Re: Automating and integrating GPG

[Andreas Heinlein]

Am 20.09.2017 um 09:02 schrieb Werner Koch:
> On Mon, 18 Sep 2017 23:45, d...@fifthhorseman.net said:
>
>> I don't know how much smartcard interaction gpgme supports, though.
> Everything you need.  Have a look at GPA's smartcard features.  I assume
> it is the most advanced GUI to handle the OpenPGP card as well as
> several other cards.  For example it includes full support for the
> Telesec card with their NullPIN feature.
Interesting. I haven't found anything smartcard related in the GPGME
docs. I am really not good at C, but I took a look at the sources of
GPA, specifically the change_pin function in cm-openpgp.c, and it looks
like GPA is using assuan protocol through gpgme here:

char command[100];
snprintf (command, sizeof command, "SCD PASSWD%s %d",
 reset_mode? " --reset":"", pinno+1);
err = gpgme_op_assuan_transact_ext (gpgagent, command,
  
NULL, NULL, NULL, NULL, NULL, NULL,
   &operr);

I hadn't thought of that possibility. Python-GPG should support this,
too - take a look at assuan.py in the examples folder. But I haven't yet
found any documentation of the assuan commands you need here.
This probably isn't as easy as a Python programmer might expect...

Andreas


signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Houston, we have a problem

[Stefan Claas]

Hi all,

http://pgp.zdv.uni-mainz.de:11371/pks/lookup?op=vindex&search=Erika+Mustermann

Question for the experts, how can a casual or new GnuPG user, like Alice
and Bob, detect a Signature forgery on a pub key, when using Web based
key servers?

Note for native English speakers, Erika Mustermann is well known among
german users, same as Jon Doe.

Regards
Stefan


-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Houston, we have a problem

[Robert J. Hansen]

> Question for the experts, how can a casual or new GnuPG user, like Alice
> and Bob, detect a Signature forgery on a pub key, when using Web based
> key servers?

By remembering that anyone can create a key claiming to be anyone, and
that seeing a signature allegedly from Werner (or anyone) means
absolutely nothing until and unless you've verified the signing
certificate actually belongs to him.

Key validation -- ensuring a key really belongs to who it says -- is an
important step.  It cannot be skipped.  It is not optional.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Automating and integrating GPG

[Werner Koch]

On Thu, 21 Sep 2017 11:03, aheinl...@gmx.com said:

> Interesting. I haven't found anything smartcard related in the GPGME
> docs. I am really not good at C, but I took a look at the sources of

Yes, it is a generic interface to make a core libassuan function (which
is already used by gpgme) available as GPGME API.  The actual API to the
smartcard daemon is Assuan based and there is not much documentation than
the reference you get when running

  $ gpg-connect-agent
  > scd help

this lists all smartcard commands.  gpg-agent intercepts some of the
calls to provide a Pinentry but despite of this the "scd " prefix
forwards all command to scdaemon.

> I hadn't thought of that possibility. Python-GPG should support this,
> too - take a look at assuan.py in the examples folder. But I haven't yet

GPGME's Python interface supports this.  Here is code from the
distributed example:

--8<---cut here---start->8---
"""Demonstrate the use of the Assuan protocol engine"""

From __future__ import absolute_import, print_function, unicode_literals
del absolute_import, print_function, unicode_literals

import gpg

with gpg.Context(protocol=gpg.constants.protocol.ASSUAN) as c:
# Invoke the pinentry to get a confirmation.
err = c.assuan_transact(['GET_CONFIRMATION', 'Hello there'])
print("You chose {}.".format("cancel" if err else "ok"))
--8<---cut here---end--->8---


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


pgp6viIPhWFSJ.pgp
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: OT: Which smartphone would you use

[Thomas Hejze]

Hi Dotan,


Am Montag, 18. September 2017, 19:55:49 CEST schrieb Dotan Cohen:
> The answer pretty much depends on what smartphone features you are
> looking for. Do you need to run a web browser? Email integration?


well first of all I would like to make phone calls.

I use kdepim for contacts, calendar and email, so kdepim should run on it or 
at least be syncable.

And gnupg should run on it. And yes, a secure browser, too.

Everything else is a nice-to-have. So I guess Linux is the OS of choice. 
Hardware is anything-that-runs-on-Linux.

I know it is possible to jailbreak  an Android phone, the question is how 
difficult is this (for me).

Best regards.

Thomas

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: OT: Which smartphone would you use

[Thomas Hejze]

Am Montag, 18. September 2017, 20:13:14 CEST schrieb Matthias Apitz:
> >> I'm using for more than two years an Ubuntu phone BQ E4.5. The
> >> project was
> >> driven by Canonical and BQ as the hardware OEM. The project
> >> died in March of
> >> this year, but is now moved to a community of OpenSource entusiast. 

