Re: ideal.dll // fixing thread breaking

On Fri, Jun 29, 2012 at 01:45:17PM -0400, Robert J. Hansen wrote: > IMO, if your client is showing correct PGP/MIME signatures on this list, > you should file a defect report about your client. The message has been > changed in transit and is no longer in the exact same state as it was > when the

Re: ideal.dll // fixing thread breaking

On Fri, 29 Jun 2012 13:45:17 -0400 "Robert J. Hansen" wrote: Hello Robert, >IMO, if your client is showing correct PGP/MIME signatures on this list, >you should file a defect report about your client. It certainly warrants investigation. I'll check bug tracker and ML archives to see if it's k

Re: ideal.dll // fixing thread breaking

On 06/29/2012 12:02 PM, Steve wrote: > Oh dear. I found it. The bug has been reported > 2003: https://bugs.launchpad.net/mailman/+bug/265961 That bug turned out to be in Enigmail, not Mailman. Mailman was repackaging the attachment in a way that was technically valid but which Enigmail wasn't exp

Re: ideal.dll // fixing thread breaking

On Fri, 29 Jun 2012 11:48:28 -0400 "Robert J. Hansen" wrote: Hello Robert, >Mika is more or less right, except it isn't headers -- it's the PGP/MIME >attachment separator. Mailman makes a very slight tweak and that's That makes more sense. I thought I must have been going mad. :-) >This ma

Re: ideal.dll // fixing thread breaking

On Fri, 29 Jun 2012 19:02:57 +0300 Mika Suomalainen wrote: Hello Mika, >I am using GMail as headers probably say if you look at them. The form address is hotmail. Message ID is hotmail, too. gmail *is* mentioned, but not in any of the transport headers. Anyhow, Robert has explained where and

Re: ideal.dll // fixing thread breaking

On 06/29/2012 12:26 PM, Brad Rogers wrote: > Seems okay here; Most messages check out, be they inline or MIME > signed. IMO, if your client is showing correct PGP/MIME signatures on this list, you should file a defect report about your client. The message has been changed in transit and is no lo

Re: ideal.dll // fixing thread breaking

On 06/29/2012 12:00 PM, Steve wrote: > not meaning to spark up new discussions about this issue (we've had that > before). But I really think, the energy invested in this discussion > would be better invested in writing mailman tweaks. In the language of software engineering, this has moved from a

Re: ideal.dll // fixing thread breaking

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 29.06.2012 15:06, Brad Rogers kirjoitti: > Headers are outside what is signed, surely? > > Changing, adding or removing headers should have no bearing on the > validity of PGP signatures. If header changes were involved, > nothing would be verifiabl

Re: ideal.dll // fixing thread breaking

On Fri, 29 Jun 2012 18:00:03 +0200 Steve wrote: Hello Steve, >not meaning to spark up new discussions about this issue (we've had >that before). But I really think, the energy invested in this It was not my intention to "open old wounds" as it were. I was curious about Mika's statement, which

Re: ideal.dll // fixing thread breaking

Oh dear. I found it. The bug has been reported 2003: https://bugs.launchpad.net/mailman/+bug/265961 I wish I had better coding skills, but I don't. Sorry I can't code the fix... signature.asc Description: Message signed with OpenPGP using GPGMail ___ G

Re: ideal.dll // fixing thread breaking

Hey all, not meaning to spark up new discussions about this issue (we've had that before). But I really think, the energy invested in this discussion would be better invested in writing mailman tweaks. Also, someone mentioned, that there already in fact *is* a mailman patch for PGP/MIME to wor

Re: ideal.dll // fixing thread breaking

On 06/29/2012 08:06 AM, Brad Rogers wrote: >> If you ask on Enigmail mailing list, they will tell you that that >> issue is with Mailman (or other mailing list software) which messes up >> with headers and makes PGP/MIME unverifiable. They will also say that > > Headers are outside what is signed,

