Mailing List Archive

Re: PGP/MIME use [ In reply to ]
On Wed, 1 Feb 2012 13:37:56 -0500
MichaelQuigley@TheWay.Org articulated:

> However, I've written scripts to
> routinely sign files for transmission to our bank.

Does your bank actually verify those signed documents? I have sent
documents to various organizations, both signed and unsigned and never
heard a word spoken from any of them regarding it.

--
Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__________________________________________________________________


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: PGP/MIME use [ In reply to ]
On 2/1/12 2:23 PM, Jerry wrote:
> Does your bank actually verify those signed documents?

I can't vouch for financial institutions. I can tell you that when I
was working in electronic voting, whenever I asked questions about "do
you verify signatures?" I was always assured that yes, yes they did.
Whenever I asked, "when was the last time you had a bad signature?" I
always received an answer of either "gee, look at the time, gotta go,"
or "we've never had a bad signature on data from a real election, after
all, our systems are reliable and trustworthy."

From the perspective of the voting authority, if they say "no we don't
check signatures" it undercuts confidence, therefore they always say
they check signatures. If they say "yeah, we had a bad sig last week, a
byte got dropped somewhere, we re-sent the data and it was fine," that,
too, undercuts confidence: they're admitting the system isn't perfect.

I liked hearing the "Gee, look at the time, gotta go" answer. It seemed
to be the most honest.

YMMV, and banks are definitely different beasts from voting authorities.

Re: PGP/MIME use [ In reply to ]
On Wed, 01 Feb 2012 14:40:23 -0500
Robert J. Hansen articulated:

> I liked hearing the "Gee, look at the time, gotta go" answer. It
> seemed to be the most honest.
>
> YMMV, and banks are definitely different beasts from voting
> authorities.

I used to get the "Gee" bit too when I asked for a raise. Anyhow, I am
willing to bet that most, if not all banking establishments do not
verify signed mail, or if they do they want S/MIME since their user
base is vastly Microsoft orientated and S/MIME is favored on that
architecture.

An unverified signed document is about as useful as tits on a bull. I
receive from time to time a signed document on various forums that is
shown as bad by my MUA (claws-mail). Usually, it is just out of date.
Occasionally, I get a revoked one though. Again, it is usually due to
the PEBKC phenomenon. In any case, I have never considered the
signature to be of any importance in a mail forum environment. I know
that some users do, and that is their right. The only problem I have
is with those friggin "inliners" whose signature Spams up the page and
makes a "sig-delimiter" impotent. Then, of course, there are
those intellectually challenged who fail to trim out that superfluous
crap before replying to it.

--
Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.

Re: PGP/MIME use [ In reply to ]
On Wednesday, 1 February 2012, 19:37:56, MichaelQuigley@theway.org wrote:

> I would be one who fits in the other case. I've never signed an
> e-mail--no one at our organization does. (Not that I wouldn't like to,
> but nearly all those with whom I communicate wouldn't have any use for nor
> comprehension of the signature.) However, I've written scripts to
> routinely sign files for transmission to our bank. I would definitely
> count us as serious users.

And you perfectly fit the description I gave for "serious users" from my
perspective.


> I'm sure there are plenty of others who also
> sign their business transmissions using GPG.

I don't doubt that. I just don't understand why someone who has understood the
concept and is capable of validating keys of others, encrypting, decrypting
and signing should not use that technology for his email (neither professional
nor private). The people I know who are interested in security technology are
generally interested in spreading this technology (not limited to OpenPGP).

Thus I assume that you are an exception, whatever your reasons may be.


Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
Re: PGP/MIME use [ In reply to ]

Hi


On Wednesday 1 February 2012 at 5:19:41 PM, in
<mid:20120201121941.5e100a23@scorpio>, Jerry wrote:


> Windows users prefer S/MIME.

Seems likely to me that the majority of Windows users use neither
S/MIME nor openPGP.

--
Best regards

MFPA mailto:expires2012@rocketmail.com

Never lean forward to push an invisible object.


Re: PGP/MIME use [ In reply to ]
On 2/1/12 4:14 PM, Hauke Laging wrote:
> I just don't understand why someone who has understood the
> concept and is capable of validating keys of others, encrypting, decrypting
> and signing should not use that technology for his email.

I have referred to this paper probably five times or more on this list
and other lists. I really wish people would read it. I'm getting tired
of answering this -- it's my least-favorite OpenPGP-related question.

