Re: [Enigmail] No more "Untrusted Good Signature"s

2017-03-10 Thread ralph wozelka
Hello,

On 2015-12-10 17:50, Robert J. Hansen wrote:
>> I think the deadline for the proposal is now definitely over. Rob, do
>> you mind creating a bug that describes the conclusions of this for a
>> developer to implement?
> 
> Will do so by the weekend.  It'll be a monster bug, I warn you.
> 
> The nice thing about leaving this open for so long: nobody's going to be
> able to claim we didn't consult the community and leave it open for
> discussion.  ;)

I checked the bug tracker on sf.net: am I assuming correctly that the
discussion's outcome has not made it into a feature request yet? :-)

If it did, it would be fantastic to get access! (there is humanpower
around engaging in development ;) )

thx!
cheers,
ralph



___
enigmail-users mailing list
enigmail-users@enigmail.net
To unsubscribe or make changes to your subscription click here:
https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net


Re: [Enigmail] No more "Untrusted Good Signature"s

2015-12-10 Thread Patrick Brunschwig
On 23.09.15 22:54, Patrick Brunschwig wrote:
> On 23.09.15 22:03, Robert J. Hansen wrote:
>>> ...but still maintain that there is a functional difference 
>>> between no signature (nothing to see here; move along) and
>>> failed or faked signature.  Either of the latter may need to
>>> be investigated.  The former need not be, unless you were 
>>> *expecting* a signature and didn't get it.
> 
>> I'd very much like for this discussion to continue, but I also
>> want some finality to the discussion, too, so that Patrick can
>> have a fixed target to implement (instead of trying to make it
>> match an ever-changing discussion).  It's really easy for good
>> discussions to turn into bikeshedding arguments: at some time the
>> points have all been made and a decision needs to be reached.
> 
>> So.  Assuming for the moment the power of moderating this 
>> discussion -- I think we should aim for, shall we say, October 1
>> to close this?  On October 1 I write up a sense-of-the-list, give
>> it to Nico and Patrick, and then we call it done until/unless
>> someone can come up with new and compelling arguments?
> 
> I'm fine with this approach. I'd suggest that once the deadline is 
> over, you create a bug that describes the conclusions.

I think the deadline for the proposal is now definitely over. Rob, do
you mind creating a bug that describes the conclusions of this for a
developer to implement?

Thanks a lot

-Patrick



Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-23 Thread Anne Wilson
On 23/09/2015 10:07, Ludwig Hügelschäfer wrote:
> On 23.09.15 10:53, Anne Wilson wrote:
>> On 22/09/2015 19:43, Doug Barton wrote:
>>> On 9/22/15 11:30 AM, Patrick Brunschwig wrote:
>>>> The state doesn't depend on whether the key is expired or
>>>> revoked _today_. What matters is whether the key was valid at
>>>> the time of signature creation.
>> 
>>> ... unless the key was revoked because it was compromised.
>> 
>> The Details box tells me that part of it was signed by an
>> untrusted good signature from Douglas Barton.
>> 
>> OK - I understand - I think.  But a new user?  Part of the
>> message? What part?
> 
> Enigmail shows the following markers:
> 
> | * *BEGIN ENCRYPTED or SIGNED PART* * | (...) |
> ** *END ENCRYPTED or SIGNED PART* **
> 
I've seen similar, though I can't recall exactly how/where :-)  Call it
a senior moment.  Anyway, I read in Thunderbird, and what I see is the
attached.  (If the attachment is too big I'll put it elsewhere - I don't
have much in the way of image editing installed.)

> Anything between is part of the signature. Anything else is not 
> protected by the OpenPGP-signature (including the message headers!).
> 
>> Why part?
> 
> Because the mailing list software automatically adds the following
> footer:
>> ___ enigmail-users
>> mailing list enigmail-users@enigmail.net To unsubscribe or make
>> changes to your subscription click here: 
>> https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net
>
> This is not part of Dougs message when sent and therefore cannot be
> part of his signature.
> 
Makes sense.  In the older times I have seen some mailing list footers
completely invalidate signatures.  On one mailing list I stopped signing
because over and over people asked why they were seeing "bad signature".

Anne


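Ludwig's point above, that only the text between the BEGIN/END markers is protected and that the list footer and the message headers fall outside it, in code. This is an added example, not Enigmail's own code: it takes a clearsigned message laid out as in RFC 4880 section 7 and returns the region the signature covers separately from the regions it does not. The sample message, its addresses and its signature value are constructed for the example.

```python
"""Separate what an OpenPGP cleartext signature covers from what it does not.

Added example, not Enigmail code. Layout follows RFC 4880 section 7:
armor header, blank line, dash-escaped signed text, signature armor."""

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed sample: a clearsigned reply after the list software appended
# its footer. Addresses are made up and the signature value is a dummy.
SAMPLE_MESSAGE = """\
From: doug@example.org
Subject: Re: key states
Date: Tue, 22 Sep 2015 11:43:00 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

The state doesn't depend on whether the key is expired or
revoked today.
- -Doug
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJWAmibAAoJEDUMMYSIGNATUREDATA0000000000000000000000
=AbCd
-----END PGP SIGNATURE-----

___
enigmail-users mailing list
enigmail-users@enigmail.net
"""


def split_clearsigned(raw: str) -> dict:
    """Return the regions of a clearsigned message.

    'signed_text' is the only text the signature covers. 'unsigned_before'
    (the headers and anything ahead of the armor) and 'unsigned_after'
    (anything appended later, such as a list footer) can be altered without
    invalidating the signature, so a verifier must show them as unprotected.
    """
    lines = raw.replace("\r\n", "\n").split("\n")
    try:
        start = lines.index(BEGIN_SIGNED)
        sig_start = lines.index(BEGIN_SIG, start)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError as exc:
        raise ValueError("not a clearsigned message") from exc

    # Armor headers ("Hash: SHA256") run until the first empty line.
    hash_algos, i = [], start + 1
    while i < sig_start and lines[i] != "":
        if lines[i].startswith("Hash:"):
            hash_algos = [h.strip() for h in lines[i][len("Hash:"):].split(",")]
        i += 1
    i += 1  # skip the blank separator

    # Undo dash-escaping: a signed line beginning with '-' was sent as '- -...'.
    signed = [l[2:] if l.startswith("- ") else l for l in lines[i:sig_start]]

    return {
        "unsigned_before": "\n".join(lines[:start]),
        "hash_algos": hash_algos,
        # The line ending right before the signature armor is not signed.
        "signed_text": "\n".join(signed),
        "signature_armor": "\n".join(lines[sig_start:sig_end + 1]),
        "unsigned_after": "\n".join(lines[sig_end + 1:]),
    }


def unprotected_report(raw: str) -> list:
    """Non-empty lines the signature does not cover, labelled by position."""
    layout = split_clearsigned(raw)
    before = [l for l in layout["unsigned_before"].split("\n") if l]
    after = [l for l in layout["unsigned_after"].split("\n") if l]
    return ([f"before signed part: {l}" for l in before]
            + [f"after signed part: {l}" for l in after])


if __name__ == "__main__":
    for line in unprotected_report(SAMPLE_MESSAGE):
        print(line)
```

Run it and every header line and every footer line comes out as unprotected; only the body between the armor lines, with the dash-escape removed, is what the signature speaks for.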


Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-23 Thread LeRoy
On 09/22/2015 03:22 PM, Olav Seyfarth wrote:
> Patrick wrote:
>> The state should depend on whether the key was valid at the time
>>  of signature creation.
> 
> True, but if we change to that, we rely on a (non-signed) header to
> deduce the date.
> 
> Olav

It is my impression that part of the signature contains the time stamp
of the signer's computer.

When you use gpg --verify filename on a signed file or a detached
signature you see a plethora of information including whether the
signature verifies or not.

gpg: Signature made Sat 28 Jun 2014 12:48:22 PM EDT using RSA key ID...

Enigmail should not rely on an email header date when verifying a
signature, since the time of signing the email and sending it could be different.


-- 
 Rev. LeRoy D. Cressy  mailto:le...@lrcressy.com   /\_/\
   http://lrcressy.com( o.o )
   > ^ <
   Cell Phone:  267-307-3527

See My posts on facebook and googleplus

Open PGP Key: C34B77CC
gpg fingerprint:  8AD5 35EF 1FDF F1A7 E483  8CCE A50D 4E81 C34B 77CC

For info on enigmail:http://enigmail.mozdev.org/
For info on gpg: http://www.gnupg.org/

Jesus saith unto him, I am the way, the truth, and the life:
no man cometh unto the Father, but by me. (John 14:6)



Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-23 Thread Mike Acker


On 09/22/2015 05:59 PM, Robert J. Hansen wrote:
{ snip }
>> it is critical not to cripple this thing by trying to make things too
>> automatic.   we'll end up like SSL/TLS
> By which you mean, what -- we'll become a largely-invisible and
> largely-effective part of the information security ecosystem that's
> responsible for securing billions of dollars a day, and on balance does
> it surprisingly well?
>
> Man, I *hope* we wind up like TLS.  :)
yuk
ssl/tls is a mess: they pass out x.509 certificates like fliers at the
fair and there is no way to tell which are right and which are fake just
by looking at them. Everyone is told "don't worry; be happy; your CA
has your back".

but as we know now counterfeits have been introduced into their system
and this is successful because users do not vet their x.509
certificates. it is certainly the case not everyone will want to vet
their x.509 certificates so a configurable option should be made
available. but it isn't. and we don't want to end up like ssl/tls:
we want to be able to retain control over what has been authenticated
and what is un-trusted.

-- 
/Mike






Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-23 Thread Matthew Woehlke
On 2015-09-22 14:30, Patrick Brunschwig wrote:
> I think that expired and revoked are mostly irrelevant, and actually 
> ill displayed in Enigmail today. The state doesn't depend on whether
> the key is expired or revoked _today_. What matters is whether the
> key was valid at the time of signature creation.

For *signing*, yes. For *encryption*... then it gets a bit weird.

Encryption with a revoked key should be flagged as a problem *no matter
what*, even for old messages. If the key was revoked because it was
compromised, then any messages sent with that key are potentially
readable by an attacker, regardless if they were sent before the key was
revoked.

Encryption with an expired key is more debatable; expiration doesn't
necessarily mean that the key is compromised, but it also doesn't
necessarily mean that it isn't.

It's probably easiest to show IA state based on the state of the keys
when the message was sent, and show P state based on the *current* state
of the keys.

(There really ought to be a user-adjustable revocation date when
revoking a key, so that one can identify the time at which a key became
compromised.)

-- 
Matthew


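One way to encode the rule Patrick and Matthew describe above (signature state judged by the key's validity at signing time, encryption state judged by the key's state now), as an added example that is neither Enigmail nor GnuPG behaviour. It carries the caveat the rule needs for compromised keys: the creation time is chosen by whoever holds the private key and can be backdated, so a compromise revocation cannot be limited by timestamp. The key records and the revocation-reason constants' use here are constructed for the example.

```python
"""Judge an OpenPGP key's state for a signature at *signing* time and for
encryption at *reading* time, as proposed in the thread.

Added example, not Enigmail or GnuPG code. Key records are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Reason-for-revocation codes, RFC 4880 section 5.2.3.23
REASON_NONE, REASON_SUPERSEDED, REASON_COMPROMISED, REASON_RETIRED = 0, 1, 2, 3


def utc(iso: str) -> datetime:
    """'2014-06-28T16:48:22' -> aware UTC datetime."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


@dataclass
class KeyRecord:
    created: datetime
    expires: Optional[datetime] = None
    revoked_at: Optional[datetime] = None
    revocation_reason: Optional[int] = None

    @property
    def compromised(self) -> bool:
        return self.revoked_at is not None and self.revocation_reason == REASON_COMPROMISED


def signature_key_state(key: KeyRecord, signed_at: datetime) -> str:
    """Key state at the signature's creation time (the time carried inside
    the signature, not the Date: header).

    A compromise revocation taints every signature, however early its
    timestamp, because whoever holds the private key picks that timestamp.
    Other revocation reasons and expiry only affect signatures dated after
    the event.
    """
    if key.compromised:
        return "untrusted: key compromised"
    if signed_at < key.created:
        return "invalid: signed before key creation"
    if key.revoked_at is not None and signed_at >= key.revoked_at:
        return "invalid: signed after revocation"
    if key.expires is not None and signed_at >= key.expires:
        return "invalid: signed after expiry"
    return "valid"


def encryption_key_state(key: KeyRecord, now: datetime) -> str:
    """Key state judged now: a key that leaked later exposes every message
    ever encrypted to it, no matter when the message was sent."""
    if key.compromised:
        return "exposed: key compromised"
    if key.revoked_at is not None and now >= key.revoked_at:
        return "warn: key revoked"
    if key.expires is not None and now >= key.expires:
        return "warn: key expired"
    return "ok"


# Constructed sample keys: one live, one retired cleanly, one revoked as compromised.
SAMPLE_KEYS = {
    "live": KeyRecord(created=utc("2013-01-01T00:00:00"), expires=utc("2016-01-01T00:00:00")),
    "retired": KeyRecord(created=utc("2013-01-01T00:00:00"),
                         revoked_at=utc("2015-09-01T00:00:00"), revocation_reason=REASON_RETIRED),
    "leaked": KeyRecord(created=utc("2013-01-01T00:00:00"),
                        revoked_at=utc("2015-09-01T00:00:00"), revocation_reason=REASON_COMPROMISED),
}

if __name__ == "__main__":
    signed = utc("2014-06-28T16:48:22")
    now = utc("2015-09-23T12:00:00")
    for name, key in SAMPLE_KEYS.items():
        print(f"{name:8} signature: {signature_key_state(key, signed):36} "
              f"encryption: {encryption_key_state(key, now)}")
```

The retired key shows the split the thread is after: a signature it made before retirement still reads as valid, while encrypting to it today draws a warning. The leaked key shows why the reason code matters: both columns turn red regardless of dates.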


Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-23 Thread Robert J. Hansen
> ssl/tls is a mess: they pass out x.509 certificates like fliers at the
> fair and there is no way to tell which are right and which are fake just
> by looking at them. Everyone is told "don't worry; be happy; your CA
> has your back"

Sure.  But where is this a flaw of TLS?  It isn't TLS's fault the
browser vendors trust too many CAs, or unreliable CAs.  Your objections
boil down to, "OS vendors and browser manufacturers give trust to CAs
that are not trustworthy, and end-users don't validate certificates."
Both of which are true, and neither of which has anything to do with TLS.

> available.   but it isn't .   and we don't want to end up like ssl/tls:
> we want to be able to retain control over what has been authenticated
> and what is un-trusted .

You might.  Other people might not.  Remember that the Web of Trust is
completely compatible with a CA-style approach.  It was specifically
designed that way.





Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-23 Thread Robert J. Hansen
> the flaw is in assigning FULL trust to the CA without the user's
> permission.

Might want to bring this up on GnuPG-Users, then, since a future version
of GnuPG is going to switch from WoT to TOFU, and that's *exactly* what
you're talking about here.





Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-23 Thread Daniel Kahn Gillmor
On Tue 2015-09-22 12:22:03 -0700, Olav Seyfarth  wrote:
> Patrick wrote:
>> The state should depend on whether the key was valid at the time
>> of signature creation.
>
> True, but if we change to that, we rely on a (non-signed) header to
> deduce the date.

OpenPGP signatures have timestamps in them that are covered by the
cryptographic signature.  This timestamp may or may not align with the
Date: header in the signed e-mail, but that's all the more reason to
use Memory-Hole-style protected e-mail headers.

--dkg

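The point LeRoy and dkg make above, that the "Signature made ..." time lives inside the signature packet and is covered by the signature while the Date: header is not, as an added example (not Enigmail or GnuPG code). It parses a v4 OpenPGP signature packet per RFC 4880 section 5.2.3 and takes the creation time only from the hashed subpacket area, which is the part the signature protects; a creation time planted in the unhashed area is ignored. The sample packet, its issuer key ID and its signature value are constructed dummies, so nothing here verifies a signature, it only reads the signed metadata.

```python
"""Pull the creation time out of an OpenPGP v4 signature packet.

Added example, not Enigmail or GnuPG code. The packet builder exists only
to construct test input; its signature value is a dummy."""
import struct
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SIG_CREATION_TIME = 2   # subpacket type, RFC 4880 5.2.3.4
ISSUER = 16             # subpacket type, RFC 4880 5.2.3.5
SIGNATURE_TAG = 2       # packet tag


def utc(iso: str) -> datetime:
    """'2014-06-28T16:48:22' -> aware UTC datetime."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def _read_subpackets(area: bytes) -> list:
    """(type, body) for each subpacket in a subpacket area (5.2.3.1)."""
    out, i = [], 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        ptype = area[i] & 0x7F          # bit 7 is the "critical" flag
        out.append((ptype, area[i + 1:i + length]))
        i += length
    return out


def parse_signature_packet(packet: bytes) -> dict:
    """Metadata of a v4 signature packet with a one-octet body length.

    Only the hashed subpacket area is covered by the signature, so the
    creation time is read from there alone. The issuer key ID is a lookup
    hint and may legitimately sit in the unhashed area.
    """
    tag = packet[0]
    if tag & 0xC0 == 0xC0:                                   # new-format header
        if tag & 0x3F != SIGNATURE_TAG or packet[1] >= 192:
            raise ValueError("not a short new-format signature packet")
    elif tag & 0x80:                                         # old-format header
        if (tag >> 2) & 0x0F != SIGNATURE_TAG or tag & 0x03 != 0:
            raise ValueError("not a one-octet-length old-format signature packet")
    else:
        raise ValueError("bad packet header")
    body = packet[2:2 + packet[1]]
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    sig_type, pk_algo, hash_algo = body[1], body[2], body[3]
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    pos = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    unhashed = body[pos + 2:pos + 2 + unhashed_len]

    created = issuer = None
    for ptype, val in _read_subpackets(hashed):
        if ptype == SIG_CREATION_TIME:
            created = datetime.fromtimestamp(struct.unpack(">I", val)[0], tz=timezone.utc)
        elif ptype == ISSUER:
            issuer = val.hex().upper()
    if issuer is None:
        issuer = next((v.hex().upper() for t, v in _read_subpackets(unhashed) if t == ISSUER), None)
    if created is None:
        raise ValueError("no hashed signature creation time")
    return {"sig_type": sig_type, "pk_algo": pk_algo, "hash_algo": hash_algo,
            "created": created, "issuer": issuer}


def date_header_skew_seconds(created: datetime, date_header: str) -> float:
    """Seconds between the signed creation time and the unsigned Date: header.
    A large value says the header is off, not that the signature is."""
    return (parsedate_to_datetime(date_header) - created).total_seconds()


def _subpacket(ptype: int, body: bytes) -> bytes:
    return bytes([len(body) + 1, ptype]) + body


def build_sample_signature(created: datetime, unhashed_created: datetime = None) -> bytes:
    """Constructed sample: RSA/SHA-256 canonical-text signature with a dummy
    MPI and a made-up issuer key ID. `unhashed_created`, if given, plants a
    second creation time in the unprotected area to show it is ignored."""
    hashed = _subpacket(SIG_CREATION_TIME, struct.pack(">I", int(created.timestamp())))
    unhashed = _subpacket(ISSUER, bytes.fromhex("0123456789ABCDEF"))   # dummy key ID
    if unhashed_created is not None:
        unhashed += _subpacket(SIG_CREATION_TIME, struct.pack(">I", int(unhashed_created.timestamp())))
    body = (bytes([4, 0x01, 1, 8])                           # v4, type 0x01, RSA, SHA-256
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\x12\x34"                                    # left 16 bits of hash (dummy)
            + b"\x00\x10\x9a\xbc")                           # dummy 16-bit MPI
    return bytes([0xC0 | SIGNATURE_TAG, len(body)]) + body   # new-format header


if __name__ == "__main__":
    sig = parse_signature_packet(build_sample_signature(utc("2014-06-28T16:48:22")))
    print("Signature made", sig["created"].strftime("%a %d %b %Y %H:%M:%S UTC"),
          "using key ID", sig["issuer"][-8:])
```

The second sample in the test plants a 2015 creation time in the unhashed area next to the signed 2014 one; the parser keeps reporting 2014, which is the behaviour a verifier needs if the displayed time is to mean anything.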


Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-23 Thread Daniel Kahn Gillmor
On Sat 2015-09-19 20:06:39 -0700, "Robert J. Hansen"  
wrote:
>   * *Privacy* is a binary state: yes the message was private
> (encrypted), or no it was not.
>   * *Authenticity* is also a binary state: we are confident the message
> is authentic, or we are not.
>   * *Identity* is also a binary state: we are confident it came from the
> specified person, or we are not.

The term "authenticity" usually refers to the provenance of something,
or to its origin, at least among the english-speakers i talk to.  I
think the term "integrity" is a closer match to the question "has
something been tampered with or not?"

"authenticity" is also related to the term "authentication", which
refers to establishing someone's identity.

"privacy" is also multiply-defined: for example, for many people,
"privacy" refers to the ability to hide relationships and activity from
someone snooping -- OpenPGP doesn't provide any protection for this sort
of metadata.  Confidentiality is a clearer, narrower word that more
accurately describes the sort of guarantees that OpenPGP tries to
provide.

The triad OpenPGP claims to offer for messages is:

 * message confidentiality (could anyone else have read its contents?)

 * message integrity (was it tampered with?)
 
 * message authenticity (do we know for sure that it came from the
   supposed sender?)

But OpenPGP systems (GnuPG in particular) also offer information ("User
ID validity") about the certificates that hold keying material as well
-- this is tied to the authenticity question, and we have not done a
great job of either:

 (a) explaining how GnuPG understands and models User ID validity, and

 (b) helping users to interact with GnuPG's User ID validity model to
 make GnuPG better reflect the users' actual conception of which key
 belongs to which person they correspond with.

It seems like GnuPG's upcoming work on TOFU might help with (b) at
least, if projects like enigmail can give it a good UI/UX shim.

Other representations of the keyring might also be helpful, as well as
integrating keyring management with the addressbook.

I'm glad we're having these sorts of discussions -- we need them!  But i
think it smells like trouble to use the term "authentic" to mean
"integrity-protected" or the term "private" to mean "confidential".

 --dkg



Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-23 Thread Daniel Kahn Gillmor
On Sun 2015-09-20 11:13:36 -0700, Phil Stracchino  wrote:
> A failed or invalid signature is *cryptographically* equivalent to no
> signature; but it is not *functionally* equivalent.  Because a failed
> or invalid signature means that the sender *tried* to authenticate the
> message, implying that it may have been important to do so.

But it doesn't mean this either.  a failed or invalid signature could
also mean that someone else (an attacker) tried to convince you that the
supposed sender did something, even though you have no idea what it is.

I'm with Robert here on the idea that we should not strive to provide a
strong visual distinction between "bad signature" and "no signature" --
they offer the same level of cryptographic assurance.  If we provide
scary UI that says "signature failed, consider checking with the sender"
and nothing scary when there is no signature at all, then an attacker
who tampers with the message can just strip all indications of a
signature before sending it on to avoid triggering the scary UI.

  --dkg



Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-23 Thread Daniel Kahn Gillmor
On Sun 2015-09-20 05:38:06 -0700, Mike Acker  wrote:
> if you want a third light it could be for the trust level established
> for the senders key:

Please do not confuse the "ownertrust" (which answers the question "am i
willing to rely on identity certifications made by this key?") with any
belief that the keyholder is "trustworthy" in some other sense.  My
friend Alice might be trustworthy in terms of certifying identities
reliably, but she might be a terrible person to rely on to bake a
delicious cake or to write a sensible e-mail.

The user's current task when reading an e-mail is reading e-mail.
Displaying the ownertrust of the keyholder that signed a given e-mail is
a distraction from the user's current task and really has no place in
the default UI.

  --dkg



Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-23 Thread Matthew Woehlke
On 2015-09-23 14:17, Robert J. Hansen wrote:
> I already don't like "authenticity", so you'll have an easy time with
> this one.  I'm not sure "integrity" is a better alternative, though.
> From Google:
> 
> "Integrity: (n) 1. the quality of being honest and having strong moral
> principles; moral uprightness. 2. the state of being whole and undivided."
> 
> dictionary.reference.com gives these three: "1. adherence to moral and
> ethical principles; soundness of moral character; honesty.  2. the state
> of being whole, entire, or undiminished.  3. a sound, unimpaired, or
> perfect condition."

Wiktionary:

2. The state of being wholesome; unimpaired
3. The quality or condition of being complete; pure
4. (cryptography) With regards to data encryption, ensuring that
information is not altered by unauthorized persons in a way that is not
detectable by authorized users.

Now I realize the point of this exercise is to use a *non*-technical
term... but still...

That said, wiktionary defines authenticity as:

1. The quality of being genuine or not corrupted from the original.

-- 
Matthew




Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-23 Thread Daniel Kahn Gillmor
On Wed 2015-09-23 13:28:05 -0400, Robert J. Hansen wrote:
>> the flaw is in assigning FULL trust to the CA without the user's
>> permission.
>
> Might want to bring this up on GnuPG-Users, then, since a future version
> of GnuPG is going to switch from WoT to TOFU, and that's *exactly* what
> you're talking about here.

I think the plan isn't to enforce a switch from the classic GnuPG trust
model to TOFU, but to offer TOFU as a mechanism that can augment the
classic GnuPG trust model.

At any rate, TOFU is definitely *not* the X.509 CA model.

   --dkg



Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-23 Thread Robert J. Hansen
> That said, wiktionary defines authenticity as:
> 
> 1. The quality of being genuine or not corrupted from the original.

Yep, which is why as much as I dislike a five-syllable word it seems to
me (IMO) to be the best option right now.

"Fidelity" would also work and save us a syllable, but it's a more
exotic word, so I'm not sure that's a shift that would help us much.

"Validity" would be best (in the plain English sense of the word), but
that phrase has been so corrupted in the OpenPGP community that it's
best avoided altogether, I think...




Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-23 Thread Anne Wilson
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 22/09/2015 19:43, Doug Barton wrote:
> On 9/22/15 11:30 AM, Patrick Brunschwig wrote:
>> The state doesn't depend on whether the key is expired or
>> revoked _today_. What matters is whether the key was valid at the
>> time of signature creation.
> 
> ... unless the key was revoked because it was compromised.
> 
The Details box tells me that part of it was signed by an untrusted
good signature from Douglas Barton.

OK - I understand - I think.  But a new user?  Part of the message?
What part?  Why part?  Then there's the "untrusted good signature"
which has already had a long discussion.

Anne

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlYCaJsACgkQj93fyh4cnBekewCfUrcREYGSKSiTbODwrfngfd+C
RKUAoIF7q8M/XTKRV/iUc1TOC8fGWRWk
=vXxY
-----END PGP SIGNATURE-----



Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-23 Thread Robert J. Hansen
> The term "authenticity" usually refers to the provenance of something,
> or to its origin, at least among the english-speakers i talk to.

I already don't like "authenticity", so you'll have an easy time with
this one.  I'm not sure "integrity" is a better alternative, though.
From Google:

"Integrity: (n) 1. the quality of being honest and having strong moral
principles; moral uprightness. 2. the state of being whole and undivided."

dictionary.reference.com gives these three: "1. adherence to moral and
ethical principles; soundness of moral character; honesty.  2. the state
of being whole, entire, or undiminished.  3. a sound, unimpaired, or
perfect condition."

Neither reference suggests that integrity is a better choice.  Among
computer security geeks, yes, integrity clearly is the right word to
use; but we have to be careful to speak to regular users in regular
English, not our jargon-heavy security dialect.

But that said, yes, I would love to find an improvement over
authenticity!  :)

(Why do I dislike "authenticity"?  Because it's five syllables long.  A
good principle in UX design is to use shorter words whenever possible:
they frighten people less.  Look at the Thunderbird mail compose window.
 "File", "Edit", "View", "Options", "Enigmail", "Tools", "Help", "Send",
"Spelling", "Attach", "Save", "From", "To", "Subject".  The longest word
in the UI is Enigmail at three syllables.)

> "authenticity" is also related to the term "authentication", which
> refers to establishing someone's identity.

I've never heard anyone outside of the computer security community use
the word "authentication", even in law-enforcement.  When a cop asks me
for my driver's license he says "identify yourself," not "authenticate
yourself".  When sysadmins ask me to authenticate myself to the system,
they usually just tell me to login.  :)

> Confidentiality is a clearer, narrower word that more
> accurately describes the sort of guarantees that OpenPGP tries to
> provide.

Seven syllables.  "Privacy" is three.  If I could find a two-syllable
word, I'd use it.



Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-23 Thread Mike Acker
I agree. It is critical that good terminology be adopted and then held
constant so that people can learn to use it.

Historically IT had a bad habit of constantly trying new words in their
attempt to communicate with the un-initiated. That made matters worse:
people will get hip in their own due time.

On 09/23/2015 04:03 PM, Robert J. Hansen wrote:
>> ...but still maintain that there is a functional difference between no
>> signature (nothing to see here; move along) and failed or faked
>> signature.  Either of the latter may need to be investigated.  The
>> former need not be, unless you were *expecting* a signature and didn't
>> get it.
>
> I'd very much like for this discussion to continue, but I also want some
> finality to the discussion, too, so that Patrick can have a fixed target
> to implement (instead of trying to make it match an ever-changing
> discussion).  It's really easy for good discussions to turn into
> bikeshedding arguments: at some time the points have all been made and a
> decision needs to be reached.
>
> So.  Assuming for the moment the power of moderating this discussion --
> I think we should aim for, shall we say, October 1 to close this?  On
> October 1 I write up a sense-of-the-list, give it to Nico and Patrick,
> and then we call it done until/unless someone can come up with new and
> compelling arguments?

-- 
/Mike



Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-23 Thread Phil Stracchino
On 09/23/15 17:04, Robert J. Hansen wrote:
> It's because, 99.9% of the time, a bad signature doesn't mean a hostile
> adversary -- it means a noisy network.  It means an MTA may have mangled
> a PGP/MIME attachment, it means a cosmic ray flipped a bit, whatever.

The former of which is enormously more likely than the latter...   :)

(Since a cosmic bit-flip is likely to affect only a single message,
while a misconfigured MTA will most likely mangle every susceptible
message that passes through it.)

> I need to think about this some.  I think you're right, but not for the
> reasons you set out.  I think the functional difference comes from what
> a bad signature can tell us about the traffic channel itself -- not what
> it tells us about the traffic.

I wasn't thinking about "what it tells us about the traffic" so much as
"even a failed signature conveys information about the sender's intent".
 Whatever the reason for the failure.  But your point about it telling
us about failures in the traffic channel is well made.


-- 
  Phil Stracchino
  Babylon Communications
  ph...@caerllewys.net
  p...@co.ordinate.org
  Landline: 603.293.8485





Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-23 Thread Mike Acker
Having spent 30 years in the US Army Signal Corps I can tell you that
when you challenge someone to "Authenticate" you want them to prove they
are who they say they are.

Authenticate is the right word.

On 09/23/2015 03:16 PM, Robert J. Hansen wrote:
>> That said, wiktionary defines authenticity as:
>>
>> 1. The quality of being genuine or not corrupted from the original.
>
> Yep, which is why as much as I dislike a five-syllable word it seems to
> me (IMO) to be the best option right now.
>
> "Fidelity" would also work and save us a syllable, but it's a more
> exotic word, so I'm not sure that's a shift that would help us much.
>
> "Validity" would be best (in the plain English sense of the word), but
> that phrase has been so corrupted in the OpenPGP community that it's
> best avoided altogether, I think...

-- 
/Mike






Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-23 Thread Robert J. Hansen
> ...but still maintain that there is a functional difference between no
> signature (nothing to see here; move along) and failed or faked
> signature.  Either of the latter may need to be investigated.  The
> former need not be, unless you were *expecting* a signature and didn't
> get it.

You know, Phil, I wrote up a long email explaining why I disagreed, and
along the way realized why I agree.  But it's not for the reasons you
specified.

It's because, 99.9% of the time, a bad signature doesn't mean a hostile
adversary -- it means a noisy network.  It means an MTA may have mangled
a PGP/MIME attachment, it means a cosmic ray flipped a bit, whatever.

I don't like the language "bad signature" because people tend to leap
straight to believing Vladimir Putin is reading their emails.  The
Russian Foreign Intelligence Service isn't going to be tampering with
your email and leaving a bad signature on it -- they're going to remove
the signature altogether.  So a bad signature is, in reality, a *really
really awful* way of detecting malicious interference.  And that's what
motivates me to say that, from an attack perspective, we shouldn't draw
much distinction between no signature and a bad signature.

But the information that "the network is mangling things" might be
really useful, particularly for PGP/MIME, which is prone to
network-mangling.

I need to think about this some.  I think you're right, but not for the
reasons you set out.  I think the functional difference comes from what
a bad signature can tell us about the traffic channel itself -- not what
it tells us about the traffic.



Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-23 Thread Robert J. Hansen
> ...but still maintain that there is a functional difference between no
> signature (nothing to see here; move along) and failed or faked
> signature.  Either of the latter may need to be investigated.  The
> former need not be, unless you were *expecting* a signature and didn't
> get it.

I'd very much like for this discussion to continue, but I also want some
finality to the discussion, too, so that Patrick can have a fixed target
to implement (instead of trying to make it match an ever-changing
discussion).  It's really easy for good discussions to turn into
bikeshedding arguments: at some time the points have all been made and a
decision needs to be reached.

So.  Assuming for the moment the power of moderating this discussion --
I think we should aim for, shall we say, October 1 to close this?  On
October 1 I write up a sense-of-the-list, give it to Nico and Patrick,
and then we call it done until/unless someone can come up with new and
compelling arguments?





Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-23 Thread Robert J. Hansen

> authenticate is the right word.

If we were in the Army, I'd agree. I'd also insist we start calling OpenPGP's 
cipher feedback mode by its Signal Corps term: it's ciphertext autokey mode, 
dammit. :)


Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-23 Thread Ian Mann
On 24/09/2015 6:54 AM, Patrick Brunschwig wrote:
> I'm fine with this approach. I'd suggest that once the deadline is
> over, you create a bug that describes to conclusions.

As a non-technically-minded user I would like a conclusion and summary so I can
understand where this is heading, once this discussion is finalised.

Ian



Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-22 Thread Matthew Woehlke
On 2015-09-22 13:18, Robert J. Hansen wrote:
> When processing a message for which there's no corresponding
> certificate, Enigmail should try and fetch the certificate
> automagically.  If successful, great.  90% or more of the time it'll
> succeed, and thus 90% of this problem goes away.
> 
> If the message is signed, there's no local copy of the sender's public
> key, and it can't be found on the keyservers -- then that's a critical
> and unrecoverable problem, and gets the big red X.

Hmm... I feel like this has come up before, and there have been noises
made by people that don't want keys to be fetched automatically.
Similarly, some people may not upload their keys to public servers.

That said, maybe it's okay using the same icon for an invalid signature
as for a signature that can't be verified.

-- 
Matthew




Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-22 Thread Patrick Brunschwig


- Original Message -
From: Matthew Woehlke <mwoehlke.fl...@gmail.com>
Sent: 22.09.2015 - 16:43
To: enigmail-users@enigmail.net
Subject: Re: [Enigmail] No more "Untrusted Good Signature"s

> On 2015-09-21 17:28, Mike Acker wrote:
>> On 2015-09-21 16:57, Robert J. Hansen wrote:
>>> Privacy: a lock.  If the message was encrypted, the lock icon is in
>>> color; if it wasn't, the icon is grayed-out; if it was encrypted to an
>>> expired certificate, the lock icon is in color but has a red X over it.
>
> ("Expired *or revoked*"?)

I think that expired and revoked are mostly irrelevant, and actually ill
displayed in Enigmail today. The state doesn't depend on whether the key is
expired or revoked _today_. What matters is whether the key was valid at the
time of signature creation.

-Patrick


Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-22 Thread Matthew Woehlke
On 2015-09-21 17:28, Mike Acker wrote:
> On 2015-09-21 16:57, Robert J. Hansen wrote:
>> Privacy: a lock.  If the message was encrypted, the lock icon is in
>> color; if it wasn't, the icon is grayed-out; if it was encrypted to an
>> expired certificate, the lock icon is in color but has a red X over it.

("Expired *or revoked*"?)

> the element you are missing is:
> 
>* message is signed
>* no local copy of sender's Public Key
>* what action do you want to take ?

As much as I'm inclined to agree with limiting the number of states,
it's hard to argue this point. What about a pen with '?' over it?

-- 
Matthew


___
enigmail-users mailing list
enigmail-users@enigmail.net
To unsubscribe or make changes to your subscription click here:
https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net


Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-22 Thread Mike Acker
i disagree with this:
  1. i might not want to download the key: the message may be in the
     "macht nichts" category
  2. there are 3 options available to the user:
     2a do nothing
     2b try to get the key from the keyserver (which keyserver, btw)
     2c ask the sender to send his|her key

it is critical not to cripple this thing by trying to make things
too automatic.   we'll end up like SSL/TLS

i like the idea of a pen with a ? mark over it for those messages
which are signed but for which we do not have a local copy of the
sender's public key

On 09/22/2015 01:18 PM, Robert J. Hansen wrote:
>> ("Expired *or revoked*"?)
>
> My list wasn't meant to be comprehensive.
>
> The red-X would mean "there is a critical and unrecoverable problem,
> click for more details."
>
>>> the element you are missing is:
>>>
>>>  * message is signed
>>>  * no local copy of sender's Public Key
>>>  * what action do you want to take ?
>>
>> As much as I'm inclined to agree with limiting the number of states,
>> it's hard to argue this point. What about a pen with '?' over it?
>
> When processing a message for which there's no corresponding
> certificate, Enigmail should try and fetch the certificate
> automagically.  If successful, great.  90% or more of the time it'll
> succeed, and thus 90% of this problem goes away.
>
> If the message is signed, there's no local copy of the sender's public
> key, and it can't be found on the keyservers -- then that's a critical
> and unrecoverable problem, and gets the big red X.

-- 
/Mike


Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-22 Thread Robert J. Hansen
> 1. i might not want to download the key: the message may be in the
> "macht nichts" category

So you disable the auto-download in the configuration menu.

> 2. there are 3 options available to the user:

And they can all be taken care of once the user expresses enough
interest in the signature to find out what the problem is.

> 2b try to get the key from the keyserver( which keyserver, btw )

Whichever one they've configured Enigmail to use.  We've had a keyserver
setting for years.

> it is critical not to cripple this thing by trying to make things too
> automatic.   we'll end up like SSL/TLS

By which you mean, what -- we'll become a largely-invisible and
largely-effective part of the information security ecosystem that's
responsible for securing billions of dollars a day, and on balance does
it surprisingly well?

Man, I *hope* we wind up like TLS.  :)

> i like the idea of a pen with a ? mark over it for those messages which
> are signed but for which we do not have a local copy of the sender's
> public key

I don't.  It's unnecessary.  The red X says everything that needs to be
said: "There's a problem.  Click here for more details."

You've already got trinary icons (full color, grayed-out, and Xed).  I
draw the line there.



Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-21 Thread Matthew Woehlke
On 2015-09-20 12:58, Phil Stracchino wrote:
> A Privacy red-flag is a little harder to quantify.  About the only case
> I can think of is if a message is encrypted, but with a key that has
> been revoked or does not match the claimed sender.  But this should
> probably be considered an Authenticity failure.

No, actually you were right the first time. Authentication is based on
the integrity of the SENDER'S private key. Encryption is based on the
integrity of the RECEIVER'S private key(s). So, if I send a signed,
encrypted message to one or more recipients, one of whom has a compromised
key, the message may well be authentic (which we can verify if the
sender's key is trusted), but an attacker may be able to read it.

I could certainly imagine this happening if someone sends you a message
encrypted using an old public key of yours that you happen to know is
compromised, because the sender is not aware that it is compromised /
revoked.

(In fact, privacy is the only state that can change after the fact. If I
send you a message and it is authentic, that is a past event that cannot
be changed. If an encryption key is compromised, a message that was
previously private may no longer be private.)

> Should a message that is encrypted but unsigned be considered an
> Authenticity failure - or at least an authenticity warning?

Encrypting a message and authenticity (signing) are orthogonal; ergo,
whether or not a message is encrypted should not affect reporting of
authenticity.

-- 
Matthew




Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-21 Thread Ludwig Hügelschäfer
Hi Lyle,

On 21.09.15 21:11, Lyle wrote:
> How can I stop this email and many many others that I keep
> receiving. I get 5-10 a day to different peoples and I have tried
> to find a place to unsubscribed and have had no luck. I don't have
> a clue what this even about. Thanks in advance.

please go to
https://admin.hostpoint.ch/mailman/options/enigmail-users_enigmail.net,
enter your mail address and click on "Unsubscribe".

HTH

Ludwig



Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-21 Thread John Dose

Hey, you warmonger...bringing war to the world since eternity...but
too stupid to unsub??

It's true, USAns are degenerated, and AOL is the best provider for them

On 09/21/2015 09:11 PM, Lyle wrote:
> How can I stop this email and many many others that I keep receiving.
> I get 5-10 a day to different peoples and I have tried to find a place
> to unsubscribed and have had no luck. I don't have a clue what this
> even about. Thanks in advance.



Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-21 Thread Lyle
How can I stop this email and many many others that I keep receiving. I get
5-10 a day to different people and I have tried to find a place to
unsubscribe and have had no luck. I don't have a clue what this is even
about. Thanks in advance.

*"GOD BLESS AMERICA PLEASE"*
Lyle Hensley
Enjoying Every Breath
Retired US Army
1957 – 1978
*"NEVER GIVE UP"*



Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-21 Thread Robert J. Hansen
After some more thought, I came up with three icons for privacy,
authenticity, and integrity.



Privacy: a lock.  If the message was encrypted, the lock icon is in
color; if it wasn't, the icon is grayed-out; if it was encrypted to an
expired certificate, the lock icon is in color but has a red X over it.

Authenticity: a fountain pen.  If there's a valid signature the pen is
in full color.  If there's no signature the icon is grayed-out.  If
there's a bad signature, the pen icon is in color but has a red X over it.

Identity: an icon of a passport.  (Not an ID card -- there's too many
different kinds of them throughout the world -- but passports look much
the same worldwide.)  If the identity is confirmed, in color; if it's
not, grayed.



These icons are all simple, so they could probably get shrunk down a lot
and still be recognizable.  SVG icons would give us the best range of
display values.

If we decide to go this route (the PAI route), I think we should agree
on an icon set and talk to a professional graphic designer about
creating icons for us.  Most icons in FOSS software are honestly pretty
bad; I'd like for us to stand out from the pack.  And yes, I'm willing
to contribute to paying for the work.  :)
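
Patrick's point earlier in the thread (what matters is whether the key was valid when the signature was made, not whether it is expired today) and the three-state icons Robert describes above map naturally onto GnuPG's machine-readable output. The following is an added example, not Enigmail code and not anything posted in the thread: a Node.js sketch that turns `gpg --status-fd` lines into a Privacy/Authenticity/Identity verdict with the three states (full colour, grayed-out, red X). The status keywords (GOODSIG, BADSIG, EXPKEYSIG, REVKEYSIG, VALIDSIG, ERRSIG, NO_PUBKEY, ENC_TO, TRUST_*) are real GnuPG ones; the key ids, user id, timestamps and the key metadata table are constructed, and a real client would take that metadata from the keyring.

```javascript
// Added example, not Enigmail's own code: map GnuPG "--status-fd" output onto
// the three-state icons discussed in this thread (full colour, grayed-out,
// red X) for Privacy, Authenticity and Identity. The status keywords are real
// GnuPG tokens; the sample lines, key ids and key metadata are constructed.

const STATE = { NONE: "grayed", OK: "color", PROBLEM: "red-x" };

// Parse "[GNUPG:] KEYWORD arg1 arg2 ..." lines into { keyword, args }.
function parseStatusLines(text) {
  return text.split("\n").map((l) => l.trim())
    .filter((l) => l.startsWith("[GNUPG:] "))
    .map((l) => l.slice(9).split(/\s+/))
    .map((p) => ({ keyword: p[0], args: p.slice(1) }));
}

// keyInfo: long key id -> { expires, revokedAt, compromised } (unix seconds or
// null); a real client would ask the keyring. `now` is injectable for tests.
function paiStatus(statusText, keyInfo, now = Math.floor(Date.now() / 1000)) {
  const lines = parseStatusLines(statusText);
  const has = (kw) => lines.find((l) => l.keyword === kw);
  const result = { privacy: STATE.NONE, authenticity: STATE.NONE, identity: STATE.NONE, notes: [] };

  // Privacy: grayed if not encrypted; red X if encrypted to a recipient key that
  // is expired, revoked or compromised *today* (a leaked receiver key exposes
  // old mail after the fact, so this one is judged at reading time).
  const encTo = lines.filter((l) => l.keyword === "ENC_TO");
  if (encTo.length > 0) {
    const bad = encTo.some((l) => {
      const k = keyInfo[l.args[0]] || {};
      return k.compromised || k.revokedAt != null || (k.expires != null && k.expires < now);
    });
    result.privacy = bad ? STATE.PROBLEM : STATE.OK;
  }

  // Authenticity. EXPKEYSIG/REVKEYSIG mean the signature verifies but GnuPG
  // rates the key by today's state; here we ask whether the key was valid when
  // the signature was made, using the creation time VALIDSIG reports as its
  // third field. A key revoked as compromised is distrusted regardless.
  const validsig = has("VALIDSIG");
  const sigTime = validsig ? Number(validsig.args[2]) : null;
  const validWhenSigned = (keyid) => {
    const k = keyInfo[keyid] || {};
    if (k.compromised || sigTime === null) return false;
    if (k.expires != null && sigTime >= k.expires) return false;
    if (k.revokedAt != null && sigTime >= k.revokedAt) return false;
    return true;
  };
  const stale = has("EXPKEYSIG") || has("REVKEYSIG");
  if (has("GOODSIG")) {
    result.authenticity = STATE.OK;
  } else if (stale) {
    const ok = validWhenSigned(stale.args[0]);
    result.authenticity = ok ? STATE.OK : STATE.PROBLEM;
    result.notes.push(ok ? "key was valid at signing time" : "key was not valid at signing time");
  } else if (has("BADSIG")) {
    result.authenticity = STATE.PROBLEM;
    result.notes.push("signature does not verify: message or signature altered in transit");
  } else if (has("NO_PUBKEY") || has("ERRSIG")) {
    // Unverifiable: the thread settles on the red X here, details behind a click.
    result.authenticity = STATE.PROBLEM;
    result.notes.push("signing key not available, signature could not be checked");
  }

  // Identity: binary on the trust model's verdict, only once the message is authentic.
  if (result.authenticity === STATE.OK && (has("TRUST_FULLY") || has("TRUST_ULTIMATE"))) {
    result.identity = STATE.OK;
  }
  return result;
}

// Constructed key metadata: DEADBEEF... expired at 1600000000; CAFEBABE... is
// the reader's own encryption key and still valid.
const SAMPLE_KEYS = {
  DEADBEEFDEADBEEF: { expires: 1600000000, revokedAt: null, compromised: false },
  CAFEBABECAFEBABE: { expires: null, revokedAt: null, compromised: false },
};
const UID = "Example Sender <sender@example.invalid>";
const FPR = "0000000000000000DEADBEEFDEADBEEF";

// Constructed status output: unencrypted, good signature, fully trusted key.
const SAMPLE_GOOD = `
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DEADBEEFDEADBEEF ${UID}
[GNUPG:] VALIDSIG ${FPR} 2017-07-14 1500000000 0 4 0 1 10 01 ${FPR}
[GNUPG:] TRUST_FULLY 0 pgp
`;
// Same key checked after its expiry: GnuPG reports EXPKEYSIG, but the
// signature (made at 1500000000) predates the expiry (1600000000).
const SAMPLE_EXPIRED_LATER = SAMPLE_GOOD.replace("GOODSIG", "EXPKEYSIG")
  .replace("TRUST_FULLY", "TRUST_UNDEFINED");
// Encrypted to the reader's key, but the signature does not verify.
const SAMPLE_ENC_BADSIG = `
[GNUPG:] ENC_TO CAFEBABECAFEBABE 1 0
[GNUPG:] BADSIG DEADBEEFDEADBEEF ${UID}
`;
// Signed, but the signing key is not in the keyring and could not be fetched.
const SAMPLE_NO_KEY = `
[GNUPG:] ERRSIG DEADBEEFDEADBEEF 1 10 01 1500000000 9 ${FPR}
[GNUPG:] NO_PUBKEY DEADBEEFDEADBEEF
`;

const SAMPLES = { SAMPLE_GOOD, SAMPLE_EXPIRED_LATER, SAMPLE_ENC_BADSIG, SAMPLE_NO_KEY };
for (const [name, s] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(paiStatus(s, SAMPLE_KEYS, 1700000000)));
}
```

The `notes` array is what a click on the icon would expand into; the icons themselves only ever show one of the three states, which is the whole point of the proposal. Note that the expired-key case comes out as authentic here because the signature predates the expiry, whereas GnuPG's own EXPKEYSIG verdict is about the key's state today.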


Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-21 Thread Mike Acker
the element you are missing is:

  * message is signed
  * no local copy of sender's Public Key
  * what action do you want to take ?

On 09/21/2015 04:57 PM, Robert J. Hansen wrote:
> After some more thought, I came up with three icons for privacy,
> authenticity, and integrity.
> [...]

-- 
/Mike


Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-21 Thread Mike Acker
I like this

the one concern I'm still mulling over though is this: if we want
to make ENIGMAIL self-teaching then for every status there needs to
be an easy way to get a list of possible responses. a pull down
list I would think.

On 09/21/2015 04:57 PM, Robert J. Hansen wrote:
> After some more thought, I came up with three icons for privacy,
> authenticity, and integrity.
> [...]

-- 
/Mike


Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-20 Thread Anne Wilson
On 20/09/2015 04:06, Robert J. Hansen wrote:
> (Forgive the HTML: this is one of the few times where I think it’s 
> worthwhile.  This email uses color to convey information.)
>

Sounds really good to me.  First impression is clear and to the point.
Additional information boxes on request give full explanation.  I'm
100% in favour of this.  It separates the everyday want-to-know from
the "hell, I need to know more about that!".

Anne



Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-20 Thread Mike Acker
I like your message

the terms I've been using -- for this same thing --- are

Public Key Encryption (PGP, GPG) provides more than just encryption:
it provides

  * Authentication
  * Integrity
  * Security

Authentication allows the user to verify with good certainty that a
message is in fact from the person who claims to have sent it. i.e.
PGP/GPG can defeat attackers who are attempting to impersonate
friends, associates, businesses... this addresses "targeted
phishing", man-in-the-middle, and similar attacks

Integrity allows the user to be reasonably certain that a message
has not been altered either by error or by intent during
transmission

Security (encryption) allows the user to be reasonably certain that
the content of a message has not been disclosed to un-authorized
parties during transmission

for interested parties this thread will step through the procedures
needed to implement Public Key Encryption using GPG2, ENIGMAIL, and
Thunderbird. similar processing can be established using
Symantec/PGP and MSFT/Outlook.

one should note here that no security is possible if the end-point
operating software has been compromised by un-authorized
programming.

one of the critical key points that has been brought out several
times in this discussion is -- that we need to select good terms --
and then stick to them.   people will catch up and understand, --
given time.   one of the errors that has been made in IT over the
years is to continuously try to find the perfect words to describe
things.   we just need good words and then let people catch up and
learn what the implications are.

the debauch over fake filings of IRS forms 1040 is a perfect example
of how badly the entire communication industry needs to "get with
the program" here -- if I may avail myself of an old cliche

keep up the good work ! this is a vital topic.

On 09/19/2015 11:06 PM, Robert J. Hansen wrote:
> (Forgive the HTML: this is one of the few times where I think it’s
> worthwhile.  This email uses color to convey information.)
> [...]

  

Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-20 Thread Ludwig Hügelschäfer
Hi,

On 20.09.15 05:06, Robert J. Hansen wrote:
> (Forgive the HTML: this is one of the few times where I think it’s
> worthwhile.  This email uses color to convey information.)
>
> (...)
>
> … Bam.  A simple UX that everyone sees, which conveys the most important
> information at-a-glance.  If more detailed information is needed, we
> present it in human-friendly language and embed within the language
> links to help people do common tasks related to keys.
> 
> Further, this UX is completely independent of the trust model used by
> GnuPG.  If you want to use the Web of Trust, no problem.  If you have
> --trust-model=always set, no problem.  If you’re using TOFU, no problem. 
> 
> What do y’all think?

Wow, I like that very much! This goes into the same direction of the two
buttons (sign/encrypt) in the compose window which got really good
feedback. It's logical, consequent and simple. You get an overview on
first glance.

Don't know yet how to display these three items within the message
header, in a graphical sense. I'll make a suggestion.

This UI change covers about 90% of daily use and Enigmail can implement
it independently and instantly.

But I think, we've still got to look into the wording of key details.
One of the most misunderstood terms there is "ownertrust". Also - as
already pointed out - "validity" is not clear. And: We "sign" messages,
but until today we also "sign" a key/certificate, expressing that it
belongs to the promised person. The double use of the term "signature"
has led to quite frequent misunderstandings. We really should use
"certify" for the latter.

These new terms should also be used within GnuPG and other OpenPGP clients.

Ludwig


Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-20 Thread Patrick Brunschwig
On 20.09.15 05:06, Robert J. Hansen wrote:
> (Forgive the HTML: this is one of the few times where I think it’s 
> worthwhile.  This email uses color to convey information.)
> 
> So, while relaxing with a good stogie, I started mulling over the
> UX problem of communicating information about encryption status, 
> signatures, validity, and more.  I got nowhere, which is when I
> decided to burn it all down and start from a clean sheet of paper.
> 
> Enigmail and GnuPG exist to provide the CIA triad.  No, not the 
> intelligence agency — Confidentiality, Integrity, and Assurance.
> Those are the three metrics we need to communicate to the user.  So
> let’s throw out all the language about “untrusted good signature”
> and start over from scratch: let’s communicate the triad.
> 
> First things first: rename it, because only hardcore nerds
> understand what CIA means.  (“What’s the difference between
> integrity and assurance?” is a really common question in
> undergraduate computer security courses.  Even computer science
> majors who have an interest in this stuff, as evidenced by signing
> up to take a class in it, generally don’t understand it.)  I’m
> going to rename the triad the PAI triad: Privacy, Authenticity, and
> Identity.  Further, instead of giving incredibly detailed “valid
> signature but the certificate has not been validated” types of
> messages, let’s reduce it to binary choices.  People like binary
> choices: they’re easy to understand.
> 
> * *Privacy* is a binary state: yes the message was private
>   (encrypted), or no it was not.
> * *Authenticity* is also a binary state: we are confident the
>   message is authentic, or we are not.
> * *Identity* is also a binary state: we are confident it came from
>   the specified person, or we are not.
> 
> 
> We can present this information to the user using just three
> letters in different colors—green for yes, black for no.  Imagine,
> for instance, that we have an untrusted good signature on an
> unencrypted message.  We would then put at the top of the email:
> 
> Privacy Authenticity Identity
> 
> 
> 
> Immediately, at a glance, the user can see that the message is not 
> private, is authentic, but we don’t know who it came from.
> 
> A good signature from a validated certificate, but no encryption,
> would get marked up as—
> 
> 
> Privacy Authenticity Identity
> 
> 
> An encrypted message without a signature would get—
> 
> 
> Privacy Authenticity Identity
> 
> 
> An encrypted and signed message from an unknown certificate—
> 
> 
> Privacy Authenticity Identity
> 
> 
> And finally, an encrypted and signed message from a validated
> certificate—
> 
> 
> Privacy Authenticity Identity
> 
> 
> Immediately, right at-a-glance, users get the information that’s of
> most use to them: is this message private?  Is it authentic?  Did
> it really come from the person I think it did?  If the user wants
> to know details about why a particular message was graded in a
> particular way, they’d double-click on the header and get a
> detailed breakdown of what factors went into each decision.  For
> instance, Enigmail might display a new window that contained
> something like:
> 
> 
>
> * *Privacy.*  This email was encrypted with your RSA key.
> _Click here_ to open this key in the Key Management window.
> Camellia-256 was used for symmetric encryption.
> * *Authenticity.*  This email was signed; however, the signature
> did not check out.  The message, the signature, or both, were
> altered in transit.  This is not necessarily a sign of hostile
> action.  Sometimes messages get garbled in the process of
> transmitting from one system to the next.
> * *Identity.*  This email claims to be from Robert J. Hansen  with
> key ID 0xDEADBEEFDEADBEEF.  However, we do not know the signing key
> really belongs to this person.  If you’re certain the signing key
> belongs to this person, _click here_ and Enigmail will remember
> it for the future.
>
> 
> 
> … Bam.  A simple UX that everyone sees, which conveys the most
> important information at-a-glance.  If more detailed information is
> needed, we present it in human-friendly language and embed within
> the language links to help people do common tasks related to keys.
> 
> Further, this UX is completely independent of the trust model used
> by GnuPG.  If you want to use the Web of Trust, no problem.  If you
> have --trust-model=always set, no problem.  If you’re using TOFU,
> no problem.
> 
> What do y’all think?

I like this proposal very much. I can well imagine that we display 3
icons and if you click on any of them, you'll get the detailed
information. But I'd also suggest adding the UID of the sender in the
message reader pane if the signature can be verified.

- -Patrick



Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-20 Thread Robert J. Hansen
> if you want a third light it could be for the trust level established
> for the senders key:

I'm giving a big 'no' to this.  White, red, yellow, green, blue?  We've
just reintroduced "untrusted good signature".  We can expect people to
understand a binary state, maybe a trinary state -- but a pentastate is
just a bad idea.



signature.asc
Description: OpenPGP digital signature
___
enigmail-users mailing list
enigmail-users@enigmail.net
To unsubscribe or make changes to your subscription click here:
https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net


Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-20 Thread Mike Acker

very good question

to my thinking: if the message is not signed then we do not show
any ENIGMAIL information, i.e. ENIGMAIL status information is not
presented.

if the message is signed then I'm concerned with, first of all, did
the signature verify, and secondly -- was the signature made by
someone I know?

the white or the green depends on whether or not I have previously
authenticated ("vetted") the sender's key.  after that I might
want to check the trust level I have assigned to that user;
perhaps that should be a click-up dialog  ( Robert did not like
my multi color stack,...

and -- that's OK: we are brain-storming here: all ideas need to
get onto the table and get discussed so that we can work out what
we think will be the best language and display format.  I love
contributing -- and I don't mind getting stomped on )

On 09/20/2015 01:00 PM, Phil Stracchino wrote:
> On 09/20/15 08:00, Mike Acker wrote:
>> I'm not sure you need 3 greens though,-- a message for which the
>> signature verifies becomes "authenticated",-- i.e. we are assured the
>> message is from the person we think it is from --
>>
>> the key is when the signature authenticates you, perforce, have also
>> verified integrity ( the accuracy of the document content )
>>
>> the option of course is PRIVACY, aka encryption
>>
>> I think two greens are enough, then:
>
> With no integrity indicator, how do you distinguish between an unsigned
> message, and one which has been signed but the content of the message
> has been altered post-signature?




-- 
/Mike
  





Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-20 Thread Phil Stracchino
On 09/20/15 08:00, Mike Acker wrote:
> I'm not sure you need 3 greens though,-- a message for which the
> signature verifies becomes "authenticated",-- i.e. we are assured the
> message is from the person we think it is from --
>
> the key is when the signature authenticates you, perforce, have also
> verified integrity ( the accuracy of the document content )
>
> the option of course is PRIVACY, aka encryption
>
> I think two greens are enough, then:
>
>

With no integrity indicator, how do you distinguish between an unsigned
message, and one which has been signed but the content of the message
has been altered post-signature?

-- 
  Phil Stracchino
  Babylon Communications
  ph...@caerllewys.net
  p...@co.ordinate.org
  Landline: 603.293.8485






Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-20 Thread Phil Stracchino
On 09/20/15 14:01, Robert J. Hansen wrote:
> The arguments in favor of trinary:
> 
> * Many users are going to want three states even though, IMO, the third
> state is useless.
> 
> A bad signature on an email message, contrary to popular belief in the
> community, doesn't mean the message was tampered with.  99% of the time
> it's evidence the *signature* was tampered with.  PGP/MIME is infamous
> here: MUAs play hob with attachments and repackage the signature up in
> weird ways.  So a bad signature, by itself, doesn't tell you anything
> about whether the message has been changed.  All that a bad signature
> tells you is the sender thought the message was important enough to add
> an authenticity/identity measure, but authenticity/identity cannot be
> assured.  And if we're saying "authenticity/identity cannot be assured",
> then really, that's no different from no signature at all -- so it
> should use the same black text as no signature at all.

Actually, I dispute this.  There is an important functional, not just
human, distinction between 'Sender made no attempt to provide
authentication on this message' and 'Sender attempted to provide
authentication on this message, *but something went wrong*'.  In the
latter case, if it is an important communication, you may wish to
contact the sender by other means to verify authenticity.  In the former
case, there is no reason to do so.  It could be crucial to know which
case is in effect, but we can't expect users to look at the authenticity
details on every message to find out whether there was *no* signature or
a *failed* (for whatever reason) signature.  So we need the interface to
let them distinguish at a glance between no signature and failed
signature.  It is then up to the user to decide whether or not they need
to investigate a failed signature further.


> So... yeah.  My inner crypto nerd says the binary choice is a more
> accurate representation of reality.  My inner UX geek says the trinary
> choice is what users will want and feel more comfortable with.  The nerd
> and the geek are fighting for control of my soul.  :)

In this case, I think the crypto nerd has overlooked an important
aspect.  :)  A failed or invalid signature is *cryptographically*
equivalent to no signature; but it is not *functionally* equivalent.
Because a failed or invalid signature means that the sender *tried* to
authenticate the message, implying that it may have been important to do so.


-- 
  Phil Stracchino
  Babylon Communications
  ph...@caerllewys.net
  p...@co.ordinate.org
  Landline: 603.293.8485





Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-20 Thread Mike Acker

if you want a third light it could be for the trust level
established for the sender's key:

  * no signature: pgp wasn't used
  * unknown: message is signed but we have no information about the
    signer
  * untrusted: message is signed by a person we recognize but we are
    not sure if he or she is trustworthy
  * marginal: marginal trust -- ( I don't like this one )
  * trusted: full trust -- we are willing to accept authentication and
    trust level information from this source
  * ultimate: show for messages signed by local user usually in the SENT
    box



>
> On 09/20/2015 06:51 AM, Patrick Brunschwig wrote:
>> On 20.09.15 05:06, Robert J. Hansen wrote:
>> > (Forgive the HTML: this is one of the few times where I think it’s
>> > worthwhile.  This email uses color to convey information.)
>>
>> > So, while relaxing with a good stogie, I started mulling over the
>> > UX problem of communicating information about encryption status,
>> > signatures, validity, and more.  I got nowhere, which is when I
>> > decided to burn it all down and start from a clean sheet of paper.
> { snip }
>
> -- 
> /Mike
>
>
>

-- 
/Mike

  





Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-20 Thread Mike Acker

I'm not sure you need 3 greens though,-- a message for which the
signature verifies becomes "authenticated",-- i.e. we are assured
the message is from the person we think it is from --

the key is when the signature authenticates you, perforce, have also
verified integrity ( the accuracy of the document content )

the option of course is PRIVACY, aka encryption

I think two greens are enough, then:





On 09/20/2015 06:51 AM, Patrick Brunschwig wrote:
> On 20.09.15 05:06, Robert J. Hansen wrote:
>> (Forgive the HTML: this is one of the few times where I think it’s
>> worthwhile.  This email uses color to convey information.)
>>
>> So, while relaxing with a good stogie, I started mulling over the
>> UX problem of communicating information about encryption status,
>> signatures, validity, and more.  I got nowhere, which is when I
>> decided to burn it all down and start from a clean sheet of paper.

{ snip }

-- 
/Mike

  





Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-20 Thread Mike Acker

a few more words about "marginal" trust

I would assign marginal trust to (e.g.) x.509 certificates which
are signed by "certificate authorities".  these are passed out
like fliers at the fair creating a huge attack surface.  each
of us needs only a few of these, one for the credit union, one
for (e.g.) Amazon -- just those sites that we do commercial
business with.  Marginal trust might be OK to browse a news
site but that's another topic.

getting from marginal trust to full trust requires a SECOND
VERIFICATION.  In my view this service should be available at
local credit unions, perhaps the DMV office -- places that already
need to vet and authenticate identification records.

we need to extend this to the individual as well, while we're at
it -- ENIGMAIL should be able to export a public key onto a USB
thumb drive that the user can take to the Credit Union or DMV -- to
get it countersigned -- and uploaded to the key server.  this is
needed to proceed with PGP security for things like IRS Forms 1040
filings ...  a PGP signature is rather more secure than simply knowing
the AGI on line 22 from last year's form -- which is a total
kindergarten effort at security.

On 09/20/2015 08:38 AM, Mike Acker wrote:
> if you want a third light it could be for the trust level
> established for the sender's key:
>
>   * no signature: pgp wasn't used
>   * unknown: message is signed but we have no information about the
>     signer
>   * untrusted: message is signed by a person we recognize but we are
>     not sure if he or she is trustworthy
>   * marginal: marginal trust -- ( I don't like this one )
>   * trusted: full trust -- we are willing to accept authentication and
>     trust level information from this source
>   * ultimate: show for messages signed by local user usually in the
>     SENT box
>
>
> On 09/20/2015 06:51 AM, Patrick Brunschwig wrote:
>> On 20.09.15 05:06, Robert J. Hansen wrote:
>> > (Forgive the HTML: this is one of the few times where I think it’s
>> > worthwhile.  This email uses color to convey information.)
>>
>> > So, while relaxing with a good stogie, I started mulling over the
>> > UX problem of communicating information about encryption status,
>> > signatures, validity, and more.  I got nowhere, which is when I
>> > decided to burn it all down and start from a clean sheet of paper.
> { snip }
>
> -- 
> /Mike
>
>
>
  
  -- 
  /Mike
  
  
  
  



-- 
/Mike
  





Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-20 Thread Philip Jackson
On 20/09/15 05:06, Robert J. Hansen wrote:
> First things first: rename it, because only hardcore nerds understand what CIA
> means.  (“What’s the difference between integrity and assurance?” is a really
> common question in undergraduate computer security courses.  Even computer
> science majors who have an interest in this stuff, as evidenced by signing up 
> to
> take a class in it, generally don’t understand it.)  I’m going to rename the
> triad the PAI triad: Privacy, Authenticity, and Identity.  Further, instead of
> giving incredibly detailed “valid signature but the certificate has not been
> validated” types of messages, let’s reduce it to binary choices.  People like
> binary choices: they’re easy to understand.
> 
>   * *Privacy* is a binary state: yes the message was private (encrypted), or
> no it was not.
>   * *Authenticity* is also a binary state: we are confident the message is
> authentic, or we are not.
>   * *Identity* is also a binary state: we are confident it came from the
> specified person, or we are not.
> 
> 
> We can present this information to the user using just three letters in
> different colors—green for yes, black for no.  Imagine, for instance, that we
> have an untrusted good signature on an unencrypted message.  We would then put
> at the top of the email:
> 
> Privacy   AuthenticityIdentity
> 

Clear thinking and well presented.  I like this idea.

Philip





Re: [Enigmail] No more "Untrusted Good Signature"s

2015-09-20 Thread Phil Stracchino
On 09/19/15 23:06, Robert J. Hansen wrote:
> (Forgive the HTML: this is one of the few times where I think it’s
> worthwhile.  This email uses color to convey information.)
> 
> So, while relaxing with a good stogie, I started mulling over the UX
> problem of communicating information about encryption status,
> signatures, validity, and more.  I got nowhere, which is when I decided
> to burn it all down and start from a clean sheet of paper.


And very successfully.  Sometimes the clean sheet of paper is exactly
what's needed.  I like this suggestion a lot.  It is simple,
unambiguous, and readable at a glance.  Any further information wanted
by more technically sophisticated users can be obtained by clicking the
item of interest to see more details.

I would suggest one slight extension to the scheme:  The indicators
should be tri-state, not binary.  Add a red error state as well as a
green 'OK' state and the black 'not present' state.  A message which is
signed, but by a key that does not match the declared sender, or by a
revoked key, would display red Identity.  A message which has been
signed but the signature does not match the content (i.e., the content
has been altered post-signature) would display red for Authenticity.

A Privacy red-flag is a little harder to quantify.  About the only case
I can think of is if a message is encrypted, but with a key that has
been revoked or does not match the claimed sender.  But this should
probably be considered an Authenticity failure.

Should a message that is encrypted but unsigned be considered an
Authenticity failure - or at least an authenticity warning?


-- 
  Phil Stracchino
  Babylon Communications
  ph...@caerllewys.net
  p...@co.ordinate.org
  Landline: 603.293.8485





[Enigmail] No more "Untrusted Good Signature"s

2015-09-19 Thread Robert J. Hansen
(Forgive the HTML: this is one of the few times where I think it’s
worthwhile.  This email uses color to convey information.)

So, while relaxing with a good stogie, I started mulling over the UX
problem of communicating information about encryption status,
signatures, validity, and more.  I got nowhere, which is when I decided
to burn it all down and start from a clean sheet of paper.

Enigmail and GnuPG exist to provide the CIA triad.  No, not the
intelligence agency — Confidentiality, Integrity, and Assurance.  Those
are the three metrics we need to communicate to the user.  So let’s
throw out all the language about “untrusted good signature” and start
over from scratch: let’s communicate the triad.

First things first: rename it, because only hardcore nerds understand
what CIA means.  (“What’s the difference between integrity and
assurance?” is a really common question in undergraduate computer
security courses.  Even computer science majors who have an interest in
this stuff, as evidenced by signing up to take a class in it, generally
don’t understand it.)  I’m going to rename the triad the PAI triad:
Privacy, Authenticity, and Identity.  Further, instead of giving
incredibly detailed “valid signature but the certificate has not been
validated” types of messages, let’s reduce it to binary choices.  People
like binary choices: they’re easy to understand.

  * *Privacy* is a binary state: yes the message was private
(encrypted), or no it was not.
  * *Authenticity* is also a binary state: we are confident the message
is authentic, or we are not.
  * *Identity* is also a binary state: we are confident it came from the
specified person, or we are not.


We can present this information to the user using just three letters in
different colors—green for yes, black for no.  Imagine, for instance,
that we have an untrusted good signature on an unencrypted message.  We
would then put at the top of the email:

Privacy
Authenticity
Identity



Immediately, at a glance, the user can see that the message is not
private, is authentic, but we don’t know who it came from.

A good signature from a validated certificate, but no encryption, would
get marked up as—


Privacy
Authenticity
Identity


An encrypted message without a signature would get—


Privacy
Authenticity
Identity


An encrypted and signed message from an unknown certificate—


Privacy
Authenticity
Identity


And finally, an encrypted and signed message from a validated certificate—


Privacy
Authenticity
Identity


Immediately, right at-a-glance, users get the information that’s of most
use to them: is this message private?  Is it authentic?  Did it really
come from the person I think it did?  If the user wants to know details
about why a particular message was graded in a particular way, they’d
double-click on the header and get a detailed breakdown of what factors
went into each decision.  For instance, Enigmail might display a new
window that contained something like:



  * *Privacy.*  This email was encrypted with your RSA key.
    _Click here_ to open this key in the Key Management window.
    Camellia-256 was used for symmetric encryption.
  * *Authenticity.*  This email was signed; however, the
    signature did not check out.  The message, the signature, or
    both, were altered in transit.  This is not necessarily a sign
    of hostile action.  Sometimes messages get garbled in the
    process of transmitting from one system to the next.
  * *Identity.*  This email claims to be from Robert J. Hansen
     with key ID 0xDEADBEEFDEADBEEF.  However, we
    do not know the signing key really belongs to this person.  If
    you’re certain the signing key belongs to this person, _click
    here_ and Enigmail will remember it for the future.




… Bam.  A simple UX that everyone sees, which conveys the most important
information at-a-glance.  If more detailed information is needed, we
present it in human-friendly language and embed within the language
links to help people do common tasks related to keys.

Further, this UX is completely independent of the trust model used by
GnuPG.  If you want to use the Web of Trust, no problem.  If you have
--trust-model=always set, no problem.  If you’re using TOFU, no problem. 

What do y’all think?



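As an added example (not Enigmail's or GnuPG's code, and not part of any post in this thread), the JavaScript below reduces a handful of GnuPG --status-fd keywords to Robert's three indicators, with a switch for Phil Stracchino's tri-state extension so that "no signature" and "failed signature" can be told apart at a glance. It assumes that only the keywords it lists matter, that TRUST_FULLY and TRUST_ULTIMATE are the "confident" identity states (TRUST_MARGINAL is not), and that Identity is also checked against the From address; the status lines, names and addresses are constructed.

```javascript
// Added example (not Enigmail or GnuPG code): models the "PAI triad" from
// Robert J. Hansen's proposal plus Phil Stracchino's tri-state extension by
// reducing a few GnuPG --status-fd keywords to three indicator colours.
// Assumptions: only the keywords below are handled; TRUST_FULLY and
// TRUST_ULTIMATE count as "confident" identity, TRUST_MARGINAL does not.
const GREEN = "green"; // yes / OK
const BLACK = "black"; // not present, or not confident
const RED = "red";     // tri-state only: attempted but failed
const CONFIDENT_TRUST = new Set(["TRUST_FULLY", "TRUST_ULTIMATE"]);

// Reduce "[GNUPG:] KEYWORD args" lines to the facts the triad needs.
function parseStatus(statusText) {
  const st = { encrypted: false, sig: "none", trust: null, keyId: null, userId: null };
  for (const line of statusText.split("\n")) {
    const m = /^\[GNUPG:\] (\S+)(?: (.*))?$/.exec(line.trim());
    if (!m) continue;
    const kw = m[1];
    const rest = m[2] || "";
    const keyId = rest.split(" ")[0] || "";
    switch (kw) {
      case "DECRYPTION_OKAY":            // message was encrypted to us
        st.encrypted = true;
        break;
      case "GOODSIG":                    // good signature from a known key
      case "REVKEYSIG":                  // good signature, but key revoked
        st.sig = kw === "GOODSIG" ? "good" : "revoked";
        st.keyId = keyId || null;
        st.userId = rest.slice(keyId.length + 1);
        break;
      case "BADSIG":                     // signature does not match content
      case "ERRSIG":                     // could not be checked (no key etc.)
        st.sig = kw === "BADSIG" ? "bad" : "unverifiable";
        st.keyId = keyId || null;
        break;
      default:
        if (kw.startsWith("TRUST_")) st.trust = kw; // key validity verdict
    }
  }
  return st;
}

// Colour the three indicators. tristate=false is the original binary
// proposal (a failed signature looks like no signature); tristate=true
// is the extension where a failed attempt goes red.
function paiTriad(statusText, fromAddress, tristate) {
  const st = parseStatus(statusText);
  const failed = tristate ? RED : BLACK;
  const privacy = st.encrypted ? GREEN : BLACK;
  let authenticity = BLACK;
  if (st.sig === "good" || st.sig === "revoked") authenticity = GREEN;
  else if (st.sig !== "none") authenticity = failed;
  let identity = BLACK;
  if (st.sig === "good") {
    const uidMatchesFrom = st.userId.toLowerCase().includes(fromAddress.toLowerCase());
    if (!uidMatchesFrom) identity = failed;              // key does not match sender
    else if (CONFIDENT_TRUST.has(st.trust)) identity = GREEN;
  } else if (st.sig === "revoked") {
    identity = failed;                                   // revoked key goes red
  }
  return { privacy, authenticity, identity, keyId: st.keyId, userId: st.userId };
}

// Constructed sample status output (not captured from a real run):
// encrypted, good signature, fully trusted key. Key ID is the thread's dummy.
const SAMPLE_STATUS = [
  "[GNUPG:] GOODSIG DEADBEEFDEADBEEF Alice Example <alice@example.invalid>",
  "[GNUPG:] TRUST_FULLY 0 pgp",
  "[GNUPG:] DECRYPTION_OKAY",
].join("\n");

console.log(paiTriad(SAMPLE_STATUS, "alice@example.invalid", true));
```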