Re: One alternative to SMTP for email: Confidant Mail

[MFPA]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512



On Saturday 28 March 2015 at 6:05:05 PM, in
, Peter Lebbing wrote:


> No, but nobody said the adjective was used
> tautological.

Maybe it doesn't imply or hint that to everybody, but it is definitely
what I infer when I read "from strictly business to the dodgy darknet
variety".


> It's like someone says "they're doing shady business in
> a dark alley" and you protest "Hey, I know plenty
> proper businesses that are just upstanding people
> making sales! In fact, I also know plenty alleys that
> let in a lot of sunlight..."

I think that's rather over-egging it. Wouldn't the equivalent protest
be about the possible insinuation (and cliche) that all business that
takes place in a dark alley is shady?

(-;


- --
Best regards

MFPA  

Don't learn safety rules by accident...
-BEGIN PGP SIGNATURE-

iQF8BAEBCgBmBQJVF+fhXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwGYIH+wduMMfpLdqVyfr83Vm8MJ1V
kbvKCaxWaIDu8iMFieIJo64gOitZBD4o/KWCISCwO7ADpzGmlrqwBcSjlYJSIw2f
I07IC8rM09Wab6jOqbDJCFgJASCVjl2NpAKhzaHO2GKeZjS9hbVA/ZsHACD4PNC4
AMKk/6eqbS4SLe7ULAU/b9jfkSRD3dNghzcSQkUu9bs2rzetTGcTz2aozmT0fOcy
LfR/nL+4i8JtbmaUbZ7W6jku8YXrknN9zAYih++NcWhT3+jaGjAV9BP/W7UUIjRh
PCXQo2LS5BqQjHjDYnUgcKUZjfHMPPOs+zY3HHotte1hUYTgFme2FHFTHQWi4iWI
vgQBFgoAZgUCVRfn7F8UgAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx
MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45L80AQAHEDUcF6JJ7keNR3xhXo3jvavb
m/V3oDUsTHHotmPbjgEAq/6BWQ2cw1NtdA2OPdpISJo0A0sQD2GvKjng7ZGCbAE=
=RUbH
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg 2.0.27 is updating the trustdb constantly, and taking minutes to do it

[Werner Koch]

On Sat, 28 Mar 2015 19:58, dougb@dougbarton.email said:

> Just out of curiosity, do you have an ETA on a new release?

Nothing really important has changed since mid February except for a fix
in gpgtar - does anyone really use it on non-Windows?  (it has been
fixed in gpg4win).


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: One alternative to SMTP for email: Confidant Mail

[Nick Econopouly]

Any word on whether confidant mail will support the openpgp smart cards (or
yubikey, similar)?
-Nick
On Mar 29, 2015 7:55 AM, "MFPA" <2014-667rhzu3dc-lists-gro...@riseup.net>
wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
>
>
> On Saturday 28 March 2015 at 6:05:05 PM, in
> , Peter Lebbing wrote:
>
>
> > No, but nobody said the adjective was used
> > tautological.
>
> Maybe it doesn't imply or hint that to everybody, but it is definitely
> what I infer when I read "from strictly business to the dodgy darknet
> variety".
>
>
> > It's like someone says "they're doing shady business in
> > a dark alley" and you protest "Hey, I know plenty
> > proper businesses that are just upstanding people
> > making sales! In fact, I also know plenty alleys that
> > let in a lot of sunlight..."
>
> I think that's rather over-egging it. Wouldn't the equivalent protest
> be about the possible insinuation (and cliche) that all business that
> takes place in a dark alley is shady?
>
> (-;
>
>
> - --
> Best regards
>
> MFPA  
>
> Don't learn safety rules by accident...
> -BEGIN PGP SIGNATURE-
>
> iQF8BAEBCgBmBQJVF+fhXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
> ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
> QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwGYIH+wduMMfpLdqVyfr83Vm8MJ1V
> kbvKCaxWaIDu8iMFieIJo64gOitZBD4o/KWCISCwO7ADpzGmlrqwBcSjlYJSIw2f
> I07IC8rM09Wab6jOqbDJCFgJASCVjl2NpAKhzaHO2GKeZjS9hbVA/ZsHACD4PNC4
> AMKk/6eqbS4SLe7ULAU/b9jfkSRD3dNghzcSQkUu9bs2rzetTGcTz2aozmT0fOcy
> LfR/nL+4i8JtbmaUbZ7W6jku8YXrknN9zAYih++NcWhT3+jaGjAV9BP/W7UUIjRh
> PCXQo2LS5BqQjHjDYnUgcKUZjfHMPPOs+zY3HHotte1hUYTgFme2FHFTHQWi4iWI
> vgQBFgoAZgUCVRfn7F8UgAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
> cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx
> MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45L80AQAHEDUcF6JJ7keNR3xhXo3jvavb
> m/V3oDUsTHHotmPbjgEAq/6BWQ2cw1NtdA2OPdpISJo0A0sQD2GvKjng7ZGCbAE=
> =RUbH
> -END PGP SIGNATURE-
>
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Instructions for converting keyring for 2.1

[Peter Lebbing]

I just followed the instructions on [1] for converting your pubring.gpg to the
new keybox format. I discovered I needed --import-options import-local-sigs on
the import command to also import my local signatures, which obviously is very
desirable when converting your public keyring... it's a bit lossy otherwise :S.

