Re: [Enigmail] What about PGP/Header support?
On 16/03/2014 12:21, Jean-David Beyer wrote:
> On 03/15/2014 02:28 PM, Egbert van der Wal wrote:
>> I actually see encryption as less of an issue. When I send an encrypted message to someone, I need to know for sure that the recipient knows about PGP encryption and knows how to decode it. If I send an encrypted message to someone who does not use PGP, he/she cannot read it, no matter what.
>
> How do you send an encrypted message to someone who does not use PGP? You need his public key to do that.

I think that is the point that he was making - his reason for thinking that encryption is a lesser issue.

Anne

___
enigmail-users mailing list
enigmail-users@enigmail.net
https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net
Re: [Enigmail] What about PGP/Header support?
On 03/17/2014 12:08 PM, Jean-David Beyer wrote:
> On 03/17/2014 06:16 AM, Anne Wilson wrote:
>> On 16/03/2014 12:21, Jean-David Beyer wrote:
>>> On 03/15/2014 02:28 PM, Egbert van der Wal wrote:
>>>> I actually see encryption as less of an issue. When I send an encrypted message to someone, I need to know for sure that the recipient knows about PGP encryption and knows how to decode it. If I send an encrypted message to someone who does not use PGP, he/she cannot read it, no matter what.
>>>
>>> How do you send an encrypted message to someone who does not use PGP? You need his public key to do that.
>>
>> I think that is the point that he was making - his reason for thinking that encryption is a lesser issue.
>>
>> Anne
>
> When his sentence starts out "If I send an encrypted message to someone who does not use PGP, ..." he is already lacking understanding since he CANNOT send an encrypted message to someone using enigmail if he does not have that someone's public key. And if that someone does not use enigmail (or something very much like it), he better not send that message at all (if it really needed to be encrypted).

I do understand the procedure of PGP encryption. And I explained in my previous mail that it is no problem to send an encrypted mail to someone even if I do not have their public key. It's just extremely unlikely that they'll be able to decrypt it, since I'd be using a different public key. I could just as well enable encryption for this particular message and select the PGP key of my colleague. You will not be able to read it, but it will be encrypted.

This is all extremely beside the point I was trying to make. My point is that when I'm sending an encrypted mail, I must be certain that the person I'm sending it to knows what it is and is actually using PGP because otherwise they cannot decrypt the message.

Therefore, for the type of person that I would send encrypted mails, it is no issue how and where any key or signature is transferred because I can assume that the recipient has a mail client that knows what to do with this. However, when I do not encrypt a message, but simply sign it, I cannot make such an assumption. That is the point I was trying to make.

Regards,
Egbert
Re: [Enigmail] What about PGP/Header support?
On 03/17/2014 07:26 AM, Robert J. Hansen wrote:
>> or their cell phones to send me messages. And while I have SSL turned on with Facebook, I very much doubt that Facebook itself, on their servers, keeps my messages encrypted even though they seem to be during transmission.
>
> I know one of Facebook's senior security geeks; if you like, I'd be happy to ask about this for you.

It would be interesting, but since I assume everything I put on Facebook can be seen by everyone (even though my settings may be more restrictive), it is of no practical importance to me. And I assume that anyone can see this message I am typing too, ...

--
  .~.  Jean-David Beyer          Registered Linux User 85642.
  /V\  PGP-Key:166D840A 0C610C8B Registered Machine 1935521.
 /( )\ Shrewsbury, New Jersey    http://linuxcounter.net
 ^^-^^ 09:40:01 up 4 days, 18:42, 2 users, load average: 4.12, 4.07, 4.11
Re: [Enigmail] What about PGP/Header support?
On 03/15/2014 02:28 PM, Egbert van der Wal wrote:
> I actually see encryption as less of an issue. When I send an encrypted message to someone, I need to know for sure that the recipient knows about PGP encryption and knows how to decode it. If I send an encrypted message to someone who does not use PGP, he/she cannot read it, no matter what.

How do you send an encrypted message to someone who does not use PGP? You need his public key to do that.

--
  .~.  Jean-David Beyer          Registered Linux User 85642.
  /V\  PGP-Key:166D840A 0C610C8B Registered Machine 1935521.
 /( )\ Shrewsbury, New Jersey    http://linuxcounter.net
 ^^-^^ 08:20:01 up 3 days, 17:22, 2 users, load average: 4.44, 4.35, 4.41
Re: [Enigmail] What about PGP/Header support?
On 03/16/14 08:21, Jean-David Beyer wrote:
> On 03/15/2014 02:28 PM, Egbert van der Wal wrote:
>> I actually see encryption as less of an issue. When I send an encrypted message to someone, I need to know for sure that the recipient knows about PGP encryption and knows how to decode it. If I send an encrypted message to someone who does not use PGP, he/she cannot read it, no matter what.
>
> How do you send an encrypted message to someone who does not use PGP? You need his public key to do that.

Exactly. How are you going to send an encrypted message to someone who does not have a public key? You can't. Period. Unless you separately arrange a symmetric encryption key to use or pre-arrange to send a symmetric encryption key out-of-band.

It's a non-issue from the point of view of Enigmail. If you *can* send someone an encrypted message, you have their public key. If they don't have one, you don't have it either, and you can't. End of story.

--
Phil Stracchino
Babylon Communications
ph...@caerllewys.net
p...@co.ordinate.org
Landline: 603.293.8485
Re: [Enigmail] What about PGP/Header support?
Oh, I most definitely can send an encrypted message to anyone. The recipient will not be able to decrypt it since I don't have his public key so I'll have to use some random other key, but I can send him an encrypted message.

Anyway, these things confirm my point: the way the PGP signature is transferred is only relevant for signed but unencrypted mails as you may as well send these mails to people that do not know, understand or use PGP. And those people may get confused by the way that the signature is transferred: either inline or as an attachment. Embedding this in the header solves this issue.

Of course, it will require further specification in an RFC and it will require more broad support than from just one client (although I personally don't know anyone that does use PGP and does not use Enigmail to do so but that's just my personal circle, of course). But it has to start somewhere, right?

Regards,
Egbert

On 03/16/2014 08:22 PM, Phil Stracchino wrote:
> On 03/16/14 08:21, Jean-David Beyer wrote:
>> On 03/15/2014 02:28 PM, Egbert van der Wal wrote:
>>> I actually see encryption as less of an issue. When I send an encrypted message to someone, I need to know for sure that the recipient knows about PGP encryption and knows how to decode it. If I send an encrypted message to someone who does not use PGP, he/she cannot read it, no matter what.
>>
>> How do you send an encrypted message to someone who does not use PGP? You need his public key to do that.
>
> Exactly. How are you going to send an encrypted message to someone who does not have a public key? You can't. Period. Unless you separately arrange a symmetric encryption key to use or pre-arrange to send a symmetric encryption key out-of-band.
>
> It's a non-issue from the point of view of Enigmail. If you *can* send someone an encrypted message, you have their public key. If they don't have one, you don't have it either, and you can't. End of story.
[Enigmail] What about PGP/Header support?
Hi,

Sorry if this has been asked before, I searched the archives and found no references to the same thing.

I'm looking into setting up PGP signing and encryption. Especially the signing is a difficult issue. The two options I have bother me:

* Inline PGP attaches random cruft (to laymen) to the text messages and this may actually make them distrust my messages instead of trusting them
* PGP/Mime adds an attachment that is visible to people that do not have PGP support, with the same thing: people distrust unknown attachments.

I recently set up my mailserver to use DKIM signing and I think the solution for embedding the DKIM signature is really elegant: adding a DKIM-Signature header. Since mail clients that do not understand this header just ignore it, it is basically invisible to people inexperienced with mail and/or DKIM. It is still embedded in the message.

I then started looking for any possibilities to use this and came across someone who wrote about this same idea:

http://beza1e1.tuxen.de/articles/pgp_header.html

I really like this solution to the problem. What are the thoughts of the Enigmail people on this solution?

Thanks,
Egbert van der Wal
Re: [Enigmail] What about PGP/Header support?
On 15.03.14 16:41, Egbert van der Wal wrote:
> Hi,
>
> Sorry if this has been asked before, I searched the archives and found no references to the same thing.
>
> I'm looking into setting up PGP signing and encryption. Especially the signing is a difficult issue. The two options I have bother me:
>
> * Inline PGP attaches random cruft (to laymen) to the text messages and this may actually make them distrust my messages instead of trusting them
> * PGP/Mime adds an attachment that is visible to people that do not have PGP support, with the same thing: people distrust unknown attachments.
>
> I recently set up my mailserver to use DKIM signing and I think the solution for embedding the DKIM signature is really elegant: adding a DKIM-Signature header. Since mail clients that do not understand this header just ignore it, it is basically invisible to people inexperienced with mail and/or DKIM. It is still embedded in the message.
>
> I then started looking for any possibilities to use this and came across someone who wrote about this same idea:
>
> http://beza1e1.tuxen.de/articles/pgp_header.html
>
> I really like this solution to the problem. What are the thoughts of the Enigmail people on this solution?

I think the idea is not quite thoroughly thought through. It is only an idea for signing data; it does not mention encryption. In addition, it does not cover anything like multi-part emails (attachments, HTML mails) and partially signed mails.

I think the far bigger issue these days is encryption, not signing.

-Patrick
Re: [Enigmail] What about PGP/Header support?
Hi Patrick,

I realize that the link I posted does not give any details. However, this is all solved for DKIM by specifying exactly which parts of the message have been signed within the header. For PGP, you may want to sign the body of the message instead, but this may just be done in the same way as it is done in PGP/Mime with the only exception that the PGP signature is not an attachment to the message but posted in the header.

I actually see encryption as less of an issue. When I send an encrypted message to someone, I need to know for sure that the recipient knows about PGP encryption and knows how to decode it. If I send an encrypted message to someone who does not use PGP, he/she cannot read it, no matter what.

For signing, it is a different story because I'd like to set up my client to sign all my outgoing messages and people can either verify the signature or don't care. However, currently, it's working counterproductive as people start to distrust the unknown attachments or appended incomprehensible code in my messages.

Regards,
Egbert

On 03/15/2014 06:10 PM, Patrick Brunschwig wrote:
> On 15.03.14 16:41, Egbert van der Wal wrote:
>> Hi,
>>
>> Sorry if this has been asked before, I searched the archives and found no references to the same thing.
>>
>> I'm looking into setting up PGP signing and encryption. Especially the signing is a difficult issue. The two options I have bother me:
>>
>> * Inline PGP attaches random cruft (to laymen) to the text messages and this may actually make them distrust my messages instead of trusting them
>> * PGP/Mime adds an attachment that is visible to people that do not have PGP support, with the same thing: people distrust unknown attachments.
>>
>> I recently set up my mailserver to use DKIM signing and I think the solution for embedding the DKIM signature is really elegant: adding a DKIM-Signature header. Since mail clients that do not understand this header just ignore it, it is basically invisible to people inexperienced with mail and/or DKIM. It is still embedded in the message.
>>
>> I then started looking for any possibilities to use this and came across someone who wrote about this same idea:
>>
>> http://beza1e1.tuxen.de/articles/pgp_header.html
>>
>> I really like this solution to the problem. What are the thoughts of the Enigmail people on this solution?
>
> I think the idea is not quite thoroughly thought through. It is only an idea for signing data; it does not mention encryption. In addition, it does not cover anything like multi-part emails (attachments, HTML mails) and partially signed mails.
>
> I think the far bigger issue these days is encryption, not signing.
>
> -Patrick
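The DKIM mechanism referred to in the message above, as an added example that is not part of the thread: the DKIM-Signature header lists the signed header fields in `h=` and carries a hash of the canonicalized body in `bh=`, so the whole signature travels in the header and the body a non-DKIM client displays stays a single plain part. The sketch checks only the body hash (RFC 6376 simple/relaxed body canonicalization, SHA-256, no `l=` tag, no verification of `b=`); the sample message, the `example.org` addresses, the selector `sel1`, the `b=` placeholder and all function names are constructed for this example.

```python
import base64
import hashlib
import re
from email import message_from_bytes


def parse_tags(value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376, 3.2)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags


def canon_body(body, mode):
    """Body canonicalization: 'simple' (RFC 6376, 3.4.3) or 'relaxed' (3.4.4)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()                      # trailing empty lines are not signed
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body, mode="relaxed"):
    """Base64 SHA-256 of the canonicalized body, as carried in the bh= tag."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()


def check_body(raw):
    """Return (bh_matches, signed_header_names) for the message's DKIM-Signature."""
    head, _, body = raw.partition(b"\r\n\r\n")
    tags = parse_tags(message_from_bytes(head + b"\r\n\r\n")["DKIM-Signature"])
    mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return body_hash(body, mode) == tags["bh"], tags["h"].split(":")


def parts_seen_by_plain_client(raw):
    """MIME parts a client that ignores the header would render."""
    return [p.get_content_type() for p in message_from_bytes(raw).walk()]


def sample_message(body):
    """Constructed message; the b= value is a placeholder, not a real signature."""
    header = (
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\r\n"
        " s=sel1; h=from:to:subject;\r\n"
        f" bh={body_hash(body)};\r\n"
        " b=PLACEHOLDER\r\n"
    ).encode()
    return (header + b"From: a@example.org\r\nTo: b@example.org\r\n"
            b"Subject: test\r\n\r\n" + body)
```

Appending blank lines to the body leaves `bh=` valid under relaxed canonicalization, while appending any text breaks it; a header-carried PGP signature would need an equivalent rule for what exactly is covered.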
Re: [Enigmail] What about PGP/Header support?
On 03/15/2014 10:10 AM, Patrick Brunschwig wrote:
> On 15.03.14 16:41, Egbert van der Wal wrote:
>> I recently set up my mailserver to use DKIM signing and I think the solution for embedding the DKIM signature is really elegant: adding a DKIM-Signature header. Since mail clients that do not understand this header just ignore it, it is basically invisible to people inexperienced with mail and/or DKIM. It is still embedded in the message.
>>
>> I then started looking for any possibilities to use this and came across someone who wrote about this same idea:
>>
>> http://beza1e1.tuxen.de/articles/pgp_header.html

It is important to be clear about the nature of the problem so as to address it properly. The problem is part social and part technical.

First, as to the social, I have been signing my emails for many years now, and I find some people are disturbed when they can't do anything with the attachment. I explain, sometimes they don't understand, but the important thing for them is to just ignore the attachment, and eventually they get that. Life goes on.

Next is the technical. This divides into two problems. First is that the current methods of signing have been in use for quite a long period of time. Enigmail is far from the only piece of software involved. Compatibility is an issue. But I believe this is what the RFC process is for.

The other issue is the question of what to sign/encrypt. I'm not seeing this as a problem. Just sign/encrypt the entire body, including attachments and leave it to the sender, as we already have been doing for years, to make obvious which bits are from previous messages. This does seem to me to be 'clean' and 'elegant'. It also seems to me that it would address another problem previously reported on this list in which a signed attachment could lead a receiver to believe that the entire message had been signed.

It's important to remember here what a signature is supposed to mean: strictly that I sent this. It means nothing more. And it strikes me that the practice of encrypting pieces of a message and leaving other pieces unencrypted is dubious, that leaving portions unencrypted might offer clues as to the encrypted content.

--
David Benfell
see https://parts-unknown.org/node/2 if you don't understand the attachment