Re: German ct magazine postulates death of pgp encryption

[MFPA]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512



On Sunday 1 March 2015 at 6:58:19 PM, in
, Jonathan
Schleifer wrote:


> That "wasted energy" is a lot less than the energy we
> currently waste on spam,

I suspect my computer wastes very little energy in downloading and
storing a few dozen spam messages per month.



> especially if you take into
> consideration the amount of human time wasted.

Most are so obvious that we are talking fractions of a second per
email. Or maybe people who automatically filter their spam spend a
bit less time looking through it for false-positives.



>  The
> majority of the e-mail traffic is used up by spam.

I'm never convinced it is as big an iassue as some make out.


- --
Best regards

MFPAmailto:2014-667rhzu3dc-lists-gro...@riseup.net

The truth is rarely pure and never simple
-BEGIN PGP SIGNATURE-

iQF8BAEBCgBmBQJU9B1IXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwUwUH/0HFsSprR+wbpx78c5LPCLxu
GUlwOJXvoThi8k4N6GR1G0OqHct3c+cOqHpAYbjgYlvUluPJOS5riu1zZ3cXAcaG
xKAgg7a2zCMNU5SIEnKAH3sgnUOucULeBZ55obXbJL3ZfSElP2yWflMaBJJ4PVA6
0WLKcx+3k/NUQsJ758q/tLPYrZeIkJMXOsU9TJK+MQ0jLkVLDhIKAvlsdzFALi7A
8m5pYD5zNzk/g32Y4gUKYrEC/MwR5105JzVChgLF2g/ILOBMJPCql6cjER6j6vcb
3JuyfEfsCMRsKldfEAJsuipNLK6ccC//t/wfsbHEOsppOL25Tw835WxRk2WOBECI
vgQBFgoAZgUCVPQdY18UgAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx
MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45MhnAQDT6unA/Th7fYK0vb8e7zTUci7a
WxTdv8jdDgbdP3EhUgEAwjd6EDzZH8sESeHZmQj5KUGGGNBRRmDkFXkAAzZ/6wA=
=3dC9
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: German ct magazine postulates death of pgp encryption

[MFPA]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512



On Sunday 1 March 2015 at 10:43:25 PM, in
, Jonathan
Schleifer wrote:


> The goal is that the
> proof of work for a single message takes 4 minutes.

Currently at work, when I ask somebody a question by email it is not
unusual to see the CC of the question to somebody else and then
receive the answer, all within a few minutes. Holding on to each
message for four minutes before sending would be massively
inefficient.

And four minutes per message would cripple corporate
email servers that serve thousands of staff.


- --
Best regards

MFPAmailto:2014-667rhzu3dc-lists-gro...@riseup.net

Put knot yore trust inn spel chequers
-BEGIN PGP SIGNATURE-

iQF8BAEBCgBmBQJU9B7fXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwc2cH/1DlvZbcpocAXcv8/SHO9OyN
fN7EUtqj9L4T+TIpBbZbyCRRHqTl476o4UujDsBzdCx1iekRUROx5UpAlJ2b6nRM
FEQHiCxlQDkbqHs7A4wTGAsWoAuuyNJqp3JhQl972SwBQdLjpTrrxeaatUGyYQAp
UpuxrRdozc+3P06GG+4b2QsCX+EKZX3qGaCOp0lICf0XrOyrGMI5MROC67kTjSFW
FQIRYBTyb0Ni7zDS04VvCqkryRPhfHCW7aszvlRUI6w4Uc5/gG63UGHN+nH6ZHTZ
fLWWBnxx6uJkknSDX3lxcpaPXmn2uI71foefZhBevmZM7C68N+EuaGz5SlmwvQ2I
vgQBFgoAZgUCVPQe318UgAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx
MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45Hk/AQBX7xpvtBSHGQpZkFpY6KkJqCxU
N12zpuvsjIfMHAd8bAEAW3xc6UkM7e3pd+GakLLxZk5F4PGVq0Vbvet4YBXHmQ4=
=P15E
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: German ct magazine postulates death of pgp encryption

[Kristian Fiskerstrand]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 03/02/2015 04:50 AM, Chuck Peters wrote:
> Kristian Fiskerstrand said:
 
 You wouldn't need the keyservers to be involved in this at
 all. Anyone could set up such a mail verification CA outside
 of the keyserver network.
> 
> How about storing keys in a more distributed manner, DNS, in
> addition to some other method of authentication, DNSSEC and DANE?

