On Mon, 17 Oct 2011 20:11:29 +0200, Werner Koch wrote:
of the whole system. We prepared a short paper; if you are interested
Some suggestions and questions, some are applicable to the paper while
others might be more suited for a FAQ section on the website:
* More pictures.
* You're
On Oct 25, 2011, gn...@lists.grepular.com wrote:
. . .
(*) there's a nasty privacy issue when you're able to trigger a
receiving email client to do arbitrary http lookups. It means the sender
is able to determine when the recipient downloaded the email, and what
IP address they were using at
.
-Devin
-Original Message-
From: Robert J. Hansen r...@sixdemonbag.org
Sender: gnupg-users-boun...@gnupg.org
Date: Tue, 25 Oct 2011 22:02:29
To: gnupg-users@gnupg.org
Subject: Re: STEED - Usable end-to-end encryption
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
On 10/25/11 6:46 PM
On 24/10/11 19:25, Robert J. Hansen wrote:
With respect to your question: what we offer is privacy, but most people
do not understand privacy, do not care about privacy, and would not care
about privacy even if they understood it.
So if we can't motivate users by showing the bad stuff that can
On 10/25/11 5:26 AM, Peter Lebbing wrote:
So if we can't motivate users by showing the bad stuff that can
happen if you have no privacy, then how to do it? I don't see any
other way.
Years ago W.D. Richter wrote a fictitious interview between the two
fictitious characters Reno Nevada and
d...@geer.org wrote:
With respect to your question: what we offer is privacy, but most
people do not understand privacy, do not care about privacy, and
would not care about privacy even if they understood it.
[snip]
You got that right, Brother.
To be more pointed, how many folks on this
On 25/10/11 14:54, Robert J. Hansen wrote:
Every now and again I'll meet someone who's interested in learning
about privacy and how to protect it. I do my best to help these
people along. That's what I can do, that's what's within my power,
that's the standard I judge myself by -- how well I
On 10/25/11 10:57 AM, Peter Lebbing wrote:
The problem with the current proposal in that respect is that it
requires co-operation of e-mail providers.
I disagree. The problem with the current proposal is it offers email
providers no payoff for their work. If it could credibly be said,
On Mon, 24 Oct 2011 23:02:32 -0400
d...@geer.org articulated:
To be more pointed, how many folks on this list carry a cell phone?
I carry one virtually all the time. It is sort of in my job
description. I have to be available 24/7.
--
Jerry ✌
gnupg.u...@seibercom.net
On 25/10/11 17:09, Robert J. Hansen wrote:
I disagree. The problem with the current proposal is it offers email
providers no payoff for their work. If it could credibly be said,
implement STEED and you'll get 25% less spam across your network,
email providers would be lining up around the
So, to summarize what I think I've been hearing: the problem which
remains to be solved (if it is a problem) is a nontechnical one, and
no amount of technical wizardry will solve it. The most that can be
done now is to be ready to help someone who fears for his privacy and
asks, what can I do?
On 10/25/11 5:17 PM, Robert J. Hansen wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
[rest of message, which *lacked* a signature, elided]
Wow, that's a wacky error. Time to file a bug report in Enigmail!
___
Gnupg-users mailing list
On 25/10/11 21:11, Mark H. Wood wrote:
So, to summarize what I think I've been hearing: the problem which
remains to be solved (if it is a problem) is a nontechnical one, and
no amount of technical wizardry will solve it. The most that can be
done now is to be ready to help someone who fears
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Hi
On Tuesday 25 October 2011 at 10:26:57 AM, in
mid:4ea680e1.6070...@digitalbrains.com, Peter Lebbing wrote:
On 24/10/11 19:25, Robert J. Hansen wrote:
With respect to your question: what we offer is privacy, but most people
do not
On 10/25/2011 15:46, MFPA wrote:
An oft-used analogy when promoting encrypted communication is to compare
it to sending a letter in an envelope rather than sending a postcard. If
people don't care about privavy, why did envelopes rather than postcards
develop as the default for sending
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
On 10/25/11 6:46 PM, MFPA wrote:
If people don't care about privavy, why did envelopes rather than
postcards develop as the default for sending messages through the
post?