Shirley Gaw, Edward W. Felten, Patricia Fernandez-Kelly. Secrecy,
Flagging and Paranoia: Adoption Criteria in Encrypted Email.
Proceedings of CHI 2006 Conference on Human Factors in Computing
Systems, 2006.

http://www.cs.princeton.edu/~sgaw/publications/01Feb-Activists-sgaw-CHI2006.pdf

Re: PGP/MIME use [ In reply to ]

On 2/1/2012 04:35 PM, MFPA wrote:
> Seems likely to me that the majority of Windows users use neither
> S/MIME nor openPGP.

This is an assumption. I, personally, have a dual-boot system with a GNU/Linux
OS and Windows 7. Ever since I discovered GnuPG and the OpenPGP standard, I
have used them on both systems. I cannot, however, speak for the "majority" of
Windows users, as I share the same assumption, though my support is the fallacy
of leaning on personal experience.

Regards,
Christopher J. Walters




Re: PGP/MIME use [ In reply to ]
gnupg-users-bounces@gnupg.org wrote on 02/01/2012 01:58:45 PM:
> ----- Message from Jerry <jerry@seibercom.net> on Wed, 1 Feb 2012 14:23:31 -0500 -----
> To: gnupg-users@gnupg.org
> Subject: Re: PGP/MIME use
>
> On Wed, 1 Feb 2012 13:37:56 -0500
> MichaelQuigley@TheWay.Org articulated:
>
> > However, I've written scripts to
> > routinely sign files for transmission to our bank.
>
> Does your bank actually verify those signed documents? I have sent
> documents to various organizations, both signed and unsigned and never
> heard a word spoken from any of them regarding it.

Yes they verify the signature on the file. In fact, I spent quite a bit
of time working with them to get the signature to successfully verify. (It
finally turned out that they did not want clearsign, but I had been
specifically told to use both clearsign and armour.) I'm quite confident
they are verifying the signature on all files transmitted via the platform
we're using.
Re: PGP/MIME use [ In reply to ]
On Wed, 1 Feb 2012 21:35:21 +0000
MFPA articulated:

> Seems likely to me that the majority of Windows users use neither
> S/MIME nor openPGP.

Which would equate to the majority of non-Windows users. However, of
those users on MS Windows that do use a form of document signing, I
believe that majority employ S/MIME, if for no other reason than it
works seamlessly in MS Outlook. As I stated elsewhere, I use S/MIME on
my MS Windows machines because it is just easier to do. I really,
really like the KISS principle. For that very reason, on my FreeBSD
based machines, I employ PGP. I see no problem with it and both work
quite well. Others are certainly entitled to their own opinion.

--
Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__________________________________________________________________


Re: PGP/MIME use [ In reply to ]

On 2/1/2012 04:38 PM, Robert J. Hansen wrote:
> I have referred to this paper probably five times or more on this list
> and other lists. I really wish people would read it. I'm getting tired
> of answering this -- it's my least-favorite OpenPGP-related question.
>
> Shirley Gaw, Edward W. Felten, Patricia Fernandez-Kelly. Secrecy,
> Flagging and Paranoia: Adoption Criteria in Encrypted Email. Proceedings
> of CHI 2006 Conference on Human Factors in Computing Systems, 2006.
>
> www.cs.princeton.edu/~sgaw/publications/01Feb-Activists-sgaw-CHI2006.pdf


I have read the abstract, and admit that I only skimmed the rest of that
paper. I find that it is only really talking about the use of public key
encryption of messages, and the human factors that lead to the decision of
whether or not to encrypt messages.

That is a separate topic from actually signing your message with your secret
key - and is not terribly germane to public mailing lists. Since the list
owner would have to deem it worth the trouble to generate a key pair for the
list AND collect the public keys of each subscriber, and use software that
will be able to decrypt messages sent to the list, and re-encrypt them to
each subscriber. This would not significantly improve security in such a
forum, and would increase the load on the system that processes mail for the
list.

To clarify, by "public mailing list", I mean that anyone can join it and post
to it. A private mailing list, in this context, would be an
"invite-only" list, where one would have to be known to the list owner and
specifically invited to join.

Signing, OTOH is a personal choice of each subscriber. Those who choose to
do so can do so, and those who do not choose to do so, do not.

Regards,
Christopher J. Walters




Re: PGP/MIME use [ In reply to ]
On 2/1/12 5:02 PM, Christopher J. Walters wrote:
> I have read the abstract, and admit that I only skimmed the rest of
> that paper. I find that it is only really talking about the use of
> public key encryption of messages, and the human factors that lead
> to the decision of whether or not to encrypt messages.

Read the paper.

One of the principal reasons the NGO in the study avoided using crypto
was because they were concerned about appearing to outsiders as if
they were paranoids with something to hide.

