Mailing List Archive

WKD Research: Measuring use. Any mailing list maintainers that would help?
Hello friends of OpenPGP,

as part of his Bachelor thesis [1], Christoph wants to find out which
actions could increase the overall usage of WKD.

Ideally we should be able to observe some changes in the usage of WKD over
time and hopefully can credit something to some changes like measures tried
during the research.

So how do we observe WKD usage over time? Obviously this is hard to do,
as we are in a decentralized system that is designed to keep things private.

Thus our measurement could only be indirect.

One idea is: If we have a public email address where a lot of emails are sent
to, e.g. the submission address of a mailing list,
we could set up an OpenPGP key for it via WKD
and use a small tool to pipe each incoming mail through on the server
to decrypt and count the mail.

We can also count the number of requests for the WKD address on the webserver
serving the WKD. In both counts, no personal data is saved.
So it is just about the safety of the decryption tool, which can be provided.

Do you know email addresses, e.g. of mailing lists, where you know the server
administrators would be potentially willing to help this academic research?

Any other ideas?

Best Regards,
Bernhard

[1] https://wiki.gnupg.org/WKD/Misc

--
www.intevation.de/~bernhard +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: WKD Research: Measuring use. Any mailing list maintainers that would help?

On Fri, 22 Oct 2021, Bernhard Reiter wrote:

> Hello friends of OpenPGP,

Hi!

> as part of his Bachelor thesis [1], Christoph wants to find out which
> actions could increase the overall usage of WKD.

There are two parts of the usage: The publishing part and the
search-for-and-use-if-available part. Both need separate measurements, I
think.

>
> Ideally we should be able to observe some changes in the usage of WKD over
> time and hopefully can credit something to some changes like measures tried
> during the research.
>
> So how do we observe WKD usage over time? Obviously this is hard to do,
> as we are in a decentralized system that is designed to keep things private.
>
> Thus our measurement could only be indirect.
>
> One idea is: If we have a public email address where a lot of emails are sent
> to, e.g. the submission address of a mailing list,
> we could set up an OpenPGP key for it via WKD
> and use a small tool to pipe each incoming mail through on the server
> to decrypt and count the mail.

Wouldn't this break DKIM signatures on the mail? Just to be clear: You
intend to send the encrypted mail through the mailing list as usual,
right?

Also: This would only cover mailing lists and thus skew the results. What
about organizations, that use WKD in-house, but whose members rarely write
to mailing lists?

>
> We can also count the number of requests for the WKD address on the webserver
> serving the WKD. In both counts, no personal data is saved.
> So it is just about the safety of the decryption tool, which can be provided.
>
> Do you know email addresses, e.g. of mailing lists, where you know the server
> administrators would be potentially willing to help this academic research?
>
> Any other ideas?

If you want to fiddle around with mailservers, I would prefer your second
approach: You measure the requests to the webserver, but actually don't
offer a key via WKD - thus, the email flow is undisturbed, but you still
get your metrics.

For measuring the publishing part, one could actively query for WKD on
known MX domains.

For measuring the usage part, I think, it's more valuable to have a look
at available software and their features: How many people use mail client
X, and does X have WKD enabled by default or can it use WKD at all / as a
fallback / ...

>
> Best Regards,
> Bernhard

regards,
Erich

Re: WKD Research: Measuring use. Any mailing list maintainers that would help?
Hi Erich,

On Friday, 22 October 2021, 19:17:07 CEST, Erich Eckner via Gnupg-users wrote:

> There are two parts of the usage: The publishing part and the
> search-for-and-use-if-available part. Both need separate measurements, I
> think.

Yes, though we want to focus on the latter part.

> > One idea is: If we have a public email address where a lot of emails are
> > sent to, e.g. the submission address of a mailing list,
> > we could set up an OpenPGP key for it via WKD
> > and use a small tool to pipe each incoming mail through on the server
> > to decrypt and count the mail.
>
> Wouldn't this break DKIM signatures on the mail?

Good question.
Mailman, as a popular mailing list software, already modifies mails and thus may
break these DKIM signatures. I need to do more research on this concern.
(Here is an old Mailman Discussion https://wiki.list.org/DEV/DKIM)

> Just to be clear: You intend to send the encrypted mail through the mailing
> list as usual, right?

Yes, unencrypted, of course.

> Also: This would only cover mailing lists and thus skew the results. What
> about organizations, that use WKD in-house, but whose members rarely write
> to mailing lists?

If you have any ideas how to do a direct or indirect measurement, I'd like to
hear about them.

> If you want to fiddle around with mailservers, I would prefer your second
> approach: You measure the requests to the webserver, but actually don't
> offer a key via WKD - thus, the email flow is undisturbed, but you still
> get your metrics.

True, using the weblogs may give some indications. However,
it does not measure if the clients later actually would understand the pubkey
and send encrypted emails, and an advanced client may cache the results of a
WKD request for a limited time.

> For measuring the publishing part, one could actively query for WKD on
> known MX domains.

(As written above, the work is more focused on the client, but following up
your suggestion: That they offer a WKD in principle does not say much about
how many email addresses actually offer a key, as we cannot walk them and need
an email address before we could actually do a real query. Otherwise, it would be
interesting to see if there are more prominent WKD offers out there.)

> For measuring the usage part, I think, it's more valuable to have a look
> at available software and their features: How many people use mail client
> X, and does X have WKD enabled by default or can it use WKD at all / as a
> fallback / ...

This is a good suggestion, Christoph has already been doing this for a while.

Thanks for your feedback!

Best Regards,
Bernhard
P.S.: I've chosen to have this discussion in gnupg-users, where Christoph and
I are subscribed.
--
www.intevation.de/~bernhard +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
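
The web-log measurement discussed in this thread, as an added example that is not part of any of the messages above: it counts WKD lookups per day from an access log while discarding client IPs, user agents and the `?l=` local-part parameter, so no personal data is kept. The "combined" log format, the sample lines and all names in the code are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample lines in "combined" access-log format (not real traffic).
# The hash and ?l= value are placeholders in the shape a WKD client sends.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Oct/2021:10:01:02 +0200] "GET /.well-known/openpgpkey/hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe HTTP/1.1" 404 153 "-" "GnuPG/2.2.27"
192.0.2.11 - - [22/Oct/2021:10:05:40 +0200] "GET /.well-known/openpgpkey/example.org/hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe HTTP/1.1" 404 153 "-" "GnuPG/2.2.27"
192.0.2.10 - - [22/Oct/2021:11:00:00 +0200] "GET /.well-known/openpgpkey/policy HTTP/1.1" 404 153 "-" "GnuPG/2.2.27"
198.51.100.7 - - [23/Oct/2021:08:15:09 +0200] "GET /.well-known/openpgpkey/hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Oct/2021:08:15:10 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Only the day and the request path are captured; the rest of the line is ignored.
LINE_RE = re.compile(
    r'\S+ \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] "(?:GET|HEAD) (?P<path>\S+) [^"]*"'
)

# Direct method:   /.well-known/openpgpkey/hu/<32 z-base-32 chars>
# Advanced method: /.well-known/openpgpkey/<domain>/hu/<32 z-base-32 chars>
WKD_RE = re.compile(
    r'^/\.well-known/openpgpkey/(?:(?P<domain>[^/]+)/)?'
    r'(?:hu/[ybndrfg8ejkmcpqxot1uwisza345h769]{32}|(?P<policy>policy))$'
)


def count_wkd_requests(log_text):
    """Return {(day, method, kind): count} for WKD requests in log_text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Drop the query string: ?l= carries the mailbox local part.
        path = m.group("path").split("?", 1)[0]
        w = WKD_RE.match(path)
        if not w:
            continue
        method = "advanced" if w.group("domain") else "direct"
        kind = "policy" if w.group("policy") else "key"
        counts[(m.group("day"), method, kind)] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in sorted(count_wkd_requests(SAMPLE_LOG).items()):
        print(key, n)
```

As noted in the thread, clients may cache WKD results, so these counts are an indication of lookups rather than a count of mails sent.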