This one should be obvious: because a postcard doesn't allow you to
write
On Fri, Oct 21, 2011 at 01:46:02AM +0200, Marcus Brinkmann wrote:
On 10/20/2011 10:25 PM, Matthias-Christian Ott wrote:
But who are the providers? Except for people who work in computer
science, physics or similar fields I don't know people who run their own
mail servers or are part of a
On Fri, Oct 21, 2011 at 06:55:47PM +0100, MFPA wrote:
If you are trying to get people to think about privacy, maybe
suggesting Diaspora as an alternative to Facebook is a direction to
consider...
I would suggest that, if you are trying to get people to think about
privacy, about the only thing
On 10/24/11 11:15 AM, Mark H. Wood wrote:
No one can desire salvation until he believes that he is in jeopardy.
Although hellfire-and-damnation preachers are a popular cultural idea,
they're really quite rare: most preachers go more for the John 10:10
angle [*]. They've found through centuries
On Mon, Oct 24, 2011 at 11:24:40AM -0400, Robert J. Hansen wrote:
On 10/24/11 11:15 AM, Mark H. Wood wrote:
No one can desire salvation until he believes that he is in jeopardy.
Although hellfire-and-damnation preachers are a popular cultural idea,
they're really quite rare: most preachers
With respect to your question: what we offer is privacy, but most people
do not understand privacy, do not care about privacy, and would not care
about privacy even if they understood it.
During graduate school the politically-active members of the Computer
Science department were up in
Hi Matthias-Christian,
thanks for your comments, I think they are entirely correct. With respect to
convincing ISPs, STEED is not a complete proposal yet. The STEED paper covers
the technical aspects of making email encryption usable for the user. It does
not cover the policies of the parties
On Fri, 21 Oct 2011 01:46, marcus.brinkm...@ruhr-uni-bochum.de said:
not ask for data that is not available for whatever reason. I think your
interpretation of the regulations in that area is overly pessimistic, but I
could be wrong. Maybe you can verify this?
Actually the German Federal
On Thu, Oct 20, 2011 at 04:16:01AM +0200, Marcus Brinkmann wrote:
On 10/19/2011 09:30 PM, Peter Lebbing wrote:
However, I think you're not ambitious enough when you opt for using DNS for
key
distribution. Yes, the infrastructure and RR types[1] are already there.
But it
brings this
On 20-10-2011 22:25, Matthias-Christian Ott wrote:
What about making everyone their own provider?
Is that technically equivalent to running your own mailserver? Because
that also gives some problems: I run my own server at vulcan.xs4all.nl
(bsmtp at a subdomain of my provider) but get some
Matthias-Christian Ott wrote:
What about making everyone their own provider? The efforts in this
direction intiated by Eben Moglen that lead to the FreedomBox and other
projects seem to go in the right direction. It doesn't seem to me less
realistic than requiring cooperation from
Le 21/10/2011 16:12, Jean-David Beyer a écrit :
Matthias-Christian Ott wrote:
What about making everyone their own provider? The efforts in this
direction intiated by Eben Moglen that lead to the FreedomBox and other
projects seem to go in the right direction. It doesn't seem to me less
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Hi
On Thursday 20 October 2011 at 10:04:15 AM, in
mid:87hb34xcds@vigenere.g10code.de, Werner Koch wrote:
Most users don't have personal web pages. So what now?
