I like this proposal generally, but I'd like to suggest two modifications:
1. Take the semantic that you proposed for the wax seal (greyed out,
"lit" for positive integrity, broken for integrity failure) and extend
it to the other two icons.
For the foreseeable future the overwhelming majority of messages will
not be private. I don't need to see Guy Fawkes masks for 99.9% of my
e-mail. Also, messages to mailing lists (which I realize affect a small
percentage of e-mail users) will by their nature always be public. Still
don't need to see a mask to alert me to that.
2. Consider placement for these icons in a manner similar to the way
tbird handles S/MIME currently. I don't need a separate bar for this
feature, and don't want to take up precious screen real estate for it.
Alternatively (and arguably better, I haven't finished thinking through
it yet), place the three icons next to the icons for reply, etc. In
other words, use the same icon strategy as is currently being used for
the compose window, minus the extra bar.
hth,
Doug
On 3/23/2016 1:56 AM, Robert J. Hansen wrote:
Apologies for being so tardy on this. I wanted to hold off until I had
the chance to run these ideas past some people at the Internet Freedom
Festival, but then I contracted a violent case of the flu at IFF and I
have literally just in the past couple of days completed my recovery.
The good news: my proposal is far better now thanks to the feedback I
received from IFF attendees.
===
1. WHAT'S THE PROBLEM?
There are two answers to this:
* Nothing. Enigmail's probably the most commonly used
OpenPGP-enabled email platform in the world today.
* Lots. It's still hard to use. We can do better. Let's
try!
I'm going to assume you're in the second camp. :)
In a nutshell, the language that we use to talk about privacy-enhanced
email is awful. Our language is fundamentally divorced from the way
real users want to talk about things.
Us: "Privacy? Sure, I used my correspondent's 4096-bit RSA key -- after
downloading a fresh copy from the keyserver to make sure there hadn't
been any revocations -- and included my own 3072-bit Elgamal key as an
additional recipient. Camellia256 was used for the session key, and I
signed it with my airgapped smartcard using Zarbunlaxian quantum
technology."
Real people: "Well, the Privacy icon says it's good..."
2. TECHNOLOGIES AREN'T PROPERTIES.
Some users care an awful lot about which specific technologies get used
in the process of securing email, but the vast majority of normal users
genuinely don't care. They don't want to learn about cryptographic
algorithms, or the difference between 4096-bit and 256-bit cryptography,
or why 256-bit crypto is stronger than 4096-bit crypto.
They care about *properties*, not *technologies*. Was my email private?
Am I sure it's from who I think it is?
3. WHAT ARE WE REALLY FOCUSING ON?
I'm going to call it the PAIR system. This is just for developmental
purposes; users should never need to know what we call it. (This is
also a win for internationalization, as some of these concepts don't
translate easily into, e.g., Russian, according to some of the IFF folk.)
We want to provide information on four different aspects of privacy:
Privacy
Accountability
Integrity
Reliability
4. PRIVACY
Privacy is provided by encryption algorithms like RSA and TWOFISH, but
there's no reason the user needs to understand that. In fact, the user
doesn't even need to know the message was encrypted. The user cares
about whether the message is private; everything else is a detail that
should be hidden from the casual user, but easily available to the power
user.
For this reason, I'm proposing two icons. For email that is not
reasonably believed to be private (for whatever reason), we flag it with
the icon of a postcard. For email that is believed to be private, we
flag it with the icon of an envelope.
People intuitively understand postcards aren't private, and people
intuitively understand envelopes provide privacy. I think this metaphor
is simple, straightforward, and accurate. It sure beats hearing new
users say "so the message was encrypted, but ... what does that mean,
really?"
5. ACCOUNTABILITY
Accountability is built on top of integrity. For technically skilled
users, this is basically the same as key validity -- how sure we are
that this key really belongs to a real user. Can this message be
positively identified as coming from a specific person? Can they be
held accountable for what they say?
For this, I propose two different icons. One is a Guy Fawkes mask, and
the other is a passport. The Guy Fawkes mask pretty much screams
anonymity and unaccountability; a passport gives the impression that
yes, we really know who's speaking.
6. INTEGRITY
Integrity reflects whether the message was tampered with in transit.
This is normally provided by digital signatures. I'm proposing a wax
seal, since that's commonly understood as a sign of integrity. An
intact seal means the message was properly signed; a broken seal means
the message has a bad signature; grayed-out means there was no signature.
7. RELIABILITY
Enigmail is a complicated piece of software with a lot of different
moving parts. We need to provide some way for users to get detailed
information about what went into each of these decisions. And it has to
be really easy, too.
8. PUTTING IT ALL TOGETHER
I propose replacing our current Enigmail bar in the Message View with an
"Enigmail Privacy Readout". Forget messages about "UNTRUSTED Good
Signature from..." etc. We reduce it down to three icons, representing
the status of the message privacy, the message accountability, and the
message integrity.
Clicking on an icon will bring up a window that contains a notebook
widget. One tab will read "Summary", and the other will read "Details".
For instance: if the user is alarmed by a Guy Fawkes mask ("no
accountability") and clicks on it, the Summary pane might read:
* This message claims to be from Robert J. Hansen
<[email protected]>
* There is no guarantee it's actually from this person
* If you're certain this message is from Robert J. Hansen
<[email protected]>, click 'Trust This Key' to have
Enigmail trust this key in the future.
In the Detail pane, we might see:
* This message was signed with a key whose fingerprint is:
[insert my fingerprint here]
* There is no valid trust path to the key
* TOFU mode disabled -- using classic Web of Trust
Etc., etc.
9. CLOSING REMARKS
Three icons, representing the three aspects of email security that users
care about: privacy, accountability, and integrity. It's simple, it
avoids a lot of technological nonsense, and with wise choices for icons
should be a lot easier for newcomers to understand.
10. THANKS TO
Harlo at IFF was invaluable, as was her Russian friend whose name I'm
currently blanking on. I was feverish and in full-on flu symptoms, but
they still were eager to hear these ideas. Her Russian friend in
particular encouraged me towards simplicity, and it's thanks to his
vigorous feedback that this system is as simple as it is.
_______________________________________________
enigmail-users mailing list
[email protected]
To unsubscribe or make changes to your subscription click here:
https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net
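As an added example (not code from either message, nor from Enigmail itself) of how the PAIR readout above could be derived from what Enigmail already parses, assuming the input is GnuPG's "[GNUPG:]" status-fd lines and treating a signature GnuPG cannot check (ERRSIG/NO_PUBKEY) as greyed out rather than broken:

```python
import re
from dataclasses import dataclass
# Keyword groups taken from GnuPG's documented "--status-fd" output.
GOOD_SIG, BAD_SIG = {"GOODSIG", "VALIDSIG"}, {"BADSIG"}
TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}
STATUS_RE = re.compile(r"\[GNUPG:\]\s+(\S+)(?:\s+(.*))?")

@dataclass(frozen=True)
class PairReadout:
    privacy: str         # "envelope" or "postcard"
    accountability: str  # "passport", "mask" or "mask-greyed"
    integrity: str       # "seal-intact", "seal-broken" or "seal-greyed"
    details: tuple       # lines for the "Details" pane
def pair_readout(status_lines):
    """Reduce GnuPG status lines to the three PAIR icons plus detail lines."""
    seen, details = {}, []
    for line in status_lines:
        m = STATUS_RE.match(line)
        if m:
            seen[m.group(1)] = m.group(2) or ""
    # Privacy: only a message that actually decrypted is shown as private.
    privacy = "envelope" if "DECRYPTION_OKAY" in seen else "postcard"
    # Integrity: the seal is lit only for a signature GnuPG verified.
    if seen.keys() & BAD_SIG:
        integrity = "seal-broken"
        details.append("The signature does not match the message content")
    elif seen.keys() & GOOD_SIG:
        integrity = "seal-intact"
        details.append("Signed with key fingerprint " + seen.get("VALIDSIG", "?").split(" ")[0])
    else:  # unsigned or unverifiable (ERRSIG/NO_PUBKEY); assumed greyed, not broken
        integrity = "seal-greyed"
        details.append("No verifiable signature on this message")
    # Accountability sits on top of integrity: a passport needs an intact seal
    # and a trusted key; an unsigned message greys the mask out, as Doug suggests.
    if integrity == "seal-intact" and seen.keys() & TRUSTED:
        accountability = "passport"
    elif integrity == "seal-greyed":
        accountability = "mask-greyed"
    else:
        accountability = "mask"
        if integrity == "seal-intact":
            details.append("There is no valid trust path to the signing key")
    return PairReadout(privacy, accountability, integrity, tuple(details))
# Constructed sample: encrypted, good but untrusted signature (what Enigmail
# today labels "UNTRUSTED Good signature from ...").
SAMPLE_UNTRUSTED = ["[GNUPG:] DECRYPTION_OKAY",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Robert J. Hansen <rjh@example.org>",
    "[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF01234567 2016-03-23 1458691200",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp"]
```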