Promoting GnuPG support for Okular and addition to Gpg4win
Andre Heinecke
aheinecke at gnupg.org
Tue May 16 16:58:21 BST 2023
Hi,
On Tuesday 16 May 2023 15:58:47 CEST Paul Brown wrote:
> Okay... I have read the post, but still have some questions:
Thanks for looking into the topic. I'll try my best to explain a bit more. I'm
a bit strapped for time today so I can't do screenshots or a video. Maybe
tomorrow.
> So the package you deliver to customers comprises cryptographic software,
> and will soon come bundled with a hardened version of Okular too,
> correct? I see it already includes Kleopatra as its certificate manager.
Correct. Kleopatra is both the certificate manager and the Frontend for file
encryption / verification etc.
> Can you explain how Okular fits into the existing collection of software?
For now we are concentrating on PDF signature verification and creation. So if
you want to encrypt your PDF according to the laws around restricted documents
you would still use Kleopatra to encrypt / decrypt the whole file.
It fits into our software because our users need to manage both their private
keys (which they use to sign) and their public keys (which signatures are
shown as valid) with our Software if they plan to use it.
So basically if you can use our Software to decrypt data someone sends you,
you will then automatically be able to sign PDF documents using this key.
GnuPG also supports Identity cards like [1] without additional drivers.
Technically you can generate an S/MIME certificate (S/MIME certificates are
whats required for PDF signatures) with any Smartcard GnuPG supports. That
includes open hardware like the
> Or, even better, can you give me a scenario where a user would prefer to
> use the hardened Okular over another PDF reader?
Our customers / users manage their certificates independently of the system or
Mozilla trust stores and they are usually far more restricted about this. I
think you can summarize it like "If you are using GnuPG for S/MIME already or
only want to use a restricted set of acceptable certificate authorities for
signature verification".
So for example as someone in the German government, Adobe reader would show
you a document signed by "Olaf Scholz (Bundeskanzler)" as validly signed, even
if the certificate was issued by the "China Financial Certification Authority
(CFCA) " For a list of certificate authorities included in Windows see: [2]
For Mozilla it does not look much better. And those CA's can change
unbeknownst to you through an update of Firefox or Windows.
It is also much easier to import a specific certificate for you or for someone
else in Kleopatra then either in the Windows store or the Mozilla store. So it
could just be a user preference. e.g. If you get a certificate from an issuing
authority you just double click it, then it will be imported to Kleo and can
then be used for signing or verification.
GnuPG by default does not have a list of trusted root certificates. GnuPG VS-
Desktop comes with an included list of some CAs which are certified by the
German government.
In the future we will probably extend that to all Certificate Authorities which
are allowed to issue certificates according to eIDAS.
Most large S/MIME users have their company certificates and these of their
partners added in that list, too.
Regarding the hardening, they "should" use it when reading any PDF from an
unknown source. But this is mostly in regards to be able to use "any" PDF
reader in their hardened environments.
> Are we talking providing users with
> the means to display encrypted documents or for encrypting documents for
> sending them safely?
No, it is more about "Identity Management" and "Authentication". Encryption we
can do for anything without a PDF reader. Well signing, too but for legality
the signature has to be embedded within the PDF.
> Please excuse my ignorance, as I am not a super-technical person, and I need
> to get my head around these things from a user's perspective.
No you are making valid points. I can maybe better illustrate this with some
screenshots. I hope my explanations make sense. FYI we asked some of our large
customers what they would think of the idea of us including a PDF reader and
most thought it was a good idea because of the synergies.
So this is not a case of just coldly extending our package, there is a demand
for this.
Maybe to better illustrate that from an end users perspective as with S/MIME
the usual case is that the trusted certificates etc are centrally managed:
- You work at a company or office and have a smartcard to access your encrypted
disk e.g. with Rohde & Schwarz trusted disk.
- You use the same smartcard to access your RESTRICTED documents.
-> Now you can additionally sign documents with that same smartcard.
Or if you have KMail configured for S/MIME signed mail, you can now not only
sign your Mails but PDF documents with the same S/MIME setup.
Similarly if you have Outlook configured to do RESTRICTED compliant S/MIME with
our plugin, you can now sign documents, too.
Where previously this would have required different configurations.
> Yeah, or we could just enable a shared folder on Collaborate and dump stuff
> there.
I think we definitely need some screenshots or even a short video to illustrate
the workflow. :)
A shared folder should not be required for the data, if I have to share some
larger data I can just upload into our infrastructure.
Best Regards,
Andre
1: https://www.d-trust.net/en/solutions/signature-cards
2: https://ccadb.my.salesforce-sites.com/microsoft/
IncludedCACertificateReportForMSFT
--
GnuPG.com - a brand of g10 Code, the GnuPG experts.
g10 Code GmbH, Erkrath/Germany, AG Wuppertal HRB14459
GF Werner Koch, USt-Id DE215605608, www.g10code.com.
GnuPG e.V., Rochusstr. 44, D-40479 Düsseldorf. VR 11482 Düsseldorf
Vorstand: W.Koch, B.Reiter, A.Heinecke Mail: board at gnupg.org
Finanzamt D-Altstadt, St-Nr: 103/5923/1779. Tel: +49-211-28010702
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 5655 bytes
Desc: This is a digitally signed message part.
URL: <http://mail.kde.org/pipermail/kde-promo/attachments/20230516/cf60cc7c/attachment.sig>
More information about the kde-promo
mailing list