Well many users have a facebook page - but this would
make facebook mandatory
On Thu, 20 Oct 2011 05:30, lists-gnupg...@lina.inka.de said:
the lowest efford are discovery via personal web pages like doing XDR or
maybe webfinger. Most users wont be able to have special RRs - not even
Most users don't have personal web pages. So what now? Well many users
have a facebook
On Wed, 19 Oct 2011 22:10, kloec...@kde.org said:
What NEW standard are you talking about? Werner wants to use OpenPGP.
and S/MIME! We actually don't care. For certain MUAs it is much
simpler to implement something on top of S/MIME than to trying to get
OpenPGP support. The actual protocol
Am 20.10.2011 04:16, schrieb Marcus Brinkmann:
You are right that it is a challenge to get the support in the providers
the lowest efford are discovery via personal web pages like doing XDR or
maybe webfinger. Most users wont be able to have special RRs - not even
for their own domains (which is
Hi,
I read this briefly, and I'd actually like to read it over later and maybe
contribute some ideas. The lack of people caring about cryptography is
quite apparent, and may be solved with some good ideas of making things less
annoying / hard to use.
I'd be happy to help.
On Mon, Oct 17, 2011
What proportion of consumer-grade ISPs have bothered to implement
DNSSEC for serving their customers? I don't think mine does, and
they're a big outfit. If I asked, I expect they'd think I was
speaking Aldebaranese or something.
--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Asking
On 10/20/2011 10:25 PM, Matthias-Christian Ott wrote:
But who are the providers? Except for people who work in computer
science, physics or similar fields I don't know people who run their own
mail servers or are part of a cooperative. Most other people use a
handful of providers who often
- Original Message -
From: Werner Koch w...@gnupg.org
To: Jerome Baum jer...@jeromebaum.com
Cc: gnupg-users@gnupg.org
Sent: Tuesday, October 18, 2011 7:00 PM
Subject: Re: STEED - Usable end-to-end encryption
On Tue, 18 Oct 2011 16:35, jer...@jeromebaum.com said:
operations
On 18 October 2011 12:00, Werner Koch w...@gnupg.org wrote:
On Tue, 18 Oct 2011 16:35, jer...@jeromebaum.com said:
operations will be the most important part to making that work, and the
ISPs don't have to help out there (modulo webmail which isn't even
end-point).
Even webmail. It is easy
Hi,
On 19.10.2011, at 15:11, Tom Ritter wrote:
Other Security Folks: Absolutely NO javascript cryptography. Zero, none.
well, JavaScript itself is just another programming language and combined with
modern technologies like HTML5 Web Storage there is nowadays technically no
need to implement
--- On Mon, 10/17/11, Werner Koch w...@gnupg.org wrote:
From: Werner Koch w...@gnupg.org
Subject: STEED - Usable end-to-end encryption
To: gnupg-de...@gnupg.org
Cc: Marcus Brinkmann mar...@gnu.org, gnupg-users@gnupg.org
Date: Monday, October 17, 2011, 2:11 PM
Hi!
http://g10code.com
Werner, Marcus,
Thank you for thinking about taking end-to-end e-mail encryption to the next
level. I really like your ideas.
However, I think you're not ambitious enough when you opt for using DNS for key
distribution. Yes, the infrastructure and RR types[1] are already there. But it
brings
On 19/10/11 21:30, Peter Lebbing wrote:
that is a really major hurdle; probably a too steep one, IMHO.
Given that all normal, literal hurdles are at right angles to the ground, they
are all equally steep. Obviously I meant high :D.
Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Hi
On Wednesday 19 October 2011 at 7:07:45 PM, in
mid:1319047665.75751.yahoomailclas...@web130223.mail.mud.yahoo.com,
Harakiri wrote:
Also - inventing just ANOTHER protocol for email
encryption that mail clients should implement? Heck,
the
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Hi
On Wednesday 19 October 2011 at 8:30:48 PM, in
mid:4e9f2568.6080...@digitalbrains.com, Peter Lebbing wrote:
If you could do something similar for
mapping e-mail addresses to certificates
It would be awesome if this could be achieved
If you could do something similar for
mapping e-mail addresses to certificates
It would be awesome if this could be achieved without revealing other
email addresses or UIDs that might happen to map to the same
key/certificate.