See http://lists.gnupg.org/pipermail/gnupg-devel/2015-February/029544.html

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Ab esse ad posse
- From being to knowing
-BEGIN PGP SIGNATURE-

iQEcBAEBCgAGBQJU9CSbAAoJEP7VAChXwav6liwH+gILZFinaFUAPIL5vzX9eXM3
+kaRQOBl/XrTqW8Izk+qmjJncRTgUnJrmpKQC1ubDNJzi19ku4AA09mpD1PPc4HQ
ytu9bqUGLnBj71Uffrn5lFQ/hSQGyGvtnmsBRw2f8P1d4qcxJdauHPBdI77eZvsJ
d4rmzr6UKN9FQcCZQpkEiK/mzioh8/j7Dknzy9wC1Hb4ZmTpj/8LwMxMMh08djSF
3n6ZXmauKiBA6OnQgQ51guZF/abk1nDz6Y5J9fNIjbkJDgrYVFKUWKPxUOkgeOJM
qPB1tOT6xcTrx/Wa+2NXZ4ZPzX7z5uMS/0IJPRvquEDT3FmbNfC+wdcL0FNlWVc=
=/iS8
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

RE: German ct magazine postulates death of pgp encryption

[gnupgpacker]

Hello,

> On Behalf Of Patrick Brunschwig
> Sent: Sunday, March 01, 2015 3:42 PM
> The idea I have in mind is roughly as follows: if you upload a key to
> a keyserver, the keyserver would send an encrypted email to every UID
> in the key. Each encrypted mail contains a unique link to confirm the
> email address. Once all email addresses are confirmed, the key is
> validated and the keyserver will allow access to it just like with any
> regular keyserver.
> This way, we have a simple verification of the access to the private
> the key, as well as access to the email addresses contained in the UID
> by quite a simple means. I would say this is about as reliable as
> sending an email to someone requesting their key.

+1 

This procedure should be implemented in keyservers. 

No CA needed, no centralisation necessary => just verifying of existing AND
proper working email addresses.

Additional:
There are lot of old keys on keyservers not being verified in described
manner.
Those keys (or the newer, verified ones) could be marked with a short hint
on keyservers to differ between verified and not verified email addresses.

Facility of deleting own (!) keys on keyserver wanted for old (revoked,
expired, test, failed...) keys. 

Regards, Chris




___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: German ct magazine postulates death of pgp encryption

[Stephan Beck]

Am 28.02.2015 um 13:31 schrieb Peter Lebbing:

> PS: By the way, my ISP and some of it's employees are in a perfect position to
> do a man in the middle. 

No doubt about it. And we actually don't know how they "use" their position.
Well, looking at some sort of collaboration published a few weeks ago, we might
have some hints...


>I sure hope they can't "just hack my system" because of
> that position. 

Sticking to that "perfect position argument", in what kind of position are
(would be) the people that control (packaging of) your distro? (Just curious.)

>The one capability certainly does not imply the other.



Cheers,

Stephan





signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: A forgotten patch?

[Bernhard Reiter]

On Sunday 01 March 2015 at 20:11:10, Werner Koch wrote:
> > was a bug report for the patch? I would gladly write one if that would
>
> Well written bug reports are always appreciated.

I believe the main thing that Werner is mentioning here is that
analysis of an unwanted situation and a fix are two different things.
Having a reproducable problem report is very valuable and may be 
easier to agree on as first step. 

Then there are always several ways to improve the situation.
And naturally this may lead to a discussion about what is the best way
to take.

