Difference between revisions of "GPG guide/Random Notes"

From LibrePlanet
(Replaced content with "=Random Notes= All dealt with.")
 
Line 1: Line 1:
 
=Random Notes=
 
+ All dealt with.
 
(The list below is the old revision's content, replaced by this edit.)
 
* Take credit for GPG as part of the GNU Project
* Include an estimate of how long it will take to complete the guide
 
* Figure out if GnuPG comes preinstalled in all GNU/Linux distros
 
* Do we want to check that anything in particular is up to date?
 
* Sweet article: Does Encryption Still Work? https://securityinabox.org/en/node/3291
 
* Oh MAN good idea - maybe we should have a little catchphrase that goes with the GPG key, like “I’ll keep your secrets.”
 
* If you are using plugins in your email client, things might look a little different.
 
* ''The wizard claims to run automatically on the first install. Mention that the optimization will put your messages in plaintext, and that if you want to keep HTML as default you can hit Shift while you hit Write? Talk about the fact that any key pair generated using OpenPGP Setup Wizard is automatically based on a 2048-bit structure, and has a lifespan of 5 years. Both these characteristics cannot be changed after the key pair has been generated using this method. Revocation cert?''
 
* make the point about valuing other people's privacy
 
* What if someone already has the email client configured and it makes the wizard more complicated, like in <https://securityinabox.org/en/thuderbird_encryption#4.2>?
 
* '''Really think about ways that this will be about making the fact that you use GPG part of your online identity, and make this a vector for driving people to the guide. For example, have people put their GPG key up on their blogs and social media sites, with a link (perhaps with logo, graphic, embed code, something cool) to our guide. Is there a good standard way to list this on your FB? Twitter? We can get people to do this even if they are already using GPG.'''
 
* Audience: People who are excited about technology and involved in movements like ours, but don't already know how to use GPG. They are computer literate, though, and don't need their hands held through super basic stuff, like clicking next in a Wizard.
 
 
 
* Make it clear that there are two different ways that "signing" is used.
 
* For signing keys, you could say "and so, if you go on a keyserver and you see that someone has a lot of signatures on their key, you can probably trust them more, because someone has verified their identity." This segues well into an optional description of the need for the Web of Trust, starting with explaining the threat of someone making fake keys to sign their other fake key.
 
* Why you shouldn't leak your private key: because then someone could both read your mail AND impersonate you
 
* Does Enigmail automatically refresh keys?
 
* The default is to import keys without verifying the fingerprint; "locally sign key" is not intuitive at all, and to actually verify the fingerprint you need to click yet another button.
 
* Explain key loss
 
* Explain the need to refresh (is this necessary when using Enigmail?)
 
* Explain expiration and making new keys
 
* 2048 bit key with 5 year expiration date
 
* Have a glossary?
 
* Mention that if you use Webmail, you won't be able to read your encrypted emails in it
 
* Saving unencrypted drafts to servers, as per Micah Lee's email to liberationtech. John says this is important.
 
* Link to dedicated keyserver for people to use, run by us, so that we can track who is getting started through our campaign.
 
* Other email client security settings, like in <https://securityinabox.org/en/thunderbird_security>
 
* A section on verifying incoming email, like on <http://en.flossmanuals.net/thunderbird-workbook/receive-encrypted-mail/>. Hopefully this can just be worked into the try it out section
 
* Different ways of identifying keys.
 
* Right click Adele's public key and click View Signatures from the context menu. You should see your name at the bottom of the list.
 
* Credit the Adele Website if we end up using it: <http://www.g-n-u.de/>
 
* Explain that you can send a signed email to anyone but you can only send an encrypted email to someone who has a public key.
 
* GPG vulnerabilities from Paul Tag: http://debian-administration.org/users/dkg/weblog/108 and https://dkg.fifthhorseman.net/notes/inline-pgp-harmful/
 
* **You should really read these or put it somewhere: <http://arstechnica.com/security/2013/06/encrypted-e-mail-how-much-annoyance-will-you-tolerate-to-keep-the-nsa-away/>, <https://medium.com/p/f561c5260bf3>, <https://guardianproject.info/howto/chatsecurely/>, and <https://guardianproject.info/howto/browsefreely/>**
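Review bot: the replacement records no outcome for the items that are questions rather than tasks, e.g. the revocation certificate question in the OpenPGP Setup Wizard note, whether Enigmail refreshes keys automatically, and the default of importing keys without verifying the fingerprint; "All dealt with." should come with a pointer to the guide section or discussion where each was resolved, or the open questions should move to the talk page, so the next editor can check them without digging through the page history.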
 

Latest revision as of 15:41, 4 June 2014

Random Notes

All dealt with.