Re: Possible to combine smartcard PIN with key password?

2013-12-26 Thread adrelanos
Peter Lebbing: > The result is that the on-disk key again adds nothing, > because an adversary that can physically access the smartcard can also > physically access the computer. The latter often requires breaking into a flat or an office. While smartcards are carried around. Breaking into a fla

Re: Possible to combine smartcard PIN with key password?

2013-12-26 Thread adrelanos
NdK: > Il 24/12/2013 02:41, adrelanos ha scritto: > >> Adversary capabilities: >> - Can physically steal the smartcard. >> - Capable of dismantling a smartcard to extract the key it's holding. >> [Maybe not now, but maybe in a few years the tool required to do so wil

Re: Possible to combine smartcard PIN with key password?

2013-12-23 Thread adrelanos
Peter Lebbing: >> By "part" I don't mean split one key in halves, but rather use two keys. > It's an interesting thought, I'll definitely give you that. However, if you > need > that kind of protection, I don't think you should use a normal computer with a > normal operating system. It seems to me

Re: Possible to combine smartcard PIN with key password?

2013-12-23 Thread adrelanos
NdK: > Il 22/12/2013 04:13, adrelanos ha scritto: > >> Or in other words, is it possible to store an already encrypted >> (password protected) gpg private keys on a smartcard? So the smartcard >> never gets to see the plain key? > That would be really useless: sm

Possible to combine smartcard PIN with key password?

2013-12-21 Thread adrelanos
oit to extract the key), I fall back to gpg's software key encryption. I am ignorant about the technical details. Maybe there is a technical reason why it's not worthwhile to combine these things? Or are smartcards just too limited at this stage of development to support that? Cheers, adrelanos

Caching all subkey passwords at once?

2013-12-21 Thread adrelanos
which lets one enter the password once and tell gpg-agent about it for all subkeys. Cheers, adrelanos ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How much load are keyservers willing to handle?

2013-12-18 Thread adrelanos
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Jason Harris: > On Wed, Dec 18, 2013 at 10:20:26PM +0000, adrelanos wrote: > >> I am planning to write a script, which will refresh the apt >> signing key before updating using "apt-get update". The script >> migh

Re: How much load are keyservers willing to handle?

2013-12-18 Thread adrelanos
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Robert J. Hansen: >> I am planning to write a script, which will refresh the apt >> signing key before updating using "apt-get update". > > The question I have is, "What problem are you trying to solve?" What in case the apt signing key gets comprom

How much load are keyservers willing to handle?

2013-12-18 Thread adrelanos
estion would be interesting, but don't worry, if you ask me not to use keyservers for this, I'll use a mechanism outside of keyservers. Cheers, adrelanos [1] http://lists.debian.org/debian-security/2013/12/msg00031.html

Re: please give us safer defaults for gnupg

2013-12-17 Thread adrelanos
ved...@nym.hush.com: > On Tuesday, December 17, 2013 at 12:49 PM, "adrelanos" > wrote: > >> >The person who agreed with me: >> >carlo von lynX >> > >> >Also the author of "15 reasons not to start using PGP". [1] >

Re: please give us safer defaults for gnupg

2013-12-17 Thread adrelanos
lo von lynX Also the author of "15 reasons not to start using PGP". [1] Cheers, adrelanos [1] http://secushare.org/PGP

Re: please give us safer defaults for gnupg

2013-12-16 Thread adrelanos
Robert J. Hansen: >> We think... > > If you're writing on behalf of a group, I would love to know the name of > the group and the names of its members. Understandable. At the moment it's just one person sharing that opinion. [Didn't ask many more yet.] I asked if I am allowed to tell names, probabl

Re: please give us safer defaults for gnupg

2013-12-16 Thread adrelanos
Werner Koch: > On Mon, 16 Dec 2013 18:37, adrela...@riseup.net said: > >> [This was originally planned as an open letter, but I thought it might >> be better to hear your arguments beforehand.] > > May I suggest to read the archives of just a few weeks to collect the > reasons why suggestions of u

please give us safer defaults for gnupg

2013-12-16 Thread adrelanos
e take our positive criticism and crank up gpg's defaults, so people can make their instructions simpler (example [7]). The more there is to explain [7], the more difficult it becomes, and the more likely it becomes to mess up. All the best, adrelanos [1] That is hopefully beyond questioning.

