On Mon, 17 Oct 2011 20:11:29 +0200, Werner Koch wrote:
> of the whole system. We prepared a short paper; if you are interested
Some suggestions and questions, some are applicable to the paper while
others might be more suited for a FAQ section on the website:
* More pictures.
* You're suggesti
On Oct 25, 2011, gn...@lists.grepular.com wrote:
. . .
(*) there's a nasty privacy issue when you're able to trigger a
receiving email client to do arbitrary http lookups. It means the sender
is able to determine when the recipient downloaded the email, and what
IP address they were using at the
accessible" and "available".
-Devin
-Original Message-
From: "Robert J. Hansen"
Sender: gnupg-users-boun...@gnupg.org
Date: Tue, 25 Oct 2011 22:02:29
To:
Subject: Re: STEED - Usable end-to-end encryption
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
On 10/25/11 6:4
On 10/25/11 6:46 PM, MFPA wrote:
> If people don't care about privacy, why did envelopes rather than
> postcards develop as the default for sending messages through the
> post?
This one should be obvious: because a postcard doesn't allow you to
wri
On 10/25/2011 15:46, MFPA wrote:
> An oft-used analogy when promoting encrypted communication is to compare
> it to sending a letter in an envelope rather than sending a postcard. If
> people don't care about privacy, why did envelopes rather than postcards
> develop as the default for sending mess
Hi
On Tuesday 25 October 2011 at 10:26:57 AM, in
, Peter Lebbing wrote:
> On 24/10/11 19:25, Robert J. Hansen wrote:
>> With respect to your question: what we offer is privacy, but most people
>> do not understand privacy, do not care about priva
On 25/10/11 21:11, Mark H. Wood wrote:
> So, to summarize what I think I've been hearing: the problem which
> remains to be solved (if it is a problem) is a nontechnical one, and
> no amount of technical wizardry will solve it. The most that can be
> done now is to be ready to help someone who fe
On 10/25/11 5:17 PM, Robert J. Hansen wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
[rest of message, which *lacked* a signature, elided]
Wow, that's a wacky error. Time to file a bug report in Enigmail!
___
Gnupg-users mailing list
Gnupg
On 10/25/11 4:11 PM, Mark H. Wood wrote:
> So, to summarize what I think I've been hearing: the problem which
> remains to be solved (if it is a problem) is a nontechnical one,
> and no amount of technical wizardry will solve it.
This is what I thi
So, to summarize what I think I've been hearing: the problem which
remains to be solved (if it is a problem) is a nontechnical one, and
no amount of technical wizardry will solve it. The most that can be
done now is to be ready to help someone who fears for his privacy and
asks, "what can I do?"
On 25/10/11 17:09, Robert J. Hansen wrote:
> I disagree. The problem with the current proposal is it offers email
> providers no payoff for their work. If it could credibly be said,
> "implement STEED and you'll get 25% less spam across your network,"
> email providers would be lining up around t
On Mon, 24 Oct 2011 23:02:32 -0400
d...@geer.org articulated:
> To be more pointed, how many folks on this list carry a cell phone?
I carry one virtually all the time. It is sort of in my job
description. I have to be available 24/7.
--
Jerry ✌
gnupg.u...@seibercom.net
On 10/25/11 10:57 AM, Peter Lebbing wrote:
> The problem with the current proposal in that respect is that it
> requires co-operation of e-mail providers.
I disagree. The problem with the current proposal is it offers email
providers no payoff for their work. If it could credibly be said,
"imple
On 25/10/11 14:54, Robert J. Hansen wrote:
> Every now and again I'll meet someone who's interested in learning
> about privacy and how to protect it. I do my best to help these
> people along. That's what I can do, that's what's within my power,
> that's the standard I judge myself by -- how wel
d...@geer.org wrote:
>> With respect to your question: what we offer is privacy, but most
>> people do not understand privacy, do not care about privacy, and
>> would not care about privacy even if they understood it.
>>
[snip]
>
> You got that right, Brother.
>
> To be more pointed, how many fo
On 10/25/11 5:26 AM, Peter Lebbing wrote:
> So if we can't motivate users by showing the bad stuff that can
> happen if you have no privacy, then how to do it? I don't see any
> other way.
Years ago W.D. Richter wrote a fictitious interview between the two
fictitious characters Reno Nevada and B
On 24/10/11 19:25, Robert J. Hansen wrote:
> With respect to your question: what we offer is privacy, but most people
> do not understand privacy, do not care about privacy, and would not care
> about privacy even if they understood it.
