On Fri 2017-04-07 16:55:05 +, joao baleza wrote:
> Sorry. I was not clear enough. I will try to explain better. As
> far as I understand, a 2048 key gpg RSA digital signature has
> 2048 bits. But the binary gpg signature file has more than 2048
> bits because the file has some extra data besi
On 04/09/2017 08:49 PM, NIIBE Yutaka wrote:
> Steve McKown wrote:
>> Can someone explain why ssh after sign asks for the passphrase again,
>> and what I might be able to do to avoid this condition? It's not a big
>> deal, but I do wonder if it suggests a misconfiguration on my part.
>
> It is no
> There's been some discussion both on and off this list about the fact
> that people don't use GnuPG (even with Enigmail) because it's 'too
> hard'. I have friends that are reasonably intelligent who just can't
> figure it out and, for the life of me, I just don't see why.
Better grab your readin
> I think this is being confounded by adjoining two conversations---that
> smartcards provide additional security given a compromised system, and
> the satirical quote you provided. I was referring in this case to the
> latter.
If you send or receive sensitive communications from a compromised
e
What's the first step to begin using it?...
Anthony Papillion writes:
> There's been some discussion both on and off this list about the
> fact that people don't use GnuPG (even with Enigmail) because it's
> 'too hard'. I have friends that are reasonably intelligent who
> jus
On Sun, Apr 09, 2017 at 11:30:47 -0700, Doug Barton wrote:
> You and Rainer have gone on at great length about the part of the threat
> model equation dealing with the attacker. However, you don't seem to take
> into account the other part of the equation, what you are protecting.
Sure: the sensit
Steve McKown wrote:
> Can someone explain why ssh after sign asks for the passphrase again,
> and what I might be able to do to avoid this condition? It's not a big
> deal, but I do wonder if it suggests a misconfiguration on my part.
It is not misconfiguration. It is expected behavior.
Please
On Sun, Apr 09, 2017 at 16:44:03 -0400, Robert J. Hansen wrote:
>> But this is a dangerous
>> article, and hard to distinguish between satire and actual security
>> advice. And there's both.
>
> I thoroughly disagree. This is not an article filled with actual
> security advice. It was published
On 4/9/2017 6:24 PM, Anthony Papillion wrote:
There's been some discussion both on and off this list about the fact
that people don't use GnuPG (even with Enigmail) because it's 'too
hard'. I have friends that are reasonably intelligent who just can't
figure it out and, for the life of me, I just
There's been some discussion both on and off this list about the fact
that people don't use GnuPG (even with Enigmail) because it's 'too
hard'. I have friends that are reasonably intelligent who just can't
figure it out and, for the life of me, I just don't see why.
Don't get me wrong, GnuPG by it
OMG, this thread has gotten completely out of hand. I will reply to my
own message in an attempt not to add too much to the hate and discontent
already present. This is exactly why I normally only lurk, rarely
comment, and only ask a question when I absolutely have to. I'm sorry
that I bothered. I
> I have to admit the replies to this thread have been very informative in
> ways that simple answers just never would be. Here I was trying to get
> "it" "right" the first (thirty first) time, when it's clear that there's
> no it or right. I am heartened by the dialog and as a result of my
> readi
On 4/9/17 3:16 PM, Robert J. Hansen wrote:
>> I know of PGP-based WoT used in security-aware networks of sysadmins,
>> CERTs etc. I would have guessed that a significant part of the
>> audience of this list are professional/experienced/involved admins or
>> developers. But let me know why the majo
> But this is a dangerous
> article, and hard to distinguish between satire and actual security
> advice. And there's both.
I thoroughly disagree. This is not an article filled with actual
security advice. It was published in USENIX's humor column, after all.
It is straight-up satire of tendenc
> On 8. Apr 2017, at 08:18, Niels Kobschätzki wrote:
>
> Hi,
>
> I rsyncd my .gnupg-folder to a new computer (moving from Fedora to TrueOS).
> When I try to decrypt now something I get the message "no secret key
> available".
