@jwildeboer I have been using S/MIME with #Thunderbird since at least 2015.

Many of the reasons described in the #letsEncrypt forum are true, which does not mean S/MIME is impossible to fix or use.

There is native support for S/MIME in many email clients both desktop and mobile/tablet, including most of the 'stock' clients installed by default in most of the devices, so this is not an issue.

I think the big problems are basically 2:

1.- Having a throwaway key and certificate every 30 days (as we do with Letsencrypt SSL/TLS) is very inconvenient because we would need to keep a long collection of them in order access old messages.

2.- People access their email from multiple devices, so syncing the private key securely across all of them becomes a challenge.

For the tech savvy, both problems are manageable:

1.- You can get a free S/MIME certificate from #Actalis valid for 1 year here:

https://www.actalis.com/s-mime-certificates.aspx

***
Please read a very important reply to this post by @duxsco pointing out to the insecurity of the Actalis certificate, and providing a secure but not free alternative.
***

2.- You can manually add this certificate to all your devices and keep an encrypted/secure repository with all your old keys and certificates in case you need to access your archived email.

I've been doing exactly that for years and it is just fine for signing my email.

IMHO for 'fixing' the whole signing and encryption of emails, #OpenPGP is conceptually closer to be a more consistent solution, and I use it with everyone who understands it, but I have to admit that the ecosystems is far less ready than for S/MIME (you will need to use specialised apps or installed plugins, etc.), Thunderbird being a shining exception.

PGP has several very powerful advantages:

1.- You don't need a CA for the sole purpose of generating your keys.

2.- You can use the same keys for many years.

3.- People who really trust each other can sign each other's keys creating a web-of-trust.

4.- There is a free network of keyservers where you can upload your public keys and make them available to everyone.

5.- Most people these days have their own website, blog or social media account where they can publish their public keys for cases when they distrust the public servers. They can manually exchange them too.

In the long run I believe we should promote the adoption of OpenPGP instead of S/MIME, with more people using it, native support should follow.

I am not an expert though, so I'd love to hear from others too. 😊

#pgp #gpg #privacidadebemboa

@dani da uma oliada...

#privacidadebemboa

@kikobar
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

então já temos maneira de verificar e assinar toots! Com a extensão de navegador de internet Mailvelope!
um dia ainda faço um vídeo sobre como assinar toots e criar uma chave própria para toots (tive alguns obstáculos). :-)
#privacidadebemboa
-----BEGIN PGP SIGNATURE-----

wsFcBAEBCAAGBQJkGzQmAAoJEKaP3dMsSRv6GWEQAK+BC8WpbJTUiNqdFGDF
iYgpgNV10onnmlLsSUlicixBjdIvo6q7cAwkmJD41gi8aKJNCutPdQ1HWP66
GPbc9ly1NhuzhoiSJkKLvnGd9KmRehnZ3aiZy++o1rDN97PDTW/KHS3Vt4V6
gC6tzmbGtCb6sMoEVIBg6sxaxf+KHfvQvAhl6d+sOJCyPDaRnEOkluN8JeD2
6UOPxCv5X35TTx+qo0WxenSwbTu/IcL/q3JkAceLCRsCr2dOO1Lg9VHNGGsT
cWI3OQeadC/5ZOfo/1PS3lppKKavi6tCKH8E5H3ZuwbRxGlV42bk2b/Rv2rM
EIxWkML0w1F8x6nkL5l5J4F822LfZP/UVs+/CT+x8qr+UqY+SEoIsS1J7615
mu2S5iDtzsdcE1H2JgUyLpsn9i+Uo2+MC51F2U04FEsy1IUpPRfn+gL4x52c
SoUygKOflCHesHjVWsZ2dpA/BO9nXajq4J3X2HAIgbYFZ+msdaLiUmq6LQIm
jnDrZL0ZiCsUUqrOG8R3BYq9FrwoldObPHiUyusQPdkUKYgz1JvWkZCbrOVI
QeAjaaO+n9kpCdyOHmlqCMNdBVG3/vP64r7ptTwjooAVUJc4VI21HIdLAIxQ
62Tui3WlXN4cZ8OXx4UlPmlGgh5Mwl3wrKgkNb/YBC5BUt6J5gGesEjaH57M
sYX3
=aXN/
-----END PGP SIGNATURE-----

@kikobar

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Testa para ver se consegues verificar a minha assinatura.
Criei esta chave própria para o Mathstodon. Está no keyserver da Ubuntu, e é a segunda chaves que encontras: 0xA68FDDD32C491BFA .
Se funcionar o Mailvelope chega para verificar e assinar toots...
Com ele já consegui verificar a assinatura do teu toot, só falta agora assinar este toot (e verificá-lo).
#privacidadebemboa
-----BEGIN PGP SIGNATURE-----