So if we can't motivate users by showing the bad stuff that c
>
> With respect to your question: what we offer is privacy, but most people
> do not understand privacy, do not care about privacy, and would not care
> about privacy even if they understood it.
>
> During graduate school the politically-active members of the Computer
> Science department were
(There are two anecdotes here: the first is purely for amusement, the
latter is actually meant to be on-point.)
On 10/24/11 12:02 PM, Mark H. Wood wrote:
> The cited passage asserts that the hearer is missing out -- he could
> have more than he has now. How much more can I get out of email by
> u
On Mon, Oct 24, 2011 at 11:24:40AM -0400, Robert J. Hansen wrote:
> On 10/24/11 11:15 AM, Mark H. Wood wrote:
> > No one can desire salvation until he believes that he is in jeopardy.
>
> Although hellfire-and-damnation preachers are a popular cultural idea,
> they're really quite rare: most preac
On 10/24/11 11:15 AM, Mark H. Wood wrote:
> No one can desire salvation until he believes that he is in jeopardy.
Although hellfire-and-damnation preachers are a popular cultural idea,
they're really quite rare: most preachers go more for the John 10:10
angle [*]. They've found through centuries
On Fri, Oct 21, 2011 at 06:55:47PM +0100, MFPA wrote:
> If you are trying to get people to think about privacy, maybe
> suggesting Diaspora as an alternative to Facebook is a direction to
> consider...
I would suggest that, if you are trying to get people to think about
privacy, about the only thi
On Fri, Oct 21, 2011 at 01:46:02AM +0200, Marcus Brinkmann wrote:
> On 10/20/2011 10:25 PM, Matthias-Christian Ott wrote:
> > But who are the providers? Except for people who work in computer
> > science, physics or similar fields I don't know people who run their own
> > mail servers or are part o
Hi Matthias-Christian,
thanks for your comments, I think they are entirely correct. With respect to
convincing ISPs, STEED is not a complete proposal yet. The STEED paper covers
the technical aspects of making email encryption usable for the user. It does
not cover the policies of the parties i
Hi
On Thursday 20 October 2011 at 10:04:15 AM, in
, Werner Koch wrote:
> Most users don't have personal web pages. So what now?
> Well many users have a facebook page - but this would
> make facebook mandatory and we would need support from
> th
On 21/10/2011 16:12, Jean-David Beyer wrote:
> Matthias-Christian Ott wrote:
>
>> What about making everyone their own provider? The efforts in this
>> direction initiated by Eben Moglen that led to the FreedomBox and other
>> projects seem to go in the right direction. It doesn't seem to me les
Matthias-Christian Ott wrote:
>
> What about making everyone their own provider? The efforts in this
> direction initiated by Eben Moglen that led to the FreedomBox and other
> projects seem to go in the right direction. It doesn't seem to me less
> realistic than requiring cooperation from provi
On 20-10-2011 22:25, Matthias-Christian Ott wrote:
> What about making everyone their own provider?
Is that technically equivalent to running your own mailserver? Because
that also gives some problems: I run my own server at vulcan.xs4all.nl
(bsmtp at a subdomain of my provider) but get some mail
On Thu, Oct 20, 2011 at 04:16:01AM +0200, Marcus Brinkmann wrote:
> On 10/19/2011 09:30 PM, Peter Lebbing wrote:
> > However, I think you're not ambitious enough when you opt for using DNS for
> > key
> > distribution. Yes, the infrastructure and RR types[1] are already there.
> > But it
> > brin
On Fri, 21 Oct 2011 01:46, marcus.brinkm...@ruhr-uni-bochum.de said:
> not ask for data that is not available for whatever reason. I think your
> interpretation of the regulations in that area is overly pessimistic, but I
> could be wrong. Maybe you can verify this?
Actually the German Federal
On 10/20/2011 10:25 PM, Matthias-Christian Ott wrote:
> But who are the providers? Except for people who work in computer
> science, physics or similar fields I don't know people who run their own
> mail servers or are part of a cooperative. Most other people use a
> handful of providers who often
What proportion of consumer-grade ISPs have bothered to implement
DNSSEC for serving their customers? I don't think mine does, and
they're a big outfit. If I asked, I expect they'd think I was
speaking Aldebaranese or something.
--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Asking w
Hi,
I read this briefly, and I'd actually like to read it over later and maybe
contribute some ideas. The lack of people caring about cryptography is
quite apparent, and may be solved with some good ideas of making things less
annoying / hard to use.
