p2p email: Virtual Email Institutions for Thunderbird

Randolph rdohm321 at gmail.com
Tue Aug 5 18:58:18 UTC 2014


Hi Patrick,

thanks for the feedback about instantbird. Any encryption is better
than no encryption. Good luck with OTR. Can you propose a release
date?

Why OTR? Joshua is sceptical.

- OTR has only one end to end key per session, other tools have an
instant forward secrecy.

- OTR is a plugin, other tools have a native encryption,

- OTR makes a key handshake each session, other tools do that once per
user in the address book for the asymmetric key and use a symmetric
key whenever you want to renew it. It is a security risk to send the
key the D/H way that often.

- As Plugin you send the key exchange over other transports, e.g.
XMPP. Here each new hop, which is not properly secured, is a risk for a
man in the middle attack. The D/H key exchange without a central trust
authority for certificates leads to self signed certs in OTR, which are
not secured by any means in OTR.

- Graph analysis is possible with OTR, in other tools even this is excluded

- Authentication is not possible with OTR, this is as well insecure.

- please correct me if something is wrong, but at least six points to
think about for researchers.



Hi Joshua,

you are a researcher with no time for research ;-) . I am impressed
about your capabilities to abstract from your own content to a meta
level. Yes, Methods are as well important. Justification is not always
good or adequate.

You know the Nike Slogan? "Just do it". Of course I agree with making
a plan first and then think as well about pitfalls. But in the end
don't forget to start.

Defeatism is the opposite of constructivism and going ahead.

But research is a good keyword, as you work at university, can you
care for a student writing a thesis or homework about "encrypted p2p
messaging in T-Bird including a comparison of the tools
BitMail.sf.net, RetroShare and BitMessage?" It would be good to have
the drafted results before October. Please look into the details too.

Regarding usability I just want to mention one point: OTR needs each
session a key exchange, Enigmail needs for each email to decide, if it
should be decrypted or not, lots of clicks to make it shown as
ciphertext, plaintext or not. Well I was surprised, that it has a
parser to display the ciphertext email with the right key
automatically as plaintext. But the point is, if you look e.g. at
retroshare, that you once share a key, and the key is your contact, so
the key is in the address book, you are free to address this contact
and never ever need to think about key exchange. In the echo protocol
- (SSL (AES (RSA (Message)))) - you can press a button for new end to
end encryption, but even never need to think about any key exchange.

The approach must be, that the key is the address - and this is only
valid in the p2p email world. All other tools are not that usable.
That's why they have not been used.

I really hope, that your status "busy" allows you to take part in the
strategy meeting in October :-) come on, you like T-Bird much more
than I :).

My point is, that Thunderbird needs not encryption, it needs p2p email
encryption. Please include into your research the aspect of encryption
in decentral networks and its relation to community approaches.



Hi all,

I really would like to hear before October the feedback of Aceman,
Hiroyuki and Suyash and the GUI core team, maybe you can forward them
the thread web url, if they don't read this list.



I appreciate that the agenda and points for the T-Bird strategy are
so plain.  May I have some comments on it?

(A) The Thunderbird staff team that was originally promised to provide
stability to Thunderbird has been largely preoccupied with other
Mozilla initiatives, and is not able to maintain the product.

That's really bad. Can you make it more transparent? What was the
headcount or hours donated? who were the people? what were their
tasks? Does it make sense to trust mozilla in the future after this
desert experience? a Download Server and a 4-days empty conference
room is all, which ties you to Mozilla? And if there is some
rebellion, they promise again a half time developer and all is fine
again? people in other regimes have been more clever to see the empty
promises earlier. Is there some transparent overview, how much has
been donated by mozilla to Thunderbird per year?

A solution could be to have one person responsible for performance.
The relationship - if still to be maintained - has to be regarded not
as a slave-relationship, to be under the spell of Mozilla, but not
even a cooperation partner, indeed Mozilla is a contract partner, in
which you discover that the parameters are not functional anymore,
then you should leave this contract partner instead of pleasing again.

(B) Existing volunteers spend most of their time keeping Thunderbird
functional at all in the light of massive changes occurring in the
base code, leaving little time for innovation or improvements.

