Re: gnupg-pkcs11 status & future

2016-02-28 Thread Werner Koch
On Fri, 26 Feb 2016 16:02, pe...@digitalbrains.com said:

>> Rotating does only make sense if you take the old key soon offline.
>
> Why is this the case? I must admit I'm fairly comfortable not rotating
> my keys (which are on OpenPGP smartcards). But I can think of lines of

I personally agree in the case of smartcard stored keys.  The OP
requested that feature for smartcards and I can see no use case for this
unless the old key will be removed from the smartcard after some time.

The threat model would be based on the premise that keys can be extracted
from a smartcard with some effort and an offline stored or deleted key
is more safe.


Salam-Shalom,

   Werner


-- 
Thoughts are free.  Exceptions are regulated by a federal law.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Are ZLIB and ZLIB2 no longer supported in GnuPG?

2016-02-28 Thread Werner Koch
On Fri, 26 Feb 2016 20:23, anth...@cajuntechie.org said:

> options in my .conf file. Specifically, it told me that ZLIB and ZLIB2
> weren't supported as compression algos.

You need to install a zlib development package before building GnuPG so
that it can add support for this.  You may also want to add bzlib2
support.

On a Debian-based system:  apt-get install zlib1g-dev  libbz2-dev

> compile flag that I didn't pass it? If they aren't supported, are there
> any security or usability implications to only using ZIP for compression?

As with most compression algorithms you are subject to DoS because it is
possible to create a very small compressed file which will expand into a
huge output.  (Use --max-output to mitigate such attacks.)


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
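
The output-cap idea behind the --max-output advice above, as an added example that is not part of the original message and is not GnuPG's code: a Python sketch that inflates untrusted zlib data but stops once a byte budget is exceeded. The names bounded_decompress and OutputLimitExceeded are hypothetical, and the sample input is constructed.

```python
import zlib

class OutputLimitExceeded(Exception):
    """The stream would inflate past the caller's output cap."""

def bounded_decompress(data: bytes, max_output: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate a zlib stream, producing at most max_output bytes.

    Hypothetical helper for illustration; it mirrors the idea of an
    output cap, not GnuPG's implementation of --max-output.
    """
    d = zlib.decompressobj()
    out = bytearray()
    buf = data
    while not d.eof:
        # Request at most one byte past the remaining budget: enough to
        # detect an overflow without ever inflating the whole stream.
        budget = max_output - len(out) + 1
        piece = d.decompress(buf, min(chunk, budget))
        if not piece and not d.unconsumed_tail and not d.eof:
            raise ValueError("truncated zlib stream")
        out += piece
        if len(out) > max_output:
            raise OutputLimitExceeded(f"output exceeds {max_output} bytes")
        buf = d.unconsumed_tail
    return bytes(out)

def demo():
    # Constructed sample: 10 MB of zero bytes deflates to roughly 10 KB.
    packed = zlib.compress(b"\0" * 10_000_000, 9)
    try:
        bounded_decompress(packed, max_output=1_000_000)
        capped = False
    except OutputLimitExceeded:
        capped = True
    return len(packed), capped

if __name__ == "__main__":
    size, capped = demo()
    print(f"compressed size: {size} bytes, cap enforced: {capped}")
```
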




Re: gnupg-pkcs11 status & future

2016-02-28 Thread Werner Koch
On Sat, 27 Feb 2016 09:29, martin.kon...@erfrakon.com said:

> Please allow me to mention that many smartcards disallow cleartext export of 
> keys generated on the card while also don't allow to import cleartext private 
> keys.

Actually it is a core feature of all smartcards that you can't extract
the private key.

Importing of keys is also a very common feature, although this is often
done by the issuer during the personalization stage.

> But this is not a backup issue as most cards also allow for n-of-m threshold 

Nope, unless you have a different definition of MOST.  There is also the
problem of API based attacks for such complex card APIs.  For example
the 4758, which had very advanced private key management features, could
be cracked by such an attack.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: gnupg-pkcs11 status & future

2016-02-28 Thread Peter Lebbing
On 28/02/16 09:46, Werner Koch wrote:
> The threat model would be based on the premise that keys can be extracted
> from a smartcard with some effort and an offline stored or deleted key
> is more safe.

Ah, that makes sense, thanks for the clarification!

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 
