Re: photo-ID
On Thursday, 1 January 2015, Robert J. Hansen wrote:

> I’ve discussed this attack vector on the keyserver mailing list. The
> general consensus is that the attack that I’m concerned about is real, and
> would result in serious disruption to the global keyserver network for an
> extended period until we developed countermeasures — but those
> countermeasures would fundamentally transform the keyserver network and
> force us to radically redefine our expectations of service.
>
> Before people think I’m overreacting —

No. It is a realistic attack. Key servers might legitimately strip photo ids if it were ever a problem, IMHO.

But in fact, a UID packet can contain arbitrary data anyway, can't it? Isn't that just the same problem?

N.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: photo-ID
Hi

Sorry if I misunderstood, but I didn’t say that the photo ID should be allowed to be as large as possible, and this is not allowed anyway by, for example, apps like GPG Keychain.

But I was wondering … instead of attaching a photo to a public key, why not attach a hash of the photo using an image hashing algorithm?

I don’t know much about image hashing (but this discussion has now made me more curious to learn) but such an algorithm is supposed to calculate a hash value for an image that could be compared against **perceptually similar** images. Since this will be a string it would not lead to the blob attack scenario described before.

I found some interesting resources including a paper describing some algorithms

http://www.phash.org/docs/pubs/thesis_zauner.pdf

and there are also several API implementations

http://www.phash.org/ (C++)
https://pypi.python.org/pypi/ImageHash (Python).

Would it not be possible for gpg to incorporate these so that a user can attach a set of hash values for their photo(s) to their public key that recipients could check against some other source?

Sandeep Murthy
s.mur...@mykolab.com

> On 1 Jan 2015, at 02:30, Robert J. Hansen wrote:
>
>> I don’t agree.
>
> With what?
>
>> Why isn’t the photo ID feature not useful?
>
> I never said it wasn’t.
>
> I said the photo ID feature, *as used within OpenPGP certificates*, isn’t.
> There’s a big difference there.
>
> Frankly, the possibility of allowing arbitrarily-sized binary blobs to be
> attached to OpenPGP certificates scares the ever-living bloody f*ck out of
> me. (I try to avoid vulgarity, but I’m using it here to underline just how
> critical this problem is.) The keyserver network, as currently configured,
> is susceptible to a total worldwide denial-of-service attack that can be
> conducted by just one malicious individual who figures out how to turn the
> photo ID feature into an attack vector.
>
> I’ve discussed this attack vector on the keyserver mailing list. The general
> consensus is that the attack that I’m concerned about is real, and would
> result in serious disruption to the global keyserver network for an extended
> period until we developed countermeasures — but those countermeasures would
> fundamentally transform the keyserver network and force us to radically
> redefine our expectations of service.
>
> So, yeah. Photo IDs on OpenPGP certificates is really another way of saying
> “OpenPGP supports putting arbitrarily-sized binary blobs on certificates that
> will be replicated worldwide and, depending on local jurisdictions, will
> immediately convert keyserver operators into felons.” That’s enough for me
> to declare the entire OpenPGP implementation of photo IDs a staggering
> clusterf*ck of failure, and something that I really wish would get dropped
> from the OpenPGP spec.
>
> (I’m not going into specifics about the attack because I don’t want to give
> anyone ideas, not in any expectation that it really matters a damn. My
> write-up is available, but I’m not going to help you find it.)
>
>
>> Surely any piece of
>> information that would help another person, with whom you
>> are proposing to communicate, to identify you first, is a good
>> thing.
>
> Sure, but it would be nice if it didn’t expose people to phenomenal risk
> while we’re at it.
>
> We have better ways of doing photo IDs — e.g., keybase.io. I think we should
> use them.
>
> You’re arguing against something I never said and don’t believe.
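The perceptual-hash idea raised in the message above, as an added illustration that is not part of the thread and is not the pHash or ImageHash code: a simplified 64-bit average hash in plain Python, run over constructed pixel grids. The function names, the `same_photo` policy and its 8-bit threshold are assumptions made for this sketch.

```python
def downscale(pixels, size=8):
    """Block-average a square grayscale image (rows of 0-255 ints) to size x size."""
    n = len(pixels) // size
    return [[sum(pixels[y * n + dy][x * n + dx] for dy in range(n) for dx in range(n)) / (n * n)
             for x in range(size)] for y in range(size)]

def average_hash(pixels):
    """64-bit average hash as 16 hex characters: one bit per cell, set if above the mean."""
    cells = [v for row in downscale(pixels) for v in row]
    mean = sum(cells) / len(cells)
    bits = 0
    for v in cells:
        bits = (bits << 1) | (v > mean)
    return f"{bits:016x}"

def hamming(a, b):
    """Number of differing bits between two hex-encoded hashes."""
    return bin(int(a, 16) ^ int(b, 16)).count("1")

def same_photo(a, b, threshold=8):
    """Assumed policy: hashes within `threshold` bits count as the same picture."""
    return hamming(a, b) <= threshold

# Constructed 32x32 test images (no real photos are involved).
PHOTO = [[x * 8 for x in range(32)] for y in range(32)]           # left-to-right gradient
RESAVED = [[min(255, max(0, p + (x * 7 + y * 13) % 7 - 3))        # same picture, +/-3 noise
            for x, p in enumerate(row)] for y, row in enumerate(PHOTO)]
OTHER = [[y * 8 for x in range(32)] for y in range(32)]           # top-to-bottom gradient

if __name__ == "__main__":
    published = average_hash(PHOTO)   # the short string that would be attached to the key
    for name, image in (("resaved", RESAVED), ("other", OTHER)):
        h = average_hash(image)
        print(name, h, hamming(published, h), same_photo(published, h))
```

The published value is a fixed 16-character string regardless of image size, which is the property the message is after. A perceptual hash is built so that similar images collide, so a match means "looks alike" and carries none of the collision resistance of a cryptographic hash.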
Re: photo-ID
On 01-01-2015 14:33, Sandeep Murthy wrote:

> Sorry if I misunderstood, but I didn’t say that the photo ID should
> be allowed to be as large as possible, and this is not allowed anyway
> by, for example, apps like GPG Keychain.

Huge size would not be the only problem. Wait until the first person uploads a key with a child porn image as photo-id, and then wildly posts "to download this child porn image, get GnuPG and download key 0x12345678". It might even be done by someone who deliberately wishes to get all keyservers offline.

--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
Updating public key problem
Hi guys,

I've updated my GnuPG key and sent it to keyservers. What did I update? I've just deleted 2 expired subkeys and added one with a longer (in 2015) expiration.

But as I can see in a keyserver - http://pgpkey.org/pks/lookup?op=vindex&search=0x5935a6bfb301c1aa2218e0e57d58bae0dbeb2b6a&fingerprint=on those 2 expired subkeys still appear and that's why, in my opinion, sending an encrypted message doesn't work with a free service like - https://encrypt.to/linuxdeb...@zoho.com

Before the expiration date of those 2 keys, the encrypt.to service worked. Try to send me an e-mail via encrypt.to or compare the public key information with the attached (updated). If the attachment is not included, I add the ASCII format below.

Thanks for any tip how to correctly update or what to do, so my public key would be possible to be used by encrypt.to for those who wanna send me a private message.

Btw, I use Debian Wheezy, KDE, 32b., mostly Kgpg app or CLI gpg commands.

My updated public key:
gpg vs smime, snowden etc
Hello

I am sorry if this is a little off-topic but I am not sure where to ask. I use both, gpg and smime (the latter either with gpgsm or with thunderbird)

Recently the German news magazine «Der Spiegel» [1] published more of the «Snowden files», which reveal that gpg is NSA safe[2].

Does anybody know whether smime has the same level of security? There are at least two possible weak spots.

- the generation and sign of the certificate, ideally the generation of the keypair should be done by the crypto module of the browser, but that could be hacked...

- the length of the key for the symmetric encryption.

Maybe there are others.

Any comments?

Thanks

Uwe Brauer

Footnotes:
[1] and I presume the Guardian and the New York Times as well.
[2] although the documents do not provide any information concerning the key length and the gpg version
Re: gpg vs smime, snowden etc
On 01.01.2015, Uwe Brauer wrote:

> Recently the German news magazine «Der Spiegel» [1] published more of
> the «Snowden files», which reveal that gpg is NSA safe[2].
>
> Does anybody know whether smime has the same level of security? There
> are at least two possible weak spots.

Nobody really knows, unless there is transparent and reviewable evidence which supports either direction.
[blog] Happy gnu year
Hi,

find below a plain text copy of a blurb I wrote today:

https://gnupg.org/blog/20150101-happy-gnu-year.html

if you like to comment, please group reply to this mail.

Salam-Shalom,

Werner

Happy gnu year to everyone and a big *thank you* to all supporters of GnuPG.

It is awesome to see that GnuPG and its makers received a lot of attention in the last weeks of 2014. This is really appreciated by all of us. Speaking of me, the donations allow me to keep on working on free software and GnuPG in particular — at least for the next months.

Early December friends reminded me that it is the time to kick off a donation campaign to secure the future of GnuPG. They supported me with a [press release] which was republished by others (e.g. [Cory Doctorow]) and soon many small and larger donations started to fill up the donation status bar with a bit of green. I was not just amazed by the financial support but also by the many encouraging messages to us developers like /Keep the excellent work! Please!/, /Thanks for keeping us safe and protecting our basic human rights./, /You guys are great! Safe communication should be a right./, /Thank you so much for this hard work. You're truly directing us toward a better world/, /GPG is important software for our society's future/, /Thanks for doing great work. I know it's under appreciated, but it's absolutely necessary/, /Please keep it up, guys, and run further donation rounds if you need money. If GPG goes down, we'll all be at a loss/, or /freedom of thought, freedom of speech, freedom of information/.

Up until today we received more than a quarter of the campaign’s goal and donations are still coming in. Let me add that my work on GnuPG would have not been possible without the incredible support of my family who deserve all my thanks.

At the 31C3 the [Reconstructing narratives] lecture ([video]) told us again about the depressingly sad state of our world regarding to freedom and humanity. It was also reported that most of our secure electronic communication methods don’t do what we expected from them – with the exception of a very few tools, GPG (i.e. GnuPG) being one of them.

With the raised attention towards securing our communication and to help preserving us from a world nobody wants to have, we need to improve GnuPG and its frontends. They need to be easily usable by everyone and be a standard part of every communication device much like the ubiquitous web browser. It will take time and a lot of effort to do that. I am confident that with enough support we can achieve that goal.

Now let us look forward and see what is on the list.

As a prerequisite we need to establish a solid organizational framework to free developers of tasks they are not best in, like looking for money, running funding campaigns, preparing paperwork for donation programs, and talking to ties and non-techies.

We need better and streamlined documentation. For example, there are lots of different HOWTOs and other documents explaining the use of GnuPG and frontend applications. Many of them are outdated and some documents contradict each other. Thus the goal is to prepare a canonical set of documentation to support all kinds of users. See and use the [Wiki] if you are interested to help.

[Enigmail] is one of the most used mailer frontends for GnuPG and thus should be a primary target for improvements. There are currently only two spare time developers for it — despite that some smaller bugs make it sometimes hard to use for a beginner. This needs to be changed by improving the communication between the developers and finding the resources to assign a paid developer to it.

The network of OpenPGP keyservers works quite well for the relatively small active user base. For a mass use of it we need to add a few things or start to deploy an easier method for retrieving keys. This is essential for making mail encryption the default on the net.

Although the use of proprietary platforms supports the spook’s surveillance programs, it is a pipe dream to believe that free operating systems like Linux or FreeBSD can completely replace Windows, Mac OS, and Android any time soon. Improving our crypto tools on those platforms is thus essential to help those users and to trigger a network effect to make encrypted communication the default. For GnuPG this means to make the core components available on these platforms using a standard unattended installer, so that frontend applications (like Enigmail) can easily install it if not yet available. Separating the GnuPG core from the frontend applications also allows for an automatic update procedure to be prepared for possible security relevant bugs and to be able to easily deploy new algorithms as soon as the need arises.

As stated in the press r
PGP and BeID
Besides Mozilla Thunderbird (v31.3.0) and Enigmail (1.7.2) I installed GpG4Win (2.2.3) in order to encrypt/sign emails. Works like a charm (no pun intended).

The only problem I have is that, when I try to open the "Manage Smartcard" option in Enigmail, I receive an error saying that the smartcard is not supported (gpg: OpenPGP card not available: Not supported).

As smartcard I use my Belgian EiD card with the ACR38U as cardreader.

Additional software installed:
1. middleware (4.0.7 7453)
2. OpenPGP Smartcard Minidriver (OpenPGPmdrv-1.0.0.0)

Works also like a charm.

As OS I use Windows 8.1 64bit

I suspect that the OpenPGP software is the culprit and doesn't support my smartcard. Is this correct and can I do something to make it work?
Re: GPG (v. 1.4.12) is not user-friendly
Ryan Sawhill wrote:

> I disagree with your subject, and propose that you google for a tutorial
> since the man page clearly didn't work for you.

The man page did work for me, and I was able to accomplish my goal.

> (As far as I can tell, you were trying to import someone's pubkey, in which
> case you should simply have used: gpg --import FILE)

No, I was trying to get the key's fingerprint, _without_ importing it.

I thought my original message made clear that I was trying to get the fingerprint. The point of my message was that GPG apparently requires pointless circumlocution for this simple function.

Now I'm afraid you'll just ask, “why not just import it?”, even though that misses the point. The answer is: I don't want it on my keyring, if it's the wrong key. How do I know whether it's the right key? By checking the fingerprint! And to check it, I have to get it.

Then you might answer that I should import the key, get the fingerprint, check that it's the right one, and remove the key if it's the wrong one. But it's more straightforward to simply check the fingerprint first, and not import the key in the first place if it's the wrong one. Which was my goal.

Getting the fingerprint should not require importing the key. Getting the fingerprint should not require writing to any file at all. It should only require reading.
Fwd: Re: [Announce] GnuPG 2.1.1 released
Hi Werner,

Apologies, I'm an idiot. The option is still there.

Optional Features:
  --disable-option-checking      ignore unrecognized --enable/--with options
  --disable-FEATURE              do not include FEATURE (same as --enable-FEATURE=no)
  --enable-FEATURE[=ARG]         include FEATURE [ARG=yes]
  --disable-dependency-tracking  speeds up one-time build
  --enable-dependency-tracking   do not reject slow dependency extractors
  --disable-gpg                  do not build the gpg program
  --disable-gpgsm                do not build the gpgsm program
  --disable-agent                do not build the agent program
  --disable-scdaemon             do not build the scdaemon program
  --disable-g13                  do not build the g13 program
  --disable-dirmngr              do not build the dirmngr program
  --disable-tools                do not build the tools program
  --disable-doc                  do not build the doc program
  --enable-symcryptrun           build the symcryptrun program
  --disable-gpgtar               do not build the gpgtar program
  --enable-gpg2-is-gpg           Set installed name of gpg2 to gpg

Apologies for the false positive before.

Cheers, and Happy New Year,

Dom

Sent from OS X. If you wish to communicate more securely my PGP Public Key is 0x872524db9d74326c.

Forwarded Message
Subject: Re: [Announce] GnuPG 2.1.1 released
Date: Thu, 18 Dec 2014 20:19:56 +
From: Dominyk Tiller
To: gnupg-users@gnupg.org
CC: w...@gnupg.org

Apologies, that option is indeed gone. I was trying to pass it anyhow, in order to use an external (but up-to-date) gpg-agent as my agent, because that's how I was configuring the 2.0.x branch, "--disable-agent --with-agent-pgm=/usr/local/opt/gpg-agent/bin/gpg-agent".

When I went to build this new release of the 2.1.x branch I just automatically passed those configure options, and when the configure script didn't flag the option as unrecognised I wondered if it was a bug that it was erroring out. I should have probably double-checked to see if I was just being stupid ;).

Cheers for the reply,

Dom

Sent from OS X. If you wish to communicate more securely my PGP Public Key is 0x872524db9d74326c.

On 18/12/2014 08:35, Werner Koch wrote:
> On Wed, 17 Dec 2014 13:54, dominyktil...@gmail.com said:
>
>> I'm still hitting a new one though. If you attempt to compile using an
>> external gpg-agent, rather than one with the package, you hit this:
>
> You mean an option --disable-agent? Do we still have this option - it
> needs to be removed. gpg-agent is not optional.
>
>
>
> Salam-Shalom,
>
>    Werner
Re: GPG (v. 1.4.12) is not user-friendly
On 01/01/2015 05:59 AM, Kelly Dean wrote:
> Ryan Sawhill wrote:
>> I disagree with your subject, and propose that you google for a
>> tutorial since the man page clearly didn't work for you.
>
> The man page did work for me, and I was able to accomplish my
> goal.
>

...

>
> Now I'm afraid you'll just ask, “why not just import it?”, even
> though that misses the point. The answer is: I don't want it on my
> keyring, if it's the wrong key.

At this point I would just like to point out that nobody should rely on the existence of a key in the keyring for security. After a proper key validation the key should be signed, either locally or as an exportable signature to form part of the WoT. As such the existence of the key on the keyring really does not pose any issue (maybe except for aesthetically)

>
> Getting the fingerprint should not require importing the key.
> Getting the fingerprint should not require writing to any file at
> all. It should only require reading.

Just looking at the file in question the fingerprint is not stored along with the data, but you can get the long keyid using

    $ gpg --list-packets Tmp/kf.asc
    ...
    :public key packet:
            version 4, algo 1, created 1197735934, expires 0
    ...
            keyid: 0B7F8B60E3EDFAE3

For the fingerprint the key will have to be parsed and the fingerprint calculated. This doesn't have to be done in the primary user keyring however, but you can easily use a temporary keyring - see "--keyring file"

--
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

"Action is the foundational key to all success" (Pablo Picasso)
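What "parsed and the fingerprint calculated" involves for a version 4 key, as an added example that is not part of the thread and is not GnuPG's code: a read-only Python parser that walks the packets of a key file and hashes the public-key packet as RFC 4880 section 12.2 specifies. The function names and the sample certificate (a made-up modulus, not a usable key) are constructed for the illustration; nothing is imported into or written to any keyring.

```python
import base64
import hashlib
import struct

KEY_TAGS = {6: "public key", 14: "public subkey"}

def dearmor(text):
    """Decode an ASCII-armored block (-----BEGIN ... -----END) to raw packets."""
    b64, in_body = [], False
    for line in text.strip().splitlines()[1:]:
        line = line.strip()
        if line.startswith("-----END"):
            break
        if not in_body:                  # armor headers end at the first blank line
            in_body = (line == "")
        elif not line.startswith("="):   # skip the optional CRC-24 line
            b64.append(line)
    return base64.b64decode("".join(b64))

def packets(data):
    """Yield (tag, body) per packet, for old- and new-format headers (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        first = data[i]
        i += 1
        if not first & 0x80:
            raise ValueError("bit 7 clear: not an OpenPGP packet header")
        if first & 0x40:                               # new-format header
            tag, o1 = first & 0x3F, data[i]
            i += 1
            if o1 < 192:
                length = o1
            elif o1 < 224:
                length = ((o1 - 192) << 8) + data[i] + 192
                i += 1
            elif o1 == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                                          # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not handled here")
            n = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def fingerprints(data):
    """Return [(kind, fingerprint, long key ID)] for each v4 key packet."""
    found = []
    for tag, body in packets(data):
        if tag not in KEY_TAGS:
            continue                                   # user IDs, signatures, photo IDs
        if body[0] != 4:
            raise ValueError("only version 4 keys are handled")
        # RFC 4880 12.2: SHA-1 over 0x99, the two-octet body length, then the body
        digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
        fpr = digest.hexdigest().upper()
        found.append((KEY_TAGS[tag], fpr, fpr[-16:]))  # key ID = low 64 bits
    return found

def mpi(n):
    """Encode an integer as an OpenPGP MPI: 16-bit bit count, then the bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def sample_certificate(new_format=False):
    """Constructed input: a v4 RSA key packet with a made-up modulus, plus a user ID."""
    modulus = int.from_bytes(bytes(range(1, 65)), "big")   # not a real RSA modulus
    key = b"\x04" + struct.pack(">I", 1420070400) + b"\x01" + mpi(modulus) + mpi(65537)
    uid = b"Constructed Example <user@example.invalid>"
    if new_format:
        head = bytes([0xC0 | 6, len(key)])             # new format, one-octet length
    else:
        head = b"\x99" + struct.pack(">H", len(key))   # old format, tag 6, two-octet length
    return head + key + bytes([0xB4, len(uid)]) + uid  # 0xB4: old format, tag 13

def armor(data):
    """Wrap packets in ASCII armor (the optional checksum line is omitted)."""
    b64 = base64.b64encode(data).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", ""] + rows
                     + ["-----END PGP PUBLIC KEY BLOCK-----"])

if __name__ == "__main__":
    for kind, fpr, keyid in fingerprints(dearmor(armor(sample_certificate()))):
        print(kind, fpr, "long key ID", keyid)
```

The long key ID is the last 16 hex digits of the fingerprint, the same relationship visible between the `keyid:` line and the `fpr:` line in the message above.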
Re: GPG (v. 1.4.12) is not user-friendly
On Thursday 01 January 2015 04:59:37 Kelly Dean wrote:

> Getting the fingerprint should not require importing the key. Getting the
> fingerprint should not require writing to any file at all. It should only
> require reading.

I haven't tried with gpg 1.4, but with gpg 2.0.22 it's as easy as

    # gpg --with-fingerprint key.gpg

Regards,
Ingo
Re: gpg vs smime, snowden etc
On Thursday 01 January 2015 19:19:58 Uwe Brauer wrote:

> Hello
>
> I am sorry if this is a little off-topic but I am not sure where to ask.
> I use both, gpg and smime (the latter either with gpgsm or with
> thunderbird)
>
> Recently the German news magazine «Der Spiegel» [1] published more of
> the «Snowden files», which reveal that gpg is NSA safe[2].
>
> Does anybody know whether smime has the same level of security? There
> are at least two possible weak spots.
>
> - the generation and sign of the certificate, ideally the
>   generation of the keypair should be done by the crypto module of
>   the browser, but that could be hacked...
>
> - the length of the key for the symmetric encryption.
>
> Maybe there are others.

The PKI resp. the CAs are the weakest spot of S/MIME (if you rely on the S/MIME PKI for certificate verification).

Regards,
Ingo
Re: Updating public key problem
On 01.01.2015 at 18:10, Linux Debian wrote:

(...)

> I've updated my GnuPG key and sent it to keyservers. What did I update?
> I've just deleted 2 expired subkeys and added one with a longer
> (in 2015) expiration. But (...) those 2 expired subkeys still
> appear (...)

Yes, key servers are purely cumulative. Information cannot be deleted or made to disappear from them, including revoked or expired (sub)keys. This is by design, so that no one can e.g. remove someone else's (sub)key(s), signatures, preferences etc. from the key server network.

> (...) and that's why, in my opinion, why the sending an encrypted
> message doesn't work by the free service like -
> https://encrypt.to/linuxdeb...@zoho.com Before the expiration
> date of those 2 keys, the encrypt.to service worked.

I don't know that service, but if that is the case, then I suggest you take it up with the people who run the encrypt.to service. If it cannot handle expired subkeys then they don't implement the OpenPGP standard correctly.

Cheers
gabe
Re: GPG (v. 1.4.12) is not user-friendly
On 12/31/2014 08:59 PM, Kelly Dean wrote:

> I thought my original message made clear that I was trying to get the
> fingerprint. The point of my message was that GPG apparently requires
> pointless circumlocution for this simple function.

No, your original message contained nothing but the output of various commands. I'm sure it was clear to you, and it may even have been clear to some on the list. But assuming that people can infer meaning from such a post is not really a strategy for success. :)

Doug
Re: The praise of GnuPG @31C3
On 12/31/2014 06:40 PM, Robert J. Hansen wrote:

> The protocol was secure: you just had to configure it correctly.

Yes, thank you for your tidy summary of "Security 101." :)

What I'm looking for is some sort of concrete information about "When ssh is configured the NSA can break it." I've seen quite a few sites make the claim that "zomg, ssh is broken!" but haven't yet seen any specifics.

Doug
Re: photo-ID
> Sorry if I misunderstood, but I didn’t say that the photo ID should
> be allowed to be as large as possible, and this is not allowed anyway
> by, for example, apps like GPG Keychain.

It *is* allowed by the spec, and it’s the spec that’s the problem here.

> But I was wondering … instead of attaching a photo to a public key,
> why not attach a hash of the photo using an image hashing
> algorithm?

This is sort of what keybase.io does; it lets you post cryptographically-signed statements like “this is my Twitter account” to let other people have confidence that a given social media account really does belong to you.
Re: GPG (v. 1.4.12) is not user-friendly
Hi

On Thursday 1 January 2015 at 9:55:18 PM, in , Ingo Klöcker wrote:

> I haven't tried with gpg 1.4, but with gpg 2.0.22 it's
> as easy as

> # gpg --with-fingerprint key.gpg

I just tested with GnuPG 1.4.18 and it worked.

--
Best regards

MFPA    mailto:2014-667rhzu3dc-lists-gro...@riseup.net

The man who really wants to do something finds a way, the other finds an excuse.
Re: The praise of GnuPG @31C3
> What I'm looking for is some sort of concrete information about "When ssh is
> configured the NSA can break it." I've seen quite a few sites make
> the claim that "zomg, ssh is broken!" but haven't yet seen any specifics.

First, my usual reminder: don’t focus on the three-letter Voldemort. The world is a bigger place than that and there are lots of threats, including many non-government actors.

Second — I suspect those who know won’t tell, and those who claim to know will steadfastly refuse to demonstrate it.

Which tells you nothing you didn’t already know, I’m sorry. :(