On 11/08/2015 11:34 AM, oshwm wrote:
So...
Click on the little options button (three lines) at the top right of Thunderbird. Hover over Enigmail and click on Key Management. A list of local copies of keys will appear, including my own private ones. I double click on my key to show the details about it. This includes the creation date of 23/07/15.
Well, that was quite simple, it's almost as if someone created a not perfect but workable User Interface called Enigmail - it even has a Wizard for creating new keys and configuring Thunderbird.
It gets more tricky if you have multiple email accounts in Thunderbird but not prohibitively so.
It's not created by Apple so the shiny things fanbois will hate it.
That seems easy enough though that even a Windows user could manage it.
The tough bit is understanding crypto but with analogies about keys and shit then most people only need a superficial understanding of how to USE GPG rather than Prime Numbery stuff - they should be able to cope.
I include my public key as a signature. I DO NOT give out the password to decode messages sent under that sig, nor would I find it efficacious to do so with a separate encrypt-for-a-PUBLIC-list key. It makes no sense whatsoever to encrypt messages to a public listserv. RR
On 08/11/15 18:58, oshwm wrote:
On 08/11/15 13:41, Joseph Gentle wrote:
On 08/11/15 08:40, Peter Gutmann wrote:
oshwm <oshwm@openmailbox.org> writes:
Can GPG be easier to use, I think so, is it too difficult to use by ordinary people - no, they're just too fucking lazy and lack motivation.
... and this is pretty much the poster child for why we have so much unusable crypto today.
Or, why we have such a fucking retarded human race with the attention span of a gnat who expect everything to be given to them on a plate. People have to stop being lazy and start taking an interest and responsibility for what goes on in the world around them - your point of view reinforces the dumbing down of the population and the increase in power of the Government and big Corps.
Even if that's all true, it's still also true that nobody is using PGP. It's easier to make a slick UI than convince people to do work. Is it so much to ask that people who make software try to make life easy for their users?
On Sun, Nov 8, 2015 at 7:45 PM, oshwm <oshwm@openmailbox.org> wrote:
Slick UI would be cool, just a shame that's being used as an excuse by ppl who can't be arsed to do a bit of work. What's the excuse once it has a nice UI?
As for nobody is using PGP, I think that may be a little overstated - what you mean is nobody who doesn't give a fuck about privacy is using it.
For all your talk of doing hard work oshwm, it looks like you only created that PGP key yesterday:
    $ gpg --list-packets signature.asc
    hashed subpkt 2 len 4 (sig created 2015-11-08)
    [...]
except the key has been around for quite some time, I did re-sync with the sks servers yesterday.
And as far as I can tell it hasn't been signed by anyone. At least I think so - after 15 minutes fighting with gpg I still can't find your actual key and I ran out of care.
No, it hasn't been signed by anyone as I don't have any friends in real life who give two shits about security as I mix with non-techies offline. This is not a difficulty issue, I can't even begin to talk about encryption with them without them changing the issue to great subjects such as what was on telly last night.
... Which leads me into my second point, which is that here in 2015 PGP is a terrible technical solution. It doesn't encrypt metadata (which is a non-starter these days - who you communicate with is some of the *most* valuable personal data for the NSA). It also leaks information about who signed your key. That means either:
Oh yeh, some bright spark came up with STARTTLS for encrypting comms with mail servers but made it optional, not a GPG issue. However, the metadata issue is a big problem for everyone who connects to a server that isn't owned by them and I suspect really requires a new mail protocol to resolve.
- Your key gets signed by your friends, so now your friend network is public
or
- Emails with PGP are provably from you, in a way that can be traced back to physically witnessed government ID.
1) friend network - can't be avoided if you want a system for vouching for email sender authenticity.
2) That's part of what PGP is about - sender authenticity. My PGP is not attached to a Gov Issued ID.
... Or both! Personally I would rather the possibility of forgery than either of those outcomes.
-J