GPG guide/Public Review

From LibrePlanet
< GPG guide
Revision as of 04:45, 1 June 2014 by Micsch (talk | contribs)
Jump to: navigation, search


Welcome, and thanks for offering to try out the FSF's draft guide to email encryption

Instructions

Follow the draft guide to using GnuPG. **Please don't edit any of the pages except this one.** It's still in development, so it may be missing bits or have parts that say "coming soon." In the final version, this text will be interspersed with beautiful and informative graphics.

Please leave your feedback as bullets in the feedback section. Make sure to include: what step your feedback refers to (unless it's more general), how experienced you are with GPG, and what operating system you are using.

For example:

  • I couldn't find the "Key Management" menu item mentioned in step 3 of section 2. I'm using Windows 8 and I've used GPG a little bit before. Zakkai 18:30, 22 May 2014 (EDT)

Unless you're already a Free Software Foundation member, you'll need to make an account on this wiki to leave feedback. If you find that someone else has already said what you want to say, just add your name after theirs.

When you are done, please, make a note here of your username and how far you got by typing four consecutive tildes in a bullet on a new line in the contributors section. Semantic MediaWiki will automatically insert your username.

Contributors

We'd love to give you credit for your work. If you'd like to be attributed in the final version of the guide, please send an email to campaigns@fsf.org with the name you'd like to be attributed with and your username on this Wiki, so that we can verify your contribution.

  • Zakkai 16:33, 22 May 2014 (EDT) did the whole guide (wrote it, in fact)
  • Adietric 13:03, 30 May 2014 (EDT) - Did up to "Testers, stop here" with FossaMail (32-bit) on Windows 8.1, comments below.

Feedback

  • Please provide a more detailed explanation of the web of trust. I think it would help if there were some drawings or graphs to help teach the concept. I'm an experienced GnuPG user running Debian. Kojakr 18:20, 23 May 2014 (EDT)
  • I'm concerned that the Windows workflow might not work well. I hope lots of people test this on Windows. I'm an intermediate GnuPG user running Trisquel GNU/Linux. Zakkai 18:17, 23 May 2014 (EDT)
  • Is an 8-letter password current best practice for crypto key passwords?

Here are some guidelines that suggest at least 12 characters:

http://en.wikipedia.org/wiki/Password_strength#Guidelines_for_strong_passwords

Here is a guide to the amount of time it takes to break passwords of various lengths:

http://www.lockdown.co.uk/?pg=combi&s=articles

Passphrases may be slightly better than passwords:

https://www.schneier.com/blog/archives/2012/03/the_security_of_5.html

Althought as I understand it entropy is the real guiding factor.

--Robmyers 20:53, 23 May 2014 (EDT)

  • Please don't ask people to support Mozilla financially. They are currently attacking user freedom with their DRM infection vector for Firefox. --Robmyers 20:53, 23 May 2014 (EDT)
  • The article recommends making it "a part of your online identity"---this is fine/ideal (as it allows the creation of a web of trust), but a necessary prerequisite is knowing how to properly protect a private key. Average users will likely go for convenience, but especially on Windows systems, maleware is prevalent---if the system holding the private key is compromised, then the private key should be considered compromised and should be revoked. Considering that most users will be unaware of a compromise, more emphasis should also be placed upon the password strength, including links to resources (e.g. what was posted above); otherwise, all parties involved have a false sense of security and the compromised identity can be used for impersonation. Mgerwitz 23:33, 23 May 2014 (EDT)
  • How many people read email on the web or on their devices? Should the Guide include instructions or recommendations of apps for devices? How might a webmail user read/send encrypted email? Lpb 09:01, 24 May 2014 (EDT), GNU/Linux and GPG user.
  • Intro: "emails that are coded" - "encrypted" would be clearer, IMHO. Adietric 07:28, 30 May 2014 (EDT)
  • Intro: "surveillance agent or thief" - maybe phrase it more neutral: "make sure that only the intended recipient can read it". Adietric 07:28, 30 May 2014 (EDT)
  • Intro: "when you need to send something sensitive" - I think it's a bad idea to train users to think of encryption only for "sensitive" communication. I'd remove this whole paragraph. Adietric 07:28, 30 May 2014 (EDT)
  • Intro: "you'll actually do it more often" - Personally, I hardly ever sign my email. Maybe let the users decide and drop this sentence. Adietric 07:28, 30 May 2014 (EDT)
  • Section 1: It seems that Enigmail is not compatible with the 64-bit version of FossaMail (Enigmail was "disabled" right after installation). Adietric 12:14, 30 May 2014 (EDT)
  • Section 2a: "the Enigmail set-up wizard automatically uploaded it to a keyserver" - which one? I checked all the ones included in Enigmail, but my key wasn't there. Consequently Adele failed to find my key later on. (Next I tried using "Key Management -> Send Public Keys by Email", since the reply said "If you send me your public key along with another encrypted message", but unfortunately Adele doesn't support attachments. It only works if the public key is sent in the message body, probably not suitable for many users.) Adietric 12:46, 30 May 2014 (EDT)
  • Section 3a: You may want to show Adele's full key ID, in case some joker uploads a conflicting key. Adietric 12:46, 30 May 2014 (EDT)
  • Section 3b: You should mention that the subject line will not be encrypted. Adietric 13:03, 30 May 2014 (EDT)
  • Section 3b: "Notice the bar" - maybe include more information, where is the bar usually, what does it say? Adietric 12:46, 30 May 2014 (EDT)

A few comments from Srevilak 20:22, 29 May 2014 (EDT):

  • Perhaps add a step 1.b.1: If you're using Mac OS X, download GPGTools. I've never tried to set up Enigmail + GPG tools on a macintosh, but I do know that GPGTools has good integration with Apple Mail. GPGTools is probably the most accessible distribution of GnuPG command line tools for macintosh.
  • Step 2.a: "In your email program's menu, select OpenPGP -> Setup Wizard". Perhaps this should explicitly say "In Thunderbird's program menu". (Thunderbird has an OpenPGP menu, but other mail programs may not)
  • Step 2.a: "The program will take a little while to finish the next step". Perhaps say "OpenPGP's Wizard" rather than "the program".
  • Step 2.a: "After creating your key, the Enigmail set-up wizard automatically uploaded it to a keyserver". "Uploads" (rather than uploaded) may be the correct tense here.
  • Section 3a: "Check the first result (Key ID starting with 9) and hit OK." It might be nice if the tutorial included Adele's fingerprint. Introducing the concept of fingerprints here sets you up to elaborate in Section 4. "it requires a way to verify that a person's keypair is actually theirs." Fingerprints are the best way to do that verification. (Agreed, how to view your own fingerprint and check other people's fingerprints should appear somewhere in the guide. Adietric 13:03, 30 May 2014 (EDT))
  • Step 3.c: "After you click send, Enigmail will ask you for your password. It will do this any time it needs to use your public key". I think it should read: "After you click send, Enigmail will ask you for your password. It will do this any time it needs to use your PRIVATE key"
Retrieved from "https://libreplanet.org/wiki?title=GPG_guide/Public_Review&oldid=35086"