> >   Wasn't there also at least one company in Europe selling the
> > 
> > Ubuntu phones?
> 
> Yes, as I said BQ.com

Unfortunately their hardware dos not seem to support Ubuntu any more. I found 
the "Ubuntu Edition" under "obsolete models", even a cyanogen edition, but all 
their current models run on Android. The rest of their homepage is all 
marketing gibberish as it is the use, nowadays.

Best regards

Thomas



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: OT: Which smartphone would you use

[Matthias Apitz]

El día jueves, septiembre 21, 2017 a las 07:09:01p. m. +0200, Thomas Hejze 
escribió:

> Am Montag, 18. September 2017, 20:13:14 CEST schrieb Matthias Apitz:
> > >> I'm using for more than two years an Ubuntu phone BQ E4.5. The
> > >> project was
> > >> driven by Canonical and BQ as the hardware OEM. The project
> > >> died in March of
> > >> this year, but is now moved to a community of OpenSource entusiast. 
> 
> > >   Wasn't there also at least one company in Europe selling the
> > > 
> > > Ubuntu phones?
> > 
> > Yes, as I said BQ.com
> 
> Unfortunately their hardware dos not seem to support Ubuntu any more. I found 
> the "Ubuntu Edition" under "obsolete models", even a cyanogen edition, but 
> all 
> their current models run on Android. The rest of their homepage is all 
> marketing gibberish as it is the use, nowadays.

Look for second hand devices of the BQ "Ubuntu Edition" (BQ does not
produce nor sell them anymore). Such devices you could reflash to the
software available at ubports.com

matthias
-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/  ☎ 
+49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
8 de mayo de 1945: Quien no festeja perdió la Guerra.
May 8, 1945: Who does not celebrate lost the War.


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: OT: Which smartphone would you use

[Thomas Hejze]

Am Dienstag, 19. September 2017, 13:44:53 CEST schrieb Andreas Ronnquist:

> 
> If I had the money, I would pledge for one of these:
> 
> https://puri.sm/shop/librem-5/
> 


That project looks promising, however, I fear I am not able to spend $924.000 
for my smartphone ;-)

Anyway that is what I am looking for, I hope they will make it. Nevertheless, 
even then it will take at least one year for them to bring their product to 
the market.

Looking at Tizen, Jolla, Firefox OS and Ubuntu Touch, I start to worry for the 
future of Open Source. Isn't there a business case for a FOSS smartphone?

Best regards
Thomas

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: OT: Which smartphone would you use

[Matthias Apitz]

El día jueves, septiembre 21, 2017 a las 06:54:43p. m. +0200, Thomas Hejze 
escribió:

> Hi Dotan,
> 
> 
> Am Montag, 18. September 2017, 19:55:49 CEST schrieb Dotan Cohen:
> > The answer pretty much depends on what smartphone features you are
> > looking for. Do you need to run a web browser? Email integration?
> 
> 
> well first of all I would like to make phone calls.
> 
> I use kdepim for contacts, calendar and email, so kdepim should run on it or 
> at least be syncable.
> 
> And gnupg should run on it. And yes, a secure browser, too.

I have ported gpg2 and the password storage manger 'pass' to my Ubuntu
phone BQ E4.5. I'm still working on the pcscd daemon to get the
GnuPG-card working in the phone. The tricky part is that you normally can
not install or compile additional software in the root file system of
the device (because it's mounted for good reasons read-only). You must
setup an additional complete system and chroot to it. If you later want
to run such compiled/installed software from outside the chroot, you
must set LD_IBRARY_PATH (...) so the software can find its stuff, for
example in a small shell wrapper script:

cat gpg2.sh
#!/bin/sh

LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/home/phablet/myRoot/usr/lib/arm-linux-gnueabihf
export LD_LIBRARY_PATH
/home/phablet/myRoot/usr/bin/gpg-agent --homedir /home/phablet/.gnupg \
   --use-standard-socket --daemon \
   --pinentry-program /home/phablet/myRoot/usr/bin/pinentry-curses
/home/phablet/myRoot/usr/bin/gpg-connect-agent /bye
PATH=$PATH:myRoot/usr/bin export PATH
/home/phablet/myRoot/usr/bin/gpg2 $*

This way I have gpg2 and pass working. I can SSH into the phone (or do
the same on the terminal-app) and run: 