Hash the UID many times. (Didn't someone propose that a while
On Wednesday 19 October 2011, Harakiri wrote:
--- On Mon, 10/17/11, Werner Koch w...@gnupg.org wrote:
From: Werner Koch w...@gnupg.org
Subject: STEED - Usable end-to-end encryption
To: gnupg-de...@gnupg.org
Cc: Marcus Brinkmann mar...@gnu.org, gnupg-users@gnupg.org
Date: Monday, October
On 2011-10-19 22:49, Peter Lebbing wrote:
On 19/10/11 22:22, Jerome Baum wrote:
It would be awesome if this could be achieved without revealing other
email addresses or UIDs that might happen to map to the same
key/certificate.
Hash the UID many times. (Didn't someone propose that a while
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Hi
On Wednesday 19 October 2011 at 9:49:20 PM, in
mid:4e9f37d0.50...@digitalbrains.com, Peter Lebbing wrote:
By default the STEED system as proposed creates a new
certificate for every e-mail address. So unless
manually overridden, there is
On Wednesday 19 of October 2011 22:10:30 Ingo Klöcker wrote:
On Wednesday 19 October 2011, Harakiri wrote:
Also - inventing just ANOTHER protocol for email encryption that mail
clients should implement? Heck, the only protocol available in all
major mail clients right now for out of the
Hi Peter,
thanks for your feedback.
On 10/19/2011 09:30 PM, Peter Lebbing wrote:
However, I think you're not ambitious enough when you opt for using DNS for
key
distribution. Yes, the infrastructure and RR types[1] are already there. But
it
brings this nasty dependency on the provider.
On 17 October 2011 20:11, Werner Koch w...@gnupg.org wrote:
Hi!
Over the last year Marcus and me discussed ideas on how to make
encryption easier for non-crypto geeks. We explained our plans to
several people and finally decided to start a project to develop such a
system. Obviously it is
Skimmed over this. You say that you need ISP support to get the
system adopted (for the DNS-based distribution). Wouldn't that
hinder adoption?
Please look at how most people use mail: They get a mail address from
their ISP, a preinstalled MUA and so on. Mail works for them
instantly;
I don't see why the ISP has to be the entity providing DNS lookup.
The one I use won't even allocate me a static address, let alone
accept RRs from me to serve out to others. I'm not sure I'd trust
them to get it right and *keep* it right anyway.
If the ISPs won't cooperate, maybe the antivirus
On Mon, Oct 17, 2011 at 05:50:42PM -0600, Aaron Toponce wrote:
[snip]
At any rate, I would love to see more client-to-client encryption in email.
I've always wondered if there could be an OTR approach to mail, somehow,
so people don't need to generate and manage their own sets of keys, as that
On 18/10/11 16:00, Mark H. Wood wrote:
I don't see why the ISP has to be the entity providing DNS lookup.
Because it is the e-mail address of the recipient you look up; that's all the
data you have in this scenario. Thus, for me you would look up a key
corresponding to user peter at the domain
In fact to my knowledge outside of webmail and inside private email
(so drop companies, universities, schools) it's usual to configure your
own MUA, with the help of instructions from your ISP.
Well, so we need to convince them to change those instructions.
Yes and this is what I said: It's
On Tue, 18 Oct 2011 15:30, jer...@jeromebaum.com said:
In fact to my knowledge outside of webmail and inside private email
(so drop companies, universities, schools) it's usual to configure your
own MUA, with the help of instructions from your ISP.
Well, so we need to convince them to change
... We can remove *needless* complexity, but security could be said
to be the art of *introducing* specific complexity that's a lot worse
for the attacker than it is for you. It can't be automagical.
Anyway, key generation is already automated. All you have to do is
(1) choose to employ
I don't see why the ISP has to be the entity providing DNS lookup.
The one I use won't even allocate me a static address, let alone
accept RRs from me to serve out to others. I'm not sure I'd trust
them to get it right and *keep* it right anyway.
