon of the key in the bottom right of the composition window (it should turn yellow). This tells Enigmail to encrypt the email with the key you downloaded in the last step." But at this point, Adele's public key hasn't been downloaded yet. The last part of the sentence whould be deleted -> "... This tells Enigmail to encrypt the email."
 
  
* The styles of the "join" and "donate" buttons are not quite the same. This departs from the elegant style of the page. Besides, the buttons are difficult to localize because the background of the svg is a bitmap (i.e. the circle with the FSF logo can't move). FWIW, I redrew the background in Inkscape; the only bitmap element is "FSF" (from the FSF logo). The result is here: https://static.fsf.org/nosvn/enc-dev0/svg/fr/
 
 
 
 
{{featured resource|month=June|year=2014}}
 
{{featured resource|month=June|year=2014}}

Revision as of 16:08, 19 October 2016


Unless you're already a Free Software Foundation member, you'll need to make an account on this wiki to leave feedback. If you find that someone else has already said what you want to say, just add your name after theirs.

Please sign your feedback by typing four consecutive tildes in a bullet on a new line in the feedback section. MediaWiki will automatically insert your username and a timestamp.

Feedback

  • I have a dual-boot desktop computer with Windows and Linux. Mozilla Thunderbird in Windows uses POP settings while the Thunderbird in Linux has IMAP settings. The email address is the same for both and Enigmail is set up in both with the same encryption keys. I send and receive messages in both. IMAP is also used on my mobile phone for the same email account. Could this setup lead to any problems? If so, could this be dealt with somewhere in the instructions?
  • The Windows page needs specific instructions for specific email providers and email clients. Here's an example: https://support.google.com/mail/troubleshooter/1668960?hl=en&ref_topic=3397500 See, first they tell the user how to enable IMAP or POP, then they offer specific setup instructions for specific mail clients. We need to do that or link to it. Can we find similar guides for Yahoo, Apple's mail thing, and Hotmail? Does anybody have an up-to-date list of the most common email providers? Sebboh 12:22, 5 June 2014 (EDT)
  • the "check people's identification before signing their keys" section says 'Answer honestly in the window that pops up and asks "How carefully have you verified that the key you are about to sign actually belongs to the person(s) named above?".' This is the equivalent of gpg --ask-cert-level. But ask-cert-level is a bad idea. People should leave that choice as "I will not answer" Dkg 12:50, 9 June 2014 (EDT)
  • Step 6 Next Steps/Keysigning - What happens next after signing another person's public key? Do I have to upload the signed key to a key server? Will I send back the signed key to his/her owner? I understand that the concept of "Web of Trust" is elementary but following the manual I don't understand how to manage my personal web of trust. I really hope that I won't be the only one who doesn't understand this part. treje 11:21, 16 June 2014
    • The best idea is to send the key back to the owner in an encrypted email. That way, if the owner does not have access to the email address they won't be able to get the signed key. You manage the web of trust by setting ownertrust in a key. There are 3 levels: no trust, marginal trust, full trust and ultimate trust (This level should only be used on your own keys). A key needs to be signed by 3 marginally trusted keys or one fully or ultimately trusted key to be valid. Valid means that you can be sure that the key really belongs to its owner. You can set the level of trust by right-clicking on a key and selecting "Owner Trust" or something similar. --Gpcf 12:12, 16 June 2014 (EDT)
    • Thank you for the reply, Gpcf. As far as I understand it your way of processing signed keys adds a further tier of security to the process. Additionally I found a paragraph in the gpg manual which is also an answer to my issue ("Distributing Keys"). And I also realized that step 4.A on emailselfdefense answers my question, too. I obviously overlooked that step on my first attempt. Both sources suggest to upload the signed key to a public key server. The process of uploading signed keys raises other questions in my opinion. Newbie questions perhaps. Do the public key server sync their stored keys? Could be good to know to retrieve keys of new recipients. --treje 17:55, 17 June 2014 (CEST)
    • Yes, all keyservers except keyserver.pgp.com (which is rarely used) synchronize. It may take a few minutes until the changes have spread over all keyservers. --Gpcf 13:00, 17 June 2014 (EDT)
  • On Step 6 of the Windows version of the guide, under "Switch to GNU/Linux for maximum safety", it speaks to a Mac OS audience like it does for the Mac version of the guide. I checked to see if it was only about Mac for all versions of the guide, and the Linux version is not the same since it doesn't even have a section for "Switch to GNU/Linux for maximum safety". I think the guide should be changed to mention how Windows is a nonfree operating system instead of Mac OS when viewing the Windows version of the guide. Credentials: I use Windows because my college uses Windows software, but I've had years of user experience with various Linux distributions. This guide is my very first introduction to using GPG for email purposes, but I've used it to check the integrity of packaged software before. --Flaurs 16:21, 18 June 2014 (EDT)
  • In mac.html, Windows is given as an example of proprietary software. Why not say "Mac OS and Windows" in all 3 guides?
  • The styles of the "join" and "donate" buttons are not quite the same. This departs from the elegant style of the page. Besides, the buttons are difficult to localize because the background of the svg is a bitmap (i.e. the circle with the FSF logo can't move). FWIW, I redrew the background in Inkscape; the only bitmap element is "FSF" (from the FSF logo). The result is here: https://static.fsf.org/nosvn/enc-dev0/svg/fr/
  • As for the guide itself, I think it is a pity that you don't give us detailed information on how to use GNUPG and Claws-Mail (not simply GNUPG in Claws Mail). Apparently, Enigmail (Thunderbird Add-on) is far from perfect, and doesn't follow the PGP standard, and may be misleading as it offers too many and useless options.
  • Would be good to include a configuration for also encrypting the email for yourself, so that you can read it.
  • Section 1.a) How about a link to https://www.mozilla.org/thunderbird/ or a text like "Open whatever program you usually use for installing software, and search for Thunderbird, then install it." for people who haven't installed Thunderbird/Icedove. --raff 08:56, 13 July 2014 (EDT) (feedback via mail)
  • Enigmail-Plugin for Windows (v1.6) has a bug concerning the OpenPGP-Assistant: at one step, the Assistant wants to change the defaults - but apparently nothing happens. This happens when Enigmail has not found the correct Binary for gpg - in my case, it tried "gpgv2.exe" instead of "gpg2.exe". Please mention this in the explanations. I'll also append my explanation to the bug report on sourceforge regarding Enigmail. --Rince 15:33, 13 July 2014 (MEST)
  • Someone contacted the FSF and said it would be good to put in a recommendation of how often to remake one's keys Zakkai 16:32, 7 August 2014 (EDT)
  • In the 'when should I encrypt' I was worried how it will go for people that don't use PGP (I first thought that because encrypting is the default I'll have to know myself which of my friends use it + enable/disable manually, OR that they will receive encrypted messages with no clues and could just delete them). It would be good to add a sentence saying that Enigmail will check if the person has a key and then will let you decide. Maybe adding a good practice sentence too about sending your public key + signing in that case. --NicolasWeb 17:04, 8 October 2015 (EDT)
  • Step 1b for Windows links to an outdated version of GPG4Win. --Ignoble (talk) 03:44, 29 December 2015 (EST)
    • It still links to an - now even more - outdated version. --Ignoble (talk) 16:08, 19 October 2016 (EDT)
  • Step 3a for all OSs says the encryption symbol is in the bottom right of the composition window. For the current version of Enigmail this is in the top toolbar. --Ignoble (talk) 04:01, 29 December 2015 (EST)
    • Same problem in Step 3b. --Ignoble (talk) 04:07, 29 December 2015 (EST)
  • Surveillance of metadata raises a concern to dissociate keys and their fingerprints from any identity, online or offline, other than the singular e-mail address or other intention for which the key is created. The guide skips over pros and cons of generating a key with your name, with your e-mail address, only one of the two, or false information. Users of e-mail would maintain their pseudonymity by entering only their e-mail address and not their name when creating a key. Users intending to sign software may benefit from entering different information that associates or does not associate the key to their identity, other accounts, other pseudonyms, the name of a project, etc. Key signing threatens anonymity as well by voluntarily publishing users' associations to the web of trust. Step #4, "What to consider when signing keys," recklessly recommends to "ask them to show you their government identification, and make sure the name on the ID matches the name on the public key." Where e-mail is concerned, pseudonymity can be maintained by only verifying that the keyholder has access to the e-mail account. It would require no other information but for them to read the contents of a message you encrypt and e-mail to them in person verbally back to you in person at the same meeting. Encouraging government IDs renounces anonymity across all pseudonyms associated with a key as well as misleads users into believing that the person presenting the ID has access to the account. Step #5 says, "Unless you don't want to reveal your own identity (which requires other protective measures)..." What other protective measures? PGP is for privacy, and privacy usually implies or necessitates anonymity. Bulk metadata collection pressures this guide to be amended. --KE8Au7s (talk) 18:07, 24 June 2016 (EDT)
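The validity rules in Gpcf's reply to treje above (three marginally trusted signers or one fully trusted signer, ultimate trust reserved for your own keys) and Dkg's point about certification levels can be seen together in the following model. It is an added example, not code from the guide or from GnuPG. It mirrors the defaults of gpg's trust model (`--marginals-needed 3`, `--completes-needed 1`, `--max-cert-depth 5`, `--min-cert-level 2`); the key names, ownertrust settings and certifications are constructed for illustration, and revocation, expiry and per-user-ID validity are left out.

```python
# Added example (not from the Email Self-Defense guide or GnuPG): a small model
# of how gpg's default trust model turns ownertrust plus certifications into
# key validity. Key names, ownertrust assignments and certifications below are
# constructed for illustration; revocation, expiry and UID-level validity are
# deliberately left out.
from dataclasses import dataclass, field
from typing import Dict, List

# Ownertrust values the user assigns ("how well does this person check keys?")
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = "unknown", "never", "marginal", "full", "ultimate"
# Validity values gpg computes ("does this key really belong to its owner?")
V_UNKNOWN, V_MARGINAL, V_FULL = "unknown", "marginal", "full"


@dataclass
class Certification:
    signer: str
    level: int  # RFC 4880 cert type: 0 generic, 1 persona, 2 casual, 3 positive


@dataclass
class WebOfTrust:
    ownertrust: Dict[str, str] = field(default_factory=dict)
    certs: Dict[str, List[Certification]] = field(default_factory=dict)

    def certify(self, signer: str, signee: str, level: int = 0) -> None:
        """Record that `signer` signed `signee`'s key with the given cert level."""
        self.certs.setdefault(signee, []).append(Certification(signer, level))

    def validity(self, marginals_needed: int = 3, completes_needed: int = 1,
                 max_cert_depth: int = 5, min_cert_level: int = 2) -> Dict[str, str]:
        """Compute validity for every key, breadth-first from the ultimate keys."""
        keys = set(self.ownertrust) | set(self.certs)
        keys |= {c.signer for cs in self.certs.values() for c in cs}
        valid = {k: V_UNKNOWN for k in keys}
        # Depth 0: ultimately trusted keys (normally your own) are valid by definition.
        introducers = {k for k in keys if self.ownertrust.get(k) == ULTIMATE}
        for k in introducers:
            valid[k] = V_FULL
        for _depth in range(1, max_cert_depth + 1):
            newly_full = set()
            for k in keys:
                if valid[k] == V_FULL:
                    continue
                fulls = marginals = 0
                for c in self.certs.get(k, []):
                    # Only fully valid keys that carry ownertrust act as introducers.
                    if c.signer not in introducers:
                        continue
                    # Level 0 is always counted; levels below min_cert_level
                    # (persona certs, level 1, by default) are disregarded.
                    if c.level != 0 and c.level < min_cert_level:
                        continue
                    if self.ownertrust[c.signer] in (FULL, ULTIMATE):
                        fulls += 1
                    else:
                        marginals += 1
                if fulls >= completes_needed or marginals >= marginals_needed:
                    valid[k] = V_FULL
                    newly_full.add(k)
                elif fulls or marginals:
                    valid[k] = V_MARGINAL
            if not newly_full:
                break
            # A newly valid key becomes an introducer only if the user has
            # assigned it marginal or full ownertrust.
            introducers |= {k for k in newly_full
                            if self.ownertrust.get(k) in (MARGINAL, FULL)}
        return valid


def build_sample() -> WebOfTrust:
    """Constructed key graph: 'alice' is the local user; all names are placeholders."""
    wot = WebOfTrust(ownertrust={
        "alice": ULTIMATE, "bob": FULL,
        "carol": MARGINAL, "dave": MARGINAL, "erin": MARGINAL,
    })
    wot.certify("alice", "bob", 3)       # alice checked these four in person
    wot.certify("alice", "carol", 3)
    wot.certify("alice", "dave", 2)
    wot.certify("alice", "erin", 0)      # generic cert: always counted
    wot.certify("bob", "frank", 3)       # one full introducer suffices
    wot.certify("carol", "grace", 2)     # three marginal introducers suffice
    wot.certify("dave", "grace", 2)
    wot.certify("erin", "grace", 2)
    wot.certify("carol", "mallory", 2)   # only two usable marginals here:
    wot.certify("dave", "mallory", 2)
    wot.certify("erin", "mallory", 1)    # persona cert, ignored at min-cert-level 2
    wot.certify("carol", "ivan", 3)      # one marginal: marginal validity only
    wot.certify("frank", "heidi", 3)     # frank has no ownertrust: not an introducer
    return wot


if __name__ == "__main__":
    for key, v in sorted(build_sample().validity().items()):
        print(f"{key:8s} {v}")
```

Running it prints one validity per key; gpg's own equivalent is `gpg --check-trustdb` followed by `gpg --list-keys --with-colons`, whose second field is the validity. The contrast between mallory at the default `--min-cert-level 2` (marginal) and at `--min-cert-level 1` (full) is the practical side of Dkg's remark: a persona-level certification made through `--ask-cert-level` is ignored by default, whereas the generic level-0 certification that "I will not answer" produces is always counted. Note also that frank and grace become fully valid without becoming introducers, because validity is computed but ownertrust is something only the user assigns.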

Accessibility

  • full-infographic.png (gnupg-infographic.svg) provides a lot of information that is inaccessible to screen readers, unless you extract the svg from the source package and weed through it. We could write a text description of the images, and intercalate the explanations. The description could be linked from the main page. -- Tgodef 09:44, 25 July 2014 (EDT)
  • Likewise, smaller images could use more descriptive alt attributes. -- Tgodef 09:51, 25 July 2014 (EDT)
  • I find the less important text extremely difficult to read (for example "The program will take a little while to finish the next step...") Indeed, the luminosity-contrast ratio is only 2.45 (http://springmeier.org/www/contrastcalculator/index.php, text #999, background #f4eed7). In the French version, the text color is #707070 instead of #999. The contrast is better, but still not sufficient to satisfy W3C criteria. -- Tgodef 09:44, 25 July 2014 (EDT)

German and French versions

  • Encoding in Edwards reply is wrong. The source is UTF8 (Linux CR/LF).
  • There are problems with accents in the French version too.


This page was a featured resource in June 2014.