Question: how can we help more people use OpenPGP?

Posted by dkg on Fri 15 Jun 2007 at 11:01

I use gpg and other associated OpenPGP infrastructure a lot these days, but it's taken me a long time to get up to speed with it. The growing use of gpg across the debian project (including the introduction of OpenPGP-signed APT repositories) has helped me immensely. I have friends and colleagues who use OpenPGP systems to varying degrees (including some not at all). Some of the folks who use it rarely (or not at all) are interested in learning more. I'd like to help the system spread, as i think it's the best infrastructure we have for seeing real decentralized, end-to-end cryptographic communications.

What's a good way to help people learn the ins and outs of the system? Which ideas of the architecture are crucial to understand, and which ones can be glossed over in an introductory/bootstrapping session without starting bad (insecure) habits?

I have a selfish motive for this as well, of course: i want to be able to communicate securely with more people, and i want to be able to do it with free tools. The more people who adopt this reasonable, functional, free infrastructure (even if they're not using debian, or committed to free software principles), the more powerful our free tools will be.

I'm looking for advice that's tailored to different kinds of beginners. Some of us like knowing the full details of the relevant RFCs. Others would prefer a "click this button and your messages will be secure" kind of approach. But these angles are too extreme: the former takes time and energy that legitimately busy people don't have, and the latter isn't thoughtful enough to be terribly trustworthy.

Theory

Most non-technical beginners probably start pretty close to the "click this button" perspective, and need a bit of philosophical orientation to start using the tools well. For example:

What is trust?
What does 'secure' mean to you?
What threats are you trying to defend against?
How can we imagine a system that might be 'secure' over long distances or times?

I'd love to find good sources of this kind of material that are engaging and concise. Do you have a favorite web page that made the ideas "click" for you, even if it didn't tell you technically how to proceed? What made it good?

Philosophical suggestions

Here's some resources i've found about the theoretical why and how of OpenPGP. If you have other good links, please share!

There's Phil Zimmerman's original piece explaining why you should want to use PGP.
The GNU Privacy Handbook is a good writeup about how to start with GnuPG, and contains an interesting "Concepts" section. However, it gets quite arcane quite fast, and it only gives a brief overview (at the end!) about why you might want to use this stuff in the first place.
A talk by Harald Tveit Alvestrand from 1995(!) lays out the issues fairly well, though in a terse way with few concrete examples (and his technical details are understandably dated).
Princeton University's IT department has a very short overview of how a public key system works, though it doesn't go into much detail about key management, or the "why bother" question.
Wikipedia's Web of Trust page covers the basic ideas (and appears to be well-edited at this writing), but it's probably too heavy on jargon for a beginner to make much sense of it.
Patrick Feisthammel's explanation of the Web of trust which has some nice concrete examples about how one might verify identity.

Practice

For some learners, good philosophical material alone is what they need to pick up the way the system works (though they'll need to learn the specifics of a tool if they want to use it). For others, the same theoretical material is best digested by comparing the ideas to a concrete tool as they work through it. For non-technical users, this probably means a software tool with a GUI. What good GUI frontends to the OpenPGP infrastructure are out there that would help interested users explore the new ideas? Which tools won't overwhelm them or encourage bad habits? Do you have a favorite tool, or one that highlights features that you think are crucial?

As for my own learning style, i like to experiment when i'm learning something new. OpenPGP can be a little intimidating in this regard, because making a key and certifying it as your identity is kind of a big deal: you don't want to change your identity too often, so it feels important that it be done right the first time. How can we encourage experimentation with these tools without encouraging an explosion of throwaway keypairs, cluttering public keyservers, or building a culture where people expect identities to change frequently or without review?

Tool suggestions

Some tools i've seen that are more or less useful:

GnuPG (a.k.a. gpg) is of course the canonical free implementation of the OpenPGP standard. Users of debian and debian-derived systems can of course just apt-get install gnupg. Non-debian users might need to download binaries for their systems.
But gpg isn't a terribly friendly user interface, even for those of us with command line experience. It's a very powerful, very configurable tool, but it can be a little overwhelming. Not necessarily the best interface for a beginner to learn/experiment with, but probably necessary as an underpinning for many other free tools with more beginner-friendly UIs.
Enigmail is a plugin for the Thunderbird e-mail client (known as Icedove on debian). It requires an external installation of gpg. Version 0.95.0 significantly simplified the default interface, making it much less intimidating for a beginner. 0.95 is in debian unstable as of this writing.
Gpg4win is a complete GPG package for windows which includes a plugin for MS Outlook (2003 or later) and the windows file explorer. If yer stuck in the 'doze, it might be helpful. I haven't tried it, and i don't know what the UI is like. Anyone have any recommendations?
Seahorse is a GNOME-based OpenPGP (and SSH!) key manager and agent. It includes a lot of neat GUI tools to hook into the underlying capabilities of gpg, and to help think about the web of trust.
GPA is a GUI frontend distributed by the gpg folks (and debian, of course). i find it difficult to use if you don't already know what you're doing, which makes it not so good for beginners. But if someone wants to show me how beginners can use it simply, i'm happy to learn!

Did i miss your favorite tool? Please speak up!

Conclusion

We have a technically-capable toolset for decentralized, authenticated communication. It exists, it works, and it's been in debian for years! The problem is, as Harald Alvestrand put it:

Deciding who to trust is a complex problem. It is not solved, and will be a problem for years to come.

What can we do as supporters of free infrastructure to help others learn how to use these tools? What can we do to help people understand the tools well enough to make their own decisions about who to trust? And how can we encourage the spread of truly free infrastructure so that these decisions aren't compromised by the tools they depend on?

This article can be found online at the Debian Administration website at the following bookmarkable URL:

http://www.debian-administration.org/articles/532