Re: Obituary for Artikel 10 Grundgesetz on GnuPG website

2016-02-05 Thread Sam Pablo Kuper
On 05/02/16 03:56, Matthias Mansfeld wrote:
> On 5 Feb 2016 at 0:36, Sam Pablo Kuper wrote:
>> "Article 10 of the German constitution (communication privacy) is not
>> anymore with us."
>>
>> I would be grateful to know what happened (on 18 December 2015) to
>> prompt the posting of this statement on the GnuPG website.
> 
> This is the day when new (I say old zombie) data retention laws in 
> Germany came into force (... again...)
> 
> Article 10 of our Grundgesetz (= "German Constitution") used to cover 
> privacy in telecommunication and generally all digital communication, 
> "Fernmeldegeheimnis", but this seems to be more and more worthless 
> with these old, new laws
> 
> http://www.vorratsdatenspeicherung.de/content/view/46/42/lang,en/
> https://de.wikipedia.org/wiki/Vorratsdatenspeicherung
> https://en.wikipedia.org/wiki/Telecommunications_data_retention (the 
> last one is outdated...)

Thank you!

- spk

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: FAQ maintenance

2016-02-05 Thread Peter Lebbing
On 04/02/16 09:56, Robert J. Hansen wrote:
> What say y'all?

When the GnuPG default was not to show the key usage, I would have said:
unnecessary detail. In my opinion, in a very broad sense, the FAQ should be
aimed at people sticking to the defaults, not the people who tinker.

But now GnuPG shows the key usage by default. Personally, I would probably think
"usage: SC? What is it telling me?". The GNU Privacy Handbook doesn't seem to
mention it. The GnuPG 2.1 manual is not what I consider a guide for beginners,
it's more of a reference. But anyway, I don't see it there either. I just
quickly browsed through these two documents.

I do think it should be documented in a document that a beginner ought to read.
I don't know if it belongs in the FAQ; I would be equally satisfied with it
being in the GNU Privacy Handbook. How well maintained is this latter document
anyway?

My 2 cents,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 


Re: FAQ maintenance

2016-02-05 Thread Robert J. Hansen
> When the GnuPG default was not to show the key usage, I would have said:
> unnecessary detail. In my opinion, in a very broad sense, the FAQ should be
> aimed at people sticking to the defaults, not the people who tinker.

Let me put on the maintainer hat and speak ex cathedra a moment: The FAQ
is aimed at Qs that are F Aed.  The answers it provides are aimed at new
and/or casual users, not tinkerers, and this focus will not change.
Once a FAQ becomes a tinkering manual, the content explodes and so does
the size of the maintainer's job.  For my own sanity, I won't let it
become a tinkering guide.

> I do think it should be documented in a document that a beginner ought to 
> read.
> I don't know if it belongs in the FAQ; I would be equally satisfied with it
> being in the GNU Privacy Handbook.

I suspect the FAQ is appropriate.  If we're going to present information
to new users, we should anticipate them having questions about it.

> How well maintained is [the GNU Privacy Handbook] anyway?

It's not, as near as I can tell.  Some of their GnuPG examples are from
version 0.9.4, which is 17 years old.  One would think periodic
maintenance would have led to these examples being updated.  For that
reason, my suspicion is it's unmaintained.

Further, I can't recall the last time I saw the maintainer (Mike Ashley)
post here.


Re: Glossary. Please add definitions to a Glossary...

2016-02-05 Thread Peter Lebbing
On 04/02/16 19:20, st...@mailbox.org wrote:
> Yes, that would be useful, and the wiki is the right place to publish it.

There's already a list of terms in the FAQ as well. "Signature" is not in it,
but I don't think that's a Frequently Asked Question. The other word Don Saklad
asked, "key", is there already.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 


GNU Privacy Handbook

2016-02-05 Thread Robert J. Hansen
Looking over the GNU Privacy Handbook, it's clear it hasn't received any
maintenance in a decade or more.  According to it, DSA is limited to
1024-bit keys, RSA gets almost no mention, SKS gets no mention, and
users are led to use the (closed-source, non-synchronizing) PGP
Corporation keyserver.

IMO, the GPH needs to be taken down.  Documentation that badly out of
date does no one any good.  At the very least it needs top-to-bottom
revisions.

If Mike Ashley is no longer maintaining the GNU Privacy Handbook, I'm
willing to take on the job.


Re: GNU Privacy Handbook

2016-02-05 Thread Peter Lebbing
On 05/02/16 12:01, Robert J. Hansen wrote:
> IMO, the GPH needs to be taken down.

I agree. I was composing a mail on the subject when I started... eh... composing
a different mail on a different subject ;).

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 


Re: FAQ maintenance

2016-02-05 Thread Peter Lebbing
On 05/02/16 00:25, da...@gbenet.com wrote:
> A list of do's and don'ts

Don't use --expert

> - weird and impracticable keys

... Don't use --expert ;P

> common sense usage - common sense

Stick to the defaults

> things to put in your gpg.conf :)

keyserver ...

And that's it.

Really. Having a look at my own gpg.conf, there are two more things:

default-key ...
use-agent

And those should not be needed for normal users, who only have a single key (I
have a bunch of test keys to play with), and only use GnuPG 2.1 (I use 1.x to
help people here on the list who use it).

Like I said in the mail I just sent: in my opinion, in a very broad sense, the
FAQ should be aimed at people sticking to the defaults, not the people who
tinker. GnuPG is already more than complicated enough without drowning people in
unnecessary detail. The defaults are reasonable; you should stick to them until
you have very good reason not to. Otherwise it is very easy to shoot yourself in
the foot. Or get lost and give up.

So I don't think those things you mention should be in the FAQ. In fact, "things
to put in gpg.conf" would seem directly opposed to:

> 8.1 Does GnuPG need to be ‘tuned’ before use?
> 
> No. GnuPG has sensible defaults right out of the box. You don’t need to
> tune GnuPG before you can use it.
(from the FAQ)

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 


Re: FAQ maintenance

2016-02-05 Thread Peter Lebbing
On 03/02/16 21:12, Robert J. Hansen wrote:
> Beyond that, if there's anything
> you've always thought the FAQ should mention, now's a great time to
> suggest it.  :)

I just notice section 8.19. It says to verify a download:

> gpg foo.zip.asc

As became clear in this[1] discussion, you should always specify the file to be
verified, as in "gpg foo.zip.asc foo.zip".

Section 8.20 supposes GnuPG <2.1, by the way, since it plays around with the
fact that --export uses the same format as a keyring. I think it should be
rephrased to use --import instead of using the output of --export as a keyring.

Furthermore, I think a reasonably often asked question is "Why can't I provide
the password in a pipe to GnuPG anymore?". Old 1.4 allowed this, but 2.0 is
incapable of it and 2.1 needs a loopback pinentry. But of course, the answer
could instead say that it is very unlikely that it is more secure than just not
using a passphrase.

I don't have time right now to actually supply the text to use for these things,
sorry.

HTH,

Peter.

[1] https://lists.gnupg.org/pipermail/gnupg-users/2014-November/051333.html

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 


Re: FAQ maintenance

2016-02-05 Thread Peter Lebbing
On 05/02/16 11:55, Peter Lebbing wrote:
> In fact, "things to put in gpg.conf" would seem directly opposed to:

Okay, I take that back, since section 8.7 clearly shows options you could put in
gpg.conf :).

Regarding that section, I think

> # Always add these two certificates to my recipients list.
> encrypt-to 23806BE5D6B98E10
> encrypt-to 1DCBDC01B44427C7

should be rephrased to use fingerprints, not long key IDs.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 


Re: FAQ maintenance

2016-02-05 Thread Robert J. Hansen
> Okay, I take that back, since section 8.7 clearly shows options you could put 
> in
> gpg.conf :).

I confess to some slight misdirection here.  Is that a valid gpg.conf
file?  Sure.  Will it get someone in trouble?  Probably not.  But is it
needed?  Not really.  :)

> Regarding that section, I think
> 
>> # Always add these two certificates to my recipients list.
>> encrypt-to 23806BE5D6B98E10
>> encrypt-to 1DCBDC01B44427C7
> 
> should be rephrased to use fingerprints, not long key IDs.

What's the justification?



Re: FAQ maintenance

2016-02-05 Thread Peter Lebbing
On 05/02/16 13:06, Robert J. Hansen wrote:
> What's the justification?


If somebody can create a long key ID collision, and you download your own key by
that key ID and also import the other one, they might be able to be the one that
gets "encrypted-to", I think? Another way to get on your keyring is when someone
attaches "their" public key to an e-mail and you click import.

If I just specify a key ID as encrypt-to in my gpg.conf, I don't get a warning
like "It is NOT certain that the key belongs to the person", it just encrypts to
a key with unknown validity without giving so much as a peep! So the usual
"collisions are not a problem because the key is invalid" doesn't apply. You're
stuck with the much weaker "your own key will probably be first in the keyring,
so it will use that". I don't feel comfortable with such a weak assurance.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 


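To make concrete why Peter's objection applies to key IDs but not to fingerprints, here is an added Python example (not from the FAQ, the thread, or GnuPG's own code) that computes a v4 fingerprint the RFC 4880 way, derives the long and short key IDs from it, and resolves an encrypt-to specifier against a constructed keyring that contains a fabricated colliding entry. The toy RSA modulus, both keyring entries and the lookup logic are constructed assumptions that simplify what GnuPG does; they are not its implementation.

```python
import hashlib
import struct


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def v4_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version-4 RSA public-key packet (RFC 4880 5.5.2): version 4,
    creation time, algorithm id 1 (RSA), then the MPIs n and e.
    The key material passed in below is constructed, not a real key."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the two-octet body length and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    return fingerprint[-16:]  # the long key ID is just the low 64 bits of the fingerprint


def resolve(keyring: list, spec: str) -> list:
    """Return every keyring entry a specifier could designate, in keyring order.
    A 40-hex fingerprint must match exactly; a 16-hex (long) or 8-hex (short)
    key ID only has to match the fingerprint's suffix, so a colliding key is a
    candidate too, and whichever comes first in the keyring wins."""
    spec = spec.upper()
    if spec.startswith("0X"):
        spec = spec[2:]
    if len(spec) == 40:
        return [k for k in keyring if k["fpr"] == spec]
    if len(spec) in (8, 16):
        return [k for k in keyring if k["fpr"].endswith(spec)]
    raise ValueError("specifier must be a fingerprint or a key ID")


# Constructed sample keyring: my key's fingerprint is computed from a toy RSA
# packet; the impostor's fingerprint is fabricated to share the last 16 hex
# digits, standing in for a long key ID collision (this is not a real collision).
MY_FPR = v4_fingerprint(v4_public_key_body(n=(1 << 1023) + 12345, e=65537, created=1454630400))
IMPOSTOR_FPR = "0" * 24 + long_key_id(MY_FPR)
KEYRING = [
    {"fpr": MY_FPR, "uid": "me@example.org"},
    {"fpr": IMPOSTOR_FPR, "uid": "imported key with colliding key ID (constructed)"},
]

if __name__ == "__main__":
    print("encrypt-to by long key ID:", [k["uid"] for k in resolve(KEYRING, long_key_id(MY_FPR))])
    print("encrypt-to by fingerprint:", [k["uid"] for k in resolve(KEYRING, MY_FPR)])
```

Run as written, the key ID lookup yields both entries and the fingerprint lookup yields only mine; swap the two keyring entries and the key ID lookup would pick the impostor first.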

Re: FAQ maintenance

2016-02-05 Thread Robert J. Hansen
> If somebody can create a long key ID collision...

That seems to be a big 'if' right now.  Short collisions are easy; long
ones are nontrivial.  Or did I miss something?


Re: FAQ maintenance

2016-02-05 Thread Peter Lebbing
On 05/02/16 13:34, Robert J. Hansen wrote:
> Or did I miss something?

No, I don't think so. But I was under the impression that for a while now,
people were generally advised not to rely on the uniqueness of long key IDs.
And since this seems to be all you rely on with encrypt-to, key validity not
being a factor, it seems unwise to me. But it's your FAQ (and your gpg.conf
apparently ;). And since I just stipulated the implications as far as I see
them, I accept your judgement of the situation.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 


GnuPG 2.1 how to delete card based secret key ?

2016-02-05 Thread Oleg Gurevich
Hi @all,

With GnuPG modern (2.1) I can't delete a secret key based on a smartcard anymore.
Is there a known workaround?

By calling: gpg --delete-secret-key ABCDEF123
...
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
gpg: deleting secret key failed: Not possible with a card based key
gpg: deleting secret subkey failed: Not possible with a card based key
gpg: deleting secret subkey failed: Not possible with a card based key
gpg: ABCDEF123: delete key failed: Not possible with a card based key



Kind regards/ best regards/ best regards

Oleg Gurevich

PGP fingerprint: 38A0 D0CC BD23 1707 B0AF  D158 E9D7 6E3F E74A 0B0C

Re: GnuPG 2.1 how to delete card based secret key ?

2016-02-05 Thread Oleg Gurevich
... to delete the key from the keyring

Kind regards/ best regards/ sincerely yours

Oleg Gurevich


PGP fingerprint: 38A0 D0CC BD23 1707 B0AF  D158 E9D7 6E3F E74A 0B0C

> On 05 Feb 2016, at 19:36, Peter Lebbing  wrote:
> 
>> On 05/02/16 15:08, Oleg Gurevich wrote:
>> With GnuPG modern (2.1) I can't delete a secret key based on a smartcard 
>> anymore. Is there a known workaround?
> 
> Do you want the key off your keyring or off your smartcard?
> 
> Peter.
> 
> -- 
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at 



Re: GnuPG 2.1 how to delete card based secret key ?

2016-02-05 Thread Peter Lebbing
On 05/02/16 15:08, Oleg Gurevich wrote:
> With GnuPG modern (2.1) I can't delete a secret key based on a smartcard 
> anymore. Is there a known workaround?

Do you want the key off your keyring or off your smartcard?

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 