I'd be happy to help.
On Mon, Oct 17, 2011
On 20.10.2011 04:16, Marcus Brinkmann wrote:
> You are right that it is a challenge to get the support in the providers
the lowest effort are discovery via personal web pages like doing XDR or
maybe webfinger. Most users won't be able to have special RRs - not even
for their own domains (which is
On Wed, 19 Oct 2011 22:10, kloec...@kde.org said:
> What NEW standard are you talking about? Werner wants to use OpenPGP.
and S/MIME! We actually don't care. For certain MUAs it is much
simpler to implement something on top of S/MIME than to trying to get
OpenPGP support. The actual protocol
On Thu, 20 Oct 2011 05:30, lists-gnupg...@lina.inka.de said:
> the lowest effort are discovery via personal web pages like doing XDR or
> maybe webfinger. Most users won't be able to have special RRs - not even
Most users don't have personal web pages. So what now? Well many users
have a faceboo
Hi Peter,
thanks for your feedback.
On 10/19/2011 09:30 PM, Peter Lebbing wrote:
> However, I think you're not ambitious enough when you opt for using DNS for
> key
> distribution. Yes, the infrastructure and RR types[1] are already there. But
> it
> brings this nasty dependency on the provider
On Wednesday 19 of October 2011 22:10:30 Ingo Klöcker wrote:
> On Wednesday 19 October 2011, Harakiri wrote:
> >
> > Also - inventing just ANOTHER protocol for email encryption that mail
> > clients should implement? Heck, the only protocol available in all
> > major mail clients right now for out
Hi
On Wednesday 19 October 2011 at 9:49:20 PM, in
, Peter Lebbing wrote:
> By default the STEED system as proposed creates a new
> certificate for every e-mail address. So unless
> manually overridden, there is a one-to-one relation
> between e-
On 2011-10-19 22:49, Peter Lebbing wrote:
> On 19/10/11 22:22, Jerome Baum wrote:
>>> It would be awesome if this could be achieved without revealing other
>>> email addresses or UIDs that might happen to map to the same
>>> key/certificate.
>>
>> Hash the UID many times. (Didn't someone propose th
On Wednesday 19 October 2011, Harakiri wrote:
> --- On Mon, 10/17/11, Werner Koch wrote:
> > From: Werner Koch
> > Subject: STEED - Usable end-to-end encryption
> > To: gnupg-de...@gnupg.org
> > Cc: "Marcus Brinkmann" , gnupg-users@gnupg.org
> > Dat
On 19/10/11 22:22, Jerome Baum wrote:
>> It would be awesome if this could be achieved without revealing other
>> email addresses or UIDs that might happen to map to the same
>> key/certificate.
>
> Hash the UID many times. (Didn't someone propose that a while ago?)
By default the STEED system as
>> If you could do something similar for
>> mapping e-mail addresses to certificates
>
> It would be awesome if this could be achieved without revealing other
> email addresses or UIDs that might happen to map to the same
> key/certificate.
Hash the UID many times. (Didn't someone propose that a
Hi
On Wednesday 19 October 2011 at 8:30:48 PM, in
, Peter Lebbing wrote:
> If you could do something similar for
> mapping e-mail addresses to certificates
It would be awesome if this could be achieved without revealing other
email addresses or
Hi
On Wednesday 19 October 2011 at 7:07:45 PM, in
,
Harakiri wrote:
> Also - inventing just ANOTHER protocol for email
> encryption that mail clients should implement? Heck,
> the only protocol available in all major mail clients
> right now for
On 19/10/11 21:30, Peter Lebbing wrote:
> that is a really major hurdle; probably a too steep one, IMHO.
Given that all normal, literal hurdles are at right angles to the ground, they
are all equally steep. Obviously I meant high :D.
Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination
Werner, Marcus,
Thank you for thinking about taking end-to-end e-mail encryption to the next
level. I really like your ideas.
However, I think you're not ambitious enough when you opt for using DNS for key
distribution. Yes, the infrastructure and RR types[1] are already there. But it
brings this
--- On Mon, 10/17/11, Werner Koch wrote:
> From: Werner Koch
> Subject: STEED - Usable end-to-end encryption
> To: gnupg-de...@gnupg.org
> Cc: "Marcus Brinkmann" , gnupg-users@gnupg.org
> Date: Monday, October 17, 2011, 2:11 PM
> Hi!
