Global changing of expiration date of mainkey and subkeys possible?

2015-04-07 Thread gnupgpacker 
Hello,
is there any way to change the expiration date of mainkey AND ALL attached
subkeys by one action only (and not key-by-key)?

Source:
pub  4096R/  erzeugt: 2014-12-09  verfällt: 2015-10-04  Aufruf: C
 Vertrauen: unbekannt Gültigkeit: unbekannt
sub  4096R/F0E6644F  erzeugt: 2014-12-09  verfällt: 2015-07-06  Aufruf: A
sub  2048D/4A692C49  erzeugt: 2014-12-09  verfällt: 2015-06-07  Aufruf: S
sub  4096R/CFC3C286  erzeugt: 2014-12-09  verfällt: 2015-06-07  Aufruf: E
sub  4096R/D64D3126  erzeugt: 2014-12-09  verfällt: 2015-06-07  Aufruf: S
[  unbek.] (1). gnupgpacker (testkey) 

Target:
pub  4096R/  erzeugt: 2014-12-09  verfällt: 2016-11-11  Aufruf: C
 Vertrauen: unbekannt Gültigkeit: unbekannt
sub  4096R/F0E6644F  erzeugt: 2014-12-09  verfällt: 2016-11-11  Aufruf: A
sub  2048D/4A692C49  erzeugt: 2014-12-09  verfällt: 2016-11-11  Aufruf: S
sub  4096R/CFC3C286  erzeugt: 2014-12-09  verfällt: 2016-11-11  Aufruf: E
sub  4096R/D64D3126  erzeugt: 2014-12-09  verfällt: 2016-11-11  Aufruf: S
[  unbek.] (1). gnupgpacker (testkey) 

Thanks + regards, Chris


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Making the case for smart cards for the average user

2015-04-07 Thread Peter Lebbing 
The type of UID that proves problematic when you include the angle
brackets in your search is this:

$ gpg2 -k c...@example.org
pub   2048R/17C05EBD 2014-08-13 [expires: 2015-04-14]
uid   [ unknown] c...@example.org

$ gpg2 -k ""
gpg: error reading key: No public key

It's about an UID without angle brackets! Hence, when you search for it
including the angle brackets, you don't find it. Your examples all are
with an UID that actually does include the angle brackets.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Making the case for smart cards for the average user

2015-04-07 Thread MFPA 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi


On Tuesday 7 April 2015 at 4:34:05 AM, in
, Ben McGinnes wrote:


> The function and operation you're after is reasonable,
> no arguments there, my question is whether this is
> something which is actually a fault with GPG or if it's
> your MUA.

I don't believe it to be a fault with either.



> I strongly suspect the latter and here's
> why:

> Using one of the more unique UIDs on my key (the 4th
> one) if I enter that in the Enigmail Key Management
> window it returns my current key.

We are talking at cross-purposes.

When I look at that UID:-

 Ben McGinnes 

I see angle brackets around the email address, in the usual way.

I was talking about what happens when the angle brackets are not
there.

If I generate a key with the UID of:-

   Test20150407 u...@example.com

and try to encrypt an email to u...@example.com it fails.

If I add the UID:-

   Test20150407 

and try again, it just works.




> bash4-4.3$ gpg -k 
> bash4: syntax error near unexpected token `newline'
> bash4-4.3$
>
> An alternative character escape method drives this home:
>
> bash4-4.3$ gpg -k \
> bash4: syntax error near unexpected token `newline'
> bash4-4.3$ gpg -k 
> bash4: ben.mcgin...@pirate.org.au>: No such file or directory
> bash4-4.3$ gpg -k \
> pub   rsa4096/0x321E4E2373590E5D 2012-07-28
> uid [ultimate] Ben McGinnes 
> uid [ultimate] Ben McGinnes 
> sub   rsa3072/0x7FF2D37135C7553C 2012-07-28
> sub   elg4096/0xC98BAA1862E4484D 2012-07-28


> Furthermore, if I put another string after the line
> that produced that second error message I'll end up
> with a text file with that name containing the gpg
> output with no output to the screen.  I'm reasonably
> sure that if you do the same thing in a DOS terminal
> you'll get similar or possibly identical results.


