-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On Tuesday 24 February 2015 at 10:16:20 PM, in
, Daniel Kahn Gillmor
wrote:
> That is, only a malicious person who manages to
> compromise that key material can make signatures with
> it. So why are you keeping it around?
To verify existing sig
On Wed, 25 Feb 2015 14:07, michard.anto...@gmail.com said:
> #gpg -r 6349E5E0 -e test.txt
> Abort
You should run it under a gdb to see the reason for the abort. This
should not happen.
$ gdb gpg
gdb> run -r 6349E5E0 -e test.txt
[...]
gdb> bt
Shalom-Salam,
Werner
--
Die Gedanken s
Hello,
there is a discussion ongoing regarding future of pgp/gpg encryption.
German ct magazine has postulated in their last edition that our pgp
handling seems to be too difficult for mass usage, keyserver infrastructure
seems to be vulnerable for faked keys, published mail addresses are
collect
Am Fr 27.02.2015, 09:45:36 schrieb gnupgpacker:
> German ct magazine has postulated in their last edition that our pgp
> handling seems to be too difficult for mass usage, keyserver
> infrastructure seems to be vulnerable for faked keys, published mail
> addresses are collected from keyservers and
On 27/02/15 09:45, gnupgpacker wrote:
> German ct magazine has postulated [...] published mail addresses are
> collected from keyservers
They are?
I can read German, but it is veeerr slooo. So I'll probably not do that.
But I have a honeypot key on the keyservers that has a computer-gen
Bjarni Runar Einarsson wrote:
> Hello GnuPG users!
>
> I just published a follow-up to Smári's blog post about the Mailpile
> team's frustration while working with GnuPG. The post is here:
>
>
> https://www.mailpile.is/blog/2015-02-26_Revisiting_the_GnuPG_discussion.html
>
> As it's rather
Thx.
Maybe implementation with an opt-in could preserve publishing of faked keys on
public keyservers?
So if new key is uploaded an email with verification link is sent from
keyserver to issuer.
If embedded link is verified by issuer in 10 Minutes => uploaded public key is
published
If embedd
Here the result:
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is abso
Am Fr 27.02.2015, 12:27:40 schrieb gnupgpacker:
> Maybe implementation with an opt-in could preserve publishing of faked
> keys on public keyservers?
We need keyservers which are a lot better that today's. IMHO that also
means that a keyserver should tell a client for each offered certificate
w
Hi, Reference:
> From: "gnupgpacker"
> Date: Fri, 27 Feb 2015 09:45:36 +0100
"gnupgpacker" wrote:
> Hello,
>
> there is a discussion ongoing regarding future of pgp/gpg encryption.
>
> German ct magazine has postulated in their last edition that our pgp
> handling seems to be to
Xavier Maillard writes:
>Helmut Waitzmann writes:
>> gpg2 --verbose --keyserver hkp://pool.sks-keyservers.net --send-keys --
>> 72ABFF0923A87CF22D0ED7C4FDEE765D017077F1
>
>try without the -- stuff:
>
>gpg2 --verbose --keyserver hkp://pool.sks-keyservers.net --send-keys
>72ABFF0923A87CF22D0ED7
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 02/27/2015 12:02 PM, Hans-Christoph Steiner wrote:
>
> Bjarni Runar Einarsson wrote:
>> Hello GnuPG users!
..
>
> With all the recent attention to GnuPG and Werner's work, I have
> begun to think about things differently. GnuPG has an amazing
On 26/02/15 18:15, Helmut Waitzmann wrote:
> I tried
>
> gpg2 --verbose --keyserver hkp://pool.sks-keyservers.net --send-keys --
> 72ABFF0923A87CF22D0ED7C4FDEE765D017077F1
>
> and got the message
>
> gpg: sending key FDEE765D017077F1 to hkp server pool.sks-keyservers.net
> gpgkeys: HTTP post er
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 02/27/2015 12:43 PM, Hauke Laging wrote:
> Am Fr 27.02.2015, 12:27:40 schrieb gnupgpacker:
>
>> Maybe implementation with an opt-in could preserve publishing of
>> faked keys on public keyservers?
