We have GOT TO make things simpler
Dear GNUPG developers,

We have GOT TO make things simpler.

1/ I do have some years of experience with GnuPG. Especially with convincing people to use it. It is not easy. But I do it because it is in my interest to be able to communicate privately.
2/ My latest experience is with a person who sent me his entire keypair per email. I had asked him to send me his public key only. I had instructed him how to prepare that file ("export public key, do NOT export the secret half of the keypair. Ensure this by ticking the right boxes. If you use GPA do it like this, if you use Kleopatra, follow those menu trails, if you use GPG Tools I do not know."). The person who made the horror of sending his secret key over email is properly educated.
3/ Please do appreciate that the persons who we are convincing and instructing are not particularly interested in privacy. They need simple approaches.

4/ Here is my proposal:
4.1/ Stimulate that people use a GUI like GPA or Kleopatra. Not Enigmail, although it offers the same, but it offers too much for beginners. Email integration comes after people have a basic understanding. Please do appreciate if people only want to be able to prepare encrypted documents for sending them as attachments.
4.2/ Ensure that, when generating a keypair, GnuPG creates one directory "Secretkeys", and one directory "Publickeys". Make GnuPG store the public part and the secret part separately in those directories. If GnuPG also needs keypairs in a single file, store that under Secretkeys.
4.3/ Get rid of the confusing menu/Exportkeys/ vs menu/Exportsecretkey. etc.
4.5/ Get rid of the options to NOT publish keys on keyservers. Just work the opt-in alternative: If you want to publish to keyservers, make that a separate action that requires some effort.

Best regards,

Roland

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: We have GOT TO make things simpler [ In reply to ]
On 9/30/19 4:58 AM, Roland Siemons wrote:
> Dear GNUPG developers,
>
> We have GOT TO make things simpler.
<snip>
> 3/ Please do appreciate that the persons who we are convincing and
> instructing are not particularly interested in privacy. They need simple
> approaches.

ProtonMail or Tutanota. Both ensure far more privacy and security than
Gmail. Both offer free accounts and smartphone apps. If you need to
communicate privately with someone, have them get an account.

> 4/ Here is my proposal:
> 4.1/ Stimulate that people use a GUI like GPA or Kleopatra. Not
> Enigmail, although it offers the same, but it offers too much for
> beginners. Email integration comes after people have a basic
> understanding. Please do appreciate if people only want to be able to
> prepare encrypted documents for sending them as attachments.
<snip>

Few people not particularly interested in privacy are going to adopt a
solution requiring selecting, cutting, encrypting and pasting text. If
they already use Thunderbird, Enigmail is easy enough to learn. The
real stumbling block is that most people don't do email using
Thunderbird or any MUA.

Jeff
Re: We have GOT TO make things simpler [ In reply to ]
Roland Siemons wrote:

> Dear GNUPG developers,
>
> We have GOT TO make things simpler.
>
> 1/ I do have some years of experience with GnuPG. Especially with
> convincing people to use it. It is not easy. But I do it because it is
> in my interest to be able to communicate privately.
> 2/ My latest experience is with a person who sent me his entire keypair
> per email. I had asked him to send me his public key only. I had
> instructed him how to prepare that file ("export public key, do NOT
> export the secret half of the keypair. Ensure this by ticking the right
> boxes. If you use GPA do it like this, if you use Kleopatra, follow
> those menu trails, if you use GPG Tools I do not know."). The person who
> made the horror of sending his secret key over email is properly educated.
> 3/ Please do appreciate that the persons who we are convincing and
> instructing are not particularly interested in privacy. They need simple
> approaches.

Maybe you can convince your friends to use Mailvelope or the new AutoCrypt
from Vincent (who brought us Hagrid). Both are OpenPGP apps, and no longer
require GnuPG, and therefore should make it easier for your friends to use.

Regards
Stefan

--
box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
certified OpenPGP key blocks available on keybase.io/stefan_claas


Re: We have GOT TO make things simpler [ In reply to ]
Stefan Claas via Gnupg-users wrote:

> Roland Siemons wrote:
>
> > Dear GNUPG developers,
> >
> > We have GOT TO make things simpler.
> >
> > 1/ I do have some years of experience with GnuPG. Especially with
> > convincing people to use it. It is not easy. But I do it because it is
> > in my interest to be able to communicate privately.
> > 2/ My latest experience is with a person who sent me his entire keypair
> > per email. I had asked him to send me his public key only. I had
> > instructed him how to prepare that file ("export public key, do NOT
> > export the secret half of the keypair. Ensure this by ticking the right
> > boxes. If you use GPA do it like this, if you use Kleopatra, follow
> > those menu trails, if you use GPG Tools I do not know."). The person who
> > made the horror of sending his secret key over email is properly educated.
> > 3/ Please do appreciate that the persons who we are convincing and
> > instructing are not particularly interested in privacy. They need simple
> > approaches.
>
> Maybe you can convince your friends to use Mailvelope or the new AutoCrypt
> from Vincent (who brought us Hagrid). Both are OpenPGP apps, and no longer
> require GnuPG and therefore should it make easier for your friends to use.
>
> Regards
> Stefan
>

Forgot the links, sorry ...

Mailvelope:

https://www.mailvelope.com/en/

Key server for Mailvelope:

https://keys.mailvelope.com/

Autocrypt for Thunderbird:

<https://addons.thunderbird.net/en-US/thunderbird/addon/autocrypt/>

Regards
Stefan
--
box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
certified OpenPGP key blocks available on keybase.io/stefan_claas


Re: We have GOT TO make things simpler [ In reply to ]
> Few people not particularly interested in privacy are going to adopt a
> solution requiring selecting, cutting, encrypting and pasting text. If
> they already use Thunderbird, Enigmail is an easy enough to learn. The
> real stumbling block is that most people don't do email using
> Thunderbird or any MUA.
>

I use Thunderbird 70.0b2 and have used it for years. However it is a
major pain to implement digital signage and encryption. A pain.

Dennis



Re: We have GOT TO make things simpler [ In reply to ]
On 30.09.2019 at 21:32, Dennis Clarke wrote:
> I use Thunderbird 70.0b2 and have used it for years. However it is a
> major pain to implement digital signage and encryption. A pain.


I use enigmail and the signing and encrypting runs very smooth with
thunderbird.

Regards Bernhard
Re: We have GOT TO make things simpler [ In reply to ]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

With all due respect... NO.
It is not wise to impede on the power-users who use GPG due to the availability of the various configurations that brought us here in the first place.


On 9/30/19 9:43 AM, Roland Siemons wrote:
[snip]
> 4/ Here is my proposal:
> 4.1/ Stimulate that people use a GUI like GPA or Kleopatra. Not Enigmail, although it offers the same, but it offers too much for beginners. Email integration comes after people have a basic understanding. Please do appreciate if people only want to be able to prepare encrypted documents for sending them as attachments.

This is not an issue with GnuPG. GnuPG is a back-end utility that front-end applications (like GUIs) interface to. Go to your vendor of choice that interfaces with GPG and complain to them about the complexity of their interface. As far as GPG goes, it does exactly what it's supposed to. It's a command-line utility. Its raw interface is not supposed to be exposed to the kind of user you're expecting.

> 4.2/ Ensure that, when generating a keypair, GnuPG creates one directory "Secretkeys", and one directory "Publickeys". Make GnuPG to store the public part and the secret part separately in those directories. If GnuPG needs also keypairs in a single file, store that under Secretkeys.

Keys are stored in a keyring database. You're not supposed to export them by copying files over in this way. You use the command-line utility to import or export your public keys.
For instance, the following command exports all of your signed public keys in PGP format:

gpg -a --export

...or you can export a specific key by suffixing that last command with the key (or name or email or some other identifier) that you want to export. Exporting private keys is done the same way. Exporting the trust database can be done this way as well, albeit with different options.

> 4.5/ Get rid of the options to NOT publish keys on keyservers. Just work the opt-in alternative: If you want to publish to keyservers, make that a separate action that requires some effort.

AFAIK, distributing keys to keyservers already takes a separate action. Unless there's some other command I'm not aware of, the only way I see to distribute keys to some keyserver is with the following command:

gpg --send-keys $KEY_IDENTIFIER

-----BEGIN PGP SIGNATURE-----

iLcEARMKAB0WIQQWZv6JZKxO310TWtXo8fj9gx4T0wUCXZPnWAAKCRDo8fj9gx4T
0/YtAgEBKgPN/9Ua2odPSPn2K7g1Qnc2XovMnDWE30reqNT4/cYCQmnVuwjMspqs
w5dA7SSIj/fSm9NJptn5dS7y70NoIgIEDJ2+QDNj/4PpUSkkIr3zHpI+y4yIanLP
UxWL8YI5mHUAfGAZ05O8HwwDUm+Z+q4joxVjBjP8pNASTklHrf4U32A=
=Oi8M
-----END PGP SIGNATURE-----

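Roland's incident above (a correspondent mailing his whole keypair) and Tony's point that `gpg -a --export` emits only public material suggest a check worth running on a key file before it leaves the machine: parse the exported block's OpenPGP packet headers and refuse anything that contains a Secret-Key (tag 5) or Secret-Subkey (tag 7) packet. The Python below is an added example, not code from this thread or from GnuPG; it implements the RFC 4880 ASCII-armor and packet-header formats directly and runs on two constructed sample blocks whose key bodies are dummy bytes, so it demonstrates the check without any real key material.

```python
import base64

# Packet tags (RFC 4880 section 4.3). Only the tags matter for this check.
SECRET_KEY_TAGS = {5: "Secret-Key", 7: "Secret-Subkey"}
PUBLIC_KEY_TAGS = {6: "Public-Key", 14: "Public-Subkey"}
TAG_NAMES = {2: "Signature", 13: "User ID", **SECRET_KEY_TAGS, **PUBLIC_KEY_TAGS}


def dearmor(text):
    """Strip ASCII armor (RFC 4880 section 6.2) and return the raw packet bytes."""
    lines = [l.rstrip("\r") for l in text.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP ") and lines[-1].startswith("-----END PGP ")):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = lines[1:-1]
    if "" in body:                       # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    # The trailing "=XXXX" line is the CRC24 checksum, not data.
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))


def iter_packets(data):
    """Yield (tag, body) per packet; handles old- and new-format headers (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"invalid packet tag byte 0x{ctb:02x} at offset {i}")
        i += 1
        if ctb & 0x40:                           # new-format header
            tag = ctb & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths are not supported here")
        else:                                    # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:                       # indeterminate length: runs to end of input
                length = len(data) - i
            else:
                n = 1 << ltype                   # 1, 2 or 4 length octets
                length = int.from_bytes(data[i:i + n], "big")
                i += n
        yield tag, data[i:i + length]
        i += length


def classify_export(armored):
    """Report which kinds of key packets an exported block contains."""
    tags = [tag for tag, _ in iter_packets(dearmor(armored))]
    return {
        "packets": [TAG_NAMES.get(t, f"tag {t}") for t in tags],
        "has_public_key": any(t in PUBLIC_KEY_TAGS for t in tags),
        "has_secret_key": any(t in SECRET_KEY_TAGS for t in tags),
    }


# --- constructed sample input (dummy bodies, not real key material) -----------

def crc24(data):
    """CRC-24 used by ASCII armor (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def old_packet(tag, body):
    """Build an old-format packet with a one-octet length (bodies under 256 bytes)."""
    return bytes([0x80 | (tag << 2), len(body)]) + body


def armor(label, packets):
    raw = b"".join(packets)
    b64 = base64.b64encode(raw).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {label}-----", ""] + lines
                     + ["=" + crc, f"-----END PGP {label}-----"])


DUMMY_KEY_BODY = b"\x04" + b"\x00" * 15          # placeholder body; only headers are read
DUMMY_UID = old_packet(13, b"Example User <user@example.invalid>")

# Shape of what `gpg -a --export` produces: public key, user ID, self-signature, public subkey.
PUBLIC_EXPORT = armor("PUBLIC KEY BLOCK", [
    old_packet(6, DUMMY_KEY_BODY), DUMMY_UID, old_packet(2, b"\x04\x13"), old_packet(14, DUMMY_KEY_BODY)])

# Shape of what `gpg -a --export-secret-keys` produces: the file that must never be mailed.
SECRET_EXPORT = armor("PRIVATE KEY BLOCK", [
    old_packet(5, DUMMY_KEY_BODY), DUMMY_UID, old_packet(2, b"\x04\x13"), old_packet(7, DUMMY_KEY_BODY)])

if __name__ == "__main__":
    for name, block in [("public export", PUBLIC_EXPORT), ("secret export", SECRET_EXPORT)]:
        result = classify_export(block)
        verdict = "REFUSE: contains secret key material" if result["has_secret_key"] else "ok to share"
        print(f"{name}: {result['packets']} -> {verdict}")
```

The check deliberately never looks inside packet bodies, so it works on any key algorithm and version; a mail client plug-in or a pre-send hook that rejects attachments where `has_secret_key` is true would have caught the mistake Roland describes before the message went out.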
Re: We have GOT TO make things simpler [ In reply to ]
On 02/10/2019 00:55, Tony Lane via Gnupg-users wrote:
> This is not an issue with GnuPG. GnuPG is a back-end utility that front-end applications (like GUIs) interface to. Go to your vendor of choice that interfaces with GPG and complain (...)

And this is precisely why GnuPG failed.
Cheers,
Chris

Re: We have GOT TO make things simpler [ In reply to ]
On 10/2/19 4:15 PM, Chris Narkiewicz via Gnupg-users wrote:
> On 02/10/2019 00:55, Tony Lane via Gnupg-users wrote:
>> This is not an issue with GnuPG. GnuPG is a back-end utility that front-end applications (like GUIs) interface to. Go to your vendor of choice that interfaces with GPG and complain (...)
>
> And this is precisely why GnuPG failed.
> Cheers,
> Chris


If a user needs a master's degree and twenty years of experience to use a
tool then the tool will only ever be used by such people. Common sense.



--
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional

Re: We have GOT TO make things simpler [ In reply to ]
Dennis Clarke wrote:

> On 10/2/19 4:15 PM, Chris Narkiewicz via Gnupg-users wrote:
> > On 02/10/2019 00:55, Tony Lane via Gnupg-users wrote:
> >> This is not an issue with GnuPG. GnuPG is a back-end utility that
> >> front-end applications (like GUIs) interface to. Go to your vendor of
> >> choice that interfaces with GPG and complain (...)
> >
> > And this is precisely why GnuPG failed.
> > Cheers,
> > Chris
>
>
> If a user needs a masters degree and twenty years of experience to use a
> tool then the tool will only ever be used by such people. Common sense.

And this is probably the reason why digital signatures from GnuPG have never
been adopted (for business related things) in the EU and elsewhere.

A good example for easy creation of digital signatures I came across today.

This service is free of charge. One only needs a card reader and his / her
ID-card, plus the free Open eCard software.

https://pilots.futuretrust.eu/sigs

Regards
Stefan

--
box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
certified OpenPGP key blocks available on keybase.io/stefan_claas


Re: We have GOT TO make things simpler [ In reply to ]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 10/3/19 5:53 PM, Stefan Claas via Gnupg-users wrote:
> And this is probably the reason why digital signatures from GnuPG were never
> been adopted (for business related things) in the EU and elsewere.

I don't know about the EU, but I can name at least 20 fortune-500 businesses that use GPG, including Facebook (yes, even they use GPG, see for yourself).
And those are just the ones -I- know of. And this isn't even counting government. As far as security goes, you cannot beat GnuPG. You do not have to submit your secret online or to some shady third party.
In fact, there's an entire industry dedicated to the sorts of services GnuPG provides, you might've heard of one - Yubikey.

-----BEGIN PGP SIGNATURE-----

iLgEARMKAB0WIQQWZv6JZKxO310TWtXo8fj9gx4T0wUCXZbEKAAKCRDo8fj9gx4T
05qBAgY94RW3iWAsqAp1epy44ArbPCRkU56kq9VihTKqQls/TMDx2FTx28LpafC5
qaUZhvABKoW9/5a2wN0m0av3aaB+bgIJAaCwT2qBU5OYpvxyaDX+RZwQ7GDd1/LT
3B8cJeQhCcDigoO4OazoMd1CgD6F1e63Y+NKeWfnLUlC3mvYcMnc2FQh
=abwF
-----END PGP SIGNATURE-----

Re: We have GOT TO make things simpler [ In reply to ]
Tony Lane via Gnupg-users wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On 10/3/19 5:53 PM, Stefan Claas via Gnupg-users wrote:
> > And this is probably the reason why digital signatures from GnuPG were never
> > been adopted (for business related things) in the EU and elsewere.
>
> I don't know about the EU, but I can name at least 20 fortune-500 businesses
> that use GPG, including Facebook (yes, even they use GPG, see for yourself).
> And those are just the ones -I- know of. And this isn't even counting
> government. As far as security goes, you cannot beat GnuPG. You do not have
> to submit your secret online or to some shady third party. In fact, there's
> an entire industry dedicated to the sorts of services GnuPG provides, you
> might've heard of one - Yubikey.

And do those 20 companies do business with their customers where GnuPG
signatures are legally binding, like real signatures on letters?

That for example is the case with eIDAS-conformant digital signatures
here in Europe.

Regards
Stefan

--
box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
certified OpenPGP key blocks available on keybase.io/stefan_claas


Re: We have GOT TO make things simpler [ In reply to ]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 10/4/19 3:35 AM, Stefan Claas wrote:
> And do those 20 companies business with their customers were GnuPG
> signatures are legally binding, like real signatures on letters?

_At least_ 20 fortune 500 businesses _that I know of_. Mind you, I'm not even counting governments.
And yes, it is recognized by the US government at the very least. See https://lists.gnupg.org/pipermail/gnupg-users/2018-September/060987.html and https://app.leg.wa.gov/RCW/default.aspx?cite=42.45.130


> That for example is the case with eIDAS conform digital signatures
> here in Europe.

Digital signatures are, in general, legally binding.
If for instance a government official who's known to use PGP signatures signs off on a treasonous act, that signature can be used against him or her in court of law.
But it can also be used for contracts.
e-signature is a legal concept used to capture a person’s intent to be legally bound by the terms of an agreement or contract.
While a digital signature is a mathematical algorithm: a cryptographic technology used to make data tamper-evident and to digitally sign documents.
Even the "newer" signatures that are the Elliptic Curves are recognized as per FIPS-186-4, see:
https://www.federalregister.gov/documents/2015/10/20/2015-26539/federal-information-processing-standard-fips-186-4-digital-signature-standard-request-for-comments#h-9
and notably https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
-----BEGIN PGP SIGNATURE-----

iLgEARMKAB0WIQQWZv6JZKxO310TWtXo8fj9gx4T0wUCXZd8fgAKCRDo8fj9gx4T
02ZvAgjW4j3F1vJna5KRq2po8xW6qmds0u8wUIJNDnQ46nBecy7nxTVyRNgMqdTq
kG19RhDdWvQZ850hmeAK6KJiYUAR+gIJAQ7YSL91Ncopuj8Eeamlh/KBpHfsrCS9
KT/7ZaFhKusw8fOz5XjvQxTksxeJrDsAYvIyufjdu837ri+qEqXWMWSd
=Lx49
-----END PGP SIGNATURE-----

Re: We have GOT TO make things simpler [ In reply to ]
Tony Lane wrote:

> Digital signatures are, in general, legally binding.

In the EU qualified digital signatures (QES) are legally binding
and I strongly doubt that in the U.S. with its ESIGN Act the same
holds true for GnuPG home installations.

I guess a proper Google search will show it to us. :-)

Otherwise the commercially available PGP or free GnuPG would have been
mentioned in the news as a low cost eSig solution a long time ago, right?

Regards
Stefan

--
box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
certified OpenPGP key blocks available on keybase.io/stefan_claas


Re: We have GOT TO make things simpler [ In reply to ]
Stefan Claas via Gnupg-users wrote:

> Tony Lane wrote:
>
> > Digital signatures are, in general, legally binding.
>
> In the EU qualified digital signatures (QES) are legally binding
> and I strongly doubt that in the U.S. with it's ESIGN Act the same
> holds true for GnuPG home installations.
>
> I guess a proper Google search will show it us. :-)

Well, I was wrong. It seems that the U.S. ESIGN Act is pretty relaxed
and does not need such strong requirements like in the EU.

Regards
Stefan

--
box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
certified OpenPGP key blocks available on keybase.io/stefan_claas


Re: We have GOT TO make things simpler [ In reply to ]
> On 10/4/19 3:35 AM, Stefan Claas wrote:
>> And do those 20 companies business with their customers were GnuPG
>> signatures are legally binding, like real signatures on letters?
>
> _At least_ 20 fortune 500 businesses _that I know of_. Mind you, I'm
not even counting governments.

20? Wow. There are 8 billion people on this planet, most of them don't
work at 20 companies from Fortune 500.

WhatsApp built a crypto system that is successfully adopted by billions of
users without technical knowledge.

Our views on what can be considered a successful adoption are strongly
misaligned.

Re: We have GOT TO make things simpler [ In reply to ]
On 10/5/19 2:11 AM, Chris Narkiewicz via Gnupg-users wrote:
> 20? Wow. There are 8 billion people on this planet, most of them don't
> work at 20 companies from Fortune 500.

Most don't even work on software to begin with. What's your point?

> WhatsApp build crypto system that is successfully adopted by billions of
> users without technical knowledge.

Did you really set the bar _that_ low? Forgetting for a moment that Whatsapp is proprietary
and there's no way to actually audit the code... We already know that governments
have been pushing https://archive.is/suDJS for ways to decrypt it directly
and that they can in fact read messages via a central authority/server
https://archive.is/2TXqU when the receiving user of a message is offline.

If you consider deliberately breaking E2E encryption by design a "success" then
yes, our views _strongly_ differ on not just what's successful, but also what's acceptable.

But go ahead, please rationalize why "ease-of-use" is more important than actual security
for power-users such as myself and those who absolutely won't compromise on true E2EE.

Re: We have GOT TO make things simpler [ In reply to ]
Tony Lane via Gnupg-users wrote:

> But go ahead, please rationalize why "ease-of-use" is more important than
> actual security for power-users such as myself and those who absolutely won't
> compromise on true E2EE.

Not to rain on your parade, but I have followed the topic of encryption since the mid '80s
and can say nowadays that GnuPG has failed to become an email encryption
product for the masses, which IIRC was the initial goal of Mr Zimmermann's PGP
back in the early nineties.

Instead GnuPG became the ultimate tool for PGPGs[1].

Try the following experiment, as power user: Explain to your loved ones,
friends and co-workers GnuPG usage (with all its surrounding stuff like
installing MUAs and plug-ins, besides GnuPG), point them to the FAQ as
learning resource and then show them as modern alternative Mailvelope
or the new Autocrypt from Vincent ...

Once done consider again why in modern software design ease of use is an
important factor, if you like to reach out to the masses and want to
convince people to use software based on the OpenPGP protocol.

[1] Pretty Good Privacy Geek

Regards
Stefan

--
box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
certified OpenPGP key blocks available on keybase.io/stefan_claas


We have GOT TO make things simpler [ In reply to ]
Dear List,

I explained a problem.
I proposed a step forward towards a solution.
There were 17 responses.

So far, those responses either:
- advised to no longer use GnuPG, or
- denied or downplayed the problem (although I demonstrated the
existence of the problem), or
- argued against those who denied or downplayed the problem.

No single response touched upon my proposal. This is very disappointing.

Developers, please consider my proposition, and tell me what you like or
dislike about it.

Sincerely,

Roland


Re: We have GOT TO make things simpler [ In reply to ]
On Fri, 4 Oct 2019 21:28, Stefan Claas said:

> Well, I was wrong. It seems that the U.S. ESIGN Act is pretty relaxed
> and does not need such strong requirements like in the EU.

The EU neither. Even the Qualifizierte Elektronische Signatur,
introduced in Germany ages ago, is no longer a requirement for the
majority of transactions. In fact the Einfache Elektronische Signatur
(i.e. your name below an email) is often sufficient. It is the same as
with handwritten signatures - if it comes to a litigation the court
decides and evaluates the entire circumstances. Having a government
issued token (e.g. a qualified electronic signature) puts more trust
into the validity of the signature but still allows the signer to
repudiate the signature just by telling that the token was lost and the
PIN was on an attached post-it.

Recall that for VAT purposes (the major revenue source of almost all
countries) no signature on digital invoices is required. An EU decision
once overturned the German requirement for a government issued qualified
signature on invoices and thus was the tombstone for the qualified
electronic signature (modulo that some companies try to keep them alive
as their business model but that, along with their questionable legal
hack, is a different story).

It is perfectly okay to allow a Fortgeschrittene Elektronische
Signatur (advanced electronic signature, i.e. S/MIME or OpenPGP) to
replace a handwritten signature if that has been stated in contracts or
constitutional documents or their bylaws. This prima facie evidence is
nearly always sufficient unless notarial documents are anyway required.

There is a lot of literature on that topic which can easily be found and
studied. It is not the topic of this technical mailing list, though.


Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are governed by a federal law.
Re: We have GOT TO make things simpler [ In reply to ]
On Sat, 5 Oct 2019 12:15, Stefan Claas said:

> installing MUAs and plug-ins, besides of GnuPG) point them to the FAQ as
> learning resource and then show them as modern alternative Mailvelope

And don't forget to point them to all the HOWTOS and RFCs required to
use and admin a MUA, sendmail, and the net configuration to name just a
few. The point here is that you falsely compare a system tool with an
end user visible interface.


Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are governed by a federal law.
Re: We have GOT TO make things simpler [ In reply to ]
On 10/5/19 6:15 AM, Stefan Claas via Gnupg-users wrote:
> Tony Lane via Gnupg-users wrote:
>
>> But go ahead, please rationalize why "ease-of-use" is more important than
>> actual security for power-users such as myself and those who absolutely won't
>> compromise on true E2EE.
>
> Not to rain your parade, but I follow the topic encryption since the mid '80s
> and can say nowadays that GnuPG has failed to become an email encryption
> product for the masses, which IIRC was the initial goal of Mr Zimmermann's PGP
> back in the early ninetees.

The original poster, perhaps unintentionally, stated the real reason the
masses have not adopted PGP, "Please do appreciate that the persons who
we are convincing and instructing are not particularly interested in
privacy." That's it in a nutshell. The masses are not particularly
interested in privacy. If they were, they'd abandon Gmail and Yahoo and
all the other providers who make no excuse for the fact their economic
model depends on users being not particularly interested in privacy.

I have used GnuPG since it was first released and PGP2 and PGP5 before
that. I read "Why Johnny Can't Encrypt" 20 years ago. I didn't believe
it then and don't believe it now because in my experience any
sufficiently motivated, reasonably intelligent person who wants to use
these tools can learn to do so expending less time and effort than it
takes to master the latest video game.

> Instead GnuPG became the ultimate tool for PGPGs[1].

Sure it is. As Mr. Lane explained, it's supposed to be. But that
doesn't mean that it can't be used by non-PGPGs. You don't have to
understand every command and option to use GnuPG effectively. A handful
will suffice for file or email encryption.

> Try the following experiment, as power user: Explain to your loved ones,
> friends and co-workers GnuPG usage (with all its surrounding stuff like
> installing MUAs and plug-ins, besides of GnuPG) point them to the FAQ as
> learning resource and then show them as modern alternative Mailvelope
> or the new Autocrypt from Vincent ...

I agree that there are easier-to-learn encryption solutions than GnuPG.
Mailvelope, FlowCrypt, ProtonMail, Mailfence and Tutanota come
immediately to mind. Any is adequate for the privacy needs of the
masses. Unfortunately, the masses haven't swarmed to them any more than
to PGP or GnuPG. The masses think they have nothing to hide. They
aren't at all concerned about privacy.

> [1] Pretty Good Privacy Geek

Jeff
Re: We have GOT TO make things simpler [ In reply to ]
Werner Koch wrote:

> On Sat, 5 Oct 2019 12:15, Stefan Claas said:
>
> > installing MUAs and plug-ins, besides of GnuPG) point them to the FAQ as
> > learning resource and then show them as modern alternative Mailvelope
>
> And don't forget to point them to all the HOWTOS and RFCs required to to
> use and admin a MUA, sendmail, and the net configuration to name just a
> few. The point here is that you falsely compare a system tool with an
> end user visible interface.

Well, it has to do with the fact that I started with MacPGP in the mid '90s
which was GUI based and no Linux system tool.

Regards
Stefan

--
box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
certified OpenPGP key blocks available on keybase.io/stefan_claas