So if anyone find a problem with GnuPG - may it be a defect or a behaviour 
that should be different - best is to get a reproducable behaviour reported 
and get people to agree that it is a problem.

Best Regards,
Bernhard





-- 
www.intevation.de/~bernhard (CEO)www.fsfe.org (Founding GA Member)
Intevation GmbH, Osnabrück, Germany; Amtsgericht Osnabrück, HRB 18998
Owned and run by Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner


signature.asc
Description: This is a digitally signed message part.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

wiki.gnupg.org (Re: LDAP-based Keyserver)

[Bernhard Reiter]

Hi Neal,

On Saturday 28 February 2015 at 12:27:05, Neal H. Walfield wrote:
>   http://wiki.gnupg.org/LDAPKeyserver

and while you were at it, you have also went through a number of wiki pages 
correcting and improving the format and language! 

Thanks and welcome to the club of wiki.gnupg.org helpers!
(We are always looking for more members! :) )

Bernhard
-- 
www.intevation.de/~bernhard (CEO)www.fsfe.org (Founding GA Member)
Intevation GmbH, Osnabrück, Germany; Amtsgericht Osnabrück, HRB 18998
Owned and run by Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner


signature.asc
Description: This is a digitally signed message part.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: German ct magazine postulates death of pgp encryption

[Werner Koch]

On Sun,  1 Mar 2015 23:43, js-gnupg-us...@webkeks.org said:

> I don't really agree with that. The goal is that the proof of work for a
> single message takes 4 minutes. At that rate, sending spam really is not

So you can send 360 mail a day.  Assuming your 24/7 business make 700
Euro a day each mail costs you 2 Euro - snail mail would be much cheaper
(or de-mail ;-).

We had the discussion on proof-of-work as anti-spam measure more than a
decade ago and the outcome was that it won't work.  I can't see that any
parameters changed since then.



Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: wiki.gnupg.org (Re: LDAP-based Keyserver)

[Neal H. Walfield]

At Mon, 2 Mar 2015 12:35:30 +0100,
Bernhard Reiter wrote:
> On Saturday 28 February 2015 at 12:27:05, Neal H. Walfield wrote:
> >   http://wiki.gnupg.org/LDAPKeyserver
> 
> and while you were at it, you have also went through a number of wiki pages 
> correcting and improving the format and language! 

I was found out :)

> Thanks and welcome to the club of wiki.gnupg.org helpers!
> (We are always looking for more members! :) )

wiki.gnupg.org has the potential to be a great resource.  But, it
needs a lot more content.  I think this would be a good place for
recipes, such as , how to generate keys offline [1] or key signing
related practices.

Neal

  [1] 
http://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Whishlist for next-gen card

[NdK]

Il 01/03/2015 21:54, Peter Lebbing ha scritto:

> No, I'm talking about that as well. And I don't think the fingerprint of
> the host is part of the signed data or the signature. Why do you think the
> fingerprint of the host is part of that?
Because I didn't remember well the SSH protocol...

> By /host/ authentication I mean that you verify that the host your are
> connecting to is in fact the host you wanted to connect to; and /that/ is
> through the public key of the host, of which you can verify the fingerprint.
> Let's call this keypair A.
That gets verified during initial key setup.

> After you've verified the fingerprint, a copy of the hosts' public key, A, is
> stored in ~/.ssh/known_hosts on your client machine.
Ok, just something to help the user avoid a verification step every time.

> But when the host is authenticating that you are in fact the user you are
> claiming to be, you sign a challenge that only you could sign because you have
> the private key, let's call it B. That is /user/ authentication.
Ok.

> The host checks that your public key B is in ~/.ssh/authorized_keys on the
> server machine; if so, you're authenticated.
Ok.
But the signature contains the session identifier (called H in RFC4257
sec 8), that is derived from the initial key exchange (that should then
be partially handled by the card as well). Luckily there's no need to
recalculate it when keys are refreshed (RFC4257, sec 7.2), so it's
one-time penalty.

