This will be my last on the thread.
You've said several times that your interest is in making sure crypto
isn't the weak link in the chain.
Well, it's not. We know it's not. (And not just because of XKCD,
either[*].) Roughly one in four desktop PCs is already exploited.
Applications are a see
> Of course. And Alice can always send Bob cleartext too. Does that mean
> that Bob shouldn't offer any encryption key at all because there's no
> guarantee that it will be used?
It means Bob should have a line item for that in his security model.
"Alice may send me cleartext."
It also means Bo
On 07/04/2014 12:08 AM, Robert J. Hansen wrote:
> Bob is all about "I must have at least 256 bits of keyspace in all my
> email!" But Bob can't do that, because Alice can *always* degrade him
> to 112 bits by choosing 3DES.
Of course. And Alice can always send Bob cleartext too. Does that mean
> I think you're talking about personal-cipher-preferences here, which
> Alice uses to govern the cipher she uses.
Correct.
> Note that she could even put IDEA first here.
Sure, but it wouldn't take unless Bob had IDEA in his preference list.
If Bob's preference list is AES256 CAMELLIA256 3DES,
On 06/28/2014 12:09 AM, Robert J. Hansen wrote:
> When faced with that, it's only a matter of time until Alice decides to
> put 3DES first in her own preference list. And then all her
> communications to Bob have 112 bits of keyspace, not the 256 Bob
> demands.
I think you're talking about person
On Sat, 28 Jun 2014 22:47, vmaa...@gmail.com said:
> I'm using the FSFE card [1] with SCR3500 [2]. Ok yeah sure, that’s a
> fellowship card but I actually also wanted to point out the SCR3500
Right. Some friends told me that this works really well for them. BTW,
the fellowship card is exactly th
I'm using the FSFE card [1] with SCR3500 [2]. Ok yeah sure, that’s a fellowship
card but I actually also wanted to point out the SCR3500 which is a nice
similar form factor option for a reader.
https://www.dropbox.com/s/jbaxi8ulfdz5585/fsfe_with_scr3500.jpg
[1] http://fsfe.org/fellowship/card.h
On Sat, Jun 28, 2014 at 9:18 AM, Werner Koch wrote:
> On Fri, 27 Jun 2014 21:44, ds...@jabberwocky.com said:
>
>> I do admire the Neo form factor though.
>
> The SCT3512 [1] with an OpenPGP card is also quite convenient:
>
> http://werner.eifzilla.de/sct3512.jpg
>
> I have taken off the ID-000 f
On Jun 28, 2014, at 5:20 AM, MFPA <2014-667rhzu3dc-lists-gro...@riseup.net>
wrote:
> Hi
>
>
> On Friday 27 June 2014 at 11:35:00 PM, in
> , David Shaw
> wrote:
>
>
>> Incidentally, since subkeys have come up in this
>> thread, I seem to r
Hi
On Friday 27 June 2014 at 11:35:00 PM, in
, David Shaw
wrote:
> Incidentally, since subkeys have come up in this
> thread, I seem to recall a few strange bugs with 8.x
> (8.0? 8.1?) that make it difficult to use if the key
> you are encrypting
On Fri, 27 Jun 2014 21:44, ds...@jabberwocky.com said:
> I do admire the Neo form factor though.
The SCT3512 [1] with an OpenPGP card is also quite convenient:
http://werner.eifzilla.de/sct3512.jpg
I have taken off the ID-000 form factor card for the picture. The label
is also non-standard b
Since it looks as if I'm going to be out of contact for the next few
days (traveling), I figured I'd share the degradation a little early --
Alice and Bob are communicating. Bob insists on using extremely large
keyspaces: his certificate is RSA-16384 and his preference list is
AES256 CAMELLIA256.
On Jun 27, 2014, at 4:24 PM, John Clizbe wrote:
> Kristian Fiskerstrand wrote:
>> On 06/27/2014 03:54 PM, shm...@riseup.net wrote:
>>
>>
>>> Robert J. Hansen:
>>>> On 6/26/2014 5:57 PM, Daniel Kahn Gillmor wrote:
>>>>> PGP 8 was released over a decade ago, that's hardly a modern
>>>>> implemen
On 06/27/2014 10:24 PM, John Clizbe wrote:
> Kristian Fiskerstrand wrote:
>> On 06/27/2014 03:54 PM, shm...@riseup.net wrote:
>>
>>
>>> Robert J. Hansen:
>>>> On 6/26/2014 5:57 PM, Daniel Kahn Gillmor wrote:
>>>>> PGP 8 was released over a decade a
On 6/27/2014 3:14 AM, Werner Koch wrote:
> Assuming the sender uses a decent implementation, the attacker must have
> been able to modify the senders system by changing the code or the
> config files.
