
Improving product summary in announcement (Re: [Announce] GnuPG 2.2.14 released)
Hello,

first: Congratulations on the new release!

On Tuesday, 19 March 2019 12:28:25, Werner Koch wrote:
> The GNU Privacy Guard (GnuPG, GPG) is a complete and free implementation
> of the OpenPGP and S/MIME standards.

Noticed that "S/MIME" also includes the email part,
which I don't think GnuPG fully provides.

Cryptography is complicated enough, so we should try to be as clear as we can.
To suggest something better is hard, some thoughts and ideas:
Mentioning "S/MIME" is good as this is a well known keyword for the open
standard (beside OpenPGP) that GnuPG is used for. While "Cryptographic
Message Syntax (CMS)" would technically be more on a similar level to
OpenPGP, it is less known and as such harder to understand.

What about
"The GNU Privacy Guard (GnuPG, GPG) provides a complete and free engine
to implement email and file cryptography by OpenPGP and S/MIME standards."

Or maybe
"The GNU Privacy Guard (GnuPG, GPG) is a complete and free implementation
of the OpenPGP and CMS standards needed for OpenPGP/- or S/MIME mails."

or
"The GNU Privacy Guard (GnuPG, GPG) is a complete and free implementation
of the OpenPGP and CMS standards. CMS is needed for S/MIME mails."

Best Regards,
Bernhard
ps.: Sending this to -devel@ because I think it is a concern for people
producing GnuPG.


--
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: Improving product summary in announcement (Re: [Announce] GnuPG 2.2.14 released)
Hi,

Thank you for your input. But:

On Wednesday 20 March 2019 10:28:13 CET Bernhard Reiter wrote:
> On Tuesday, 19 March 2019 12:28:25, Werner Koch wrote:
> > The GNU Privacy Guard (GnuPG, GPG) is a complete and free implementation
> > of the OpenPGP and S/MIME standards.
>
> Noticed that "S/MIME" also includes the email part,
> which I don't think GnuPG fully provides.
>
> Cryptography is complicated enough, so we should try to be as clear as we
> can.

For this reason I _never_ mention CMS in any user visible string. Even x509
Certificates are "S/MIME Certificates". Users do "OpenPGP" or they do "S/MIME"
they have "OpenPGP Keys" or "S/MIME Certificates". I try in my work to reduce
the distinction in the wording between Keys and Certificates.

> What about
> "The GNU Privacy Guard (GnuPG, GPG) provides a complete and free engine
> to implement email and file cryptography by OpenPGP and S/MIME standards."

But you say above that you do not want to complicate things?

> Or maybe
> "The GNU Privacy Guard (GnuPG, GPG) is a complete and free implementation
> of the OpenPGP and CMS standards needed for OpenPGP/- or S/MIME mails."

CMS is for developers. In my experience users do not know it and should not be
exposed to it, ever. Personally I've used GnuPG for S/MIME and OpenPGP for
years before I even knew what CMS meant.

Yep it's all not technically correct but we want to provide a good user
experience and that is not helped by adding confusing "technically correct"
terms.

Best Regards,
Andre

--
GnuPG.com - a brand of g10 Code, the GnuPG experts.

g10 Code GmbH, Erkrath/Germany, AG Wuppertal HRB14459
GF Werner Koch, USt-Id DE215605608, www.g10code.com.

GnuPG e.V., Rochusstr. 44, D-40479 Düsseldorf. VR 11482 Düsseldorf
Vorstand: W.Koch, M.Gollowitzer, A.Heinecke. Mail: board@gnupg.org
Finanzamt D-Altstadt, St-Nr: 103/5923/1779. Tel: +49-2104-4938799
Re: Improving product summary in announcement (Re: [Announce] GnuPG 2.2.14 released)
Hi Andre,

On Wednesday, 20 March 2019 16:12:46, Andre Heinecke wrote:
> For this reason I _never_ mention CMS in any user visible string. Even x509
> Certificates are "S/MIME Certificates". Users do "OpenPGP" or they do
> "S/MIME" they have "OpenPGP Keys" or "S/MIME Certificates". I try in my
> work to reduce the distinction in the wording between Keys and
> Certificates.

those are different occasions to me.
If users are exposed to name a technical format, it should be named precisely.
For the rare case that a user wants to dig deeper, the structure can shine
through, if it must be seen anyway.

To me GnuPG is for technicians, as it is - at the essence - a crypto engine.
So in the GnuPG announcement I believe it is good to show the technical
precision of the product and its crew.

> > What about
> > "The GNU Privacy Guard (GnuPG, GPG) provides a complete and free engine
> > to implement email and file cryptography by OpenPGP and S/MIME
> > standards."
>
> But you say above that you do not want to complicate things?

