Hi. Good catch. I previously did not need to supply a password to
encrypt. I know the password, just not sure where to define it with
GPG4Win or other method. Even though the server is internal, I want it to
be secure. I could lock down file permissions if that helps.
When I try #2, it gives m
On Tue 03.12.2013, 18:32:53, Eric Poellinger wrote:
> Regarding the steps I took to expire the keys (4A4DBDC7 is the primary
> key, 0C0305EC is the sub)
> 1. gpg --edit-key 4A4DBDC7
> 1a. expire...2y
> 1b. enter passphrase
> 1c. quit and save
It would have been more helpful to see the exact steps f
On Tue 03.12.2013, 20:20:07, Robert J. Hansen wrote:
> By introducing offline primary key storage on an air-gapped system, your
> policy has become so complicated that no one, yourself included, is
> capable of always following it to the letter.
Oh, recently I involuntarily proved that I do: I "m
On Tue 03.12.2013, 20:10:32, Robert J. Hansen wrote:
> UEFI is a surprisingly capable operating environment. If I can
> compromise your machine, then I put down my own code in the UEFI loader
> and wait for you to reboot your machine.
That's why crypto best practices should be extended to "what
On 12/3/2013 7:53 PM, Hauke Laging wrote:
> Sure but it makes little sense to play best practice in one part of key
> management (expiration) and simultaneously worst practice (online mainkey) in
> a much more important part of key management.
By introducing offline primary key storage on an air
On 12/3/2013 7:49 PM, Hauke Laging wrote:
> Compromising the respective mainkey is more difficult by several
> orders of magnitude. You would have to compromise at least the boot
> medium (CD/DVD) or the hardware I use.
Why do you think it's hard to compromise your boot medium? Your boot
medium i
On Tue 03.12.2013, 19:03:13, Robert J. Hansen wrote:
> 1. The attacker can just extend the validity himself. He's
> successfully compromised the key, after all.
Sure but it makes little sense to play best practice in one part of key
management (expiration) and simultaneously worst practice
On Tue 03.12.2013, 19:26:09, Robert J. Hansen wrote:
> Could you please share a realistic scenario by which an attacker could
> compromise a subkey without also having the ability to compromise the
> primary signing key?
That's really easy: In order to get access to the subkey which will sign thi
On 12/3/2013 6:20 PM, Hauke Laging wrote:
> Imagine a certificate which is always prolonged for just one day. If this gets
> compromised then it will not be prolonged any more (at least not by its owner
> but we all love our highly secure offline mainkeys, don't we?) so everyone
> will notice
On 12/3/2013 6:59 PM, Hauke Laging wrote:
> He could but he would need the secret mainkey for that operation
> and...
Could you please share a realistic scenario by which an attacker could
compromise a subkey without also having the ability to compromise the
primary signing key? I've been trying
On Wed 04.12.2013, 00:39:46, Johannes Zarl wrote:
> Isn't that just a false sense of security? After all, if the key has been
> compromised, the attacker can just prolong the validity
He could but he would need the secret mainkey for that operation and...
> > but we all love our highly secure o
On Wednesday 04 December 2013 00:20:10 Hauke Laging wrote:
> On Wed 04.12.2013, 00:00:21, Johannes Zarl wrote:
> > Sorry for asking a possibly stupid question, but how exactly does a shorter
> > validity period get you more security?
>
> This is the security against the possibility that
>
> a
On Wed 04.12.2013, 00:00:21, Johannes Zarl wrote:
> Sorry for asking a possibly stupid question, but how exactly does a shorter
> validity period get you more security?
This is the security against the possibility that
a) the key has been compromised and revoked and you don't know that (because
On Tuesday 03 December 2013 23:44:20 Hauke Laging wrote:
> Expiration serves two purposes:
> 1) Passively revoke a key if you have lost access to the secret mainkey
> (i.e. to the key itself or to its passphrase).
> 2) Force your communication partners (people are lazy) to update your
> certificate
On Tue 03.12.2013, 08:22:28, Eric Poellinger wrote:
> PRIMARY QUESTIONS - I am uncertain about the sub-key. When I attempt to
> 'expire' it the date does not seem to change.
What exactly did you do? Did you mark the subkey before and did you save the
changes to the keyring after the expire comm
Quoting bj:
Hi all. I found and modified a batch file that encrypts files prior to
sending them out. Now we need to decrypt incoming files from another
company (encrypted with our key).
What operating system are you using? This is the sort of thing that's
more appropriate for a Windows
PRIMARY QUESTIONS - I am uncertain about the sub-key. When I
attempt to 'expire' it the date does not seem to change.
The first question I have is, "How did you attempt to 'expire' it?"
SECONDARY QUESTION - is there documentation regarding 'best
practices' on managing expiring keys and rene
Hello all
This is my first experience with renewing GPG keys - I did some research but
wanted to confirm an observation.
This is the key before issuing the 'expire' command:
pub 2048R/4A4DBDC7 created: 2012-01-13 expires: 2014-01-12 usage: SC
trust: ultimate validi
On Tue 03.12.2013, 12:21:26, bj wrote:
> Where is password defined?
password is (implicitly) defined in the keyring. The secret key is stored
encrypted. You need the passphrase in order to use the key. You must know the
passphrase, you cannot get it from the GnuPG installation.
> *FOR /F "del
Hi all. I found and modified a batch file that encrypts files prior to
sending them out. Now we need to decrypt incoming files from another
company (encrypted with our key). The GPG4Win GUI allows me to do this
manually but I would like to automate on a server. The echo line below
seems to be t
On 03/12/2013 15:30, Mark H. Wood wrote:
> I wonder how feasible that really is. The system surrounding the card
> is not under control of the card's manufacturer or anyone who might
> have corrupted him. All it takes is one knowledgable person watching
> the data stream for interesting ano
Thanks Werner
This is for a client who is using gpg 142 and I am trying to simulate that
here. We are providing them the pgp keys.
Attached the conf file.
here is the list of commands run
C:\gpg>set GNUPGHOME=home
C:\GPG>gpg --list-keys
home\pubring.gpg
pub 1024D/551A09BA
On Mon, Dec 02, 2013 at 07:33:22PM +0100, Peter Lebbing wrote:
[snip]
> Since smartcards are primarily used for security purposes, I wouldn't be
> surprised if it responded specially to a message signed by the NSA (or encrypted
> with a symmetric cipher with a specific key known to the NSA).
I
On Mon, 2 Dec 2013 19:25, ctsonet...@yahoo.com said:
> When I import a PGP public key that has "NO expiry" date, into GPG
> 1.4.2, it s
1.4.2 is quite old (8 years) and you should definitely not use it
anymore.
It seems that you did not invoke gpg correctly. Please show us the
actual command
24 matches