Why do you want to sign everything? Because you want to detect if
someone's tampered with your messages. What are you, some kind of
paranoid who's worried about people screwing with your email?

Seriously. Read the paper. It's worthwhile.

Re: PGP/MIME use [ In reply to ]

Hi


On Wednesday 1 February 2012 at 9:14:33 PM, in
<mid:201202012214.38430.mailinglisten@hauke-laging.de>, Hauke Laging
wrote:


> I just don't understand why someone
> who has understood the concept and is capable of
> validating keys of others, encrypting, decrypting and
> signing should not use that technology for his email
> (neither professional nor private).


There are plenty of things people don't bother doing, despite
understanding, knowledge, and capability. Why should this be
different?



--
Best regards

MFPA mailto:expires2012@rocketmail.com

A closed mouth gathers no foot


Re: PGP/MIME use [ In reply to ]
On Wednesday, 1 February 2012, 23:19:43, MFPA wrote:

> > I just don't understand why someone
> > who has understood the concept and is capable of
> > validating keys of others, encrypting, decrypting and
> > signing should not use that technology for his email
> > (neither professional nor private).
>
> There are plenty of things people don't bother doing, despite
> understanding, knowledge, and capability. Why should this be
> different?

I give training courses about cryptography in a German party and am involved
in the discussion whether and how we should use it in our administration. Thus
I have some experience with (mostly) "normal" people (no IT geeks). My
experience is that

a) most people don't care at all (which probably everyone here can confirm...)

b) the other ones say that it's a useful technology but they do not use it due
to either their software not supporting it or (more important) their personal
lack of knowledge

c) I have never encountered someone saying something like "I know how it
works, I use it for software distribution and backups but I have never used it
for email".

The probable main difference to your "plenty of things" is that this is
considered useful (for email!) by many people (many more than capable of using
it). Thus it seems quite improbable to me that among those few who are capable
of using it there are many who do not find it useful (for email).


Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
Re: PGP/MIME use [ In reply to ]
On Wednesday, 1 February 2012, 17:19:08, Robert J. Hansen wrote:
> On 2/1/12 10:47 AM, Hauke Laging wrote:
> > Of course not. I just don't believe that there are many examples of
> > this type out there. To me a serious user is one who actively signs,
> > encrypts, and/or verifies data and knows what he is doing. He has
> > created a key and verified at least one. Everything else seems like
> > special use to me.
>
> Then yes, you are selecting for email users. There are quite a lot of
> people who use GnuPG primarily for themselves -- for instance, a system
> administrator who signs each backup, a lawyer who encrypts files when in
> transit on a flash drive, etc.

My description does not select for email users only but also covers your
examples. We are not talking about "primarily" but about "only".


> Yes, this definition means that you're a serious user of your OS kernel.
> And why wouldn't you be? You demand your PC make thousands of kernel
> calls each second. Is that not serious use?

Depends on what you are thinking about. Of course, it is interesting to know
how many kernels are out there. But it is also interesting and deserves being
looked at separately how many people have an "active", "planned" interaction
with their kernel. Something like compiling it themselves, compiling modules
for it, deactivating or configuring modules, configuring the kernel via
command line parameters, saving an old kernel version as fallback.


> >> (GnuPG is already on your system.)
> >
> > That's not true for a certain quite popular OS.
>
> Quote in context, please. In context, that sentence obviously referred
> to Linux users. Quoting people out-of-context to score points is a pet
> peeve of mine.

I apologize if anyone had the impression that I used your quote wrongly (but
why should I?). The point is that you said nothing about Windows which due to
its market share cannot be ignored. And that has no relation to the context of
your quote.


> And if users who know of,
> are aware of, who pay attention to, how GnuPG works behind the scenes
> aren't relevant to you, then what is?

I do not see how relevance could be bound to knowing what happens if this has
no influence to what happens at all. Users who need a software (whether they
know that or not) are relevant to me, too. But those users are relevant for
GnuPG's verification feature only because they never use anything else.

To me it's important for the assessment of a user whether or not he causes any
data in the world to be changed (because he signs something, encrypts
something, something is encrypted for him). One group makes just a quantity
difference to IT, the other one a quality difference.

The reason why most people do not use Enigmail (or something similar) is *not*
the installation of GnuPG. You can easily install GnuPG without any clue how
to use it. The main reasons are the lack of felt need (whether those people on
average feel a need for update rpm signature checks?) and the lack of
knowledge. Thus only comparing the GnuPG users with knowledge to the Enigmail
users makes sense to me.


> Each benchmark I use to represent
> a class of users, you reject as being not what you're talking about, so
> please tell me precisely what you *are* talking about.