Nope.
It took me about fifteen seconds to come up with a way to do this with
acceptable (if not-
> My understanding is that the YubiKey Neo applet supports up to 2048 bit RSA.
> Thus there are some keys that will work with the V2 SmartCard but not on the
> Neo.
Yes, the limitation is physical: the chip cannot hold a key size of more than 2048-bit
RSA on the YubiKey; for the V2 SmartCard GnuPG, it's d
Kristian Fiskerstrand wrote:
> On 06/27/2014 03:54 PM, shm...@riseup.net wrote:
>
>
>> Robert J. Hansen:
>>> On 6/26/2014 5:57 PM, Daniel Kahn Gillmor wrote:
>>>> PGP 8 was released over a decade ago, that's hardly a modern
>>>> implementation:
>>>
>>> And yet, it still conforms (largely) to RF
On Jun 27, 2014, at 6:45 AM, Viktar Siarheichyk wrote:
> On 26.06.2014 23:28, Paul R. Ramer wrote:
>> On June 26, 2014 8:26:16 AM PDT, Daniel Kahn Gillmor
>> wrote:
>>
>>> As for arguments about use on smartcards -- if you plan to get a
>>> smartcard, and you have a primary key that is too lar
On 26.06.2014 23:28, Paul R. Ramer wrote:
> On June 26, 2014 8:26:16 AM PDT, Daniel Kahn Gillmor
> wrote:
>
>> As for arguments about use on smartcards -- if you plan to get a
>> smartcard, and you have a primary key that is too large for it, you
>> can always generate and publish new subkeys th
Hi
On Friday 27 June 2014 at 3:57:25 PM, in
, Kristian Fiskerstrand
wrote:
> You won't convince a corporate IT department in a Law
> firm (or for that matter Financial world) about it.
> They want SLAs and support, and who knows what custom
> ad
On 06/27/2014 03:54 PM, shm...@riseup.net wrote:
>
>
> Robert J. Hansen:
>> On 6/26/2014 5:57 PM, Daniel Kahn Gillmor wrote:
>>> PGP 8 was released over a decade ago, that's hardly a modern
>>> implementation:
>>
>> And yet, it still conforms (la
On 6/27/2014 at 9:59 AM, shm...@riseup.net wrote:
> is it really a case of obdurateness, "if it ain't broke don't fix it,"
> or an unwillingness to use and get accustomed to something new and/or
> different, perhaps a new gui - look, i completely sympathise with the
> latter especially for older
Robert J. Hansen:
> On 6/26/2014 5:57 PM, Daniel Kahn Gillmor wrote:
>> PGP 8 was released over a decade ago, that's hardly a modern
>> implementation:
>
> And yet, it still conforms (largely) to RFC4880. Methinks you're
> objecting because it's a largely-conforming implementation that doesn't
On Thu, 26 Jun 2014 23:36, r...@sixdemonbag.org said:
> on the key. For any OpenPGP certificate, you can send it 3DES-encrypted
> traffic and be in complete accordance with the spec and the recipient's
> preferences.
Assuming the sender uses a decent implementation, the attacker must have
been a
On 6/26/2014 5:57 PM, Daniel Kahn Gillmor wrote:
> PGP 8 was released over a decade ago, that's hardly a modern
> implementation:
And yet, it still conforms (largely) to RFC4880. Methinks you're
objecting because it's a largely-conforming implementation that doesn't
have good support for SHA256.
On 06/26/2014 05:45 PM, Robert J. Hansen wrote:
> On 6/26/2014 2:25 PM, Daniel Kahn Gillmor wrote:
>> If you know of a modern OpenPGP implementation that supports SHA-1 but
>> not SHA-256 or SHA-512, please point it out (and no, creating one just
>> to be able to point to it doesn't count :P)
>
>
On 6/26/2014 2:25 PM, Daniel Kahn Gillmor wrote:
> If you know of a modern OpenPGP implementation that supports SHA-1 but
> not SHA-256 or SHA-512, please point it out (and no, creating one just
> to be able to point to it doesn't count :P)
PGP 8.x, which is still in use today by a surprising numb
On 6/26/2014 4:35 PM, Hauke Laging wrote:
> You mean except for that you must be capable of forging a mainkey
> signature (if you don't control the sending system anyway in which case
> you don't need the key any more)?
Nope. :) I meant what I said.