$ ssh phablet@ubphone
Welcome to Ubuntu 15.04 (GNU/Linux 3.4.67 armv7l)

phablet@ubuntu-phablet-bq:~$

phablet@ubuntu-phablet-bq:~$ ls -l .password-store/web/bla.gpg
-rw--- 1 phablet phablet 356 Sep 20 12:58 .password-store/web/bla.gpg
phablet@ubuntu-phablet-bq:~$

phablet@ubuntu-phablet-bq:~$ ./pass.sh web/bla

   
┌┐
   │ Please enter the passphrase to unlock the secret key for the OpenPGP 
certificate:  │
   │ "Matthias Apitz "
│
   │ 2048-bit RSA key, ID 76254069, 
│
   │ created 2017-09-20 (main key ID CBE83911). 
│
   │
│
   │
│
   │ Passphrase 
___ │
   │
│
   │  
  │
   
└┘

abc123
Username: g...@unixarea.de


-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/  ☎ 
+49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
8 de mayo de 1945: Quien no festeja perdió la Guerra.
May 8, 1945: Who does not celebrate lost the War.


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Houston, we have a problem

[Stefan Claas]

On Thu, 21 Sep 2017 10:55:26 -0400, Robert J. Hansen wrote:
> > Question for the experts, how can a casual or new GnuPG user, like
> > Alice and Bob, detect a Signature forgery on a pub key, when using
> > Web based key servers?  
> 
> By remembering that anyone can create a key claiming to be anyone, and
> that seeing a signature allegedly from Werner (or anyone) means
> absolutely nothing until and unless you've verified the signing
> certificate actually belongs to him.
> 
> Key validation -- ensuring a key really belongs to who it says -- is
> an important step.  It cannot be skipped.  It is not optional.

Thanks for your reply. Let's assume the following: You would be also
a german national, we both are friends and would have bad things in
mind...

I issue now fake signatures (from a german CA) to our fake keys* and
then we would start some bad business on the Internet. How could
customers, not pros like all you guys here on the list, could verify
that we both are the persons the keys/signatures are claiming?

* Due to my stupidness i no longer have access to my passphrase
nor can i find my rev cert, in case someone would use my key,
which i used here for signing previous post from me.

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Houston, we have a problem

[Ralph Seichter]

On 21.09.17 20:49, Stefan Claas wrote:

> How could customers, not pros like all you guys here on the list,
> could verify that we both are the persons the keys/signatures are
> claiming?

Legal identification is required. Since you are German, you can use
https://www.heise.de/security/dienste/Wie-kann-ich-mitmachen-474837.html
as a reference for how this can be done.

-Ralph

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Houston, we have a problem

[Stefan Claas]

On Thu, 21 Sep 2017 21:11:17 +0200, Ralph Seichter wrote:
> On 21.09.17 20:49, Stefan Claas wrote:
> 
> > How could customers, not pros like all you guys here on the list,
> > could verify that we both are the persons the keys/signatures are
> > claiming?  
> 
> Legal identification is required. Since you are German, you can use
> https://www.heise.de/security/dienste/Wie-kann-ich-mitmachen-474837.html
> as a reference for how this can be done.

Hi Ralph,

i am well aware of Heise's CA, because an old pub key of mine bears a
sig3 from them. The thing is someone could issue a fake sig3 from
Heise's CA key to someone else's pub key, without that that customers
would detect it, nor Heise would know it, until of course they would
see the keys in question. I don't know if CA's here in Germany scan
key servers for their issued signatures.

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Houston, we have a problem

[Ralph Seichter]

On 21.09.17 21:38, Stefan Claas wrote:

> The thing is someone could issue a fake sig3 from Heise's CA key to
> someone else's pub key, without that that customers would detect it,
> nor Heise would know it, until of course they would see the keys in
> question.

I'm not certain what problem you see that has not been around for as
long as PGP/GPG exists? You can only ever be certain of a signature if
you have personally verified the signing key and the signer's identity.
That's why the default owner trust level is "unknown" (not trusted).

-Ralph

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Passphrases no longer found in keyring

[Brad Zynda]

Hello,

Wanted to follow forward with the below topic here as Patrick from
Enigmail suggested.

Quick Summary: CentOS 7 1708 enigmail/pinetry now asks for passphrase
all the time which was not the behavior prior to the recent update.


Thanks,
Brad


Yeah just ran through all the troubleshooting stuff and all works as
expected.