Out of interest, yes:-

C:\TDM-GCC-32>gpg -k 
The syntax of the command is incorrect.
C:\TDM-GCC-32>
C:\TDM-GCC-32>gpg -k ^
gpg: using character set 'utf-8'
gpg: using PGP trust model
gpg: key 0x: accepted as trusted key

Keyring: C:/[...]/pubring.kbx
- 

- ---
pub   rsa4096/0x321E4E2373590E5D 2012-07-28
  Key fingerprint = DB47 24E6 FA42 86C9 2B4E  55C4 321E 4E23 7359 0E5D
uid [  full  ] Ben McGinnes 
uid [  full  ] Ben McGinnes (backup email address) 
uid [  full  ] Ben McGinnes 
uid [  full  ] Ben McGinnes 
sub   rsa3072/0x7FF2D37135C7553C 2012-07-28
sub   elg4096/0xC98BAA1862E4484D 2012-07-28


C:\TDM-GCC-32>gpg -k ^
The syntax of the command is incorrect.

C:\TDM-GCC-32>gpg -k 
The filename, directory name, or volume label syntax is incorrect.

C:\TDM-GCC-32>



> If
> so, then chances are pretty good that The Bat! is doing
> it wrong.

I disagree. That is me doing it on the command line. What The Bat!
does works, except in the event the email address is stated without
the usual angle brackets in the key's UID (or, if the email address is
the name on a group line, it appears there without angle brackets).



> Yes, that's the point, they're the 4 most likely ways a
> mail client might send a UID to GPG to look for a key,
> that was intentional.


Quotation marks aside, gpg.man says to include the angle brackets to
specify a key by an exact match on an email address. But that just
seems to be an example of substring match, where you pass the
substring, optionally prepended with an asterisk. And, of course, if
the first and last characters of the substring passed for matching are
not present in the key's UID there is no match.



> Right, so for the MUA to match them as a string they do
> indeed need to be escaped and it is precisely that
> behaviour which The Bat! needs to implement for it to
> just work.

The issue you refer to with The Bat! is not a difficulty in passing
the angle brackets as part of the string to match; that bit works. As
evidenced by my need to begin my PGPNET group line with:-

  group =

rather than:-

   group pgp...@yahoogroups.com=

the issue is an inability to match with something that is not there.

Which is not a fault in GnuPG nor in the MUA.



- --
Best regards

MFPA  

All generalisations are dangerous, even this one.
-BEGIN PGP SIGNATURE-

iQF8BAEBCgBmBQJVI9A7XxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwt60H/iQj+J9ffLPPOXP/4Msu7tFb
mLc2WaatdQ0j7QG9GAkF1BPSY2yf1q/PkvgTfo7NwJV91OM1b3Ap00KftbfE3gJO
5m2HRfVcIyWH71Tz9T7/b4jc688HK7RqdmFKYB6B3Yaf7sK7Lq4vE+ERLETXOeqG
/KjP0wHr/1EDCZ4O82rWiRonxJGmQtO620t27iuLtE5A7EZ8AmDtL4iaaEun+p/X
rTgKzemVeNo0IQxpkPS6Jh7Vk1jHP34/o8ZIPL2FB+0gNOGLbS7MkaHp2au/wLsk
lC8Qopp3Z4hfHahdZLpnd0Gqa+h/c9tZsL6D5Rn5EnkNdRCb774mPET0JVR3aBqI
vgQBFgoAZgUCVSPQRV8UgAAuAChpc3N1ZXItZnByQG5vdGF0

Re: Making the case for smart cards for the average user

2015-04-07 Thread Ben McGinnes 
On 7/04/2015 7:57 pm, Peter Lebbing wrote:
> The type of UID that proves problematic when you include the angle
> brackets in your search is this:
> 
> $ gpg2 -k c...@example.org
> pub   2048R/17C05EBD 2014-08-13 [expires: 2015-04-14]
> uid   [ unknown] c...@example.org
> 
> $ gpg2 -k ""
> gpg: error reading key: No public key
> 
> It's about an UID without angle brackets! Hence, when you search for it
> including the angle brackets, you don't find it. Your examples all are
> with an UID that actually does include the angle brackets.

