Re: Attacks on encrypted communication rising in Europe

2016-08-24 Thread martin
On 24/08/16 15:37, Robert J. Hansen wrote:
> I find the current state of detente to be pretty good, actually.  We're
> allowed to design the best systems we can, and governments are allowed
> to discover where we're not as clever as we think we are.  If there's a
> flaw in Tor and the FBI uses it to pierce anonymity and go after a bad
> guy, I can get behind that.  Way to go, FBI, you did it right, now
> please hold on while we figure out how you did this and write a patch to
> keep you from doing it again.
> 
> I guess you could say my preferred solution to the crypto wars is to
> encourage an ongoing escalating crypto arms race.  It's crazy, but it
> seems to work.

For my €0.02 I think the above is mostly valid bar 2 small details:

1. Seldom do we find the FBI breaking security of anonymity tools. Only
if a high profile case shows up or someone leaks it. I think it is even
more rare for the FBI to outright disclose the vulnerability they used
so it can be patched. I don't even know if the other 3 letter agencies
do it.

2. Crypto arms race also implies stockpiling vulnerabilities -
something Bruce Schneier is very vocal about [1][2]. I think the answer
here is to find a balance of some sort - i.e. keep vulnerabilities in
rare cases for short periods of time and then disclose and patch them.
However for that to work we need to trust the govt. to do the right
thing. Which I think is pretty much the core issue that started this
discussion.

Regards,
Martin

[1] Hacking Team, Computer Vulnerabilities, and the NSA -
https://www.schneier.com/blog/archives/2015/09/hacking_team_co.html
[2] Disclosing vs. Hoarding Vulnerabilities -
https://www.schneier.com/blog/archives/2014/05/disclosing_vs_h.html



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


gpg 1.4.16 Windows - version info

2014-02-19 Thread Martin
Hi

Just installed GnuPG 1.4.16 for Windows (on XP over here).

gpg --version
gpg (GnuPG) 1.4.16

Now I see in the signed messages that the version information about
GnuPG is very short:

Version: GnuPG v1

Bug or feature?

-- 
Beste Grüsse,
 Martin  mailto:msch...@gmail.com




How to back up my key

2013-07-15 Thread Martin
Hello everyone,

I'm new to GPG and unfortunately, the longer I browse the internet and read
about the topic, the less I know :(

I would like to hear your opinions on this setup:

1. I have turned my Raspberry Pi into my super secure offline computer.
This system will never be connected to the internet, it uses a keyboard
which I have bought only for this system and both, the RPi and the keyboard
will be locked into my safe. So: No malware, no keyloggers (hardware and
software).

2. I will create my GPG keys on this system and store them on a USB drive
inside a TrueCrypt container. I will carry that drive with me all the time.
I think it's not even necessary to put the keys into a TrueCrypt container
since they are encrypted as well but in case I lose the drive and someone
finds it, he would not immediately know what kind of content he is dealing
with and would probably just delete the stuff.

3. I would like to have further backups of that drive, who knows, it might
get damaged some day and I don't want to lose my key that way.

My questions are the following:

a) Do you see any flaws in that setup?

b) If I assume that my everyday laptop is infested with spyware and
keyloggers (which I don't believe), all my precautions are useless, aren't
they? In order to mount the TrueCrypt volume I have to enter the password
and in order to encrypt/decrypt mails, I have to enter the password for my
GPG key. A spy would now know my password and maybe even be able to
download my key, wouldn't he? Does that mean, I can only encrypt/decrypt
messages on my offline machine, then copy them on a thumbdrive, then paste
them into my mail client??

c) How can I create further backups? Obviously I can just copy the contents
of my important USB stick onto more sticks. They will hardly all fail at
the same time. Then I could store those sticks at different locations. That
sounds quite inconvenient. I would prefer to store the contents of my
thumbdrive on Dropbox or Google Drive, for example. Would that be a problem?
I mean.. it's inside a TrueCrypt container with a very strong password.
Even if someone cracked that container, he would find my encrypted private
key, with an even stronger password. If he would be able to bruteforce even
that password, I think then I am dealing with an enemy with godlike powers
anyways.

Any input is greatly appreciated!

Best regards,
Martin


Re: How to back up my key

2013-07-15 Thread Martin
Hi Einar,

many thanks for your detailed answer! That's quite re-assuring, indeed!

Now I have to walk down yet another rabbit hole and read up about secure
cards :)

I was indeed planning to have a master key and sub keys but I didn't want
to complicate this thread too much, I will open another thread with more
questions about this topic soon.

Questions b) and c) remain unclear, though:

b) If I assume that a machine is compromised, do I have any chance to use
GPG? Entering my password (keylogger) and using my private key (trojans,
remote control malware) would enable an attacker to gain access to my key,
right? Are secure cards the only solution to this problem? Maybe I should
simply not use compromised machines when using GPG :)

c) Are there major concerns about backing up my TrueCrypt container on
Dropbox? I could even encrypt it further and put it into an encfs container
(which I am already doing when I use Dropbox). I have read blog posts where
people say that they even put their private master key openly into the wild
because it has a strong passphrase and strong encryption anyways.

Cheers,
Martin




On Mon, Jul 15, 2013 at 5:20 PM, Einar Ryeng wrote:

> On Mon, Jul 15, 2013 at 03:25:15PM +0800, Martin wrote:
> >
> > I'm new to GPG and unfortunately, the longer I browse the internet and read
> > about the topic, the less I know :(
> >
> > I would like to hear your opinions on this setup:
> >
> > 1. I have turned my Raspberry Pi into my super secure offline computer.
> >
> > 2. I will create my GPG keys on this system and store them on a USB drive
> > inside a TrueCrypt container.
> >
> > 3. I would like to have further backups of that drive, who knows, it might
> > get damaged some day and I don't want to lose my key that way.
>
> So far so good, with a couple of minor modifications. And I sort of agree with
> you on the TrueCrypt stuff, it's always better if people just erase USB drives
> they incidentally find. However, you probably shouldn't carry your keys around
> like that anyway.
>
> > My questions are the following:
> >
> > a) Do you see any flaws in that setup?
>
> Not exactly flaws, but I would have done some minor changes/additions:
>
> When you create a key pair, you create one master key and one or more subkeys.
> The master key is the one that should be used only in a safe environment. This
> key is used for operations on your private keys (revoking, making new subkeys,
> etc) and for signing other people's keys. All of these are relatively
> infrequent operations, except signing other keys which you probably will do
> quite frequently until your key is well connected to those you communicate
> with.
>
> Therefore:
>  1) 1 USB drive that will ONLY be used in the secure environment, containing
>     your master key and all subkeys.
>  2) A backup of 1), also ONLY for secure environment.
>  3) A USB drive or some other means to transfer your subkeys for encryption and
>     signing to your laptop.
>
> If you suspect your laptop has been compromised, someone may have gained access
> to your encryption and signing subkeys, which means that they can act as you.
> Luckily, because your master key is safe, you can just revoke your subkeys and
> create new ones. Your web of trust connections to anyone else will not be
> affected, except that they need to fetch the new version of your keys from the
> keyservers. On the other hand, if someone compromises your master key, you would
> need to go another round signing people's keys.
>
> To be a bit more paranoid, or to allow for using GPG on computers you don't
> trust as much as your own laptop, you can use a hardware RSA implementation
> like the CryptoStick from the German Privacy Foundation. These can contain keys
> which cannot be extracted without physical access to the key and a quite
> laborious process at a fairly decent electronics lab.
>
> (Btw, you also want to create revocation certificates for your key when you make
> it, just to be certain that you're able to revoke it if you should come to
> lose either your key or your passphrase.)
>
> Cheers,
>
> --
> Einar Ryeng
>
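The split described in the reply quoted above (master key and revocation certificate kept in the secure environment, only the subkeys copied to the laptop) can be tried out as follows. This is an added example, not part of the original thread; it assumes GnuPG 2.1 or later, and the identity, the throwaway keyrings in a temporary directory, the two-year subkey expiry and the empty passphrase are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GnuPG >= 2.1 on PATH.
# Identity, directories and the empty passphrase are constructed for the demo.
set -eu

DEMO_UID='Example User <user@example.org>'   # constructed identity

# gpg wrapper: batch mode, no prompts, keyring selected by the first argument.
g() {
    home=$1; shift
    gpg --homedir "$home" --batch --quiet --no-tty \
        --pinentry-mode loopback --passphrase '' "$@"
}

# Builds a "secure" keyring (master key + subkeys) and a "laptop" keyring
# (subkeys only) under $1, then prints one summary line describing the laptop.
split_master_and_subkeys() {
    work=$1
    secure=$work/secure
    laptop=$work/laptop
    mkdir -p "$secure" "$laptop"
    chmod 700 "$secure" "$laptop"

    # Secure environment: master key that can only certify, no expiry.
    g "$secure" --quick-generate-key "$DEMO_UID" ed25519 cert never
    fpr=$(g "$secure" --with-colons --list-keys |
          awk -F: '$1 == "fpr" { print $10; exit }')

    # Everyday subkeys for signing and encryption, expiring after two years.
    g "$secure" --quick-add-key "$fpr" ed25519 sign 2y
    g "$secure" --quick-add-key "$fpr" cv25519 encr 2y

    # GnuPG 2.1+ writes a revocation certificate at key creation; it stays
    # with the master key in the secure environment.
    if [ -s "$secure/openpgp-revocs.d/$fpr.rev" ]; then rev=yes; else rev=no; fi

    # Transfer medium: secret subkeys only; the master key leaves as a stub.
    g "$secure" --export-secret-subkeys "$fpr" > "$work/subkeys.gpg"
    g "$laptop" --import "$work/subkeys.gpg"

    # Field 15 of the --with-colons listing: "#" means the secret part is
    # missing (stub), "+" means the secret key is present.
    summary=$(g "$laptop" --with-colons --list-secret-keys |
        awk -F: '$1 == "sec" { m = ($15 == "#") ? "stub" : "present" }
                 $1 == "ssb" && $15 == "+" { n++ }
                 END { printf "master=%s subkeys=%d", m, n }')

    # Stop the agents started for the two throwaway keyrings.
    gpgconf --homedir "$secure" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$laptop" --kill gpg-agent 2>/dev/null || true

    echo "$summary revcert=$rev"
}

split_master_and_subkeys "$(mktemp -d)"
```

On the laptop keyring `gpg --list-secret-keys` shows the master key as `sec#`, so a compromise of that machine exposes the subkeys but not the key that certifies them.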


Several master keys vs. master key and subkeys

2013-07-15 Thread Martin
Hi everyone,

really sorry to ask so many stupid questions. I'm planning to write a nice
howto guide when I finally figured everything out, but before I can do that
I need to know what I am talking about :)

I want to have one master key with a super strong passphrase, which will
never expire and will basically never be used except for building my web of
trust. For every day use I would like to have subkeys which will expire
every 2 years.

So far I understand that GPG can create subkeys and I have found the
following two articles to be very good:

https://alexcabal.com/creating-the-perfect-gpg-keypair/
http://wiki.debian.org/subkeys

I have to say that the part about removing the original signing subkey
(whatever that means) seems to be a bit confusing.

After a while I stumbled upon this post:

http://www.davidsoergel.com/gpg.html

This person claims that subkeys are not the best option because:

### QUOTE ###

Disadvantages of subkeys:

* I find them Confusing.
* There are disturbingly many (i.e., any at all) bug reports on the web
about gpg software handling subkeys incorrectly.
* It is possible to export a subkey and attach it to a different primary
key, creating a potential security hole.
* No ability (without a lot of hassle, anyway) to use different passphrases
on primary and subkeys.

### ENDQUOTE ###

Is this really true? Do subkeys have the same passphrase as the master key?
I find this quite hard to believe.

I would like to know if David Soergel's approach has any flaws. As I
understand it, it works the same as using real subkeys, I would create two
normal keys, declare one to be my master key and one to be my first subkey.
Then I would sign the subkey with the master key which would enable me to
create a revocation cert for this subkey later, if needed?

Any reasons why I should stick to GPG's "native" subkey feature?

Many thanks for your help in advance!

Best regards,
Martin


Re: Multiple email addresses - any alternative to ask everyone to sign all my keys?

2013-07-23 Thread Martin
@Chris: That still leaves the problem of having to enter the passphrase for
the key on the untrusted machine, which might have a keylogger, doesn't it?




On Wed, Jul 24, 2013 at 6:24 AM, Christopher J. Walters wrote:

> On 7/23/2013 3:55 PM, Philipp Klaus Krause wrote:
>
>> On 23.07.2013 21:04, Heinz Diehl wrote:
>>
>>> On 23.07.2013, Philipp Klaus Krause wrote:
>>>
>>>> Of course it is annoying to have to ask everyone to sign three keys -
>>>> after all they are all my keys, and the people I ask to sign my key all
>>>> get to see the same passport. Is there a better alternative?
>>>
>>> Create/use one key, and add all the different addresses.
>>>
>>>> I do not consider my university computer safe enough to trust it with
>>>> the private key for my private mail.
>>>
>>> In this case, why should anybody else trust in the integrity of your
>>> identity? If you don't trust this machine, revoke the key and don't do
>>> anything confidential on/with it.
>>
>> That's not a practical solution. I want to be able to read encrypted
>> mail sent to my university addresses on that machine.
>>
>> Philipp
>
> While it is generally considered good policy to use any cryptographic
> software on a computer you do not trust, given your reason for wanting to
> use GnuPG on the untrusted university computer, I have a suggestion.
>
> Make a Live GnuPG USB thumb drive - make sure that you set the default
> path to be the USB drive, and not the HDD of the university computer.  Thus
> all of your keys would be on the USB drive and none on the untrusted
> computer.  If your private keys are already on the untrusted computer, then
> I can only suggest revoking them and creating new ones on a trusted
> computer - with the keyrings stored on the Live GnuPG USB drive.
>
> Regards,
> Chris


Re: Fwd: Goldbug.sf.net - Secure Multi-Crypto-Messenger v0.1 released

2013-07-27 Thread Martin
Wow that landing page looks like a super cheap rip-off of http://heml.is/...


On Sat, Jul 27, 2013 at 4:25 PM, Robert J. Hansen wrote:

> On 7/26/2013 10:45 PM, Randolph D. wrote:
> > Does anyone know, if this tool is really secure?
>
> Based only on their press release, this seems like a completely
> unscalable bucket of failure.
>
> > The so called "Echo" creates a peer-2-peer (p2p), respective
> > friend-2-friend (f2f) network, which sends every (strong encrypted) data
> > packet to everyone connected in that network to your node. When you can
> > decrypt the packet, it is yours and readable, if not, you share it with
> > all your connected neighbors. So far so simple.
>
> And this, right here, is why it's such a colossal disaster.  It cannot
> scale.
>
> Let's say that you're connected with 1,000 other users, and each of
> those users is connected with another 1,000.  Someone sends you an echo
> packet that you can't decrypt.  You then send it to 1,000 others.  999
> can't read it and the last one can.  Each of these 999 users then sends
> it on to *their* 1,000 contacts...
>
> Remember, this is delivery to a user *adjacent to you in the graph*.  It
> doesn't get better or easier than that.  And for a delivery this simple,
> we're still talking about spamming the network with a million packets
> (your original 1,000, plus 999,000 others) just to deliver a single packet.
>
> This is not a communications protocol.  This is a denial of service
> attack against a network.
>
> Now, maybe the people behind the "echo network" are world-class network
> engineers who have already accounted for this, and the person writing
> the marketing copy is a brain-dead marketroid who started sniffing glue
> at a tender age.  That's possible.  But, based on the marketing copy,
> the entire idea looks bogus to me.


Re: Unable to sign or decrypt with card

2017-09-15 Thread martin

On 14/09/17 23:53, Philip Jackson wrote:
> Card status seems to be ok :
> 
> gpg --card-status
> Application ID ...: D2760001240102052870
> Version ..: 2.0
> Manufacturer .: ZeitControl
> Serial number : 2870
> Name of cardholder: Philip Jackson
> Language prefs ...: en
> Sex ..: male
> URL of public key : [not set]
> Login data ...: [not set]
> Private DO 1 .: [not set]
> Private DO 2 .: [not set]
> Signature PIN : forced
> Key attributes ...: 0R 0R 0R
> Max. PIN lengths .: 32 32 32
> PIN retry counter : 3 0 3
> Signature counter : 406
> Signature key : 60FF 4A45 7DD4 C4E2 CCAB  D98D 5154 49A8 9A99 D8BD
>   created : 2014-10-28 23:13:28
> Encryption key: C04C 016C 3460 2B42 CDBB  2566 79D4 67BF F5DF 6C91
>   created : 2014-10-28 23:18:24
> Authentication key: [none]
> gpg: using subkey 0x515449A89A99D8BD instead of primary key
> 0x26BD500A23543A63
> General key info..: pub  2048R/0x515449A89A99D8BD 2014-10-28 Philip
> Jackson (Jan 2013 +) 
> sec   2048R/0x26BD500A23543A63  created: 2013-01-22  expires: never
> ssb   2048R/0x2ACB19812A3EC90F  created: 2013-01-22  expires: never
> ssb>  2048R/0x515449A89A99D8BD  created: 2014-10-28  expires: never
>   card-no: 0005 2870
> ssb>  2048R/0x79D467BFF5DF6C91  created: 2014-10-28  expires: never
>   card-no: 0005 2870

Hi Philip,

A few weeks ago I experienced a very similar problem to what you
describe. I was not able to sign any of my mail with my smart card and I
was unable to decrypt files.

Output of my gpg --card-status showed the same:
Key attributes ...: 0R 0R 0R
...
sec   rsa4096/0x7BDDCD7C31F200DC  created: 2015-11-24  expires:..

I have the exact same card reader at home and when running the status
command I would get:

Key attributes ...: rsa4096 rsa4096 rsa4096
...
sec>  rsa4096/0x7BDDCD7C31F200DC  created: 2015-11-24  expires: 2017-11-23
  card-no: 0005 426B

So I just re-checked my card reader at work. As I use the Gemalto PC
Twin Reader it turned out that the connection between the USB cable and
the card reader was slightly loose. Afterwards I was able to use my card
as before.

I would suggest (if you haven't tried that already) trying a different
machine and/or a different reader combo to see if the problem is not a
trivial faulty reader.

Regards,
Martin


Re: gpg-agent 2.1 persistent socket between sessions

2017-10-25 Thread martin

On 25/10/17 15:54, Werner Koch wrote:
> p.s.
> The gnupg tarballs has a file
>   gnupg/doc/examples/systemd-user/gpg-agent.socket
> which is an example on how to specify the location of the socket.  The
> problem might be that systemd likes to stop all services at user logout.

Alternatively you can look into `KillUserProcesses` and
`KillExcludeUsers` options for systemd-logind[1].

For some distributions `KillUserProcesses` defaults to yes which will
clean up all background running processes. Changing that to no will leave
processes lingering but can potentially cause other problems.

Martin

[1] - https://www.freedesktop.org/software/systemd/man/logind.conf.html



Re: Breaking MIME concatenation

2018-05-16 Thread Martin

Hi

On Tuesday, 15 May 2018, 22:19:17 you wrote:

> On 05/15/2018 04:44 AM, Patrick Brunschwig wrote:
>
>> I think the correct solution must be to treat each MIME part
>> independently, i.e. it needs to be parsed independently by the HTML
>> engine and produce its own DOM tree. At the end, you can concatenate
>> these DOM trees and create a single correct HTML document.
>>
>> -Patrick
>
> So why use HTML with gnupg?

I think a fundamental discussion is necessary with the question: Who
should / will use GnuPG in the future?

Two extremes: Only these people who really need to encrypt their
emails because they are persecuted. But these people learned how to
handle their email client correctly and these people will write
text-only also in the future.

Or is Email encrypting a need for *every* email user? But there the
standard today IS that mails are HTML-written and contain links and
pictures and so on. If GnuPG should be a tool for "everybody" HTML
mail must be encrypted and decrypted correctly by the clients and
GnuPG should give any important information,

-- 
Regards
 Martin


Re: Vulnerable clients (was: US-CERT now issuing a warning for OpenPGP-SMIME-Mail-Client-Vulnerabilities)

2018-05-16 Thread Martin
Hi,

On Wednesday, 16 May 2018, 10:02:21 you wrote:


> Werner, my conclusion in addition is that the table is incorrect.
> Most (if not even all) of the MUA which are noted for Linux do run on
> nearly any other UNIX flavor, FreeBSD, OpenBSD, ... and mutt in addition
> runs  on Canonical Ubuntu for smartphones/tablets and UBports devices.

To show that developers of clients take the situation seriously one
example: Today I got an update for Android R2Mail2 which fixes the
#efail problem.

There's still a chance ;-)
-- 
Regards
 Martin



Re: Comment: Efail is a megafail for e-mail encryption | heise online

2018-05-18 Thread Martin
Hello Matthias,

Friday, May 18, 2018, 3:40:53 PM, you wrote:

> Jürgen Schmidt is a dedicated OpenPGP hater. Be warned and/or just 
> ignore this comment.

And again a recommendation for Signal. It seems to be a PR campaign -
but a very bad one.

-- 
Best regards,
Martin




Re: how to suppress new "insecure passphrase" warning

2020-09-17 Thread Martin

Hello Ryan,

Thursday, September 17, 2020, 4:42:24 PM, you wrote:

> -Ryan McGinnis
> http://www.bigstormpicture.com
> PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

BTW your public key is not on keys.openpgp.org

-- 
Best regards,
Martin


Which keyserver

2020-09-17 Thread Martin

Hi list

Which keyserver do you recommend these days?

I have hkps://keys.openpgp.org in gpg.conf - but it seems that a lot
of public keys are missing on this server.

-- 
Best regards,
Martin


GnuPG 2.2.32 with libgcrypt 1.8.8

2021-10-25 Thread Martin
Hi

I am really not a programmer ;-) but I tried to compile GnuPG 2.2.32 on my
Ubuntu 20.04 system.

Beforehand I compiled libgcrypt 1.8.8 - seems to work, no error messages. So
these libraries are going to /usr/local/lib

So I tell configure for GnuPG 2.2.32 to take these libgcrypt 1.8.8 files

with ./configure --with-libgcrypt-prefix=/usr/local

And configure tells me that files are found:

checking for libgcrypt-config... /usr/local/bin/libgcrypt-config
checking for LIBGCRYPT - version >= 1.8.0... yes (1.8.8)

But after "make" and "make install" I see that GnuPG 2.2.32 doesn't use
libgcrypt 1.8.8 but 1.8.5 (which was installed by Ubuntu repository).

gpg --version
gpg (GnuPG) 2.2.32
libgcrypt 1.8.5

What am I doing wrong?

-- 
Regards





Re: GnuPG 2.2.32 with libgcrypt 1.8.8

2021-10-26 Thread Martin
Hello Bernhard,

Tuesday, October 26, 2021, 9:37:47 AM, you wrote:

> On Monday 25 October 2021 17:01:15 Martin wrote:
>> But after "make" and "make install" I see that GnuPG 2.2.32 doesn't use
>> libgcrypt 1.8.8 but 1.8.5 (which was installed by Ubuntu repository).

> Maybe you need to modify the LD_LIBRARY_PATH accordingly.

Exactly, that was the solution! 

gpg --version
gpg (GnuPG) 2.2.32
libgcrypt 1.8.8

Thank you.
-- 
Best regards,
Martin




Public keys stored on different server

2023-02-01 Thread Martin
Hello

Perhaps my question is strange and silly ;-)

More and more I see messages which are signed - but the author didn't
store his public key on a keyserver (eg. hkps://keys.openpgp.org) -
sometimes a footnote in the messages gives a link where the key could
be downloaded. Sometimes this link has a bad or strange https
certificate...

What are the reasons for such a procedure and what is the advantage?

-- 
Best regards,
Martin



Re: Public keys stored on different server

2023-02-01 Thread Martin

Hello Alex,

Wednesday, February 1, 2023, 1:01:21 PM, you wrote:

> There's not much you can do in those situations. There's not
> really much in the way of an advantage compared to downloading from a
> keyserver when searching by the key ID.

It just seemed like a contradiction to me if a key for security
reasons should be downloaded from a website with an insufficient
certificate ;-)

-- 
Best regards,
Martin


Re: Public keys stored on different server

2023-02-02 Thread Martin
Hello Vincent,

Thursday, February 2, 2023, 12:41:48 PM, you wrote:

> For traditional (sks-style) keyservers, it is true that the list of all 
> certificates
> and email addresses is public, and must be by design. For keys.openpgp.org
> specifically, this full list is not public and never will be in accordance 
> with
> our privacy policy.

Could you please explain this, I don't understand really. So there are
public and no public keys on this key-server? Who decides that a
key is public or non-public? Who or how can I request a non-public
key?

Martin



Re: Public keys stored on different server

2023-02-03 Thread Martin
Hello Vincent,

Ok - that is clear now. I never had the idea to get a "whole list" 
from a key server but I didn't understand why people let access their 
key only on their own website.

Martin

Thursday, February 2, 2023, 9:45:53 PM, you wrote:


>> Could you please explain this, I don't understand really. So there are
>> public and no public keys on this key-server? Who decides that a
>> key is public or non-public? Who or how can I request a non-public
>> key?
> Sorry, that wasn't as clear as it could have been. There are no
> non-public keys, all keys are still publicly available, and can be
> retrieved by fingerprint or email address. You just can't retrieve
> all keys or email addresses as a full list, which makes it a far
> less interesting target for spammers.




Re: German ct magazine postulates death of pgp encryption

2015-02-27 Thread Martin Behrendt

On 27.02.2015 at 22:28, Christoph Anton Mitterer wrote:
> On Fri, 2015-02-27 at 22:15 +0100, Werner Koch wrote:
>> Most people run Windows or Android (or use Lenovo stuff) and thus
>> have anyway no control over their boxes.
> To be honest, I don't think that anyone using Windows, Android,
> MacOS or any other [semi-]proprietary system actually wants to be
> secure - neither do I think that we should waste our resource on
> securing them which is per se not possible.

At what point is a system a [semi-]proprietary system?
How many computers are out there where not even a single part of the
hardware (and firmware) is proprietary?
Where do you draw the line? If I would have to guess, I would say, the
device you wrote that sentence with, falls in the category
semi-proprietary...

greetings
Martin



Re: Enabling and using ECC keys (any reason not to?)

2015-03-27 Thread Martin Behrendt
On 26.03.2015 18:40, Pete Stephenson wrote:
> 
> People have raised concerns about the NIST curves, but they are part
> of the RFC 6637 standard so compliant programs must implement P-256,
> may implement P-384, and should implement P-521.
> 
> To address potential concerns with the NIST curves, GnuPG also
> supports the Brainpool curves which are similar in structure to the
> NIST curves but use parameters chosen from nothing-up-my-sleeve
> numbers and so should be reasonably trustworthy. Still, the structure
> of such curves leaves a bit to be desired (see
> http://safecurves.cr.yp.to/ for details, I'm hardly an expert).
> 

I just did a quick search but didn't find anything. But as a general
question, why is it not possible to use two different encryption keys
and use a cascade two layer encryption? E.g. truecrypt offered something
similar for up to 3 different encryption methods.

So especially when introducing new algorithms which might be tampered
with, using e.g. an old style RSA Key as one layer and ECC as a second
should help against this. Or am I missing something here?

Greetings
Martin



Re: Is Open PGP or GnuPG or GPG possible on a Mac?

2015-05-01 Thread Martin Behrendt

It should be possible but it might require high technical skills in
the operation of a search engine of your choice.

Let's try your topic:

https://startpage.com/do/search?q=Is+Open+PGP+or+GnuPG+or+GPG+possible+on+a+Mac

Looks like some usable answers turn up. But let's try something shorter
and more specific:

https://startpage.com/do/search?q=gnupg+on+mac

Looks also good. Maybe we can see if people asked about this on the
mailing list before? Let's try:

https://www.google.de/search?&q=gnupg%20on%20mac%20site%3Agnupg.org&ie=iso-8859-1&q=mac+installer++site:lists.gnupg.org%2Fpipermail%2Fgnupg-users%2F2014

Looks also interesting for 2014. Maybe there will also be some results
for 2015? Hope that gets you somewhere.

Greetings
Martin


Re: libgrypt in Wikipedia? (help wanted)

2015-10-22 Thread Martin Behrendt

On 22.10.2015 at 17:47, Bernhard Reiter wrote:
> Maybe some Wikipedia author can give us a hand here and decide what
> should go in there.
> 
> (In wikipedia.de it is good style to not enter information about a
> product that I am commercially involved with. Some third party can
> do this with less potential conflict of interest.)

I don't consider myself a Wikipedia author but I followed "Sei mutig". ;)
Since I am too lazy to read the manual, there are a lot of blanks
because I couldn't identify or find the correct information in the
libgcrypt Wikipedia entry.
So please put in the missing information yourself, or someone post
them on my discussion page or via e-mail (I would appreciate an easy
to c/p format) and I will enter them.

Greetings
Martin


Re: What causes this bad signature

2015-11-15 Thread Martin Behrendt

On 14/11/15 20:28, Sebastian Wiesinger wrote:
> Hello, [...]
> 
>  sig!3   P0x58A2D94A93A0B9CE 2015-03-27
> never   Sebastian Wiesinger  sig-3
> 1 0x5E5CCCB4A4BF43D7 2015-11-14 never   Governikus OpenPGP
> Signaturservice (Neuer Personalausweis) 

On 15.11.2015 at 09:46, gnupgpacker wrote:
> Hi,
> 
> there is a German government service that signs PGP keys??
> 
> What's the way to get it signed? Which institution?
> 
> Thanks, Chris




Re: basic identity mgmt

2016-01-11 Thread Martin Behrendt
On 11.01.2016 at 17:35, Lachlan Gunn wrote:
>>
>>
>>> You've already received good answers on your questions, so some questions
>> for you. :)  What is your concern about signing the key? And are you aware
>> that local signatures will not be communicated beyond your keyring?
> 
> 
> I actually ran into this issue the other day.  For me it's problematic
> because my certification key is on an offline machine, so it's inconvenient
> to have to power it up and do a round-trip through the airgap when I'm not
> going to propagate the signature anyway.  It's not a dealbreaker but it's
> still a bit irritating.
> 
> Thanks,
> Lachlan
> 

Without thinking a lot about it on my part, but wouldn't a separate
signing sub-key help with this?

Greetings
Martin



Nitrokey HSM and GPG

2016-02-24 Thread Martin Konold
Hi,

I am successfully using Nitrokey Pro with GnuPG 2.1.11.

On the other hand I have a need to support more than 3 RSA subkeys and 
therefore I am testing with Nitrokey HSM which is supposed to be able to deal 
with up to 48 RSA-2048 keys.

On an up-to-date openSUSE I verified that Nitrokey Pro fully works as expected but 
Nitrokey HSM fails with 

OpenPGgpg2 --card-status
gpg: selecting openpgp failed: Card error
gpg: OpenPGP card not available: Card error

Kind Regards
--martin konold

-- 
Dipl.-Physiker Martin Konold

e r f r a k o n Partnerschaftsgesellschaft
Erlewein, Frank, Konold & Partner - Beratende Ingenieure und Physiker
Registergericht: Amtsgericht Stuttgart PR 126
Firmensitz: Adolfstraße 23, 70469 Stuttgart
fon: 0711 67400963
fax: 0711 67400959
email: martin.kon...@erfrakon.de
http://www.erfrakon.com





Re: Nitrokey HSM and GPG

2016-02-24 Thread Martin Konold
On Wednesday, 24 February 2016, 20:12:13 CET, Andreas Schwier wrote:

Dear Andreas,

> the Nitrokey HSM has an embedded SmartCard-HSM which is only supported
> by gpgsm. Unfortunately you can not use a key on the device as gpg key,
> but only for S/MIME. GPG only supports cards that conform to the OpenPGP
> Card Specification, which the SmartCard-HSM doesn't.

Thanks for enlightening me. 

I assume if I simply want to encrypt / decrypt files gpgsm should be 
sufficient?!

I read the man page but still fail using the Nitrokey HSM with gpgsm.

Can you provide me a hint how to instruct gpgsm to use a specific SmartCard-HSM 
device?

I successfully used openssl with this card but fail with gpgsm so far using

engine -t dynamic -pre SO_PATH:/usr/lib64/engines/libpkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib64/opensc-pkcs11.so

req -engine pkcs11 -new -key 0:10 -keyform engine -out cert.pem -text -x509 -days 3640

Kind Regards
--martin konold



cipher used when both --encrypt and --symmetric is specified

2016-02-25 Thread Martin Ilchev
I am looking for some help to figure out what cipher is used for symmetric
encryption when both pass phrase and public keys are used. I have
configured my gpg.conf with my preferred cipher algorithms as follows:
personal-cipher-preferences AES256 TWOFISH CAMELLIA256 AES192 CAMELLIA192
AES CAST5 CAMELLIA128 BLOWFISH IDEA 3DES

I have run the following tests:
1. Symmetrically encrypt a file:
$ gpg2 --symmetric somefile
decrypting that file shows the correct cipher being used (I am looking at
symkey enc packet field cipher 9 - aes256):
$ gpg2 -vvv --decrypt somefile.gpg
gpg: using character set `utf-8'
:symkey enc packet: version 4, cipher 9, s2k 3, hash 10
salt 7ff4f273bd71e14e, count 24117248 (231)
gpg: AES256 encrypted data
:encrypted data packet:
length: 360
mdc_method: 2
gpg: encrypted with 1 passphrase
:compressed packet: algo=1
:literal data packet:
mode b (62), created 1456410134, name="somefile",
raw data: 1551 bytes
gpg: original file name='somefile'

2. Symmetrically encrypt and also encrypt for my own public key:
gpg2 -vvv --symmetric --encrypt --sign -r 0x1234567890ABCDEF somefile
decrypting the file shows that the cipher used is CAST5 (again looking at
the same symkey enc packet field cipher 3 - CAST5):
$ gpg2 -vvv --decrypt somefile.gpg
gpg: using character set `utf-8'
:pubkey enc packet: version 3, algo 1, keyid 1234567890ABCDEF
data: [4096 bits]
gpg: public key is 0x1234567890ABCDEF
gpg: using subkey 0x1234567890ABCDEF instead of primary key
0x1234567890ABCDEF
gpg: selecting openpgp failed: Card not present
:symkey enc packet: version 4, cipher 3, s2k 3, hash 10, seskey 256 bits
salt 7fa903ae28975d77, count 24117248 (231)
gpg: CAST5 encrypted session key
:encrypted data packet:
length: unknown
mdc_method: 2
gpg: encrypted with 1 passphrase
gpg: using subkey 1234567890ABCDEF instead of primary key 1234567890ABCDEF
gpg: encrypted with 4096-bit RSA key, ID 1234567890ABCDEF, created
2018-13-34
  "Martin"
gpg: public key decryption failed: Operation cancelled
gpg: AES256 encrypted data
:compressed packet: algo=2
:onepass_sig packet: keyid 1234567890ABCDEF
version 3, sigclass 0x00, digest 10, pubkey 1, last=1
:literal data packet:
mode b (62), created 1456410193, name="somefile",
raw data: 1551 bytes
gpg: original file name='somefile'

To get the cipher name from the cipher numbers I check RFC4880 (
https://tools.ietf.org/html/rfc4880#section-9.2).

My expectation is that symmetric encryption should use the same cipher
(AES256) in both cases.

Can someone please explain if the above is the expected behaviour or if my
expectations are wrong?

I am running Debian 8.3 with gnupg2 2.0.26-6. I use gpg2 because my 4096b
public/private keys are on a smart card.

I also apologise for the really long e-mail.

Kind Regards,
Martin
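
Added example (not part of the original post, and not GnuPG code): a small Python parser for the two `-vvv` dumps above that reports the cipher named in the symkey enc packet separately from the cipher gpg prints for the data. Per RFC 4880 section 5.3, when that packet carries an encrypted session key (`seskey 256 bits` in the second dump) its cipher field names the algorithm protecting the session key, not the data; all function and variable names are this example's own, and the dumps are trimmed copies of the output in the post.

```python
import re

# Symmetric algorithm IDs: RFC 4880 section 9.2, plus Camellia from RFC 5581.
CIPHERS = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "BLOWFISH", 7: "AES",
           8: "AES192", 9: "AES256", 10: "TWOFISH", 11: "CAMELLIA128",
           12: "CAMELLIA192", 13: "CAMELLIA256"}
# Nominal key sizes in bits, used only to compare wrapping and bulk ciphers.
KEY_BITS = {"IDEA": 128, "3DES": 168, "CAST5": 128, "BLOWFISH": 128,
            "AES": 128, "AES192": 192, "AES256": 256, "TWOFISH": 256,
            "CAMELLIA128": 128, "CAMELLIA192": 192, "CAMELLIA256": 256}

SYMKEY = re.compile(r":symkey enc packet: version \d+, cipher (\d+), "
                    r"s2k \d+, hash \d+(?:, seskey (\d+) bits)?")
PUBKEY = re.compile(r":pubkey enc packet: version \d+, algo \d+, keyid (\w+)")
BULK = re.compile(r"gpg: (\w+) encrypted data$")
MDC = re.compile(r"mdc_method: (\d+)")


def analyse(dump):
    """Summarise which cipher protects what in a `gpg -vvv --decrypt` dump."""
    report = {"passphrase_cipher": None, "wraps_session_key": False,
              "recipients": [], "bulk_cipher": None, "mdc": False,
              "findings": []}
    for raw in dump.splitlines():
        line = raw.strip()
        if m := SYMKEY.match(line):
            algo = int(m.group(1))
            report["passphrase_cipher"] = CIPHERS.get(algo, f"unknown({algo})")
            # "seskey N bits" means the packet carries an encrypted session key.
            report["wraps_session_key"] = m.group(2) is not None
        elif m := PUBKEY.match(line):
            report["recipients"].append(m.group(1))
        elif m := BULK.match(line):
            report["bulk_cipher"] = m.group(1)
        elif m := MDC.match(line):
            report["mdc"] = int(m.group(1)) != 0

    wrap, bulk = report["passphrase_cipher"], report["bulk_cipher"]
    if wrap and bulk:
        if report["wraps_session_key"]:
            if KEY_BITS.get(wrap, 0) < KEY_BITS.get(bulk, 0):
                report["findings"].append(
                    f"passphrase path wraps the {bulk} session key with {wrap}")
        elif wrap != bulk:
            # Without a wrapped key the packet's cipher is the data cipher.
            report["findings"].append(
                f"symkey packet says {wrap} but data reported as {bulk}")
    if not report["mdc"]:
        report["findings"].append("no MDC on the encrypted data packet")
    return report


# Trimmed copy of the first dump in the post (--symmetric only).
DUMP_PASSPHRASE_ONLY = """\
gpg: using character set `utf-8'
:symkey enc packet: version 4, cipher 9, s2k 3, hash 10
salt 7ff4f273bd71e14e, count 24117248 (231)
gpg: AES256 encrypted data
:encrypted data packet:
length: 360
mdc_method: 2
gpg: encrypted with 1 passphrase
"""

# Trimmed copy of the second dump (--symmetric --encrypt --sign).
DUMP_PASSPHRASE_AND_PUBKEY = """\
:pubkey enc packet: version 3, algo 1, keyid 1234567890ABCDEF
data: [4096 bits]
:symkey enc packet: version 4, cipher 3, s2k 3, hash 10, seskey 256 bits
salt 7fa903ae28975d77, count 24117248 (231)
gpg: CAST5 encrypted session key
:encrypted data packet:
length: unknown
mdc_method: 2
gpg: encrypted with 1 passphrase
gpg: public key decryption failed: Operation cancelled
gpg: AES256 encrypted data
"""

if __name__ == "__main__":
    for name, dump in (("passphrase only", DUMP_PASSPHRASE_ONLY),
                       ("passphrase + public key", DUMP_PASSPHRASE_AND_PUBKEY)):
        r = analyse(dump)
        print(name, "->", "session key/passphrase cipher:",
              r["passphrase_cipher"], "| data cipher:", r["bulk_cipher"],
              "| findings:", r["findings"])
```
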


Re: Decrypt without importing key to keyring

2016-02-26 Thread Martin Konold
On Thursday, 25 February 2016, 08:35:28 CET, Werner Koch wrote:

Hi,

> On Wed, 24 Feb 2016 11:34, thecisso...@hotmail.fr said:
> > Hi, is there a way to use a private key (PGP) to decrypt a message
> > without adding it to the keyring.

There is of course the option to leave the private key exclusively on an 
OpenPGP Smartcard. This only requires a stub in the keyring which can be 
recreated on demand.

Kind Regards
--martin konold



Re: cipher used when both --encrypt and --symmetric is specified

2016-02-26 Thread Martin Ilchev
Hi Peter,

Thanks for the reply.

I did browse the man pages quite a bit (I am a bit afraid I browsed too
much and touched stuff I should leave well alone :))

I did set my key preferences a few months ago and made sure the key had
them as well. Here is the output of showpref:

 Cipher: AES256, AES192, AES, CAST5, 3DES


 Digest: SHA512, SHA384, SHA256, SHA224, SHA1


 Compression: ZLIB, BZIP2, ZIP, Uncompressed
 Features: MDC, Keyserver no-modify

Also here is all the stuff I have in my gpg.conf:
```
personal-cipher-preferences AES256 TWOFISH CAMELLIA256 AES192 CAMELLIA192 AES CAST5 CAMELLIA128 BLOWFISH IDEA 3DES
personal-digest-preferences SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
s2k-digest-algo SHA512
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=/home/martin/.gnupg/sks-keyservers.netCA.pem
keyserver-options no-honor-keyserver-url
keyid-format 0xlong
with-fingerprint
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
use-agent
```

Let me know if you need more info.

Regards,
Martin

On Fri, 26 Feb 2016 at 09:55 Peter Lebbing wrote:

> On 25/02/16 15:42, Martin Ilchev wrote:
> > I am looking for some help to figure out what cipher is used for
> > symmetric encryption when both pass phrase and public keys are used. I
> > have configured my gpg.conf with my preferred cipher algorithms as
> follows:
> > personal-cipher-preferences AES256 TWOFISH CAMELLIA256 AES192
> > CAMELLIA192 AES CAST5 CAMELLIA128 BLOWFISH IDEA 3DES
>
> Those preferences are not what is used when encrypting to your own key.
> To see those do:
>
> $ gpg2 --edit-key {KEYID}
> > showpref
>
> To change them do:
>
> > setpref 
>
> Note that this refers to all types of preferences, not just ciphers.
>
> To set a default preference list for setpref, include in your gpg.conf:
>
> default-preference-list 
>
> I'd suggest a bit of browsing through the man page with a search term of
> "preference" :). Note that these key preferences are part of your public
> key, and if you want others to respect them as well, they need to
> refresh your public key with the new preferences if you change them.
>
> > 2. Symmetrically encrypt and also encrypt for my own public key:
> > gpg2 -vvv --symmetric --encrypt --sign -r 0x1234567890ABCDEF somefile
> > decrypting the file shows that the cipher used is CAST5
>
> It would be helpful to know what your key preferences are, since it
> might just be the most preferred algorithm from the intersection of
> personal preferences and key preferences.
>
> HTH,
>
> Peter.
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
>


Re: Single GPG key and multiple yubikeys

2016-02-26 Thread Martin Konold
On Thursday, 25 February 2016, 15:56:32 CET, Peter Lebbing wrote:

Hi,

> Note that it is very impractical to regularly use two smartcards on the
> same computer because of all this. You should probably stick to using a
> single smartcard on any single computer.

In case there is an urgent need to use two smartcards on the same computer and 
account I recommend making use of scdaemon.conf and separate GNUPGHOME 
directories. You may then differentiate between the two cards with the
gpg --homedir commandline option.

Kind Regards
--martin konold



Re: gnupg-pkcs11 status & future

2016-02-27 Thread Martin Konold
On Friday, 26 February 2016, 15:18:55 CET, Werner Koch wrote:

Hi,

> In any case you need to load the keys onto the card and don't have the
> card create the key.  Smartcards may break and then you would not be
> able to decrypt anything if you don't have an offline backup the key.

Please allow me to mention that many smartcards disallow cleartext export of 
keys generated on the card while also not allowing import of cleartext private 
keys.

But this is not a backup issue as most cards also allow for n-of-m threshold 
schemes and DKEK/key-wrapping, e.g.
http://www.smartcard-hsm.com/2014/09/25/Desaster_Recovery_for_your_SmartCard-HSM.html

IMHO there are additional legit use cases where having multiple private keys 
for decryption would be more than useful. Today I circumvent the limit by 
using multiple OpenPGP Cards and multiple GNUPGHOME directories each configured 
for a different USB device (scdaemon.conf)

While imho pkcs#11 is ugly it really is a tool to gain interoperability while 
cleaning up a lot of mess (many people are confused with the current 
situation) and make encryption available to the masses.

Kind Regards
--martin konold



Re: Single GPG key and multiple yubikeys

2016-02-27 Thread Martin Konold
On Friday, 26 February 2016, 12:43:54 CET, Kristian Fiskerstrand wrote:

Hi Kristian,

> > the two cards with the gpg -- homedir commandline option.

> A workaround currently could be to remove the specific keygrip files
> from private-keys-v1.d (for gnupg 2.1) for the known stubs and doing a
> gpg-connect-agent learn /bye or gpg --card status during e.g smartcard
> attachment in an udev rule etc.

This looks really good though it does not allow to have multiple smartcards 
connected simultaneously.

It is my understanding that 'gpg-connect-agent learn /bye' cannot deal with 
multiple cards visible simultaneously via scdaemon and pcscd.

Did I overlook something?

I therefore wish to be able to choose the smartcard (maybe 
indirectly via keyid) as I am today already able to achieve on the commandline 
using keyrings.

Why should the commandline user interface of gpg be different if the private 
keys reside on smartcards compared to a keyring in the filesystem?

What do you think?

Kind Regards
--martin konold



Re: cipher used when both --encrypt and --symmetric is specified

2016-02-29 Thread Martin Ilchev
Hi Vedaal,

You are correct that is not my real key ID.

Funny enough the key was generated in Nov-2015. However you are absolutely
correct about the --s2k-cipher-algo option. I added that to my gpg.conf and
after that symmetric + public works exactly as I expected. I get AES256
every time.

There is one thing I would like to understand - the man page says:
   --s2k-cipher-algo name
          Use name as the cipher algorithm used to protect secret keys.
          The default cipher is CAST5. This cipher is also used for
          conventional encryption if --personal-cipher-preferences and
          --cipher-algo is not given.

So CAST5 is the preferred cipher for secret keys and is also the default
for symmetric. On the other hand using --personal-cipher-preferences does
not seem to apply to symmetric + public encryption. Is this by design?

Regards,
Martin

On Fri, 26 Feb 2016 at 14:52  wrote:

>
> On 2/26/2016 at 5:48 AM, "Martin Ilchev"  wrote:
>
> >I did set my key preferences a few months ago and made sure the
> >key had
> >them as well. Here is the output of showpref:
> >
> > Cipher: AES256, AES192, AES, CAST5, 3DES
> .
>
> >> > 2. Symmetrically encrypt and also encrypt for my own public
> >key:
> >> > gpg2 -vvv --symmetric --encrypt --sign -r 0x1234567890ABCDEF
>
> >> > decrypting the file shows that the cipher used is CAST5
>
> =
>
> 0x1234567890ABCDEF is obviously not your real key id.
>
> I suspect the key was generated some time ago, when the default cipher to
> protect one's secret key, was CAST5
>
> GnuPG's default choice for the encryption algorithm for a symmetric cipher
> will be what the s2k-cipher-algo is.
>
> In your case for that key, it is CAST 5
>
>
> Try This:
>
> gpg2  --s2k-cipher-algo AES256 --symmetric --encrypt --sign -r
> 0x1234567890ABCDEF  filename
>
> The encryptions should now be with AES256 for both the symmetric part and
> the part encrypted to your key.
>
>
> vedaal
>
>


Re: cipher used when both --encrypt and --symmetric is specified

2016-02-29 Thread Martin Ilchev
Hi Peter,

Thanks for the advice. I will have a look at the mailing list. For now I am
happy that I have a working solution.

Thank you and Vedaal for the help.

Regards,
Martin

On Mon, 29 Feb 2016 at 11:12 Peter Lebbing wrote:

> On 29/02/16 11:51, Martin Ilchev wrote:
> > So CAST5 is the preferred cipher for secret keys and is also the default
> > for symmetric. On the other hand using --personal-cipher-preferences
> > does not seem to apply to symmetric + public encryption. Is this by
> design?
>
> For me, GnuPG 1.4 behaves as you indicate, which is counterintuitive,
> especially given the text in the man page. But GnuPG 2.1 correctly gives
> me the preferred algo from the intersection of
> --personal-cipher-preferences and key prefs. It's a bit difficult for me
> to test GnuPG 2.0 at the moment. I should do something about that.
>
> I faintly recall some discussion about this, but that's it, I don't
> remember more than that. You could try a search on this mailing list.
>
> HTH,
>
> Peter.
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
>


Re: Question about getting started with PGP and smart cards

2016-02-29 Thread Martin Ilchev
Hi Josh,

I have been using a smart card and reader for about 6 months now. The set up I
went with is:
Smart-card "OpenPGP Smartcard V2.1" from kernel concepts (
http://shop.kernelconcepts.de/). The card supports keys up to 4096 length
with gpg2.

Card-reader - Gemalto GemPC Twin/TR (IDBridge CT30) - works out of the box
on Linux and Windows (tested it on Windows 7 SP1 and Windows 8.1). I got
mine here
http://www.smartcardfocus.com/shop/ilp/id~463/gemalto-gempc-twin-tr-idbridge-ct30-/p/index.shtml

To get the card reader working in Linux I used this guide to get me started
(was able to set everything up with no hassle) -
https://www.corsac.net/?rub=blog&post=1548. I only needed to
install pcsc-tools and pcscd.

For Windows I installed gpg4win and migrated my Linux gpg.conf and keys
over and it just worked. Also in Windows if you want to use PuTTY with a
smart card you will need a patched PuTTY agent. You can get one from here
http://smartcard-auth.de/ssh-en.html. It is free to use with OpenPGP
Smartcards from kernel concepts so a win-win :).

Last but not least - make sure to back up your private keys! Once a key is
on the card it is impossible to get it back.

I only got the above for test use but now I am using it every day at work,
at home and on my laptop without any issues. I can sign, encrypt/decrypt as
well as authenticate for SSH with a single smart card.

Let me know if you need any additional information.

Regards,
Martin

On Sat, 27 Feb 2016 at 17:44 Antoine Michard wrote:

> I've tried; on Fedora 23 I can't use my USB smartcard reader without the PCSC
> daemon.
>
> These packages are needed: pcsc-lite pcsc-lite-ccid pcsc-tools
>
> Antoine Michard
> GPG Key: 0xF5C9E7CD0882B381
>
> On 27/02/2016 18:14, Peter Lebbing wrote:
> > On 27/02/16 17:58, Antoine Michard wrote:
> >> But on Linux it is not so easy. You have to install all needed dependencies
> >> for the reader (pcscd)
> >
> > I should note that pcscd is not needed for the readers I mentioned in my
> > reply, since they are well supported through the builtin driver of scdaemon
> > (and GnuPG 1.4).
> >
> > In fact, installing pcscd will make it more difficult to use. I suggest
> > to only use pcscd for readers that are not natively supported by GnuPG,
> > unless you have specific needs (usually when you want to use smartcards
> > for more things than GnuPG).
> >
> >> and sometimes Gnome Keyring will make harder to make it work [5].
> >
> > Heck, yeah.
> >
> > HTH,
> >
> > Peter.
> >
>


Decryption error: open(CONOUT$) failed

2016-05-12 Thread Cyril Martin
Hello,

for a few days we have been facing an issue decrypting files (.gpg) with GnuPG 1.4.9.

We get this error:

***

gpg: fatal: open(CONOUT$) failed: The system cannot find the file specified.
secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768

***

If the issue were due to "the file specified", I think we should get this error:

gpg: can't open `FILE_SPECIFIED'
gpg: decrypt_message failed: file open error

***

Decryption is processed by a program launched with a Windows service account.

Manually, with my personal account, it's OK and I can decrypt, but not with the
program.

I have keyrings under:

C:\Users\windows_service_account\AppData\Roaming\gnupg

Could you help me please?

GnuPG 1.4.9

Windows Server 2008 R2

Cyril



GnuPG 2.0.30 console output charset

2016-06-18 Thread Martin S.
Hi list

How do I configure GnuPG 2.0.30 so that the console output has the
correct charset on Windows 7? The language is set to German in the
registry - but umlauts are not displayed correctly.

Thanks.

m.s.




GPG and Mailinglists using IBCPRE

2016-07-16 Thread Martin Konold
Hi,

what is currently the recommended setup for running encrypted mailing lists?

I am thinking about some IBCPRE mechanism. See also
https://en.wikipedia.org/wiki/Identity-based_conditional_proxy_re-encryption

I think this would allow the mailing list software to act as a proxy, re-encrypting 
without directly having the private key of the mailing list on the mailing 
list server.

What do you think about IBCPRE?

Regards
--martin
Kind regards
--martin konold

-- 
Dipl.-Physiker Martin Konold

e r f r a k o n
Erlewein, Frank, Konold & Partner - Beratende Ingenieure und Physiker
Registergericht: Amtsgericht Stuttgart PR 126
Firmensitz: Adolfstraße 23, 70469 Stuttgart
fon: 0711 67400963
fax: 0711 67400959
email: martin.kon...@erfrakon.de
http://www.erfrakon.de





regular update of all keys from a keyserver

2016-10-17 Thread Martin T
Hi,

I am aware that one can update all the keys in local-keyring from a
keyserver using "gpg --refresh-keys". Are there any disadvantages to
simply put this command into user crontab and execute for example once
a day?


thanks,
Martin



Re: regular update of all keys from a keyserver

2016-10-18 Thread Martin T
Thank you for all the replies!


Martin

On Mon, Oct 17, 2016 at 7:52 PM, Brian Minton wrote:
>
>
> On 10/17/2016 11:41 AM, Daniel Kahn Gillmor wrote:
>> On Mon 2016-10-17 06:31:16 -0400, Martin T wrote:
>>
>>> I am aware that one can update all the keys in local-keyring from a
>>> keyserver using "gpg --refresh-keys". Are there any disadvantages to
>>> simply put this command into user crontab and execute for example once
>>> a day?
>> The only disadvantages are if you don't want to reveal the contents of
>> your keyring to the public keyservers, or to announce your presence on
>> the network.
>>
>> If you prefer to do these things in an anonymized way, you might prefer
>> a tool like parcimonie,
>
> I run a key server, which allows me to do as many key-retrieval queries
> as I like, without giving any information away to the rest of the
> world.  It also helps a little, but not completely, with the problem of
> adding keys to the keyserver network, with respect to my social
> network.  In particular, it's not easy for any keyserver to see which of
> its peers' peers a given key or set of keys, originated from.  However,
> in theory, an attacker could track the progress of a given key across
> the network of keyservers by quick querying, but it's a pretty small
> window between the introduction of keys to a single member of the pool,
> and it being shared to all the keyservers.
>
>
>
>


list revoked UIDs

2016-10-18 Thread Martin T
Hi,

I imported a public key from keyserver which has multiple UIDs and one
of those UIDs is revoked. When I execute "gpg --list-keys "
then I see only active UIDs and not that one revoked UID. Is there a
way to list that revoked UID? Or wasn't that imported in the first
place?


thanks,
Martin



Re: list revoked UIDs

2016-10-18 Thread Martin T
Thanks! This did the trick.


Martin

On Tue, Oct 18, 2016 at 2:29 PM, Peter Lebbing wrote:
> On 18/10/16 12:42, Martin T wrote:
>> Is there a
>> way to list that revoked UID?
>
> I think it's:
>
> gpg --list-options show-unusable-uids --list-keys <...>
>
> I grepped the man page for "revoked" until I hit upon this.
>
>> Or wasn't that imported in the first
>> place?
>
> That is a possibility, depending on import-options.
>
> HTH,
>
> Peter.
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
>



ways to ensure that GPG public key belongs to right person in business to business communication

2016-10-26 Thread Martin T
Hi,

let's say that Alice from company A and Bob from company B need to
exchange some private data with each other. Alice and Bob need to
encrypt data just that one time, they do not belong to web-of-trust,
but both company A and company B websites are trusted by certification
authority, secure and available only over TLS. This gives a first
option where both Alice and Bob ask their IT departments to publish
their public keys on the company website so Alice can get Bob's public
key over TLS from company B website and the other way around. Or when
for example website of company B is not trusted by CA, then Alice can
pick up the phone, call the customer-support of the company B and ask
for Bob and then ask Bob to send her an e-mail with a public key and
verify the fingerprint of the public key over a phone? Are there
better (easier to use or more secure) ways to ensure that GPG public
key belongs to right person in business to business communication?


thanks,
Martin
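
Added example (not part of the original post): one way to script the comparison step of the phone check described above, in Python. It takes the fingerprint of the received key from `gpg --with-colons --fingerprint` output and compares it with what was read out over the phone, refusing 8- or 16-digit key IDs; the key material, names and function names are constructed for this example.

```python
import re


def primary_fingerprints(colon_output):
    """Fingerprints of primary keys in `gpg --with-colons --fingerprint` output.

    An fpr record belongs to the pub or sub record before it; only those
    that follow a pub record are returned, since that is the value read out
    when people exchange fingerprints.
    """
    found, last = [], None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            last = fields[0]
        elif fields[0] == "fpr" and last == "pub" and len(fields) > 9:
            found.append(fields[9].upper())  # field 10 holds the fingerprint
            last = None
    return found


def normalise_spoken(text):
    """Turn a fingerprint as dictated or typed into 40 upper-case hex digits."""
    cleaned = re.sub(r"[\s:\-]", "", text).upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    if not re.fullmatch(r"[0-9A-F]+", cleaned):
        raise ValueError("fingerprint contains non-hex characters")
    if len(cleaned) in (8, 16):
        raise ValueError("that is a key ID, ask for the full fingerprint")
    if len(cleaned) != 40:
        raise ValueError(f"expected 40 hex digits, got {len(cleaned)}")
    return cleaned


def confirm(colon_output, spoken):
    """True only if the single primary key received matches the spoken value."""
    expected = normalise_spoken(spoken)
    candidates = primary_fingerprints(colon_output)
    if len(candidates) != 1:
        raise ValueError("expected exactly one primary key in the received file")
    return candidates[0] == expected


# Constructed sample: colon listing for a made-up key received by e-mail.
RECEIVED_KEY_LISTING = """\
tru::1:1456410134:0:3:1:5
pub:-:4096:1:AAAABBBBCCCCDDDD:1456410134:::-:::scESC:
fpr:::::::::0123456789ABCDEF01234567AAAABBBBCCCCDDDD:
uid:-::::1456410134::0000000000000000000000000000000000000000::Bob Example <bob@company-b.example>:
sub:-:4096:1:1111222233334444:1456410134::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA981111222233334444:
"""

if __name__ == "__main__":
    read_out = "0123 4567 89AB CDEF 0123  4567 AAAA BBBB CCCC DDDD"
    print("match" if confirm(RECEIVED_KEY_LISTING, read_out) else "MISMATCH")
```
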



Re: ways to ensure that GPG public key belongs to right person in business to business communication

2016-10-27 Thread Martin T
Hi,

thanks for the reply! Unfortunately, Alice and Bob cannot meet in person
because of geographical distance. If they could, then this would
definitely be the best way to exchange public keys. I further
simplified my initial idea:

Alice from company A asks Bob from company B to send her Bob's public
key using an e-mail. Both Alice and Bob know each other's e-mail
addresses because they have been in contact before during a project
which involves both company A and company B. Now when Alice receives
Bob's public key, she will send hers in return to the same e-mail address
from which she received Bob's public key. Then she looks up the phone
number of the customer support department of company B from company B
official website and calls there and asks for Bob. Once she gets Bob
on the phone, she asks Bob to tell the fingerprint of his public key
and then Alice tells her public key fingerprint to Bob and asks Bob to
confirm that it matches.

I guess this provides reasonable security?


thanks,
Martin


On Wed, Oct 26, 2016 at 11:51 PM, Daniel Kahn Gillmor wrote:
> Hi Martin--
>
> On Wed 2016-10-26 16:21:48 -0400, Martin T wrote:
>
>> let's say that Alice from company A and Bob from company B need to
>> exchange some private data with each other. Alice and Bob need to
>> encrypt data just that one time, they do not belong to web-of-trust,
>> but both company A and company B websites are trusted by certification
>> authority, secure and available only over TLS. This gives a first
>> option where both Alice and Bob ask their IT departments to publish
>> their public keys on the company website so Alice can get Bob's public
>> key over TLS from company B's website and the other way around. Or when,
>> for example, the website of company B is not trusted by a CA, then Alice can
>> pick up the phone, call the customer support of company B and ask
>> for Bob and then ask Bob to send her an e-mail with a public key and
>> verify the fingerprint of the public key over the phone? Are there
>> better (easier to use or more secure) ways to ensure that a GPG public
>> key belongs to the right person in business-to-business communication?
>
> It depends on how much involvement you want the IT department to have.
>
> There are a few more options:
>
>  * if Alice and Bob can meet in person, they can give each other
>    business cards with their fingerprints on them.  If this is how Alice
>    finds Bob's e-mail address in the first place, this is a natural
>    place to exchange cryptographic details as well.
>
>  * the two companies could use WKD (web key directory), which is in its
>    infancy, but is at least supported by GnuPG 2.1.x.
>
>  * Alice and Bob could submit their keys to a third-party notary like
>    Symantec's PGP Global Directory (if such a thing still exists)
>
>  * Alice and Bob could publish their public keys in the public
>    keyservers (e.g. gpg --send-key $FINGERPRINT) when they create their
>    keys.  Then they could look each other up in the public keyservers;
>    if Alice finds only one public key associated with Bob's e-mail
>    address, she might just decide to assume it's the right one.
>
> These all have slightly different security properties and failure modes,
> which might have different value to Alice and Bob, depending on their
> threat model and any other economic or logistical pressure they're
> under.
>
>   --dkg
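
The phone check described in the message above, as an added sketch that is not part of the original post: it reads the colon-format listing of the key that arrived by e-mail and accepts a fingerprint read over the phone only if all 40 hex digits match the single primary key. The listing, the fingerprints and the function names are constructed for this example.

```python
import re

# Constructed, trimmed sample (not a real key) of the colon-format listing
# that `gpg --with-colons --fingerprint` prints for the key received by
# e-mail. Field 10 of an "fpr" record is the fingerprint of the key record
# ("pub" or "sub") that precedes it.
SAMPLE_LISTING = """\
pub:-:4096:1:89AB0123CDEF4567:1477500000:::-:::scESC:
fpr:::::::::0F1E2D3C4B5A69788796A5B489AB0123CDEF4567:
uid:-::::1477500000::::Bob Example <bob@company-b.example>:
sub:-:4096:1:1122334455667788:1477500000::::::e:
fpr:::::::::A1B2C3D4E5F60718293A4B5C1122334455667788:
"""


def primary_fingerprints(listing):
    """Return the fingerprint of every primary key in a colon listing."""
    found = []
    last_record = None
    for line in listing.splitlines():
        fields = line.split(":")
        kind = fields[0]
        if kind in ("pub", "sec", "sub", "ssb"):
            last_record = kind
        elif kind == "fpr" and len(fields) > 9:
            # Subkey fingerprints are skipped: the phone check is about the
            # primary key, which is what certifies the subkeys and user IDs.
            if last_record in ("pub", "sec"):
                found.append(fields[9].upper())
            last_record = None
    return found


def normalise(spoken):
    """Drop the spaces and colons people add when reading a fingerprint."""
    digits = re.sub(r"[\s:]", "", spoken).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", digits):
        # An 8- or 16-digit key ID is not enough to identify a key.
        raise ValueError("need all 40 hex digits of the fingerprint")
    return digits


def confirm_key(listing, spoken):
    """Return the verified fingerprint, or raise if the key must not be used."""
    candidates = primary_fingerprints(listing)
    if len(candidates) != 1:
        raise ValueError("expected exactly one primary key, found %d"
                         % len(candidates))
    if candidates[0] != normalise(spoken):
        raise ValueError("fingerprint mismatch: do not use this key")
    return candidates[0]


if __name__ == "__main__":
    read_over_phone = "0F1E 2D3C 4B5A 6978 8796  A5B4 89AB 0123 CDEF 4567"
    print("verified:", confirm_key(SAMPLE_LISTING, read_over_phone))
    for bad in ("CDEF4567",
                "A1B2 C3D4 E5F6 0718 293A  4B5C 1122 3344 5566 7788"):
        try:
            confirm_key(SAMPLE_LISTING, bad)
        except ValueError as err:
            print("rejected:", err)
```

The second rejected value is the subkey fingerprint from the same listing, which shows why the comparison has to be made against the primary key only.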



Re: Can I revitalise an old key-pair?

2013-09-02 Thread Martin Hvidberg

Thanks all

I won't get any of my old keys back, I see that :-(
I can only re-establish the secret key for two of them. One I have
earlier revoked (for good reasons), and another for which I no longer
remember the passphrase.


The good thing is I have learned a lot about keys.
I'll soon make yet a new key-set, and this time I'll be more organised
and make a revoke certificate, that I'll keep in a safe place, together
with the secret key, and the passphrase.


Again - thanks all, you're a great group.

:-) Martin



gpg4win pinentry ignores PIN-pad

2013-10-22 Thread Martin Wolters
Hi,

I am using gpg4win 2.2.1, which according to the change log supports
the SPR332 PIN-pad, but pinentry requests the PIN from the keyboard.
Is there anything I need to configure to enforce the entry from the
card reader?

In GNU/Linux, pinentry only opens a window telling me to enter the PIN
on the card reader and I don't even get the opportunity to enter it
from my keyboard by mistake. This is the way I want it.

Since I don't know where to start, I attached a log from scdaemon. If
you need any additional information, I will be happy to provide it.

Have a good time,
Martin

scdaemon[15820]: chan_0138 -> OK GNU Privacy Guard's Smartcard
server ready
scdaemon[15820]: chan_0138 <- GETINFO socket_name
scdaemon[15820]: chan_0138 -> D
C:UsersasdfAppDataRoaminggnupgS.scdaemon
scdaemon[15820]: chan_0138 -> OK
scdaemon[15820]: chan_0138 <- OPTION event-signal=f8
scdaemon[15820]: chan_0138 -> OK
scdaemon[15820]: chan_0138 <- SERIALNO openpgp
2013-10-22 19:53:07 scdaemon[15820] reader slot 0: active protocol: T1
2013-10-22 19:53:07 scdaemon[15820] slot 0: ATR=3B DA 18 FF 81 B1 FE 75
1F 03 00 31 C5 73 C0 01 40 00 90 00 0C
2013-10-22 19:53:07 scdaemon[15820] DBG: send apdu: c=00 i=A4 p1=00
p2=0C lc=2 le=-1 em=0
2013-10-22 19:53:07 scdaemon[15820] DBG:  PCSC_data: 00 A4 00 0C 02 3F 00
2013-10-22 19:53:07 scdaemon[15820] DBG:  response: sw=6B00  datalen=0
2013-10-22 19:53:07 scdaemon[15820] DBG: send apdu: c=00 i=A4 p1=04
p2=00 lc=6 le=-1 em=0
2013-10-22 19:53:07 scdaemon[15820] DBG:  PCSC_data: 00 A4 04 00 06 D2
76 00 01 24 01
2013-10-22 19:53:07 scdaemon[15820] DBG:  response: sw=9000  datalen=0
2013-10-22 19:53:07 scdaemon[15820] DBG:dump:
2013-10-22 19:53:07 scdaemon[15820] DBG: send apdu: c=00 i=CA p1=00
p2=4F lc=-1 le=256 em=0
2013-10-22 19:53:07 scdaemon[15820] DBG:  PCSC_data: 00 CA 00 4F 00
2013-10-22 19:53:07 scdaemon[15820] DBG:  response: sw=9000  datalen=16
2013-10-22 19:53:07 scdaemon[15820] DBG:  dump:  D2 76 00 01 24 01
02 00 00 05 00 00 04 89 00 00
2013-10-22 19:53:07 scdaemon[15820] AID: D2 76 00 01 24 01 02 00 00 05
00 00 04 89 00 00
2013-10-22 19:53:07 scdaemon[15820] DBG: send apdu: c=00 i=CA p1=5F
p2=52 lc=-1 le=256 em=0
2013-10-22 19:53:07 scdaemon[15820] DBG:  PCSC_data: 00 CA 5F 52 00
2013-10-22 19:53:07 scdaemon[15820] DBG:  response: sw=9000  datalen=10
2013-10-22 19:53:07 scdaemon[15820] DBG:  dump:  00 31 C5 73 C0 01
40 05 90 00
2013-10-22 19:53:07 scdaemon[15820] Historical Bytes: 00 31 C5 73 C0 01
40 05 90 00
2013-10-22 19:53:07 scdaemon[15820] DBG: send apdu: c=00 i=CA p1=00
p2=C4 lc=-1 le=256 em=0
2013-10-22 19:53:07 scdaemon[15820] DBG:  PCSC_data: 00 CA 00 C4 00
2013-10-22 19:53:07 scdaemon[15820] DBG:  response: sw=9000  datalen=7
2013-10-22 19:53:07 scdaemon[15820] DBG:  dump:  00 20 20 20 03 00 03
2013-10-22 19:53:07 scdaemon[15820] DBG: send apdu: c=00 i=CA p1=00
p2=6E lc=-1 le=256 em=0
2013-10-22 19:53:07 scdaemon[15820] DBG:  PCSC_data: 00 CA 00 6E 00
2013-10-22 19:53:07 scdaemon[15820] DBG:  response: sw=9000  datalen=217
2013-10-22 19:53:07 scdaemon[15820] DBG:  dump:  4F 10 D2 76 00 01
24 01 02 00 00 05 00 00 04 89 00 00 5F 52 0A 00 31 C5 73 C0 01 40 05 90
00 73 81 B7 C0 0A 7C 00 08 00 08 00 08 00 08 00 C1 06 01 10 00 00 20 00
C2 06 01 10 00 00 20 00 C3 06 01 10 00 00 20 00 C4 07 00 20 20 20 03 00
03 C5 3C CC 19 5D 23 92 34 85 8F E0 25 31 DB A9 F0 CC F3 EA 7E F1 4F 79
C0 D2 34 6E 04 09 AB 89 B5 ED 10 8D 1F 92 D2 4A E6 0B AF 7A F7 D8 1C 32
87 D5 E3 D5 A0 F1 BA 75 29 9B 20 95 6A 3C EC C6 3C 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 CD 0C 52 5D 88 A3 52 5D 88 A3 52 5D 88 A3
2013-10-22 19:53:07 scdaemon[15820] DBG: send apdu: c=00 i=CA p1=00
p2=5E lc=-1 le=256 em=0
2013-10-22 19:53:07 scdaemon[15820] DBG:  PCSC_data: 00 CA 00 5E 00
2013-10-22 19:53:07 scdaemon[15820] DBG:  response: sw=9000  datalen=0
2013-10-22 19:53:07 scdaemon[15820] DBG:  dump:
2013-10-22 19:53:07 scdaemon[15820] Version-2 ..: yes
2013-10-22 19:53:07 scdaemon[15820] Get-Challenge ..: yes (2048 bytes max)
2013-10-22 19:53:07 scdaemon[15820] Key-Import .: yes
2013-10-22 19:53:07 scdaemon[15820] Change-Force-PW1: yes
2013-10-22 19:53:07 scdaemon[15820] Private-DOs : yes
2013-10-22 19:53:07 scdaemon[15820] Algo-Attr-Change: yes
2013-10-22 19:53:07 scdaemon[15820] SM-Support .: no
2013-10-22 19:53:07 scdaemon[15820] Max-Cert3-Len ..: 2048
2013-10-22 19:53:07 scdaemon[15820] Max-Cmd-Data ...: 2048
2013-10-22 19:53:07 scdaemon[15820] Max-Rsp-Data ...: 2048
2013-10-22 19:53:07 scdaemon[15820] Cmd-Chaining ...: no
2013-10-22 19:53:07 scdaemon[15820] Ext-Lc-Le ..: yes
2013-10-22 19:53:07 scdaemon[15820] Status Indicator: 05
2013-10-22 19:53:07 scdaemon[15820] GnuPG-No-Sync ..: no
2013-10-22 19:53:07 scdaemon[15820] GnuPG-Def-PW2 ..: no
2013-10-22 19:53:07 scdaemon[15820] D
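
The card's replies in the log above can be read mechanically. This added example (not part of the original post) re-joins the mail-wrapped records, pairs each command APDU with its status word, and decodes the application identifier and the PW status bytes; the field layouts follow the OpenPGP card specification 2.x as understood here, and the function names are this example's own.

```python
import re

# Records copied from the scdaemon log in the message above, keeping the
# line breaks the mail client inserted in the middle of long records.
LOG = """\
2013-10-22 19:53:07 scdaemon[15820] DBG: send apdu: c=00 i=A4 p1=00
p2=0C lc=2 le=-1 em=0
2013-10-22 19:53:07 scdaemon[15820] DBG:  response: sw=6B00  datalen=0
2013-10-22 19:53:07 scdaemon[15820] DBG: send apdu: c=00 i=CA p1=00
p2=4F lc=-1 le=256 em=0
2013-10-22 19:53:07 scdaemon[15820] DBG:  response: sw=9000  datalen=16
2013-10-22 19:53:07 scdaemon[15820] DBG:  dump:  D2 76 00 01 24 01
02 00 00 05 00 00 04 89 00 00
2013-10-22 19:53:07 scdaemon[15820] DBG: send apdu: c=00 i=CA p1=00
p2=C4 lc=-1 le=256 em=0
2013-10-22 19:53:07 scdaemon[15820] DBG:  response: sw=9000  datalen=7
2013-10-22 19:53:07 scdaemon[15820] DBG:  dump:  00 20 20 20 03 00 03
"""

STAMP = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d scdaemon\[\d+\] ")
INS_NAMES = {0xA4: "SELECT", 0xCA: "GET DATA"}            # ISO 7816-4
SW_NAMES = {0x9000: "success", 0x6B00: "wrong parameters P1-P2"}
OPENPGP_AID_PREFIX = bytes.fromhex("D27600012401")        # RID + application


def unwrap(log):
    """Re-join records that were wrapped onto a following line."""
    records = []
    for line in log.splitlines():
        if STAMP.match(line) or not records:
            records.append(STAMP.sub("", line).strip())
        else:
            records[-1] += " " + line.strip()
    return records


def exchanges(log):
    """Pair each command APDU with its status word and response bytes."""
    out = []
    for rec in unwrap(log):
        cmd = re.match(
            r"DBG: send apdu: c=(\w\w) i=(\w\w) p1=(\w\w) p2=(\w\w)", rec)
        rsp = re.match(r"DBG:\s*response: sw=([0-9A-Fa-f]{4})", rec)
        dump = re.match(r"DBG:\s*dump:\s*(.*)", rec)
        if cmd:
            _cla, ins, p1, p2 = (int(v, 16) for v in cmd.groups())
            out.append({"ins": INS_NAMES.get(ins, "INS %02X" % ins),
                        "p1p2": (p1 << 8) | p2, "sw": None, "data": b""})
        elif rsp and out:
            out[-1]["sw"] = int(rsp.group(1), 16)
        elif dump and out:
            out[-1]["data"] = bytes.fromhex(dump.group(1))
    return out


def decode_aid(aid):
    """Split an OpenPGP card application identifier into its fields."""
    if len(aid) != 16 or aid[:6] != OPENPGP_AID_PREFIX:
        raise ValueError("not an OpenPGP card AID")
    return {"version": "%d.%d" % (aid[6], aid[7]),
            "manufacturer": aid[8:10].hex().upper(),
            "serial": aid[10:14].hex().upper()}


def decode_pw_status(data):
    """Decode the PW status bytes (data object C4)."""
    if len(data) != 7:
        raise ValueError("PW status bytes must be 7 bytes long")
    return {"pw1_valid_for_several_signatures": data[0] == 0x01,
            "max_len": {"PW1": data[1], "RC": data[2], "PW3": data[3]},
            "tries_left": {"PW1": data[4], "RC": data[5], "PW3": data[6]}}


if __name__ == "__main__":
    for ex in exchanges(LOG):
        status = SW_NAMES.get(ex["sw"], "SW %04X" % ex["sw"])
        print("%-8s P1P2=%04X -> %s" % (ex["ins"], ex["p1p2"], status))
        if ex["p1p2"] == 0x004F and ex["data"]:
            print("  AID:", decode_aid(ex["data"]))
        if ex["p1p2"] == 0x00C4 and ex["data"]:
            print("  PW status:", decode_pw_status(ex["data"]))
```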

Re: Quotes from GPG users

2013-10-30 Thread Martin Gollowitzer
* Sam Tuke  [131030 13:18, 
  mID <5270e670.3070...@gnupg.org>]:

> Hi all,
> 
> I'm working with Werner to promote GnuPG and raise awareness. To that end
> we're collecting quotes from users - endorsements from people who know and
> trust GPG, people like you.
> 
> If you want to help us, send your own statement about why GPG is important to
> you. Please keep it less than or equal to 130 characters, so it can be used on
> social networks.

Unfortunately, this is slightly longer (it's really hard to stick to 130
characters):

GnuPG allows for both proving a message's authenticity and preventing
eavesdropping. It's one of the most important tools I use every day.

I'll try to come up with a better one ASAP.

Best,

Martin




unable to use gnupg on a read-only filesystem

2013-11-17 Thread Martin Vegter

Dear list,
I am working on a read-only filesystem and I am using the following command:

echo "hello" | gpg -e -a -r mar...@example.com

This command fails with the following errors:

gpg: failed to create temporary file `/root/.gnupg/.#lk0x847421':
Read-only file system
gpg: fatal: can't create lock for `/root/.gnupg/trustdb.gpg'

I don't have the option "use-temp-files" enabled in my config. Even when
I explicitly disable it, I get the same errors:

echo "asdf" | gpg --keyserver-options no-use-temp-files -e -a -r mar...@example.com

Could somebody please advise how I can use gpg without temporary files?

many thanks,
Martin





Re: [Announce] GnuPG launches crowdfunding campaign

2013-12-19 Thread Martin Gollowitzer
* Richard Ulrich  [131219 13:47, 
  mID <1387457142.1836.18.camel@XPS13dev>]:

> As this is about a crypto project, wouldn't it be adequate to accept
> payments in crypto currencies?

I wouldn't consider this a priority. Bitcoin violates one of the
fundamental laws of economics and is therefore supposed to crash at some
point. Choosing goteo was IMHO a good idea because their system is Free
Software and I don't know if they even support BTC et al.

Just my €0,02 

Martin 




Re: BoF at FOSDEM ?

2014-02-01 Thread Martin Paljak
Too bad I missed. Where did you get with the ECC discussion?

m.
--
Martin
+372 515 6495


On Sat, Feb 1, 2014 at 10:32 AM, Kristian Fiskerstrand wrote:
>
> [Seems my email from my cellphone got stuck in the moderator queue. So
> please excuse a duplicate post once it gets through. ]
>
> On 02/01/2014 10:25 AM, Kristian Fiskerstrand wrote:
>> I have signed up for a slot at H3.227 today (saturday) at
>> 1300-1400
>>
>> see you there
>>
>> Sent from my BlackBerry 10 smartphone.
>
>
>
>> *From: *Werner Koch *Sent: *Friday, January 24, 2014 10:27 PM
>
> ,,,
>
>> Okay, thus we have
>>
>> - Report on current keyserver work [Kristian] - Make GPG invisible
>> to the user [Arne] - ECC and GnuPG progress [Werner]
>>
>
>
> --
> Kristian Fiskerstrand
> Blog: http://blog.sumptuouscapital.com
> Twitter: @krifisk
>
> Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
> fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
>
> Aut disce aut discede
> Either learn or leave


Re: Scute and SmartCard insertion/removal in Firefox

2014-02-05 Thread Martin Paljak
If you have a web server *and* a client where you can control the
session cache and initiate a re-negotiation, Firefox will try to look
at your token again.

At least this was the case a while ago.
--
Martin
+372 515 6495


On Wed, Feb 5, 2014 at 12:58 PM, Urs Hunkeler  wrote:
> Hi,
>
> I use the GnuPG card and have installed all the software, including Scute. I
> configured a server for HTTPS asking for client certificates. When the card
> is inserted before requesting the page, I get a request for the user PIN for
> the card, and then the certificate is exchanged with the server as desired,
> and everything works fine.
>
> When the card is not inserted, my web application detects that no
> certificate has been sent and shows a login-failed message. If I then insert
> the card and reload the page, the card is not accessed and login still
> fails. I actually have to terminate and restart Firefox for it to use the
> card (shift-click on reload does not work either).
>
> Ideally, I would like to be logged out when I remove the card and logged in
> when I insert the card. Mozilla provides an unofficial JavaScript object to
> detect card insertion/removal
> (https://developer.mozilla.org/en-US/docs/JavaScript_crypto). The JavaScript
> code detects successfully insertion and removal of the card. Using mozilla's
> example script, when I remove the card, the page is reloaded, but displays
> an error message. I can probably hide the error message by verifying the
> connection in the background (AJAX) or reloading the page with a delay.
> However, when I insert the card, the page is still reloaded but the client
> certificate is not used.
>
> Is there a way to reload a page and explicitly request that the SmartCard be
> accessed? Or do you have any suggestions for a work-around?
>
> Sincerely,
> Urs


Multiple Subkey Pairs

2014-03-13 Thread Martin Behrendt

Hi,

I want to achieve the following:
1. A Master signing key
2. A subkey signing/enc pair for my normal machine
3. A subkey signing/enc pair for e.g. my mobile device

What I want to do is to have a different "pair" for my mobile device
or work computer than on my machine. I want to give those pairs a
shorter lifetime like 1 year (depending on the paranoia level) so I
can change them more frequently. (Besides the hoped-for security
advantages this would also make changing outdated subkeys easier
because there will still be a working keypair while people
update to the new keypairs)

To set up a key with subkeys is not too big of a problem. There are
enough tutorials out there. I just didn't find a nice key management
tool for that. Especially exporting keys with only one of the subkey
pairs requires some work ...

Now the following problem arises (at least from the reading I have
done). As I understand it, gpg only uses one of the encryption subkeys to
encrypt the message. So the question is, is it possible to encrypt to
all encryption subkeys in a key? And if yes, is there an easy way to
do it, so that not just I can handle that, but also the people who
send me encrypted mails? (And if not, does it make sense to implement
something like this in gnupg?)

And a more general question: This approach generates some overhead so
is there maybe a way to achieve something similar more easily?

Thanks for ideas and input.
Martin


Re: Multiple Subkey Pairs

2014-03-13 Thread Martin Behrendt

On 13.03.2014 16:42, ved...@nym.hush.com wrote:
> 
> On Thursday, March 13, 2014 at 8:03 AM, "Martin Behrendt"
>  wrote:Hi,
> 
>> I want to achieve the following: 1. A Master signing key 2. A
>> subkey signing/enc pair for my normal machine 3. A subkey
>> signing/enc pair for e.g. my mobile device
> 
>> What I want to do is to have a different "pair" for my mobile
>> device or work computer than on my machine. I want to give those
>> pairs a shorter lifetime like 1 year (depending on the paranoia
>> level) so I can change them more frequently.
> 
> = You can let all your correspondents know that they can
> encrypt simultaneously to all 3 of your keys that have the same
> e-mail address (assuming that you give them the fingerprints and
> long key id' s for the 3 keys, and they aren't going to be fooled
> by some attacker making a new key with your name and  e-mail
> address).
> 

Thank you, that sounds like a solution worth going for. I'm just not
sure how to e.g. tell thunderbird/enigmail to use multiple keys for
one email address when sending (or will it do that by default?). If
you have a hint for that, that would be nice, otherwise I will try to find
out myself.
My closest thoughts to a solution like this were to set my reply-to
to two email addresses and maybe play around with the subkey
identities to achieve the same. Or also two different key pairs. One
big key with subkeys would be nicer though, to hide the "complexity" a
little.

@Hauke, Daniel
Thx for your replies, too. Like I wrote, I am aware that multiple
encryption subkeys are not used. That's why I was asking if changing
that would make sense. Or what the bigger drawbacks are.

Also the fact that it is hard to determine which key has which
security level is correct and an important issue. But I think this is
a problem which can be solved by proper key management and presentation.

Martin


Re: Multiple Subkey Pairs

2014-03-13 Thread Martin Behrendt

On 13.03.2014 17:39, Daniel Kahn Gillmor wrote:
> 
> what is the advantage of this approach?  what threat are you trying
> to defend against?
> 
> I'll work from the assumption that you are worried that an
> attacker might compromise one of your machines, copy that machine's
> decryption key, and then use its key to decrypt messages that had
> been sent prior to the compromise.
> 
> In this case, having your recipients encrypt every message to all
> three keys is *exactly* as risky as having a single key shared
> across all machines -- a compromise of any one of the machines
> results in a decryption of all messages.
> 

One use case would be, if you use portable thunderbird only those
encrypted messages get compromised which can be decrypted by the local
key and which were composed in a certain time-frame. On my side, I
can still read messages friends send me which are only encrypted to
e.g. make mass surveillance harder. But they don't have actual
"important" content. On the other side, those friends of mine who are more
worried about the topic in general know how to only use my safer key.
So the basic idea is, I'm always reachable via encryption but for
insecure devices I have a short-lived key which I can change
frequently while I still have a long-term key out there which can be
more trusted.
I don't know if this makes much sense or if there are better ways. Or
maybe that's a stupid problem to think about at all. I just thought
about using gpg for multiple devices (especially insecure mobile ones)
and approaches to increase the security. And now I want to see what
is technically possible and if there is a solution to it. If not, maybe
someone at least also starts thinking about the problem and comes up
with a good solution.

Martin


Re: Multiple Subkey Pairs

2014-03-17 Thread Martin Behrendt

On 17.03.2014 11:34, Robert J. Hansen wrote:
>> The YYY (->a famous three letter agency) e.g. denies to archive
>> content of YYY citizens mails. It is thus perfectly reasonable to
>> assume it does so with all other ones.
> 
> This is not a reasonable inference.
> 
> I deny being able to violate the Second Law of Thermodynamics.  Is
> it perfectly reasonable to assume I can violate the First or the
> Third? No, clearly not: the inference is not logically sound.
> Neither is your original inference.
> 

That is an odd comparison. What does a statement about a fundamental
law of physics which you can't change have to do with a statement
about what you are doing, where you are perfectly free to do something
other than what you say? If that is what you base your judgment of "not a
reasonable inference" on, I'm truly worried.

> 
>> sorry again, if we are speaking about the YYY, only metadata if 
>> recipient and sender are YYY citizens and if we believe what the
>> agency says.
> 
> I cannot accept this assertion, as it is offered without either
> direct evidence or logically sound inferences.
> 

You have not spent time understanding how YYY works, it seems to me. How
they communicate with the public. How they bend the truth, redefine
the meaning of certain words when communicating. How to be
over-specific in their denials.
From my understanding it is a perfectly valid inference to assume that
the YYY also stores content data of communication.
You can find evidence for that in congressional hearings, in
newspapers and so forth.
But since the last years' revelations and how they dealt with them, how
they communicated in congressional hearings, don't seem to be evidence
enough for you, I'm afraid no one will be able to help you see that
the inferences are reasonable. At first you need to be willing to
question their motives and their "truthfulness". Otherwise it doesn't
make sense to argue about reasonable or non-reasonable inferences.


Re: Multiple Subkey Pairs

2014-03-17 Thread Martin Behrendt
On 17.03.2014 17:54, Robert J. Hansen wrote:
>> That is an odd comparison. What does a statement about a fundamental
>> law of physics which you can't change have to do with a statement
>> about what you are doing, where you are perfectly free to do something
>> else than you say?
> 
> Try some variations.
> 
> I deny that I've ever been to Vienna; is it logical to believe, based on
> that, that I've traveled extensively in Europe?
> 
> I deny that I've ever seen _Star Wars Episode III_.  Is it logical to
> believe, based only on that, that I've seen every other installment?
> 
> I deny that I've ever read the second stanza of Coleridge's 'Kubla
> Khan'.  Is it logical to believe, based only on that, that I've read the
> first?
>

All these examples lack the dimension of illogical, untruthful and
purposely misleading communication humans are capable of. Of course in a
purely logical environment all of your examples have to be answered with:
You can't draw these conclusions.
But taking into account that humans are not strictly logical, and taking
into account the past, we can reasonably draw conclusions which we can't
by pure propositional logic.

Just one example from the not so far past: "We are not and we will not
spy on chancellor Merkel"
Without any context and background information it is not "logical" to
draw the conclusion that there has been spying in the past. But knowing
e.g. who said that, it is reasonable to assume so.

> This is all rather irrelevant, though, since it's clear you _a priori_
> believe nothing claimed by that outfit.  (Which may be justified, mind
> you.  Saying "I do not trust them and I consider all of their statements
> a nullity: I will only trust what I can independently verify" is a
> perfectly logical position.)
> 
>> You have not spend time understanding how YYY work it seems to me.
> 
> There are two options here: either I confess my ignorance, in which case
> you'll claim to be more knowledgeable and thus right, or I claim my
> knowledge, in which case you'll think I'm clearly "too close to them to
> be trusted."

There are at least three options: 3. My impression is wrong.

> At this point, I don't care what you think.  My original statement -- "I
> have seen no credible claims that anyone anywhere in the world is doing
> bulk surveillance of email content on an internet-wide scale" -- stands.
> 

I was referring to this statement of yours:

> I cannot accept this assertion, as it is offered without either direct
> evidence or logically sound inferences.

I don't care about the direct evidence, but the logically sound inference
that bulk surveillance of email content on an internet-wide scale is
happening is reasonable.
But if you want evidence [1]:
"At least some of the data traffic coming through the German internet
exchange point DE-CIX is diverted to German intelligence and other
agencies."
They (and this is just the "Germans") divert a certain percentage. It
would be illogical if they wouldn't analyze that in some way. Therefore by
pure logic a mass surveillance is happening. Now we can argue about how
"mass" and "internet-wide scale" are defined, but my assumption is
that for you this example doesn't fulfill the criteria and because there
is no evidence that other countries are doing the same your statement will
stand. I hope you never have a reason to start caring about what I
think. Because your world seems to be the more righteous and calm place
and I wish I didn't have to worry about the future of free societies as
much.

[1]
http://www.h-online.com/news/item/PRISM-scandal-internet-exchange-points-as-targets-for-surveillance-1909989.html



Re: Multiple Subkey Pairs

2014-03-18 Thread Martin Behrendt

On 18.03.2014 15:01, Robert J. Hansen wrote:
> 
> My other position is that we have to be careful what we believe.
> In these times it's tempting to see shadows and jump at them,
> believing that we're seeing the bogeyman.  We have to resist this
> temptation.  In frightening times, we must pay special attention to
> logic and reason.
> 

Sorry if I sound cynical but the bogeyman says hello [1]:

"The National Security Agency has built a surveillance system capable
of recording “100 percent” of a foreign country’s telephone calls,
enabling the agency to rewind and review conversations as long as a
month after they take place, [...]"

and yes, they used that system. So I 100% agree with you, we must pay
special attention to logic and reason. And I don't know what it
takes, but if you still don't see logic and reason in taking the
assumption that there is a mass and wide-scale surveillance
also of e-mail content as fact, then again, I so would like to live in
your world.

[1]
http://www.washingtonpost.com/world/national-security/nsa-surveillance-program-reaches-into-the-past-to-retrieve-replay-phone-calls/2014/03/18/226d2646-ade9-11e3-a49e-76adc9210f19_story.html


Re: Multiple Subkey Pairs

2014-03-18 Thread Martin Behrendt

On 18.03.2014 19:34, Robert J. Hansen wrote:
> (1) Given how many flat wrong things get printed in the newspaper, 
> believing this reporting may not be wise.
> 

While this in general is true, I really wonder why you say that in the
current context. Especially an article where the main facts are backed
up by quotes of officials.

> (2) Let's assume it's true.  The story only says it can record 100%
> of a foreign country's telephone calls for up to a month, not that
> it can store *all* telephone calls for an indefinite period of
> time.  There's still a lot of targeting that has to go on here.
> Claims of worldwide surveillance are still overblown.
> 
We were talking about mass surveillance on an internet-wide scale. Not
of a worldwide 100% surveillance.

> (3) The capability may exist, but the story never claims the system
> has been used.  We've had nuclear weapons sitting idle in their
> silos for decades: this capability may be the information
> equivalent of a nuke in a silo.
> 
"The voice interception program, called MYSTIC, began in 2009. Its
RETRO tool, short for “retrospective retrieval,” and related projects
reached full capacity against the first target nation in 2011.
Planning documents two years later anticipated similar operations
elsewhere."
All quotes from [1].

> (4) Your "yes, they used that system," I simply can't believe, not 
> without seeing supporting evidence.
> 
See above. Read the article. If you don't believe them ask them for
their source material.
"At the request of U.S. officials, The Washington Post is withholding
details that could be used to identify the country where the system is
being employed or other countries where its use was envisioned."

> My uncle, a Korean War veteran, tells me that at one point during
> the war U.S. troops reported they were witnessing tactical nuclear
> strikes. It turned out this was just the 16-inch guns of the
> _U.S.S. Iowa_ battleship.  Apparently, it's pretty easy to mistake
> a 16-inch shelling for a tactical nuclear strike.  The relevance to
> our present situation is this: just as it was very easy for troops
> to see mind-blowingly huge explosions and to conclude the war had
> just gone nuclear, it is very easy for us to look at fragmentary
> and often-inaccurate news media reports and leap to conclusions
> about "that system must exist and it must be in use!"
> 
I can't see how it is possible to compare the life-threatening situation
of a combat situation under stress with reading and understanding a
newspaper report. But here are some more quotes from the article:

"A senior manager for the program compares it to a time machine"

"In a statement, Caitlin Hayden, spokeswoman for the National Security
Council, declined to comment on “specific alleged intelligence
activities.” Speaking generally, she said “new or emerging threats”
are “often hidden within the large and complex system of modern global
communications, and the United States must consequently collect
signals intelligence in bulk in certain circumstances in order to
identify these threats.”"

> Be careful.  Carefully separate out what you see from what cause
> you're ascribing to it.  If you see X, I'm willing to accept that
> you see X. But so far you seem to be leaping towards "... therefore
> Y!", and there I think you're on much weaker ground.
> 
Yes, we were talking about logic and reason. And I told you why I
think, even without evidence, my "therefore Y" is logical and reasonable.

> I never said we should not be aware of the possibility, nor have I
> ever said that such a thing cannot happen.
> 
> I said that we should not treat it as fact, because facts are
> things which can be proven, and so far there's no proof here.

No, what you said was this:
>> sorry again, if we are speaking about the YYY, only metadata if 
>> recipient and sender are YYY citizens and if we believe what the 
>> agency says.
> 
> I cannot accept this assertion, as it is offered without either
> direct evidence or logically sound inferences.

And I argued why it is a logically sound inference.


[1]
http://www.washingtonpost.com/world/national-security/nsa-surveillance-program-reaches-into-the-past-to-retrieve-replay-phone-calls/2014/03/18/226d2646-ade9-11e3-a49e-76adc9210f19_story.html


Re: OpenPGP smartcard and RSA 8192 bit

2014-03-23 Thread Martin Paljak
No. 4k is the reasonable maximum.
--
Martin
+372 515 6495


On Sun, Mar 23, 2014 at 12:37 PM, -- --  wrote:
> Hi!
>
> Just for the sake of curiosity, is it possible to store a 8192 bit RSA key
> on the OpenPGP smart card? Two keys ? Three keys?
>
> Thank you, please include me in CC for reply.
>
> John Peters


Re: Access to www.gnupg.org only via TLS

2014-04-30 Thread Martin Gollowitzer
* Doug Barton  [140430 10:05, 
  mID <5360ae82.6070...@dougbarton.us>]:

> On 04/30/2014 12:41 AM, Werner Koch wrote:
> >Hi,
> >
> >I have changed the website setup so that any plain text access to
> >www.gnupg.org is redirected to https://www.gnupg.org .  Strict Transport
> >Security (HSTS) has also been enabled.
> >
> >In case of problems with TLS you may use www dot tla-friendly dot
> >gnupg.org to view the pages.
> >
> >Note that https is not enforced for lists.gnupg.org and the other
> >services because over there we use CAcert certificates which do not work
> >widely enough.
> 
> All good news. :)
> 
> >If there is an interest to have lists at https as well,
> >I consider to purchase a certificate for it.
> 
> I know it's been discussed on the list before, but I'm quite happy
> with https://www.startssl.com/, and you certainly can't beat the
> price. :)

You might want to consider my blogpost about StartSSL [1]. Despite that,
the SSLLabs test shows two small issues when testing gnupg.org [2], one
of which is the too short time sent in the HSTS header.

[1] 
http://blogs.fsfe.org/gollo/2014/04/13/what-the-heartbleed-bug-revealed-to-me/
[2] https://www.ssllabs.com/ssltest/analyze.html?d=gnupg.org

Thanks, 
Martin 
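
A check for the HSTS finding mentioned in the message above, as an added example that is not part of the original post or of gnupg.org's configuration: it parses a Strict-Transport-Security value following the RFC 6797 rules and flags a short max-age. The function names, the 180-day threshold and the sample header values are assumptions constructed for illustration.

```python
import re

# Assumption for this example: the shortest max-age the auditor accepts.
# The post gives no figure; 180 days is a placeholder policy value.
MIN_MAX_AGE = 180 * 24 * 3600

# RFC 7230 "token" characters, used for directive names.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).

    Returns {lower-cased directive name: value or None}, max-age as int.
    Raises ValueError for a header a conforming browser would ignore.
    Simplification: a ';' inside a quoted-string value is not supported.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # the grammar permits empty directives ("a; ; b")
        name, has_value, val = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if not _TOKEN.fullmatch(name):
            raise ValueError("malformed directive name: %r" % name)
        if name in directives:
            raise ValueError("directive repeated: %s" % name)
        if has_value:
            val = val.strip()
            if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
                val = val[1:-1]  # quoted-string form, e.g. max-age="300"
            directives[name] = val
        else:
            directives[name] = None  # valueless, e.g. includeSubDomains
    age = directives.get("max-age")
    if age is None or not re.fullmatch(r"[0-9]+", age):
        raise ValueError("max-age missing or not a non-negative integer")
    directives["max-age"] = int(age)
    return directives


def audit_hsts(value, min_age=MIN_MAX_AGE):
    """Return a list of (code, detail) findings; an empty list means none."""
    try:
        parsed = parse_hsts(value)
    except ValueError as exc:
        # Browsers ignore a non-conforming header, so no policy is stored.
        return [("invalid", str(exc))]
    findings = []
    age = parsed["max-age"]
    if age == 0:
        findings.append(
            ("policy-cleared", "max-age=0 tells browsers to drop the policy"))
    elif age < min_age:
        findings.append(
            ("short-max-age",
             "%d s is below the %d s minimum" % (age, min_age)))
    return findings


if __name__ == "__main__":
    # Constructed sample header values, not captured from any real site.
    samples = [
        "max-age=3600",
        "max-age=31536000; includeSubDomains",
        'Max-Age="31536000"',
        "includeSubDomains",
        "max-age=1; max-age=2",
        "max-age=0",
    ]
    for header in samples:
        print("%-40s %s" % (header, audit_hsts(header) or "ok"))
```
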




Re: Managing Subkeys for Professional and Personal UIDs

2014-05-03 Thread Martin Behrendt
On 03.05.2014 05:01, Robert J. Hansen wrote:
> And regardless of whether it's a good practice or a bad one, I've
> worked in businesses that have done exactly this -- so it's a
> real-world example that demonstrates the occasional need for a
> third party to possess signing keys.
> 

And regardless of whether it's a good practice or a bad one, I've
worked in businesses that have done exactly this (ordered people to
jump out the windows) -- so it's a real-world example that
demonstrates the occasional need for a company to make such orders.

On 03.05.2014 03:32, Robert J. Hansen wrote:
> 
> Personally, I would prefer not to have my name on such a
> certificate, for reasons that have already been expressed on the
> list.  But if there's a corporate policy that says each cert must
> have the name of someone authorized to use it, then that's the way
> you play the game.

Personally, I would prefer not to discriminate against black people,
for reasons that have already been expressed on the list. But if
there's a corporate policy that says I have to, then that's the way
you play the game.

PLEASE refrain from using generic phrases which defend stupidity
because the stupidity is done in real-life. These are lazy things to
say, they might sound like arguments, but they are not. And they have
been used way too often to defend the worst human behavior or to defend
why nobody did something against it.
It makes my heart bleed every time I see or hear them.
It is okay to say: "This is done." But please ALWAYS conclude (if
"this" is stupid/injustice/bad practice) "but it needs to be changed."

I know, we are living in a world where it is hard to fight every
stupidity that is in place. And sometimes you have to do these stupid
things in order to get somewhere. But a first easy step is, not to
defend them.


Re: Managing Subkeys for Professional and Personal UIDs

2014-05-04 Thread Martin Behrendt
On 04.05.2014 10:30, Robert J. Hansen wrote:
> 
> Are there good business reasons for third party escrow of signing
> keys? Quite probably.  If you can think of a situation where an
> autopen is appropriate, whether in business or in government,
> that's also a situation where third-party escrow of signing keys
> would also likely be appropriate.
> 

No, there are no good reasons.
There is no technical problem to give different signers the same
rights to make certain signatures but make it comprehensible who
actually signed it. This is important in case an error happened or
someone intentionally did something wrong to commit a crime.

In a world where everyone would do the right thing and didn't make
mistakes I would be definitely with you. It would be no problem to not
be able to distinguish who actually made a signature. But we are not
living in that world.
And you should know that. I read your story "Two Thousand Miles to the
Promised Land". Just imagine that guy being able to make signatures
that appear to be made by you or anyone else in the company without the
recipient knowing, just because there have been "good business
reasons". Imagine how much more damage he could have done.
So again, there are no good business reasons. There are only reasons
like laziness, stupidity or it costs too much. And it costs too much
might be a legitimate reason in our world. But only so long someone
made damage that is higher than the cost to make it right from the
beginning.

And as a side note. Your answer to my other mail completely missed my
point. I was saying that you are using phrases and rhetoric rather
than arguments to try to defend your point.


Re: Managing Subkeys for Professional and Personal UIDs

2014-05-05 Thread Martin Behrendt
On 04.05.2014 12:52, Robert J. Hansen wrote:
>> No, there are no good reasons.
> 
> If that's an axiom in your system, then so be it.  But let's not
> go about thinking that's something you've deduced from principles.
> 
Well I haven't heard any so far.


> It's not about technical problems.  In the case of the President
> and his autopen, it's about legal problems.  Under United States
> law, for a piece of legislation to take effect the President must
> affix his signature to the *exact same piece of paper* that the
> House and Senate affixed their marks to.  He's not allowed to sign
> a copy.
> 

So, let's make an insecure system instead of maybe changing the law?
Or maybe changing your priority as a president. There is more than one
road that leads to Rome.
Besides, *he* needs to sign the original document. So it is okay to
make it appear he signed it originally by himself but he has not? That
is okay and within the law? For this to be within the law, I would
expect they would need to write it into the law. So they also could
write other stuff in the law, e.g. to add the information who operated
the autopen and that an autopen was used.

> You are certainly free to think this is a broken system.  (Thinking
> the American political system is broken is the favorite pastime of
> many Americans.)  But you have to admit this is a real-life example
> taken from the highest corridors of power in an environment where
> there are some extreme security implications of allowing third
> parties to execute the President's signature...
> 
> ... /and yet they choose to do it./
> 
This is, again, rhetoric and not an argument. I explained that before.

> That's the world we live in.  You are, of course, free to scream
> that they are all idiots and fools and morons who are not listening
> to your divinely-inspired wisdom.  Me, I'm going to grit my teeth,
> say, "well, let me see if I can help them not make a complete hash
> of things," and engage the world as it is.
> 
No, I'm not screaming. It has nothing to do with me having more wisdom
than others. I just want to learn from the past and put 10% more
energy in having a more secure system. I'm just saying that there are
better ways to solve the same problem while you defend your position
with phrases and rhetoric and not with arguments.
Let me exaggerate what it sounds like to me, what you are saying:
There is a nuclear power plant built next to a volcano on the shore of
an ocean and just on top of the boundary points of two tectonic plates.
I'm saying: Hey guys, that's stupid, shouldn't we build wind engines or
wave power machines here instead and shut down the nuclear power
plant? The volcano is active, tsunamis do happen here and let's not
forget about the earthquakes.
And you are saying: "You are, of course, free to scream that they are
all idiots and fools and morons who are not listening to your
divinely-inspired wisdom. Me, I'm going to grit my teeth, say, "well,
let me see if I can help them not make a complete hash of things," and
engage the world as it is."

It is valid to say: Yes this is stupid but we need to secure the
system on a short term perspective as it is but we need to do
something better on the long run.
But from what you are saying and how you are behaving I only get: The
world is stupid. I won't change it but I will help to make the outcome
of the stupid things not have such a bad effect. But I will defend the
overall stupidity behind it because the stupidity is done and that is
how the world is. And there are people saying "We are not going to
change it."

> Did you read the part about the ex-CEO breaking into my apartment
> and accessing my PC?  Come on, man.  My *personally owned*
> certificates were compromised.  How much worse could it really have
> been if he'd chosen to improperly use my *corporately owned*
> certificate?
> 

Yes, I said I read the story.
And once you discovered your personally owned certificates were
compromised you revoked them, made new ones and you were aware of the
fact that they might be misused and could be more cautious over a
period of time. But your corporate certificates could have been
misused from the beginning without stealing them first from you by
design of the system you defend. Can you see the difference?

>> And as a side note. Your answer to my other mail completely
>> missed my point. I was saying that you are using phrases and
>> rhetoric rather than arguments to try to defend your point.
> 
> If you haven't been seeing arguments, then I respectfully suggest 
> reading closer.
> 

I didn't say you are *only* using phrases and rhetoric. I admit you
are also using badly designed examples which most of the time, if you
think them through, are not helping your point.


Re: Managing Subkeys for Professional and Personal UIDs

2014-05-05 Thread Martin Behrendt
On 05.05.2014 12:55, Robert J. Hansen wrote:
> 
>> This is, again, rhetoric and not an argument. I explained that
>> before.
> 
> As I explained, you are choosing not to recognize the argument.
> 
You honestly seem to think that "We are doing $A, so it is okay to
keep on doing $A instead of working towards doing $B which is way
smarter to do." is an argument. This gives me an explanation why you
didn't listen to your doubts in the mentioned story. Maybe you got
convinced to keep on going by similar "arguments"?

> Point blank: /the world does not care what you think./  Nor what I 
> think, for that matter.  The world cares about its established 
> procedures and The Way Things Have Always Been Done.  If you try
> very hard, you may be able to make small amounts of headway in
> changing small things.  I encourage this: choose wisely where you
> will expend your efforts.  But that will still leave vast parts of
> the world that will not be changed, and you have to have some plan
> for dealing with those parts other than to tsk-tsk and say, "well,
> they shouldn't be doing that."
> 
> By all means, pick an important part of the world that needs
> changing and work on it.  But the rest of the world will keep on
> going about its merry way, not giving a damn what you -- or I --
> think of it.
> 

Can you see the fundamental difference for the development of our
society in defending stupidity; and working to reduce the effect of
stupidity but *at least* pointing out or mentioning smartness?
Change doesn't come by one person. It comes by enough people speaking
about it. You have to start somewhere. And if you don't feel like
doing the least bit to improve our society, well, then maybe you also
shouldn't make an effort against it. Especially not with senseless
rhetoric which has been used to discriminate against people and worse
and justifying for others not to do something about it.

It is completely valid to argue!!!: $A is easy, simple, takes no
effort and it works. These can be good arguments not to change
something in place. And explaining that changing to $B takes too many
resources and that's why we are not doing it, is also valid. Then you
can have a discussion. But the other rhetoric is just wrong.




Re: FAQ change, final draft

2014-08-13 Thread Martin Behrendt
On 13.08.2014 at 20:43, Robert J. Hansen wrote:
>> Hi Robert, This looks great. One very minor point (possibly not 
>> germane, please comment): Are you discussing the reliability of
>> the NIST P curves for ECC?
> 
> No, because that's the first time anyone's asked that question on
> the list -- so it's not a frequently asked question.  :)
> 

Too bad, I was about to suggest to adapt some of these questions* to
the elliptic curve cryptography and answer them if possible or at
least state that an answer is not possible at this time. Because they
probably will become frequently asked questions in the future**. ;)
But I can understand if that is going to be dealt with, when we are at
that point in time.

regards
Martin

* What will be a good default key length and why e.g.
** maybe true for some of the other questions already in the FAQ as well.


Re: FAQ change, final draft

2014-08-14 Thread Martin Behrendt
On 14.08.2014 at 04:32, Robert J. Hansen wrote:
> On 8/13/2014 5:22 PM, Martin Behrendt wrote:
>> Because they probably will become frequently asked questions in the
>> future.
> 
> The questions experts think will be frequently asked are usually rarely
> asked.  :)
> 
> 

But I don't qualify as an expert. :)
And two other things I noted while reading the FAQ (under what can be
improved perspective).

1. On the starting page for the FAQ[0] I tried to view all formats and
the txt format link [1] uses ftp instead of https and leaves me with the
following message:

> 300: ftp://ftp.gnupg.org/gcrypt/gnupg/GnuPG-FAQ.txt/ 200: filename
> content-length last-modified file-type

2. Assuming that sooner or later stuff about ECC will find its way into
the FAQ. I think an overview (maybe in a table) which connects the
questions "7.6 What's RSA" to "7.12 What's Camellia" would help a
beginner/intermediate.

I'm thinking of something like:
Name | Can be used for | Type | ...
Elgamal | encryption | asymmetric

What do you think?


[0] https://www.gnupg.org/documentation/faqs.html
[1] ftp://ftp.gnupg.org/gcrypt/gnupg/GnuPG-FAQ.txt/



Re: Fwd: It's time for PGP to die.

2014-08-18 Thread Martin Behrendt
On 18.08.2014 at 14:31, Robert J. Hansen wrote:
> On 8/18/2014 2:01 AM, Johan Wevers wrote:
>> And who determines wether it has any "testimonial value"?
> 
> Johan, we're entering paranoid fantasy here.  If you truly believe the
> whole of the USG is corrupt, and that our independent judiciary is in
> cahoots with a corrupt Executive and Legislature in order to
> systematically violate people's rights, well... then I think I'm going
> to need to stop talking with you, which I regret.  :(
> 

I think his question is not only good, it is necessary and important to
ask. Especially when it comes to laws. Or if you want a more visible
example just look at all the misinterpretation of "laws" in religions.

And furthermore you don't need to assume a conspiracy or corruptness.
People make mistakes.
People are willing to bypass the law because they think they serve a
greater good "in this one special case".
People don't think about the greater consequences of their actions.
People are ambitious.
People are stupid.
People ...

But anyhow, how about you choose your password to be a confession about
a crime you committed. Would this be enough testimonial value? :)



Re: It's time for PGP to die.

2014-08-19 Thread Martin Behrendt
On 19.08.2014 at 21:16, MFPA wrote:
> Hi
> 
> 
> On Monday 18 August 2014 at 8:21:06 PM, in 
> , Robert J. Hansen wrote:
> 
> 
> 
>> No, the Fourth Amendment protects all people within U.S. borders
>> equally.  Americans get no special protections over visitors to
>> the country.
> 
> Do people at a border crossing point count as being "within" the 
> borders?
> 

As far as I know, at (international) airports the answer is "no".
There is a zone (that can be extended at will*), where you are
basically in no man's land.
I think that relates to the word "transit zone"[0]
A search for "airport transit zone" might get you some better information.

[0] https://en.wikipedia.org/wiki/International_zone
* see also Snowden and his whereabouts during the phase where he
applied for asylum


Re: encrypting to expired certificates

2014-09-15 Thread Martin Behrendt
On 15.09.2014 at 14:10, Hauke Laging wrote:
> 
> I agree. But expiration does not necessarily mean "don't use at all". 
> Expiration is not the same as revocation. This is not affected by the 
> fact that revocation may be impossible (private key lost and 
> compromised).
> 
> The RfC is quite clear about revocations. It is not about expirations.
> 
> http://tools.ietf.org/html/rfc4880#section-5.2.3.3
> 
> 
> Expiration is a good feature. Handling expired keys in this way 
> discourages using expiration dates, though.

2 arbitrary use cases:

1. One uses the expiration date as a reminder, to think about maybe
updating it to new standards or whatsoever. In this case, a warning
when using an expired case is enough.

2. One lives in a hostile environment and it is possible that someone
can retrieve his private-key/pass-phrase and prevents him from revoking
the key. In this case preventing someone from sending you information
which might harm your well being is a good thing.*

Since the sender can't know how you use the expiration date I guess the
more conservative approach is the safer one if you consider extreme
cases like scenario 2.

Greetings
Martin

*This is probably highly theoretical, I don't know.



Re: encrypting to expired certificates

2014-09-16 Thread Martin Behrendt
On 16.09.2014 at 12:13, Peter Lebbing wrote:
> On 15/09/14 21:56, Robert J. Hansen wrote:
>> From the plain meaning of the word, "expiration."
>>
>> There's a half-finished liter of milk in my fridge that's now a week 
>> past its expiration date.  (Yes, yes, I'm going to throw it out once
>> I get home...)
>>
>> If you want, feel free to come by.  I'll pour you a glass of milk. 
>> After all, an expiration date doesn't mean "don't use this," right? 
>> It's only a number that's to be interpreted according to however
>> someone wants.
> 
> Sure! A week might be a bit much, but if it were 3 or 4 days I'd agree.
> Starting from slightly before the expiration date to well past, I simply
> sniff it, pour out a little, look if it is curdling... and if none of
> those things apply, I happily pour myself some perfect moo juice. A
> bloody shame to throw it away. You really throw out perfectly good food?
> Just because someone said "well, given our process variations, even the
> worst piece, even the milk produced on a hot day and picked up a bit
> late, would still be okay for one and a half week. To cover our asses,
> let's say we warrant it for a week"?
> 

Just as a side note. The usage of this example is a little unlucky
because it has so many traps based on cultural differences. I saw that
discussion coming when I read it.

In Germany on food products you will find the word "Expiration Date"
which literally means: "Don't eat me after that date." But there is a
discussion to change that because what they are actually meaning in this
context is: "I won't change my shape, taste and rigidity till that
date." So I guess, people with such a background are a little more open
to the interpretation of that phrase.
But as far as I know, in the US it says "Best before" to avoid that
confusion and make clear that this product is probably still good, some
time after that date.

And I think the same confusion is going on with respect to the
expiration date in our context. And I am all for not overloading the
meaning of words, so if I read expiration date then for me this is a
deadline. If you mean "best before" then I would prefer if people say
it like this.

Martin



Re: encrypting to expired certificates

2014-09-16 Thread Martin Behrendt
On 16.09.2014 at 16:41, Werner Koch wrote:
> On Tue, 16 Sep 2014 12:52, martin-gnupg-us...@dkyb.de said:
> 
>> In Germany on food products you will find the word "Expiration Date"
>> which literally means: "Don't eat me after that date." But there is a
> 
> Actually you find "mindestens haltbar bis DATE" which literally means
> "at least stable/durable until DATE".  It is the guarantee promise from
> the vendor.  Which would actually support Hauke.
> 
> To put this discussion to an end, he may simply do a jump to the left
> and put the option --faked-system-time ISODATESTRING on his command
> line.
> 

Ups, yea you are right, my bad. But that doesn't change my point, that
"expiration date" is something else than "best before" or "best used
until". So if an enforced "expiration date" does not make sense, I would
prefer to rename it to any of the other options and then allow sending
encrypted messages to these keys. Until then your solution should
work, too. :)



Re: emails snowden and poitras

2014-10-14 Thread Martin Behrendt
On 14.10.2014 at 10:55, Rejo Zenger wrote:
>
> So, what's the objective of Snowden, you think?

I assume that Laura Poitras never used gpg before or at least Snowden
assumed so. I guess the main intent of the question was to sensitize
her to the topic and make her think about possible threats and teach her.
And he explicitly asks to confirm that on a different communication
channel to avoid the problem you mentioned.

>
> Of course, if Poitras would answer that her private key is in the
> hands of some other person, I expect her to have revoked the key
> anyways.
>

If you assume she is new to gpg I guess that is a wrong expectation.

greetings
Martin



Re: Update on USG, Software, and the First Amendment

2014-10-28 Thread Martin Behrendt
On 27.10.2014 at 19:20, Robert J. Hansen wrote:
> Just received word back from a friend of mine who's a law professor
> focusing in electronic civil liberties, and is a former Commissioner of
> the FCC to boot.  He's skeptical that ITAR/EAR enforcement will affect
> U.S. hackers participating in libre software development.  More than
> that I can't/shouldn't say, since he was writing off-the-cuff in a
> personal email rather than carefully drafting remarks for public
> consumption.
> 
> He rather likes writing short essays on law.  If there's interest, I'll
> try and talk him into writing something layman-friendly about ITAR/EAR,
> cryptography, and the First Amendment.

I actually would be interested in how he would argue if he was the
government and would want to prosecute hackers for that. Or both. Just
like the old saying: 2 lawyers, 3 opinions.



Re: Why the software is crap

2014-11-14 Thread Martin Behrendt
On 14.11.2014 at 12:41, da...@gbenet.com wrote:
> Hello All,
> 
> I even tried exporting my private and public key from the command line and
> then tried importing. The same error message as before. I have checked on
> the internet - most of the suggestions are crap - the authors have never
> ever tried to do what they suggest others to do. If they had done so then
> they would have known just how crappy their supposed expertise was.
>
> I have even looked through https://www.gnupg.org/faq/GnuPG-FAQ.html and
> found this to be a useless pile of crap also.
>
> I am faced with two options:
>
> (1) Create yet another set of keys
> (2) Give up using gnupg after some 20 years
>
> I think I will unsubscribe from this list and give up on gnupg as a pile of
> crap.
> 
> David
> 

I think unsubscribing is the best thing you can do. Because you probably
successfully destroyed the good intention and motivation of anyone
helping you, with the offending nonsense you wrote in your last mails.

If you are angry just shut up and write again after you cooled yourself
down. The problem is more likely with you because there are not many
people reporting such problems.
And I can tell from my own experience that it is not even a problem
copying the content of the gnupg directory between Windows and Linux.
Tried that successfully.
Maybe you should read the FAQ again (and try to understand what is
written). Maybe there is a difference between exporting the public part
of a key and the private part.

Anyway, enjoy your life.
Martin



Re: Why the software is crap

2014-11-14 Thread Martin Behrendt


On 14.11.2014 at 13:24, da...@gbenet.com wrote:
> I have cooled.
> [...]
> Sure you can moan criticise me for my getting frustrated - and you can all
> moan and cringe and all withdraw your support - BUT NO ONE HAS EVER OFFERED
> ANY PRACTICAL USEFUL ADVICE THAT WILL ENABLE ME TO TRANSFER MY KEYS AND HAVE
> THEM WORKING CORRECTLY. NO ONE. NOT EVEN YOU.
> 
Aha, so that is cooled?

Okay, maybe I wasn't clear. I will extend my advice. Shut up. Cool Down.
Cool Down more. Start writing. If you write yourself into rage again,
go back to cooling and DON'T hit the send button.

> You are offended? Why? It is an easy thing to do is it not to moan about
> what and how people express themselves - yet you completely ignore the real
> issue.

1. I'm offended because you act like a little kid and misjudge the
work of others, just because you have a small problem with a part of the
work. And if that is not enough you blame others just because the most
likely cause for the problems you are having is YOU.
2. I'm offended because you state your little narrow view of the world
as fact.
3. I'm offended that you are too lazy to give a detailed report of what
commands you use, what the output is. What messages you get. No chance
for anyone to reproduce the problem. Just demands from you, negating all
the support and help people tried to give you. But I have not seen a
single sign, that you thought about, what you can do, so it is easier for
others to help.
So please don't give me that crap with "how people express themselves".
And I hope point 3 is close enough to the real issue for you.


If you get till here, I hope the above part is from its "tune" close
enough to how you communicate, so you get an impression how your mails
appear to others. Now comes a little more productive part. Here are some
questions which might get you on track:
People told you that c/p the .gnupg directory is the easiest solution
and worked for them.
You wrote you used import/export commands. Why that and not the c/p
solution?
Which keys did you want to export/import via command line? Just your
private key?
And please take above point 3 into consideration. Without a detailed
step by step instruction (with commands, ...)  which leads to the
problem at least I am out.
I can just tell you that I just successfully created a private key,
exported it, imported it with an outdated (portable) gnupg version and
used it with no problems.

Martin



Re: How much information can be gleaned about a gpg key by possessing both plaintext and ciphertext?

2014-11-21 Thread Martin Behrendt
On 21.11.2014 at 10:57, Schlacta, Christ wrote:
> I know some encryption schemes reveal more information about the keys used
> when an attacker has both the plaintext and the ciphertext.  In general,
> how much information does GPG reveal in such situations?

Short answer: That's no problem.
google e.g.: "plain text attacks on gnupg site:gnupg.org"

Greetings
Martin



Re: Holidays

2014-12-15 Thread Martin Behrendt
On 15.12.2014 at 19:57, Robert J. Hansen wrote:

> Not only that, but from now until January 6 I'll match any
> contributions that *you* make, dollar for dollar and euro for euro,
> up to $500.

Just out of curiosity, at which EUR-USD exchange rate are you at?
And how do you treat multiple donations by the same person? :)

Greetings Martin


Re: emulating smartcard with Nexus 5

2015-02-13 Thread Martin Paljak
Hello,

You need to emulate an OpenPGP via Host Card Emulation.

You can get necessary parts from here:

1. OpenPGP applet. Try this: https://github.com/Yubico/ykneo-openpgp
or This: https://github.com/martinpaljak/AppletPlayground
2. Emulator for running the applet code in Android:
https://github.com/martinpaljak/vJCRE

I have some code that did exactly that but was not published because
of some technical limitation not related to possible software only
OpenPGP: https://github.com/martinpaljak/mobiil-idkaart

If you are capable of creating Android software with a GUI, I could
help with the non-Android-GUI issues.

Martin
--
Martin
+372 515 6495


On Fri, Feb 13, 2015 at 1:55 AM, NIIBE Yutaka wrote:
> Hello,
>
> Let me record a bit of history.
>
> On 02/13/2015 01:19 AM, Brian Minton wrote:
>> I recently got a new Nexus 5, with NFC.  Supposedly it supports ISO
>> 7816-4.  Is there any possibility of, for instance, porting gnuk to
>> android?  I'd love to use my smartphone as a smartcard.  Of course, the
>> smartphone wouldn't have as many anti-tampering features as a typical
>> smart card, so this would be mainly for educational purposes rather
>> than true security.
>
> In fact, Ueno (cc-ed) did something like that around 2007-2008.  It
> was the precursor of Gnuk.  IIRC, he wrote a paper describing his
> work.  If he still has the code, it would help you.
>
> Since I didn't like smartphone (which is smart enough to cheat its
> users, by my interpretation), I wrote the code for ATmega 20MHz to
> implement OpenPGPcard functionality, inspired by his work.  It took
> five seconds to sign RSA-1024.  I demonstrated this work at FSFS 2008
> in India, then, I demonstrated "gpg --card-status" worked with ATmega
> implementation in Japan Linux Symposium 2009, in Akihabara, Tokyo.
>
> After that, around 2010, experts claimed that we should not use
> RSA-1024 any more.  So, I gave up my ATmega work, and sought another
> MCU candidate.
>
> That's the start of Gnuk with STM32F103.
>
> P.S.
> The ATmega implementation of RSA was done when I was an employee of
> National Institute of AIST, Japan, and it was registered as the work
> under AIST (perhaps, copyrighted by AIST).  I left the code there when
> I left AIST in September, 2010.  If interested, please contact AIST
> (not me).


Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-17 Thread Martin Paljak
On Tue, Feb 17, 2015 at 6:00 PM, Ville Määttä wrote:
> Instead they should use upstream and contribute the minimal amount of 
> wrappers or fixes upstream. Case in point: Has the fix for gpg-agent / 
> scdaemon hang been discussed upstream at all [4], [5]? In MacGPG there is 
> still ../libexec/gnupg-pcsc-wrapper which has been modified in commit 
> f4c3e1bb to fix the issues of scdaemon hanging in Yosemite [6]. GnuPG proper 
> has removed it in bc6b45 [7]. How would one go about fixing this issue for 
> upstream? Has GPGTools contributed anything regarding this other than the 
> initial discussion[8] about the issue? Upstream still does have the issue 
> which now seems to have been fixed in the fork but in a binary removed from 
> upstream…


Not sure about overall GnuPG affection with Apple or other closed
source software, but the PC/SC layer in Yosemite is broken (again):

http://ludovicrousseau.blogspot.fr/2014/12/os-x-yosemite-and-smart-cards-known-bugs.html

Generally speaking, I think the GPGTools folks care about "usage for
dumbusers" which means making stuff Work(tm) for the not-so-powerusers
on a not-so-great platform. It is the users' choice to use OSX (not
Linux), the same way it is their choice to use Mail.app (not Enigmail)
the same way it is their choice to use a simple to use binary
installer with crappy build machinery instead of verifying the
checksums of every download.

> So, *"official website for gpg on OS X"* according to this user critical of 
> making discontinuation of a free version.

GnuPG just got a huge sum of money, I'm sure arrangements can be made
to allocate some of that for an easy to use and *free* OSX version with
an integrated GUI ?

> Another: GPGTools support site has a certificate mismatch [14]. WTF is a 
> *.tenderapp.com cert doing here?

Because that site is run by Tender and if you connect to the https
version, you get their site? Probably makes sense to bug Tender with
this.


So, generally speaking: if the upstream has not catered to the OSX
folks and somebody on the internet has, I would not blame GPGTools
guys for doing it. Yes, it would be nice if one at least tried to
contribute back to upstream and to work in an open manner, but at
least they DO something, for what there is apparent need.

Martin



Re: New results against SHA-1

2009-05-03 Thread Martin Ågren
2009/5/1 Atom Smasher :
> On Thu, 30 Apr 2009, David Shaw wrote:
>
>> http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf
>>
>> There is not much hard information yet, but the two big quotes are "SHA-1
>> collisions now 2^52" and "Practical collisions are within resources of a
>> well funded organisation."
>
> [...] what's next? will it have to be a bigger hash?

No, not bigger, but better. :) SHA-2 should be better, but since it's
conceptually quite similar to SHA-1, one could be somewhat worried...
SHA-3, on the other hand, will be very well-studied when it becomes a
standard, so we should in a way be able to trust it as much as we
trust AES. Google "SHA-3 competition" for more information.

Take care!

Martin



key generation: email-address necessary?

2010-02-26 Thread Martin Bretschneider
Hi,

I want to recreate my GnuPG keys. My question is if I can omit the email 
address? Since I do not want my email addresses to appear on the 
keyservers because of spammers and so on. I only want to put my name and 
maybe my toplevel domain in the comment field.

Is there some kind of problem with this behaviour? Can email clients find 
out what key to use if there is no known email address?

What do you think?

Kind regards from the CeBIT town;)

Martin
-- 
http://www.bretschneidernet.de/ OpenPGP-key: 0x4EA52583
 _o)(o_ Albert Einstein:
   -./\\//\.-   Few are those who see with their
_\_VV_/_ own eyes and feel with their own hearts.



Re: key generation: email-address necessary?

2010-02-27 Thread Martin Bretschneider
On Saturday 27 February 2010, Laurent Jumet wrote:

Hi Laurent,

> Martin Bretschneider  wrote:
> > I want to recreate my GnuPG keys. My question is if I can omit the
> > email address? Since I do not want my email addresses to appear on
> > the keyservers because of spammers and so on. I only want to put my
> > name and maybe my toplevel domain in the comment field.
> > Is there some kind of problem with this behaviour? Can email clients
> > find out what key to use if there is no known email address?
> > What do you think?
> 
> You can use whatever you want to identify your key.
> But in some cases, mail programs expect to find your e-mail.

that was my expectation as well. But what do the email clients do then? 
Do they say "no key available" or do they look for the name? What are 
your experiences?

TIA  Martin
-- 
http://www.bretschneidernet.de/ OpenPGP-key: 0x4EA52583
 (o__o)  Ernest Hemingway:
 //\/\\ I like to listen. I have learned a great deal
 V_/\_V from listening carefully. Most people never listen.



Re: key generation: email-address necessary?

2010-02-27 Thread Martin Bretschneider
On Saturday 27 February 2010, Laurent Jumet wrote:
> Hello Martin !
> 
> Martin Bretschneider  wrote:
> >> You can use whatever you want to identify your key.
> >> But in some cases, mail programs expect to find your e-mail.
> >
> > that was my expectation as well. But what do the email clients do
> > then? Do they say "no key available" or do they look for the name?
> > What are your experiences?
> 
> They can call another key with a similar name. :-)
> 
> It's not easy to answer that question, as it depends on your own
>  system. When you read a signed message, GPG provides a way to call
>  automatically the sender's public key on your designed servers, when
>  it doesn't find it in your PubRing; it goes on the Net, retrieves
>  the key, incorporates it in your KeyRing and then verifies the
>  signature on the message. This process can abort if IDs don't
>  match.

I know that it depends on the system; this is why I wrote the email 
since I think that here are people that know GnuPG in combination with 
several email clients...

Let's break down the problem: A and B have public keys on some 
keyserver. A has no email address in his public key, B does.

AFAIK there are these four use cases concerning emails and OpenPGP:

1: A sends a signed email to B. 
2: A sends a (signed and) encrypted email to B. 
3: B sends a signed email to A. 
4: B sends a (signed and) encrypted email to A. 

Use case 1 and 2 should be no problem. Based on the key information 
saved in the signature the email client of B should get the public key 
of A. The email address does not matter.

Use case 3 should also be no problem since it does not deal with A's 
public key.

Use case 4 is the problematic one, B's email client does not know 
anything about A. B's email client could search for A's forename and surname 
on a keyserver...

What do you think?

TIA  Martin



-- 
http://www.bretschneidernet.de/ OpenPGP-key: 0x4EA52583
   _o)(o_ Sallust:
 -./\\//\.-  Nam idem velle atque idem
  _\_VV_/_  nolle, ea demum firma amicitia est.



Re: What is the benefit of signing an encrypted email

2011-01-11 Thread Martin Gollowitzer
Hi,

* jimbob palmer  [110111 12:05]:
> In Firefox I can sign or encrypt or encrypt+sign an e-mail.
> 
> In what case would I want my encrypted emails also signed? Does it
> provide any additional benefit over a pure encrypted email?

A digital signature is useful so the sender can check if that message
was really sent by you. If it's only encrypted, there is no proof for
that since everyone who knows the recipient's public key can encrypt
messages for this particular person.

All the best, 
Martin 

-- 
The early worm is for the birds.




Problems with pcsc-lite 1.6.6 and Cherry ST-2000U

2011-01-11 Thread Martin Gollowitzer
Hi all,

Has anyone experienced problems with the most recent version of
pcsc-lite (1.6.6) when using an OpenPGP smartcard with GnuPG? My card
reader, a Cherry ST-2000U stopped working after I updated my Gentoo
system recently (while my SCR335 still works). I tried to do some
debugging and scdaemon reports an unknown PC/SC error code. This is all
I could find out. I also tried to disable the internal CCID driver, but
this didn't change anything. I still receive different error messages
(like "no card found" although the card is inserted).
Any hints what I could do?

Thanks, 
Martin 




Re: Prosecution based on memory forensics

2011-01-13 Thread Martin Gollowitzer
* freej...@is-not-my.name  [110113 11:35]:
> P.S. Robert, how about trimming your line lengths!

Apple Mail sucks at this ;)

Martin




Re: What is the benefit of signing an encrypted email

2011-01-19 Thread Martin Gollowitzer
Hi Werner,

* Werner Koch  [110119 19:31]:
> I'd like to see a feature in MUAs to wrap the entire mail as presented
> in the composer into a message/rfc822 container and send the actual
> message out with the same headers as in the rfc822 container.  This
> allows to sign the entire mail including the headers.  On the receiving
> site the MUA should figure out that the signed headers match the actual
> ones and visually indicate the message including the header as signed.
> This is fully MIME compliant and should not break any MIME aware mailer
> (except for those only claiming to support MIME).

I think this would be really great. Do you think it's worth the effort
to contact the developers of Thunderbird/Enigmail, Mutt, Gnus and some
others that support OpenPGP about this?

Thanks, 
Martin 

-- 
For extra security, this message has been encrypted with double-ROT13.
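
The header-protection scheme from Werner Koch's quoted proposal above, as an added example that is not part of the thread or of any MUA's code: the sender wraps the composed mail in a message/rfc822 container with the same headers outside, and the receiver compares the outer headers against the signed copy. The list of compared headers, the function names and the sample message are assumptions of this example, and verification of the OpenPGP signature over the container is assumed to have happened already.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Headers the receiver compares. This selection is an assumption of the
# example; the proposal speaks of "the same headers" without listing them.
PROTECTED = ("From", "To", "Cc", "Subject", "Date")


def sample_message():
    """Constructed sample mail, as it would leave the composer."""
    msg = EmailMessage()
    msg["From"] = "Alice <alice@example.org>"
    msg["To"] = "Bob <bob@example.org>"
    msg["Subject"] = "Meeting moved to Friday"
    msg["Date"] = "Wed, 19 Jan 2011 19:31:00 +0100"
    msg.set_content("See you on Friday at 10:00.\n")
    return msg


def wrap(composed):
    """Sender side: put the whole mail into a message/rfc822 container and
    repeat its headers on the outer message. The container is the part an
    OpenPGP signature would cover (signing itself is not shown)."""
    outer = EmailMessage()
    for name in PROTECTED:
        if composed[name] is not None:
            outer[name] = str(composed[name])
    outer.set_content(composed)  # a Message object becomes message/rfc822
    return outer


def deliver(outer):
    """Serialise and re-parse, as the receiving MUA would see the mail."""
    return message_from_bytes(outer.as_bytes(), policy=policy.default)


def _norm(value):
    # Compare unfolded values with whitespace runs collapsed.
    return " ".join(str(value).split())


def header_mismatches(received):
    """Receiver side: return {name: (signed_values, outer_values)} for every
    protected header whose outer copy differs from the signed copy."""
    if received.get_content_type() != "message/rfc822":
        raise ValueError("no message/rfc822 container, headers are unsigned")
    signed = received.get_payload(0)
    diffs = {}
    for name in PROTECTED:
        inner = [_norm(v) for v in signed.get_all(name, [])]
        outer = [_norm(v) for v in received.get_all(name, [])]
        if inner != outer:
            diffs[name] = (inner, outer)
    return diffs


if __name__ == "__main__":
    received = deliver(wrap(sample_message()))
    print("intact:  ", header_mismatches(received))
    # Simulate a Subject rewritten after signing (for instance by a gateway).
    received.replace_header("Subject", "Meeting cancelled")
    print("modified:", header_mismatches(received))
```

An empty result is what lets the MUA mark the headers as signed; any entry in the result means the displayed header is not the one the sender signed.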




Re: PGP/MIME considered harmful for mobile

2011-02-25 Thread Martin Gollowitzer
* Patrick Brunschwig  [110225 10:10]:
> On 25.02.11 07:43, Robert J. Hansen wrote:
> > On 2/24/11 10:15 PM, Daniel Kahn Gillmor wrote:
> >> my colleague is using the application named "email", version 2.2.2 on a
> >> stock 2.2.1 motorola droid.
> > 
> > My problem is reproducible on a stock Droid X running 2.2.something --
> > just got off a very long flight, funeral in the morning: I'll dig the
> > precise version number tomorrow.
> 
> The only mail client on Android I know of to handle OpenPGP messages is
> K9 (together with APG). But K9 only supports inline-PGP, PGP/MIME
> messages are not displayed.

This is true, but K9 at least does display the messages correctly.
Despite that, PGP/MIME support is being worked on because it's
considered better than inline PGP.

Martin




Re: PGP/MIME considered harmful for mobile

2011-02-25 Thread Martin Gollowitzer
* Robert J. Hansen  [110225 07:47]:
> > There are good reasons to prefer a PGP/MIME and S/MIME signature
> > standards over inline PGP.
> 
> And vice-versa.  In inline's defense, it *works*, and PGP/MIME often
> doesn't.

Maybe one should think about *why* this is the case. Nevertheless, your
statement is not true as such. PGP/MIME *does* work, but there are MUAs
out there which can't cope with it.

Martin




Re: PGP/MIME considered harmful for mobile

2011-02-25 Thread Martin Gollowitzer
* Daniel Kahn Gillmor  [110225 18:31]:
> On 02/25/2011 12:11 PM, Martin Gollowitzer wrote:
> > * Patrick Brunschwig  [110225 10:10]:
> >> The only mail client on Android I know of to handle OpenPGP messages is
> >> K9 (together with APG). But K9 only supports inline-PGP, PGP/MIME
> >> messages are not displayed.
> > 
> > This is true, but K9 at least does display the messages correctly.
> 
> These two statements seem to be in direct contradiction to each other.

Sorry for the misunderstanding: The message body is being displayed, but
the signature is not verified. K9 is the only e-mail client for Android
that I consider usable.

All the best, 
Martin 




Re: PGP/MIME considered harmful for mobile (Jameson Rollins)

2011-02-25 Thread Martin Gollowitzer
* Avi  [110225 19:21]:
> For those of us who use webmail, inline signatures are rather
> useful.

There are webmail applications supporting PGP/MIME. If yours doesn't, it
is not a good one. Inline signatures are not a good thing IMHO.

Martin




Re: PGP/MIME considered harmful for mobile

2011-02-27 Thread Martin Gollowitzer
* Doug Barton  [110227 05:30]:
> If you look at the characteristics of the actual messages encrypted mail 
> is very similar whether it's in-line or MIME. It's signed messages that 
> make things interesting because the signature in a MIME message is 
> actually (sort of) an attachment but also sort of not, which is why it 
> confuses simple mail readers like Outlook Express.

Encrypted messages differ from signed messages. The percentage of
inline-signed messages I receive with bad signatures is much higher than
the number of PGP/MIME messages with broken signatures.

Despite that, there are MUAs which do not automatically parse every
message completely to see if there's inline PGP content in them, but if
they see that a message uses PGP/MIME they immediately try to
decrypt/verify the message.

Martin




Re: [SOLVED] SCR3310 reader working for root, but not scard group

2011-02-27 Thread Martin Gollowitzer
* Todd A. Jacobs  [110227 04:02]:
> Here are the steps I needed to take under Ubuntu 10.10 to get this
> particular reader working properly as a mortal user.

You could also have run the script [1] linked from the only up-to-date
OpenPGP smartcard howto [2] I'm aware of.

[1] http://download.fsfe.org/tools/cardreader/udev-howto-automatization.sh
[2] http://wiki.fsfe.org/Card_howtos/Card_with_subkeys_using_backups

All the best, 
Martin




Re: Smart Card Physical Best Practices?

2011-02-27 Thread Martin Gollowitzer
* Grant Olson  [110227 04:11]:
> I usually just leave it in until I leave the computer for lunch or a
> meeting or whatever.

Same here, but I always take the card with me if I leave the room.

> One thing I didn't realize at first, is that once you've unlocked either
> your encryption or authentication key, it will remain unlocked as long
> as the card is powered up, regardless of any password cache settings
> you've set in your gpg configuration.
> 
> If that bothers you, but you don't want to keep yanking and inserting
> the smartcard, you can kill the scdaemon process and it'll effectively
> 'unplug' your card.  I'm pretty sure there's an easier command to do
> this too, but I can't remember it off-hand.

Yes, this might be an issue. What I do is that I run my gpg-agent in a
loop and the agent is killed every 10 minutes or so, also causing
scdaemon to exit. This works pretty well. And, of course, you should
force the card to ask for the PIN for every single signature (this can
be set on the card itself).

> But I personally just assume I'll notice the blinking activity light on
> my reader if some malware script or something weird tries to run gpg
> commands while the card is activated.

My multitasking capabilities are not good enough for parallely working
on my PC and always watching my card reader at the same time ;-)

Martin




Re: PGP/MIME considered harmful for mobile

2011-02-27 Thread Martin Gollowitzer
* David Tomaschik  [110227 19:22]:
> How about "inline confuses users who don't know anything about OpenPGP"?

100% agreed. Thank you!

Martin




Re: PGP/MIME considered harmful for mobile

2011-02-27 Thread Martin Gollowitzer
* Robert J. Hansen  [110227 20:28]:
> > How about "inline confuses users who don't know anything about OpenPGP"?
> 
> 1.  Why are you sending them signed emails anyway?

I sign *all* my e-mail except for messages sent from my mobile (in that
case, my signature tells the receiver why the message is not signed and
offers the receiver to request a signed proof of authenticity later) or
messages to people who can't receive signed messages (I had a case where
e-mails arrived empty because of the MS Exchange/Antivirus/whatever
combination at the receivers working place).

> 2.  And seeing strange MIME attachments doesn't confuse people?

Less than strange text fragments at the head and the bottom of a message
(Some people even think they are being spammed when they see inline PGP
data), because an attachment without useful data will rather be ignored.

Martin




Re: keyservers

2011-03-17 Thread Martin Gollowitzer
* Andrew Long  [110317 21:47, mID 
<7871bbee-1f8d-4efc-b0f3-9a17ec4ce...@mac.com>]:
> Anyone else having problems accessing pool.sks-keyservers.net? I've  
> tried pointing nslookup at a couple of the root DNS name servers and  
> get DOMAIN (not known)

By now, I at least get NS records again, but lookup of the pools doesn't
work. 

Martin




Re: Keyservers

2011-03-20 Thread Martin Gollowitzer
Hi,

* Jonathan Ely  [110320 22:18, 
  mID <4d866ead.9080...@gmail.com>]:

> Really? For me, it is much easier to access the newest reply instead of
> using the Down Arrow key to find it. Gmail always worked the same way
> for me.

You might want to read [1,2,3].

[1] https://wiki.fsfe.org/Fellows/mk/EmailGuide
[2] http://en.wikipedia.org/wiki/Posting_style
[3] http://www.guckes.net/mail/editing.html

Martin