A list of more specific words usually makes something easier to understand.
* "implementation" -> "engine" is more specific towards GnuPG
* "email" and "file" are also more specific and easier to understand.
In this variant there is no "complete implementation" of S/MIME claimed,
only that GnuPG is an engine for S/MIME, so the mention of S/MIME can
be kept.

> Yep it's all not technically correct but we want to provide a good user
> experience and that is not helped by adding confusing "technically correct"
> terms.

If people read the announcement's first sentence and want to understand it,
I'll consider it helpful to be correct and clarifying at the same time. My
hope was that the suggested first variant above, which did not add another
term, may be an improvement.

Best Regards,
Bernhard

--
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: Improving product summary in announcement (Re: [Announce] GnuPG 2.2.14 released)
Hi,

On Thursday 21 March 2019 09:31:52 CET Bernhard Reiter wrote:
> On Wednesday, 20 March 2019 16:12:46, Andre Heinecke wrote:
> > For this reason I _never_ mention CMS in any user visible string. Even
> > x509
> > Certificates are "S/MIME Certificates". Users do "OpenPGP" or they do
> > "S/MIME" they have "OpenPGP Keys" or "S/MIME Certificates". I try in my
> > work to reduce the distinction in the wording between Keys and
> > Certificates.
>
> those are different occasions to me.
> If users are exposed to name a technical format, it should be named
> precisely.

I disagree with that statement. S/MIME and OpenPGP are the relevant encryption
standards. No one talks about CMS. This is something implementors know about
but even the most expert users do not know that "CMS" is a thing.

> For the rare case that a user wants to dig deeper, the structure can shine
> through, if it must be seen anyway.

I think you can dig deeper into how S/MIME works and find out about the
Cryptographic Message Syntax.

> To me GnuPG is for technicians, as it is - at the essence - a crypto engine.
> So in the GnuPG announcement I believe it is good to show the technical
> precision of the product and its crew.

I have a strong opinion about the fact that CMS should not be used anywhere
user visible. Sorry that we disagree here but CMS is just so arbitrary.
To me using CMS is like saying:
I sent you an OpenPGP Message Syntax RFC 2440 combined with MIME Security with
OpenPGP RFC 3156 to securely send you a mail instead of saying: "I sent you a
PGP Mail."

> > > What about
> > > "The GNU Privacy Guard (GnuPG, GPG) provides a complete and free engine
> > > to implement email and file cryptography by OpenPGP and S/MIME
> > > standards."
> >
> > But you say above that you do not want to complicate things?
>
> A list of more specific words usually makes something easier to understand.
> * "implementation" -> "engine" is more specific towards GnuPG

I respectfully disagree with that. Ok Implementation is not a good word but I
find engine even worse. I would rather just use "software"

> * "email" and "file" are also more specific and easier to understand.
> In this variant there is no "complete implementation" of S/MIME claimed,
> only that GnuPG is an engine for S/MIME, so the mention of S/MIME can
> be kept.
>
> > Yep it's all not technically correct but we want to provide a good user
> > experience and that is not helped by adding confusing "technically
> > correct"
> > terms.
>
> If people read the announcement's first sentence and want to understand it,
> I'll consider it helpful to be correct and clarifying at the same time. My
> hope was that the suggested first variant above, which did not add another
> term, may be an improvement.

I also disagree here. GnuPG is very often used to encrypt just
"Messages" e.g. if you want as an American to buy Medicine for a reasonable
price. You do not use GnuPG for email or files you just use it. Why be specific
if we are just a general crypto engine?

On the back of our T-Shirts we have "The universal crypto engine" In my
opinion this would be the best caption but this is then too unspecific.

Best Regards,
Andre

--
GnuPG.com - a brand of g10 Code, the GnuPG experts.

g10 Code GmbH, Erkrath/Germany, AG Wuppertal HRB14459
GF Werner Koch, USt-Id DE215605608, www.g10code.com.

GnuPG e.V., Rochusstr. 44, D-40479 Düsseldorf. VR 11482 Düsseldorf
Vorstand: W.Koch, M.Gollowitzer, A.Heinecke. Mail: board@gnupg.org
Finanzamt D-Altstadt, St-Nr: 103/5923/1779. Tel: +49-2104-4938799
Re: Improving product summary in announcement (Re: [Announce] GnuPG 2.2.14 released)
On Wed, 20 Mar 2019 16:12, aheinecke@gnupg.org said:

> CMS is for developers. In my experience users do not know it and should not be

Right and many even don't know the terms, maybe they know pkcs#8 but
the common term is S/MIME. When I changed the announcement I really
thought what to write and concluded that well known terms are better
than technical abbreviations in a short summary.



Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.