Re: SSH generic socket forwarding for gpg-agent

2015-02-12 Thread Matthew Monaco
On 12/04/2014 01:23 AM, Werner Koch wrote:
> On Tue, 11 Nov 2014 18:35, m...@monaco.cx said:
>> Does anyone have gpg-agent forwarding working with SSH's recent generic
>> socket forwarding? Does it still require socat on one end, because I've
>> only been able to specify a socket path on the left-hand side of the
>> forwarding specification
> 
> Yes, it works for me.  However, I tested it with the current development
> version of 2.1 which adds an extra feature:
> 
>    --extra-socket NAME
>   Also listen on native gpg-agent connections on the given
>   socket.  The intended use for this extra socket is to
>   setup a Unix domain socket forwarding from a remote
>   machine to this socket on the local machine.  A gpg
>   running on the remote machine may then connect to the
>   local gpg-agent and use its private keys.  This allows to
>   decrypt or sign data on a remote machine without exposing
>   the private keys to the remote machine.
> 
> The documentation on how to use Unix domain sockets with ssh is a bit
> sparse.  You probably want to use "-o StreamLocalBindUnlink=yes" when
> connecting to the remote host and you have to enable the forwarding
> features (look for Stream* options).
> 

Hey, thanks for the info! Just to follow up, I was able to get it working with
e.g.:

ssh  \
   -R /.gnupg/S.gpg-agent:/.gnupg/S.gpg-agent

However, this only works when the private material is in private-keys-v1.d; it
doesn't work with a smartcard =/

-oStreamLocalBindUnlink doesn't work either. I need to remove the socket on the
remote end manually.

And finally, I don't understand where --extra-socket comes into play here. In
the 2.1.1 release notes, you say it supports a restricted command set. Is there
a security risk, or is it just to prevent mistakes? Also, is the expected use
then to forward S.gpg-agent on the remote end to e.g., S.gpg-agent-extra on the
local, or should the remote end have a different name as well?

-Matt



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
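
The forwarding discussed in the message above, as an added example that is not part of the thread or of GnuPG: a POSIX shell helper that builds the `ssh -R remote:local` option so that only the restricted `--extra-socket` endpoint is handed to the remote host. The host name, the socket paths and the refuse-the-main-socket policy are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Host and socket paths are hypothetical.
#
# Local side, once: run gpg-agent with the option quoted above, e.g.
#   gpg-agent --daemon --extra-socket /home/alice/.gnupg/S.gpg-agent.extra
# gpg on the remote host talks to its standard agent socket, so the remote
# end of the forward keeps the standard name and only the local end differs.

# valid_sock_path PATH: accept only absolute paths that survive both the
# "remote:local" syntax of ssh -R and unquoted word splitting.
valid_sock_path() {
    case "$1" in
        *[[:space:]]*|*:*) return 1 ;;
        /*) return 0 ;;
        *) return 1 ;;
    esac
}

# forward_args LOCAL_EXTRA_SOCKET REMOTE_AGENT_SOCKET
# Prints the "-R remote:local" option for ssh.
# Returns 2 for an unusable path and 3 when the local end is the
# full-featured S.gpg-agent socket instead of the restricted extra socket.
forward_args() {
    fa_local=$1
    fa_remote=$2
    valid_sock_path "$fa_local" || {
        echo "bad local socket path: $fa_local" >&2; return 2; }
    valid_sock_path "$fa_remote" || {
        echo "bad remote socket path: $fa_remote" >&2; return 2; }
    # Policy of this example: the remote host only ever reaches the socket
    # with the restricted command set, never the main agent socket.
    if [ "${fa_local##*/}" = "S.gpg-agent" ]; then
        echo "refusing to forward the main agent socket; use --extra-socket" >&2
        return 3
    fi
    printf '%s %s:%s\n' "-R" "$fa_remote" "$fa_local"
}

# forward_agent HOST LOCAL_EXTRA_SOCKET REMOTE_AGENT_SOCKET
# Opens the session with the forward in place. sshd on the remote host
# creates the forwarded socket, so a stale socket file there blocks the bind
# unless its sshd_config has "StreamLocalBindUnlink yes" (or the file is
# removed by hand, as reported in the thread). ExitOnForwardFailure makes
# that failure visible instead of giving a session without an agent.
forward_agent() {
    fw_args=$(forward_args "$2" "$3") || return
    # Intentional word splitting: "-R" and the spec become two arguments.
    ssh -o ExitOnForwardFailure=yes $fw_args "$1"
}
```
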


Re: [Announce] GnuPG 2.1.2 released

2015-02-12 Thread Peter Lebbing

On 11/02/15 20:40, Werner Koch wrote:
> Since the start of the funding campaign in December several thousand people
> have been kind enough to donate a total of 25 Euro to support this
> project.  In addition the Linux Foundation gave a grant of $ 6 for
> 2015, Stripe.com and Facebook.com each pledged $ 5 per year.
> 
> I am amazed by this superb and unexpected support for the GnuPG project. 
> This will not only allow us to continue the project and hire at least a 
> second full time developer but gives us also the resources to improve 
> things which have been delayed for too long.

I'm so glad to hear that, congratulations! \o/

If there's anybody who deserves it, it's you. I hope this gives you some
well-deserved peace of mind regarding financially sustaining yourself and your
family while continuing to work on GnuPG.

Cheers!

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: Key keeps showing unknown trust

2015-02-12 Thread Werner Koch
On Thu, 12 Feb 2015 00:25, 2014-667rhzu3dc-lists-gro...@riseup.net said:

> If GnuPG 2.1.x finds an existing secring.gpg, that is used. If not,
> the new file format secring.kbx is used.

Nope.  You will never find a secring.kbx.  2.1 uses secring.gpg only in
this way:

If secring.gpg exists and the file .gpg-v21-migrated does not exist, the
secret keys from secring.gpg are imported to private-keys-v1.d/ and
.gpg-v21-migrated is created.

The migrated keys are stored in a special intermediate format below
private-keys-v1.d/ and converted to the final format as soon as you use
that key and thus have to enter the passphrase (which is needed for
re-encryption).



Salam-Shalom,
   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: [Announce] GnuPG 2.1.2 released

2015-02-12 Thread Philip Jackson
On 12/02/15 13:10, Peter Lebbing wrote:
> On 11/02/15 20:40, Werner Koch wrote:
>> > Since the start of the funding campaign in December several thousand people
>> > have been kind enough to donate a total of 25 Euro to support this
>> > project.  In addition the Linux Foundation gave a grant of $ 6 for
>> > 2015, Stripe.com and Facebook.com each pledged $ 5 per year.
>> > 
>> > I am amazed by this superb and unexpected support for the GnuPG project. 
>> > This will not only allow us to continue the project and hire at least a 
>> > second full time developer but gives us also the resources to improve 
>> > things which have been delayed for too long.
> I'm so glad to hear that, congratulations! \o/
> 
> If there's anybody who deserves it, it's you. I hope this gives you some
> well-deserved peace of mind regarding financially sustaining yourself and your
> family while continuing to work on GnuPG.

I'll second all that - great news !!

Philip





emulating smartcard with Nexus 5

2015-02-12 Thread Brian Minton

I recently got a new Nexus 5, with NFC.  Supposedly it supports ISO
7816-4.  Is there any possibility of, for instance, porting gnuk to
android?  I'd love to use my smartphone as a smartcard.  Of course, the
smartphone wouldn't have as many anti-tampering features as a typical
smart card, so this would be mainly for educational purposes rather
than true security.


Re: [Announce] GnuPG 2.1.2 released

2015-02-12 Thread Patrick Brunschwig

On 11.02.15 20:40, Werner Koch wrote:
> Hello!
> 
> The GnuPG Project is pleased to announce the availability of the 
> third release of GnuPG modern: Version 2.1.2.

The "usual" installer for Mac OS X is now available from
https://sourceforge.net/p/gpgosx/docu/Download/


-Patrick



Pinpad card reader problems in 2.1.2

2015-02-12 Thread Werner Koch
Hi!

I introduced a regression in 2.1.2 which may lead to a non working
pinpad reader.  If you experience problems, please try the attached
patch.


Salam-Shalom,

   Werner


-- 
Thoughts are free.  Exceptions are regulated by a federal law.
>From 07a71da479daaac43b8c5b1034a1e66f96bdbc48 Mon Sep 17 00:00:00 2001
From: Werner Koch 
Date: Thu, 12 Feb 2015 20:40:39 +0100
Subject: [PATCH] scd: Fix regression in 2.1.2 (due to commit 2183683)

* scd/apdu.c (pcsc_vendor_specific_init): Replace use of
bufNN_to_uint by direct code.
--

Hey, that was little endian.
---
 scd/apdu.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scd/apdu.c b/scd/apdu.c
index e5db4f0..5e7d27b 100644
--- a/scd/apdu.c
+++ b/scd/apdu.c
@@ -1851,9 +1851,9 @@ pcsc_vendor_specific_init (int slot)
   if (l == 1)
 v = p[0];
   else if (l == 2)
-v = buf16_to_uint (p);
+v = (((unsigned int)p[1] << 8) | p[0]);
   else if (l == 4)
-v = buf32_to_uint (p);
+v = (((unsigned int)p[3] << 24) | (p[2] << 16) | (p[1] << 8) | p[0]);
 
   if (tag == PCSCv2_PART10_PROPERTY_bMinPINSize)
 reader_table[slot].pcsc.pinmin = v;
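Review bot: the open-coded decodes in the l == 2 and l == 4 branches carry no comment saying that the little-endian byte order is deliberate, which is how the regression named in the subject line came about. Add a one-line comment above the l == 2 branch stating that these property values are little endian, or move both decodes into a small named helper, so a later cleanup does not put buf16_to_uint and buf32_to_uint back. As a smaller style point, in the l == 4 line only p[3] is cast to unsigned int while p[2] << 16 and p[1] << 8 rely on integer promotion; if p points to unsigned char (the hunk does not show its type) that is safe for these shift widths, but casting every operand the same way would make the expression easier to audit.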
-- 
2.1.4



Re: [Announce] GnuPG 2.1.2 released

2015-02-12 Thread Werner Koch
On Thu, 12 Feb 2015 18:31, patr...@enigmail.net said:

> The "usual" installer for Mac OS X is now available from
> https://sourceforge.net/p/gpgosx/docu/Download/

I just added the URL to the download page.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




MIME or inline signature ?

2015-02-12 Thread Xavier Maillard

Hello,

in my quest of the perfect setup, I am asking myself what is the
preferred way to sign a message: inline (like this one) or using a MIME header ?

Is there a big thumb rule to respect ?

Regards
--
Sent with my mu4e


Re: moving up from 2.0.26 to 2.1.1

2015-02-12 Thread Philip Jackson
Hi Stephan,

On 12/02/15 22:46, Stephan Beck wrote:
> Hi, Philip,
> 
> On 11.02.2015 at 22:35, Philip Jackson wrote:
>> On 11/02/15 21:16, Daniel Kahn Gillmor wrote:
>>> On Wed 2015-02-11 14:02:49 -0500, Philip Jackson wrote:
>>>> On 11/02/15 14:59, Brian Minton wrote:
> 
> [snip]
> 

> In synaptic: have you set the "always prefer the latest version" option under
> Synaptic > Settings > Preferences > Distribution (tab)? If not, at least in
> theory it might explain why your synaptic does not show you the latest version.
> 
> Sorry, if the wording is not 100% correct. I have the German version installed,
> and I'm retranslating it into English.

Ok - this was already selected by default when I looked (and the English
version is :  Settings > Preferences > Distribution > "Always prefer the highest
version" )

But I just found the latest version of gnupg available in Debian experimental by
highlighting the gnupg2 package in Synaptic Manager and then selecting
'properties > Versions tab'  It is not shown in the main window but only in the
properties dialog box.  But that's now clearer to me.


>>
>> If I do gpg2 --version, it comes back clearly with 2.0.26. and enigmail clearly
>> indicates that it has found the gpg2 that I built.
>>
>> So, moving on, if I do :
>>
>>  apt-get -t experimental install gnupg2
>>
>> will I get 2.1.1 installed together with its dependencies ?
>>
>> And returning to my original questions, since it is written that 2.0* and 2.1
>> cannot co-exist, I suppose that I shall have to remove manually everything
>> connected with my 2.0.26 ?
> 
> If you click on "remove completely" in the main window, right-clicking on the
> gnupg program list item, all modules should be removed. I think this option is
> the equivalent to the --purge command option in apt.
> 
Thanks for that suggestion, Stephan.  I hadn't noticed that there were two
different removal options in Synaptic Package Manager : removal and complete
removal.

In fact when I removed 2.0.22, I did so using ubuntu's 'Software Centre' using
its removal button.  It looks like the Software Centre only does a little bit of
removal.

How strange, it's like the old story of being only a little bit pregnant.

Best, Philip






Re: moving up from 2.0.26 to 2.1.1

2015-02-12 Thread Stephan Beck
Hi, Philip,

On 11.02.2015 at 22:35, Philip Jackson wrote:
> On 11/02/15 21:16, Daniel Kahn Gillmor wrote:
>> On Wed 2015-02-11 14:02:49 -0500, Philip Jackson wrote:
>>> On 11/02/15 14:59, Brian Minton wrote:

[snip]

> When I try your way from the command line, I get :
>
> $ apt-cache policy gnupg2
> gnupg2:
>   Installed: 2.0.22-3ubuntu1.1
>   Candidate: 2.0.22-3ubuntu1.1
>   Version table:
>  2.1.1-1 0
>   1 http://ftp.debian.org/debian/ experimental/main amd64 Packages
>  *** 2.0.22-3ubuntu1.1 0
> 500 http://fr.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
> 500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
> 100 /var/lib/dpkg/status
>  2.0.22-3ubuntu1 0
> 500 http://fr.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
>
> I'm not sure what this is telling me but I think it is indicating :
>
> 1.that 2.1.1 is available in experimental/main Packages.
> 2.that I have 2.0.22 installed
> 3.that latest available for my distro (candidate) is 2.0.22
>
> Although I did, last summer, install 2.0.22 using the distro's software centre,
> I subsequently used the same software centre to remove it before building 2.0.26
> on my own.  So I don't know why the above indicates that 2.0.22 is installed.

In synaptic: have you set the "always prefer the latest version" option under
Synaptic > Settings > Preferences > Distribution (tab)? If not, at least in
theory it might explain why your synaptic does not show you the latest version.

Sorry, if the wording is not 100% correct. I have the German version installed,
and I'm retranslating it into English.


>
> If I do gpg2 --version, it comes back clearly with 2.0.26. and enigmail clearly
> indicates that it has found the gpg2 that I built.
>
> So, moving on, if I do :
>
>  apt-get -t experimental install gnupg2
>
> will I get 2.1.1 installed together with its dependencies ?
>
> And returning to my original questions, since it is written that 2.0* and 2.1
> cannot co-exist, I suppose that I shall have to remove manually everything
> connected with my 2.0.26 ?

If you click on "remove completely" in the main window, right-clicking on the
gnupg program list item, all modules should be removed. I think this option is
the equivalent to the --purge command option in apt.

Best regards

Stephan Beck





Re: MIME or inline signature ?

2015-02-12 Thread Robert J. Hansen
> in my quest of the perfect setup, I am asking myself what is the 
> preferred way to sign a message: inline (like this one) or using a
> MIME header ?
> 
> Is there a big thumb rule to respect ?

https://www.gnupg.org/faq/gnupg-faq.html#use_pgpmime





Re: MIME or inline signature ?

2015-02-12 Thread Daniel Kahn Gillmor
On Thu 2015-02-12 18:14:14 -0500, Robert J. Hansen wrote:
>> in my quest of the perfect setup, I am asking myself what is the 
>> preferred way to sign a message: inline (like this one) or using a
>> MIME header ?
>> 
>> Is there a big thumb rule to respect ?
>
> https://www.gnupg.org/faq/gnupg-faq.html#use_pgpmime

This part appears to be out of date:

   Since PGP/MIME can't reliably be sent to the three largest GnuPG
   mailing lists, it’s hard to claim that PGP/MIME is ready for
   widespread usage. For now, it’s best to use inline traffic unless you
   can be certain that PGP/MIME messages will not be mangled in transit.

I don't know if this is true for PGP-Basics, but it is certainly not
true for enigmail or gnupg-users.  Please update the FAQ!

 --dkg, noting the irony of the parent message being sent with
   S/MIME, an entirely different standard




Re: emulating smartcard with Nexus 5

2015-02-12 Thread NIIBE Yutaka
Hello,

Let me record a bit of history.

On 02/13/2015 01:19 AM, Brian Minton wrote:
> I recently got a new Nexus 5, with NFC.  Supposedly it supports ISO
> 7816-4.  Is there any possibility of, for instance, porting gnuk to
> android?  I'd love to use my smartphone as a smartcard.  Of course, the
> smartphone wouldn't have as many anti-tampering features as a typical
> smart card, so this would be mainly for educational purposes rather
> than true security.

In fact, Ueno (cc-ed) did something like that around 2007-2008.  It
was the precursor of Gnuk.  IIRC, he wrote a paper describing his
work.  If he still has the code, it would help you.

Since I didn't like smartphones (which are smart enough to cheat their
users, by my interpretation), I wrote the code for ATmega 20MHz to
implement OpenPGPcard functionality, inspired by his work.  It took
five seconds to sign RSA-1024.  I demonstrated this work at FSFS 2008
in India, then, I demonstrated "gpg --card-status" worked with ATmega
implementation in Japan Linux Symposium 2009, in Akihabara, Tokyo.

After that, around 2010, experts claimed that we should not use
RSA-1024 any more.  So, I gave up my ATmega work, and sought another
MCU candidate.

That's the start of Gnuk with STM32F103.

P.S.
The ATmega implementation of RSA was done when I was an employee of
National Institute of AIST, Japan, and it was registered as the work
under AIST (perhaps, copyrighted by AIST).  I left the code there when
I left AIST in September, 2010.  If interested, please contact AIST
(not me).
-- 



Re: MIME or inline signature ?

2015-02-12 Thread Jerry
On Thu, 12 Feb 2015 23:46:33 +0100, Xavier Maillard stated:

> Hello,
> 
> in my quest of the perfect setup, I am asking myself what is the
> preferred way to sign a message: inline (like this one) or using a MIME
> header ?
> 
> Is there a big thumb rule to respect ?

Inline  totally destroys a "sig delimiter" and adds a lot of useless garbage
to the message body. I never use it. If someone is using an MUA that cannot
handle PGP/MIME that is their problem, not mine.

-- 
Jerry




Re: MIME or inline signature ?

2015-02-12 Thread Robert J. Hansen
> I don't know if this is true for PGP-Basics, but it is certainly not
> true for enigmail or gnupg-users.  Please update the FAQ!

It's still true for PGP-Basics; Enigmail's been bit by it within the
last year, if memory serves, but it's been generally accepted; GnuPG's
been AFAIK stable for it.  I've got a few hours free tomorrow; I'll see
about fixing this verbiage.

I should also add that PGP/MIME *may* give protection to metadata (see
Patrick's decision to use the creative header protection scheme you
mentioned), with some verbiage about how only Enigmail has promised to
implement it.  But over the last 18 months or so the metadata issue has
become important to a lot of people, so that should also be mentioned.

As is my usual, once I draft something I'll post an easily
human-readable diff to the mailing list and give people a chance to
raise objections and concerns.  I'm more the FAQ custodian than the FAQ
maintainer -- I want everything in it to reflect community consensus,
not just my own opinion.  :)

>  --dkg, noting the irony of the parent message being sent with
>S/MIME, an entirely different standard

And the MIME attachment being mangled by the mailing list, yes, I agree.
 It's almost a bizarre endorsement of the attachment fragility idea...






Re: MIME or inline signature ?

2015-02-12 Thread Matthias Mansfeld


Quoting Xavier Maillard:

> Hello,
>
> in my quest of the perfect setup, I am asking myself what is the
> preferred way to sign a message: inline (like this one) or using a
> MIME header ?
>
> Is there a big thumb rule to respect ?
>
> Regards
> --
> Sent with my mu4e


Maybe I cannot offer a big rule for THE preferred way. Jerry is right,
but maybe we HAVE to deal with recipients who have no influence to
take a mail client which is capable to handle PGP/MIME signatures
properly. Then it is also MY problem.
If your mail client is able to select the way it signs depending on
the recipient's address (for example GPGRelay, in fact a nice local
proxy for mail clients which are completely unable to do anything
with GnuPG) then you can let it sign for all "default" recipients with
PGP/MIME and only for these who cannot handle this, with inline
signature.


Regards
Matthias
--
Matthias Mansfeld Elektronik * Leiterplattenlayout
Neithardtstr. 3, 85540 Haar; Tel.: 089/4620 093-7, Fax: -8
Internet: http://www.mansfeld-elektronik.de
GPG http://www.mansfeld-elektronik.de/gnupgkey/mansfeld.asc




Re: MIME or inline signature ?

2015-02-12 Thread Xavier Maillard

Jerry  writes:

> On Thu, 12 Feb 2015 23:46:33 +0100, Xavier Maillard stated:
>
>> Hello,
>>
>> in my quest of the perfect setup, I am asking myself what is the
>> preferred way to sign a message: inline (like this one) or using a MIME
>> header ?
>>
>> Is there a big thumb rule to respect ?
>
> Inline  totally destroys a "sig delimiter" and adds a lot of useless garbage
> to the message body. I never use it. If someone is using an MUA that cannot
> handle PGP/MIME that is their problem, not mine.

I agree. So I'll go for PGP/mime.

--
Sent with my mu4e



Re: MIME or inline signature ?

2015-02-12 Thread Xavier Maillard

Robert J. Hansen  writes:

>> in my quest of the perfect setup, I am asking myself what is the
>> preferred way to sign a message: inline (like this one) or using a
>> MIME header ?
>>
>> Is there a big thumb rule to respect ?
>
> https://www.gnupg.org/faq/gnupg-faq.html#use_pgpmime

Thank you for this pointer. I effectively remember this point in the
old days. I am glad the situation is getting better.

Regards
--
Sent with my mu4e



Re: MIME or inline signature ?

2015-02-12 Thread des-apare . cido_77

> Maybe I cannot offer a big rule for THE preferred way. Jerry is
> right, but maybe we HAVE to deal with recipients who have no
> influence to take a mail client which is capable to handle PGP/MIME
> signatures properly. Then it is also MY problem.

I agree. With my PGP contacts I learned, that some can't handle
PGP/MIME mails. The experience is, that the Addon Mailvelope (Firefox,
Chrome) can't handle at all mails with attachment in PGP/MIME format.
Also the Client K9 for smartphones.
A compromise would be to set up per-recipient-rules in Enigmail to
send inline mails to these contacts.

Best regards

Anton
-- 
des-apare.cido_77 at autistici dot org
2048R/0x6FE6F0B56FB0CD78, 2014-03-06
PGP: E87B D4A1 45A6 8D97 F672 E50E 6FE6 F0B5 6FB0 CD78



On 13/02/15 03:23, Matthias Mansfeld wrote:
> 
> Quoting Xavier Maillard:
> 
>> Hello,
>> 
>> in my quest of the perfect setup, I am asking myself what is the 
>> preferred way to sign a message: inline (like this one) or using a
>> MIME header ?
>> 
>> Is there a big thumb rule to respect ?
>> 
>> Regards - -- Sent with my mu4e
> 
> Maybe I cannot offer a big rule for THE preferred way. Jerry is
> right, but maybe we HAVE to deal with recipients who have no
> influence to take a mail client which is capable to handle PGP/MIME
> signatures properly. Then it is also MY problem. If your mail
> client is able to select the way it signs depending on the 
> recipient's address (for example GPGRelay, in fact a nice local
> proxy for mail clients which are completely unable to do anything
> with GnuPG) then you can let it sign for all "default" recipients
> with PGP/MIME and only for these who cannot handle this, with
> inline signature.
> 
> Regards Matthias


Re: MIME or inline signature ?

2015-02-12 Thread Christopher W. Richardson
FWIW, Mac Mail marked this message as spam. Not sure if it universally does 
that for all inline sigs, but ... FYI.

Chris




> On 12 Feb 2015, at 23:46, Xavier Maillard  wrote:
> 
> Hello,
> 
> in my quest of the perfect setup, I am asking myself what is the
> preferred way to sign a message: inline (like this one) or using a MIME header ?
> 
> Is there a big thumb rule to respect ?
> 
> Regards
> - --
> Sent with my mu4e