>
> We need keyservers which are a lot better th
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 02/27/2015 12:57 PM, Philip Jackson wrote:
> On 26/02/15 18:15, Helmut Waitzmann wrote:
>> I tried
>>
>> gpg2 --verbose --keyserver hkp://pool.sks-keyservers.net
>> --send-keys -- 72ABFF0923A87CF22D0ED7C4FDEE765D017077F1
>>
>> and got the messag
First, most of these "let PGP die" rants only really apply to OpenPGP email.
GPG does a wonderful job of signing and verifying packages for Debian, Ubuntu,
Fedora, etc.
Second, OpenPGP email exists now, can be installed and used right now, and
provides proven protection for the body of an email m
Hi Hans-Christoph!
Hans-Christoph Steiner wrote:
> With all the recent attention to GnuPG and Werner's work, I have begun to
> think about things differently. GnuPG has an amazing security track record.
> It has had few serious security bugs, nothing even close to heartbleed that I
> know of, an
> Your positions to this ct approach?
The c't magazine is mostly well respected in Germany and the editors
have some valid points; the latest articles are by no means mindless
rants or PGP-bashing. The thought of letting PGP die as an e-mail
encryption mechanism for the "masses" (the non-tech-savv
On 27/02/15 12:02, Hans-Christoph Steiner wrote:
> For example, I think that
> `gpg --json` is great idea. I ended up using a Java wrapper of GPGME, which
> is in turn a wrapper of GnuPG. I think it makes a lot more sense to have `gpg
> --json` as the parseble interface, then implement a GPGME-st
On 27-02-2015 12:15, Peter Lebbing wrote:
> So.. back to c't. Since they were writing an article,
Isn't this just an article that started with the article of Moxie
Marlinspike about GnuPG that was also on Slashdot yesterday?
(Its at http://www.thoughtcrime.org/blog/gpg-and-me/).
--
ir.
On Fri, 27 Feb 2015 12:34, michard.anto...@gmail.com said:
> #2 0x000801918130 in __stack_chk_fail () from /lib/libc.so.7
> #3 0x000801179e43 in _gcry_cast5_amd64_cfb_dec () from
I would try to build libgcrypt 1.6.3, which I just released, and check
if that problem still exists. There
On Fri, 27 Feb 2015 13:23, gnupg...@seichter.de said:
> have some valid points; the latest articles are by no means mindless
> rants or PGP-bashing. The thought of letting PGP die as an e-mail
The article has two problems:
- It compares an offline system (mail) with online systems (chat
syst
It saddens me, but I have to agree. Raising interest around PGP encryption
is easy, but when it comes to actually using it, that's when people seem to
back off quickly. I'm not a developer, so have no idea what would be
required, but it seems to me that more focus is needed on making the
experien
On Fri 2015-02-27 03:07:39 -0500, MFPA wrote:
> On Tuesday 24 February 2015 at 10:16:20 PM, in
> , Daniel Kahn Gillmor wrote:
>
>> That is, only a malicious person who manages to
>> compromise that key material can make signatures with
>> it. So why are you keeping it around?
>
> To verify existin
Hi everyone!
> Am 27.02.2015 um 13:11 schrieb Kristian Fiskerstrand
> :
>
> People need to understand that operational security is critical for
> any security of a system and validate the key through secondary
> channel (fingerprint, algorithm type, key length etc verifiable
> directly or throug
On Fri, Feb 27, 2015 at 09:45:36AM +0100, gnupgpacker wrote:
> German ct magazine has postulated in their last edition that our pgp
> handling seems to be too difficult for mass usage, keyserver infrastructure
> seems to be vulnerable for faked keys, published mail addresses are
> collected from ke
> Back in the good all days where everyone ran their own MTA and had
> full control over their DNS zones...