I should clarify. An email provider is also
On Tue, 18 Oct 2011 16:30, pe...@digitalbrains.com said:
Because it is the e-mail address of the recipient you look up; that's all the
data you have in this scenario. Thus, for me you would look up a key
corresponding to user peter at the domain digitalbrains.com. The only logical
Right.
On Tue, 18 Oct 2011 15:42, mw...@iupui.edu said:
To be secure without being involved in the process is an unreasonable
expectation which can never be met. We need to teach our kids to
expect to protect themselves online the same way we teach them to look
We did this for about 15 years -
Even webmail. It is easy to write a browser extension to do the crypto
stuff. Installing browser extensions is even easier than installing
most other software.
I'd make it a point of discussion whether it's still webmail proper then.
But you could also use Javascript, Java or Flash, so yes
On 10/18/2011 11:58 AM, Werner Koch wrote:
We did this for about 15 years - without any success. If you look
at some of the studies you will see that you can't teach that stuff
to non-techies - sometimes not even to engineers.
As a data point from 2005:
I was teaching computer literacy at
On Tue, 18 Oct 2011 16:35, jer...@jeromebaum.com said:
operations will be the most important part to making that work, and the
ISPs don't have to help out there (modulo webmail which isn't even
end-point).
Even webmail. It is easy to write a browser extension to do the crypto
stuff.
On Mon, Oct 17, 2011 at 05:50:42PM -0600, Aaron Toponce wrote:
.snip..
At any rate, I would love to see more client-to-client encryption in email.
I've always wondered if there could be an OTR approach to mail, somehow,
so people don't need to generate and manage
* Robert Holtzman hol...@cox.net [111018 21:43,
mID 20111018185035.gb4...@cox.net]:
The greatest hindrance to widespread adoption is the phrase I often
hear...I've got nothing to hide It drives me up a wall.
+1
Martin
smime.p7s
Description: S/MIME cryptographic signature
http://g10code.com/docs/steed-usable-e2ee.pdf
Skimmed over this. You say that you need ISP support to get the system
adopted (for the DNS-based distribution). Wouldn't that hinder adoption?
hotmail and the like still don't support POP3 or IMAP in a standard
account, and they are still popular
On 2011-10-17 23:00, Ben McGinnes wrote:
On 18/10/11 7:32 AM, Aaron Toponce wrote:
I like the idea, but how are you setting the header? I see you're
using Thunderbird, and I don't believe that setting that header is
part of Enigmail. Further, it appears your mail isn't signed. Just
curious.
On Mon, 17 Oct 2011 20:25:04 +0200
Jerome Baum articulated:
Skimmed over this. You say that you need ISP support to get the system
adopted (for the DNS-based distribution). Wouldn't that hinder
adoption? hotmail and the like still don't support POP3 or IMAP in a
standard account, and they are
http://windowslivehelp.com/solution.aspx?solutionid=a485233f-206d-491e-941b-118e45a7cf1b
Wow, since 2009 (I haven't checked back in a while -- stay clear of
strange hosts like hotmail).
I think the point still stands though. I don't think email providers are
the right place to look for
On 10/17/11 5:21 PM, Jerome Baum wrote:
So enabling _Enigmail_'s Send 'OpenPGP' header option is difficult now?
Unquestionably, indubitably, beyond doubt, *yes*. You are assuming a
level of computer literacy that is beyond 95% of the computing public.
Remember, under 10% of the computing public
On 2011-10-17 23:59, Robert J. Hansen wrote:
On 10/17/11 5:21 PM, Jerome Baum wrote:
So enabling _Enigmail_'s Send 'OpenPGP' header option is difficult now?
[long rant about Enigmail]
The emphasis was clearly on Enigmail, not on whether it's difficult or
not. If you hadn't misquoted me you
On Mon, Oct 17, 2011 at 08:25:04PM +0200, Jerome Baum wrote:
How about an opportunistic approach? This email should include the
following header:
OpenPGP: id=C58C753A;
url=https://jeromebaum.com/pgp
The MUA could recognize a header like this one and remember that there's
a
71 matches
Mail list logo