>
> http://g10c
Hi,
On 19.10.2011, at 15:11, Tom Ritter wrote:
> Other Security Folks: Absolutely NO javascript cryptography. Zero, none.
well, JavaScript itself is just another programming language and combined with
modern technologies like HTML5 Web Storage there is nowadays technically no
need to implement
On 18 October 2011 12:00, Werner Koch wrote:
> On Tue, 18 Oct 2011 16:35, jer...@jeromebaum.com said:
>
>> operations will be the most important part to making that work, and the
>> ISPs don't have to help out there (modulo webmail which isn't even
>> end-point).
>
> Even webmail. It is easy to w
- Original Message -
From: "Werner Koch"
To: "Jerome Baum"
Cc:
Sent: Tuesday, October 18, 2011 7:00 PM
Subject: Re: STEED - Usable end-to-end encryption
On Tue, 18 Oct 2011 16:35, jer...@jeromebaum.com said:
operations will be the most important part to m
* Robert Holtzman [111018 21:43,
mID <20111018185035.gb4...@cox.net>]:
> The greatest hindrance to widespread adoption is the phrase I often
> hear..."I've got nothing to hide" It drives me up a wall.
+1
Martin
On Mon, Oct 17, 2011 at 05:50:42PM -0600, Aaron Toponce wrote:
.snip..
>
> At any rate, I would love to see more client-to-client encryption in email.
> I've always wondered if there could be an "OTR" approach to mail, somehow,
> so people don't need to generate and manag
On Tue, 18 Oct 2011 16:35, jer...@jeromebaum.com said:
> operations will be the most important part to making that work, and the
> ISPs don't have to help out there (modulo webmail which isn't even
> end-point).
Even webmail. It is easy to write a browser extension to do the crypto
stuff. Insta
On 10/18/2011 11:58 AM, Werner Koch wrote:
> We did this for about 15 years - without any success. If you look
> at some of the studies you will see that you can't teach that stuff
> to non-techies - sometimes not even to engineers.
As a data point from 2005:
I was teaching computer literacy at
> Even webmail. It is easy to write a browser extension to do the crypto
> stuff. Installing browser extensions is even easier than installing
> most other software.
I'd make it a point of discussion whether it's still webmail proper then.
But you could also use Javascript, Java or Flash, so ye
On Tue, 18 Oct 2011 15:42, mw...@iupui.edu said:
> To be secure without being involved in the process is an unreasonable
> expectation which can never be met. We need to teach our kids to
> expect to protect themselves online the same way we teach them to look
We did this for about 15 years - wi
On Tue, 18 Oct 2011 16:30, pe...@digitalbrains.com said:
> Because it is the e-mail address of the recipient you look up; that's all the
> data you have in this scenario. Thus, for me you would look up a key
> corresponding to user peter at the domain digitalbrains.com. The only logical
Right. T
> I don't see why the ISP has to be the entity providing DNS lookup.
> The one I use won't even allocate me a static address, let alone
> accept RRs from me to serve out to others. I'm not sure I'd trust
> them to get it right and *keep* it right anyway.
I should clarify. An email provider is als
> ... We can remove *needless* complexity, but security could be said
> to be the art of *introducing* specific complexity that's a lot worse
> for the attacker than it is for you. It can't be automagical.
>
> Anyway, key generation is already automated. All you have to do is
> (1) choose to em
On Tue, 18 Oct 2011 15:30, jer...@jeromebaum.com said:
> In fact to my knowledge outside of webmail and inside "private email"
> (so drop companies, universities, schools) it's usual to configure your
> own MUA, with the help of instructions from your ISP.
Well, so we need to convince them to cha
>> In fact to my knowledge outside of webmail and inside "private email"
>> (so drop companies, universities, schools) it's usual to configure your
>> own MUA, with the help of instructions from your ISP.
>
> Well, so we need to convince them to change those instructions.
Yes and this is what I s
On 18/10/11 16:00, Mark H. Wood wrote:
> I don't see why the ISP has to be the entity providing DNS lookup.
Because it is the e-mail address of the recipient you look up; that's all the
data you have in this scenario. Thus, for me you would look up a key
corresponding to user peter at the domain d
On Mon, Oct 17, 2011 at 05:50:42PM -0600, Aaron Toponce wrote:
[snip]
> At any rate, I would love to see more client-to-client encryption in email.
> I've always wondered if there could be an "OTR" approach to mail, somehow,
> so people don't need to generate and manage their own sets of keys, as t
I don't see why the ISP has to be the entity providing DNS lookup.
