
Mailing List Archive: GnuPG: users

STEED - Usable end-to-end encryption

 

 



marcus.brinkmann at ruhr-uni-bochum

Oct 20, 2011, 4:46 PM

Post #51 of 80 (2355 views)
Re: STEED - Usable end-to-end encryption

On 10/20/2011 10:25 PM, Matthias-Christian Ott wrote:
> But who are the providers? Except for people who work in computer
> science, physics or similar fields I don't know people who run their own
> mail servers or are part of a cooperative. Most other people use a
> handful of providers who often offer free service in exchange for the
> loss of privacy or at least some form of semi-targeted advertisement. Do
> you expect those providers to ruin their business models by implementing
> this proposal? I wouldn't count on them.

Maybe. But the only way to fail for certain is by not trying. There are
other business models and market pressures beside those that you are
highlighting. It's not easy to predict.

> Perhaps the providers could also be forced by law not to implement
> this, because (if I remember correctly) some countries require that
> they store at least the header information (including subject, which
> should also be encrypted by the system) for traffic analysis. So in
> the worst case the providers couldn't implement this without breaking
> the law (I doubt that citizens could use the system without breaking the
> law in this situation either, but individuals are often more venturous
> than organisations).

STEED is fully compatible with existing mail encryption, so we do not include
the headers in the plaintext. I am not an expert, but as far as I know the
regulation usually demands to store connection data that is available, it does
not ask for data that is not available for whatever reason. I think your
interpretation of the regulations in that area is overly pessimistic, but I
could be wrong. Maybe you can verify this?

> What about making everyone their own provider? The efforts in this
> direction initiated by Eben Moglen that led to the FreedomBox and other
> projects seem to go in the right direction. It doesn't seem to me less
> realistic than requiring cooperation from providers.

I think everybody deserves private email communication, not only those who are
willing to be their own provider. We don't expect people to carry out their
own snail mail letters either, and the business model of the post office does
not require spying on the letters.

Now, it may be the case that the freedom box is (or will be) a more attractive
way for people to do email, and everybody will use it and nobody will use
proprietary email service providers. That would be excellent! The FreedomBox
project is a very important project, and it deserves our strongest support
possible. If it is a better alternative, we still need to convince the
FreedomBox project to adopt the STEED proposal (not a single word in the paper
would have to change). And I agree that this is an overall more appealing
task than trying to convince the proprietary providers.

But, we have to go where the users are, and we have to try our best to get the
providers' cooperation. There is no benefit in ignoring them and their users
just for our convenience.

If this is too daunting for you, please remember that we do not have to get
their active cooperation. If they accept it grudgingly because not following
along would be bad business (or illegal), then that's good enough. That
requires that we raise the state of the art in the field.

Maybe you are still not convinced. Then let me give you an illustrative
analogy. (Disclaimer: I am not associated with SawStop or anybody involved,
nor have I met anybody involved or used their product). An inventor created a
table saw that can prevent injury by stopping the blade as soon as it is
touched by human flesh ("SawStop"). According to the inventor, he could not
get the technology to be marketed by the big table saw companies. His claim
is that the companies think that by raising the safety measures in the table
saw, they would be more liable for table saw accidents, which would make them
subject to litigation. Eventually he created his own SawStop product line.
Now, after several years, lawmakers and regulators have taken notice and might
make SawStop-like technology mandatory in table saws.

Now, maybe SawStop is bad technology, maybe it's good. But at least something
is true: As long as no candidate technology like it exists, the question
doesn't even come up. That's the state we are at with email encryption.
Everybody who tried has learned that email encryption is not worth the hassle.
Everybody who hasn't tried just expects email to be secure and might not even
be aware that it is not. It's time to change that equation, don't you think?

The good news is that STEED will integrate extremely well in P2P systems. The
dependency on a provider in STEED is not integral to the proposal, but just a
consequence of people already relying on their providers' infrastructure for
everything else. If users use different infrastructure, STEED will also work
over that infrastructure just as well.

Thanks,
Marcus

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users


wk at gnupg

Oct 21, 2011, 1:14 AM

Post #52 of 80 (2369 views)
Re: STEED - Usable end-to-end encryption

On Fri, 21 Oct 2011 01:46, marcus.brinkmann [at] ruhr-uni-bochum said:

> not ask for data that is not available for whatever reason. I think your
> interpretation of the regulations in that area is overly pessimistic, but I
> could be wrong. Maybe you can verify this?

Actually the German Federal commissioner for data protection demands the
use of strong encryption. According to him the message-escrow-able
de-mail.de law and services are not suitable for private messages. [1]



Salam-Shalom,

Werner


[1] In German:
<http://www.bfdi.bund.de/DE/Oeffentlichkeitsarbeit/Pressemitteilungen/2011/12_InkrafttretenDEMailGesetz.html?nn=408908>


--
Thoughts are free. Exceptions are regulated by a federal law.




johanw at vulcan

Oct 21, 2011, 5:21 AM

Post #53 of 80 (2358 views)
Re: STEED - Usable end-to-end encryption

On 20-10-2011 22:25, Matthias-Christian Ott wrote:

> What about making everyone their own provider?

Is that technically equivalent to running your own mailserver? Because
that also gives some problems: I run my own server at vulcan.xs4all.nl
(bsmtp at a subdomain of my provider) but get some mails bounced because
of excessive anti-spam filters that complain about no reverse DNS.

--
Met vriendelijke groet / With kind regards,
Johan Wevers

PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html




jeandavid8 at verizon

Oct 21, 2011, 7:12 AM

Post #54 of 80 (2365 views)
Re: STEED - Usable end-to-end encryption

Matthias-Christian Ott wrote:

>
> What about making everyone their own provider? The efforts in this
> direction initiated by Eben Moglen that led to the FreedomBox and other
> projects seem to go in the right direction. It doesn't seem to me less
> realistic than requiring cooperation from providers.
>
I was my own provider for many years, and that was easy enough. I got a
static IP address from my ISP for $10/month and ran sendmail as my MTA.
I used mutt as MUA.

But when I switched to Verizon as ISP in order to get FiOS, they wanted
$150/month for a static IP address and an additional fee (I forget what
it was) to be allowed to run sendmail as a server.

Verizon is a great ISP 8-( They discontinued Usenet, so I have to pay a
fee to another provider to use Usenet. They did not reduce their fees
when they reduced the level of service. Greed and Profit before Service:
it is the American way. 8-(

--
.~. Jean-David Beyer Registered Linux User 85642.
/V\ PGP-Key: 9A2FC99A Registered Machine 241939.
/( )\ Shrewsbury, New Jersey http://counter.li.org
^^-^^ 10:05:01 up 19:11, 4 users, load average: 4.93, 4.98, 5.11



christophe.brocas at cnamts

Oct 21, 2011, 7:22 AM

Post #55 of 80 (2424 views)
Re: STEED - Usable end-to-end encryption

On 21/10/2011 16:12, Jean-David Beyer wrote:
> Matthias-Christian Ott wrote:
>
>> What about making everyone their own provider? The efforts in this
>> direction initiated by Eben Moglen that led to the FreedomBox and other
>> projects seem to go in the right direction. It doesn't seem to me less
>> realistic than requiring cooperation from providers.
>>
> I was my own provider for many years, and that was easy enough. I got a
> static IP address from my ISP for $10/month and ran sendmail as my MTA.
> I used mutt as MUA.
>
> But when I switched to Verizon as ISP in order to get FiOS, they wanted
> $150/month for a static IP address and an additional fee (I forget what
> it was) to be allowed to run sendmail as a server.
>
> Verizon is a great ISP 8-( They discontinued Usenet, so I have to pay a
> fee to another provider to use Usenet. They did not reduce their fees
> when they reduced the level of service. Greed and Profit before Service:
> it is the American way. 8-(
>
Wow ...

In France, the second ISP (http://www.free.fr/ ) gives a static IP by default
with port filtering and no bandwidth usage limit.

BR
Christophe






expires2011 at ymail

Oct 21, 2011, 10:55 AM

Post #56 of 80 (2347 views)
Re: STEED - Usable end-to-end encryption


Hi


On Thursday 20 October 2011 at 10:04:15 AM, in
<mid:87hb34xcds.fsf [at] vigenere>, Werner Koch wrote:


> Most users don't have personal web pages. So what now?
> Well many users have a facebook page - but this would
> make facebook mandatory and we would need support from
> them (at least to guarantee that they don't break any
> assumptions). Not much different to work with ISPs.

If you are trying to get people to think about privacy, maybe
suggesting Diaspora as an alternative to Facebook is a direction to
consider...


- --
Best regards

MFPA mailto:expires2011 [at] ymail

War is a matter of vital importance to the State.




ott at mirix

Oct 23, 2011, 9:50 AM

Post #57 of 80 (2340 views)
Re: STEED - Usable end-to-end encryption

On Fri, Oct 21, 2011 at 01:46:02AM +0200, Marcus Brinkmann wrote:
> On 10/20/2011 10:25 PM, Matthias-Christian Ott wrote:
> > But who are the providers? Except for people who work in computer
> > science, physics or similar fields I don't know people who run their own
> > mail servers or are part of a cooperative. Most other people use a
> > handful of providers who often offer free service in exchange for the
> > loss of privacy or at least some form of semi-targeted advertisement. Do
> > you expect those providers to ruin their business models by implementing
> > this proposal? I wouldn't count on them.
>
> Maybe. But the only way to fail for certain is by not trying. There are
> other business models and market pressures beside those that you are
> highlighting. It's not easy to predict.

I agree, there are other business models and perhaps there will be
demand for this, but I just summarised the service providers almost all
“non-technical” people I communicate with use.

> > Perhaps the providers could also be forced by law not to implement
> > this, because (if I remember correctly) some countries require that
> > they store at least the header information (including subject, which
> > should also be encrypted by the system) for traffic analysis. So in
> > the worst case the providers couldn't implement this without breaking
> > the law (I doubt that citizens could use the system without breaking the
> > law in this situation either, but individuals are often more venturous
> > than organisations).
>
> STEED is fully compatible with existing mail encryption, so we do not include
> the headers in the plaintext. I am not an expert, but as far as I know the
> regulation usually demands to store connection data that is available, it does
> not ask for data that is not available for whatever reason. I think your
> interpretation of the regulations in that area is overly pessimistic, but I
> could be wrong. Maybe you can verify this?

I'm not aware of any overview of e-mail data retention, so I don't
have a complete picture, but a quick search on EU data retention laws
showed that only SMTP envelope data is officially stored, so at least
in these countries it's not a problem (though I think the subject
should be encrypted as well). Moreover, I agree that as long as the
body and thus the actual contents are not stored there is reason
why a provider could break the law by providing STEED services to
their customers. Fortunately many countries have laws to guarantee
(at least in theory) privacy of correspondence and these laws are of a
long tradition, so it seems hard to abolish them. However, I see the
possibility that providers could be forced to cooperate with government
agencies, but this would have little impact and would require bigger
efforts to “break” STEED this way (e.g. MITM attacks by publishing
false keys for new contacts).

> > What about making everyone their own provider? The efforts in this
> > direction initiated by Eben Moglen that led to the FreedomBox and other
> > projects seem to go in the right direction. It doesn't seem to me less
> > realistic than requiring cooperation from providers.
>
> I think everybody deserves private email communication, not only those who are
> willing to be their own provider. We don't expect people to carry out their
> own snail mail letters either, and the business model of the post office does
> not require spying on the letters.

I agree, but I also talked to people who don't care about privacy
(nothing to hide) and don't understand it. Therefore, it is important
not to rely on the market to provide the means for private e-mail
communication (do it yourself instead of relying on other people to do
it).

> But, we have to go where the users are, and we have to try our best to get the
> providers' cooperation. There is no benefit in ignoring them and their users
> just for our convenience.

Let's say you had the opportunity to convince a smaller independent
hosting provider that e.g. sells web hosting, e-mail and resells
internet connectivity, how would you do this? There had to be real
demand and easily installable and maintainable software to convince them
to implement STEED.

Recently I did some search and inquiries on DNSSEC, for which there is
arguably real demand from private and enterprise customers and there
is working software, but only relatively few companies worldwide offer
it and I don't expect it to be widely deployed within the next years.
However, people running their own server have it running or at least
prepared (waiting for the registrars to close the trust chain by
submitting their public key to the registry) for some time now.

> Maybe you are still not convinced. Then let me give you an illustrative
> analogy. (Disclaimer: I am not associated with SawStop or anybody involved,
> nor have I met anybody involved or used their product). An inventor created a
> table saw that can prevent injury by stopping the blade as soon as it is
> touched by human flesh ("SawStop"). According to the inventor, he could not
> get the technology to be marketed by the big table saw companies. His claim
> is that the companies think that by raising the safety measures in the table
> saw, they would be more liable for table saw accidents, which would make them
> subject to litigation. Eventually he created his own SawStop product line.
> Now, after several years, lawmakers and regulators have taken notice and might
> make SawStop-like technology mandatory in table saws.
>
> Now, maybe SawStop is bad technology, maybe it's good. But at least something
> is true: As long as no candidate technology like it exists, the question
> doesn't even come up. That's the state we are at with email encryption.
> Everybody who tried has learned that email encryption is not worth the hassle.
> Everybody who hasn't tried just expects email to be secure and might not even
> be aware that it is not. It's time to change that equation, don't you think?

I agree, but there is a lot to be done. If the technical specification
is done and there is working software, the really hard work just
begins as I tried to demonstrate by taking DNSSEC as an example.

Regards,
Matthias-Christian



marcus.brinkmann at ruhr-uni-bochum

Oct 23, 2011, 1:56 PM

Post #58 of 80 (2340 views)
Re: STEED - Usable end-to-end encryption

Hi Matthias-Christian,

thanks for your comments, I think they are entirely correct. With respect to
convincing ISPs, STEED is not a complete proposal yet. The STEED paper covers
the technical aspects of making email encryption usable for the user. It does
not cover the policies of the parties involved and strategies to break down
walls of tradition. I think there are good reasons for this. It is easier to
present the technical aspects in the form of a paper, while the policy stuff
is probably more a learning process that involves entering a dialogue of
multiple parties. Also, success of STEED may depend on external policy
changes to some extent. When those happen, we should already be in place, though.

So, you summed it up best: "there is a lot to be done"

Thanks,
Marcus



mwood at IUPUI

Oct 24, 2011, 8:15 AM

Post #59 of 80 (2391 views)
Re: STEED - Usable end-to-end encryption

On Fri, Oct 21, 2011 at 06:55:47PM +0100, MFPA wrote:
> If you are trying to get people to think about privacy, maybe
> suggesting Diaspora as an alternative to Facebook is a direction to
> consider...

I would suggest that, if you are trying to get people to think about
privacy, about the only thing worth saying to them (initially) is to
point out real-life examples of bad things happening to average people
who didn't think about privacy.

No one can desire salvation until he believes that he is in jeopardy.

--
Mark H. Wood, Lead System Programmer mwood [at] IUPUI
Asking whether markets are efficient is like asking whether people are smart.


rjh at sixdemonbag

Oct 24, 2011, 8:24 AM

Post #60 of 80 (2348 views)
Re: STEED - Usable end-to-end encryption

On 10/24/11 11:15 AM, Mark H. Wood wrote:
> No one can desire salvation until he believes that he is in jeopardy.

Although hellfire-and-damnation preachers are a popular cultural idea,
they're really quite rare: most preachers go more for the John 10:10
angle [*]. They've found through centuries of proselytization
experience that things work better if you pitch the benefit of the
faith, rather than the hypothesized penalties if you live without it.

The relevance here should be plain: we need to pitch the benefits of
confidential and assured communications, not the hypothetical penalties
if they fail to take our advice.



[*] "I am come that they might have life, and that they might have it
more abundantly." John 10:10, KJV


mwood at IUPUI

Oct 24, 2011, 9:02 AM

Post #61 of 80 (2345 views)
Re: STEED - Usable end-to-end encryption

On Mon, Oct 24, 2011 at 11:24:40AM -0400, Robert J. Hansen wrote:
> On 10/24/11 11:15 AM, Mark H. Wood wrote:
> > No one can desire salvation until he believes that he is in jeopardy.
>
> Although hellfire-and-damnation preachers are a popular cultural idea,
> they're really quite rare: most preachers go more for the John 10:10
> angle [*]. They've found through centuries of proselytization
> experience that things work better if you pitch the benefit of the
> faith, rather than the hypothesized penalties if you live without it.

And I agree with this. The problem with applying the turn-or-burn
sermon to proselytization is that it requires that the audience
already believes in sin and hell, and that the problem is one of
raising awareness. Unbelievers...don't believe. It is fortunate for
such efforts that an argument couched in terms of benefit is available.

> The relevance here should be plain: we need to pitch the benefits of
> confidential and assured communications, not the hypothetical penalties
> if they fail to take our advice.

So, in the absence of any threat, what exactly *are* those benefits?

The cited passage asserts that the hearer is missing out -- he could
have more than he has now. How much more can I get out of email by
using crypto? What do I get, if I don't believe that my privacy is
threatened or I do not value privacy?

--
Mark H. Wood, Lead System Programmer mwood [at] IUPUI
Asking whether markets are efficient is like asking whether people are smart.


rjh at sixdemonbag

Oct 24, 2011, 10:25 AM

Post #62 of 80 (2331 views)
Re: STEED - Usable end-to-end encryption

(There are two anecdotes here: the first is purely for amusement, the
latter is actually meant to be on-point.)

On 10/24/11 12:02 PM, Mark H. Wood wrote:
> The cited passage asserts that the hearer is missing out -- he could
> have more than he has now. How much more can I get out of email by
> using crypto? What do I get, if I don't believe that my privacy is
> threatened or I do not value privacy?

In an amusing aside, I just got back from lunch at a seafood restaurant.
While I was sitting there I encountered a street preacher who was
wandering through the tables asking people if they were saved. She (a
rare case of a woman evangelical pastor) came to my table and asked me
my opinion on homosexuality.

I blinked a few times at her. "You're asking me?" She repeated her
question. "I'm eating *shellfish* while *wearing a shirt made of two
different kinds of fabric* and you're asking me what I think of
something else that's a Levitican abomination?"

Management intervened a couple of seconds later and removed the street
preacher from the premises.

I've learned my lesson: no more citing Scripture right before lunch. :)
The strange people you meet in downtown Washington D.C...




With respect to your question: what we offer is privacy, but most people
do not understand privacy, do not care about privacy, and would not care
about privacy even if they understood it.

During graduate school the politically-active members of the Computer
Science department were up in arms over government surveillance.
Flyers, bulletin board notices, EFF fundraising campaigns, and the like.
Yet, when the Department required all TAs sign up for Facebook, in the
interests of "being accessible to the undergraduates," there wasn't any
outcry. I was serving as the Area Steward for the graduate student
labor union and tried to drum up some outrage that we were being
*required* to sign up for a privacy-annihilating 'service.' Nobody was
interested -- not even the people who had flyers on their doors
condemning Total Information Awareness and EFF stickers on their laptops.


dan at geer

Oct 24, 2011, 8:02 PM

Post #63 of 80 (2336 views)
Re: STEED - Usable end-to-end encryption

>
> With respect to your question: what we offer is privacy, but most people
> do not understand privacy, do not care about privacy, and would not care
> about privacy even if they understood it.
>
> During graduate school the politically-active members of the Computer
> Science department were up in arms over government surveillance.
> Flyers, bulletin board notices, EFF fundraising campaigns, and the like.
> Yet, when the Department required all TAs sign up for Facebook, in the
> interests of "being accessible to the undergraduates," there wasn't any
> outcry. I was serving as the Area Steward for the graduate student
> labor union and tried to drum up some outrage that we were being
> *required* to sign up for a privacy-annihilating 'service.' Nobody was
> interested -- not even the people who had flyers on their doors
> condemning Total Information Awareness and EFF stickers on their laptops.
>

You got that right, Brother.

To be more pointed, how many folks on this list carry a cell phone?

--dan




peter at digitalbrains

Oct 25, 2011, 2:26 AM

Post #64 of 80 (2356 views)
Re: STEED - Usable end-to-end encryption

On 24/10/11 19:25, Robert J. Hansen wrote:
> With respect to your question: what we offer is privacy, but most people
> do not understand privacy, do not care about privacy, and would not care
> about privacy even if they understood it.

So if we can't motivate users by showing the bad stuff that can happen if you
have no privacy, then how to do it? I don't see any other way.

Which for a pessimist might imply that it is simply doomed, and we'll never have
e-mail crypto by default.

Though pessimists are unfortunately more often right than optimists[1], I do
think the number of TLS connections between MUAs and MTAs has increased because
the clients have it on by default. And I base this on absolutely nothing.

Peter.

PS: Nice anecdote :)


[1] Curse the researchers who actually did scientific research on this! Some
things are better left unknown and only speculated about :).

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt



rjh at sixdemonbag

Oct 25, 2011, 5:54 AM

Post #65 of 80 (2335 views)
Re: STEED - Usable end-to-end encryption

On 10/25/11 5:26 AM, Peter Lebbing wrote:
> So if we can't motivate users by showing the bad stuff that can
> happen if you have no privacy, then how to do it? I don't see any
> other way.

Years ago W.D. Richter wrote a fictitious interview between the two
fictitious characters Reno Nevada and Buckaroo Banzai. It sums up my
position quite well.

=====

Q: You lament the decline of the great causes -- civil rights, the
antiwar movement, the war on poverty, the exploration of space -- and
the all-consuming preoccupation with the self in today's culture. But
what gave birth to these great causes to begin with?

A: Twin utopias, unfortunately: the myth of revolution and the myth of
progress.

Q: These are myths?

A: To the extent that people believe in them as utopias, yes, which is
how they were oversold in many cases. By embracing any utopia, we sow
the seeds of cynicism when things don't work out as advertised.

Q: Not that they've ever been tried...

A: Which is the fallacy -- that big change has to happen on an
institutional or national level. When it doesn't, you have the
epidemic of cynicism we have today, with bean counters running the
whole shooting match under the rubric of being realists.

Q: So what do we failed idealists do?

A: First, stop being failures. It's absurd to judge ourselves against
a scale larger than our own efforts.

=====

I reject your premise, which seems to be that we *should* motivate
users, or that it is *possible* for us to do it. I don't think either
one is true. I don't think that I -- or any group of us -- has the
capability to do this, so my response to this is to let myself off the
hook for it.

Every now and again I'll meet someone who's interested in learning
about privacy and how to protect it. I do my best to help these
people along. That's what I can do, that's what's within my power,
that's the standard I judge myself by -- how well I do what good I can do.

It's made a world of difference in my mental health.



jeandavid8 at verizon

Oct 25, 2011, 6:12 AM

Post #66 of 80 (2342 views)
Re: STEED - Usable end-to-end encryption

dan [at] geer wrote:
>> With respect to your question: what we offer is privacy, but most
>> people do not understand privacy, do not care about privacy, and
>> would not care about privacy even if they understood it.
>>
[snip]
>
> You got that right, Brother.
>
> To be more pointed, how many folks on this list carry a cell phone?
>
> --dan
>
I carry one about half the time, but it is usually powered off unless I
am expecting a call, or when I need to make one. Also about once every
other month to use the GPS navigation feature.

--
.~. Jean-David Beyer Registered Linux User 85642.
/V\ PGP-Key: 9A2FC99A Registered Machine 241939.
/( )\ Shrewsbury, New Jersey http://counter.li.org
^^-^^ 09:10:01 up 4 days, 18:16, 3 users, load average: 4.84, 5.14, 5.11



peter at digitalbrains

Oct 25, 2011, 7:57 AM

Post #67 of 80 (2324 views)
Re: STEED - Usable end-to-end encryption

On 25/10/11 14:54, Robert J. Hansen wrote:
> Every now and again I'll meet someone who's interested in learning
> about privacy and how to protect it. I do my best to help these
> people along. That's what I can do, that's what's within my power,
> that's the standard I judge myself by -- how well I do what good I can do.

The problem with the current proposal in that respect is that it requires
co-operation of e-mail providers. If there is no significant user base, the
providers don't want to cater for that very small minority that asks them to
implement the extra DNS functionality. And without the functionality being
offered by the e-mail providers, there is no chance to build a significant user
base.

If there was no dependency on third parties implementing stuff for their
customers, this catch-22 would not be there. It needs to be such that an
individual can say "I will install this" and then communicate with people who
did the same thing. If this individual then comes to the conclusion "My provider
does not support this", he would need to be very motivated indeed to do
something about it.

So currently there is no way to only have a few people do this, and let that
group grow slowly.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt



rjh at sixdemonbag

Oct 25, 2011, 8:09 AM

Post #68 of 80 (2335 views)
Permalink
Re: STEED - Usable end-to-end encryption [In reply to]

On 10/25/11 10:57 AM, Peter Lebbing wrote:
> The problem with the current proposal in that respect is that it
> requires co-operation of e-mail providers.

I disagree. The problem with the current proposal is it offers email
providers no payoff for their work. If it could credibly be said,
"implement STEED and you'll get 25% less spam across your network,"
email providers would be lining up around the block to participate.

As I mentioned before, most people do not understand privacy, do not see
the benefit from privacy, and even if they understood it would not see a
benefit from it. That's the dealbreaker. Hundreds of good ideas have
foundered on those shoals: I suspect STEED will turn out to be another.

But I hope I'm wrong.



gnupg.user at seibercom

Oct 25, 2011, 8:22 AM

Post #69 of 80 (2339 views)
Permalink
Re: STEED - Usable end-to-end encryption [In reply to]

On Mon, 24 Oct 2011 23:02:32 -0400
dan [at] geer articulated:

> To be more pointed, how many folks on this list carry a cell phone?

I carry one virtually all the time. It is sort of in my job
description. I have to be available 24/7.

--
Jerry ✌
GNUPG.user [at] seibercom
_____________________________________________________________________
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.




peter at digitalbrains

Oct 25, 2011, 11:40 AM

Post #70 of 80 (2336 views)
Permalink
Re: STEED - Usable end-to-end encryption [In reply to]

On 25/10/11 17:09, Robert J. Hansen wrote:
> I disagree. The problem with the current proposal is it offers email
> providers no payoff for their work. If it could credibly be said,
> "implement STEED and you'll get 25% less spam across your network,"
> email providers would be lining up around the block to participate.

Yes, and if it could credibly be said "implement STEED and you'll get 10% more
clients", you'd need crowd control. Unfortunately, both "ifs" are not met. When
you try to create the perfect standard that solves all e-mail problems, it
quickly becomes a terrible mess. You need focus and compartmentalisation, draw
some boundaries.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt



mwood at IUPUI

Oct 25, 2011, 1:11 PM

Post #71 of 80 (2318 views)
Permalink
Re: STEED - Usable end-to-end encryption [In reply to]

So, to summarize what I think I've been hearing: the problem which
remains to be solved (if it is a problem) is a nontechnical one, and
no amount of technical wizardry will solve it. The most that can be
done now is to be ready to help someone who fears for his privacy and
asks, "what can I do?"

Maybe someday there will be a panic and everybody will be asking.
It's good to have an answer.

--
Mark H. Wood, Lead System Programmer mwood [at] IUPUI
Asking whether markets are efficient is like asking whether people are smart.


rjh at sixdemonbag

Oct 25, 2011, 2:17 PM

Post #72 of 80 (2324 views)
Permalink
Re: STEED - Usable end-to-end encryption [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 10/25/11 4:11 PM, Mark H. Wood wrote:
> So, to summarize what I think I've been hearing: the problem which
> remains to be solved (if it is a problem) is a nontechnical one,
> and no amount of technical wizardry will solve it.

This is what I think. But

(a) technical wizardry will be very useful for when/if
we finally figure out how to solve the social problem
(b) I might be wrong about no amount of technical wizardry
being able to solve the social problem

That's where I stand. This is why regarding STEED, I'm pessimistic but
hopeful. I doubt it will achieve the hoped-for ends: but I hope that
I'm wrong. :)



rjh at sixdemonbag

Oct 25, 2011, 2:19 PM

Post #73 of 80 (2305 views)
Permalink
Re: STEED - Usable end-to-end encryption [In reply to]

On 10/25/11 5:17 PM, Robert J. Hansen wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256

[rest of message, which *lacked* a signature, elided]

Wow, that's a wacky error. Time to file a bug report in Enigmail!



gnupg at lists

Oct 25, 2011, 2:48 PM

Post #74 of 80 (2327 views)
Permalink
Re: STEED - Usable end-to-end encryption [In reply to]

On 25/10/11 21:11, Mark H. Wood wrote:

> So, to summarize what I think I've been hearing: the problem which
> remains to be solved (if it is a problem) is a nontechnical one, and
> no amount of technical wizardry will solve it. The most that can be
> done now is to be ready to help someone who fears for his privacy and
> asks, "what can I do?"
>
> Maybe someday there will be a panic and everybody will be asking.
> It's good to have an answer.

I think there are two major technical problems which would make things a
lot easier if they were solved.

1.) A system of mapping email addresses to public keys
2.) A system of distributing private keys between all of a user's email
clients automatically.

These can be tackled independently.

For #2 I'd like to see an IMAP extension where the client can upload and
download password protected private keys. The security of the keys would
rely on a strong passphrase (different from the IMAP passphrase
obviously) but it would solve the problem of copying the keys between
clients/backing them up. It would also mean that the clients can handle
the key generation/management without the user even knowing it is happening.

For #1 I'd like to see two options. First of all, the DNS solution
described in the STEED proposal. Secondly, as a backup, if the DNS
record doesn't exist, and somebody emails me with a header containing a
link (*) to their key and its fingerprint, or even just the key
itself, I'd like to automatically use that. Initially major email
providers like GMail/Hotmail wouldn't implement the DNS solution, but
that wouldn't stop people using GMail/Hotmail with supporting IMAP
clients from automatically looking up keys and encrypting.

I can imagine these two solutions being implemented natively in Dovecot,
Courier IMAP, Evolution and Thunderbird if the right people can be
convinced. Maybe a few other widely used open source IMAP servers and
MUAs. At that point, getting noticed by Microsoft/Google/Yahoo should be
easier.

Web browsers would need to be upgraded to make functions available for
webmail providers. I'd imagine this coming later once average users are
using encrypted email without even realising. Each new implementation
would simply lead to more and more encrypted email. We don't need an all
or nothing approach.

We might even end up with MSAs that accept mail from clients without
encryption support, then look up the recipient's public key, and encrypt
it before passing it on.

(*) there's a nasty privacy issue when you're able to trigger a
receiving email client to do arbitrary http lookups. It means the sender
is able to determine when the recipient downloaded the email, and what
IP address they were using at the time. Perhaps MTAs could look up the
public key on delivery and add it to the email headers.

If somebody pulls this off, the spam fighting industry is going to have
a lot of fun. It becomes a lot more difficult to identify spammy content
if you can't read it. I guess all of that filtering tech (bayes/uribl
lookups etc) would end up having to be pushed to the client. Those are
problems to be solved by other people though.

--
Mike Cardwell https://grepular.com/ https://twitter.com/mickeyc
Professional http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu 0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
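
The lookup order proposed in the post above (DNS first, then a key carried in a mail header, and no client-side fetch of a linked key), sketched as an added example that is not part of the original thread. The header names, the in-memory `dns_records` stand-in for a DNS lookup, and the choice to carry the base64 public-key packet body in the header are assumptions; the sample key bytes are constructed.

```python
import base64
import hashlib
from email import message_from_string

# Hypothetical header names; the post does not define any.
H_KEY, H_FPR, H_URL = "X-Example-Key", "X-Example-Key-Fingerprint", "X-Example-Key-URL"

# Constructed sample: shaped like an RSA public-key packet body, not a usable key.
SAMPLE_BODY = bytes.fromhex("044ea73c51010040c0ffee01234567890011010001")


def v4_fingerprint(packet_body: bytes) -> str:
    """OpenPGP v4 fingerprint (RFC 4880, section 12.2) of a public-key packet body."""
    framed = b"\x99" + len(packet_body).to_bytes(2, "big") + packet_body
    return hashlib.sha1(framed).hexdigest().upper()


def sample_message(body: bytes, fingerprint: str) -> str:
    """Build a constructed message carrying a key and its claimed fingerprint."""
    key_b64 = base64.b64encode(body).decode()
    return (f"From: alice@example.org\n{H_KEY}: {key_b64}\n"
            f"{H_FPR}: {fingerprint}\n\nhello\n")


def resolve_key(sender: str, raw_message: str, dns_records: dict):
    """Return (source, key_bytes), trying DNS first and the mail header second."""
    # 1. A key published in DNS for the address wins (dict stands in for DNS).
    if sender in dns_records:
        return "dns", dns_records[sender]
    msg = message_from_string(raw_message)
    claimed = (msg.get(H_FPR) or "").replace(" ", "").upper()
    inline = msg.get(H_KEY)
    # 2. Fallback: inline key, accepted only if it hashes to the claimed fingerprint.
    if inline and claimed:
        try:
            body = base64.b64decode("".join(inline.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return "rejected", None
        if v4_fingerprint(body) == claimed:
            return "header", body
        return "rejected", None
    # 3. Link only: the client does not fetch it, since the request would tell
    #    the sender when the mail was read and from which IP address.
    if msg.get(H_URL):
        return "deferred-to-mta", None
    return "none", None
```

A matching fingerprint only shows that the key and the fingerprint in the same message agree; it does not authenticate the sender, so a key accepted through the header path is trust-on-first-use at best.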


expires2011 at ymail

Oct 25, 2011, 3:46 PM

Post #75 of 80 (2316 views)
Permalink
Re: STEED - Usable end-to-end encryption [In reply to]

Hi

On Tuesday 25 October 2011 at 10:26:57 AM, in
<mid:4EA680E1.6070406 [at] digitalbrains>, Peter Lebbing wrote:

> On 24/10/11 19:25, Robert J. Hansen wrote:
>> With respect to your question: what we offer is privacy, but most people
>> do not understand privacy, do not care about privacy, and would not care
>> about privacy even if they understood it.

> So if we can't motivate users by showing the bad stuff
> that can happen if you have no privacy, then how to do
> it? I don't see any other way.

> Which for a pessimist might imply that it is simply
> doomed, and we'll never have e-mail crypto by default.

An oft-used analogy when promoting encrypted communication is to
compare it to sending a letter in an envelope rather than sending a
postcard. If people don't care about privacy, why did envelopes rather
than postcards develop as the default for sending messages through the
post?

--
Best regards

MFPA mailto:expires2011 [at] ymail

During an eruption - move away from the volcano - not towards it