Re: Revocation certificate for sub key?

2013-12-14 Thread adrelanos
> Am Fr 13.12.2013, 22:56:07 schrieb adrelanos: >> Hi, >> >> Is it possible to create a revocation certificate just for sub keys and >> not the master key? > > --edit-key 0x12345678 > key 1 > revkey That doesn't crea

Re: Revocation certificate for sub key?

2013-12-14 Thread adrelanos
>> This would be useful for offline master keys. Trusted persons could be >> given the revocation certificate for sub keys and send it to key servers >> when they suspect compromise. But should the sub key revocation >> certificate get into the wrong hands due to compromise, the damage would >> be

Revocation certificate for sub key?

2013-12-13 Thread adrelanos
revocation certificate get into the wrong hands due to compromise, the damage would be limited. Cheers, adrelanos

Re: article about Air Gapped OpenPGP Key

2013-11-23 Thread adrelanos
Paul R. Ramer: > adrelanos wrote: >> When one uses a Live system for its air gapped OpenPGP key, one >> would have to constantly remember re-creating this that gpg.conf. >> (Gone after reboot.) > > Not necessarily. You can plug in a USB drive with your custom > gp

Re: article about Air Gapped OpenPGP Key

2013-11-19 Thread adrelanos
Robert J. Hansen: >> Please leave feedback or hit the edit button. Maybe it's useful for >> someone. It's under public domain. > > A major omission: > > "What is this, why should I care, and what security risks does it > mitigate?" > > Without that, the article is useful only to people who have alre

Re: article about Air Gapped OpenPGP Key

2013-11-19 Thread adrelanos
Hauke Laging: > Am Mo 18.11.2013, 17:21:22 schrieb adrelanos: >> Hi, >> >> An article about air gapped OpenPGP keys has been written by me: >> https://www.whonix.org/wiki/Air_Gapped_OpenPGP_Key >> >> Please leave feedback or hit the edit button. > >

Re: article about Air Gapped OpenPGP Key

2013-11-19 Thread adrelanos
Pete Stephenson: > 1. If you set the keyprefs in your gpg.conf configuration file before > you generate a new key it will generate new keys with these stronger > defaults rather than having you need to edit them later. See > for details > a

article about Air Gapped OpenPGP Key

2013-11-18 Thread adrelanos
Hi, An article about air gapped OpenPGP keys has been written by me: https://www.whonix.org/wiki/Air_Gapped_OpenPGP_Key Please leave feedback or hit the edit button. Maybe it's useful for someone. It's under public domain. Cheers, adrelanos

Re: [liberationtech] [tor-talk] BitMail.sf.net v 0.6 - Secure Encrypting Email Client

2013-11-16 Thread adrelanos
I am not in contact with bitmail in any way, I wouldn't use it myself because I find the communication about bitmail very poor, namely no responses to points raised by others. Anyway, I like to comment on a few things raised here. Ulex Europae: > Robert' > should upload his binaries to Github. No

How to add information about purpose/security of sub keys?

2013-11-13 Thread adrelanos
master key [a]? Cheers, adrelanos

Re: subkey comments?

2013-11-13 Thread adrelanos
Okay, thank you, Hauke! I now understood this whole thing better. Maybe I am guilty of an XyProblem. I should have said what I really wanted to do and will post a hopefully better formulated question. Hauke Laging: > You (as most people) have not understood how mainkey, user IDs and subkeys > are

Re: subkey comments?

