[even more OT] CLI for noobies: The keys to GnuPG
Albrecht Dreß
yellowdog-general@lists.terrasoftsolutions.com
Thu Jul 1 12:37:01 2004
--cWoXeonUoKmBZSoM
Content-Type: text/plain; Format=Flowed; DelSp=Yes; charset=ISO-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Am 01.07.04 15:57 schrieb(en) Clinton MacDonald:
> Albrecht:
>=20
> (I feel a rant coming on -- feel free to move on to the next message if =
=20
> you feel this is off topic.)
Of course not, Clint - I read *everything* you post to this list!
=20
> Albrecht Dre=C3 wrote:
> You are right, of course! I was oversimplifying in my earlier e-mail. We
[snipped discussion about encryption]
> "paper trails."
Exactly what I wanted to say. Only my english is much worse than yours, so =
=20
I left it to you ;-))
> I remember setting up GPG for Apple's Mail.app on my Mac OS X box, once.
[snipped description of weird Apple Mail crypto install]
> rather long passphrase. I turned it off.
Ouch. This kind of software is of course a show stopper. Unfortunately, =20
some programmers don't know what "user-friendly" means (apart from the =20
comic strip, of course)... With Linux (Open Source in general) IMHO the =20
situation is somewhat better (see below).
> [1] one standard encryption scheme must be agreed to by the appropriate =
=20
> governing bodies (such as has happened with secure Web transactions)
There are currently three IETF standards around (it's your choice if you =
=20
want to call them "standards" as they are three and not one, though):
* RFC 2440 or OpenPGP uses (surprise) PGP or GnuPG keys to sign and/or =20
encrypt single-part mails or single parts of multipart messages. It is =20
supported by, inter alia, kmail, balsa (natively), pine or outlook (using =
=20
special plugins). This RFC is rather old and has some shortcomings, so its =
=20
better to use
* RFC 3156 (sometimes called PGP/MIME) which puts the signed and/or =20
encrypted stuff (which may be a complete message with a complicated =20
structure) into a special "container", again using PGP/GnuPG keys. This =20
scheme is really very robust and should be the method of choice, also as =
=20
it is supported by most Linux MUA's (Mozilla, Balsa, Evolution, kmail and =
=20
sylpheed come to my mind).
* RFC 2633 (S/MIME) uses similar MIME structures as '3156, but with keys =
=20
which are comparable to SSL certificates.
> [2] a third party must be entrusted with keys for escrow (apparently, =20
> this is a major stumbling block for businesses)
Yes, but this applies only to S/MIME, where the key is signed (like ssl =20
certificates are) by a "Certificate Authority" (CA), and you must trust =20
the root certificate of the signer. Therefore, this is a method commonly =
=20
used by governments (e.g. the German government sponsored the integration =
=20
of S/MIME into kmail, as some ministries are switching to OpenSource) or =
=20
big companies which may even be their own CA.
PGP/GnuPG uses the distributed "Web of trust" instead. In short, assume =20
you don't trust my key (why should you?), but you have a friend whom you =
=20
trust (=3D=3D his key) fully. Now your friend trusts my key, so he signed i=
t =20
whith his one. At this point you may build a "chain" to trust my key at =20
least marginally.
> [3] all the "major" e-mail clients (for some definition of "major") must =
=20
> adopt the standard more or less at the same time
It works perfectly with '3156 - sending from Mozilla on [spit] Win2k at =20
work to Balsa/Linux at home, for example. Ans meanwhile all "major" OSS =20
MUA's support encryption (see list above).
> [4] the implementation would have to be as seamless as that in every Web =
=20
> browser, where we need not even know we are interacting with a secure =20
> site unless we look at the little padlock icon -- no command line!
In Balsa, for example, you have two buttons "Sign" and "Encrypt" in the =20
composer, which you may even preset depending upon your e-mail identity. =
=20
If you want, you have to enter the passphrase only once per session, as =20
either Balsa's built-in cache remembers your passphrases, or you install =
=20
pinentry (from the unstable GnuPG branch) to get a system-wide cache. Upon =
=20
receiving signed and/or encrypted mails, they are automagically signature =
=20
checked and/or decrypted. It's really as simple as just clicking sign/=20
encrypt on or off, and two passphrase (one for signing, and one for =20
decryption) once per day!! Oh, and if you received a signed mail, but you =
=20
don't have the key, there's a button to get it from a key server. Believe =
=20
me, you will *never* even see the command line!
An for the nasty key management (e.g. if you want to tune the trust of a =
=20
key), there are gpa or seahorse - again, no command line.
<rpm>
I hope some of the YDL packagers will read this - it would be great if =20
they had the necessary packages (GnuPG, gpgme and gpa, plus Balsa/Evo/...) =
=20
in 4.0!
</rpm>
> Unfortunately, by "major" e-mail client ([3]), we are probably talking
[snipped discussion about TTP]
> their Hailstorm initiative for this very reason).
This is a really good and important point. And it's the reason why Open =20
Source people usually have more trust into PGP/GnuPG as in S/MIME. See #2 =
=20
above - that's how it works, and you will *never* need a third party!
> The Mozilla folks might be able to do this, either in Mozilla or in
[snipped Mozilla discussion]
> customers have requested encryption to make a business case for this. =20
> Sigh.
Enigmail is a fine RFC3156 plugin for Mozilla - works perfectly with =20
Linux, MacOS X and Microsnot... Note that you still have to get and =20
install GnuPG separately, though.
> an additional step to sending every e-mail. Sigh.
Well, that depends - see #4 above!
> Thanks for listening to my rant, folks!
=2E..which is always interesting and welcome!
Cheers, Albrecht.
--=20
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Albrecht Dre=DF - Johanna-Kirchner-Stra=DFe 13 - D-53123 Bonn (Germany)
Phone (+49) 228 6199571 - mailto:albrecht.dress@arcor.de
_________________________________________________________________________
--cWoXeonUoKmBZSoM
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQBA5FlMn/9unNAn/9ERAkklAKDCUTJ4H5LKU/lSQfYGnhFtBW27MgCcCBpQ
MSdVLobDyk33LAyZl5pj3jk=
=hqsb
-----END PGP SIGNATURE-----
--cWoXeonUoKmBZSoM--