-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 20.09.15 05:06, Robert J. Hansen wrote:
> (Forgive the HTML: this is one of the few times where I think it’s 
> worthwhile.  This email uses color to convey information.)
> 
> So, while relaxing with a good stogie, I started mulling over the
> UX problem of communicating information about encryption status, 
> signatures, validity, and more.  I got nowhere, which is when I
> decided to burn it all down and start from a clean sheet of paper.
> 
> Enigmail and GnuPG exist to provide the CIA triad.  No, not the 
> intelligence agency — Confidentiality, Integrity, and Assurance.
> Those are the three metrics we need to communicate to the user.  So
> let’s throw out all the language about “untrusted good signature”
> and start over from scratch: let’s communicate the triad.
> 
> First things first: rename it, because only hardcore nerds
> understand what CIA means.  (“What’s the difference between
> integrity and assurance?” is a really common question in
> undergraduate computer security courses.  Even computer science
> majors who have an interest in this stuff, as evidenced by signing
> up to take a class in it, generally don’t understand it.)  I’m
> going to rename the triad the PAI triad: Privacy, Authenticity, and
> Identity.  Further, instead of giving incredibly detailed “valid
> signature but the certificate has not been validated” types of
> messages, let’s reduce it to binary choices.  People like binary
> choices: they’re easy to understand.
> 
> * *Privacy* is a binary state: yes the message was private
>   (encrypted), or no it was not.
> * *Authenticity* is also a binary state: we are confident the
>   message is authentic, or we are not.
> * *Identity* is also a binary state: we are confident it came from
>   the specified person, or we are not.
> 
> 
> We can present this information to the user using just three
> letters in different colors—green for yes, black for no.  Imagine,
> for instance, that we have an untrusted good signature on an
> unencrypted message.  We would then put at the top of the email:
> 
> Privacy Authenticity Identity
> 
> 
> 
> Immediately, at a glance, the user can see that the message is not 
> private, is authentic, but we don’t know who it came from.
> 
> A good signature from a validated certificate, but no encryption,
> would get marked up as—
> 
> 
> Privacy Authenticity Identity
> 
> 
> An encrypted message without a signature would get—
> 
> 
> Privacy Authenticity Identity
> 
> 
> An encrypted and signed message from an unknown certificate—
> 
> 
> Privacy Authenticity Identity
> 
> 
> And finally, an encrypted and signed message from a validated
> certificate—
> 
> 
> Privacy Authenticity Identity
> 
> 
> Immediately, right at-a-glance, users get the information that’s of
> most use to them: is this message private?  Is it authentic?  Did
> it really come from the person I think it did?  If the user wants
> to know details about why a particular message was graded in a
> particular way, they’d double-click on the header and get a
> detailed breakdown of what factors went into each decision.  For
> instance, Enigmail might display a new window that contained
> something like:
> 
> ------------------------------------------------------------------------
>
>  * *Privacy.*  This email was encrypted with your RSA key.
>    _Click here_ to open this key in the Key Management window.
>    Camellia-256 was used for symmetric encryption.
>  * *Authenticity.*  This email was signed; however, the signature
>    did not check out.  The message, the signature, or both, were
>    altered in transit.  This is not necessarily a sign of hostile
>    action.  Sometimes messages get garbled in the process of
>    transmitting from one system to the next.
>  * *Identity.*  This email claims to be from Robert J. Hansen
>    <r...@enigmail.net> with key ID 0xDEADBEEFDEADBEEF.  However, we
>    do not know the signing key really belongs to this person.  If
>    you’re certain the signing key belongs to this person,
>    _click here_ and Enigmail will remember it for the future.
> 
> ------------------------------------------------------------------------
>
> 
> 
> … Bam.  A simple UX that everyone sees, which conveys the most
> important information at-a-glance.  If more detailed information is
> needed, we present it in human-friendly language and embed within
> the language links to help people do common tasks related to keys.
> 
> Further, this UX is completely independent of the trust model used
> by GnuPG.  If you want to use the Web of Trust, no problem.  If you
> have --trust-model=always set, no problem.  If you’re using TOFU,
> no problem.
> 
> What do y’all think?

I like this proposal very much. I can well imagine that we display 3
icons and if you click on any of them, you'll get the detailed
information. But I'd suggest also to add the UID of the sender in the
message reader pane if the signature can be verified.

- -Patrick


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

-----END PGP SIGNATURE-----

_______________________________________________
enigmail-users mailing list
enigmail-users@enigmail.net
To unsubscribe or make changes to your subscription click here:
https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net
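
The three binary states proposed in the quoted message, derived from GnuPG `--status-fd` output, as an added example that is not part of the original emails and is not Enigmail's code. The function names and the plain-text `[x]`/`[ ]` rendering (standing in for green/black) are hypothetical, and the sample status lines are constructed.

```javascript
// Added illustration: map GnuPG status lines to the Privacy /
// Authenticity / Identity flags. Each flag fails closed.

// The signing key is considered valid under the configured trust model.
const TRUSTED = new Set(["TRUST_FULLY", "TRUST_ULTIMATE"]);
// Signature results that must never count as authentic.
const BAD_SIG = new Set(["BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"]);

function paiFromStatus(statusText) {
  let decrypted = false, decryptFailed = false;
  let goodSig = false, badSig = false, trusted = false;
  for (const line of statusText.split(/\r?\n/)) {
    const m = /^\[GNUPG:\] (\S+)/.exec(line);
    if (!m) continue;                      // ignore anything that is not a status line
    const kw = m[1];
    if (kw === "DECRYPTION_OKAY") decrypted = true;
    else if (kw === "DECRYPTION_FAILED") decryptFailed = true;
    else if (kw === "GOODSIG") goodSig = true;
    else if (BAD_SIG.has(kw)) badSig = true;
    else if (TRUSTED.has(kw)) trusted = true;
  }
  const privacy = decrypted && !decryptFailed;
  // One bad signature outweighs any good one on the same message.
  const authenticity = goodSig && !badSig;
  // Identity only means something if the signature itself checked out.
  const identity = authenticity && trusted;
  return { privacy, authenticity, identity };
}

// Plain-text stand-in for the colored header line.
function renderHeader(pai) {
  const mark = (ok) => (ok ? "[x]" : "[ ]");
  return `${mark(pai.privacy)} Privacy  ${mark(pai.authenticity)} Authenticity  ` +
         `${mark(pai.identity)} Identity`;
}

// Constructed sample: untrusted good signature on an unencrypted message.
const SAMPLE_UNTRUSTED = [
  "[GNUPG:] GOODSIG DEADBEEFDEADBEEF Alice Example <alice@example.org>",
  "[GNUPG:] TRUST_UNDEFINED",
].join("\n");
// Constructed sample: encrypted and signed by a validated key.
const SAMPLE_FULL = [
  "[GNUPG:] DECRYPTION_OKAY",
  "[GNUPG:] GOODSIG DEADBEEFDEADBEEF Alice Example <alice@example.org>",
  "[GNUPG:] TRUST_FULLY",
].join("\n");

console.log(renderHeader(paiFromStatus(SAMPLE_UNTRUSTED)));
console.log(renderHeader(paiFromStatus(SAMPLE_FULL)));
```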