2013-11-12 Thread adrelanos
Hauke Laging: > Am Di 12.11.2013, 15:50:10 schrieb adrelanos: > >> Is it possible to have subkeys with different comments than the main >> key? How? > > The main question is: What do you mean by "comments"? You probably refer to > the comment part of a user

subkey comments?

2013-11-12 Thread adrelanos
Hi! Is it possible to have subkeys with different comments than the main key? How? Cheers, adrelanos

Re: How to create new keyring from an existing key in an existing keyring?

2013-08-12 Thread adrelanos
Peter Lebbing: > On 11/08/13 23:11, adrelanos wrote: >> I could think of a way to export the key, change --homedir, create a new >> keyring, and import a the key. But is there a more elegant way? > > gpg --export 0xDEADBEEF | gpg --no-default-keyring --keyring \ > /etc/ap

How to create new keyring from an existing key in an existing keyring?

2013-08-11 Thread adrelanos
, adrelanos

Re: Successful experiment boosting the number of users using OpenPGP verification for file download

2013-08-01 Thread adrelanos
Werner Koch: > On Wed, 31 Jul 2013 19:30, adrela...@riseup.net said: > >> verification is the least secure method, to the download page? >> (You can see the design here: [3]) >> >> A: 1 in ~11 users. > > Actually [3] is the same URL as [1]. Sorry about that. [1]: www.webcitation.org/6IWk5h4E9

Successful experiment boosting the number of users using OpenPGP verification for file download

2013-07-31 Thread adrelanos
error message. You can get some more information and more detailed statistics here: [5] [6] This is also a follow up to: "[liberationtech] secure download tool - doesn't exist?!?" [4] Cheers, adrelanos Footnotes: [1] http://www.webcitation.org/6IWk5h4E9 [2] Please ignore the &quo

Clearsign text document with multiple keys?

2013-07-25 Thread adrelanos
second one, then the signature of the first one. It's a bit cumbersome. Is it possible to verify the document in one run and get a list of signers? Cheers, adrelanos

Re: gpg --fingerprint show only fingerprints and nothing else?

2013-06-19 Thread adrelanos
Peter Lebbing: > On 19/06/13 00:10, Hauke Laging wrote: >> gpg --with-colons --fingerprint | awk -F: '$1 == "fpr" {print $10;}' > >>> when the output ever changes >> >> It won't (it's designed not to change). > > At the risk of sounding pedantic, let me point out that the output you get > with >

gpg --fingerprint show only fingerprints and nothing else?

2013-06-18 Thread adrelanos
Hi! When I run gpg --fingerprint Is there a way to only get the fingerprints, without any other information? (I need this to automate gpg tasks and would like to avoid awk/sed, since this easily breaks, when the output ever changes.) Cheers, adrelanos

How difficult is it to break the OpenPGP 40 character long fingerprint?

2013-04-01 Thread adrelanos
ide a longer fingerprint which in theory can't be broken with computing power expected in for example 100(0) years? Cheers! adrelanos

Re: feedback on a gpg encryption/signing GUI frontend

2013-03-31 Thread adrelanos
What do you think about kgpg? Maybe many people don't know, that it also has a text editor with handy sign, verify, encrypt, decrypt buttons? I find it quite good, there are just some usability glitches here and there and perhaps some bugs (never could get symmetric encryption to work). Personal

Re: gpg for anonymous users - Alternative to the web of trust?

2013-03-29 Thread adrelanos
Peter Lebbing: > On 27/03/13 22:15, Leo Gaspard wrote: >> until a lot of people verify and sign your public key. > > People might be more inclined to sign the key when it says something like > > adrelanos (Whonix signing key) Yes, that's a good suggestion worth trying an

Re: gpg for anonymous users - Alternative to the web of trust?

2013-03-29 Thread adrelanos
Markus Reichelt: > * adrelanos wrote: > >> How can I establish a pseudonym that no one can easily fake while >> remaining anonymous? > > a) you can't > define 'easily' - these days nobody reads/checks anything anymore > (there's some XKCD about

Re: gpg for anonymous users - Alternative to the web of trust?