Let me see if I've got this right ... the issue is one which can only
occur when the key owner has deliberately overridden the defaults by
using the "allow-freeform-uid" option, allowing them to drop the
standard format of "name " and then they're shocked
that doing so might produce unintended consequences?

Perhaps I'm being unreasonable, but surely if you go out of your way
to make sure that a particular pattern does *not* appear in your UID
then it is intended that searching on that pattern should not match
your UID.  Now granted, that intention may have been poorly considered
by said key owner, but I'd hardly call it a bug in GPG for not
anticipating that.  After all, all it is doing is matching the pattern
specified by the owner of the key.


Regards,
Ben



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Making the case for smart cards for the average user

2015-04-07 Thread Ben McGinnes 
On 7/04/2015 10:39 pm, MFPA wrote:
> 
> We are talking at cross-purposes.
> 
> When I look at that UID:-
> 
>  Ben McGinnes 
> 
> I see angle brackets around the email address, in the usual way.
> 
> I was talking about what happens when the angle brackets are not
> there.
> 
> If I generate a key with the UID of:-
> 
>Test20150407 u...@example.com
> 
> and try to encrypt an email to u...@example.com it fails.
> 
> If I add the UID:-
> 
>Test20150407 
> 
> and try again, it just works.

Ah.  Alright, fair enough, *that* is a bug.  The previous descriptions
made it sound like a key with the first of those test UIDs wouldn't
show up when searching for "" to which my response
was, well yeah.  The basis of my concern there being that partial
matches on email would have even more unintended consequences when
gTLDs matched ccTLDs and the inevitable can of worms that leads to
(and certainly has in the past in a more general sense).


Regards,
Ben





signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Splitting a GPG private key

2015-04-07 Thread Alfredo Palhares 
Hello Daniel,

> Do you want to require multiple people to come together to use that
> secret key?  or do you want them each to have the ability to use the key
> independently from each other?

The objective is require multiple people to use that secret key. Yes

> The answer about what to do would depend on how you want the key to be
> used.

Basically this key would a part of the encryption group of all the other
credentails. And to be the only key to encrypt extremely sensitive data

> It's not clear to me that we have a functional workflow to support the
> first scenario (where multiple people must come together to use the
> secret key) without a lot of overhead for the users.

> My understanding is that the Tails community does something like this,
> but they are a highly-technical group who are willing to custom-build
> their own tools and to endure quite a bit of tedious and inconvenient
> process to protect the safety of their users.

Do they have this documented somewhere.

> Consider that anyone who ever has access to the raw secret material of
> the shared key can effectively make a copy of it and then use it
> elsewhere in the future.
Yes, the key joining is a whole proccess on an offline machine with the presence
of all elements.

> If you can define your desired use cases more clearly, maybe someone on
> this list can propose an effective workflow for you.

I am open to any suggestions.

Thank you for you input!

-- 
Alfredo Palhares
GPG/PGP Key Fingerprint
68FC B06A 6C22 8B9B F110
38D6 E8F7 4D1F 0763 CAAD


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Making the case for smart cards for the average user

2015-04-07 Thread Daniel Kahn Gillmor 
On Tue 2015-04-07 08:39:57 -0400, MFPA wrote:
> I was talking about what happens when the angle brackets are not
> there.
>
> If I generate a key with the UID of:-
>
>Test20150407 u...@example.com
>
> and try to encrypt an email to u...@example.com it fails.

The above is neither an RFC 5322 addr-spec nor an RFC 5322 name-addr.
That is, it would not be considered acceptable in the To: line of an
e-mail header:

  https://tools.ietf.org/html/rfc5322#section-3.4

We could invent arbitrary ways to structure a User ID that includes an
e-mail address, but writing code to extract the e-mail address from
these things seems like a lot of heuristics at best, and there are all
kinds of ways that it could fail.

We know how to structure a proper name-addr and an addr-spec, and it's
not difficult.  If you want an e-mail address to be recognizable to
automated tools, you should structure it in a recognizable way.

The above UID is simply a mistake, and i don't think GnuPG should try to
accomodate it.