I already did so:
> > This sounds like a No True Scotsman fallacy. If someone uses GnuPG but
> > not for email, does that disqualify them from being a serious user?
>
> [...] To me a serious user is one who actively signs, encrypts,
> and/or verifies data and knows what he is doing. He has created a key and
> verified at least one. Everything else seems like special use to me.

However, we are not discussing something important. You said that Enigmail
users were just a small share of GnuPG users. This share depends on the part
of GnuPG users considered. Obviously our opinions about that part differ but
the decision who is "right" has no consequence at all.


> > And which of these scenarios is more probable? Who will after
> > starting to sign emails start to send emails to people he is not
> > familiar with?
>
> Quite a lot, apparently. There are a whole lot of people on this
> mailing list. I'm sending a message to all of them, including people I
> don't even know.

But you don't send email to this list *because* you sign your email. You don't
even sign your email to this list.


> Your question: "Who will after starting to sign emails start to send
> emails to people he is not familiar with?"
>
> The answer is Facebook. Google+. eHarmony. Match.com. JDate.
> Bear411. ChristianSingles.com. The list goes on and on and on.

Right. But for nearly none of those cryptography is the reason for contacting
others. In other words: If email cryptography becomes more common there is no
reason to expect more email from unknown people (due to this effect).


> The people who would be complaining about my conduct would be people who
> don't know me from the wind. *They're* the ones who would have to be
> persuaded I was on the up-and-up.

OK but if someone considers his opinion about something he is not familiar
with superior to the uniform opinion of some who are familiar then I would
consider him an idiot (not stating that idiots cannot be a problem for someone
innocently accused).


> >> And then I imagined my dean answering, "That proves nothing: after
> >> all, if I was posting this stuff I wouldn't sign it, either."
> >
> > Would not make much sense to use the name but not sign it, though.
>
> Sure it would. Deniability.

That's the sense of non-signing. What's the sense of using your name? Creating
problems for yourself? Accepting those problems in order to make the offense
more interesting to the public?


Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
Re: PGP/MIME use [ In reply to ]
On Wednesday, 1 February 2012, 22:38:57, Robert J. Hansen wrote:
> On 2/1/12 4:14 PM, Hauke Laging wrote:
> > I just don't understand why someone who has understood the
> > concept and is capable of validating keys of others, encrypting,
> > decrypting and signing should not use that technology for his email.
>
> I have referred to this paper probably five times or more on this list
> and other lists. I really wish people would read it. I'm getting tired
> of answering this -- it's my least-favorite OpenPGP-related question.

I knew that paper (due to one of your emails). I read it again now. It has
quite little to do with my "question".

My question was NOT "Why do so few people use email cryptography"? But that is
the question this paper wants to answer.

Some points from the paper:
• It is (mainly) about people not familiar with GnuPG in some context
different from email.

• One of the two most IT capable people being interviewed does not even know
how to make signatures.

• Most or even all of those users did not have an environment which creates
signatures or encrypts automatically. I have not read how they did it; I
assume they used some program not integrated into their email software and had
to use the clipboard for transferring the data.

• Most of the paper is about encryption. None of the interviewed people denied
the sense of encryption in certain cases.

I do not see how to get valid conclusions from non-IT people using bad
software for IT people free to choose their software.


Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
Re: PGP/MIME use [ In reply to ]
On 2/1/12 5:53 PM, Hauke Laging wrote:
> I apologize if anyone had the impression that I used your quote
> wrongly (but why should I?). The point is that you said nothing about
> Windows which due to its market share cannot be ignored. And that has
> no relation to the context of your quote.

Yes, I'm ignoring Windows, mostly because I have absolutely no idea
where to begin estimating GnuPG users on Windows. All I can do is
mutter something about "wovon man nicht sprechen kann, darüber muß man
schweigen" and quickly change the subject. :)

That said, yes, on Linux Enigmail is a niche player. The major distros
ship either KDE or GNOME desktops. KDE's default mail application is
KMail, and GNOME's is Evolution. Both have strong OpenPGP support. You
don't need to install Thunderbird+Enigmail on those platforms to get
OpenPGP support for email, so most people who want OpenPGP email don't.

> The reason why most people do not use Enigmail (or something similar)
> is *not* the installation of GnuPG.

Having fielded questions from people stymied by Enigmail installation
for a few years now, I disagree. I've encountered a lot of people who
find it to be a significant obstacle. It was much worse in the past,
but since the introduction of Windows installers for GnuPG the problems
have diminished significantly. We still get a fair number of them, though.

> But you don't send email to this list *because* you sign your email.
> You don't even sign your email to this list.