Re: ideal.dll // fixing thread breaking

On Fri, 29 Jun 2012 10:31:09 +0300 Mika Suomalainen wrote: Hello Mika, >If you ask on Enigmail mailing list, they will tell you that that >issue is with Mailman (or other mailing list software) which messes up >with headers and makes PGP/MIME unverifiable. They will also say that Headers are ou

Re: ideal.dll // fixing thread breaking

On 27.06.2012 18:33, Peter Lebbing wrote: > For future reference, that URL is in the headers of every mail you get from > the > list, btw. -- [Mika Suomalainen](https://mkaysi.github.com/) || NOTICE! I am on mobile broadband with very limited time, so I cannot read emails very much. The best t

Re: ideal.dll // fixing thread breaking

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 28.06.2012 21:50, Peter Lebbing wrote: > On 28/06/12 17:24, Mika Suomalainen wrote: >>> Were you able to verify that signature? > I don't believe my Enigmail is willing to check any PGP/MIME > signatures for me... must be something broken with the

Re: ideal.dll // fixing thread breaking

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, On 28.06.2012 18:55, Brad Rogers wrote: > On Thu, 28 Jun 2012 18:24:32 +0300 Mika Suomalainen > wrote: > > Hello Mika, > >>> Were you able to verify that signature? > Several people use PGP/MIME, all of which verify here, and include > the list

Re: ideal.dll // fixing thread breaking

On 28/06/12 17:24, Mika Suomalainen wrote: > Were you able to verify that signature? I don't believe my Enigmail is willing to check any PGP/MIME signatures for me... must be something broken with the installation. I don't really pay attention to signatures on this mailing list, and this is the on

Re: ideal.dll // fixing thread breaking

On Thu, 28 Jun 2012 18:24:32 +0300 Mika Suomalainen wrote: Hello Mika, >Were you able to verify that signature? Several people use PGP/MIME, all of which verify here, and include the list headers you seem to be saying get removed. Not only on this list, but many other lists, too. I have seen

Re: ideal.dll // fixing thread breaking

gt; include the headers: > >>> [...] Date: Wed, 27 Jun 2012 16:14:46 +0100 From: Brad Rogers >>> To: gnupg-users@gnupg.org Subject: Re: >>> ideal.dll // fixing thread breaking Message-ID: >>> <20120627161446.058c6...@abydos.stargate.org.uk> In-Re

Re: ideal.dll // fixing thread breaking

@gnupg.org > Subject: Re: ideal.dll // fixing thread breaking > Message-ID: <20120627161446.058c6...@abydos.stargate.org.uk> > In-Reply-To: <20120627143030.99d05e6...@smtp.hushmail.com> > References: <20120627143030.99d05e6...@smtp.hushmail.com> > [...] > L

Re: ideal.dll // fixing thread breaking

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 27.06.2012 18:33, Peter Lebbing wrote: > For future reference, that URL is in the headers of every mail you > get from the list, btw. I think that it's not on those, which are PGP/MIME signed. - -- [Mika Suomalainen](https://mkaysi.github.com/) |

Re: ideal.dll // fixing thread breaking (Andy Ruddock)

>Date: Wed, 27 Jun 2012 17:54:16 +0100 >From: Andy Ruddock >I just set up a free hushmail account, using the web interface you >don't >get an In-Reply-To field in the header. >I couldn't find any settings which would enable this. >So, if you're using a free hushmail account then I guess you're

Re: ideal.dll // fixing thread breaking

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 ved...@nym.hush.com wrote: > > ok > > changed to individual digest mode, and replying directly > (hushmail default of 'reply' is to individual user and cc to list) > > hope it works, > > if not, any other suggestions to try in hushmail? > > TIA

Re: ideal.dll // fixing thread breaking

On Wed, 27 Jun 2012 11:34:02 -0400 Peter Lebbing wrote: >and you get an interface where you can change such settings. ok changed to individual digest mode, and replying directly (hushmail default of 'reply' is to individual user and cc to list) hope it works, if not, any other suggestions to

Re: ideal.dll // fixing thread breaking

On 27/06/12 17:14, Brad Rogers wrote: > Sadly, with mailman, unsubbing and resubbing is the only way for a > regular user to change their subscription format. Having switched from digest to individual message mode myself about a year ago, I can tell you you are mistaken. I did it succesfully in th

Re: ideal.dll // fixing thread breaking

On 27/06/12 16:30, ved...@nym.hush.com wrote: > btw, > how do I change from 'digest-mode' to 'individual-list mode'? Go to , enter your e-mail address and password you subscribed with, and you get an interface where you can change such settings.

