Promoting GnuPG support for Okular and addition to Gpg4win

[Andre Heinecke]

Hi,

On Tuesday 16 May 2023 15:58:47 CEST Paul Brown wrote:
> Okay... I have read the post, but still have some questions:

Thanks for looking into the topic. I'll try my best to explain a bit more. I'm 
a bit strapped for time today so I can't do screenshots or a video. Maybe 
tomorrow.

> So the package you deliver to customers comprises cryptographic software,
> and  will soon come bundled with a hardened version of Okular too,
> correct? I see  it already includes Kleopatra as its certificate manager.

Correct. Kleopatra is both the certificate manager and the Frontend for file 
encryption / verification etc.

> Can you explain how Okular fits into the existing collection of software?

For now we are concentrating on PDF signature verification and creation. So if 
you want to encrypt your PDF according to the laws around restricted documents 
you would still use Kleopatra to encrypt / decrypt the whole file. 

It fits into our software because our users need to manage both their private 
keys (which they use to sign) and their public keys (which signatures are 
shown as valid) with our Software if they plan to use it.

So basically if you can use our Software to decrypt data someone sends you, 
you will then automatically be able to sign PDF documents using this key.


GnuPG also supports Identity cards like [1] without additional drivers.
Technically you can generate an S/MIME certificate (S/MIME certificates are 
whats required for PDF signatures) with any Smartcard GnuPG supports. That 
includes open hardware like the 

> Or,  even better, can you give me a scenario where a user would prefer to
> use the  hardened Okular over another PDF reader? 

Our customers / users manage their certificates independently of the system or 
Mozilla trust stores and they are usually far more restricted about this. I 
think you can summarize it like "If you are using GnuPG for S/MIME already or 
only want to use a restricted set of acceptable certificate authorities for 
signature verification".

So for example as someone in the German government, Adobe reader would show 
you a document signed by "Olaf Scholz (Bundeskanzler)" as validly signed, even 
if the certificate was issued by the "China Financial Certification Authority 
(CFCA) " For a list of certificate authorities included in Windows see: [2]
For Mozilla it does not look much better. And those CA's can change 
unbeknownst to you through an update of Firefox or Windows.

It is also much easier to import a specific certificate for you or for someone 
else in Kleopatra then either in the Windows store or the Mozilla store. So it 
could just be a user preference. e.g. If you get a certificate from an issuing 
authority you just double click it, then it will be imported to Kleo and can 
then be used for signing or verification.


GnuPG by default does not have a list of trusted root certificates. GnuPG VS-
Desktop comes with an included list of some CAs which are certified by the 
German government.
In the future we will probably extend that to all Certificate Authorities which 
are allowed to issue certificates according to eIDAS.

Most large S/MIME users have their company certificates and these of their 
partners added in that list, too.


Regarding the hardening, they "should" use it when reading any PDF from an 
unknown source. But this is mostly in regards to be able to use "any" PDF 
reader in their hardened environments.

> Are we talking providing users with 
> the means to display encrypted documents or for encrypting documents for 
> sending them safely?

No, it is more about "Identity Management" and "Authentication". Encryption we 
can do for anything without a PDF reader. Well signing, too but for legality 
the signature has to be embedded within the PDF.

> Please excuse my ignorance, as I am not a super-technical person, and I need 
> to get my head around these things from a user's perspective.

No you are making valid points. I can maybe better illustrate this with some 
screenshots. I hope my explanations make sense. FYI we asked some of our large 
customers what they would think of the idea of us including a PDF reader and 
most thought it was a good idea because of the synergies.

So this is not a case of just coldly extending our package, there is a demand 
for this.

Maybe to better illustrate that from an end users perspective as with S/MIME 
the usual case is that the trusted certificates etc are centrally managed:
- You work at a company or office and have a smartcard to access your encrypted 
disk e.g. with Rohde & Schwarz trusted disk. 
- You use the same smartcard to access your RESTRICTED documents. 
-> Now you can additionally sign documents with that same smartcard.


Or if you have KMail configured for S/MIME signed mail, you can now not only 
sign your Mails but PDF documents with the same S/MIME setup.
Similarly if you have Outlook configured to do RESTRICTED compliant S/MIME with 
our plugin, you can now sign documents, too.

Where previously this would have required different configurations.
 
> Yeah, or we could just enable a shared folder on Collaborate and dump stuff 
> there.

I think we definitely need some screenshots or even a short video to illustrate 
the workflow. :)

A shared folder should not be required for the data, if I have to share some 
larger data I can just upload into our infrastructure.


Best Regards,
Andre
 
1: https://www.d-trust.net/en/solutions/signature-cards
2: https://ccadb.my.salesforce-sites.com/microsoft/
IncludedCACertificateReportForMSFT

-- 
GnuPG.com - a brand of g10 Code, the GnuPG experts.

g10 Code GmbH, Erkrath/Germany, AG Wuppertal HRB14459
GF Werner Koch, USt-Id DE215605608, www.g10code.com.

GnuPG e.V., Rochusstr. 44, D-40479 Düsseldorf.  VR 11482 Düsseldorf
Vorstand: W.Koch, B.Reiter, A.Heinecke        Mail: board at gnupg.org
Finanzamt D-Altstadt, St-Nr: 103/5923/1779.   Tel: +49-211-28010702
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 5655 bytes
Desc: This is a digitally signed message part.
URL: <http://mail.kde.org/pipermail/kde-promo/attachments/20230516/cf60cc7c/attachment.sig>