2013-03-29 Thread adrelanos
Johnicholas Hines: > The question is how to distinguish yourself from a nation-state's covert > agency purporting to be an individual interested in anonymity; you need to > do something that the agency would find difficult to do. I don't think that's possible at all. > Getting your name and key i

Re: gpg for anonymous users - Alternative to the web of trust?

2013-03-29 Thread adrelanos
Forlasanto: > On 3/29/2013 9:38 AM, adrelanos wrote: >>> Forgive me for saying so, but for something as high-profile as a linux >>> distro, using a pseudonym for signing the distro for the sake of >>> anonymity doesn't sound like a great plan. >> What&

Re: gpg for anonymous users - Alternative to the web of trust?

2013-03-29 Thread adrelanos
more than welcome, but at the moment there is no implication that someone will step forward. >If^H^H^Hwhen someone cracks > your identity, it will somewhat discredit you and your distro as far as > being capable of maintaining anyone's anonymity. It only proves I made a mistake and

Re: gpg for anonymous users - Alternative to the web of trust?

2013-03-26 Thread adrelanos
Yes, I agree, it's pretty much impossible to distinguish myself from a nation-state's covert agency. Hence, I only asked how to claim a pseudonym. David Chadwick: > It's pretty much impossible to distinguish a nation-state's covert agency > personnel who are masquerading as someone else from the re

gpg for anonymous users - Alternative to the web of trust?

2013-03-26 Thread adrelanos
As a brief introduction, I am adrelanos, the strictly pseudonymous (anonymous) maintainer of Whonix, an Open Source Anonymous Operating System. [1] I gpg-sign binary releases and source code (git tags) in order to authenticate Whonix to users, and prevent adversaries from distributing altered

Re: How to verify X.509 signatures?

2013-03-24 Thread adrelanos
Peter Lebbing: > On 23/03/13 21:06, adrelanos wrote: >> TrueCrypt.org says [1] they are signing "TrueCrypt Setup >> 7.1a.exe" [2] with a X.509 signature. How can I verify such a >> signature? > > This is probably a "Microsoft Authenticode" sign

Re: How to verify X.509 signatures?

2013-03-24 Thread adrelanos
Markus Reichelt: > * adrelanos wrote: > >> TrueCrypt.org says [1] they are signing "TrueCrypt Setup 7.1a.exe" >> [2] with a X.509 signature. How can I verify such a signature? > > For Windows, they explicitly state how to do that. Yes, that's easily work

How to verify X.509 signatures?

2013-03-23 Thread adrelanos
be verified. Please remember that the signature file (.sig or .asc) should be the first file given on the command line. gpgsm --verify "TrueCrypt Setup 7.1a.exe" gpgsm: ksba_cms_parse failed: End of file Cheers, adrelanos [1] http://www.truecrypt.org/docs/?s=digital-signatures [2] http

Re: dh key exchange via ascii email?

2013-03-23 Thread adrelanos
Ileana: > Hello, > > I am curious if there is a built-in or optional way to do a > diffie-hellman key exchange over PGP encrypted email. Such that > subsequent emails could be forward secret? > > Is there some program already out there that each party can use to > generate ascii cut and paste

/etc/gnugpg.d/

2013-03-07 Thread adrelanos
What about having /etc/gnugpg.d/ where you can drop configuration files just you can drop them into /etc/apt/apt.conf.d/? For example someone could make a hkps distro package, get the certificate into the correct place and drop a configuration file to use the certificate. Werner Koch: > On Tue, 2

"gpg: Signature made " tamper resistant?

2013-03-01 Thread adrelanos
Hello, is the gpg output "gpg: Signature made " tamper resistant? Or in other words, is the date and time taken from the signers machine clock and signed with the signers private key? Cheers! adrelanos