The preference list on the key is advisory,
On June 26, 2014 8:26:16 AM PDT, Daniel Kahn Gillmor
wrote:
>As for arguments about use on smartcards -- if you plan to get a
>smartcard, and you have a primary key that is too large for it, you can
>always generate and publish new subkeys that will fit in your
>smartcard.
>If that's the tradeof
On Thu 26.06.2014, 16:06:25, Robert J. Hansen wrote:
> Since it's possible to degrade the cipher preference to 3DES,
> we need to assume that's exactly what will happen. (Your next
> objection is "How?". That's a non-sequitur right now. I believe
> serious adversaries can do this because (a) the
On 6/26/2014 11:26 AM, Daniel Kahn Gillmor wrote:
> The pushback of "don't bother using stronger crypto, something else
> will be your problem" seems silly to me. It's like saying "don't
> bother fighting sexism, people are going hungry!" We can (and
> should) push on all of these fronts concurre
On 06/24/2014 07:28 AM, Gabriel Niebler wrote:
> I consider myself quite the amateur (I haven't even read most of RFC
> 4880 yet), but I do take issue with one point in the riseup.net Best
> Practices page, namely the bit where it says "self-signatures must not
> use SHA1".
> I find that statement
> The goal of this document is to encourage people to make sure that
> crypto is not the weak point in their communications.
If that's your criterion, RSA-1024 is sufficient. Real systems are so
exploitable that crypto is never the weak point.
> Please read Bernstein's paper suggesting larger ke
On 06/26/2014 10:26 AM, Robert J. Hansen wrote:
> So in a very real sense, anything past RSA-2048 is at best a "you
> *might* get some additional security, depending on what symmetric
> algorithm your correspondent uses. Oh, and you can't forbid your
> correspondent from using 3DES, either."
Of c
On 06/25/2014 02:25 AM, Werner Koch wrote:
> This misunderstanding is actually an indication of the problem. You are
> talking 4096 vs. 2048 while the more important case is to read the
> security announcements and update your gpg.
That's a great point. I've just proposed a pull request on that
> While in principle I agree that 2048 bit key is strong enough for most
> uses, comparing 3DES keys space (or any other symmetric encryption
> algorithm) and RSA (or some other public key system) key space is a
> bit like comparing apples and oranges. If you crack the 3DES
> encryption of a messag
On 06/26/2014 04:26 PM, Robert J. Hansen wrote:
>> Ah, yes... the fetish of equinonecroflagellation. It has a
>> strikingly common rate of incidence with maxicryptosizism...
>
> Although I'm going to be (almost wholly) agreeing with John here,
> I'm speaking just for myself. If anyone wants to c
> Ah, yes... the fetish of equinonecroflagellation. It has a strikingly common
> rate of incidence with maxicryptosizism...
Although I'm going to be (almost wholly) agreeing with John here, I'm
speaking just for myself. If anyone wants to chime in with a
"d'accord," that's on them. :)
What get
Robert J. Hansen wrote:
>> Even if they did intercept them, are the Americans any good at
>> interrogating a horse?
>
> Yes. We are world champions at beating dead horses. To interrogate a
> horse, first simply shoot it in the head, and then we can leverage our
> dead-horse-beating skills in ord
MFPA:
> Hi
>
>
> On Tuesday 24 June 2014 at 8:37:30 PM, in
> , Johan Wevers wrote:
>
>
>> Al Quaida use horse couriers who memorise the
>> message, the Americans could not intercept them.
>
> Even if they did intercept them, are the Americans any good at
> interrogating a horse?
might be o
On Wed, 25 Jun 2014 21:53, joh...@vulcan.xs4all.nl said:
> While important, I don't lose a night's sleep over a DOS attack. It's
> annoying but it doesn't reveal any confidential information.
Nor do I. However, such a simple DoS is generally considered a security
bug and thus you should better u
> Even if they did intercept them, are the Americans any good at
> interrogating a horse?
Yes. We are world champions at beating dead horses. To interrogate a
horse, first simply shoot it in the head, and then we can leverage our
dead-horse-beating skills in order to do enhanced equine interroga
On 25-06-2014 21:51, MFPA wrote:
> Even if they did intercept them, are the Americans any good at
> interrogating a horse?
I don't know, but torturing the courier turned out to be unreliable at
best.
--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
On 25-06-2014 8:25, Werner Koch wrote:
> This misunderstanding is actually an indication of the problem. You are
> talking 4096 vs. 2048 while the more important case is to read the
> security announcements and update your gpg.
While important, I don't lose a night's sleep over a DOS attack. It'
Hi
On Tuesday 24 June 2014 at 8:37:30 PM, in
, Johan Wevers wrote:
> Al Quaida use horse couriers who memorise the
> message, the Americans could not intercept them.