Re: ideal.dll // fixing thread breaking

On Wed, 27 Jun 2012 10:30:30 -0400 ved...@nym.hush.com wrote: Hello ved...@nym.hush.com, Unfortunately, as you suspected, the message I'm replying to did break threading. It's Hushmail that's at fault, I believe. >does it require unsubscribing and re-subscribing, >or is there an easier way? Sa

Re: ideal.dll // fixing thread breaking

On Wed, 27 Jun 2012 09:33:38 -0400 Aaron Toponce wrote: >On Mon, Jun 25, 2012 at 08:44:11PM +0200, Werner Koch wrote: >> On Mon, 25 Jun 2012 20:12, aaron.topo...@gmail.com said: >> > So, if >Thus, the reason I began with 'if'. :) Am using Hushmail (have been using it since it came out) and a

Re: ideal.dll

On Mon, Jun 25, 2012 at 08:44:11PM +0200, Werner Koch wrote: > On Mon, 25 Jun 2012 20:12, aaron.topo...@gmail.com said: > > So, if the system can be improved by removing support for PGP2, which > > includes cleaning up code, squashing bugs, and tightening security, then > > why is it still around?

Re: ideal.dll

On Mon, 25 Jun 2012 20:12, aaron.topo...@gmail.com said: > So, if the system can be improved by removing support for PGP2, which > includes cleaning up code, squashing bugs, and tightening security, then > why is it still around? 20 years later? Because you still want to be able to decrypt your 2

Re: ideal.dll

On Mon, Jun 25, 2012 at 12:11:57AM +0200, Werner Koch wrote: > I am telling for more than a decade that PGP 2 should not be used > anymore. The rationale for this was that OpenPGP is a standard and > fixes great many problems of PGP 2. GnuPG supports PGP 2 only because > this provides a way to mi

Re: ideal.dll

Robert J. Hansen wrote: > On 06/24/2012 06:11 PM, Werner Koch wrote: >> I am telling for more than a decade that PGP 2 should not be used >> anymore. > > The list may find my own timeline of MD5 to be worth reading -- it might > give some insight into why PGP 2 (in particular the MD5 vulnerabilit

Re: ideal.dll

On 06/25/2012 10:18 AM, Johan Wevers wrote: > That depends on your threat model. If signing messages is not so > important to you but encrypting is, this advice is understandable. > So let MD5 be broken, it matters not for encryption. If MD5 signatures can be forged (and news reports strongly ind

Re: ideal.dll

On Mon, 25 Jun 2012 16:18, joh...@vulcan.xs4all.nl said: > That depends on your threat model. If signing messages is not so > important to you but encrypting is, this advice is understandable. So > let MD5 be broken, it matters not for encryption. Not that I would Sure it matters. The self-signa

Re: ideal.dll

On 25-06-2012 0:11, Werner Koch wrote: > A few years later it was obvious that MD5 is broken in practice. I can't > understand anyone suggesting to use PGP2. I have heard of people keep > on using and suggesting >=4k keys but still being bounded to the broken > MD5 and the flawed PGP public key p

Re: ideal.dll

On 06/24/2012 09:05 PM, Robert J. Hansen wrote: > 2005: At Black Hat, Dan Kaminsky starts off with the EFF's website and > the NSA's website. Dan is able to, in realtime, tweak the EFF's > website with nondisplaying characters in order to make it look > unchanged from the origina