Pop up box with hello

key passhrase prompt and completion with gpg2 --sign

no errors

Will get in touch with the gnupg folks

Thanks,
Brad

On 09/21/2017 02:00 PM, Patrick Brunschwig wrote:
> This really looks like some issue with gpg-agent (as if it were started
> by gpg each time something needs to be done).
>
> I can only recommend you to check our troubleshooting guide for gpg-agent:
> https://www.enigmail.net/index.php/en/faq-en?view=topic&id=14
>
> If that doesn't help, you better ask for help at the GnuPG mailing list.
>
> -Patrick
>
> On 21.09.17 14:42, Brad Zynda wrote:
>> Here is the conf:
>>
>> # GPGConf disabled this option here at Thu 14 Sep 2017 10:10:58 AM EDT
>> # default-cache-ttl 300
>> # GPGConf disabled this option here at Thu 14 Sep 2017 10:10:58 AM EDT
>> # max-cache-ttl 99
>> ###+++--- GPGConf ---+++###
>> default-cache-ttl 86400
>> max-cache-ttl 864000
>> ###+++--- GPGConf ---+++### Thu 14 Sep 2017 10:21:45 AM EDT
>> # GPGConf edited this configuration file.
>> # It will disable options before this marked block, but it will
>> # never change anything below these lines.
>> use-standard-socket
>> enable-ssh-support
>> ~
>>
>> The 2 at the bottom were added to try and fix the issue based on forum
>> and mail list replies I had found, i can remove those if not needed.
>>
>>
>> Thanks,
>> Brad
>>
>> On 09/21/2017 08:36 AM, Patrick Brunschwig wrote:
>>> You need to check the following two settings in gpg-agent.conf. The
>>> values are in seconds. Standard default is 5 minutes, but Linux
>>> distributions may choose to use different defaults.
>>>
>>> default-cache-ttl
>>> max-cache-ttl
>>>
>>> -Patrick
>>>
>>> On 21.09.17 14:28, Brad Zynda wrote:
 Hi Patrick,

 Sorry I never received the first response I will look at the timeout
 settings, any in particular?

 and will ps auxx gpg-agent.

 Thanks,
 Brad

 On 09/21/2017 08:22 AM, Patrick Brunschwig wrote:
> On 21.09.17 14:09, Brad Zynda wrote:
>> Hello
>>
>> With Centos 7.4 (1708) enigmail now constantly asks for a passphrase
>> (Pinetry-gtk-2) box.
>>
>> Thunderbird 52.3.0 64bit
>> Enigmail 1.9.8.2
>>
>> Added use-standard-socket to .gnupg/gpg-agent.conf and rebooted,
didn't
>> help.
>>
>> tried a fresh install of thunderbird and enigmail, created new keys,
>> still asking for passphrase constantly.
>
> I already replied to your first email on 09/17. Did you follow my
advice?
>
>  This either means that the timeout settings are not correct, or that
>  gpg-agent is terminated after every operation. You can check the
latter
>  doing "ps ax | grep gpg-agent".
>
> -Patrick
>
>
>
>>>
>>>
>
>

___
enigmail-users mailing list
enigmail-us...@enigmail.net
To unsubscribe or make changes to your subscription click here:
https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Houston, we have a problem

[Stefan Claas]

On Thu, 21 Sep 2017 21:59:26 +0200, Ralph Seichter wrote:
> On 21.09.17 21:38, Stefan Claas wrote:
> 
> > The thing is someone could issue a fake sig3 from Heise's CA key to
> > someone else's pub key, without that that customers would detect it,
> > nor Heise would know it, until of course they would see the keys in
> > question.  
> 
> I'm not certain what problem you see that has not been around for as
> long as PGP/GPG exists? You can only ever be certain of a signature if
> you have personally verified the signing key and the signer's
> identity. That's why the default owner trust level is "unknown" (not
> trusted).

Well, call me a stupid Mac dummie, but how in the world could GnuPG
users , living in different areas verify that? As one more example i
give name here  Governikus CA.

If someone would issue a fake sig3 from Governikus to someone
else how could you, for example, verify that the sig3 is from
Governikus?

https://pgp.governikus-eid.de/pgp/

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Houston, we have a problem

[Robert J. Hansen]

> I'm not certain what problem you see that has not been around for as
> long as PGP/GPG exists? You can only ever be certain of a signature if
> you have personally verified the signing key and the signer's identity.
> That's why the default owner trust level is "unknown" (not trusted).

About 25 years ago I first saw the suggestion that signatures from
unvalidated certificates should simply not be visible to the end-user,
as a signature from an unvalidated certificate is meaningless and the
risk of people believing "oh, Frank (or whoever) signed this!" is so high.

(A command of --list-all-sigs would need to be added, to force display
of signatures from unvalidated certificates.)

I've thought it was a good idea ever since I first saw it.  I have
always been in a distinct minority, though...

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Houston, we have a problem

[Robert J. Hansen]

> If someone would issue a fake sig3 from Governikus to someone
> else how could you, for example, verify that the sig3 is from
> Governikus?

By validating Governikus's certificate.

You seem to be asking the same question (and getting the same answer)
over and over again.  Perhaps try a different phrasing?  Or is it that
the answer isn't clear?


