Re: What is 'CA fingerprint 1' on Smartcard

2015-04-27 Thread Daniel Krebs

Am 03.04.2015 um 13:14 schrieb Werner Koch:
> Back in 2005 the idea was to setup our own OpenPGP "CA" and the 
> FSFE prepared the cards for this (this is also one of the 
> reasons for the PIN letter).  However, the folks responsible for 
> the fellowship card never came around to setup a process to 
> actually run such a "CA" and thus the whole thing got dusty.  I 
> still have the CDROM with the private key but I do not think that 
> this expired key is of any use.
> 
> 
> Salam-Shalom,
> 
> Werner

Hi Werner,
sorry for the late reply, somehow I missed your mail...
Was this meant to work kind of like the CA of the c't crypto
campaign?

DK

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Yubikey NEO OpenPGP advisory

2015-04-27 Thread MFPA
On Thursday 23 April 2015 at 10:05:41 AM, in
, Peter Lebbing wrote:
> But I suppose it could work if you only use the NFC
> functionality when you're in a safe environment such as
> your own home.

Presumably that would mean keeping your card in an RFID-proof wallet
or tin when out and about.

> Right now, they're rolling out a payment system here in
> The Netherlands where you only need to tap your bank
> card to the payment terminal to do small payments.
> That's all that is needed.

We have that in the UK already. Payments up to, I think, GBP20
without PIN or signature. Dangerous.

> So I'm still looking for a sturdy yet practical
> metallic sleeve to put around the bank card as soon as
> they replace my non-NFC card with an NFC card :). The
> one I've seen looked too finicky to remove your bank
> card from, which you do every time you need to pay in a
> shop...

Some of the ones brought up by a search on "rfid card wallet" look
just like an ordinary wallet. And I'm sure a small metallic business
card holder or cigarette case would do the trick.

--
Best regards

MFPA  

To know what we know, and know what we do not know, is wisdom.




Re: Yubikey NEO OpenPGP advisory

2015-04-27 Thread Ville Määttä
On 27.04.15 12:43, MFPA wrote:
>> Right now, they're rolling out a payment system here in
>> The Netherlands where you only need to tap your bank
>> card to the payment terminal to do small payments.
>> That's all that is needed.
> We have that in the UK already. Payments up to, I think, GBP20
> without PIN or signature. Dangerous.

Yep, EUR 25 max here in Finland if I recall correctly without PIN and
"random PIN check" once in a while… I suppose the banks get a warm and
fuzzy "we've done something" feeling from the random checks. Roll-out
started about a year ago I think.

>> So I'm still looking for a sturdy yet practical
>> metallic sleeve to put around the bank card as soon as
>> they replace my non-NFC card with an NFC card . The
>> one I've seen looked too finicky to remove your bank
>> card from, which you do every time you need to pay in a
>> shop...
> 
> Some of the ones brought up by a search on "rfid card wallet " look
> just like an ordinary wallet. And I'm sure a small metallic business
> card holder or cigarette case would do the trick.

I have the basic blocking wallet from ThinkGeek [1] and it's just like a
normal wallet. They seem to have a new one as well although both out of
stock right now.

[1]: https://www.thinkgeek.com/brain/whereisit.cgi?t=rfid+wallet

-- 
Ville



Re: Yubikey NEO OpenPGP advisory

2015-04-27 Thread Peter Lebbing
Those NFC pay things you both mention sound a lot like what we have here
as well (€ 25 maximum, random PIN checks).

On 27/04/15 12:19, Ville Määttä wrote:
> I have the basic blocking wallet from ThinkGeek [1] and it's just like a
> normal wallet. They seem to have a new one as well although both out of
> stock right now.

Thanks for the hints, guys. But I'm very happy with my current leather
wallet, and the bag I keep the wallet in is almost full. So I'm more
looking for something really compact around the card, like a sleeve.
getDigital has one: [1]. I just can't judge how sturdy it is; the sleeve
I have seen in real life looked like it was quite a hassle to remove
your card from because it looked really flimsy.

Peter.

PS: getDigital has a lot of cool geeky stuff!

[1] https://www.getdigital.eu/RFID-Schutzhuelle.html (the 5 euro cover)

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: Yubikey NEO OpenPGP advisory

2015-04-27 Thread Peter Lebbing
On 27/04/15 11:43, MFPA wrote:
>> But I suppose it could work if you only use the NFC
>> functionality when you're in a safe environment such as
>> your own home.
> 
> Presumably that would mean keeping your card in an RFID-proof wallet
> or tin when out and about.

Well, if the PIN protection actually works (unlike in the affected
Yubikeys) and you only enter the PIN in an environment where you're sure
nobody is sniffing the over-the-air data, I suppose you could decide to
rely on the fact that your PIN is still secret, preventing access to
unauthorized people.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: Yubikey NEO OpenPGP advisory

2015-04-27 Thread MFPA
On Monday 27 April 2015 at 11:33:27 AM, in
, Peter Lebbing wrote:

> So I'm more looking for something
> really compact around the card, like a sleeve.
> getDigital has one: [1]. I just can't judge how sturdy
> it is; the sleeve I have seen in real life looked like
> it was quite a hassle to remove your card from because
> it looked really flimsy.

The sleeves I have seen online looked pretty flimsy, and they have to
be if they will be small enough to fit in the credit card slots in a
wallet. There are also wallet liners, where a sheet of RFID-blocking
material goes in the large banknote section(s) of the wallet and is
supposed to protect the cards when the wallet is closed; not sure
about that idea.

--
Best regards

MFPA  

Working hard. Please interrupt at once.




Re: Yubikey NEO OpenPGP advisory

2015-04-27 Thread Willy Witfood
On 04/27/2015 12:36 PM, Peter Lebbing wrote:
> On 27/04/15 11:43, MFPA wrote:
>>> But I suppose it could work if you only use the NFC
>>> functionality when you're in a safe environment such as
>>> your own home.
>> Presumably that would mean keeping your card in an RFID-proof wallet
>> or tin when out and about.
> Well, if the PIN protection actually works (unlike in the affected
> Yubikeys) and you only enter the PIN in an environment where you're sure
> nobody is sniffing the over-the-air data, I suppose you could decide to
> rely on the fact that your PIN is still secret, preventing access to
> unauthorized people.
>
> Peter.
>

Hi,

whether this is a big or minor issue really depends on the use case.
In my opinion the perfect use case for the Yubikey NEO's OpenPGP is to
respond quickly to confidential but not extremely sensitive email in all
environments, which includes mobile phones. Here it's still significantly
better to use one with the vulnerability than the most common
alternatives: storing the key on the phone or using plaintext email.

Ideally I would like to have one identity with multiple subkeys which
also communicate multiple use cases, say

1) confidential: subkey on a yubikey NEO
2) secret: subkey on a smart-card with an independent card-reader with a
pin-pad
3) top secret: offline key

Then the sender could select the right one for the message.

Willy




Certificate server

2015-04-27 Thread Dmitry Falko

Hello!

First of all, sorry for my English.

I use gpgsm (X.509 certificates) to encrypt the data and wanted to know
whether there is a chance to work through gpgsm with a certificate server
as GPG works with the key server.
I saw that Kleopatra can receive X.509 certificates from an LDAP server,
but can't find any information about gpgsm.

And I am interested in information on configuring a gpg certificate server.

--
Best Regards, Dmitriy!




Re: Yubikey NEO OpenPGP advisory

2015-04-27 Thread Julian H. Stacey
> Thanks for the hints, guys. But I'm very happy with my current leather
> wallet, and the bag I keep the wallet in is almost full. So I'm more
> looking for something really compact around the card, like a sleeve.
> getDigital has one: [1]. I just can't judge how sturdy it is; the sleeve
> I have seen in real life looked like it was quite a hassle to remove
> your card from because it looked really flimsy.
> 
> Peter.

I make my own RF blockers, though untested yet:
For maybe 10 years my business cards have been made from 80 gram/
square metre paper, folded once & cut to size, then heat sealed
into plastic, hot lamination pouches, using 2 alternate products:
  Leitz 100x Credit Card Hot seal laminating pouches 125 (250) mic
1 Leitz 33810 bar code 5 411313 338103
  Ibico ibi pouches for hot laminating credit card 54 x 86 mm
100 pouches . clear . 5 mil 125 micron permanently sealed & protected
http://www.gbceurope.com/gbc/en/gb/v/1997/10/card-laminating-pouches.aspx

Years back I realised I could cut some aluminium cooking foil to the
same size as the paper, & seal that as an RF / microwave test tool;
then an NFC card arrived, & I inserted the metal foil `card' behind
the NFC credit card, on the outside of the wallet.

The metal foil in a sealed plastic pouch is much slimmer (0.26 mm)
than a credit card (0.8 mm), so fits well in the same wallet slot as an NFC
enabled credit card (metal foil on the outer side of the wallet, of course).

As cards are stacked offset in a wallet I assume it makes sense to
decide where on the credit card the NFC chip is, for max overlap
of the foil.

I made a larger foldable encapsulated foil pouch for my brother's
wallet (he had NFC cards before I did). I can't remember what
thickness plastic I used, + 2 for British passports (some kind of chip).

I haven't tested them yet, just use them :-) I recently got an NFC
app to convert my Android phone into an NFC reader on USB coupled
to a PC, so I will test it some time, but:
A) I don't normally carry my NFC card, &
B) I haven't looked beyond
https://www.freebsd.org/cgi/ports.cgi?query=NFC&stype=all
   at
https://svnweb.freebsd.org/ports/head/devel/libnfc/

If aluminium cooking foil is too thin, some are thicker than others,
& I have some thin copper sheet too, but I doubt it will need that.

I've long been planning to insert aluminium foil in the new
version of my business cards, which BTW look like this
http://berklix.com/~jhs/cv/#card

I guess computer clubs could create similar cards, with foil blockers.
I bought my hot laminator long ago, it does up to A4 size; since
then prices for laminators have crashed, & credit card sized ones
even cheaper, so probably most on this list can, with local friends,
club together & buy/share a laminator, & make their own blockers,
but we need to check how effective they are :-)

Cheers,
Julian
--
Julian Stacey, BSD Linux Unix C Sys Eng Consultant Munich http://berklix.com
Indent previous with "> ".  Reply Below as a play script.
Send plain text, Not quoted-printable, HTML, or base64.



Re: Notes from the first OpenPGP Summit

2015-04-27 Thread Werner Koch
On Mon, 27 Apr 2015 01:31, b...@pagekite.net said:
> Thanks for the write-up, Werner! :-)

Actually you have been much faster with your report
https://www.mailpile.is/blog/2015-04-20_OpenPGP_Email_Summit.html

>>   disappointed that many of the participants favored this closed
>>   invitation-only style summit and want the next meeting to happen the

> On the one hand, I suspect it would be very hard to maintain the
> excellent signal/noise ratio we had, in a completely open summit. On

Maybe.  We are used to working on mailing lists and I would bet that in most
cases it is easier to ask too noisy participants to behave well during a
physical meeting than on mailing lists.  The IETF has quite some
experience with that and requires physical meetings for important tasks.

> Was the idea of having a mixed summit discussed? I think there was
> general consensus that we could probably skip the introductions next

Not that I know.  I left the session at some point, though.

> time, so perhaps one of the two days could be open and the other day
> closed for people who want to work together on specific issues?

As long as all participants may introduce a new attendee I would be
fine with such a scheme.  No need for strict registration rules.

> Or the group could fork, with the first day shared for talks and getting
> to know each other, and the second day forked into non-dev-friendly
> activities (crypto-parties, keysigning, introductory talks) scheduled

The problem is that at least for talks, those speakers would likely also
want to participate in the smaller working groups.

> out-reach, it might not be a great idea.  But we do have a while until
> the next meetup is planned, so there is time to reconsider and think
> about whether we can find a way to preserve the focus of the group
> while still welcoming new people to the community.

Organizing a conference takes some time and thus we would need to start
with it soon.  In case people would agree to come again to Germany I
have an idea whom to ask to run such a conference.

> Although my politics and yours align, I think it might be a strategic
> mistake to exclude the closed-source folks from these discussions...

The GNU towers expect me to talk like this - but I am not always wearing
my GNUhat ;-)


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Generating GnuPG S/MIME key pair

2015-04-27 Thread Dan Bryant
TL;DR: gpgsm import fails with "no issuer found in certificate"

I'm trying to generate a key-pair for GnuPG S/MIME strictly for
instructional reasons.  I'll concede that I'm using a weak CA, but I'm
trying to imagine how the CA maintainers do this task as well.  So, for my
instruction, I'm trying to do the following:

I started off just wanting to create a GnuPG S/MIME key-pair.  I soon found
out that gpgsm requires key-pairs to be externally signed by a CA.  So now
I'm trying to do the whole process: make-key, sign-key, import-key.

   1. Create a CA with a new RSA key-pair (OpenSSL)
   2. Generate a new GnuPG S/MIME key-pair (gpgsm)
   3. Sign the GnuPG S/MIME key-pair with my fictitious CA above (openssl)
   4. Import the now signed GnuPG S/MIME key-pair into my gpgsm key-ring.

So in theory I thought this should work, but I've botched it somewhere along
the way.  Again... this is for INSTRUCTIONAL purposes.  I realize a self
signed CA is about as secure as a post-it on a monitor.  Trying to learn...

Here's what I tried (for those unfamiliar with Windows, the '^' is a line
continuation).

-- gpgsm
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem
gpgsm --gen-key > unsigned.pem
gpg-protect-tool --p12-export ^
   %appdata%\gnupg\private-keys-v1.d\{keygrip_from_prev_gen_key_cmd}.key ^
   > kgfpgkc.p12
openssl pkcs12 -in kgfpgkc.p12 -nocerts -out kgfpgkc.pem
openssl x509 -x509toreq -signkey kgfpgkc.pem ^
   -in unsigned.pem -out unsigned.csr
openssl x509 -req -CA rootCA.pem -CAkey rootCA.key -CAcreateserial ^
   -in unsigned.csr -out signed.pem -days 500
gpgsm --import signed.pem
-- Output
gpgsm: no issuer found in certificate
gpgsm: basic certificate checks failed - not imported
gpgsm: no issuer found in certificate
gpgsm: basic certificate checks failed - not imported
gpgsm: ksba_cert_hash failed: No value
gpgsm: total number processed: 2
gpgsm:   not imported: 2


So... Why did the issuer check fail?  Do I need to import my fake CA (tried
that)?  If so, how?  Is there an option to provide a PEM to serve as the
root CA (like Python)?  Also tried copying rootCA.pem to com-certs.pem, but
no luck.


Re: Generating GnuPG S/MIME key pair

2015-04-27 Thread Dan Bryant
OK... I found some very old posts about this... don't know how much still holds.
  -- https://lists.gnupg.org/pipermail/gnupg-devel/2011-June/026126.html

This guide says:
1. Convert rootCA.pem to rootCA.der
2. Place rootCA.der in dirmngr\trusted-certs
3. Ensure rootCA.der has revocation URL (??can disable??)
4. Add rootCA.der fingerprint to trustlist.txt
5. Restart dirmngr service and gpg-agent

Don't know... you think that will work?

BTW.. Here's the versions of the previously mentioned utilities:
- OpenSSL 1.0.2a 19 Mar 2015
- gpg-protect-tool (GnuPG) 2.0.27 (Gpg4win 2.2.4)
- gpgsm (GnuPG) 2.1.3


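The two preceding messages describe the same procedure twice: the OpenSSL command sequence that ends in "no issuer found in certificate", and the five-step guide (DER copy of the root CA for dirmngr, fingerprint in trustlist.txt). The script below is an added example and is not code from the thread, from GnuPG or from OpenSSL; it builds a private test CA, issues a leaf certificate, and then checks the field gpgsm reports missing (a non-empty issuer DN that equals the CA's subject DN), verifies the chain, and produces the DER file and SHA-1 fingerprint the guide's steps 1 and 4 call for. Where the post uses `gpgsm --gen-key` for the certificate request (it writes a PKCS#10 request), the request is produced here with `openssl req` so the script runs without GnuPG installed, and the request is handed straight to `openssl x509 -req` rather than through `-x509toreq`, which expects a certificate as its input. As a contrast case it also builds a chain whose CA was created with an empty subject, so that the empty issuer shows up in the checks. All DNs, file names and the temporary work directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the gnupg-users thread: build a private test
# CA, issue a leaf certificate and check the fields gpgsm complains about.
# The post makes the certificate request with "gpgsm --gen-key" (a PKCS#10
# request); here "openssl req" makes it so the script runs without GnuPG.
# All DNs, file names and the work directory are constructed for the example.
set -eu

WORK="$(mktemp -d)"
CA_SUBJ="/O=Example Test CA/CN=Example Test Root"   # constructed DN
LEAF_SUBJ="/CN=alice@example.org"                   # constructed DN

# Step 1: CA key pair plus self-signed CA certificate. The -subj matters:
# this subject becomes the issuer name of every certificate the CA signs.
make_ca() {  # make_ca <dir> <subject-dn>
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 365 \
        -subj "$2" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# Step 2: leaf key pair and PKCS#10 request (what "gpgsm --gen-key" writes).
make_request() {  # make_request <dir> <subject-dn>
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -subj "$2" -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
}

# Step 3: sign the request with the CA. The request goes to "x509 -req"
# directly; "-x509toreq" expects a certificate, not a request.
sign_request() {  # sign_request <dir>
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 365 -out "$1/leaf.pem" 2>/dev/null
}

# Issuer or subject DN of a certificate, without the "issuer="/"subject=" prefix.
dn_of() {  # dn_of <issuer|subject> <cert.pem>
    openssl x509 -noout "-$1" -in "$2" | sed 's/^[a-z]*= *//'
}

# Check 1: the issuer DN must not be empty. A CA created with an empty
# subject ("/", a NULL-DN) propagates that emptiness into every leaf's issuer.
issuer_nonempty() {  # issuer_nonempty <leaf.pem>
    [ -n "$(dn_of issuer "$1")" ]
}

# Check 2: the leaf's issuer DN must equal the CA certificate's subject DN.
issuer_matches_ca() {  # issuer_matches_ca <leaf.pem> <ca.pem>
    [ "$(dn_of issuer "$1")" = "$(dn_of subject "$2")" ]
}

# Check 3: the chain must verify against the CA.
chain_verifies() {  # chain_verifies <leaf.pem> <ca.pem>
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Material for the gpgsm side: the CA as DER (for dirmngr's trusted-certs
# directory) and its SHA-1 fingerprint (the value trustlist.txt refers to).
ca_der() {  # ca_der <ca.pem> <ca.der>
    openssl x509 -in "$1" -outform DER -out "$2"
}
ca_fingerprint() {  # ca_fingerprint <ca.pem>  -> 40 hex digits, no colons
    openssl x509 -noout -fingerprint -sha1 -in "$1" | sed 's/^.*=//; s/://g'
}

build_chain() {  # build_chain <dir> <ca-subject-dn>
    mkdir -p "$1"
    make_ca "$1" "$2"
    make_request "$1" "$LEAF_SUBJ"
    sign_request "$1"
}

report() {  # report <dir>
    if issuer_nonempty "$1/leaf.pem" && issuer_matches_ca "$1/leaf.pem" "$1/ca.pem" \
        && chain_verifies "$1/leaf.pem" "$1/ca.pem"; then
        echo "$1: OK, issuer '$(dn_of issuer "$1/leaf.pem")', CA fingerprint $(ca_fingerprint "$1/ca.pem")"
    else
        echo "$1: FAILED, leaf issuer is '$(dn_of issuer "$1/leaf.pem")'"
    fi
}

GOOD="$WORK/good"; BAD="$WORK/bad"
build_chain "$GOOD" "$CA_SUBJ"   # proper chain
build_chain "$BAD" "/"           # CA with a NULL-DN subject: leaf issuer comes out empty
ca_der "$GOOD/ca.pem" "$GOOD/ca.der"
report "$GOOD"
report "$BAD"
```

The generated files stay under the temporary directory so they can be inspected afterwards. Once the good chain reports OK, the remaining steps are the ones the guide lists: import the CA and the leaf with `gpgsm --import`, and record the CA's fingerprint in trustlist.txt with the flag `S` (the entry format is in the gpg-agent manual). For a private CA that publishes no CRL distribution point, `gpgsm --disable-crl-checks` skips the dirmngr revocation lookup; that is the switch behind the "can disable?" question in step 3 of the guide.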


Re: Generating GnuPG S/MIME key pair

2015-04-27 Thread Dan Bryant
Getting closer... The DirMngr stuff is totally required.  Got that out
of the way (added rootCA to the right dirmngr stuff).

Now I'm scrubbing the logs and it looks like DirMngr is complaining
because I didn't timestamp any of my custom certs.  Any "--ignore_ts"
or similar option to bypass this message?
dirmngr[7276] command 'VALIDATE' failed: No value

On to 
http://stackoverflow.com/questions/21297139/how-do-you-sign-certificate-signing-request-with-your-certification-authority
although I might have to shelve this for a few days at this point.

Call / Text: 281.760.4296