--dkg

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Making the case for smart cards for the average user

2015-04-07 Thread Peter Lebbing 
On 07/04/15 14:56, Ben McGinnes wrote:
> Let me see if I've got this right ... the issue is one which can
> only occur when the key owner has deliberately overridden the
> defaults by using the "allow-freeform-uid" option

GnuPG implements the OpenPGP standard. What hoops the users need to jump
through to get a certain behaviour with GnuPG might not be there in
other OpenPGP compliant programs. The OpenPGP standard merely says:

> By convention, it includes an RFC 2822 [RFC2822] mail name-addr, but
> there are no restrictions on its content.

That said, I understand your position. However, the patch to match on
bare e-mail addresses as UID even when searching with the angle brackets
already went in GnuPG 2.1 [1].

HTH,

Peter.

[1] https://bugs.g10code.com/gnupg/issue1927

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Splitting a GPG private key

2015-04-07 Thread Daniel Kahn Gillmor 
On Tue 2015-04-07 09:14:09 -0400, Alfredo Palhares wrote:
> [dkg wrote:]
>> Do you want to require multiple people to come together to use that
>> secret key?  or do you want them each to have the ability to use the key
>> independently from each other?
>
> The objective is require multiple people to use that secret key. Yes

This is still ambiguous to me.  I described two distinct cases, and i'm
not sure which one you are agreeing to.  From the rest of your message,
i think you're agreeing to the first question, but not the second.

>> The answer about what to do would depend on how you want the key to be
>> used.
>
> Basically this key would a part of the encryption group of all the other
> credentails. And to be the only key to encrypt extremely sensitive data

I don't know what "the encryption group" means.  can you explain
further?  I think you might mean that everything encrypted to any key
will also be encrypted to this key; and that some especially sensitive
material will *only* be encrypted to this key.

>> My understanding is that the Tails community does something like this,
>> but they are a highly-technical group who are willing to custom-build
>> their own tools and to endure quite a bit of tedious and inconvenient
>> process to protect the safety of their users.
>
> Do they have this documented somewhere.

https://tails.boum.org/news/signing_key_transition/index.en.html#index2h1

says:

 * Is not owned in a usable format by any single individual. It is split
   cryptographically using gfshare.

  gfshare is: http://www.digital-scurf.org/software/libgfshare

If you have more questions about how they this, you may wish to ask them
to the tails folks themselves:

 https://tails.boum.org/support/index.en.html

I find that their mailing lists and IRC channel (see "Support List" and
"Chat" at the bottom of the page) are usually pretty helpful and
responsive to well-framed questions.

hth,

   --dkg


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Making the case for smart cards for the average user

2015-04-07 Thread MFPA 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi


On Tuesday 7 April 2015 at 2:14:55 PM, in
, Daniel Kahn Gillmor
wrote:


> On Tue 2015-04-07 08:39:57 -0400, MFPA wrote:
>> I was talking about what happens when the angle brackets are not
>> there.

>> If I generate a key with the UID of:-

>>Test20150407 u...@example.com

>> and try to encrypt an email to u...@example.com it
>> fails.

> The above is neither an RFC 5322 addr-spec nor an RFC
> 5322 name-addr. That is, it would not be considered
> acceptable in the To: line of an e-mail header:

>   https://tools.ietf.org/html/rfc5322#section-3.4

> We could invent arbitrary ways to structure a User ID
> that includes an e-mail address, but writing code to
> extract the e-mail address from these things seems like
> a lot of heuristics at best, and there are all kinds of
> ways that it could fail.

> We know how to structure a proper name-addr and an
> addr-spec, and it's not difficult.  If you want an
> e-mail address to be recognizable to automated tools,
> you should structure it in a recognizable way.

> The above UID is simply a mistake, and i don't think
> GnuPG should try to accomodate it.

Fair enough. That we should try to accommodate:-

 u...@example.com

but not:-

Test20150407 u...@example.com

actually makes sense to me. I structured my example UID incorrectly.