There is an old idiom, in which the people on a boat get the message
from the captain's room, that the wind comes up and they should set
the canvas - but their answer is: no time, we have to paddle. When
the mozilla vision is to promote openness, innovation & opportunity on
the Web and you have no time to live this value, then paddle paddle
paddle, but then you have no entity and no identity to mozilla. When
the basic maintenance even is done by volunteers, then why do you need
Mozilla?

I would even go further: Why do you need XUL and gecko still? use Qt
like Wireshark and VLC have done the transition too. Use
BitMail.sf.net Qt code and release it as Thunderbird QT. The project
would appreciate that, I assume.

A solution could be to stop core maintenance and focus only on
innovations. Maybe the next months allow to bring out an installer
with calendar and chat in it by default and having a strategy about
switching from XUL to Qt or add p2p encrypted email to T-Bird (in XUL
then).

(C) Innovation efforts that were in-process in 2012, and were badly
needed, have largely remained frozen and incomplete. This includes
maildir, replacement address book, async database processing, and
others.

So there is no innovation for T-Bird. Which is even worse, and leads
to the question: Is T-Bird dead? do some old configured men ride a
dead horse? Please be aware, that you do not fulfill the 33 % of the
Mozilla Vision to be Innovative. Within two years neither Instantbird
nor Lightning has made it in the default installation - and I remember
a very long talk with the old project lead in 2012 about that. A bloat
of functions has been implemented (ok, I am harsh, the functionality
updates are good, but make it as well complex) - without strategy.
Companies switching to linux regret this, as everything in Office can
be replaced by linux apps, but there is no email calendar. Lightning
is so essential, it should be in T-Bird as default.

As a summary: you have been cut off from mozilla, you don't have
support from mozilla, you get empty promises (trust them once again
and T-Bird is dead in two years)  and T-Bird is 33 % not in the vision
of Mozilla.  It's a sorrow child like Aschenbrödel/Cinderella.

A solution could be to prioritize the innovation processes and having
Mozilla responsible for them. If they don't implement it with their
funds according to a project plan, T-Bird is not worth to be a tool
under this vision - in the mozilla eyes. Then leave this instead of
whining.  Please accept the reality.

(D) Many volunteer contributors express frustration at the lack of
direction and leadership of Thunderbird.

There was in 2012 a project lead and if I get it right, this has
changed? Well.. the lead is not always to focus on, it is the
colleague and the community. You have no friendly community like
ubuntu has, where each one helps others? See our process: Justify,
come back in one year, maybe be allowed to make a plugin, ohh
quality, we cannot turn the wheel... T-Bird has not only financial
problems, divorce traumata problems, innovation problems, and a
leadership and team building problem - it sends out also negative
vibrations. Why this?

A solution could be to perform a new team action based on a clear
strategy and goals, what to implement, which must be a group will but
as well with individual motivations *and* individual contributions,
even if you are not an advocate for that group solution.

A team could be built around the GUI-Improvements and around the p2p
encrypted email idea.

(E) The governance structure of Thunderbird is a remnant of the old
staff-driven project, rather than reflecting a community-driven
project.

Maybe the T-Bird development team has a generation conflict. The old
people do not allow, see themselves in charge and keep the order.
Better would be a role as a mentor for a new developer.  I don't want
to ask, if the remnant is frustrating and expelling the new younger
community developers. (if there are young developers choosing XUL
instead of Qt). This is a hard discussion and maybe the core, which
could be solved, if in the October meeting everyone introduces itself
with his age and which other developer he has mentored and worked
until now together.

A solution could be to create a young team for the Qt-Bird and make a
bet, to bring in one year a nice gui out for the Q-T-Bird with the
mentorship of the old XUL developers. T-Bird then ships both apps in
the installer and asks the user to install both. After one year, two
installers will be created and the download-counts will show, what the
customer chooses. Well, it's not about resources, it is about, if
there are XUL contributors or if this is a dead language outside of
the mozilla world and about a new generation, to see, if the customers
can be addressed by them.



(F) Design for a new address book (code-named Ensemble)

Nice summer projects for some students. Here the p2p encryption key
could be the address as already written. In p2p email the encryption
key is the address. Please consider this in the redesign of the
contact book. For many reasons p2p and encryption and gui and
innovation and building a new team for it are quite close together.

