GPGMail Wizard

Today we'd like to show you what the new GPGMail setup wizard is going to look like and what you'll be able to do with it.

Problem

The complexity of OpenPGP technology makes it hard for first-time users to get started. The initial setup is the biggest hurdle. Users should not get stuck on that very first step when trying to secure their communication.

Solution

A wizard will guide all first-time users through the setup process after installing GPG Suite. Easy steps ensure that all actions needed to get users started with OpenPGP are covered. Common issues that previously could lead to a non-functional setup are prevented.

Wizard Welcome

1. Key Creation

After GPG Suite is installed, we look for existing secret keys. If no secret key is found, the GPG Suite Setup Wizard opens the first time Mail.app is started after installing GPG Suite.

Create your key

The user is presented with a dropdown list of email addresses. Those are taken from existing mail accounts in Mail.app. This eradicates potential typos which could lead to broken setups. In case just a single mail account exists, no further action is required, since the correct mail address will be pre-selected.

Name and password can be chosen at will; the password must match certain safety criteria to prevent weak passwords from being deployed.

2. Address book search

In order to get started using OpenPGP, the user needs to retrieve the public keys of their contacts. This can be a time-consuming process, and a long-standing popular feature request was to allow users to search for public keys using data from Contacts.app.

Wizard Access

'Allow Access' will initiate the search for public keys. The wizard connects to the key servers using an encrypted connection. Since this process can take a few seconds for very large address books, the user sees an animation of the contacts currently being looked up. Once the lookup is done, the contacts slide away.

Downloading keys

Once finished, the wizard shows all contacts for which a public key was found.

Keys downloaded

3. Conclusion and next steps

The final view summarizes the actions. It reflects whether a key has been created or an existing key was found. The user is also informed about the number of keys that were found and imported during the address book search.

A fancy new feature allows the user to write their first encrypted and signed mail by pressing a single button. Click 'Test Mail' and a new encrypted and signed mail to the user's own email address is created. The body of that message includes detailed information about GPGMail usage - what buttons and indicators to look for when working with GPGMail.

'Tell your friends' is a great way of sharing the fact that you have just joined the OpenPGP community. This opens a new mail that informs your friends about your new public key. Also included are OpenPGP implementations for the most common operating systems.

We've included a link to our forum, just in case any open questions remain.

Wizard Done

Whiteout Key Server - Update

As we mentioned in the last entry, Whiteout was entertaining the idea of releasing their key server implementation under an open source license.
Today, Tankred of Whiteout informed us that that is not possible and that the key server has to remain intellectual property of Whiteout.

Whiteout closes up shop

A few weeks ago we learned that our friends at Whiteout are closing shop due to lack of demand for their great products. It goes to show that it's not easy at all to start a successful business based on an OpenPGP solution, and theirs was a pretty great one.

This is very sad, not only because it means that future work on our favorite iOS email client with integrated OpenPGP is no longer happening, but also because they have to shut down their services, including their new key server with email verification, which we've integrated into our automated lookup.

This means we'll have to find a different solution for our lookup, which will probably not be quite as good.

We still have some hope though, since last time we chatted with them they were entertaining the idea of open sourcing their key server. So let's keep our fingers crossed.

Meeting with ToolsOnAir

At the conclusion event of netidee 2014, we met a developer working for ToolsOnAir. ToolsOnAir is a company specialized in delivering video services, like storage, live streaming and other stuff, for businesses running on Mac-based servers, and they have their offices here in Vienna.
Some of their customers are currently deploying GPG Suite, so we arranged a meeting to talk about possible cooperations.

On December 17th we met with them in their office in Vienna, and after they introduced us to different staff members, we sat down and talked about some topics that were of interest to them. They were especially interested in our plans for the future, with the idea of charging a small fee for the future version of GPGMail.
They also shared some concerns with us regarding exchanging encrypted emails between different platforms (Mac, Windows, iOS, Android) and mentioned that they still felt that key management is way too complex for some of their clients.
They had seen that we were planning to make key management easier, especially with the new setup wizard and the automated public key lookup, and were pretty happy about that.

More detailed questions about key management were addressed, for example what to do when a staff member leaves a company. The challenge there is that they have to prevent the staff member from further accessing the key while still being able to decrypt past communication. We shared some best practices with them, like revoking the key and pushing that information to the key server so all interested parties know not to use this key for future communication, but not deleting the key either, in order to retain access to older encrypted communication.
We also talked about future possibilities of elevated support for their clients and a cooperation for licensing.

All in all, it was very nice to get to know them better and we're looking forward to future cooperations.

Whiteout Key Server

For quite some time we've been recommending the Whiteout iOS app to our users as the best experience for reading and sending OpenPGP encrypted emails on iOS.

When checking their website for an update, we stumbled across a blog post they had posted a few weeks earlier regarding key management and the problem of key servers not validating email addresses when users push public keys to key servers. This basically means that someone could create a key pair with the email address of someone else and publish it on the key servers. This problem can range from simply frustrating to quite dangerous.
For example, there are about 4-5 keys with our team@gpgtools.org email address on the keyserver. Now from time to time, when people want to get in touch with us, we cannot read their emails because they're using the wrong public key.

Due to a restriction of key servers, it's also not possible to delete a public key once it's on the key servers. While this absolutely makes sense considering the decentralized nature of key servers, it's terribly frustrating for OpenPGP users who might not know about this or learn about it too late.

To our surprise, Whiteout was planning to introduce their own key server, which tried to fix that problem. Their key server would send a verification message to the email addresses associated with any public key pushed to their server, and only return the key from their API and push it to other key servers after the user uploading the public key had verified that they were indeed the real owner of the email addresses associated with their key.

This new key server is the perfect fit for our automated public lookup, since it not only provides a very simple REST API to query keys by email address (which is certainly faster than invoking a gpg process for each query), but also always prioritizes key results that have had their email address verified.

So we've contacted them and they are happy to allow us to use their key server in GPGMail. YEAH!

First ever OpenPGP Summit

Considering that PGP and OpenPGP have been around for decades, it's quite fascinating to think that most of the developers working on projects related to OpenPGP (which aren't that many) have never met in person. That makes it even greater that Nico, a developer of the popular mail plugin Enigmail (which enhances Thunderbird with OpenPGP functionality), came up with the idea of hosting a conference with PGP developers. Of course, when he asked us, we immediately said yes!

So in April 2015 we traveled to Dreieich, Germany, close to Frankfurt, to attend the first ever OpenPGP summit at the headquarters of Griegerich & Partner, who hosted the event.

Quite to our surprise, Nico really managed to get together the developers of the most well known OpenPGP projects, from Whiteout, Enigmail, Werner Koch (THE gnupg developer!), Mailvelope, Google End-to-End, gpg4win and gpg4o (among others).

On the first day, each of the projects represented gave a quick talk about their project and what they're planning to do in the future, to get to know each other better. While we had heard about a lot of them before, some were certainly new to us.

On the second day, we sat down and voted on some topics we were interested in discussing. We later split up into smaller groups, with each group discussing one topic. It was interesting to learn that a lot of us are working on solving the same problems:

  • Easier key management
  • Secure and reliable backup of private keys (we all know what happens if we lose our keys :()
  • Adoption of PGP/MIME (the standardized way of sending mail in a proper MIME structure)
  • Securing meta data which is currently leaked due to restrictions of the mail protocol
  • A proposal to solve some parts of the meta data problem (like encrypting the subject)

We've always been strong believers in promoting the PGP/MIME standard, since it has a proper RFC and most developers adhere to the standard.
So it was particularly interesting to learn from the developers at Whiteout that for mobile applications, the PGP/MIME structure wasn't the right choice. Since in PGP/MIME the entire message, body and attachments, is encrypted together, it may result in a huge payload. While this is no problem on a desktop, it poses some serious problems on mobile devices, which would greatly benefit from a different structure where especially the attachments are encrypted separately, so it's fast to fetch the body and show the decrypted version without having to wait for the attachments to load. When a user later wants to decrypt the attachments as well, they can be fetched and decrypted on demand. That would make for a much better user experience.

We're still really happy about PGP/MIME, but these are certainly some aspects to consider.

On the last day, one member of each group presented a summary of the topics discussed within the group, and so we all shared the most important things we had learned in the different sessions.

All in all it was a great experience and we're really looking forward to attending the next summit, which thanks to Nico is already in the planning phase.

Improved Public Key lookup in GPGMail

When using GPGMail to encrypt a message to a recipient, it's necessary to already have the recipient's public key in the keyring.

Otherwise GPGMail will simply tell you that there's no public key available and that you have to fetch it via GPG Keychain. This has always been a nuisance and made it harder, especially for novice users, to easily encrypt messages.

For a long time we've been thinking of how to best integrate public key lookup directly into Mail when a recipient is entered, and we finally found a solution for it.

Now when you type in an email address, GPGMail first checks if a matching public key is available in your keyring. If there's no matching public key to be found in your keyring, GPGMail will automatically search for one on a PGP key server and import it if one is found.

If a public key is available, the tint color of the address overlay will be changed to green and a checkmark icon will be displayed next to it.

Public Key Available

If it can't find one however, you'll see a question mark icon next to the address overlay.

Public Key Not Available

In that case, it's possible to manually search for a key on a key server.

Public Key Not Available Lookup
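
The lookup order described in this entry, combined with the address verification described in the Whiteout Key Server entry above, as an added example (not GPGMail's or Whiteout's code). It is a toy in-memory model; the class, function names, addresses and fingerprints are constructed for illustration.

```python
import secrets

class VerifyingKeyServer:
    """Toy in-memory model: a key is served only after its address is verified."""

    def __init__(self):
        self.pending = {}    # token -> (email, fingerprint), awaiting confirmation
        self.verified = {}   # email -> [fingerprints] confirmed by the mailbox owner
        self.mailbox = {}    # email -> [tokens]; stands in for verification mails

    def upload(self, fingerprint, emails):
        # Uploading publishes nothing; one unguessable token is mailed per address.
        for email in (e.lower() for e in emails):
            token = secrets.token_urlsafe(16)
            self.pending[token] = (email, fingerprint)
            self.mailbox.setdefault(email, []).append(token)

    def confirm(self, token):
        # Only someone who can read the mailbox can present the token.
        entry = self.pending.pop(token, None)
        if entry is None:
            return False
        email, fingerprint = entry
        self.verified.setdefault(email, []).append(fingerprint)
        return True

    def lookup(self, email):
        return list(self.verified.get(email.lower(), []))


def find_key(email, keyring, server):
    """Keyring first, key server second; import the result on a server hit."""
    email = email.lower()
    if email in keyring:
        return keyring[email], "keyring"
    hits = server.lookup(email)
    if not hits:
        return None, "not found"   # the UI would show the question mark here
    keyring[email] = hits[0]
    return hits[0], "key server"


def demo():
    server, keyring = VerifyingKeyServer(), {}
    server.upload("FPR-IMPOSTOR", ["alice@example.org"])   # constructed values
    server.upload("FPR-ALICE", ["alice@example.org"])
    before = find_key("alice@example.org", keyring, server)
    # Alice reads her mailbox and confirms only the key she recognises (2nd mail).
    server.confirm(server.mailbox["alice@example.org"][1])
    after = find_key("Alice@Example.org", keyring, server)
    cached = find_key("alice@example.org", keyring, VerifyingKeyServer())
    return before, after, cached
```

The key uploaded under someone else's address stays pending and is never returned, which is the property a traditional key server lacks.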



We are really happy about this feature and believe it will greatly improve the user experience. It's not finished yet, but we hope it will be soon.

Netidee Call 9

We couldn't be happier to announce that our project proposal has been accepted for the 9th Call of Netidee.


In the next months we'll be working on some new and exciting features for GPGMail, which will really improve key management. We're also planning to revamp a substantial part of GPG Suite, but we don't want to spoil the surprise just yet.

Throughout 2015, this site will be updated regularly with screen shots and progress reports. All source code created as part of this project will be released under an open source license and reside in a public Git repository.