So the "card" should receive (and handle) the key exchange, prompting
the user to accept the public key the server sent and then allow the
auth key to just sign data where the session id is the one it
calculated. Might be non-banal to handle concurrent ssh sessions with
overlapping key exchanges (card generates a "blob" --might be
symmetrically encrypted with a key only known to the card-- that's
"cached" by ssh and passed back to the card when a new auth signature is
requested for an existing session id?).

BYtE,
 Diego.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Decrypting PGP/MIME on the command line

[René Puls]

On Mon, 02 Mar 2015 00:34:55 +0100 Daniel Kahn Gillmor wrote:
> On Sun 2015-03-01 20:01:05 +0100, Werner Koch wrote:
> > On Sun,  1 Mar 2015 15:32, rp...@kcore.de said:
> >
> >> is there a command line utility that takes a PGP/MIME encrypted
> >> message (a plain RFC 2822 text file) and outputs an unencrypted
> >> copy? The
> >
> > Not really.  MIME is a structured format and as such it may result
> > in a bunch of encrypted, non-nencrypted, signed, unsigned,
> > message/alternative sub-documents.  Thus it is not easy to write a
> > general purpose command line tool.
> 
> python's email module is quite good for programmatically handling mime
> parts if you want to manipulate an e-mail (though it may not be so
> good for reconstructing it in some sort of bytewise exact fashion).

Python seems to be the best solution for me, at least I have some
experience with the language.

Thank you, also to Werner and Doug, for the suggestions.

> A tool that transforms an OpenPGP encrypted+signed MIME message into
> an OpenPGP-signed MIME message while retaining the original signature
> would be a really nice tool to have.

I will post here if I manage to come up with something useful. :-)

René

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: German ct magazine postulates death of pgp encryption

[Peter Lebbing]

On 02/03/15 11:35, Stephan Beck wrote:
> Sticking to that "perfect position argument", in what kind of position are 
> (would be) the people that control (packaging of) your distro? (Just
> curious.)

I think they basically completely control my system. For individual Debian
Developers, it might need some ingenuity to get something sneaky on my
computer, since they generally only provide source, and the binaries are built
on the Debian infrastructure. Mind you, I say they need some ingenuity, that
is a far shot from "it's difficult". But the keys that the package manager
checks? If you have those, and can get my package manager to download your
stuff, it's trivial to change any file, any binary, any program on my computer.

It has occured to me that I probably could simply local-sign and fully trust
all OpenPGP keys of Debian Developers, since if the holder of said key wanted,
they could simply hardwire my GnuPG installation to effectively do the same
without my consent. But still, I haven't done it :).

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

GPG4Win 2.2.3 Smart card support

[Saxena, Deepak]

Hello,

I am Deepak Saxena from Gemalto (formerly SafeNet Inc) and I am curious if 
smart cards are supported for storing the keys which will be used to encrypt 
files or email using gpg4win.
I have installed gpg4win 2.2.3 and want to test SafeNet smart cards.
I am getting following error:

[cid:image001.jpg@01D0552D.660C8450]

Can  you please update me if third party tokens/smartcard cards are supported 
in your product.
Is MSCAPI/PKCS11 supported?

--Deepak saxena
+919911641953

The information contained in this electronic mail transmission 
may be privileged and confidential, and therefore, protected 
from disclosure. If you have received this communication in 
error, please notify us immediately by replying to this 
message and deleting it from your computer without copying 
or disclosing it.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: German ct magazine postulates death of pgp encryption

[MFPA]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512



On Monday 2 March 2015 at 9:40:12 AM, in
, Jonathan
Schleifer wrote:


> It's not only your computer.

Likewise, it is not just my computer that would be wasting orders of
magnitude more energy on "proof of work" for all outgoing messages
than it currently wastes on downloading a little spam.



> Just think about the
> processing power required by spam filters.

I do not use spam filters because I have always regarded a single
missed important message due to a "false positive" from a spam filter
to be a more serious problem than any number of spam messages
received. And if an email provider I use has spam filters that I
cannot effectively opt out of, I still don't pay the electric bill for
their processing power.



