</div>
</section><!-- End #section2 -->
-<!-- ~~~~~~~~~ Section 2: Follow The Guide ~~~~~~~~~ -->
+<!-- ~~~~~~~~~ Section 3: Follow The Guide ~~~~~~~~~ -->
<section class="row" id="section3">
<div>
<!-- ~~~~~~~~~ section introduction: interspersed text ~~~~~~~~~ -->
<div class="section-intro">
- <h2><em>#2</em> Follow The Guide</h2>
- <p>Have the participants work through the Email Self-Defense guide a step at a time on their own computers. Make sure all participants complete each step before the group moves on to the next step. Talk about each step, but be sure not to overload the participants with minutia. Pitch the bulk of your instruction to the least tech-savvy participants. Consider holding a secondary workshop afterwards for the outliers in either direction.</p>
+ <h2><em>#3</em> Follow the guide as a group</h2>
+ <p>Work through the Email Self-Defense guide a step at time as a group. Talk about the steps in detail, but make sure not to overload the participants with minutia. Pitch the bulk of your instructions to the least tech-savvy participants. Make sure all the participants complete each step before the group moves on to the next one. Consider facilitating secondary workshops afterwards for people that had trouble grasping the concepts, or those that grasped them quickly and want to learn more.</p>
+ <p>Even powerful surveillance systems can't break private keys when they're protected by lengthy Diceware passphrases. Make sure participants use the Diceware method, if dice are available. Stress the importance of eventually destroying the piece of paper the Diceware password is written on, and make sure all the participants back up their revocation certificates.</p>
+ <p>In step 2, make sure the participants upload their keys to the same keyserver so that they can immediately download each other's keys later (sometimes there is a delay in synchronization between keyservers). During Step 3, give the participants the option to send encrypted messages to each other instead of or as well as Edward. Similarly, in Step 4, encourage the participants to sign each other's keys.</p>
</div><!-- End .section-intro -->
-
- <!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ -->
- <div id="step-2a" class="step">
- <div class="sidebar">
- <p><img src="//static.fsf.org/nosvn/enc-dev0/img/en/screenshots/step2a-01-make-keypair.png" alt="Try it out."></p>
- </div><!-- /.sidebar -->
- <div class="main">
- <h3><em>Step 2.a</em> Public and Private Keys key</h3>
- <p>Make sure all the participants have a conceptual understanding of the relationship between public and private keys in a keypair. It's normal for people to not understand public-key cryptography on the first try. Use analogies to help explain the concept.</p>
-
- </div><!-- End .main -->
- </div><!-- End #step-2a .step -->
-
- <!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ -->
- <div id="step-2b" class="step">
-<div class="sidebar">
- <p><img src="//static.fsf.org/nosvn/enc-dev0/img/en/screenshots/section5-02-use-it-well.png" alt="Section 5: Use it Well" /></p>
- </div><!-- /.sidebar -->
- <div class="main">
- <h3><em>Step 2.b</em> Diceware and Passphrases</h3>
- <p>Sufficiently strong passphrases <a href="https://firstlook.org/theintercept/2015/03/26/passphrases-can-memorize-attackers-cant-guess/"> can't easily be brute forced</a>, and thus protect the private key even if it falls into the wrong hands. Recommend participants use the <a href="http://world.std.com/~reinhold/diceware.html"> diceware method </a>, and have dice and the wordlist available for them to use. Participants who choose to use diceware should keep their passphrase with them at all at all times until they memorize it. Stress the importance of creating and backing up revocation certificates, especially to participants who write down their diceware passphrases.</p>
- <!-- ~~~~~~~~~ Troubleshooting ~~~~~~~~~ -->
- <div class="troubleshooting">
- <h4>Disclaimer</h4>
- <dl>
- <dt>Diceware and Licensing</dt>
- <dd>Something here about diceware's relationship with free software, or something.</dd>
- </dl>
- </div><!-- /.troubleshooting -->
-
- </div><!-- End .main -->
- </div><!-- End #step-3b .step -->
-
-
</div>
- </section><!-- End #section3 -->
+ </section>
-<!-- ~~~~~~~~~ Section 3: Sign Keys ~~~~~~~~~ -->
+<!-- ~~~~~~~~~ Section 4: Explain the pitfalls ~~~~~~~~~ -->
<section class="row" id="section4">
<div>
<!-- ~~~~~~~~~ section introduction: interspersed text ~~~~~~~~~ -->
<div class="section-intro">
- <h2><em>#3</em> Sign Keys</h2>
- <p>Emphasize the distinction between trusting a person subjectively, and seeing whose keys they've signed objectively. Without a proper understanding of trust, the beautiful transative trust properties of the web of trust are lost. Since trust is an internal and subjective thing, it's unnecessary for participants to share how much they trust another participant with anyone else.</p>
-