Here's a diff for the gnupg-doc git:

diff --git a/web/faq/whats-new-in-2.1.org b/web/faq/whats-new-in-2.1.org
index bc312da..1056dd0 100644
--- a/web/faq/whats-new-in-2.1.org
+++ b/web/faq/whats-new-in-2.1.org
@@ -561,7 +561,7 @@ then run import, and finally restore the ownertrust values:
 $ cd ~/.gnupg
 $ gpg --export-ownertrust >otrust.lst
 $ mv pubring.gpg publickeys
-$ gpg2 --import publickeys
+$ gpg2 --import-options import-local-sigs --import publickeys
 $ gpg2 --import-ownertrust otrust.lst
 #+end_example

HTH,

Peter.

[1] https://www.gnupg.org/faq/whats-new-in-2.1.html#keybox

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg 2.0.27 is updating the trustdb constantly, and taking minutes to do it

[Jesus Cea]

On 28/03/15 11:48, Werner Koch wrote:
> On Fri, 27 Mar 2015 17:07, j...@jcea.es said:
> 
>> My problem is that any change to the pubring, like downloading a new
>> key, refreshing, adding a new local signature with "--lsign", etc., will
>> force a trustdb update (in the next execution. For instance, decrypting
> 
> A new key signature may chnage rthe entire WoT thus it needs to be
> re-computed.  I have
> 
>   no-auto-check-trustdb
> 
> in my gpg.conf and 
> 
>   30   1 * * *   /usr/local/bin/gpg --batch --check-trustdb 2>/dev/null
> 
> in my crontab.  Thus tehre will be only one re-computation a day.

I understand that, nice hack, but I used 1.4.19 until a week ago and
this recalculation was taking a few seconds. Now it is taking minutes.

Same configuration, same keyring files:

With 1.4 GPG:

"""
jcea@ubuntu:~/video$ time gpg.OLD --update-trustdb
gpg: public key FBBB8AB1 is 58138 seconds newer than the signature
gpg: public key D3A42C61 is 2009 seconds newer than the signature
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:  21  signed:  96  trust: 0-, 0q, 0n, 0m, 0f, 21u
gpg: depth: 1  valid:  96  signed: 116  trust: 0-, 96q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2015-04-08

real0m7.570s
user0m6.800s
sys 0m0.440s
"""

With 2.0.27 GPG:

"""
jcea@ubuntu:~/video$ time gpg2 --update-trustdb
gpg: Note: signatures using the MD5 algorithm are rejected
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:  21  signed:  96  trust: 0-, 0q, 0n, 0m, 0f, 21u
gpg: depth: 1  valid:  96  signed: 106  trust: 0-, 96q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2015-04-08

real1m27.370s
user1m10.240s
sys 0m13.950s
"""

Trustdb rebuild time has skyrocketed. Unless GPG 1.4 has a serious bug,
2.0.17 is doing something wrong. The sys time is interesting, looks like
GPG 2.0.27 is doing a lot of syscalls. I wonder if it is doing the
calculations several times, or what.

>> As I said, my pubring.gpg is 34MB long. With gnupg 1.4.x it would take a
>> few seconds only.
> 
> Which 1.4 version is this?

"""
jcea@ubuntu:~/video$ gpg.OLD --version
gpg (GnuPG) 1.4.19
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later

This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
"""

>> PS: Bonus: how to get rid of
>>
>> """
>> gpg: DBG: armor-keys-failed (KEY 0x010D6F3A BEGIN
> 
> Sorry for this.  It has already been fixed in the repo, see below.

Great. Thanks.

PS: Thanks for GNUPG!.

-- 
Jesús Cea Avión _/_/  _/_/_/_/_/_/
j...@jcea.es - http://www.jcea.es/ _/_/_/_/  _/_/_/_/  _/_/
Twitter: @jcea_/_/_/_/  _/_/_/_/_/
jabber / xmpp:j...@jabber.org  _/_/  _/_/_/_/  _/_/  _/_/
"Things are not so easy"  _/_/  _/_/_/_/  _/_/_/_/  _/_/
"My name is Dump, Core Dump"   _/_/_/_/_/_/  _/_/  _/_/
"El amor es poner tu felicidad en la felicidad de otro" - Leibniz



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: SSH CA and OpenPGP card

[Stephan Beck]

Am 27.03.2015 um 13:36 schrieb Bolesław Tokarski:
> Hello,
[...]
> Is the PKCS#11 library for OpenPGP card usable?