Even if they did intercept them, are the Americans any good at
interrogating a
On Tue, 24 Jun 2014 21:35, joh...@vulcan.xs4all.nl said:
> Finally upgrade that 286 to DOS > 3.0? If you have a system that can't
> handle 4k keys you have very specific needs. Sending a lot of messages
This misunderstanding is actually an indication of the problem. You are
talking 4096 vs. 2048
On 24-06-2014 11:42, Pete Stephenson wrote:
> ObXKCD: http://xkcd.com/538/
The problem with that method is that it only works once, after that
other communication methods will be used. Al Quaida use horse couriers
who memorise the message, the Americans could not intercept them.
--
ir. J.C.A.
On 24-06-2014 8:47, Werner Koch wrote:
> How does a 4096 key help if I can send you an encrypted mail which
> will lock up your MUA until you kill it
Finally upgrade that 286 to DOS > 3.0? If you have a system that can't
handle 4k keys you have very specific needs. Sending a lot of messages
On 6/24/2014 10:57 AM, Hauke Laging wrote:
> On Tue 24.06.2014, 09:50:04, Nex6|Bill wrote:
>
>> any kind of "best practice" should be simple, so that it
>> encourages a sane baseline for people.
>
> That depends on whether you need security or t
On 6/24/2014 10:52 AM, Robert J. Hansen wrote:
>> I recently generated a new keypair (GPG4win), and the defaults
>> presented were RSA/2048. I did some digging around on the RSA
>> vs DSA thing and RSA still seems to be the recommended way to go,
On Tue 24.06.2014, 09:50:04, Nex6|Bill wrote:
> any kind of "best practice" should
> be simple, so that it encourages a sane baseline for people.
That depends on whether you need security or the illusion of security
is enough for you.
IMHO it is one of the main problems that hardly anyone ca
> I recently generated a new keypair (GPG4win), and the defaults
> presented were RSA/2048. I did some digging around on the RSA vs DSA
> thing and RSA still seems
> to be the recommended way to go; the only thing I did was up my key size
> to 4096. I left all the other defaults.
This depend
I just finished reading the article; I don't know anyone who does all of those
things. Most people I know
who are avid GPG users gen a key, maybe a revoke, upload it to a keyserver
sometimes, and that's about it.
using subkeys, offline keys etc, adds way more complexity to something arguably
I recently generated a new keypair (GPG4win), and the defaults presented were
RSA/2048. I did some digging around on the RSA vs DSA thing and RSA still seems
to be the recommended way to go; the only thing I did was up my key size to
4096. I left all the other defaults.
On Monday, Jun
> Just for the records: _I_ do not consider the use of a 4096 bit RSA key
> and a preference for SHA-512 a best practice.
I'll go one step further: I think the article is going to do more harm
than good.
When young people ask me where to begin programming, I tell them to just
begin. Don't worry
On 24.06.2014 09:36, Cpp wrote:
> I was going to create a new PGP key myself by following that
> article. Werner, do you have any more input or comments to add
> regarding that article? I am curious to hear input from multiple
> sources/people.
I
On Tue, 24 Jun 2014 11:42, p...@heypete.com said:
> Would SHA-256 be a better (in the context of being more compatible)
> choice if one preferred using a non-SHA-1 hash?
At least on 32 bit machines SHA-256 is faster than SHA-512. Some CPUs
have hardware support for SHA-256 but not for SHA-512.
On 6/24/2014 8:47 AM, Werner Koch wrote:
> On Tue, 24 Jun 2014 05:55, fr...@frase.id.au said:
>
>> rounds today. Quite a lot of good info, especially regarding key
>> strength and expiry, and digest preferences.
>
> Just for the records: _I_ do not consider the use of a 4096 bit RSA key
> and a
I was going to create a new PGP key myself by following that article.
Werner, do you have any more input or comments to add regarding that
article? I am curious to hear input from multiple sources/people.
On 6/24/14, Werner Koch wrote:
> On Tue, 24 Jun 2014 05:55, fr...@frase.id.au said:
>
>> r
On Tue, 24 Jun 2014 05:55, fr...@frase.id.au said:
> rounds today. Quite a lot of good info, especially regarding key
> strength and expiry, and digest preferences.
Just for the records: _I_ do not consider the use of a 4096 bit RSA key
and a preference for SHA-512 a best practice. For a secure
Hi all,
An OpenPGP Best Practices article from riseup.net has been doing the
rounds today. Quite a lot of good info, especially regarding key
strength and expiry, and digest preferences.
https://help.riseup.net/en/gpg-best-practices
Cheers,
Fraser