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Houston, we have a problem

[Stefan Claas]

On Thu, 21 Sep 2017 16:16:12 -0400, Robert J. Hansen wrote:
> > If someone would issue a fake sig3 from Governikus to someone
> > else how could you, for example, verify that the sig3 is from
> > Governikus?  
> 
> By validating Governikus's certificate.

Do i understand you right, i validate Werner's pub key and when
i get a signed email from Erika Mustermann the sig should be then
o.k. from her, because i signed Werner's key?
 
> You seem to be asking the same question (and getting the same answer)
> over and over again.  Perhaps try a different phrasing?  Or is it that
> the answer isn't clear?

I'm sorry! Let me say one last word. If i would be a programmer of
software like GnuPG, my software would not allow to receive unwanted
signatures on my pub key, nor would it allow that someone else can
fake a sig on someone else's pub key with my key-id.

Good night and best regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Houston, we have a problem

[Ralph Seichter]

On 21.09.17 22:11, Stefan Claas wrote:

> > You can only ever be certain of a signature if you have personally
> > verified the signing key and the signer's identity.
>
> Well, call me a stupid Mac dummie, but how in the world could GnuPG
> users , living in different areas verify that?

They can't. That's one of the reasons the "web of trust" is a tricky
concept. Among all of the people I know to use PGP, I trust only two to
verify both key fingerprints and identities as thoroughly as I do. That
means I usually have to jump through hoops to verify stuff myself, and
that only works for people I have personally met (and checked their
Personalausweis or what have you). My web of trust is almost non-existent.
Yours might be extensive. It all depends on what you verify yourself and
who else you trust to verify. As Robert wrote, you seem to keep rehashing
the same issue, and an old one at that.

> https://pgp.governikus-eid.de/pgp/

You mean there are people who actually use Online-PA, and trust the BSI
on top of that? You're kidding, right? ;-) I neither care nor trust what
Governikus signs. I've been providing IT security services for decades,
and find it extremely hard to trust others in this field, based on my
own experience.

-Ralph


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Houston, we have a problem

[Stefan Claas]

On Thu, 21 Sep 2017 22:38:06 +0200, Ralph Seichter wrote:
> On 21.09.17 22:11, Stefan Claas wrote:
> 
> > > You can only ever be certain of a signature if you have personally
> > > verified the signing key and the signer's identity.  
> >
> > Well, call me a stupid Mac dummie, but how in the world could GnuPG
> > users , living in different areas verify that?  
> 
> They can't. That's one of the reasons the "web of trust" is a tricky
> concept. Among all of the people I know to use PGP, I trust only two
> to verify both key fingerprints and identities as thoroughly as I do.
> That means I usually have to jump through hoops to verify stuff
> myself, and that only works for people I have personally met (and
> checked their Personalausweis or what have you). My web of trust is
> almost non-existent. Yours might be extensive. It all depends on what
> you verify yourself and who else you trust to verify. As Robert
> wrote, you seem to keep rehashing the same issue, and an old one at
> that.

Thank you for your detailed point of view.

> > https://pgp.governikus-eid.de/pgp/  
> 
> You mean there are people who actually use Online-PA, and trust the
> BSI on top of that? You're kidding, right? ;-) I neither care nor
> trust what Governikus signs. I've been providing IT security services
> for decades, and find it extremely hard to trust others in this
> field, based on my own experience.

Well, i used once their service to obtain a sig3. I think under normal
circumstances this would be a better idea to check if a Personalausweis
is valid or fake, assuming GnuPG Signatures could be used in the future
for online business, because then "carefully" crafted WoT signatures
would have imho no weight in the business world.

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Houston, we have a problem

[Ralph Seichter]

On 21.09.17 22:13, Robert J. Hansen wrote:

> About 25 years ago I first saw the suggestion that signatures from
> unvalidated certificates should simply not be visible to the end-user
> [...]

Yeah, that would be one way to make these sigs less obvious. Of course
it does not solve the underlying issue, but for the layman it might be
an improvement.

-Ralph

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Houston, we have a problem

[Robert J. Hansen]

> Do i understand you right, i validate Werner's pub key and when
> i get a signed email from Erika Mustermann the sig should be then
> o.k. from her, because i signed Werner's key?

No.  When you see something claiming to be Werner's sig on Erika's
certificate, ask yourself:

* Is it correct?
* Does the signing cert really belong to Werner?
* Do you trust Werner?

