Re: --verify --status-fd separator for multiple signatures?

2015-03-20 Thread Patrick Schleizer
Doug Barton:
> On 3/19/15 10:39 AM, Patrick Schleizer wrote:
>> Hi,
>>
>> when using --verify combined with --status-fd [or --status-file], how
>> can one notice in scripts, that processing the one signature is done and
>> that further status-fd messages belong to the next message?
> 
> You are using --with-colons, right?

No. Using --status-file. --with-colons does not seem to affect that.

Cheers,
Patrick


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


RE: Email-only UIDs and verification (was: Making the case for smart cards for the average user)

2015-03-20 Thread Bob (Robert) Cavanaugh
Hi,
One thought to add to the mix: Phishing attacks by having unknowledgeable users 
"click on this link" are pretty successful. Doesn't this proposal open a new 
threat vector?

Thanks,
 
Bob Cavanaugh


> -Original Message-
> From: Gnupg-users [mailto:gnupg-users-
> bounces+robertc=broadcom@gnupg.org] On Behalf Of MFPA
> Sent: Thursday, March 19, 2015 5:58 PM
> To: Jose Castillo on GnuPG-Users
> Subject: Re: Email-only UIDs and verification (was: Making the case for smart
> cards for the average user)
> 
> * PGP Signed by an unknown key
> 
> 
> 
> On Wednesday 18 March 2015 at 6:18:57 PM, in  9bc3-b6ae5d093...@gmail.com>, Jose Castillo
> wrote:
> 
> 
> > On Mar 16, 2015, at 8:55 PM, MFPA
> > <2014-667rhzu3dc-lists-gro...@riseup.net> wrote:
> 
> MFPA>> No angle brackets around the email address means no key found.
> 
> JC> Good point, I’ll make that change.
> 
> Appreciated.
> 
> As you probably read in Daniel Kahn Gilmore's message, he has lodged a bug
> report/feature request for GnuPG.
> 
> 
> JC> As a sidenote, I
> > notice that when I’m generating a key interactively, I get an error
> > message of 'Name must be at least 5 characters long’ when I try to
> > make an email-only UID.
> > It works in batch mode, and obviously with the allow-freeform-uid
> > option, but just thought it was interesting to point out. Someone
> > attempting to make such a UID in the interactive mode might be
> > forgiven for putting their email address in the ‘name’ field as a
> > workaround.
> 
> They would be scolded at the next prompt, then probably either give up, or
> go back and enter a name, or enter their email address a second time.
> 
> I would imagine the "average user" you are aiming at would use your GUI to
> create keys. A more advanced user might read your documentation, so you
> could tell them which options to use if they wanted to create a key matching
> your bespoke user-id standard through the normal GnuPG text interface.
> 
> 
> 
> 
> MFPA>> Thinking about it, you don't need the user to click a
> >> link or to reply to an email at all.
> 
> > This is a very good point, and I can see making this change.
> 
> I would think it would make it easier to code: you don't have to bother
> tracking the verification link/email.
> 
> 
> 
> > This was in reference to the PGP global directory’s verification
> > check. Having never used it I’m curious why the validity period is
> > only two weeks.
> 
> Lots of activation or verification links sent out by email have a short 
> validity
> period. People are used to that.
> 
> PGP Global Directory's FAQ
>  says:-
> 
> What if I don't respond to the renewal message?
> 
> The PGP Global Directory will give you two weeks to respond. If
> you don't respond, your key will be removed from the directory, as
> it is assumed you no longer have the key or are no longer using
> the email address in the user ID of the key.
> 
> 
> 
> 
> > Does the
> > user have to re-verify their email address every two weeks? That seems
> > excessive.
> 
> It would be.(-;
> 
> The user has two weeks to react to the verification email. Once the user has
> verified the email address, the verification is good for six months. Then they
> get a renewal verification email, and so on.
> 
> I have no idea why the PGP GD verification signatures last only two weeks
> instead of six months. Their FAQ is silent on the matter.
> 
> 
> 
> MFPA>> Finally, if the person at the other end is able to
> >> decrypt my message and reply to me, then the key and the email
> >> address are controlled by the same person.
> >> What assurance does the verification service add?
> 
> > In the case of establishing communication with someone you haven’t yet
> > met, it gives you an assurance that a third party has verified that
> > they were in control of the address on a given date within the last
> > year.
> 
> The person at the other end decrypting my message and replying to me
> shows that the key and the corresponding email address are both controlled
> by the same person today (Person A), verified by me.
> 
> Additional information: the verification service verified that the key and the
> email address were both controlled by the same person (Person B) on a given
> verification date within the last year.
> 
> I am opening communication with the Person A at that address today. I
> neither know nor care if Person B, who was there within the last year, is the
> same person as person A. So I cannot think of a use for the additional
> information. (I'm not saying there is no use, merely that I can't see one.)
> 
> 
> 
> > If I
> > query your email address and find four keys, I don’t know what to do;
> 
> Good question.
> 
> 1. You could ask me, in an email encrypted to all four keys.
> 
> 2. You could ask me, in up to four individually-encrypted emails. May not
> need all four if I answer before you sent them all.
> 
> 3. Out-of-bound communication, such

Re: --verify --status-fd separator for multiple signatures?

2015-03-20 Thread Patrick Schleizer
Werner Koch:
> On Thu, 19 Mar 2015 18:39, patrick-mailingli...@whonix.org said:
> 
>> when using --verify combined with --status-fd [or --status-file], how
>> can one notice in scripts, that processing the one signature is done and
>> that further status-fd messages belong to the next message?
> 
> That is unfortunately a bit complicated due to different behaviour in
> gpgsm and gpg.  I suggest to do what we do in gpgme/src/verify.c .  Of
> course it would be useful to make sure that NEWSIG is also emitted by
> gpg but you also need to take care of older gpg versions.
> 
> I assume adding NEWSIG to gpg has simply been forgotten.

Well, I don't speak C, so I can't make head or tail of "what we do in
gpgme/src/verify.c".

Maybe let's put it this way. If there is no guarantee to get a NEWSIG or
other separator... Is there a limited combination of start and end keywords?

What I mean... Here is an example...

start: [GNUPG:] ERRSIG [...]
end__: [GNUPG:] NODATA [...]

start: [GNUPG:] SIG_ID [...]
end__: [GNUPG:] TRUST_[...]

start: [GNUPG:] ERRSIG [...]
end__: [GNUPG:] NO_PUBKEY [...]

Is there a complete list of all possible start/end keyword combinations?

Cheers,
Patrick


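As an added illustration of the problem Patrick describes (this is example code written for this page, not code from the thread, from gpgme or from the GnuPG project): a small parser that groups `--status-fd` lines into one record per signature. It uses `NEWSIG` as the separator whenever the stream contains one, and otherwise falls back to the start keywords named in the thread (`SIG_ID`, `ERRSIG`) to open a record and the end keywords (`NODATA`, `NO_PUBKEY`, `TRUST_*`) to mark it complete. `BADSIG` as an additional start keyword and the sample status lines below are my own assumptions and constructed data, not output from a real gpg run.

```python
# Added example, not from the thread: group "gpg --verify --status-fd" output
# into per-signature records. NEWSIG is the separator when gpg emits it;
# otherwise the start/end keywords from the thread are used as a fallback.

STATUS_PREFIX = "[GNUPG:] "

# Keywords that open a per-signature record when no NEWSIG is present.
# SIG_ID and ERRSIG are the ones named in the thread; BADSIG is an assumption
# added here because a bad signature produces no SIG_ID line.
START_KEYWORDS = {"SIG_ID", "ERRSIG", "BADSIG"}
# Keywords that close a record; any TRUST_* keyword is matched by prefix.
END_KEYWORDS = {"NODATA", "NO_PUBKEY"}
END_PREFIXES = ("TRUST_",)


def parse_status_line(line):
    """Return (keyword, args) for a status-fd line, or None for other output."""
    line = line.rstrip("\n")
    if not line.startswith(STATUS_PREFIX):
        return None  # e.g. human-readable "gpg: ..." text mixed into the stream
    keyword, _, args = line[len(STATUS_PREFIX):].partition(" ")
    return keyword, args


def is_end_keyword(keyword):
    return keyword in END_KEYWORDS or keyword.startswith(END_PREFIXES)


def split_signature_records(lines):
    """Group status lines into one record per signature.

    Returns (preamble, records). Each record is a dict with 'keywords' (a list
    of (keyword, args) tuples in stream order) and 'closed' (True once one of
    the end keywords was seen). Status lines seen before the first signature
    go into 'preamble'.
    """
    parsed = [p for p in map(parse_status_line, lines) if p is not None]
    have_newsig = any(kw == "NEWSIG" for kw, _ in parsed)
    preamble, records, current = [], [], None
    for keyword, args in parsed:
        if have_newsig:
            starts_record = keyword == "NEWSIG"
        else:
            starts_record = keyword in START_KEYWORDS
        if starts_record:
            current = {"keywords": [], "closed": False}
            records.append(current)
            if keyword == "NEWSIG":
                continue  # NEWSIG carries no data of its own
        if current is None:
            preamble.append((keyword, args))
            continue
        current["keywords"].append((keyword, args))
        if is_end_keyword(keyword):
            current["closed"] = True
    return preamble, records


# Constructed sample, modelled on the start/end pairs from the thread.
# Key ids, timestamps and the user id are made up; this is not real gpg output.
SAMPLE_WITHOUT_NEWSIG = """\
[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1426809600 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
[GNUPG:] SIG_ID abc123def456 2015-03-20 1426809600
[GNUPG:] GOODSIG FEDCBA9876543210 Example User <user@example.org>
[GNUPG:] TRUST_ULTIMATE
""".splitlines()

# The same two signatures as an older/newer gpg might emit them with NEWSIG.
SAMPLE_WITH_NEWSIG = (
    ["[GNUPG:] NEWSIG"] + SAMPLE_WITHOUT_NEWSIG[:2]
    + ["[GNUPG:] NEWSIG"] + SAMPLE_WITHOUT_NEWSIG[2:]
)


def record_keywords(records):
    """Helper: just the keyword sequence of each record, for comparison."""
    return [[kw for kw, _ in rec["keywords"]] for rec in records]


if __name__ == "__main__":
    for sample in (SAMPLE_WITHOUT_NEWSIG, SAMPLE_WITH_NEWSIG):
        _, recs = split_signature_records(sample)
        for i, rec in enumerate(recs, 1):
            print(i, "closed" if rec["closed"] else "open", rec["keywords"])
```

Both sample streams yield the same two records (an `ERRSIG`/`NO_PUBKEY` pair and a `SIG_ID`/`GOODSIG`/`TRUST_ULTIMATE` run), which is the property a script wants: the grouping should not depend on whether the gpg version at hand emits `NEWSIG`. A record whose `closed` flag is still `False` at end of stream is worth treating as an error rather than silently accepting it.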


Unsupported certificate error

2015-03-20 Thread David
I just installed GnuPG 2.0.27 on my Ubuntu 14.10 laptop.  I am getting
this error from gpa:

The GPGME library returned an unexpected
error at keytable.c:150. The error was:

Unsupported certificate

This is either an installation problem or a bug in GPA.
GPA will now try to recover from this error.

I have researched it a bit and it seems to either be due to a MD5
certificate or a conflict between gnome-agent and the gpa-agent.

Has anyone seen this and solved it?



Re: Defaults

2015-03-20 Thread Tobias Mueller
On Wed, Mar 18, 2015 at 09:09:30AM +0100, Werner Koch wrote:
> Create a new key:
> 
>   $ gpg --no-options --quick-gen-key 'test key '
>   About to create a key for:
>   "test key "
>   
>   Continue? (Y/n) y
>   public and secret key created and signed.
>   
>   pub   rsa2048/50C4476F 2015-03-18
> Key fingerprint = 11E9 91C2 36E0 21A6 1E35  A682 68CC E4C2 50C4 476F
>   uid   [ultimate] test key 
>   sub   rsa2048/807D0FF4 2015-03-18
Is there anything in this listing that would allow me to quickly copy and paste
(e.g. double click and middle click) in order to further work with the key,
e.g. edit or encrypt to?
The short key id would probably do, but the "rsa2048/" prefix prevents me from 
simply double clicking it.
The fingerprint would probably be better to identify the key, but, similarly,
the spaces prevent me from selecting it easily.

>   
> What are the preferences:  
>   
>   $ gpg --no-options --edit-key 50C4476F
>   gpg (GnuPG) 2.1.3-beta26; Copyright (C) 2015 Free Software Foundation, Inc.
>   Secret key is available.
>   
>   pub  rsa2048/50C4476F

I thought short keyids are dangerous and should not be used,
cf. .  If that's the case then it might be a good
idea to fade them out as much as possible.

Cheers,
  Tobi