No, but I do sign emails. There are a fair number of people who can
attest to that. I just don't sign emails to mailing lists except in
unusual cases (e.g., I'm making a post to the Enigmail list in my role
as a list moderator) or when I've enabled signing by accident.

> Right. But for nearly none of those cryptography is the reason for
> contacting others. In other words: If email cryptography becomes more
> common there is no reason to expect more email from unknown people
> (due to this effect).

I don't understand what you're saying. If cryptography is the reason to
contact someone, then I think we all need to get out more. :) I contact
people to *communicate*. Cryptography is just a tool to facilitate that.

> OK but if someone considers his opinion about something he is not
> familiar with superior to the uniform opinion of some who are
> familiar then I would consider him an idiot.

World's full of 'em. God knows I've asserted my right to be a damnfool
idiot from time to time, so I'm inclined to judge them a bit more leniently.

> That's the sense of non-signing. What's the sense of using your name?
> Creating problems for yourself? Accepting those problems in order to
> make the offense more interesting to the public?

Ask Charlie Sheen, or for that matter anyone who's ever wrestled with
bipolar disorder, drug addiction, or any of a whole host of illnesses
and/or conditions that can cause erratic behavior. Sometimes the
software running on the gray matter just breaks and people act in weird
ways. It's part of the human condition.

Re: PGP/MIME use [ In reply to ]
On 2/1/12 6:08 PM, Hauke Laging wrote:
> My question was NOT "Why do so few people use email cryptography"?
> But that is the question this paper wants to answer.

Your statement was, "I just don't understand why someone who has
understood the concept[s] and is capable of [using the software] should
not use that technology for his email." That's a statement, not a
question: I inferred your question as, "Why is it people who understand
the concepts and are capable of using the software don't use it for
their email?"

And that is, in fact, exactly the question they're answering. "In this
paper we try to identify additional barriers by interviewing a set of
users from an organization that relies on secrecy. Our interviews
demonstrate that users' attitudes about encryption, and the social
significance users attach to it, are an important factor in limiting
adoption."

Their central finding? It's not a technological problem: it's a social one.

> Some points from the paper:
>
> • It is (mainly) about people not familiar with GnuPG in some context
> different from email.

Incorrect. GnuPG is never mentioned in the paper. The NGO mentioned in
the paper is PGP-only. Some of their case studies (Woodward) used PGP
to encrypt files on their desktops: others (Abe) were email-only. Some
were email-only (Jenny) but abandoned it, others... etc.

> • Most or even all of those users did not have an environment which
> creates signatures or encrypts automatically.

Incorrect. The paper makes it clear they had plugins available to do
the process automatically. "In addition, [Woodward] distrusted plugins
for email programs, relying on encrypting the text of a message first
and copying it into his email program later." That sentence only makes
sense if they had access to plugins. Further, PGP circa 2006 shipped
with email plugins.

Another user, Abe, "used encryption to protect financial data ... [he]
believed this setup was simple." From that I infer Abe had suitable
tools for the task -- which is quite plausible, given we know they were
using PGP.

Re: PGP/MIME use [ In reply to ]
On Thursday, 2 February 2012, 00:27:04, Robert J. Hansen wrote:

> Your statement was, "I just don't understand why someone who has
> understood the concept[s] and is capable of [using the software] should
> not use that technology for his email." That's a statement, not a
> question:

You are so right. You like quotation contexts, don't you?

> I knew that paper (due to one of your emails). I read it again now. It has
> quite little to do with my "question".

See the ""?


> I inferred your question as, "Why is it people who understand
> the concepts and are capable of using the software don't use it for
> their email?"

Correct.


> And that is, in fact, exactly the question they're answering. "In this
> paper we try to identify additional barriers by interviewing a set of
> users from an organization that relies on secrecy. Our interviews
> demonstrate that users' attitudes about encryption, and the social
> significance users attach to it, are an important factor in limiting
> adoption."

That's not even nearly the question they are answering. For none of the users
they mention that he uses GnuPG-like software in a context different from
email. At most one of them "understands the concept" (as a whole, not just a
part of it, i.e. encryption). They don't say that explicitly but we have to
assume that everyone else has neither understood the feature signing nor is
using it.

How much do these people have in common with admins and lawyers in your
opinion?


> Their central finding? It's not a technological problem: it's a social
> one.

I have never heard or assumed something different.


> > Some points from the paper:
> >
> > • It is (mainly) about people not familiar with GnuPG in some context
> >
> > different from email.
>
> Incorrect. GnuPG is never mentioned in the paper.