If you can positively answer all three questions 'yes', then you should
trust it.  Otherwise, you shouldn't.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Houston, we have a problem

[Daniel Kahn Gillmor]

On Thu 2017-09-21 22:37:38 +0200, Stefan Claas wrote:
> I'm sorry! Let me say one last word. If i would be a programmer of
> software like GnuPG, my software would not allow to receive unwanted
> signatures on my pub key

The way the universe works is that once data is public, other data might
refer to that public data, and even the person who created the first bit
of data can't prevent it.

An OpenPGP certificate is, at minimum:

 * a public primary key K
 * a User ID U
 * a signature from K that binds U to K

Once this data is published, anyone with a different key X can make a
new certification, which also claims that U is correctly bound to K.
This is what "signing a key" means.

Your choice of software implementation can't prevent those third-party
certifications from being produced, nor from being published, nor can it
prevent other people's software from discovering them and making
inferences based on them.

There are some good (and some bad) arguments that software capable of
interpreting OpenPGP certificates should only accept third-party
certifications that the first-party (the party being certified) has
explicitly endorsed, which might come close to meeting your requirement
here.  But no one has spec'ed out exactly how to do that or written such
a constraint, and existing OpenPGP software will continue to exist even
if new (improved) software is developed and distributed.

> nor would it allow that someone else can fake a sig on someone else's
> pub key with my key-id.

If by "key-id" you mean your actual public key, then the cryptography
behind OpenPGP does actually enforce this already.  It's not believed to
be possible to forge an OpenPGP signature from any reasonably strong
modern OpenPGP key.

If by "key-id" you mean the 32-bit long thing like "D21739E9", then
there's no way to cryptographically secure that -- it's just too
low-entropy.  I've written elsewhere about why key ids are bad:

https://debian-administration.org/users/dkg/weblog/105

Hope this helps to clear things up,

 --dkg


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Houston, we have a problem

[Ralph Seichter]

On 21.09.17 22:37, Stefan Claas wrote:

> If i would be a programmer of software like GnuPG, my software would
> not allow to receive unwanted signatures on my pub key, nor would it
> allow that someone else can fake a sig on someone else's pub key with
> my key-id.

If you can solve the design problem of having a decentralised key
infrastucture, the ability for everyone to create and sign keys without
third party involvement, and the detection/prevention of "fake" sigs
(whatever fake may mean), I'm sure we all would be interested. ;-)

-Ralph

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Houston, we have a problem

[Stefan Claas]

On Thu, 21 Sep 2017 17:06:18 -0400, Robert J. Hansen wrote:
> > Do i understand you right, i validate Werner's pub key and when
> > i get a signed email from Erika Mustermann the sig should be then
> > o.k. from her, because i signed Werner's key?  
> 
> No.  When you see something claiming to be Werner's sig on Erika's
> certificate, ask yourself:
> 
>   * Is it correct?
>   * Does the signing cert really belong to Werner?
>   * Do you trust Werner?
> 
> If you can positively answer all three questions 'yes', then you
> should trust it.  Otherwise, you shouldn't.

I can only say now i don't know if i should ever "trust" signatures
again on someone else's pub key, because in the past i have had only
communicated with people i did not know personally. And with
Erika's key example while trusting Werner's key i don't like the
idea when clicking in the Web interface on Werner's key-id that
it leads to Werner's key. That's all what i can say now. I better
should start now using my class3 S/MIME certificate...

Regards
Stefan


-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Houston, we have a problem

[Stefan Claas]

On Thu, 21 Sep 2017 23:11:23 +0200, Ralph Seichter wrote:
> On 21.09.17 22:37, Stefan Claas wrote:
> 
> > If i would be a programmer of software like GnuPG, my software would
> > not allow to receive unwanted signatures on my pub key, nor would it
> > allow that someone else can fake a sig on someone else's pub key
> > with my key-id.  
> 
> If you can solve the design problem of having a decentralised key
> infrastucture, the ability for everyone to create and sign keys
> without third party involvement, and the detection/prevention of
> "fake" sigs (whatever fake may mean), I'm sure we all would be
> interested. ;-)

Long ago when we had a discussion here on the Mailing List on
how to prevent unwanted signatures i made a proposal that
signing someone's public key should work similar to revocation
certificates. If you would like to sign my pub key you had to
send me a, let's call it, Signature Request Certificate, if i accept
it i enter my passphrase and then the Software would extract
the needed signature bits from the request cert and add those
bits to my pub key. Like i said i'm no programmer and can't
therefore test if such a feature proposal would work.

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Houston, we have a problem

[Stefan Claas]

On Thu, 21 Sep 2017 17:05:35 -0400, Daniel Kahn Gillmor wrote:

> If by "key-id" you mean the 32-bit long thing like "D21739E9", then
> there's no way to cryptographically secure that -- it's just too
> low-entropy.  I've written elsewhere about why key ids are bad:
> 
> https://debian-administration.org/users/dkg/weblog/105
> 
> Hope this helps to clear things up,

Yes, i was referring to those bits and thanks for your other
detailed explanation.

