Wish: group support for Kmail and gnupg
Hi Werner, Hi Marc,
I like to bring up the support for groups (aka aliases of gnupg recipients)
for KMail. (There probably is an issue for this as well, but I am currently
offline.)

My thoughts:
Currently gnupg has the --group feature, I believe that keeping recipient
aliases on the gnupg level is good, as this is the place where recipients
are checked anyway.

The alternative: Associate several keys with one email address or identifier
on client level. This seems more cumbersome to me.

To improve the current situation it would be a good next step to have
KMail make it possible to select a gnupg group from the interface when
it is looking for a key for an email address.
For this gnupg must somehow provide the list of groups on request.
Werner: Do we have such a method in gpgme already?

On KMail side it would involve adding code to retrieve this list
and add it to the selection dialog.

Bernhard

--
Managing Director - Owner, www.intevation.net (Free Software Company)
Germany Coordinator, fsfeurope.org (Non-Profit Org for Free Software)
www.kolab-konsortium.com (Email/Groupware Solution, Professional Service)
Re: Wish: group support for Kmail and gnupg
On Wed, 8 Nov 2006 11:00, bernhard@intevation.de said:

> The alternative: Associate several keys with one email address or identifier
> on client level. This seems more cumbersome to me.

That is in fact the only solid way to implement it. The --group
support in gpg was a hack and I always feared the problems.

> To improve the current situation it would be a good next step to have
> KMail make it possible to select a gnupg group from the interface when
> it is looking for a key for an email address.
> For this gnupg must somehow provide the list of groups on request.
> Werner: Do we have such a method in gpgme already?

$ gpg --with-colons --list-config group

Returns a listing of all defined groups. This does not use the
configure interface, though. I am still not convinced that the group
feature is a good idea. To implement it properly we need another
database to store these aliases - using the configure file is a hack
which does not scale.

I am thinking of a gpgk daemon to manage keys - with such a new
infrastructure we could easily add aliases. But it is all not a good
solution: The receiving MUA does not know about this mapping and may
want to complain about a mismatch in the addresses used in the mail
and those used in the key to encrypt it.


Shalom-Salam,

Werner


_______________________________________________
Gpa-dev mailing list
Gpa-dev@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gpa-dev
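
An added example, not part of the original thread and not code from GnuPG or KMail: how a front end could read the listing produced by the `gpg --with-colons --list-config group` command quoted in the message above and expand a recipient into the group's members. The sample listing, group names and key ID are constructed; the `cfg:group:<name>:<member>;<member>` record layout and the `\xNN` escaping of delimiters are assumptions taken from gpg's colon-listing conventions.

```python
import re
import subprocess

# Constructed sample of `gpg --with-colons --list-config group` output.
# Group names, member addresses and the key ID are made up for illustration.
SAMPLE = (
    "cfg:group:team@example.com:a@example.org;b@example.com;0x1234ABCD\n"
    "cfg:group:admins:c@example.net\n"
    "cfg:version:2.0.0\n"
)

def _unescape(field):
    # Assumption: delimiter characters inside a field arrive as \xNN.
    return re.sub(r"\\x([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), field)

def parse_groups(listing):
    """Return {group name: [members]} from the cfg:group: records."""
    groups = {}
    for line in listing.splitlines():
        fields = line.split(":")
        if len(fields) < 4 or fields[:2] != ["cfg", "group"]:
            continue  # other cfg records and blank lines are ignored
        name = _unescape(fields[2])
        bucket = groups.setdefault(name, [])  # same-named groups are merged
        for member in fields[3].split(";"):
            member = _unescape(member)
            if member and member not in bucket:
                bucket.append(member)
    return groups

def expand_recipients(recipients, groups):
    """Replace each recipient that names a group by its members (one level only)."""
    out = []
    for rcpt in recipients:
        for member in groups.get(rcpt, [rcpt]):
            if member not in out:
                out.append(member)
    return out

def list_groups_from_gpg(gpg="gpg"):
    """Run the command from the message; requires gpg on PATH."""
    res = subprocess.run([gpg, "--with-colons", "--list-config", "group"],
                         capture_output=True, text=True, check=True)
    return parse_groups(res.stdout)

if __name__ == "__main__":
    groups = parse_groups(SAMPLE)
    print(expand_recipients(["team@example.com", "d@example.org"], groups))
```

The expanded list is what a key selection dialog would pre-select; each member still has to resolve to a usable key before encrypting.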
Re: Wish: group support for Kmail and gnupg
On Wednesday 29 November 2006 18:03, Werner Koch wrote:
> On Wed, 8 Nov 2006 11:00, bernhard@intevation.de said:
> > The alternative: Associate several keys with one email address or
> > identifier on client level. This seems more cumbersome to me.
>
> That is in fact the only solid way to implement it.

I am unsure about this.
Actually the association from key to user id (including) email address
happens on the gpg level already. So having several clients
like KMail, mutt and other frontends that can make use of this information,
this information is best maintained at the same level as the user ids.

Doing this sort of associations in frontends will multiply the place
where it would need to be configured.

> The --group
> support in gpg was a hack and I always feared the problems.

It solves an important use case: I know that more than one person
is behind one email address, having several keys. I want to send there.

> > To improve the current situation it would be a good next step to have
> > KMail make it possible to select a gnupg group from the interface when
> > it is looking for a key for an email address.
> > For this gnupg must somehow provide the list of groups on request.
> > Werner: Do we have such a method in gpgme already?
>
> $ gpg --with-colons --list-config group
>
> Returns a listing of all defined groups. This does not use the
> configure interface, though.

As I can ask for user ids over gpgme, I would expect this to be available
via gpgme and not via the configure interface.

> I am still not convinced that the group
> feature is a good idea.

The use case described above is real and to promote encryption,
it should be made easier to solve for frontends.

> To implement it properly we need another
> database to store these aliases - using the configure file is a hack
> which does not scale.

I cannot say much about the implementation side.

> I am thinking of a gpgk daemon to manage keys - with such a new
> infrastructure we could easily add aliases. But it is all not a good
> solution: The receiving MUA does not know about this mapping and may
> want to complain about a mismatch in the addresses used in the mail
> and those used in the key to encrypt it.

Bernhard
Re: Wish: group support for Kmail and gnupg
On Thu, 30 Nov 2006 12:15, bernhard@intevation.de said:

> Actually the association from key to user id (including) email address
> happens on the gpg level already. So having several clients

That is coincidence. A key does not need to have an email address.
Well, most do but it is not a requirement of gnupg.

> like KMail, mutt and other frontends that can make use of this information,
> this information is best maintained at the same level as the user ids.

Frontends have much more information about email addresses. They need
to handle To, Cc and especially Bcc - gpg does not know about this.
MUAs can also keep track of communication patterns and assign trust to
a key by looking at these patterns. I hope this will eventually be
implemented.

Adding this stuff to gpg will finally add knowledge about email to it
which is not the Unix way. I even hesitated to add PKA to gpg but
this is an exception because no other way to implement it exists.

> It solves an important use case: I know that more than one person
> is behind one email address, having several keys. I want to send there.

For me it just works adding these addresses to a --group. It is more
of a problem with some MUAs. Then again it should be fixed in the
MUA.

> As I can ask for user ids over gpgme, I would expect this to be available
> via gpgme and not via the configure interface.

No, it is not a key, it does not work.

> The use case described above is real and to promote encryption,
> it should be made easier to solve for frontends.

So where is the actual problem you want to solve? It is Mutt, which
checks each recipient's key validity instead of leaving this to gpg.
Right?




Shalom-Salam,

Werner


Re: Wish: group support for Kmail and gnupg
On Wednesday 08 November 2006 11:00, Bernhard Reiter wrote:
> Hi Werner, Hi Marc,
> I like to bring up the support for groups (aka aliases of gnupg
> recipients) for KMail. (There probably is an issue for this as well,
> but I am currently offline.)
>
> My thoughts:
> Currently gnupg has the --group feature, I believe that keeping
> recipient aliases on the gnupg level is good, as this is the place
> where recipients are checked anyway.
>
> The alternative: Associate several keys with one email address or
> identifier on client level. This seems more cumbersome to me.

FWIW, KMail supports associating several keys with one email address
since ages (even before Ägypten stopped being just a country on the
African continent).

Regards,
Ingo
Re: Wish: group support for Kmail and gnupg
On Thursday 30 November 2006 20:31, Ingo Klöcker wrote:
> FWIW, KMail supports associating several keys with one email address
> since ages (even before Ägypten stopped being just a country on the
> African continent).

Ingo,
this is interesting. Can you tell me how this works with KMail/Kontact?

Let us say I want to send to team@example.com
and know that three people read there a@example.org, b@example.com,
c@example.net.
I enter team@example.com in the to: field,
select encryption and OpenPGP.
What do I need to do next?


Bernhard
Re: Wish: group support for Kmail and gnupg
On Thursday 30 November 2006 12:32, Werner Koch wrote:
> On Thu, 30 Nov 2006 12:15, bernhard@intevation.de said:
> > Actually the association from key to user id (including) email address
> > happens on the gpg level already. So having several clients
>
> That is coincidence. A key does not need to have an email address.
> Well, most do but it is not a requirement of gnupg.

I know that it is not a requirement, but it is handy to get
the additional data of a key, like the uids.
This makes key management easier and this is important
for the solution to be secure.

> > like KMail, mutt and other frontends that can make use of this
> > information, this information is best maintained at the same level as
> > the user ids.
>
> Frontends have much more information about email addresses. They need
> to handle To, Cc and especially Bcc - gpg does not know about this.
> MUAs can also keep track of communication patterns and assign trust to
> a key by looking at these patterns. I hope this will eventually be
> implemented.

Well I agree. The question to me is: On which level should what
be implemented. The knowledge which uid information belongs to
which group of keys is something that I would want to share
with all my MUAs anyway. So implementing this within each MUA
is not a good idea.

> Adding this stuff to gpg will finally add knowledge about email to it
> which is not the Unix way. I even hesitated to add PKA to gpg but
> this is an exception because no other way to implement it exists.

I only propose to add a mapping
uid -> n* keys
if uid includes an email address, fine. If not: still good.

> > It solves an important use case: I know that more than one person
> > is behind one email address, having several keys. I want to send there.
>
> For me it just works adding these addresses to a --group. It is more
> of a problem with some MUAs. Then again it should be fixed in the
> MUA.

To do this I would want the MUAs to use gpgme because they will otherwise
have to implement another interface to GnuPG which makes it more complicated
and error prone I believe.

> > As I can ask for user ids over gpgme, I would expect this to be available
> > via gpgme and not via the configure interface.
>
> No, it is not a key, it does not work.

It works for other uid information like the email addresses,
if I remember correctly.

> > The use case described above is real and to promote encryption,
> > it should be made easier to solve for frontends.
>
> So where is the actual problem you want to solve? It is Mutt, which
> checks each recipient's key validity instead of leaving this to gpg.
> Right?

I want to solve it both for mutt and KMail/Kontact
and while doing this also for Claws getting the design right.

Bernhard
Re: Wish: group support for Kmail and gnupg
On Wednesday 06 December 2006 10:22, Bernhard Reiter wrote:
> On Thursday 30 November 2006 20:31, Ingo Klöcker wrote:
> > FWIW, KMail supports associating several keys with one email address
> > since ages (even before Ägypten stopped being just a country on the
> > African continent).
>
> Ingo,
> this is interesting. Can you tell me how this works with
> KMail/Kontact?
>
> Let us say I want to send to team@example.com
> and know that three people read there a@example.org, b@example.com,
> c@example.net.
> I enter team@example.com in the to: field,
> select encryption and OpenPGP.
> What do I need to do next?

That should be pretty straightforward.

- Select "Send Message".
- KMail will tell you "There are conflicting encryption preferences for
these recipients. Encrypt this message?". Select Encrypt.
- The Encryption Key Selection dialog will pop up. Select the desired
keys of a, b and c, check "Remember choice" and select OK.
- A dialog asking for the name of the contact for "team@example.com"
will pop up.
- The Encryption Key Approval dialog will pop up. Optionally change the
Encryption preference for "team@example.com", e.g. choose "Ask whenever
encryption is possible".
- After approving the encryption keys the message will be sent.

Somewhere in between you will probably be asked for your passphrase for
signing the message.

The next time you send a message to team@example.com KMail will know
which keys to use.

I haven't tried it, but you should also be able to do the above from the
address book, i.e. you create a new contact for team@example.com and
edit the signing/encryption options of the contact.

Regards,
Ingo
Re: Wish: group support for Kmail and gnupg
Ingo,

On Wednesday 06 December 2006 20:26, Ingo Klöcker wrote:
> - The Encryption Key Selection dialog will pop up. Select the desired
> keys of a, b and c, check "Remember choice" and select OK.

ah! This is the hard part.
With many keys in the list, selecting several keys is not very intuitive.
Usually I need to search to limit the choice and then the other key
I might have selected is gone.

> I haven't tried it, but you should also be able to do the above from the
> address book, i.e. you create a new contact for team@example.com and
> edit the signing/encryption options of the contact.

Yes it is possible.
I have to test this. Thanks for the hint!

It still leaves the problem of configuration for several MUAs.
It would be very cool if I could also select a group to use for
encryption in KMail.

Bernhard

--
Managing Director - Owner, www.intevation.net (Free Software Company)
Germany Coordinator, fsfeurope.org (Non-Profit Org for Free Software)
www.kolab-konsortium.com (Email/Groupware Solution, Professional Service)