- --
Best regards

MFPA  

Dogs look up to us. Cats look down on us. Pigs treat us as equals.
-BEGIN PGP SIGNATURE-

iQF8BAEBCgBmBQJVI+PuXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwSTwH/3RWs2TwjupTuuGt0yZKpAFG
MrHLVxNhTLIebfSH8YhsEmYuTNoJD80UG3v7nq/aHUuXtFDaHNjXhCmqDK3zFWSG
s//8lFY1rQdSGi1gIY/jFA+kB7avaumHxDb0xOZAKZLqcnauX12ZPSuohb/ryFfY
Lkh72WvTKGqG0WW7tvUAlINmQ5aWXcmM03lJ/zYfzpTRLmir3d2qCKIzeImSNhOv
2T1hCbdKtINngMGOoHeNNPI9hnpPiDbUiZ2RDgzYEuQXwDlwokb39pcmEDrTxUhL
S3YM/HU8unXcseKrFqDvaXYj048mY7iwg/qn+BkfHSV8yAjtlAFWKgM95VnNaRmI
vgQBFgoAZgUCVSPj+V8UgAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx
MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45O8zAQDpcM6LBGVMDhuuhyU8Pvwfaxkj
/zqLFiGGhOTGxN6ZogEApRBwR6JzQiWO2XLaWiSPp39eB+hNNqPZ0G/6T1P5xw0=
=IHCo
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Splitting a GPG private key

2015-04-07 Thread MFPA 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi


On Tuesday 7 April 2015 at 2:14:09 PM, in
, Alfredo Palhares wrote:



> I am open to any suggestions.

Maybe somebody more knowledgeable than me can comment on whether
"Shamir's Secret Sharing Scheme" [0] might be something relevant to
mention here.

I know nothing about it; I previously read the page I an linking to
after seeing it mentioned on a discussion group.

[0] .


- --
Best regards

MFPA  

Lotto: A tax on people who are bad at statistics!
-BEGIN PGP SIGNATURE-

iQF8BAEBCgBmBQJVI+CNXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwxNQIAIbEvEi5dff72n4qp0v1UrjM
dY09bJEidSGoe6XNPalvwkEAAvWvdMLE1MlW9oXQ/NmoiFgKQul0pPcRaEiGj8ht
fxdE9EkBvIlatOrXtul45gJtw++teI0sDrRDm9+NdVQLVOVWodJ4yKL+DdirVnWM
8pRgFvjodTJHaK40BSxl9kIH/yzv/t4/MbLnB9lFJWf9haMqoXqUoi0/G6E11Nnl
FxRNqZ7GJpl5zvh1Wggf1ZFdt5HXvomVgfq1Y+HvIUtjP4AFdZoT3hyHKzHzVhp3
OzXeA5v7FG/6od2Y3YOMKf2FGlFoyDyC4Ksx2hwHoDlgMkWy762hlTCjk1Mp3MuI
vgQBFgoAZgUCVSPgmF8UgAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx
MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45HdVAQDcBKiQEzGVA6CnUpgCCKYp3wwQ
bQ5HNKGOFQXkqL7kZwEAo5mwAJf7aJfXFpMqH+ujC/NOYKsAJWlH4nbyxcVGqAE=
=m5Ws
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: SSH CA and OpenPGP card

2015-04-07 Thread Bolesław Tokarski 
Hello,

FYI: I managed to solve my issue by using pure opensc-pkcs11. OpenPGP cards
seem to be supported by opensc. At least, I managed to sign an SSH public
key of a server with the key on the card.

Best regards,
Bolesław Tokarski
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Making the case for smart cards for the average user

2015-04-07 Thread MFPA 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi


On Tuesday 7 April 2015 at 1:56:01 PM, in
, Ben McGinnes wrote:



> Let me see if I've got this right ... the issue is one
> which can only occur when the key owner has
> deliberately overridden the defaults by using the
> "allow-freeform-uid" option,

Or, indeed, using batch mode.



> allowing them to drop the
> standard format of "name " and then
> they're shocked that doing so might produce unintended
> consequences?

Don't know about "shocked", but unintended consequences for a
non-standard UID scheme was indeed the issue.

The OP started this thread with a plug for his version of the GnuPG
smart card. Part of his scheme was to generate keys with a simplified
UID format that contained just an email address.



> Perhaps I'm being unreasonable, but surely if you go
> out of your way to make sure that a particular pattern
> does *not* appear in your UID then it is intended that
> searching on that pattern should not match your UID.
> Now granted, that intention may have been poorly
> considered by said key owner,

I pointed out that at least one MUA sends the email address enclosed
in angle brackets as the search string for GnuPG to locate the key. No
angle brackets around the email address means no key found. The OP
reconsidered his scheme and added the angle brackets. Issue resolved.