Thus we have no reason to assume that any of them is familiar with GnuPG. Our
point is people familiar with GnuPG who do not use email cryptography. This is
the other way round: People using email (most of them) with no information
about their other background.


> > • Most or even all of those users did not have an environment which
> > creates signatures or encrypts automatically.
>
> Incorrect. The paper makes it clear they had plugins available to do
> the process automatically. "In addition, [Woodward] distrusted plugins
> for email programs, relying on encrypting the text of a message first
> and copying it into his email program later." That sentence only makes
> sense if they had access to plugins. Further, PGP circa 2006 shipped
> with email plugins.

No, it also makes sense reading "He did not see a problem in not having a tool
for automatic processing as he would not have used it anyway as he distrusted
such plugins".

Furthermore "available" is not the same as "using".

There are other quotes which make sense only if such plugins are NOT
available:

"He (Abe) estimated that encrypting every e-mail message would
add another hour to his workday unless it was automated."

"He (Abe) figured this man has an automated system for encrypting e-mail"

"I (Jenny) think he probably has some automated system. That everything he
sends gets encrypted automatically. I can’t believe he’s encrypting manually
every time. But to me, it’s like—OK, if it’s automated—fine."

"If it was encrypted on his computer and he sent to my computer, automatically
encrypted or decrypted it—fine. Then, encrypt everything you want."

"Arguably, some of the stigma associated with using encrypted e-mail was tied
to the overhead of the system ActivistCorp used. Where appropriate, some of
the process can be removed or automated."

> Another user, Abe, "used encryption to protect financial data ... [he]
> believed this setup was simple."

The same one saying "most people see this as more work and want things
simpler" and "I’m actually considered a “techie”". "Simple" is in the eye of
the beholder. It may even have referred to the point that he just encrypts
financial data which he regularly synchronizes with others.


Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
Re: PGP/MIME use [ In reply to ]
On 2/1/2012 7:30 PM, Hauke Laging wrote:
>> Your statement was, "I just don't understand why someone who has
>> understood the concept[s] and is capable of [using the software] should
>> not use that technology for his email." That's a statement, not a
>> question:
>
> You are so right. You like quotation contexts, don't you?

I'm afraid, Hauke, that I don't understand what you're getting at.

>> I inferred your question as, "Why is it people who understand
>> the concepts and are capable of using the software don't use it for
>> their email?"
>
> Correct.

Then you have my response to that: the paper I cited does a good job of
answering that question.

> That's not even nearly the question they are answering.

Then we disagree completely, and there's nothing more to be said.

Re: PGP/MIME use [ In reply to ]
> ---------- Forwarded message ----------
> From: "Robert J. Hansen" <rjh@sixdemonbag.org>
> To: gnupg-users@gnupg.org
> Cc:
> Date: Wed, 01 Feb 2012 18:12:24 -0500
> Subject: Re: PGP/MIME use
> On 2/1/12 5:53 PM, Hauke Laging wrote:
> Yes, I'm ignoring Windows, mostly because I have absolutely no idea
> where to begin estimating GnuPG users on Windows. All I can do is
> mutter something about "wovon man nicht sprechen kann, darüber muß man
> schweigen" and quickly change the subject. :)


OK, I'm sorry, but when someone drops Wittgenstein—on topic—on a
list about cryptography, there needs to be some recognition of
that.

Well done, sir.

--Avi


----
User:Avraham

pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key) <avi.wiki@gmail.com>
   Primary key fingerprint: 167C 063F 7981 A1F6 71EC  ABAA 0D62 B019 F80E 29F9

Re: PGP/MIME use [ In reply to ]
>> Has there been a concerted effort to make Enigmail an integral part of
>> Thunderbird, distributed with it? If yes, what are the reasons that it
>> has been rejected so far? If no, why not?
> Werner replied:
> The Mozillas don't like OpenPGP. To them it is probably too much
> anarchy compared to S/SMIME. Ask the Mammon.
Robert replied:
> * S/MIME is already irrelevant to the vast majority of
> Thunderbird users, and providing OpenPGP would just
> introduce a redundant irrelevant capability
>
> * Enigmail requires a binary that's not maintained by
> Mozilla, which is released on its own schedule, and
> is licensed under terms other than those Mozilla
> prefers

Mozilla is founded by Google. Without Google they would be gone. Google's business model is not to protect the user but to analyze him. That is not possible when you use mail encryption.

The question is still valid and imo, some pressure from the user community might help to bring Thunderbird to the point where it can be downloaded containing enigmail. That would be a huge step! The arguments by Robert seem to be rather minor compared to the huge benefit delivery of safe communication would bring.

