[Enigmail] From offlist
Robert J. Hansen
rjh at sixdemonbag.org
Tue Mar 3 18:14:44 PST 2009

Robert J. Hansen wrote:
> David D-- contacted me off-list with a question. He doesn't want to
> post on the list for reasons known only to him. This is his
> question, with his email address and last name stripped, reposted
> with his permission.

<reaches for the list moderator hat>

We generally prefer these questions to be posted to the list instead of
to themselves personally. The reasons are both technical and cultural.

The technical reason is that other people may have this same question.
If this question is asked on-list and answers are posted on-list, then
Google can index them and future users can just Google instead of asking
us. Taking questions to the list, instead of to private email, is a
kindness to future users. We heartily recommend it for that reason.

The second technical reason is the list serves as a load balancer. If
you throw the question on the list, then any of half-a-dozen very
knowledgeable people will speak up and give an answer. Other people who
don't speak up as much but who have run into your problem before may
throw their two cents in, too. But if people just look for someone who
posts a lot of answers and then email that person off-list, that person
will soon find themselves drowned; there's no load balancing.

Finally, the cultural reason is that we have generally decided this is
the forum we'd like to use to talk about Enigmail. We try to keep a
pretty friendly list and we encourage people to make use of it. If
people are just going to email us off-list, then why bother with the
list at all?

If you have a very real need for privacy (and I've seen no evidence to
think David D-- doesn't), then sure, email us off-list. We'll try to
help. But most questions belong on the list unless there's a very real
need otherwise.
<removes hat>

David D-- wrote:
> I'm looking to start encrypting my emails, but I'm not sure whether
> to use SSL or Gnu Private Guard (through Enigmail with Thunderbird).
> I'm definitely not an expert on this, but am I right in understanding
> that with SSL (using a server from trustmail or swissmail) you can
> send an email to anyone whether they have a key or not, but with
> Enigmail the recipient has to have a key for the email to be
> encrypted?

SSL and GnuPG provide two very different sets of capabilities. They're
really apples and oranges. SSL will protect your email when you're
sending your email to your email server. However, once it leaves your
email server it's in cleartext. It travels the internet in cleartext,
it arrives at your recipient's server in cleartext, it's put in your
recipient's mailbox in cleartext.

For some people, this is enough. Other people want an end-to-end
encryption channel. GnuPG provides that.

You're correct in that SSL doesn't require you to have your recipient's
public key and GnuPG does.

> If this is the case it seems that using Enigmail is more secure, but
> how would you send an encrypted email to someone whose public key is
> not on any directory?

You send them an email and ask for their key. They email it back to
you, and you import it to your local keyring. It's possible for a
malicious attacker to have replaced the public key your correspondent
sent you with a public key of the attacker's choosing, though -- what we
call a Man In The Middle attack -- so it's important to verify that you
received the correct key. The usual way to do this is to contact your
friend by some method other than email and ask them for a fingerprint of
their key. If the fingerprint they give you matches the one you find by
looking at your copy of their key, then you have the correct key.