Tim wrote:
If you install the Enigmail plugin in ThunderBird, you can configure rules to control encryption options for specific e-mail addresses. It defaults to asking you what to do when it gets an address that does not match any of its rules. (It is all check boxes and drop-down options.)On Fri, 2008-05-30 at 11:46 -0430, Patrick O'Callaghan wrote:It's a basic fact of life that crypto software is complicated for users, and there appear to be fairly fundamental reasons why this is so (see "Why Johnny Can't Encrypt", an interesting paper by a group ofStanford researchers from a few years ago).I've had to set up PGP/GPG for someone, yonks ago, because comprehending any of it was going to be completely beyond them. But we had to be able to exchange some information confidentially, so there was no avoiding using it. Eventually I managed by setting it all up for them, and were able get to the point where I only had to give telephone help for the steps to encrypt or decrypt mail (enter passphrase, which passphrase it was they had to use, which options they had to pick to encrypt, etc.), but I don't think it was ever going to get to the stage of them being able to use it all by themselves. It would have helped if Evolution, for instance, allowed you to set an option in the address book to always encrypt for this person, rather than requiring the user to do an encrypt action choice for every email. I've had that option in other clients. That'd help against accidentally sending things in the clear, at the very least.
The key management option will let you create a key pair, publish a key, get a key from a key server, and import/export a key. For sending keys through the mail, even pgp offered the option to export your public key as an ASCII armored text file that you could include inside the message, or as an attachment. You can then import the key from that file. It is also handy if you want to publish your public key on a web page.One thing that struck as being particularly painful, since it was email that we were talking about, was the inability to give someone your public key in some way through your mail program. Yes, I know that's not a brilliantly safe way to set things up. But with two PCs next to each other on a LAN, that would have been safe and an easy to do it.
Sending/receiving a key using e-mail is not really a security risk if you have a second method of communication so that you can verify that the key is really from you. (Compare the key fingerprints.) You do not need to protect your public key - just make sure the key he gets is really your public key.
The GUIs and mail integration has improved drastically from when you had to do everything from the command line. But it was not that hard to create scripts to handle common tasks. For your friend you were exchanging mail with, something like "encrypt <file>" and "decrypt <file>" would probably been enough. Or just encrypt and decrypt if you used the same file names all the time.You had to use the gpg program, separately, to publish your key, or create it as a file. The "mail and encryption are separate things" issue is difficult for many to comprehend, and that's just another thing that will discourage many from using it. Various gpg programs are geared towards using public keyservers as about the only way to exchange keys (or the only obvious way to do it), but that may not be desireable for some. It certainly isn't for me, as I've found using them to be a guaranteed method for receiving spam. Even more so than having your e-mail address on your website, completely unmunged.
The keyservers share the key information, so it is hard to say what key server is being monitored. I would not think it would be a good source of addresses to SPAM... But I have seen addresses harvested from places like the Postfix support list. LOLAs I mentioned earlier, someone's obviously monitoring some keyservers, and harvesting addresses from them. Adding another address to the public key instantly results in that address being included in the next volley of spam. Peculiarly, removing some addresses from the key had a similar effect (no more spam being received at those addresses). I didn't expect that to happen. The keyserver I used was: hkp://subkeys.pgp.net Though I'm inclined to suspect the harvesting is not that server, in itself.
Mikkel -- Do not meddle in the affairs of dragons, for thou art crunchy and taste good with Ketchup!
Attachment:
signature.asc
Description: OpenPGP digital signature
-- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