Imagine a world in which Windows and OS X are delivered with OpenPGP. I don't see why that should not happen. It's all a question of community requests and pressure on the according companies behind those OSs. That pressure could also take share in pure statistics: If people simply buy machines which come with built-in OpenSource crypto. That would be the case, if average people (not like us who are subscribed to this geeky mailing list) become more security aware and realize that privacy matters. Call me idealistic, but I think it's up to the community to make that happen.

All the best,
steve
Re: PGP/MIME use [ In reply to ]
On 2/20/12 2:24 PM, Steve wrote:
> Mozilla is founded by Google.

Mozilla receives funds from Google and others. The "and others" bit is
important.

> Without Google they would be gone.

Without Google Mozilla would have to find other partners. I'm willing
to bet cash money on the barrelhead they already have other partners
lined up in the event this becomes necessary.

> That is not possible when you use mail encryption.

I doubt that whether you use email encryption is really any concern to
Google. Invasive, intrusive email scanning exposes them to all manner
of legal risks, from both civil and criminal law. It's also a public
relations disaster waiting to happen, and could result in all manner of
horrific penalties for Google.

Traffic analysis gives them almost as much useful information with much
less risk exposure -- and email encryption doesn't interfere with
traffic analysis.

I'm not a particular fan of Google (or Facebook or what-have-you), but
let's make sure our criticisms of them match up to reality.

> The question is still valid and imo, some pressure from the user
> community might help to bring Thunderbird to the point where it can
> be downloaded containing enigmail.

You're certainly welcome to. If you'd like to see Enigmail bundled with
Thunderbird, then please write the Thunderbird developers a
politely-worded email asking them to look into it. However, talking on
this list (or on the Enigmail user list) about how much you'd like to
see it in Thunderbird is unlikely to achieve anything: the people who
make those decisions are not, as far as I know, on either this list or
Enigmail's list.

> The arguments by Robert seem to be rather minor compared to the huge
> benefit delivery of safe communication would bring.

There is virtually nothing OpenPGP can do that S/MIME cannot do. There
are certainly some implementation differences between the two, but in
terms of broad capabilities they're almost identical. If you want email
encryption capabilities, they're already there. If you want OpenPGP
specifically, you'll need to find things OpenPGP can do that S/MIME
can't do, and pitch it to the Thunderbird developers on that score.

> Imagine a world in which Windows and OS X are delivered with
> OpenPGP.

Windows and OS X are delivered with S/MIME already. If people aren't
using S/MIME (and they overwhelmingly are not!), why should we believe
the presence of an OpenPGP suite would change their behavior?

> Call me idealistic, but I think it's up to the community to make that
> happen.

I'm not trying to dissuade you, but the people you need to convince are
not on this mailing list. :)

Re: PGP/MIME use [ In reply to ]
On 2/20/12 2:24 PM, stevebell@gulli.com wrote:
. . .
> Mozilla is founded ["funded" probably] by Google. Without Google
> they would be gone.
> Google's business model is not to protect the user but to analyze him.
> That is not possible when you use mail encryption.
>
> The question is still valid and imo, some pressure from the user
> community might help to bring Thunderbird to the point where it can
> be downloaded containing enigmail.
. . .

Just considering your own points, would you trust an encryption
functionality you thought was written in a way satisfying Google?

Re: PGP/MIME use [ In reply to ]
> . . .
>> Mozilla is founded ["funded" probably] by Google. Without Google
>> they would be gone.
>> Google's business model is not to protect the user but to analyze him.
>> That is not possible when you use mail encryption.
>>
>> The question is still valid and imo, some pressure from the user
>> community might help to bring Thunderbird to the point where it can
>> be downloaded containing enigmail.
> . . .
>
> Just considering your own points, would you trust an encryption
> functionality you thought was written in a way satisfying Google?


Sorry. Funded of course. And to answer your question. No I wouldn't. But would you still trust OpenPGP if it was delivered with every chromebook? Maybe that wouldn't satisfy Google, but I never asked for encryption technology that satisfied Google.

Robert wrote:
> I'm not a particular fan of Google (or Facebook or what-have-you), but
> let's make sure our criticisms of them match up to reality.

You might be correct. But also we all know that if Google has access the US gov does have access as well (other examples would be dropbox, twitter, …). And although I might only tell my mom to buy 6 eggs for a cake I'm going to make, I still don't want them to read that. Neither Google (which you say they don't - but since we can't look into their internal mechanisms we'd have to trust them and if you ask me "do you trust google" I'd rather not) nor the US gov (which we know they do). Why again was it, that Europe needed to sign swift-treaty?