> But when I do gpg -K all my secret keys get listed and when I do
> I know of PGP-based WoT used in security-aware networks of sysadmins,
> CERTs etc. I would have guessed that a significant part of the
> audience of this list are professional/experienced/involved admins or
> developers. But let me know why the majority of users are not.
I've been in the PGP com
(Apologies for the HTML mail; it seems to be the best way to submit a
screenshot, though.)
The last two subkeys on this list are elliptical curves, not RSA. GPA
is mis-reporting them.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnu
Hi,
I rsyncd my .gnupg-folder to a new computer (moving from Fedora to TrueOS).
When I try to decrypt now something I get the message "no secret key
available".
But when I do gpg -K all my secret keys get listed and when I do gpg -k all
public keys are listed. gpg is a symlink to gpg2 on that
Hi all,
Am 08.04.2017 um 10:16 schrieb Wouter Verhelst:
> Smartcards are useful. They ensure that the private half of your key is
> never on any hard disk or other general storage device, and therefore
> that it cannot possibly be stolen (because there's only one possible
> copy of it).
The kerne
On 2017-04-04 10:27, Teemu Likonen wrote:
Will Senn [2017-04-04 00:19:11-05] wrote:
On 4/3/17 11:48 PM, Doug Barton wrote:
What's your threat model?
[...] I do not really know what I need vs what I think I need. In my
uneducated state, I think I want to be as secure as possible [...]
Consi
> Am 09.04.2017 um 20:30 schrieb Doug Barton :
>
> On 04/09/2017 11:01 AM, Mike Gerwitz wrote:
>> If I know a threat exists, I'm going to evaluate my threat model and
>> decide whether or not it is worth my time to mitigate it; whether I can
>> hope to mitigate it; and whether attempting to do so
On 04/09/2017 11:01 AM, Mike Gerwitz wrote:
If I know a threat exists, I'm going to evaluate my threat model and
decide whether or not it is worth my time to mitigate it; whether I can
hope to mitigate it; and whether attempting to do so is going to put me
at even more risk for some other threat.
On Sun, Apr 09, 2017 at 07:51:09 -0400, Robert J. Hansen wrote:
> In the real world, threat models are much simpler. Basically, you're
> either dealing with Mossad or not-Mossad. If your adversary is
> not-Mossad, then you’ll probably be fine if you pick a good password
> and don’t respond to email
Hi,
I'm using a Yubikey NEO with GnuPG 2.1.11 on Ubuntu 16.04 LTS.
Everything is working fine except that caching of the passphrase works
differently depending upon whether the first operation is sign or
authenticate. I can show this with two GnuPG operations: sign a file
and ssh key-based login
I will try phrasing it differently though, is it possible to make the
ecc keys with sha512 and aes256?
and is sha512 the most secure algorithm to go with aes256?
> Sorry, not any more. Look at the online-banking fraud business.
> Automated credential stealing tools from simple keyloggers to
> sophisticated malware such as from the Zeus family are available on
> a pay-and-play basis.
I've seen some truly scary malware, and I'm not seeing the level of
sophi
> Am 09.04.2017 um 17:26 schrieb Robert J. Hansen :
>
>> Good point, and I agree to that for a very basic assessment. However,
>> the assumption that only politicians and government employees holding
>> a security clearance are targeted by Mossad & co is a thing of the
>> past.
>
> It never was
> Good point, and I agree to that for a very basic assessment. However,
> the assumption that only politicians and government employees holding
> a security clearance are targeted by Mossad & co is a thing of the
> past.
It never was true -- for decades the French DGSE surveilled on Airbus's
compe
> Am 09.04.2017 um 13:51 schrieb Robert J. Hansen :
>
>> A long and random passphrase is a good measure against dictionary and
>> brute force attacks. It does not defend against malware sniffing the
>> keyboard or scraping memory pages.
>
> Jim Mickens' essay, "This World Of Ours", ought be requ
> A long and random passphrase is a good measure against dictionary and
> brute force attacks. It does not defend against malware sniffing the
> keyboard or scraping memory pages.
Jim Mickens' essay, "This World Of Ours", ought be required reading for
anyone talking seriously about scraping memory
30 matches