> Think about
> the load servers have. Think about wasted harddrive
> space (mail providers do need to store that spam).

I would wager that needless use of HTML in emails probably contributes
far more to un-necessary server load and storage requirements than is
contributed by than spam.



> What does obvious have to do with wasting resources?

If the spam messages were not obvious, far more man-hours would be
wasted in spotting and deleting them. And people's time is the most
precious resource of all.


> Ok, you clearly haven't looked at it *at all*. There is
> no corporate server involved. It's peer-to-peer. And
> the proof of work is done on your local machine.

I don't see corporate iT and data security policies giving up
corporate email servers to allow peer-to-peer communication between
staff's workstations and the outside world anytime soon. I would
expect them to still want to know what staff were sending out, and
maybe encrypt it at the network boundary.


- --
Best regards

MFPAmailto:2014-667rhzu3dc-lists-gro...@riseup.net

Alcohol and Calculus don't mix. Never drink and derive.
-BEGIN PGP SIGNATURE-

iQF8BAEBCgBmBQJU9M9zXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwGsYIAJo0AO2vHomsEhwAC8m4zGHc
563MGDo4Q6USWNJGUZx+aDPZ5VYHsARB0gRS/wx4Az+nUnHS6VrEo9CH3PNFKIrp
1Wl8dkaNGUyc8FPJKhwNMMi/SJDQhAPshUeWZmkDp8BaWsTrPhlE91NVMUWeNdOO
bu2qRwXxOsEjK+Ac/Spds2oyHwRjZTg9DT3mm892IBxBwZysLzkGXXtb8VhXmYJv
Y11oenxYBlbzd95a2LYgdEQFhaHPFRjien179g3XroKqdZ3bOs7j6TF/OxP//cxU
OwBC0c6yFkJoj9tEh649LjsVTJyaY6uSN9gWX/Hb3og45RzB9F1FFo/m4yLRMk6I
vgQBFgoAZgUCVPTPeF8UgAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx
MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45MN0AQDyacdIGkv0JiOzeUWrOlx3wLyb
fuM8bA6vAnrVHFO8QgEAyncDMAY6b341xc8weBPKMJwYiIM9+kX6KJIPGvzf5gE=
=ehQz
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: German ct magazine postulates death of pgp encryption

[vedaal]

This month's Wired has an article about encryption for voice and text using 
pgp, and intercompatibility between i-phone and android while using it.

http://www.wired.com/2015/03/iphone-app-encrypted-voice-texts/

I wouldn't trust it with my real key, but would make a new 'smartphone' key 
signed with my real key, and comment it as for phone use only.

If this catches on, as Wired thinks, then it might be a new way of introducing 
pgp encryption to the general public, and from there it's not such a difficult 
step to getting phone users to try encrypting e-mails and files,

... and breathe new life into pgp encryption ...



vedaal


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: strength of voice authentication [was: Re: German ct magazine postulates death of pgp encryption]

[Johan Wevers]

On 01-03-2015 22:01, flapflap wrote:

> Just think about the "grandchild trick" ([0], unfortunately not in
> English) which is a method where the criminals phone (often elder)
> people and tell them that they are a grandchild, nephew, or other remote
> relative and need some money for some reason

Ah yes, but then, with such methods a number of failures are to be
expected and the scammers don't care as long as a certain percentage is
fooled. When using this trick to fool someone into telling confidentuial
things it is very uncertain. For once, I've never heard of the police
trying something like this to obtain confessions or information: the
chance of failure in an indivicual case are too big.

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: strength of voice authentication [was: Re: German ct magazine postulates death of pgp encryption]

[Jonathan Schleifer]

On Mon, 02 Mar 2015 22:24:45 +0100, Johan Wevers  
wrote:

> For once, I've never heard of the police
> trying something like this to obtain confessions or information: the
> chance of failure in an indivicual case are too big.

I'm guessing the reason is more that this would be a legal mine field and most 
likely completely useless in court.