A solution could be to choose first the right code for p2p encryption
and then choose the right programming language for the address book.



(G) Fixing crasher bugs

Is there any overview, which three have been identified as the main ones?

A solution could be to have a plan for these most crashing bugs. Can
the experts from Mozilla have some quality assurance contributions for
assigned bugs?

(H) Design of the user interface for a filter editor supporting
boolean search criteria

Might be a personal wish, I don't think this is essential for any user.

(I) How can we work collaboratively to make plans for product
direction (a roadmap) with our limited resources? Should we even have
a roadmap?

A discussion about a road map needs a brainstorming first, what
everyone could imagine is  on the roadmap. Then you need a discussion
about that and for each item from each person a commitment to what
extent he wants to work on that. If you make a list with all people,
if you ask them, what the goals in the personal view could be and send
me this, I would love to create a small query about that, with a
field, in which then everybody can subscribe from 1-10 the personal
interest in this and !!! from 1-10 which would be essential for the
T-Bird strategy. The result of this preliminary work would then be the
opening of the strategy meeting and you would see the preferences of
each person, the dedicated resources and already all the points to
discuss. Sounds good? Good. I see here and there some agenda creators
and here and there some topic and non-touchers. Let's create it in
advance and by dedicated details, the voting then structures as well
the order for the topics and as well the time frames on it. Well, you
asked me to moderate your session and we try if remote, ok?

A solution could be to create the roadmap items before the session
starts. You then can start quicker into group work and are much more
efficient.

(J) How should we organize the project governance to make a transition
between the old Mozilla-dominated leadership, to a community-based
governance module?

One means has been suggested above, by voting and giving everyone a
voice. Participation. A better way to exclude the old.

(K) How can we fill non-coding gaps in project operations, including
marketing, business development, and contributor engagement?

I think this is as well strongly related to the community approach.
Many, Many people love to create a wiki or webpage for open source
projects. Here I have to suggest really to take the quality people out
of their function. How much quality control should restrict people to
take part?





(L) How can we better empower bug triagers to have an impact to
actually get bugs fixed?

Huh? A bug tracker which is revised and assigns bugs to people and
teams? Who is currently responsible for the bug tracker? I could see
the experienced mentors in this role to care for that and trying to
find young people to fix the bugs (rather than not doing it
themselves).

(M) Should we be raising income through donations? If so, what form
would that take, and how would the income be used?

Selling echo-server-accounts, adding an ad frame to the read mail,
make a campaign like wikipedia,  tie a donation check to the gui
passphrase login.

(N) What are the obstacles and frustrations that people are
experiencing in contributing to Thunderbird, and how can we overcome
these?

I think a survey does not give any feedback. It is more a personal
thing of people not welcomed in your community of developers, hard to
discover. Three gui developers have been mentioned as key people, even
the two main developers have not yet participated in the p2p email
idea.. are the main people even frustrated? Everyone still with us ?
...



(O) Who are our users? How can we better understand and meet the needs?



(Z) VISION AND MISSION :
"T-Bird's community mission is to promote openness & trust, innovation
& opportunity in encrypted and secure Messaging for users, who seek
for open source communication solutions".



Maybe everyone can introduce himself, what his contribution to each of
the three components has been?



May I start to explain the method?

OPENNESS: I think I was open to look for justification, for pitfalls,
for usability and a benchmark for other p2p tools.

INNOVATION: I think I was innovative to research over one year (Blake
knows) present the idea to you for encrypted p2p emailing (or
messaging)  with an evaluated library/kernel for that idea. I don't
know any more appropriate tool.

OPPORTUNITY: And I think I was fostering the opportunity for the
users, to be part of p2p emailing and helping to set up a new way of
emailing by a) encryption and b) the p2p way (which I don't see as
dividable - just adding encryption to T-Bird is not the successful
idea). And I am suggesting the opportunity to switch to Qt and leave
XUL and Mozilla and even suggest to merge with the BitMail project
and/or allow a Qt-Bird and a XUL-Bird.



Any others (if not, good luck for October)? or comments? Regards Randolph


