Re: Default encryption for Message

[Jens Lechtenboerger <jens.lechtenboerger@fsfe.org>]

On 2014-09-28, Daiki Ueno wrote:

> Jens Lechtenboerger <jens.lechtenboerger@fsfe.org> writes:
>
> So, maybe improving the documentation of mml2015-encrypt-to-self would
> be a good start?

Yes, there is room for improvement ;)
Maybe that variable should not be t or nil but instead a list of key
IDs (empty by default).

>> (1) Friend Bob wants to send a message to Alice and is supposed to
>> choose the correct key B (but neither A nor C).
>>
>> (2) Alice wants to send an encrypted message to colleague Charlie,
>> and she wants to make sure that the message is encrypted to her key
>> A (but neither B nor C) in addition to Charlie’s key.
>>
>> For (1), my code sets mm-encrypt-option to 'guided to enforce a
>> manual choice so that Bob learns about the existence of those three
>> public keys in the first place.  (Ted Zlatanov suggested to save
>> that choice.)
>
> I don't think this is a good idea.  I know some people ("security" fans)
> like this kind of verbose behavior, but others don't even want to
> remember key IDs and are prone to choose wrong keys.
>
> There are criticisms about a related topic:
> http://www.superlectures.com/guadec2013/more-secure-with-less-security

Thank you for the link.  The idea of using intentions is a good one.
I don’t see how to specify intentions without questions in this
case, though.  Maybe I just didn’t get the point of the video.

Bob’s intention is simple: Encrypt a message to Alice.  However, in
the scenario outlined by you, Alice’s intention is much more
complex: Have different parties use different keys in messages sent
to her.  How do those parties and their software learn about her
intention?  As you just pointed out, Bob quite likely does not know
about key IDs.  In contrast, his software does.

I think of a question like this (to be answered by Bob): “Multiple
encryption keys for <Alice@example.org> are available.  Which one(s)
would you like to use?  (Type ?/a/c/m; ? for help.)”

? displays explanation for the other keys:
- a: Abort.  I don’t know what that means, and I’ll ask the
  recipient offline.
- c: Continue.  I don’t know what that means.  Use the default key
  and insert a question for the recipient.
  (This would insert a customizable text like the following into the
  message: “P.S. My software told me that I could use several
  encryption keys, namely <list of key IDs inserted here>, but I
  don’t know how to choose.  Please explain your intention.”)
- m: Menu.  Display a menu (see mm-encrypt-option 'guided), where
  Bob chooses.  Once Bob has chosen, he is asked whether he’d like
  to choose anew for every message sent to Alice or to record this
  choice permanently.

>> Besides, what is the intended meaning for signatures if
>> mml2015-signers contains multiple keys?
>
> This is certainly for the case when one wants to sign a message with
> multiple keys.

My fault.  I wasn’t aware of that idea.  I don’t see why people
would do this, but it works.

Best wishes
Jens