I guess you may install and use gnupg-pkcs11-scd for that purpose, provided that
you only use RSA keys.

See /usr/share/man/man1/gnupg-pkcs11-scd.1 for more info.


Hope that helps

Stephan





signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: One alternative to SMTP for email: Confidant Mail

[Mike Ingle]

> Any word on whether confidant mail will support the openpgp smart 
cards (or

> yubikey, similar)?  -Nick

With GPG 2.1, the gpg-agent handles all the passphrase prompting. I 
don't see
why it would not work with a smartcard. Which one do you think I should 
get to

test with? I have not played with them.

> > That's more or less what it does. When you get an email
> > from  j...@somewhere.com, it fetches that key id and
> > adds it to your keyring. If you get an email from a
> > different key claiming j...@somewhere.com, it also
> > fetches that key id and adds it, but now messages from
> > both users show a key collision until you go delete one
> > of those keys.

> Why should the user need to delete one, rather than just be told there
> were two and the one with such-and-such a fingerprint (or the one
> highlighted) signed this message? If it is just a string in a key UID 
rather

> than a functional email address, it will not necessarily be unique.

There should not be two or more keys advertised for one email address. That
creates confusion, requires the recipient to have two CM accounts, and
increases the risk of bogus keys being used. Since CM keys disappear 
from the

key search results about a month after the key owner stops advertising them,
people should delete old or bogus keys from their keyrings.

> > It's similar to regular PGP keyservers in that it will
> > accept any key someone wants to post. The main
> > difference is keys expire after a month or so if they
> > are not  re-posted.

> In a similar way to a file that has not been requested for a
> relatively long time dropping off a peer-to-peer filesharing network?

Once the owner stops advertising the key (by using it in a CM account), 
after

a month or so the STORUTIL will remove it from the servers. That depends on
how often server operators run STORUTIL to prune their server directories.

> Is there a way to incorporate some sort of challenge/response at key
> creation time before the key is uploaded to the peer-to-peer system?
> Or could the challenge/response be handled by a number of
> "verification agents" incorporated into the peer-to-peer network?

Not at the moment. There is no place to put a gatekeeper in this system. 
It is

a Kademlia peer to peer network with signature and integrity checking done
before the key is accepted. Any gatekeeping will have to be done by the 
clients.

In general it's a server dumb/client smart system.

> > Anyone can run a provider and I expect them to range from strictly
> > business to the dodgy darknet variety.

> Using "darknet" services to enhance privacy does not equate to
> "dodgy". A person's communications are none of anybody else's
> business, apart from whoever they choose to communicate with.

No offense to the darknet intended. I'm in favor of more widespread Tor 
and I2P
usage, that's why I built in support for it. Using CM over hidden 
services is a good

way to avoid social graph building.

An example of a "dodgy darknet provider" would be if one of the darknet 
markets

decided to run a couple of covert CM servers (having only Tor hidden service
addresses) to facilitate vendor to customer communication. That would solve
the problem of some users not encrypting their messages, and would allow 
people

to communicate even if the hidden website server is down.

Suppose a reporter on a "strictly business" CM provider wanted to interview
vendors of that darknet market. She could do so using CM without needing a
technical expert to handle the encryption, and without either party being
exposed to any risks. In the past that has been difficult.

It is also possible to run mailing lists and file servers over CM. I am
currently running a CM users' mailing list.

Mike

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: SSH CA and OpenPGP card

[NIIBE Yutaka]

On 03/27/2015 09:36 PM, Bolesław Tokarski wrote:
> ssh-keygen *can* sign a public key with a smartcard. Using a PKCS#11 token.
> However, I see that the OpenPGP card does not natively talk PKCS#11, but
> there's some wrapper library. Am I really forced to use that? Would it work
> correctly or would it break the keys currently on the card?
> 
> Is the PKCS#11 library for OpenPGP card usable?

Scute is a shared library for NSS (Network Security Services) with
scdaemon (of GnuPG) which provides PKCS#11 interface.

But, I'm afraid it doesn't work for OpenSSH.  I mean, the library
interface of NSS doesn't match to the one of OpenSSH.

Well, I think that it's possible for us to write a script using
gpg-connect-agent which asks generating signature by authentication
key of GnuPG.  Then, the script can be used for certificate generation
of OpenSSH (instead of ssh-keygen).

I generated *-cert.pub by ssh-keygen, and examined its content.  It
seems that it's simple concatenation of:

Header
Public key to be signed
Key Id
Options (in ASCII)
Signing public key of CA
Signature

We can use SIGKEY, SETHASH, and PKSIGN commands of gpg-agent to
generate signature and other part can be written by, say Python, or
something.

Ideally, ssh-keygen would have better to talk ssh-agent to ask
signing, though.
-- 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users