Ah, yes, back when men were men and sheep were scared. :)
(It's an old American joke about the Old West: "when men were men and
sheep were scared," mostly due to a shortage of women. I im
Yes, but the colon protocol doesn't support things like passphrase entry, etc.
On Fri, Feb 27, 2015 at 9:09 AM, Peter Lebbing wrote:
> On 27/02/15 12:02, Hans-Christoph Steiner wrote:
>> For example, I think that
>> `gpg --json` is great idea. I ended up using a Java wrapper of GPGME, which
>> i
On 27.02.15 13:11, Kristian Fiskerstrand wrote:
> On 02/27/2015 12:43 PM, Hauke Laging wrote:
>> Am Fr 27.02.2015, 12:27:40 schrieb gnupgpacker:
>
>>> Maybe implementation with an opt-in could preserve publishing
>>> of faked keys on public keyservers?
>
>> We need keyservers which are a lot bett
-Enquiry
Massachusetts College of Pharmacy indicated an interest for the
Ask The Pharmacist program
at
http://www.mcphs.edu/impact/community%20service%20programs/pharmacy%20outreach%20program
How would you inform the MCPHS Ask The Pharmacist program in a way that
they can understand clearly the s
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 02/27/2015 05:26 PM, Patrick Brunschwig wrote:
> On 27.02.15 13:11, Kristian Fiskerstrand wrote:
>> On 02/27/2015 12:43 PM, Hauke Laging wrote:
>>> Am Fr 27.02.2015, 12:27:40 schrieb gnupgpacker:
>>
Maybe implementation with an opt-in could
Hi Kristian,
> Am 27.02.2015 um 17:31 schrieb Kristian Fiskerstrand
> :
>
> On 02/27/2015 05:26 PM, Patrick Brunschwig wrote:
> > On 27.02.15 13:11, Kristian Fiskerstrand wrote:
> >> On 02/27/2015 12:43 PM, Hauke Laging wrote:
> >>> Am Fr 27.02.2015, 12:27:40 schrieb gnupgpacker:
> >>
> May
On 21/02/15 19:54, NdK wrote:
>>> 4 - HOTP PINs for signature/certification keys
>> What generates the HOTP then? Do you type a PIN on the HOTP device to get
>> the HOTP?
> No need. Just an applet on the phone could do. At least if you aren't
> using the same phone to do the crypto.
I don't under
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 02/27/2015 07:37 PM, Marco Zehe wrote:
> Hi Kristian,
>
>> Am 27.02.2015 um 17:31 schrieb Kristian Fiskerstrand
>> :
>>
>> On 02/27/2015 05:26 PM, Patrick Brunschwig wrote:
>>> On 27.02.15 13:11, Kristian Fiskerstrand wrote:
On 02/27/2015
Hey.
I really cannot understand why ct/heise and some others run these
Anti-OpenPGP campaigns recently, while at the same time hypocritically
claiming they'd be in favour of cryptography for people.
- Per se, users will need to have at least some basic understanding of
cryptography - otherwise a
On Fri, 27 Feb 2015 19:37, marcozehe...@mailbox.org said:
> And here’s the other problem the main article in c’t mentions: Those
> keys, although faked, were certified. They were certified by equally
> faked keys which resemble keys that are quite well-known. So unless
Nope. According to the que
On Fri, 27 Feb 2015 17:26, patr...@enigmail.net said:
> that anyone can upload _every_ key to a keyserver is an issue. If
> keyservers would do some sort of verification (e.g. confirmation of
> the email addresses) then this would lead to much more reliable data.
We have such a system. It is call
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 02/27/2015 08:42 PM, Werner Koch wrote:
> On Fri, 27 Feb 2015 19:37, marcozehe...@mailbox.org said:
>
>> And here’s the other problem the main article in c’t mentions:
>> Those keys, although faked, were certified. They were certified
>> by equal
>> But that's the main primary reason of the article at all. The fact
>> that anyone can upload _every_ key to a keyserver is an issue. If
>
> No, it is not, it has always been very clear no to rely on the
> existence of a key on either a keyserver or on a local keyring without
> proper verificat
On Fri, 2015-02-27 at 20:56 +0100, Werner Koch wrote:
> There is no trust in keyservers by design. As soon as you start
> changing this you are turning PGP into a centralized system.