The one I use won't even allocate me a static address, let alone
accept RRs from me to serve out to others. I'm not sure I'd trust
them to get it right and *keep* it right anyway.
If the ISPs won't cooperate, maybe the antivirus v
>> Skimmed over this. You say that you need ISP support to get the
>> system adopted (for the DNS-based distribution). Wouldn't that
>> hinder adoption?
>
> Please look at how most people use mail: They get a mail address from
> their ISP, a preinstalled MUA and so on. Mail works for them
> in
On 17 October 2011 20:11, Werner Koch wrote:
> Hi!
>
> Over the last year Marcus and I discussed ideas on how to make
> encryption easier for non-crypto geeks. We explained our plans to
> several people and finally decided to start a project to develop such a
> system. Obviously it is based on
Aaron Toponce writes:
> I've added it with "my_hdr OpenPGP id=${pgp_sign_as}\;url=...". The only
> question remaining, for me, is whether or not it should be "X-OpenPGP" or
> "OpenPGP" as the header field name. I've heard various positions on this,
> but nothing definitive.
No X-OpenPGP please.
On Mon, 17 Oct 2011 20:25, jer...@jeromebaum.com said:
> Skimmed over this. You say that you need ISP support to get the system
> adopted (for the DNS-based distribution). Wouldn't that hinder adoption?
Please look at how most people use mail: They get a mail address from
their ISP, a preinstalle
On 10/17/2011 6:07 PM, Jerome Baum wrote:
>>> So enabling _Enigmail_'s "Send 'OpenPGP' header" option is difficult now?
>
> The emphasis was clearly on "Enigmail", not on whether it's difficult or
> not.
And the answer to your question is obviously, "Yes."
> If you hadn't misquoted me you might
On Mon, Oct 17, 2011 at 08:25:04PM +0200, Jerome Baum wrote:
> How about an opportunistic approach? This email should include the
> following header:
>
> OpenPGP: id=C58C753A;
> url=https://jeromebaum.com/pgp
>
> The MUA could recognize a header like this one and remember that there's
> a cer
On 2011-10-17 23:59, Robert J. Hansen wrote:
> On 10/17/11 5:21 PM, Jerome Baum wrote:
>> So enabling _Enigmail_'s "Send 'OpenPGP' header" option is difficult now?
>
> [long rant about Enigmail]
The emphasis was clearly on "Enigmail", not on whether it's difficult or
not. If you hadn't misquoted
On 10/17/11 5:21 PM, Jerome Baum wrote:
> So enabling _Enigmail_'s "Send 'OpenPGP' header" option is difficult now?
Unquestionably, indubitably, beyond doubt, *yes*. You are assuming a
level of computer literacy that is beyond 95% of the computing public.
Remember, under 10% of the computing publ
> http://windowslivehelp.com/solution.aspx?solutionid=a485233f-206d-491e-941b-118e45a7cf1b
Wow, since 2009 (I haven't checked back in a while -- stay clear of
strange hosts like hotmail).
I think the point still stands though. I don't think email providers are
the right place to look for end-to-e
On Mon, 17 Oct 2011 20:25:04 +0200
Jerome Baum articulated:
> Skimmed over this. You say that you need ISP support to get the system
> adopted (for the DNS-based distribution). Wouldn't that hinder
> adoption? hotmail and the like still don't support POP3 or IMAP in a
> standard account, and they
On 2011-10-17 23:00, Ben McGinnes wrote:
> On 18/10/11 7:32 AM, Aaron Toponce wrote:
>>
>> I like the idea, but how are you setting the header? I see you're
>> using Thunderbird, and I don't believe that setting that header is
>> part of Enigmail. Further, it appears your mail isn't signed. Just
>>
On 18/10/11 7:32 AM, Aaron Toponce wrote:
>
> I like the idea, but how are you setting the header? I see you're
> using Thunderbird, and I don't believe that setting that header is
> part of Enigmail. Further, it appears your mail isn't signed. Just
> curious.
No, but it is part of Thunderbird:
> http://g10code.com/docs/steed-usable-e2ee.pdf
Skimmed over this. You say that you need ISP support to get the system
adopted (for the DNS-based distribution). Wouldn't that hinder adoption?
hotmail and the like still don't support POP3 or IMAP in a standard
account, and they are still popular
Hi!
Over the last year Marcus and I discussed ideas on how to make
encryption easier for non-crypto geeks. We explained our plans to
several people and finally decided to start a project to develop such a
system. Obviously it is based on GnuPG but this is only one component
of the whole system.
79 matches