> but I'd hardly call it a
> bug in GPG for not anticipating that.  After all, all
> it is doing is matching the pattern specified by the
> owner of the key.

Nor would I. But if somebody creates a key UID with just a bare email
address, is it sensible to accept that email address as a match when
selecting keys?

- --
Best regards

MFPA  

Consistency is the last refuge of the unimaginative
-BEGIN PGP SIGNATURE-

iQF8BAEBCgBmBQJVI+yTXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXw2HsIAK3/8H1iBC8dLPmusB4lAhSk
gRnuqa3f5ZS0BjQ7M5oI1gSirkx9vahIU8SEk2a215kUbr2FL2fw2cwFscVy3Fc1
WiOq4iUqyfrrKhHpnGH+M8mmXpuFwN9MNuL93qnXYwYjTX5ZrcTZ6vSE9EKsX4wh
6pdG0I8DSdngCL+Ss6fVLA2PiEjPeYy0nRXxh7aHT22nuG2pxkgtORMOTz3/PMb8
N0V5HnUP2qt9FGi9cwWBczhpwuWiiYx3DchY7wReMs4MGUCGQwJQoceSfrn4ChvR
7Rtsj4EmieBiVkqBorboc4rcEMEzKyHM6aiqOOs9LHeR4BgzH/hnMsgen57RAaWI
vgQBFgoAZgUCVSPsm18UgAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx
MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45BSiAQCBKxOgzME70e56LpzZpaPMFdva
dZbfxeT0u86Szpu7fQEAZ7Ruw4P4l6UEiXGGO8gWpPS5JfMIqg4CrlNkuHrLOAk=
=AMFq
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Making the case for smart cards for the average user

2015-04-07 Thread Ben McGinnes 
On 8/04/2015 12:41 am, MFPA wrote:
> 
>> allowing them to drop the standard format of "name
>> " and then they're shocked that doing so might
>> produce unintended consequences?
> 
> Don't know about "shocked", but unintended consequences for a
> non-standard UID scheme was indeed the issue.
> 
> The OP started this thread with a plug for his version of the GnuPG
> smart card. Part of his scheme was to generate keys with a simplified
> UID format that contained just an email address.

Said OP needs to spend about a year running an SMTP server before
making a design decision like that, but anyway.

>> Perhaps I'm being unreasonable, but surely if you go out of your
>> way to make sure that a particular pattern does *not* appear in
>> your UID then it is intended that searching on that pattern should
>> not match your UID.  Now granted, that intention may have been
>> poorly considered by said key owner,
> 
> I pointed out that at least one MUA sends the email address enclosed
> in angle brackets as the search string for GnuPG to locate the key. No
> angle brackets around the email address means no key found. The OP
> reconsidered his scheme and added the angle brackets. Issue resolved.

Good.

>> but I'd hardly call it a bug in GPG for not anticipating that.
>> After all, all it is doing is matching the pattern specified by the
>> owner of the key.
> 
> Nor would I. But if somebody creates a key UID with just a bare email
> address, is it sensible to accept that email address as a match when
> selecting keys?

Ah, but if it is truly just the email address then is it sitting in
the email field of the UID or the name field?  If it's the latter then
you could match any part of it you liked normally.  An email client is
likely to have a small fit at that point, but the email client is
designed to interact with a specific set of transmission protocols, in
this case SMTP.  So if a GPG user wants a UID that does not meet the
criteria for SMTP addressing then the GPG user can't expect it to work
automatically.  As for a vendor foisting poor configuration on end
users ... well, the instinctive reaction is to reach for a LART, but
that won't be necessary really because that vendor will be out of
business within a year.


Regards,
Ben



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Making the case for smart cards for the average user

2015-04-07 Thread Ben McGinnes 
On 8/04/2015 12:04 am, MFPA wrote:
> On Tuesday 7 April 2015 at 2:14:55 PM, in
> , Daniel Kahn Gillmor
> wrote:
> 
>> We know how to structure a proper name-addr and an addr-spec, and
>> it's not difficult.  If you want an e-mail address to be
>> recognizable to automated tools, you should structure it in a
>> recognizable way.
> 
>> The above UID is simply a mistake, and i don't think
>> GnuPG should try to accomodate it.
> 
> Fair enough. That we should try to accommodate:-
> 
>  u...@example.com
> 
> but not:-
> 
> Test20150407 u...@example.com
> 
> actually makes sense to me. I structured my example UID incorrectly.

