even after deleting the 1st key pair, owner's trust is defaulting to ultimate

2014-07-21 Thread war.dhan
i have created a key pair using the defaults at first.
set the owner's trust as ultimate using enigmail 1.7.
then i realised about not adding :
personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
since i have not uploaded the key to public server, i immediately
deleted the key.
added the above three lines to gnupg.conf.
created a key pair with same credentials for both key pairs:
name: myname
email: myn...@email.com

to my surprise the 2nd key pair has owners trust as ultimate.
is this intended behaviour or is anything abnormal ?
or is there any specific reason ?

i am using gnupg 2.0.25-1 on manjaro.

thanks & regards,
war.dhan

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: symmetric email encryption

2014-07-21 Thread Mark H. Wood
On Sat, Jul 19, 2014 at 05:46:02PM -0700, Bob Holtzman wrote:
> On Sat, Jul 19, 2014 at 01:55:45PM -0400, Robert J. Hansen wrote:
> > > A factor of two is "immense" to you...?
> > 
> > Yes.  A secret that only I know I can keep; a secret known to two people
> > can only be kept for a while.  Yes, that's an immense difference.
> 
> Old Hell's Angels saying, "3 people can keep a secret if two of them are
> dead". Not a very sophisticated bunch but..

Often attributed to Benjamin Franklin.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Machines should not be friendly.  Machines should be obedient.




Re: scdaemon support for SmartCard-HSM

2014-07-21 Thread Werner Koch
Hi Andreas,

On Fri, 18 Jul 2014 16:44, andreas.schwier...@cardcontact.de said:

> we've added support for the SmartCard-HSM to scdaemon. Please find the
> patch that applies to master at [1].

If you want me to apply that patch please read doc/DETAILS on how to
send a DCO. (I'd appreciate a sample card for testing but that is not a
requirement).

Some quick remarks:

If you took another app-*.c as template, please add all the copyright
lines from that file and add your own copyright line (unless you have an
assignment for GnuPG with the FSF)

Lines should in general not be longer than 80 characters, I spotted one
or two which are longer.

Someone needs to proofread the code of course ;-)


> 1. Signing with ECDSA: Apparently gpgsm puts the wrongs (RSAEncryption)
> algorithm identifier in SignerInfo when using ECDSA. As a result
> verification of the CMS fails with "conflicting use".

I doubt that gpgsm really supports ECC.  Thus such problems are to be
expected.

> 2. At least on Kubuntu the PIN callback to prompt the user to enter the
> PIN at the reader PIN PAD does not work. gpgsm is reporting an invalid

GnuPG does this on itself - no need for a callback.  Well, it should do
that.   What pinentry are you (Kubuntu) using?

> 3. Apparently kleopatra only supports TCOS cards. It's unclear to me why
> this restriction is in place.

The contract specified that card and thus Kleopatra did a minimal job to
fulfill the requirements.  For better card support you should use GPA
(you may want to add support for your card there as well).


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: even after deleting the 1st key pair, owner's trust is defaulting to ultimate

2014-07-21 Thread Werner Koch
On Mon, 21 Jul 2014 10:33, wardhan.v@gmail.com said:

> to my surprise the 2nd key pair has owners trust as ultimate.

Ultimate trust is always set for newly created keys.  It is not set if
you import a key.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: Automatic e-mail encryption

2014-07-21 Thread Mark H. Wood
On Sat, Jul 19, 2014 at 02:26:44PM +0200, Peter Lebbing wrote:
> By the way: if we had a working alternative to SSL/TLS, all the mail
> servers could talk to each other securely without eavesdropping. That way

Please remind me why we need an alternative to TLS.

> the contents of e-mails are only exposed on the sending SMTP server and
> the receiving SMTP and mailbox servers (e.g., IMAP). The mailbox server

I treat hop-by-hop encryption, not as an alternative to end-to-end,
but as defense in depth.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Machines should not be friendly.  Machines should be obedient.




Re: ECC and CMS (was: [Announce] The fifth Beta for GnuPG 2.1 is now available for testing)

2014-07-21 Thread Werner Koch
On Tue,  8 Jul 2014 09:56, bernh...@intevation.de said:

> Do you also know the status of  CMS (x.509) for S/MIME? 

May work but likely needs a bit of testing and code fiddling.  I have
lost most interest in CMS, thus better do not expect that I will spend
time on it.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: Mutt: Decrypting inline gpg format directly

2014-07-21 Thread Werner Koch
On Fri, 18 Jul 2014 18:18, whirlp...@blinkenshell.org said:

> I wonder if Mutt can be configured to decrypt inline pgp messages
> automatically, without piping the attachment to `gpg --decrypt`.

IIRC, I implemented that about a decade ago.  Simply put

set crypt_use_gpgme

into your ~/.muttrc.


Salam-Shalom,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: Is it possible to set a passphrase_cb in gpgme with openpgp protocol

2014-07-21 Thread Werner Koch
On Fri,  4 Jul 2014 11:52, ret...@rethab.ch said:

> I read in the ruby-bindings library that this only worked with version 1.X
> but seems not to work anymore with 2.X. Is there any truth to this?

Right.  GnuPG-2 requires the gpg-agent and the gpg-agent is solely
responsible for asking for the passphrase.  Check out the mail archives
on how to work around this (pinentry wrapper).

But: On common request GnuPG 2.1 (currently in beta) has a feature to
allow gpg-agent to call back to gpg (and in turn to gpgme etc) for the
passphrase (see --allow-loopback-pinentry and pinentry-mode).  GPGME
supports this.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: even after deleting the 1st key pair, owner's trust is defaulting to ultimate

2014-07-21 Thread Daniel Kahn Gillmor
On 07/21/2014 04:33 AM, war.dhan wrote:
> i have created a key pair using the defaults at first.
> set the owner's trust as ultimate using enigmail 1.7.
> then i realised about not adding :
> personal-digest-preferences SHA256
> cert-digest-algo SHA256
> default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
> since i have not uploaded the key to public server, i immediately
> deleted the key.
> added the above three lines to gnupg.conf.
> created a key pair with same credentials for both key pairs:
> name: myname
> email: myn...@email.com
> 
> to my surprise the 2nd key pair has owners trust as ultimate.
> is this intended behaviour or is anything abnormal ?
> or is there any specific reason ?

Any key created by GnuPG is automatically set to "ultimate" ownertrust
by default, on the assumption that this is your key, so you are willing
to believe any certifications that you make.

If you want the 2nd key to have some other ownertrust than the first
one, you should change that explicitly.  But since it sounds like it is
your personal key (and your only key), i don't see why you'd want to
reduce the ownertrust from ultimate.

--dkg



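Both replies above say the same thing: a key you generate gets ownertrust "ultimate" automatically, and anything else has to be set explicitly. As an added example (not code from this thread or from GnuPG), the script below reads the `gpg --export-ownertrust` line format (`FINGERPRINT:TRUSTVALUE:`), flags every key marked ultimate that is not one of your own, and rewrites one entry so the result can be applied with `gpg --import-ownertrust`. The fingerprints in the sample export are constructed.

```python
# Constructed sample of `gpg --export-ownertrust` output; the fingerprints are
# made up, the line format (FINGERPRINT:TRUSTVALUE:) is GnuPG's own.
SAMPLE_EXPORT = """\
# List of assigned trustvalues, created Mon 21 Jul 2014 10:33:00 AM CEST
# (Use "gpg --import-ownertrust" to restore them)
0123456789ABCDEF0123456789ABCDEF01234567:6:
89ABCDEF0123456789ABCDEF0123456789ABCDEF:6:
FEDCBA9876543210FEDCBA9876543210FEDCBA98:5:
"""

# Numeric trust values as GnuPG writes them into the export.
TRUST_NAMES = {2: "undefined", 3: "never", 4: "marginal", 5: "full", 6: "ultimate"}
ULTIMATE = 6


def parse_ownertrust(text):
    """Map fingerprint -> numeric ownertrust, skipping comments and blank lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fpr, value = line.split(":")[:2]
        entries[fpr.upper()] = int(value)
    return entries


def audit_ultimate(text, own_fingerprints):
    """Fingerprints marked ultimate that are not keys you own. Ultimate trust
    means every certification made with that key is believed outright, so a
    stray ultimate entry for someone else's key silently extends your web of
    trust."""
    own = {f.upper() for f in own_fingerprints}
    return sorted(f for f, v in parse_ownertrust(text).items()
                  if v == ULTIMATE and f not in own)


def set_ownertrust(text, fingerprint, value):
    """Return the export with one entry's trust value changed; feed it to
    `gpg --import-ownertrust` to make the change explicit, as dkg suggests."""
    if value not in TRUST_NAMES:
        raise ValueError(f"invalid ownertrust value {value}")
    out = []
    for line in text.splitlines():
        if not line.startswith("#") and line.upper().startswith(fingerprint.upper() + ":"):
            line = f"{fingerprint.upper()}:{value}:"
        out.append(line)
    return "\n".join(out) + "\n"
```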


Re: Automatic e-mail encryption

2014-07-21 Thread Peter Lebbing
On 21/07/14 15:32, Mark H. Wood wrote:
> Please remind me why we need an alternative to TLS.

Well, I actually meant X.509 and the CA system, which is what is currently
abundantly used in SSL and TLS. If you plug in a different form of
authentication, I think the rest is okay.

> I treat hop-by-hop encryption, not as an alternative to end-to-end,
> but as defense in depth.

Yes. I already explained why I think there is little difference when the mails
are stored unencrypted on a mailbox server. If you only decrypt to local
storage, then I agree.

By the way, regarding DANE as an alternative to the CA system: I think a proper
implementation of authentication through DNS could well be way better than the
CA system: at least you can only be screwed by people having access to signing
keys for the root and the TLD, instead of anyone with access to a CA 
certificate.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: symmetric email encryption

2014-07-21 Thread Bob Holtzman
On Mon, Jul 21, 2014 at 09:12:36AM -0400, Mark H. Wood wrote:
> On Sat, Jul 19, 2014 at 05:46:02PM -0700, Bob Holtzman wrote:
> > On Sat, Jul 19, 2014 at 01:55:45PM -0400, Robert J. Hansen wrote:
> > > > A factor of two is "immense" to you...?
> > > 
> > > Yes.  A secret that only I know I can keep; a secret known to two people
> > > can only be kept for a while.  Yes, that's an immense difference.
> > 
> > Old Hell's Angels saying, "3 people can keep a secret if two of them are
> > dead". Not a very sophisticated bunch but..
> 
> Often attributed to Benjamin Franklin.

Wow! Didn't know he was a h.a. or that he could ride.




-- 
Bob Holtzman
A man is a man who will fight with a sword
or tackle Mt Everest in snow, but the bravest 
of all owns a '34 Ford and tries for 6000 in low.




Re: Automatic e-mail encryption

2014-07-21 Thread MFPA

Hi


On Monday 21 July 2014 at 5:23:51 PM, in
, Peter Lebbing wrote:


> On 21/07/14 15:32, Mark H. Wood wrote:
>> Please remind me why we need an alternative to TLS.

> Well, I actually meant X.509 and the CA system, which
> is what is currently abundantly used in SSL and TLS. If
> you plug in a different form of authentication, I think
> the rest is okay.

Doesn't Monkeysphere [0] allow the use of the OpenPGP web of trust to
authenticate certificates for TLS?



[0] 






-- 
Best regards

MFPA    mailto:2014-667rhzu3dc-lists-gro...@riseup.net

None are so fond of secrets as those who do not mean to keep them




Re: Automatic e-mail encryption

2014-07-21 Thread Peter Lebbing
On 21/07/14 21:15, MFPA wrote:
> Doesn't Monkeysphere [0] allow the use of the OpenPGP web of trust to
> authenticate certificates for TLS?

I don't think this helps much authenticating one SMTP server to another. Even if
it would be possible, they are usually operated by ISPs; I don't see them using
the WoT for that any time soon.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: Automatic e-mail encryption

2014-07-21 Thread Doug Barton

On 07/21/2014 09:23 AM, Peter Lebbing wrote:
> By the way, regarding DANE as an alternative to the CA system: I think a proper
> implementation of authentication through DNS could well be way better than the
> CA system: at least you can only be screwed by people having access to signing
> keys for the root and the TLD, instead of anyone with access to a CA
> certificate.

SSL/TLS is designed to (primarily) do two things, of roughly equivalent
importance depending on the context:

1. Provide a framework to cryptographically secure the communication channel
2. Provide some level of assurance that the endpoint you've connected to
is actually the entity you intended to communicate with

What DANE does is provide a DNS resource record which gives you the
signature of the certificate that's relevant to the host name you want
to connect to. The system assumes that both the host record and the DANE
RR (TLSA) are signed with DNSSEC.

This facilitates purpose number 1 above as it allows the connection to
start off encrypted. It also allows your client to verify that the
certificate it gets is the one it was looking for. Assuming that you
have the same level of confidence in the organization you're
communicating with to manage their DNSSEC keys properly as you do for
them to manage their SSL keys properly, it also fulfills purpose number 2.

As Peter points out however, you're simply transferring your trust in
the hierarchy "above" the organization you're communicating with from
the CAs to the TLD and root zone operators. The good news is that for
now the TLDs have proven very trustworthy in their handling of their own
DNSSEC keys, and replacing them due to a compromise is orders of
magnitude easier than revoking/replacing CA signing certs. I will leave
judgment of how the root zone operators are doing up to the reader, as
my opinion would undoubtedly be biased. :)


hth,

Doug


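A worked version of the TLSA check Doug describes, as an added example (not code from this thread or from GnuPG): it parses a TLSA record in zone-file presentation form (usage, selector, matching type and certificate association data, as RFC 6698 defines them, where the data is the full certificate or its SubjectPublicKeyInfo, either verbatim or as a SHA-256/SHA-512 digest) and compares it with the certificate a client received. The certificate and SPKI bytes are constructed stand-ins, and DNSSEC validation of the record is assumed to have happened before this runs; without it the record proves nothing.

```python
import hashlib
import hmac

# Constructed stand-ins for the DER bytes a TLS client extracts from the
# server's end-entity certificate (not real certificates).
CERT_DER = b"constructed-end-entity-certificate-der"
SPKI_DER = b"constructed-subject-public-key-info-der"


def tlsa_assoc_data(selector, matching, cert_der, spki_der):
    """Certificate association data per RFC 6698: take the part of the
    certificate the selector names, then apply the matching type."""
    if selector == 0:        # full certificate
        data = cert_der
    elif selector == 1:      # SubjectPublicKeyInfo only (survives re-issuance with the same key)
        data = spki_der
    else:
        raise ValueError(f"unsupported TLSA selector {selector}")
    if matching == 0:        # exact match
        return data
    if matching == 1:        # SHA-256 digest
        return hashlib.sha256(data).digest()
    if matching == 2:        # SHA-512 digest
        return hashlib.sha512(data).digest()
    raise ValueError(f"unsupported TLSA matching type {matching}")


def parse_tlsa(presentation):
    """Parse 'usage selector matching hexdata' (zone-file presentation form)."""
    usage, selector, matching, hexdata = presentation.split(None, 3)
    return int(usage), int(selector), int(matching), bytes.fromhex(hexdata.replace(" ", ""))


def make_tlsa_record(usage, selector, matching, cert_der, spki_der):
    """Build the presentation form of the TLSA record an operator would publish."""
    assoc = tlsa_assoc_data(selector, matching, cert_der, spki_der)
    return f"{usage} {selector} {matching} {assoc.hex()}"


def tlsa_matches(presentation, cert_der, spki_der):
    """True if the presented certificate matches the record. Only usage 3
    (DANE-EE) makes this comparison sufficient by itself; usages 0-2 still
    require PKIX chain validation against a CA or the pinned trust anchor.
    DNSSEC validation of the record is assumed to have been done already."""
    usage, selector, matching, assoc = parse_tlsa(presentation)
    if usage not in (0, 1, 2, 3):
        raise ValueError(f"unsupported TLSA usage {usage}")
    expected = tlsa_assoc_data(selector, matching, cert_der, spki_der)
    return hmac.compare_digest(assoc, expected)   # constant-time comparison
```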


Re: Mutt: Decrypting inline gpg format directly

2014-07-21 Thread Jeff Fisher
On Fri, Jul 18, 2014 at 06:18:39PM +0200, The Fuzzy Whirlpool Thunderstorm wrote:
> I wonder if Mutt can be configured to decrypt inline pgp messages
> automatically, without piping the attachment to `gpg --decrypt`.  I
> know, piping works, but it'd be more convenient to have mutt do the
> piping task and automatically display the decrypted message inside.
> If anyone has an idea or experience with Mutt, please give your
> answer.

I use this in my ~/.muttrc, which seems to work:

message-hook '!(~g|~G) ~b"^-----BEGIN\ PGP\ (SIGNED\ )?MESSAGE"' "exec check-traditional-pgp"

It's borrowed from someone, but I don't remember where I originally
saw it.

You can also use P in the message pager to manually check a
message.

Cheers,
Jeff



Re: Automatic e-mail encryption

2014-07-21 Thread MFPA

Hi


On Monday 21 July 2014 at 8:56:21 PM, in
, Peter Lebbing wrote:


> I don't think this helps much authenticating one SMTP
> server to another. Even if it would be possible, they
> are usually operated by ISP's; I don't see them using
> the WoT for that any time soon.

But an individual user could use it for authenticating the first/last
hop between their MUA or browser or SMTP server and their ISP or email
provider's servers.


-- 
Best regards

MFPA    mailto:2014-667rhzu3dc-lists-gro...@riseup.net

1 + 1 = 3, for large values of 1

