Re: Explicit command for particular behavior
On Tue, 12 Sep 2017 21:07, r...@splintermail.com said:

> gpg --export --armored some_key_id > keyfile

(Please try to use the fingerprint instead of the key_id.)

> But then I wanted perform some basic checks on the file submitted, and I
> found this fantastic behavior:
>
> cat keyfile | gpg --with-colons --with-fingerprints

There is actually a better way since 2.1.23:

  gpg --with-colons --import-options show-only --import

___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Re: [Feature Request] Multiple level subkey
> Such a thing already exists, at least here in Italy: CIE/CNS. X509-based certs.

Exactly, this is what started the idea; we have no power over those certificates to revoke them, and I have no idea if a new certificate is issued if you lose your document. What I found out is that the CA seems to be region-based, so I will have to track all of them. If you know something more, I am very interested to hear it; all the info I got is pieces found here and there. I also hope the same applies in the rest of the EU, since AFAIK that certificate is on the European Health Insurance Card.

BUT, of course, using a card reader is not possible, especially if we think of the smartphone as the main device. So it would be nice if somehow the certificate could sign (and revoke! that is also important!) a "normal" key that is stored on the phone and acts as the main key that generates the subkeys for all the applications requiring one. All the applications save the user by the "certificate" identity, so even when changing key the user is automatically recognized. Do you think this is feasible and I should research in this direction?

> Anyway that's something that IMVHO does not fit well with GPG.

Can you explain why? Also, I said in my first email I am not sure this is the right place, but I didn't know anywhere else to have this discussion, so tips in this regard are also appreciated.
Re: Re: [Feature Request] Multiple level subkey
> Until and unless you present a usability study involving 100+ people composing
> a representative sample of an identifiable community, you don't know a thing.

*I think* is NOT *I know*. I may be wrong: I don't care. First of all I want to implement this for myself, and if I'm right and it is something that people like, that is good for them. I will expose my reasoning instead; unfortunately I don't have the resources or knowledge for a full study.

- Smartphones have outnumbered PCs since 2011 (http://www.marketwatch.com/story/one-chart-shows-how-mobile-has-crushed-pcs-2016-04-20)
- Smartphones are already carried every day by most people owning them (http://www.nydailynews.com/life-style/addicted-phones-84-worldwide-couldn-single-day-mobile-device-hand-article-1.1137811)
- Smartphones have NFC, BT, WiFi, making contactless payment or key exchange extremely easy, convenient, and fast. In fact, I know payment and even public transport access by NFC is already a reality. (no source needed, I hope)
- Smartphones are easy to lose or get stolen (45% of 18-24 year olds have lost at least one phone according to https://www.statista.com/statistics/241365/us-cell-phone-users-whose-device-has-been-lost-or-stolen-by-age-group/)
- Many smartphones are not safe (http://thehackernews.com/2016/08/hack-android-phone.html)
- Some documents in different countries already come with a personal certificate/key bound to the person

My idea is to make it possible for the everyday user to add/manage new services with a main password (by using the level 2 key, encrypted), accessing services eventually passwordless (level 3 key), but in case of the loss of the device, reissue all certificates in an automatic fashion on the new device, starting from the safe key describing the original identity (level 1).

Now, from the *user* point of view, I think we can all agree that the reissuing of the key is quite a pain, and having a safe way to do it automatically is quite nice. But no stat on that.

On the server side, we already have something going in the right direction with OpenID (but I don't think it can be made transparent-compatible; that is another big discussion).

> And without exception, not one has been successful.

Better one more try than one less.

> Househusband. English has used this word since 1858.

TIL

> They may lack sophisticated technical skills, but that's not the same as being
> foolish or clueless.

But my target is not fools or the clueless; my target is whoever is lacking the technical skill. For those people it is all about convenience; 50% of Android users do NOT lock the phone (https://www.elie.net/blog/survey-most-people-dont-lock-their-android-phones-but-should). Since Apple implemented Touch ID, they say >80% of users use it. (http://appleinsider.com/articles/16/04/19/average-iphone-user-unlocks-device-80-times-per-day-89-use-touch-id-apple-says) This, in my opinion, is exactly the target: make the deployment of the key easier, especially in case of device loss (aka level 2 and 3 keys compromised).

> Your "average internet user" is a 1940s-style way of thinking. We need to do
> better than that.

Then explain FB, Google, YouTube, Amazon... all of them do NOT provide a great deal of personalization, if at all. UX, usability, all is about creating an "average user" out of your target audience, and making things work for most of them. It is extremely hard to do, but now we have much more literature.
Re: [Feature Request] Multiple level subkey
>> Your "average internet user" is a 1940s-style way of thinking. We need to do
>> better than that.
>
> Then explain FB, google, youtube, amazon... all of them does NOT
> provide a great deal of personalization, if at all.

They all provide intensely personalized experiences. Just because they don't expose the dials and switches to you doesn't mean they don't exist.

As an example: Google Chrome scans the content of webpages you visit, and uses that to guide autocomplete in the search bar. Your autocomplete settings are automatically personalized based on your browsing history with no user intervention needed.

Automatic personalization of user experience based on the software learning the user's behavior is pretty much the gold standard in UX design nowadays. It's a commendable goal and worth pursuing.
Re: Unable to sign or decrypt with card
Philip Jackson wrote:
> I have the log file which I attach.
>
> It shows a number of reports of the same error (lines 89,91,97,99,101)
> ERR 83886254 Unknown option , before it asks me for the pin
> (line 111). It says 'confidential data not shown' three times but I only
> entered the pin once.
>
> Can you determine anything from this ?

Not much. It fails just after sending a command to the card. It seems that there is some communication problem between host and card reader.

How does 'gpg --card-status' work?

You can try to debug scdaemon by having .gnupg/scdaemon.conf:
=
debug-level guru
debug-all
verbose
debug-ccid-driver
log-file /run/user/1000/scd.log
=

Here is what we can see in your log.

> 2017-09-11 18:10:21 gpg-agent[8972] gpg-agent (GnuPG) 2.1.11 started
[...]

gpg-agent started.

> 2017-09-11 18:10:22 gpg-agent[8972] no running SCdaemon - starting it
[...]

And then, scdaemon started after PKDECRYPT command from gpg to gpg-agent.

> 2017-09-11 18:10:22 gpg-agent[8972] DBG: chan_7 -> SERIALNO
> 2017-09-11 18:10:22 gpg-agent[8972] DBG: chan_7 <- S SERIALNO D2760001240102052870 0
> 2017-09-11 18:10:22 gpg-agent[8972] DBG: chan_7 <- OK
[...]

Card works fine to answer its serial number.

> 2017-09-11 18:10:22 gpg-agent[8972] DBG: chan_7 -> PKDECRYPT OPENPGP.2
> 2017-09-11 18:10:22 gpg-agent[8972] DBG: chan_7 <- INQUIRE NEEDPIN ||Please enter the PIN
> 2017-09-11 18:10:22 gpg-agent[8972] starting a new PIN Entry
[...]

gpg-agent asks PKDECRYPT command to scdaemon, and scdaemon inquires PIN for the authentication.

> 2017-09-11 18:10:22 gpg-agent[8972] DBG: chan_8 -> SETDESC Please enter the PIN
> 2017-09-11 18:10:22 gpg-agent[8972] DBG: chan_8 <- OK
> 2017-09-11 18:10:22 gpg-agent[8972] DBG: chan_8 -> SETPROMPT PIN
> 2017-09-11 18:10:22 gpg-agent[8972] DBG: chan_8 <- OK
> 2017-09-11 18:10:22 gpg-agent[8972] DBG: chan_8 -> [[Confidential data not shown]]
> 2017-09-11 18:10:23 gpg-agent[8972] SIGUSR2 received - updating card event counter
> 2017-09-11 18:10:30 gpg-agent[8972] DBG: chan_8 <- [[Confidential data not shown]]
> 2017-09-11 18:10:30 gpg-agent[8972] DBG: chan_8 <- [[Confidential data not shown]]
> 2017-09-11 18:10:30 gpg-agent[8972] DBG: chan_8 -> BYE
[...]

This is interaction between pinentry and gpg-agent. SIGUSR2 (it means: a card is found) comes from scdaemon to gpg-agent, because scdaemon periodically checks if card is inserted.

> 2017-09-11 18:10:30 gpg-agent[8972] DBG: chan_7 -> END
> 2017-09-11 18:10:30 gpg-agent[8972] DBG: chan_7 <- ERR 100663395 Operation cancelled
> 2017-09-11 18:10:30 gpg-agent[8972] DBG: chan_7 -> CAN
> 2017-09-11 18:10:30 gpg-agent[8972] DBG: chan_7 <- ERR 100663571 Unknown IPC command
> 2017-09-11 18:10:30 gpg-agent[8972] smartcard decryption failed: Operation cancelled
> 2017-09-11 18:10:30 gpg-agent[8972] command 'PKDECRYPT' failed: Operation cancelled
> 2017-09-11 18:10:30 gpg-agent[8972] DBG: chan_6 -> ERR 100663395 Operation cancelled
[...]

gpg-agent sends the PIN to scdaemon (until "END"), and I think that scdaemon sends command to the card through card reader. But it fails.

There are two ways to access card reader for GnuPG. One is through PC/SC, and another is internal CCID driver of GnuPG. If it doesn't work well with PC/SC, it's worth trying the internal CCID driver (or vice versa).

--
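The numbers in the `ERR` lines of such a log are libgpg-error values, and decoding them tells you which component raised the error before you start swapping card-reader backends. The following is an added example, not code from the thread or from GnuPG: it splits each value into its source (bits 24-30) and error code (low 16 bits), the layout of `gpg_error_t`, and groups the results by Assuan channel. The source and code tables are a partial excerpt of libgpg-error's lists, covering the three values quoted above plus a few neighbours; anything outside them is printed numerically rather than guessed. The log lines at the bottom are constructed in the shape of the quoted ones (the channel the "Unknown option" error appeared on in the real log is not shown in the thread, so its placement on chan_8 here is an assumption).

```python
"""Decode libgpg-error values found in a gpg-agent/scdaemon debug log.

Added example (not from the original thread). gpg_error_t packs an error
source in bits 24-30 and an error code in the low 16 bits; the Assuan
"ERR <number> <text>" lines carry exactly such a value.
"""
import re
from collections import defaultdict

SOURCE_SHIFT, SOURCE_MASK, CODE_MASK = 24, 0x7F, 0xFFFF

# Excerpt of gpg-error's source and code enumerations (assumed partial tables).
SOURCES = {0: "UNKNOWN", 1: "GCRYPT", 2: "GPG", 3: "GPGSM", 4: "GPGAGENT",
           5: "PINENTRY", 6: "SCD", 7: "GPGME", 8: "KEYBOX", 9: "KSBA",
           10: "DIRMNGR"}
CODES = {0: "NO_ERROR", 1: "GENERAL", 11: "BAD_PASSPHRASE", 87: "BAD_PIN",
         99: "CANCELED", 174: "UNKNOWN_OPTION", 175: "UNKNOWN_COMMAND",
         275: "ASS_UNKNOWN_CMD"}

ERR_LINE = re.compile(r"(chan_\d+) <- ERR (\d+)\s*(.*)")

def decode(err):
    """Return (source name, code name) for a numeric gpg_error_t value."""
    source = (err >> SOURCE_SHIFT) & SOURCE_MASK
    code = err & CODE_MASK
    return (SOURCES.get(source, f"source#{source}"), CODES.get(code, f"code#{code}"))

def scan_log(text):
    """Map each Assuan channel to the decoded errors it returned, in log order."""
    found = defaultdict(list)
    for line in text.splitlines():
        m = ERR_LINE.search(line)
        if m:
            found[m.group(1)].append(decode(int(m.group(2))))
    return dict(found)

# Constructed excerpt shaped like the log quoted in the thread.
SAMPLE_LOG = """\
2017-09-11 18:10:22 gpg-agent[8972] DBG: chan_8 <- ERR 83886254 Unknown option
2017-09-11 18:10:22 gpg-agent[8972] DBG: chan_8 <- OK
2017-09-11 18:10:30 gpg-agent[8972] DBG: chan_7 <- ERR 100663395 Operation cancelled
2017-09-11 18:10:30 gpg-agent[8972] DBG: chan_7 -> CAN
2017-09-11 18:10:30 gpg-agent[8972] DBG: chan_7 <- ERR 100663571 Unknown IPC command
"""

if __name__ == "__main__":
    for chan, errs in scan_log(SAMPLE_LOG).items():
        print(chan, errs)
```

Run against the three values from the quoted log this gives 83886254 = (PINENTRY, UNKNOWN_OPTION), 100663395 = (SCD, CANCELED) and 100663571 = (SCD, ASS_UNKNOWN_CMD), which matches the text gpg-agent printed next to them. The `gpg-error` command-line tool that ships with libgpg-error does the same lookup with its full tables (`gpg-error 100663395`).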