Yeah, this is fair because the first one is accepted by SMTP in the
mail from and rcpt to commands, but the second one wouldn't.

bash4-4.3$ telnet seditious 25
Trying 172.17.23.9...
Connected to seditious.adversary.org.
Escape character is '^]'.
220 seditious.adversary.org ESMTP Postfix
helo me
250 seditious.adversary.org
mail from: presid...@whitehouse.gov
250 2.1.0 Ok
rcpt to: b...@adversary.org
250 2.1.5 Ok
data
354 End data with .
From: Bazza 
To: Benny 
Subject: The Jets

Yo dude, we need those jets!


.
250 2.0.0 Ok: queued as E654111C0515
quit
221 2.0.0 Bye
Connection closed by foreign host.

Compare that to this:

Trying 172.17.23.9...
Connected to seditious.adversary.org.
Escape character is '^]'.
220 seditious.adversary.org ESMTP Postfix
helo foo
250 seditious.adversary.org
mail from: Bazza presid...@whitehouse.gov
555 5.5.4 Unsupported option: presid...@whitehouse.gov
quit
221 2.0.0 Bye
Connection closed by foreign host.

The MUA uses the brackets to work out which bits to use in those two
commands.  Once the data command has been delivered you can put in
whatever you like (hence mail spoofing and spam), but before the data
command is delivered the format is explicit.

That said, if just the brackets are included it will still behave, in
case the MUA extracts them from the From and To fields along with the
address:

Connected to seditious.adversary.org.
Escape character is '^]'.
220 seditious.adversary.org ESMTP Postfix
helo snafu
250 seditious.adversary.org
mail from: 
250 2.1.0 Ok
rcpt to: 
250 2.1.5 Ok
data
354 End data with .
From: Bazza 
To: Benny 
Subject: Re: The Jets

What do you mean you don't believe it was me without a GPG signature?
My National Security Advisor said that was bad and the NSA had to tell
me what to do.


.
250 2.0.0 Ok: queued as 3057A11C0515
quit
221 2.0.0 Bye
Connection closed by foreign host.


Regards,
Ben

P.S.  The Jets are gone.  ;)



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

RE: Splitting a GPG private key

2015-04-07 Thread Bob (Robert) Cavanaugh 
Alfredo,
I don't have any personal experience with splitting the key. What we do at my 
employer is split the secret key passphrase. Yes, this is a manual process but 
very secure. For highly important keys we assign six trusted individuals, three 
have defined one half of the passphrase and three have defined the other half. 
The halves are backed up physically and stored securely in two separate 
locations. No one person knows the entire passphrase ever. When encryption is 
required, one person from each of the three people physically inputs their half 
of the passphrase. Decryption happens normally. Obviously this only works if 
you only encrypt a small amount of secret material or do it infrequently. We 
have found this to be a very secure method.

Thanks,
 
Bob Cavanaugh
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Global changing of expiration date of mainkey and subkeys possible?

2015-04-07 Thread Werner Koch 
On Tue,  7 Apr 2015 11:27, gnupgpac...@on.yourweb.de said:

> is there any way to change the expiration date of mainkey AND ALL attached
> subkeys by one action only (and not key-by-key)?

No.  Please file a feature requests at bugs.gnupg.org. if you think this
is important.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Splitting a GPG private key

2015-04-07 Thread Brian Minton 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

The Debian project solves this by having the secret key shared using
 (https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing).
https://ftp-master.debian.org/keys.html

