Mailing List Archive

We shall value email usage
Dear GnuPG community,

email is a decentralized standard for asynchronous communication
* one-to-one messaging
* closed groups
* public discussions (via mailing lists)
* trust anchor (as needed by many accounts on web-sites)

There is a wealth of Free Software implementations
and service providers, additional tools to make emails scriptable,
searchable and secure (even to be used anonymously).

We should value email and its ecosystem more.

It has come under pressure from
a) online messaging / web applications
b) vendors who want more user data and to bring
people into their walled garden (directing their attention
to paid advertisement)

It seems that rich native email clients as Free Software are a little
bit losing ground. A contributing factor from my perspective is
the complexity that is needed (and partly needed because proprietary vendors
make it more complicated) to make an attractive client for many platforms.
So it is not like a few volunteer hours can keep a native email client on par
or leading the proprietary vendors web-client development speed.
(My answer to this is more professionalism, more about this elsewhere.)

Considering the use cases above, email and native clients have a number of
advantages over other solutions and it is the basis for people being able to
use OpenPGP/MIME with GnuPG. My personal conclusion is that furthering
native Free Software email clients is good for GnuPG (and the world
needs good collaborative tools).

What I observe is that knowledge and practice of email usage
is declining. I notice it in many little things (like folks sending
alternative HTML mails, not being able to handle CC, good inline quoting,
good subjects). So where are good explanations about email practice?

Best Regards,
Bernhard
--
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: We shall value email usage [ In reply to ]
Bernhard Reiter wrote:

> What I observe is that knowledge and practice of email usage
> is declining. I notice it in many little things (like folks sending
> alternative HTML mails, not being able to handle CC, good inline quoting,
> good subjects). So where are good explanations about email practice?

This is quite normal, because millions of people nowadays are using
modern web based email clients and those have with Gmail etc. the option
to use OpenPGP too. GnuPG with add-ons for MUAs seems therefore a bit
outdated and is probably mostly used among Mailing List members. An
exception might be the new Thunderbird, with OpenPGP support.


Regards

Stefan
Re: We shall value email usage [ In reply to ]
On Wednesday, 24 March 2021, 16:15:16, Stefan Vasilev via Gnupg-users wrote:
> Bernhard Reiter wrote:
> > What I observe is that knowledge and practice of email usage
> > is declining. I notice it in many little things

> This is quite normal, because millions of people nowadays are using
> modern web based email clients

Most webclients I have seen, are not as usable as native clients.
But this is no excuse for not using email in a good way. :)

> and those have with Gmail etc. the option to use OpenPGP
> too. GnuPG with add-ons for MUAs seems therefore a bit outdated
> and is probably mostly used among Mailing List members.

Yes, there is a perception of "outdatedness".
Maybe it is needed to show the advantages to make it look modern.
A tool that is more effective should be modern.

Of course, email belongs to many, a proprietary messenger to one vendor,
guess who has more marketing money. ;)

> An exception might be the new Thunderbird, with
> OpenPGP support.

The choice of implementing a pre-standard way of protected headers
and making it the default without a way to disable it, was doing email and
secure email a disservice in my opinion. :(

Best,
Bernhard

--
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: We shall value email usage [ In reply to ]
Hi List,

On Wed, 24 Mar 2021 at 16:15, Stefan Vasilev via Gnupg-users wrote:
> Bernhard Reiter wrote:
>
> > What I observe is that knowledge and practice of email usage
> > is declining. I notice it in many little things (like folks sending
> > alternative HTML mails, not being able to handle CC, good inline quoting,
> > good subjects). So where are good explanations about email practice?
>
> This is quite normal, because millions of people nowadays are using modern
> web based
>
> email clients and those have with Gmail etc. the option to use OpenPGP too.
> GnuPG

Whether they are "modern" is something I do not judge. But there is
even a solution for Web-based mail clients. Mailvelope does a pretty
good job. Although there is some stuff to know about:
- Mailvelope can (obviously) only handle inline PGP mails. Decoding mime
mails (or encoding) is far away from such a tool
- Mailvelope cannot handle hidden encrypts (As I understand the
discussion, current Thunderbird is also unable to handle this.)
- Mailvelope needs an e-mail address in the key identity. Otherwise it is
not selectable.

> among Mailing List members. An exception might be the new Thunderbird, with

As you might see, I use mutt as mail client. But recently, I started
having an eye to Thunderbird for some reasons. I liked the Enigmail
addon. It is sad that the native implementation in Thunderbird is a
big step back. Although there are some advantages like the hidden subject
header.

On the other hand, as it was stated here too, it is not possible to
disable it so the still dumb majority of Outlook is unable to view the
subject. However, Outlook is also unable to view quotes in a usable way,
neither is it able to create proper mails. So I always wonder why
people stick to such horrible software.

Regards
Klaus

Ps. I might need to use this Outlook in future for work mails. But I try
to fight it. :-)
--
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus@Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C
Re: We shall value email usage [ In reply to ]
Hi Klaus,

On Thursday, 25 March 2021, 10:25:22, Klaus Ethgen wrote:
> But there is
> even a solution for Web-based mail clients. Mailvelope does a pretty
> good job. Although there is some stuff to know about:
> - Mailvelope can (obviously) only handle inline PGP mails. Decoding mime
> mails (or encoding) is far away from such a tool

AFAIR Mailvelope can do OpenPGP/MIME
(if the webmailer it is used with offers some features).
https://www.mailvelope.com/en/faq#only_attachments

Did you know: you can use GnuPG with Mailvelope, if you want (e.g. for
smartcards or higher security needs)
https://github.com/mailvelope/mailvelope/wiki/Mailvelope-GnuPG-integration

> It is sad, that the native implementation in Thunderbird is a
> big step back. Although there are some advantages like the hidden subject
> header.

To me the protected headers implementation in Thunderbird is a step back,
as it leads to unnecessary data leaks (subject and cc) to other clients
which are OpenPGP/MIME compatible. And it reduces the usability for emails
in many cases (see my email thread about it).

> On the other hand, as it was stated here too, it is not possible to
> disable

It is possible to disable (they added this later), but it is an expert option
and the default is still on (see drawbacks mentioned above).
https://lists.gnupg.org/pipermail/gnupg-users/2021-February/064862.html

Best Regards,
Bernhard

--
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: We shall value email usage [ In reply to ]
Hi,

On Thu, 25 Mar 2021 at 11:51, Bernhard Reiter wrote:
> To me the protected headers implementation in Thunderbird is a step back,
> as it leads to unnecessary data leaks (subject and cc) to other clients
> which are OpenPGP/MIME compatible.

Well, there are others..

For example, if you start editing a mail with thunderbird and put it to
drafts. Then finishing the edit with mutt. This will leak the following
headers:
- user-agent
- x-mailer
- x-mozilla-draft-info
- x-enigmail-draft-status
- x-account-key
- x-identity-key
- fcc

Even when sending mails just from thunderbird, it leaks at least the
user-agent header.

Currently I configured my MTA to remove those headers for outgoing mails.

Regards
Klaus
--
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus@Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C
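
The header removal described in the message above, sketched as an added example (not code from the thread or from any project mentioned in it): it parses one outgoing message, reports which of the listed headers are present, and returns a copy without them. The sample message, its addresses and all header values are constructed placeholders, and the function name is hypothetical.

```python
from email import message_from_bytes
from email.policy import compat32

# Header names listed in the message above (matched case-insensitively).
LEAKY_HEADERS = (
    "user-agent",
    "x-mailer",
    "x-mozilla-draft-info",
    "x-enigmail-draft-status",
    "x-account-key",
    "x-identity-key",
    "fcc",
)

# Constructed sample: a draft resumed in another client. All addresses and
# header values are placeholders, not captured from a real message.
SAMPLE_DRAFT = (
    b"From: alice@example.org\n"
    b"To: bob@example.org\n"
    b"Subject: test\n"
    b"User-Agent: ExampleClient/0.0 (placeholder)\n"
    b"X-Mozilla-Draft-Info: placeholder-draft-info\n"
    b"X-Account-Key: account1\n"
    b"x-identity-key: id1\n"
    b"FCC: imap://alice@mail.example.org\n"
    b"\t/Sent-placeholder\n"  # folded continuation of the FCC header
    b"MIME-Version: 1.0\n"
    b"Content-Type: text/plain; charset=utf-8\n"
    b"\n"
    b"Hello Bob\n"
)


def audit_and_strip(raw: bytes):
    """Return (names_found, cleaned_message_bytes) for one RFC 5322 message.

    Only the top-level header block is edited; headers inside nested MIME
    parts are left alone.
    """
    # compat32 writes the remaining headers back as they were parsed
    # instead of re-folding them.
    msg = message_from_bytes(raw, policy=compat32)
    found = []
    for name in LEAKY_HEADERS:
        if msg.get_all(name):
            found.append(name)
            del msg[name]  # drops every occurrence, folded lines included
    return found, msg.as_bytes()


if __name__ == "__main__":
    names, cleaned = audit_and_strip(SAMPLE_DRAFT)
    print("removed:", ", ".join(names))
    print(cleaned.decode("ascii"))
```

Parsing the header block rather than filtering lines by prefix matters for the folded `FCC` header in the sample: a line-based filter would remove the first line and leave the continuation line behind.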
Re: We shall value email usage [ In reply to ]
On 3/25/2021 12:34 PM, Klaus Ethgen wrote:
> Hi,
>
> On Thu, 25 Mar 2021 at 11:51, Bernhard Reiter wrote:
>> To me the protected headers implementation in Thunderbird is a step back,
>> as it leads to unnecessary data leaks (subject and cc) to other clients
>> which are OpenPGP/MIME compatible.
>
> Well, there are others..
>
> For example, if you start editing a mail with thunderbird and put it to
> drafts. Then finishing the edit with mutt. This will leak the following
> headers:
> - user-agent
> - x-mailer
> - x-mozilla-draft-info
> - x-enigmail-draft-status
> - x-account-key
> - x-identity-key
> - fcc
>
> Even when sending mails just from thunderbird, it leaks at least the
> user-agent header.
>
> Currently I configured my MTA to remove those headers for outgoing mails.

You can disable the usage of the user-agent in TB, one can only hope for
the others as well.

--
John Doe

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: We shall value email usage [ In reply to ]
On Thursday, 25 March 2021, 12:34:15, Klaus Ethgen wrote:
> if you start editing a mail with thunderbird and put it to
> drafts. Then finishing the edit with mutt.

Just wondering if there is a standard for sharing email drafts ...

Anyhow implementing the wrapped message method of protected headers
would also be good for drafts: Just fully encrypt the real mail.

Note that email needs meta data like a postal package needs an address sticker
on the cardboard.

Best,
Bernhard

--
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: We shall value email usage [ In reply to ]
* Bernhard Reiter:

> Just wondering if there is a standard for sharing email drafts ...

https://tools.ietf.org/html/rfc6154 defines optional attributes for
"special-use" mailboxes. That applies to IMAP only, of course, but it
may be sufficient, depending on a user's client/server combination.

-Ralph

Re: We shall value email usage [ In reply to ]
Bernhard Reiter wrote:
>
> On Wednesday, 24 March 2021, 16:15:16, Stefan Vasilev via Gnupg-users wrote:
>> Bernhard Reiter wrote:
>>> What I observe is that knowledge and practice of email usage
>>> is declining. I notice it in many little things
>> This is quite normal, because millions of people nowadays are using
>> modern web based email clients
> Most webclients I have seen, are not as usable as native clients.
> But this is no excuse for not using email in a good way. :)
>
>> and those have with Gmail etc. the option to use OpenPGP
>> too. GnuPG with add-ons for MUAs seems therefore a bit outdated
>> and is probably mostly used among Mailing List members.
> Yes, there is a perception of "outdatedness".
> Maybe it is needed to show the advantages to make it look modern.
> A tool that is more effective should be modern.
>
> Of course, email belongs to many, a proprietary messenger to one vendor,
> guess who has more marketing money. ;)
>
>> An exception might be the new Thunderbird, with
>> OpenPGP support.
> The choice of implementing a pre-standard way of protected headers
> and making it the default without a way to disable it, was doing email and
> secure email a disservice in my opinion. :(
>
The more I think about GnuPG with email MUA usage I strongly believe
that the Industry has better options than email, especially when it
comes to decentralised and confidential communications.

Hopefully the Industry will take a look at affordable hardware based
encrypted Fax comms for the little individual or small business owner.

https://www.tccsecure.com/Products/voice-fax-data-encryption/CSD3324spf-detail.aspx

Hardware based AES/DH crypto phones (no smartphones) would be a welcome
addition too.

Or that the OpenPGP community revives PGPfone, for free Internet calls,
at least ...


Regards

Stefan
Re: We shall value email usage [ In reply to ]
On Wednesday, 31 March 2021, 22:28:45, Stefan Vasilev via Gnupg-users wrote:
> The more I think about GnuPG with email MUA usage I strongly believe
> that the Industry has better options than email, especially when it comes
> to decentralised and confidential communications.

And what options would that be?

> Hopefully the Industry will take a look at affordable hardware based
> encrypted Fax comms for the little individual or small business owner.
>
https://www.tccsecure.com/Products/voice-fax-data-encryption/CSD3324spf-detail.aspx

Briefly skimmed the page, it does not say how the machine-in-the-middle
(MITM) attack is mitigated. Also this hardware solution does not offer the
means to transport electronic documents, neither would crypto phones.

Best Regards,
Bernhard

--
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: We shall value email usage [ In reply to ]
Bernhard Reiter wrote:

> On Wednesday, 31 March 2021, 22:28:45, Stefan Vasilev via Gnupg-users wrote:
>> The more I think about GnuPG with email MUA usage I strongly believe
>> that the Industry has better options than email, especially when it comes
>> to decentralised and confidential communications.
> And what options would that be?

First of all we should consider that GnuPG did not change the email
world as users may have expected over the decades and due to continuing
mass-surveillance it is debatable if a few users should use this
communication form further. It would be good if it would be accepted by
millions when conducting online business but since this is not the case,
nor ever will be, it can be argued when a few people do encrypted email
communications, why not switch to other channels, to reduce the flow of
meta data?

An option would be to use UIDless GnuPG key pairs with the Bitmessage
p2p Network to give GnuPG users additional anonymity. Another method
could be IPFS (InterPlanetary FileSystem) usage where users distribute
encrypted GnuPG payloads and only provide the IPFS hashes to
communication partners, so that they can read those hashes, say from
an SMS, a FAX etc. and then download the encrypted payload from places
they feel comfortable with. Another option would be direct FAX/GnuPG
usage, with a different armor, which is OCR friendly.

>
>> Hopefully the Industry will take a look at affordable hardware based
>> encrypted Fax comms for the little individual or small business owner.
>>
> https://www.tccsecure.com/Products/voice-fax-data-encryption/CSD3324spf-detail.aspx
>
> Briefly skimmed the page, it does not say how the machine-in-the-middle
> (MITM) attack is mitigated. Also this hardware solution does not offer the
> means to transport electronic documents, neither would crypto phones.
>
Correct no electronic documents, but would it be not a bit more
difficult or less common to intercept DH usage from hardware based
devices compared to software based Internet DH usage? At least this
product exists and it can be assumed that it is being used.


Regards

Stefan


Re: We shall value email usage [ In reply to ]
On 01/04/2021 15:39, Stefan Vasilev via Gnupg-users wrote:
> Another option would be direct FAX/GnuPG usage, with a different armor,
> which is OCR friendly.

From a purely practical point of view, why would anyone in the modern
world use a system where a digital message is rendered in OCR-able
format on an analogue raster, to be converted into digital tones, then
passed down an analogue connection, which is almost certainly carried
over a VoIP backbone? Please stop.

--
Andrew Gallagher
Re: We shall value email usage [ In reply to ]
On 31-03-2021 22:28, Stefan Vasilev via Gnupg-users wrote:

> Hopefully the Industry will take a look at affordable hardware based
> encrypted Fax comms for

Fax? To get the information on paper? In 2021? Why?

> Hardware based AES/DH crypto phones (no smartphones) would be a welcome
> addition too.

Why limit yourself with expensive special purpose hardware that has far
less options than the current?

> Or that the OpenPGP community revives PGPfone, for free Internet calls,
> at least ...

I think Signal has already stepped into that niche.

--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html


Re: We shall value email usage [ In reply to ]
Johan Wevers wrote:

> On 31-03-2021 22:28, Stefan Vasilev via Gnupg-users wrote:
>
>> Hopefully the Industry will take a look at affordable hardware based
>> encrypted Fax comms for
> Fax? To get the information on paper? In 2021? Why?

Fax is faster than email and arrives, while email delivery to a
recipient cannot be guaranteed. Secondly it is more decentralised than
smtp(s) servers with many users. Third assuming households have
multi-purpose printers too they can simply scan the Fax for further
processing.

>
>> Hardware based AES/DH crypto phones (no smartphones) would be a welcome
>> addition too.
> Why limit yourself with expensive special purpose hardware that has far
> less options than the current?

Why not, this product is available and does not limit Internet users to
do other things besides encrypted Fax usage.

>
>> Or that the OpenPGP community revives PGPfone, for free Internet calls,
>> at least ...
> I think Signal has already stepped into that niche.

No, Signal is an easy to monitor smartphone tool needing a server with
registered users, while PGPfone was a Computer usage only tool, for
direct and secure comms, between two endpoints, without server usage.
Dialing was done from IP address to IP address and verified with the
included PGP wordlist.

Regards

Stefan



Re: We shall value email usage [ In reply to ]
Andrew Gallagher wrote:

> On 01/04/2021 15:39, Stefan Vasilev via Gnupg-users wrote:
>> Another option would be direct FAX/GnuPG usage, with a different armor,
>> which is OCR friendly.
>
> From a purely practical point of view, why would anyone in the modern
> world use a system where a digital message is rendered in OCR-able
> format on an analogue raster, to be converted into digital tones, then
> passed down an analogue connection, which is almost certainly carried
> over a VoIP backbone? Please stop.


Why stop? It is a valid option for almost real time decentralized comms
which guarantees that the recipient gets a time stamped encrypted
document from a hardcoded landline no. Email delivery, as you may know,
cannot be guaranteed and in case of GnuPG armored messages they will be
most likely filtered for further archival and/or processing.

Regards

Stefan





Re: We shall value email usage [ In reply to ]
On 01-04-2021 17:54, Stefan Vasilev via Gnupg-users wrote:

> Fax is faster than email and arrives, while email delivery to a
> recipient can not

Only if the recipient has a landline that can always pickup the fax
call. A more and more uncommon situation. I don't have a landline
anymore, no use for it.

> many users. Third assuming households have multi-purpose printers too
> they can simply scan the Fax for further processing.

What a waste of paper and expensive ink. And I don't have a
(functioning) printer anyway, why would I? I can read everything on
screen. Maybe RMS might do something like that but while I support him
in the current witch hunt I'm not as strict as he is about using modern
hardware. Killing some Google services like advertising id on my phone
and blocking ads is as far as I go.

>> Why limit yourself with expensive special purpose hardware that has far
>> less options than the current?

> Why not, this product is available and does not limit Internet users to
> do other thing besides encrypted Fax usage.
Why buy expensive special purpose hardware for only that use case?

> No, Signal is an easy to monitor smartphone tool needing a server with
> registered users, while

Not really easy to monitor, not since they implemented "sealed sender"
so the server does only know the receiver, not the sender.

> PGPfone was a Computer usage only tool, for direct and secure comms,
> between two endpoints,

Who both had to synchronize being online at the same time. That might
have been acceptable 20 years ago but not now.

> without server usage. Dialing was done from IP address to IP address and
> verified with the included PGP wordlist.

That might cause problems now that most people have dynamic IP addresses.

--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html


Re: We shall value email usage [ In reply to ]
Johan Wevers wrote:

Sorry for not quoting your message!

Let's say it this way, Bernhard likes to promote email usage for GnuPG,
or why should we here on this Mailing List value email usage (with a MUA)?

I showed a couple of examples to make it for the surveillance industry a bit
harder to collect decentralized distributed GnuPG encrypted payloads. :-)

And I am aware that we have people here on this ML who for example
work(ed) in that industry and that they like how GnuPG with MUAs
on online devices work. ;-)

Regards

Stefan


Re: We shall value email usage [ In reply to ]
Hi,

1 Apr 2021, 18:19, from gnupg-users@gnupg.org:

> Why stop?
>
You're right. Today is the good day to break habits, think out of the box and do things differently!

;)

Best regards,
l0f4r0
