Summit 2019 Notes
This page documents the notes that were taken during the 5th OpenPGP Email Summit which took place 2019-10-12/13.
Plenary talks
Patrick discussed future of Enigmail and Thunderbird
- enigmail is going away (except for postbox)
- thunderbird will build in openpgp support as a peer of S/MIME support
- timeline is short -- identifying crypto library is a blocker at the moment -- language + licensing are the biggest concerns
- most likely at the moment sounds like Botan + RNP
Andre talks about GnuPG plans and updates
- 2.3.0 is expected to be released 20 December
- Biggest work in progress is the keyring daemon
- they'll have a local office in Duesseldorf soon
- they're working on organizational/institutional support
Holger presents deltachat -- implementation and status
- cross-platform implementations (iOS is biggest blocker)
- verified groups
- verification
- upcoming:
  - Burner accounts
  - ed25519 upgrade for keys
  - chat bots
  - mime-parser cleanup and review
  - rPGP improvements and parsing
OpenPGP Implementations
(cf. https://www.openpgp.org/software/developer)
- rpgp (pure rust) - https://github.com/rpgp/rpgp , dual licensed Apache/MIT
- RNP (C API, C++, botan)
- GnuPG (C, libgcrypt, with bindings)
- OpenPGP.js (javascript)
- pgpy (python)
- go-openpgp (go)
- netpgp (C, openssl)
- LibTMCG (C++, libgcrypt; Botan backend is an experimental feature), used by DKGPG - https://www.nongnu.org/libtmcg
Workshops
Workshop: How to approach UX Decisions
- Quick round how do people approach UX issues, how are decisions made, are there dedicated people working on it?
- Some teams had dedicated UX people, worked with universities on structured studies
- Some had dedicated "special users" who they regularly sought feedback from
- Others were more ad-hoc: shoulder-surfing, feedback from users
- You can learn UX Design, it's a good problem solving tool.
- Eileen: Don't armchair problems, go out and ask people.
- Eileen introduces personas: helps you be empathetic. AKA a more personalized form of threat modelling. Sounds vague at first, will get more concrete when you "flesh it" out.
- A persona is a sketch of a person.
  - A couple of bullet points about a person, based on reality
  - Demographics, but also how they might use the software
  - What are their hobbies, their family? Help with empathy.
  - What is their intent, what do they want to achieve
  - A more generic form of threat modeling
- UX testing doesn't have to be complicated, start with pen&paper and ask people if they can make sense of your drawings.
- Based on groups of personas you can build user stories: X wants to do Y to achieve Z.
- Break-away, into pairs, developing our own personas for our projects, discussion...
- The need for too many users is often a sign that you're doing too much at once (which probably won't make anyone happy).
- Having only 3 personas can also lead to doing too much at once.
- Hacker as a persona: do we need to design for them? They can build their own thing? But they are often quite vocal (loud), maybe support the project financially or technically. But often don't even actually need encryption tools, don't have a threat model, want encryption for the sake of it.
- The question is not: how can we simplify things. It is: how can we make it work better for the persona we're thinking about. For a hacker persona that could actually mean a lot of configuration options.
- Problem: immature projects have more hacker/tech-savvy users, even if the target would be more mainstream. Changing the interface would repel them. Maybe leaving hackers behind is ok, they will be able to care for themselves. Reaching the "mainstream" is hard, though, you can get stuck on the way.
- A challenge: reacting to user feedback from a vocal minority, e.g. power users who know about GitHub issues. How to meet and talk to people who are not already "hackers"?
- A persona is a sketch of a person, a scenario is a sketch of a situation/use-case.
- Personas are beautiful, use personas for your software: https://simplysecure.org/resources/persona-template-security.pdf
- Probably bad example from GnuPG of personas and user stories: https://wiki.gnupg.org/EasyGpg2016/VisionAndStories
- More resources:
  - UI Heuristics (NN Group, 1994): https://www.nngroup.com/articles/how-to-conduct-a-heuristic-evaluation/
  - Formative Testing (Tails interview): https://simplysecure.org/blog/formative-testing
  - Example of Tails personas: https://tails.boum.org/contribute/personas/
  - NoScript Case Study (Designing for power users): https://simplysecure.org/blog/noscript-case-study
  - Some templates for UX beginners: https://simplysecure.org/ux-starter-pack/