On Tue, Apr 7, 2015 at 1:29 PM, Bob (Robert) Cavanaugh
 wrote:
> Alfredo,
> I don't have any personal experience with splitting the key. What we
do at my employer is split the secret key passphrase. Yes, this is a
manual process but very secure. For highly important keys we assign six
trusted individuals, three have defined one half of the passphrase and
three have defined the other half. The halves are backed up physically
and stored securely in two separate locations. No one person knows the
entire passphrase ever. When encryption is required, one person from
each of the three people physically inputs their half of the
passphrase. Decryption happens normally. Obviously this only works if
you only encrypt a small amount of secret material or do it
infrequently. We have found this to be a very secure method.
>
> Thanks,
>
> Bob Cavanaugh
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iF4EARYIAAYFAlUkGbsACgkQN7lQes/yAW7RhwEAsr+5FMW7NGkCht6NTrkdehav
hEFg33E/5qScgfAPanEBAAHd0oMxmyWJf5qsDBUWCFfZp0SKk4qYOmZi4pg2kfUD
=iFNV
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Blind signatures for simple election

2015-04-07 Thread jan . svensson 
Hello,

I have been looking around a bit, but couldn't find the answer. I
would like to do the following with GPG if possible, thanks in
advance:

Assume we would like to hold a small election where no one should be
able to know which political party anyone have voted for.

User A, user B, and user C each have a small text file named
"ballot.txt" which contains his/her favorite political party written
in clear text, e.g. just the text "D" (for the Democratic Party) or
the text "R" (for the Republican Party).

Then all of them generates some kind of blinding factor "b" to be used
to blind their ballot. Then they blind "ballot.txt" with the blinding
factor b:

blind(ballot.txt,b)

All of them sends their "ballot.txt.blind" to the signer user X who
can not see the contents of the file since it is blinded.

User X signs all of the files "ballot.txt.blind" with the same
signature used only for this election:

sign(blind(ballot,b),d)

User X now sends "ballot.txt.blind.sign" back to user A, user B, and
user C. Each of them now unblinds their file "ballot.txt.blind.sign":

unblind(sign(blind(ballot,b),d),b)

which can be reduced to

sign(ballot,d)

Finally, at the day of election, user A, user B, and user C vists an
election room and delivers their file "ballot.txt.sign" on a USB
memory stick and watches while the trustee stores their ballots
"ballot.txt.sign" in some way. This file "ballot.txt.sign" contains
their political party written in clear text and also contains a
signature made by user X to indicate that the ballot is valid for the
election.

How can I do all above in some simple way with GPG commands like
--gen-key, --sign, --verify etc? Or do I need to apply e.g. some
patches to GPG to be able to do this?

Thanks alot in advance!

Jan
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Blind signatures for simple election

2015-04-07 Thread MFPA 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi


On Tuesday 7 April 2015 at 7:15:13 PM, in
,
jan.svens...@hush.com wrote:


> Hello,

> I have been looking around a bit, but couldn't find the
> answer. I would like to do the following with GPG if
> possible, thanks in advance:

> Assume we would like to hold a small election where no
> one should be able to know which political party anyone
> have voted for.

What you went on to describe sounds quite a bit like CryptoBallot [0],
[1].

[0] .
[1] .

- --
Best regards

MFPA  

Those who do not read are no better off than those who cannot.
-BEGIN PGP SIGNATURE-

iQF8BAEBCgBmBQJVJGPdXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwd/8H+QG0p1/NazZYgbfGVUsVh9Ds
C2nF18Z1PqFh+bxwMFVF32cJGqoThh9wl59Cqjd6rwv//B/iM1pu24wnY89/yZ4P
fZdudI4cY6SRUAaPfiu+hC9CjgIEOKiPa1lBO4vZEsxnpH9zPPBDMOay6OYA6/3g
5qw5kyWMhbygd+/b//oedpWX5Y96xCec/d//UPAfmxeVG+ouV/Z5n1i2BKw79ise
f+/Cpk54ewTClHzXWTiLxR1oj0ntfFvsye6ndsZ7Ea8oMGxyh3zTiWXqyxiI4ilG
5BXVvM6q6XY9y0ee9bYr2bnymItBnbZp9F5MydzGNYGSmMcm0uExQcNJcHI5DXyI
vgQBFgoAZgUCVSRj418UgAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx
MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45HB7AQC6XwM40tU807PwdIw+tUVFZ5s2
iDqfWjv+2zPHlTGU/QEAxv6/dr+GDFM52vb+ol7G4Yh6dbod+msTlwbof0N+3Qw=
=MDc8
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users