-<p>Have the participants download each other's keys, read out their own fingerprints, and present their IDs to each other. Help participants navigate the interface to sign each other's keys, and encourage participants to assign each other trust levels if they already know each other.</p>
+ <h2><em>#4</em> Explain the pitfalls</h2>
+ <p>Remind participants that encryption works only when it's explicitly used; they won't be able to send an encrypted email to someone who hasn't already set up encryption. Also remind participants to double-check the encryption icon before hitting send, and that subjects and timestamps are never encrypted. See Email Self-Defense's Security Tips subsection for more information.</p>
+ <p>Advocate for free software, because without it, we can't <a href="https://www.fsf.org/bulletin/2013/fall/how-can-free-software-protect-us-from-surveillance">meaningfully resist invasions of our digital privacy and autonomy</a>. Explain the <a href="https://www.gnu.org/proprietary/proprietary.html">dangers of running a proprietary system</a>, and why GnuPG <a href="https://www.gnu.org/philosophy/proprietary-surveillance.html">can't begin to mitigate them</a>.</p>
</div><!-- End .section-intro -->
- <!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ -->
- <div id="step-4a" class="step">
- <div class="sidebar">
- <p><img src="//static.fsf.org/nosvn/enc-dev0/img/en/screenshots/section4-web-of-trust.png" alt="Section 4: Web of Trust"></p>
- </div><!-- /.sidebar -->
- <div class="main">
- <h3><em>Step 4.a</em> Sign a key</h3>
- <p>In your email program's menu, go to Enigmail → Key Management.</p>
- <p>Right click on Edward's public key and select Sign Key from the context menu.</p>
- <p>In the window that pops up, select "I will not answer" and click ok.</p>
- <p>Now you should be back at the Key Management menu. Select Keyserver → Upload Public Keys and hit ok.</p>
- <p class="notes">You've just effectively said "I trust that
-Edward's public key actually belongs to Edward." This doesn't mean much
-because Edward isn't a real person, but it's good practice.</p>
-
-
- <!--<div id="pgp-pathfinder">
- <form enctype="application/x-www-form-urlencoded" action="/mk_path.cgi" method="get">
- <p><strong>From:</strong> <input type="text" placeholder="xD41A008" name="FROM"></p>
- <p><strong>To:</strong> <input type="text" placeholder="50BD01x4" name="TO"></p>
- <p class="buttons"><input type="submit" value="trust paths" name="PATHS"> <input type="reset" value="reset" name=".reset"></p>
- </form>
- </div><!-- End #pgp-pathfinder -->
-
- </div><!-- End .main -->
- </div><!-- End #step-4a .step -->
-
- <!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ -->
- <div id="step-sign_real_keys" class="step">
- <div class="main">
- <h3><em>Important:</em> check people's identification before signing their keys</h3>
- <p>Before signing a real person's key, always make sure it
-actually belongs to them, and that they are who they say they are. Ask
-them to show you their ID (unless you trust them very highly) and their
-public key fingerprint -- not just the shorter public key ID, which
-could refer to another key as well. In Enigmail, answer honestly in the
-window that pops up and asks "How carefully have you verified that the
-key you are about to sign actually belongs to the person(s) named
-above?".</p>
- </div><!-- End .main -->
- </div><!-- End #step-sign_real_keys .step-->
-
-
-
</div>
</section><!-- End #section4 -->
-<!-- ~~~~~~~~~ Section 4: Explain The Pitfalls ~~~~~~~~~ -->
+<!-- ~~~~~~~~~ Section 5: Explain The Pitfalls ~~~~~~~~~ -->
<section id="section5" class="row">
<div>
<!-- ~~~~~~~~~ section introduction: interspersed text ~~~~~~~~~ -->
<div class="section-intro">
- <h2><em>#4</em> Explain the pitfalls</h2>
-<p>Remind participants that encryption works only where it's explicitly used; they won't be able to send an encrypted email to someone who hasn't set up encrption already. Also remind them to make sure encryption is selected before hitting send. Explain metadata to the participants, and advise them to use bland-sounding subject lines.</p>
+ <h2><em>#5</em>Share additional resources</h2>
+ <p>GnuPG's advanced options are far too complex to teach in a single workshop. If participants want to know more, point out the advanced subsections in the guide and consider organizing another workshop. You can also share <a href="https://www.gnupg.org/documentation/index.html">GnuPG's</a> and <a href="https://www.enigmail.net/documentation/index.php">Enigmail's</a> official documentation and mailing lists with them. Many GNU/Linux distribution's Web sites also contain a page explaining some of GnuPG's advanced features.</p>
-<p>Advocate for free software, for without it, we can't meaningfully resist invasions of our digital privacy and autonomy. Explain the <a href="http://www.gnu.org/philosophy/proprietary-surveillance.html">dangers</a> of running a proprietary system, and why GnuPG can't begin to mitigate them.</p>
</div><!-- End .section-intro -->
projects / enc-live.git / blobdiff