-- 
Jonathan


pgpaN4ya35EI6.pgp
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: German ct magazine postulates death of pgp encryption

[Kristian Fiskerstrand]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 03/02/2015 12:12 PM, Kristian Fiskerstrand wrote:
> On 03/02/2015 10:16 AM, gnupgpacker wrote:
>> Hello,

Seems I inadvertently sent this message only directly without CCing
the list

> 
> 
> ..
> 
> 
>> This procedure should be implemented in keyservers.
> 
>> No CA needed, no centralisation necessary => just verifying of 
>> existing AND proper working email addresses.
> 
> This _is_ a CA, granted with weak verification (could arguably say 
> similar to domain validated X.509 certs), but conceptually a CA
> none the less. Such weak verification does not rely on being
> implemented in keyservers, and would be better off outside it.
> 
> 
>> Additional: There are lot of old keys on keyservers not being 
>> verified in described manner.
> 
> Because they are not designed for it, nor need it.
> 
>> Those keys (or the newer, verified ones) could be marked with a 
>> short hint on keyservers to differ between verified and not 
>> verified email addresses.
> 
>> Facility of deleting own (!) keys on keyserver wanted for old 
>> (revoked, expired, test, failed...) keys.
> 
> This could open up to several attacks, in particular where keys
> have been revoked. The keyservers are add only for a reason, and
> should remain so.
> 
> 
> 

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
"Expect the best. Prepare for the worst. Capitalize on what comes."
(Zig Ziglar)
-BEGIN PGP SIGNATURE-

iQEcBAEBCgAGBQJU9NfPAAoJEP7VAChXwav6eSoH/1Gmz850g/CtJjo5La10GeO5
mIojoblh3P6k8yJ2FyHJqBQM12BqYXzjIa+cJizBBQG8ZSw4feX7kP2Ucznx37H/
8UUzUmWEFDDF0A4asNX1oVo4xaDmJbbqyBIRzOIkDXsyoyC1vrKdfnA7wODO9U+F
x4DBgOq/IaPVsZggeeEuKc5SoYKXhZ9+eHcPsSCWh0JrHR11YHR9nIV5LuxXoY0d
z0X+afV2cExRRD8iGWb7QIA/sR33V2IaGCUfIwhi4+O+xmzETZTohiO03Jx5hE7H
N/JYSPeNOSaVPPZ+2TNsbYkVs3RMOMdb3TvTZAQCOoNXo28T8nkAg8n0UZA3X9g=
=EpMZ
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: trust paths

[Johan Wevers]

On 01-03-2015 13:27, Jonathan Schleifer wrote:

> You are assuming it will be spoofed for everyone. It could just
> be spoofed for you. Anybody who can MITM you and give you a fake
> SSL cert that you accept

Well, perhaps they could if the ONLY way I communicated wit someone
would be electronically. I usually discuss sensitive matters with people
I know personally, so I could compare key ID's when I meet the other in
person. No way to spoof that.

That might not work when whistleblowing to a reporter I don't know
personally bu then, I would either first talk to him personally or
remain completely anonymous.

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: German ct magazine postulates death of pgp encryption

[Johan Wevers]

On 02-03-2015 22:23, ved...@nym.hush.com wrote:

> http://www.wired.com/2015/03/iphone-app-encrypted-voice-texts/
> 
> I wouldn't trust it with my real key, but would make a new
> 'smartphone' key signed with my real key, and comment it as
> for phone use only.

You can't, it uses an own key scheme not compatible with openpgp. The
protocol is described on
https://github.com/WhisperSystems/TextSecure/wiki/ProtocolV2, they use
ECC with Curve25519 and AES256. Signatures on a key are not possible.
Only manual verification of the key fingerprint, or, when ypou meet in
person, scanning this number represented in a QR code on screen with the
camera, is possibble.

> If this catches on, as Wired thinks

I use Textsecure quite some time as sms replacement but failed to
convinvce anyone else to use it too (wether as sms replacement or stand
alone chatapp).

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users