Well not necessarily - at least not in the sense of exactly one power
having control over the whole key network (a
Hello!
We are pleased to announce the availability of a new GnuPG classic
release: Version 1.4.19. This release mitigates two new side channel
attacks.
Updating any GnuPG 1.4 version to 1.4.19 is suggested!
To update a GnuPG 2.0 or 2.1 version you need to update the shared
library Libgcrypt to
Hello!
The GNU project is pleased to announce the availability of Libgcrypt
version 1.6.3. This is a security fix release to mitigate two new side
channel attacks.
Libgcrypt is a general purpose library of cryptographic building blocks.
It does not provide any implementation of OpenPGP or other
Il 27/02/2015 19:43, Peter Lebbing ha scritto:
> I don't understand the practical difference between HOTP and the button
> to confirm an action.
That the HOTP doesn't need HW support so it can be implemented in
standard smartcards.
>> If that info is embedded in the signature packet, it could add
On Fri, 27 Feb 2015 21:07, kristian.fiskerstr...@sumptuouscapital.com
said:
> Increasing the information on keyservers like this, in particular in
> the descriptive parts can be considered, would it suffice to be part
> of the standard web interface for keyserver intro, or would it have to
> be ad
On Fri, 2015-02-27 at 21:12 +0100, Andreas Schwier wrote:
> So what exactly is the purpose of the keyserver then ?
Find trust paths, signature updates, self signature updates, key
revocation certs (but beware of the issues I've described in my mail a
few seconds before)...
Cheers,
Chris.
smime.
On Fri, 27 Feb 2015 21:24, cales...@scientia.net said:
> - Nothing is encrypted (so everyone eavesdropping will know that I just
> downloaded the key for nsa-whistleblow...@wikileaks.org... and five
Which he will anyway see as soon as you send the mail. Iff we have an
anonymous network both pr
Am Fr 27.02.2015, 21:25:40 schrieb Christoph Anton Mitterer:
> On Fri, 2015-02-27 at 21:12 +0100, Andreas Schwier wrote:
> > So what exactly is the purpose of the keyserver then ?
>
> Find trust paths
What could that be good for? If you do not make very strange assumptions
that could be of any u
On Fri, 2015-02-27 at 22:15 +0100, Werner Koch wrote:
> Most people run Windows or Android (or use Lenovo stuff) and thus have
> anyway no control over their boxes.
To be honest, I don't think that anyone using Windows, Android, MacOS or
any other [semi-]proprietary system actually wants to be sec
On Fri, 2015-02-27 at 22:25 +0100, Hauke Laging wrote:
> > Find trust paths
> What could that be good for? If you do not make very strange assumptions
> that could be of any use only if you assign certification trust to
> unknown keys which would be completely crazy.
I meant in the sense that I
Am Fr 27.02.2015, 22:30:41 schrieb Christoph Anton Mitterer:
> Obviously I'll need any intermediate keys (and enough of them that I
> personally decide it's trustworthy).
Once more we see the term that confuses nearly everyone:
You personally decide to trust a key – for it's certifications. That
On 27/02/15 21:12, Andreas Schwier wrote:
> I'd rather start a communication
> with a bogus key and establish trust in my genuine peer from the
> conversation we are having.
But what about that Man in the Middle who does nothing more than receive
your message encrypted to their key and forward it
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 02/27/2015 09:56 PM, Werner Koch wrote:
> On Fri, 27 Feb 2015 21:07,
> kristian.fiskerstr...@sumptuouscapital.com said:
>
>> Increasing the information on keyservers like this, in particular
>> in the descriptive parts can be considered, would it
On 27/02/15 21:59, NdK wrote:
> For auth it should be the hash of the host's pub key, the same SSH shows
> you the first time you connect to that host.