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: OT: Which smartphone would you use

[MFPA]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512



On Thursday 21 September 2017 at 6:33:40 PM, in
, Thomas Hejze wrote:-

> I start to worry for the
> future of Open Source. Isn't there a business case
> for a FOSS smartphone?

I think Fairphone  tries, but they still
have proprietary hardware drivers. "Made using conflict-free
minerals."

Too dear for me (529 euros from Fairphone themselves, 465 GBP new or
385 GBP refurbished from .


- --
Best regards

MFPA  

When duty calls...hang up immediately
-BEGIN PGP SIGNATURE-

iNUEARYKAH0WIQSWDIYo1ZL/jN6LsL/g4t7h1sju+gUCWcQ9D18UgAAuAChp
c3N1ZXItZnByQG5vdGF0aW9ucy5vcGVucGdwLmZpZnRoaG9yc2VtYW4ubmV0OTYw
Qzg2MjhENTkyRkY4Q0RFOEJCMEJGRTBFMkRFRTFENkM4RUVGQQAKCRDg4t7h1sju
+jmUAQDxchKAt309STLCAkGJTgEckUP7bB5r7UfrnovnogJRdQEA1ZkuiAVY8O3s
1cQfq6UukipLzxPPiQctndaZzUJ0NAGJApMEAQEKAH0WIQRSX6konxd5jbM7JygT
DfUWES/A/wUCWcQ9D18UgAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0NTI1RkE5Mjg5RjE3Nzk4REIzM0IyNzI4MTMw
REY1MTYxMTJGQzBGRgAKCRATDfUWES/A/7jvEACkLELN+gDQ4eMUddi+F8uB6ol9
srnKEDF0WtgEXLP40RaQDZkTbV3AtxLZh+vjoDUhaV2jHzUHZSizEcCbvhc3M5gK
yoZaAEBERJ41l/vTQ2Fz/4uUo8CyVudnLOt/1XY1N9qafS2XD29HKACMpN5wPfa0
IPB6jmKrv0Rb3Btrb/KnVGbukkiyPB09Ranut4X7UsnZTl8t7c1A37m6jGFT4e0/
dRNB38IN7LHcFL/nbdg3Jq0KIXLJ/B8KsHdNlg4o6Lf47n3VFh2tlFO+C6fiyhWe
DN/Yp/ZKKe8SybNkXopUv3cAnsb3aKfRkV6zXPURzj7lMiB43fwJex53NOBmanka
pU5j7o7LmZzz6N02cSA/R59F9psTrjd1X51rpyQP+oK4hTJFvqRb2Dyr4Gw32etP
D4ToJpqNZgck+JtNXjXr4BXsMLC2h3B1jjYF405nN4jqN6e9uP7WEwk4712GhSjP
kbd39BxZMGb+CNisIFmkmt1MlMcw1xK5mTw97J8l3MbZWkFcz/epnBFE65WEw8h9
9/jMLS/he+hZF5yv9YGYv+r6VXx0glRHosMRcW/w56UKgxK0VfGVgfzRVHL2sgdr
vxLESshqGwJx8agFVSDxuPf/VFlnkq0KyGPZkrqArJSTqmrGqH/dBRLQJB079oC7
kH80lDwaoFhRu4JGxg==
=Dr8t
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

automatic conversion from keyring to keybox files?

[MFPA]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512



Now that the upgrade path for GnuPG 2.0.x users is to 2.2.x versions, will be 
there any automatic conversion from keyring to keybox
files, either offered by the installer or available as a command?