>
>> The question is still valid and imo, some pressure from the user
>> community might help to bring Thunderbird to the point where it can
>> be downloaded containing enigmail.
>
> You're certainly welcome to. If you'd like to see Enigmail bundled with
> Thunderbird, then please write the Thunderbird developers a
> politely-worded email asking them to look into it.

Will do.

>> The arguments by Robert seem to be rather minor compared to the huge
>> benefit delivery of safe communication would bring.
>
> There is virtually nothing OpenPGP can do that S/MIME cannot do.

Hm, that was also bothering me with the other mails you wrote on this topic earlier. It's already very late here, so bear with me I'm taking this from remembrance. You said due to the fact that the world is very big and web of trust not used much, it can't serve as a good information tool since most likely the signatures will be from people I don't know.

I'm not so sure about that. Wonder why google called the grouping feature in G+ "circle"? We communicate and behave and live in circles. This list is just another circle. And I might know e.g. our beloved Werner Koch from another project than this list. Or I might know Robert from another context than this list. The context might be the same (e.g. computer security) but it will still be the same people because at any time only so and so many people are currently dealing with a certain topic with a certain level of expertise. Wouldn't that mean that actually the web of trust should work well?

I think the web of trust is an awesome idea and again (as with encryption in general) it's up to each and every human to make use of those tools. Eventually the web of trust might become very informative indeed.

Isn't the big difference that OpenPGP is a decentralized concept while S/MIME requires centralized infrastructure? And I have to say, currently I'd rather go with decentralized. Again, it boils down to the question of trust. I'd rather trust the web of trust than an anonymous centralized entity for which I don't know why they are in this business and who exactly is behind the curtain of a company name (there is no business with a decentralized web of trust and imo it's much harder to corrupt it).


> There are certainly some implementation differences between the two, but in
> terms of broad capabilities they're almost identical. If you want email
> encryption capabilities, they're already there. If you want OpenPGP
> specifically, you'll need to find things OpenPGP can do that S/MIME
> can't do, and pitch it to the Thunderbird developers on that score.

See above.

>> Imagine a world in which Windows and OS X are delivered with
>> OpenPGP.
>
> Windows and OS X are delivered with S/MIME already. If people aren't
> using S/MIME (and they overwhelmingly are not!), why should we believe
> the presence of an OpenPGP suite would change their behavior?

Again, see above

>> Call me idealistic, but I think it's up to the community to make that
>> happen.
>
> I'm not trying to dissuade you, but the people you need to convince are
> not on this mailing list. :)

I am well aware of that fact. I just wanted to add my thought to this very interesting discussion. And maybe it's us (the people on this list) that can make a change. It has to start somewhere…

All the best, steve
Re: PGP/MIME use [ In reply to ]
On 2/20/12 7:55 PM, Steve wrote:
> Hm, that was also bothering me with the other mails you wrote on
> this topic earlier. It's already very late here, so bear with me I'm
> taking this from remembrance. You said due to the fact that the world
> is very big and web of trust not used much, it can't serve as a good
> information tool since most likely the signatures will be from people
> I don't know.

I think this is a mischaracterization of my position. My position is,
"PKI is hard." We don't have any tools that can scale up to the size of
the world.

> I'm not so sure about that. Wonder why google called the grouping
> feature in G+ "circle"? We communicate and behave and live in
> circles.

Circles that are increasingly separate from actual physical interaction.
There are a lot of people in my circles I've never met before, which
makes the problem of verifying their keys rather difficult.

Social media will not solve the PKI problem. In many ways it makes it
worse. Social media is predicated around the idea that you have given
up your privacy and anonymity in exchange for being more connected to
the social flow around you. Before Facebook, people who used encryption
and other privacy technologies were looked at by the population at large
as being kind of kooks. Now we're being looked at as if we're about to
step off into the woods with Ted Kaczynski.

The things that we value are increasingly out of step with the things
our society values. And, you know, that's fine: there are *lots* of
communities with values out of step with those of the larger society.
But we should be cautious of thinking that we're going to wave a little
crypto magic fairy dust and suddenly everyone will come to our side of
the privacy fence: they won't, and it doesn't matter how good our
Kool-Aid tastes.

> Wouldn't that mean that actually the web of trust should work well?

The question is not whether we think it should work well, but rather
whether it *does* work well. It doesn't.

> I think the web of trust is an awesome idea and again (as with
> encryption in general) it's up to each and every human to make use
> of those tools.

As long as people have to make a conscious choice to use these tools,
these tools will never become mainstream.

> Isn't the big difference that OpenPGP is a decentralized concept
> while S/MIME requires centralized infrastructure?

Not really. S/MIME is as capable of decentralized behavior as OpenPGP.