wsFcBAEBCAAGBQJkGyuyAAoJEKaP3dMsSRv68FMQAMqkLWj4R4sX9qTg75At
m0jKCxzufUg0vmqSWUPq/nIN4lrIM/rG/QIoI/8LOb0oTuqTgFXibL3IpAXX
y0sIMOIXjz+rauRmCmBJwJmUy0XaBgenlRBgQN/zz1wGmrAkAi+habpZVgqA
FI0UiHbw3FFZWUkeKuNrSu699vDX6KymJrSy4g4X9w2BtXU9DD+JREkWoVom
ePNl/J2o6dVVNFmltvnXHCU4UFMhvFmB3tnHhreidhdHoODy4VYsb/AZ/OeL
Wmni5W0BcFdKeV3UB7QXUkjxFp90heSAFGKmdrFRqZjN+oxn2jU3MLCavbUz
LUCKJqpOYE4ppa1Sb5y2SfZ8gUOc3Zz0OPAYukHFevfgKBQBGjs0rxxXj35N
Y6SOKDfh5jdC7eLtMKB9Yw+IMNxvWwHMSQBKqLMVk1JOQXqUb2lB9ofAlGjV
HjqN7bv9LJrqmC6Br48yyvKo5hTb+rlEb3OcF0ALWouhfuZHmt1uEbAJjBxk
fqvE/ZfQFh1yofMMo+iHW2KwEDOUk9MTSQAKMMbddii93Ct2KajdwMCBz/Rt
uofZC/6tAs/OxjWVYcsTcSTV2Mc1WJAMOwzM3OgIDpJ1tHTQCEWNZNLIFKj/
0dsTwacnijbhXMHNhpnWYOLqfjW6xnUkeBthkOMUUoYiMdaCpFl5erh/qkR4
Ca0t
=QTZI
-----END PGP SIGNATURE-----

@kikobar
With the username out of the signed message, it works!
#privacidadebemboa

@stephan also have been discussing with @dani at #privacidadebemboa a way of introducing PGP signing of the posts, which can play some role in the spam bots war that we are going to face soon.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

@anildash you are absolutely right, on one hand #ActivityPub and #Mastodon have their shortcomings, but those are not reasons to create a new thing, they are reasons to contribute and improve them.

On the other hand, not being censorship resistant or not having incentives to run servers are not in the list of shortcomings:

- - ActivityPub and Mastodon are censor resistant - we can build as many servers as we want in as many geographies as we want, so nobody can silence us. What we have is moderation and blocking, which is not 'silencing' anyone, but choosing who we want to listen to.

- - Of course there are incentives to run servers, according to #FediverseObserver, there are 21941 active servers in the Fediverse as I write this message. This more than proves that there are incentives to do it.

One of the missing features in Mastodon (that we could copy from #Nostr and #SSB) is the support for cryptographic signing and validation of the messages, so we can know beyond any doubt if a message comes from the author and has not been alter on its way, but we don't even need to modify the ActivityPub protocol to implement that, because any piece of text can be signed, as I've signed this message as an example. We only need some code at the application level to validate the signature and beautify the rendering of the message to remove the ugly GPG tags and crypto gibberish. :)

#pgp #gpg #openpgp #privacidadebemboa
-----BEGIN PGP SIGNATURE-----

iF0EARECAB0WIQRwx9CQETNHHfLm6agAbBOmjiXTtwUCZBkEwgAKCRAAbBOmjiXT
t3AfAKCO2RBu9SAC01ZYEDyAwLxr4xNGbQCfVypaLJa89DKD5nkBi7PEfNVTJao=
=4dAJ
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Eu acho que criptografar mensagens em um micro-blog não faz muito sentido, mas assinar as mensagens para ter certeza de quem é o autor e evitar mensagens falsas ou alteradas faz.

O que você acha dessa forma de mensagem assinada com o OpenPGP?

Qualquer pessoa pode verificar a assinatura por si mesma. :)

#privacidadebemboa #openpgp #pgp #gpg #privacy

-----BEGIN PGP SIGNATURE-----

iF0EARECAB0WIQRwx9CQETNHHfLm6agAbBOmjiXTtwUCZBfdDgAKCRAAbBOmjiXT
t6k4AJ42jPQU6UrnbFVEGtRUwc4GiIWufACfVdSasY2T+2RRg3YgxIDg9bRAlLw=
=8AxV
-----END PGP SIGNATURE-----

@glauco_neto64
Nós avisamos no hashtag #privacidadebemboa quando tivermos uma data para o evento online 😉

@glauco_neto64
PGP, é um programa de encriptação, com a melhor tecnologia de encriptação para civis (os militares talvez tenham a sua própria tecnologia).

Neste evento online, vamos falar sobre PGP e como usar esta tecnologia nos teus ficheiros e no teu email. E muitas mais coisas do PGP, como identidade descentralizada, verificação e assinatura chaves de identidade, assinar digitalmente documentos e emails, rede de confiança (web of trust), etc.

Tudo isto pode ser feito, usando o criptosistema PGP ou o criptosistema GnuPG (os dois programas são equivalentes).

#privacidadebemboa #pgp #gpg

Um dos melhores guias que encontrei na internet da seguranca e privacidade.

Um enfoque pragmatico e simple:

https://github.com/chewaccajedi/privacy

#privacidadebemboa #privacy #pgp #gpg #tails #tor

O melhor livro de introdução à criptografia que encontro na Internet -> https://archive.org/details/pgp-70-intro-to-crypto/ 📕

Ensina bem todos os conceitos de criptografia e PGP. Aprendendo PGP, aprende-se tudo sobre criptografia 🔑 É um ótimo livro!! ⭐ ⭐ ⭐ ⭐ ⭐

#privacidadebemboa

Um novo começo 🥳 Este é o hashtag escolhido para o projeto de evento de criptografia online de Portugal 😎 As nossas discussões vão ser aqui, no Fediverso 🐘

#privacidadebemboa