- --
Best regards

MFPA  

Don't cry because it is over - smile because it happened
-BEGIN PGP SIGNATURE-

iNUEARYKAH0WIQSWDIYo1ZL/jN6LsL/g4t7h1sju+gUCWcRBdF8UgAAuAChp
c3N1ZXItZnByQG5vdGF0aW9ucy5vcGVucGdwLmZpZnRoaG9yc2VtYW4ubmV0OTYw
Qzg2MjhENTkyRkY4Q0RFOEJCMEJGRTBFMkRFRTFENkM4RUVGQQAKCRDg4t7h1sju
+q0DAP49k3V/xfx9yCSC6hrQEEPUdqhcsZL2+jLQEtNFnLVW7wEApFUrtbW80Ijx
dKrnc5qoSWN42HQk+TZNQK+SAQqcwwGJApMEAQEKAH0WIQRSX6konxd5jbM7JygT
DfUWES/A/wUCWcRBdF8UgAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0NTI1RkE5Mjg5RjE3Nzk4REIzM0IyNzI4MTMw
REY1MTYxMTJGQzBGRgAKCRATDfUWES/A/1MLEACFmmyebuYeT0Suoo8YAED7cnp8
YqNawt7CGcs1ShJCPWVQJtCjyT44DylsrM3h7kB+dZPy79SYK2gOuv7rIpbdIP8H
LpHOQfxf1nlRo54OAAi8vxA18Rb3e2KIvPsHR+ZawBK9zcnaIRp4yLsJPuHqqbWD
56hP8IoIDT+S+6IqMxTJ+eXhNo6x/6u5YzCWtTRuRy4TZl/702Dp+W4SJiqSe/Rj
4d6TG0/IhB66wvxSQooPNcUVxt/1M9n13/203uNdhU2VjlKfq12OekLzJF13ohf+
NVHIbaii0F7SADr2fI8Ru0GRAwHesFt08KMDA3i8mtSE7HDLebAfLM9sg0A+iwDr
mJeZ0s/gdP/s74pZQKF+FNOcsr7xLMJGdyURHQmX+6mhlc7MaYgPERb8GtYTzx58
JDn8/3qPrNGhiKEVtvfLQAE77FpdSg3UP7sBJkWZXd1pze0SAMrlCghNwSiedha/
DDqDw21OKTCFwyuF1HPvRWZvEyLMIjll0QAgGbXqapYKNVHitMYCv0y6WByk1QO3
9fCReVj8xMdFZhneB0W3eZt3VrKkuvxEfEzAqt4YoJ2bn4G948DlH/rdeOGYXbQc
L5+7LMxBI9JxIjjfHKBmHd2JwlZ6Q+YizNLfFJLLUJvv4BX3GZXTnjtdfNcMcuWu
Rd7Z+hfqIsNtAhKbrg==
=ZpxC
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Houston, we have a problem

[Ángel]

On 2017-09-21 at 23:37 +0200, Stefan Claas wrote:
> Long ago when we had a discussion here on the Mailing List on
> how to prevent unwanted signatures i made a proposal that
> signing someone's public key should work similar to revocation
> certificates. If you would like to sign my pub key you had to
> send me a, let's call it, Signature Request Certificate, if i accept
> it i enter my passphrase and then the Software would extract
> the needed signature bits from the request cert and add those
> bits to my pub key. Like i said i'm no programmer and can't
> therefore test if such a feature proposal would work.
> 
> Regards
> Stefan


Nope. This would solve the case of «Key of legitimate user signed by
fake user»¹ but not «Fake user signed by another fake user», which is
the problem.


¹ Assuming the legitimate one would notice and not allow his key to be
signed by the evil one, which is no problem, actually.


The proposal would be technically feasible (invalidating all existing
signatures, and probably conflicting with local sigs, but feasible).
However, it wouldn't solve the underlying problem.

Best




___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Prince Jones v US

[Robert J. Hansen]

Good news for US citizens: _Prince Jones v US_ was decided Thursday.
The important text from the opinion is recreated here, and the
implications for encrypted email follow.

* * * * *

But in addition to the fact that people reasonably value and hope to
protect the privacy of their location information, what necessitates our
conclusion is the _method_ by which the government obtained the location
information in this case. Unlike in a situation in which the government
determines a person's location through visual surveillance or by
employing the older generation of tracking devices, it cannot be argued
that "the information obtained by [the government] in this case was ...
readily available and in the public view". The cell-site simulator
employed in this case gave the government a powerful person-locating
capability that private actors do not have and that, as explained above,
the government itself had previously lacked -- a capability only
superficially analogous to the visual tracking of a suspect. And the
simulator's operation involved exploitation of a security flaw in a
device that most people now feel obligated to carry with them at all
times. Allowing the government to deploy such a powerful tool without
judicial oversight would surely "shrink the realm of guaranteed privacy"
far below that which "existed when the Fourth Amendment was adopted". It
would also place an individual in the difficult position either of
accepting the risk that at any moment his or her cellphone could be
converted into tracking device or of forgoing "necessary use of" the
cellphone. We thus conclude that under ordinary circumstances, the use
of a cell-site simulator to locate a person through his or her cellphone
invades the person's actual, legitimate, and reasonable expectation of
privacy in his or her location information and is a search.

* * * * *

The above is taken from the opinion -- citations omitted.  But it
appears to me this logic is immediately applicable to many different
kinds of surveillance: namely, if it involves security flaws in common
everyday technologies which millions of Americans entrust with their
secrets and who really cannot reasonably avoid using... then it needs a
warrant.

The implications for electronic privacy in the United States should be
clear.  This is a really good development.  :)

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users