I think you're confusing /host/ authentication and /user/
authentication. I was talking about using the auth key on your OpenPGP
card to do user a
Am Fr 27.02.2015, 20:56:00 schrieb Werner Koch:
> On Fri, 27 Feb 2015 17:26, patr...@enigmail.net said:
> > that anyone can upload _every_ key to a keyserver is an issue. If
> > keyservers would do some sort of verification (e.g. confirmation of
> > the email addresses) then this would lead to much
Am Fr 27.02.2015, 23:05:07 schrieb Peter Lebbing:
> But what about that Man in the Middle who does nothing more than
> receive your message encrypted to their key and forward it to the
> real recipient you are building a trust relationship with?
He does have to do more: He has to intercept the me
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 02/27/2015 11:21 PM, Hauke Laging wrote:
> Am Fr 27.02.2015, 23:05:07 schrieb Peter Lebbing:
>
>> But what about that Man in the Middle who does nothing more than
>> receive your message encrypted to their key and forward it to
>> the real recip
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Am 27.02.2015 um 22:28 schrieb Christoph Anton Mitterer:
> On Fri, 2015-02-27 at 22:15 +0100, Werner Koch wrote:
>> Most people run Windows or Android (or use Lenovo stuff) and thus
>> have anyway no control over their boxes.
> To be honest, I don't th
Am Fr 27.02.2015, 13:11:33 schrieb Kristian Fiskerstrand:
> > We need keyservers which are a lot better that today's. IMHO that
> > also means that a keyserver should tell a client for each offered
> > certificate whether it (or a trusted keyserver) has made such an
> > email verification.
>
> Th
On Fri, 2015-02-27 at 22:40 +0100, Martin Behrendt wrote:
> At what point is a system a [semi-]proprietary system?
> How many computers are out there where not even a single part of the
> hardware (and firmware) is proprietary?
I rather meant Android here, which may have an open source core, but i
On 2015-02-27 13:23, Ralph Seichter wrote:
> > Your positions to this ct approach?
>
> The c't magazine is mostly well respected in Germany and the editors
> have some valid points; the latest articles are by no means mindless
> rants or PGP-bashing. The thought of letting PGP die as an e-mail
> e
On 02/27/2015 01:12 PM, Andreas Schwier wrote:
> So what exactly is the purpose of the keyserver then ? If you expect me
> to still verify fingerprints out of band, why would I grab a - probably
> bogus key - from a keyserver first place ? I could immediately ask my
> peer to send it by mail.
I
Hello,
I recently came to know that Felix von Leitner (Fefe) did a code audit
of GnuPG in 2009. According to him, the patch fixes lots of problems
that might be usable as in attack vectors on GnuPG. It seems however, as
if this patch was never included into upstream GnuPG. Because of that,
he keep
Hi Chris,
> Am 27.02.2015 um 19:16 schrieb Christoph Anton Mitterer
> :
>
> This is basically what they want: Anonymous cryptography, whose complete
> security is based on some good luck whether you've communicated with the
> right peer the first time.
>
> But instead of just advertising that c
Hi Werner et al,
> Am 27.02.2015 um 20:56 schrieb Werner Koch :
>
> There is no trust in keyservers by design. As soon as you start
> changing this you are turning PGP into a centralized system.
OK, then I have a very practical question: Even though this is my fourth or
fifth attempt at establ
On Sat, 2015-02-28 at 07:01 +0100, Marco Zehe wrote:
> So like everywhere, different opinions, and that one journalist’s
> opinion definitely doesn’t speak for all of the folks at c’t or Heise
> in General.
Well, that might be... but with respect to this question, there is only
one correct opinion
Hi Andreas,
> Am 27.02.2015 um 21:12 schrieb Andreas Schwier
> :
> The keyserver would make sense, if my mail client would automatically
> fetch the public key from a server, based on the e-mail address of the
> sender and some identity data (e.g. fingerprint) in the mail signature.
FWIW, that’s
66 matches
Mail list logo