Re: ideal.dll

On 06/24/2012 06:11 PM, Werner Koch wrote: > I am telling for more than a decade that PGP 2 should not be used > anymore. The list may find my own timeline of MD5 to be worth reading -- it might give some insight into why PGP 2 (in particular the MD5 vulnerabilities) tend to engender such passion

Re: ideal.dll

On Fri, 22 Jun 2012 20:52, ved...@nym.hush.com said: > Am somewhat surprised by the unprovoked V3 rants, when I asked for > nothing from anyone, and only thanked WK for allowing it to happen. I am telling for more than a decade that PGP 2 should not be used anymore. The rationale for this was t

Re: ideal.dll

On Fri, Jun 22, 2012 at 02:18:13PM -0400, Robert J. Hansen wrote: > On 6/22/2012 1:44 PM, ved...@nym.hush.com wrote: > > As you mentioned earlier, the v3 people have an entrenched user- > > base, and are hardly novices, and 'for them', listing the keysize > > with the fingerprint, really is trivia

Re: ideal.dll

On 06/22/2012 02:52 PM, ved...@nym.hush.com wrote: > Am somewhat surprised by the unprovoked V3 rants, when I asked for > nothing from anyone, and only thanked WK for allowing it to happen. Your characterization of "adding the key length is a trivial [something]" is what irritated me. As I menti

Re: ideal.dll

On Fri, 22 Jun 2012 14:18:25 -0400 Robert J. Hansen wrote: >If people want to keep using PGP 2.6, let them, but I'm not going >to >help them do it. >Were it up to me, PGP 2.6 support in GnuPG would be reduced to >read-only. So be thankful Werner isn't paying attention to my >preferences. :

Re: ideal.dll

On 6/22/2012 1:44 PM, ved...@nym.hush.com wrote: > As you mentioned earlier, the v3 people have an entrenched user- > base, and are hardly novices, and 'for them', listing the keysize > with the fingerprint, really is trivial. If people want to keep using PGP 2.6, let them, but I'm not going to h

Re: ideal.dll

On Fri, 22 Jun 2012 12:56:46 -0400 Robert J. Hansen wrote: >On 6/22/2012 12:39 PM, ved...@nym.hush.com wrote: >> " trivially countered by >> simply listing the keysize together with the fingerprint." > >This is, unfortunately, not a trivial fix. > >Already people don't pay attention to proper v

Re: ideal.dll

On 6/22/2012 12:39 PM, ved...@nym.hush.com wrote: > " trivially countered by > simply listing the keysize together with the fingerprint." This is, unfortunately, not a trivial fix. Already people don't pay attention to proper validation because the idea of checking the fingerprint is alien to the

Re: ideal.dll

On Fri, 22 Jun 2012 11:23:27 -0400 David Shaw wrote: >There is more than one attack against V3. There is the "bit >sliding" attack, where you can forge the whole fingerprint, but as >a side effect it changes the keysize, and there is the DEADBEEF >attack where you can forge the key ID, but

Re: ideal.dll

On Fri, Jun 22, 2012 at 10:21:35AM -0400, ved...@nym.hush.com wrote: > vulnerability in that their fingerprint mechanism is trivially > gamable, > so long keyid collisions are easy. [snip] Please fix your mail client. It is breaking threads. Thanks, -- . o . o . o . . o o . . . o . .

Re: ideal.dll

On Jun 22, 2012, at 10:21 AM, ved...@nym.hush.com wrote: > Daniel Kahn Gillmor dkg at fifthhorseman.net wrote on > Thu Jun 21 22:38:31 CEST 2012 : > >> v3 keys have a serious > vulnerability in that their fingerprint mechanism is trivially > gamable, > so long keyid collisions are easy. > > The

ideal.dll

Daniel Kahn Gillmor dkg at fifthhorseman.net wrote on Thu Jun 21 22:38:31 CEST 2012 : >v3 keys have a serious vulnerability in that their fingerprint mechanism is trivially gamable, so long keyid collisions are easy. The 'serious vulnerability' you refer to, is trivially countered by simply lis