Hello,
I've been using my gpg card with success in Ubuntu for a while but as
everyone knows the init system is switching from upstart to systemd as it
is happening on Debian and the vast majority of other distributions.
In the "past" one could start gpg-agent from the script that boots Xorg or
ev
On Mon 2015-03-16 20:55:51 -0400, MFPA wrote:
> Although I don't really like email addresses in the UIDs of my keys, I
> quite like the simplicity of your "email address only" simplified UID
> format. However, I would urge you to reconsider your decision to drop
> the angle brackets. At least one
I currently have GPG 1.4.8 installed on a Windows server. Can the c:\Programs
Files (x86)\GNU\ directory simply be copied to another server and used or do I
need to go through the "download and installation" process on the new server?
Thanks.
On 2015-03-16 14:36, Donavan-Ross Costaras wrote:
> Hi,
Hi!
I don't fully understand what you're trying to accomplish, or what you
exactly need. Sorry about that. I hope my reply might help you though.
> To present the correct key I use .ssh/config to define the
> identityFile (ssh key) used for
On 3/17/15 7:23 AM, Clark Rivard wrote:
I currently have GPG 1.4.8 installed on a Windows server. Can the
c:\Programs Files (x86)\GNU\ directory simply be copied to another
server and used or do I need to go through the “download and
installation” process on the new server? Thanks.
1.4.8 is da
On 3/17/15 7:48 AM, Paulo Lopes wrote:
Hello,
I've been using my gpg card with success in Ubuntu for a while but as
everyone knows the init system is switching from upstart to systemd as
it is happening on Debian and the vast majority of other distributions.
In the "past" one could start gpg-ag
Are you using gpg-agent to handle ssh agent responsibilities, yes or no?
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On Tuesday 17 March 2015 at 5:38:03 PM, in
, Daniel Kahn Gillmor
wrote:
> This might be a bug (or at least a well-warranted
> feature enhancement) in GnuPG.
> I've just opened
> https://bugs.g10code.com/gnupg/issue1927 to track it.
Thanks.
-
I am running gpg command so I believe yes is the answer. (I am a novice at
this so still learning.)
-----Original Message-----
From: Gnupg-users [mailto:gnupg-users-boun...@gnupg.org] On Behalf Of Doug
Barton
Sent: Tuesday, March 17, 2015 2:21 PM
To: Paulo Lopes
Cc: gnupg-users@gnupg.org
Subj
Ok, then you need to start the agent prior to or during the X startup,
so that the variables are available to your environment (as you were
doing previously).
So, why are you trying to start the agent with systemd? What method were
you using previously, and did you try it in the new OS version
On Tue, Mar 17, 2015 at 7:19 PM, Doug Barton wrote:
> On 3/17/15 7:48 AM, Paulo Lopes wrote:
>
>> Hello,
>>
>> I've been using my gpg card with success in Ubuntu for a while but as
>> everyone knows the init system is switching from upstart to systemd as
>> it is happening on Debian and the vast
Given that 2.1 introduces a lot of new capabilities (mostly with respect
to ECC), I think now, early on in the 2.1 series, would be a good time
to discuss changing the defaults for newly-generated certificates.
In a nutshell:
* Offer Brainpool-512 and RSA-3072 as options for
new
That question was for Paulo, not you. :) And FWIW, since you're using
GnuPG 1.x the answer is no.
Doug
On 3/17/15 12:32 PM, Clark Rivard wrote:
I am running gpg command so I believe yes is the answer. (I am a novice at
this so still learning.)
-----Original Message-----
From: Gnupg-users
OK - thanks.
-----Original Message-----
From: Doug Barton [mailto:dougb@dougbarton.email]
Sent: Tuesday, March 17, 2015 3:08 PM
To: Clark Rivard; Paulo Lopes
Cc: gnupg-users@gnupg.org
Subject: Re: what is the proper way to load gpg-agent with systemd
That question was for Paulo, not you. :) And
Perhaps not directly gnupg related, more OS X related. But, with both
GPGtools and GnuPG for OS X I'll post it here... (and there was this OS X
sec. discussion the other week) :)
It seems like “Gatekeeper” is only using http if I read it correctly.
Ex-NSA Researcher Finds Sneaky Way Past Apple Ma
Please keep things on the list so that the most users can be helped.
You need to run the --recv-key command first, or the --verify command
will continue to fail.
Try this:
gpg --keyserver hkp://pool.sks-keyservers.net --recv-key 4F25E3B6
Doug
On 3/17/15 1:23 PM, Clark Rivard wrote:
Doug
Yes!
-----Original Message-----
From: Doug Barton
Sent: 17/03/2015, 20:20
To: Paulo Lopes
Cc: "gnupg-users@gnupg.org"
Subject: Re: what is the proper way to load gpg-agent with systemd
Are you using gpg-agent to handle ssh agent responsibilities, yes or no?
I ran the recv-key command again and got a message about "requesting key...from
hkp server pool..." but then got "HTTP fetch error 7 couldn't connect: No
error"
Any ideas?
-----Original Message-----
From: Doug Barton [mailto:dougb@dougbarton.email]
Sent: Tuesday, March 17, 2015 3:28 PM
To:
On 3/17/15 1:42 PM, Clark Rivard wrote:
I ran the recv-key command again and got a message about "requesting key...from hkp server
pool..." but then got "HTTP fetch error 7 couldn't connect: No error"
Any ideas?
Try it a few more times, you may have gotten a bad server from the pool.
If it s
>> -----Original Message-----
>> From: Doug Barton [mailto:dougb@dougbarton.email]
>> Sent: Tuesday, March 17, 2015 3:07 PM
>> To: Clark Rivard
>> Subject: Re: Copy Current GPG Installation to Another Server
>> gpg: Signature made Fri Feb 27 00:55:58 2015 PST using RSA key ID
>> 4F25E3B6
>> gpg: Go
My vote is for the defaults Robert is proposing. Definitely in keeping with
what else I have been reading.
Thanks,
Bob Cavanaugh
> -----Original Message-----
> From: Gnupg-users [mailto:gnupg-users-
> bounces+robertc=broadcom@gnupg.org] On Behalf Of Robert J.
> Hansen
> Sent: Tuesday, Mar
I tried all of the options below but still got the "HTTP fetch error 7".
I used the "sha1sum" option and got the expected result - does this verify the
integrity adequately?
-----Original Message-----
From: Doug Barton [mailto:dougb@dougbarton.email]
Sent: Tuesday, March 17, 2015 3:46 PM
T
On 3/17/15 2:09 PM, Clark Rivard wrote:
I tried all of the options below but still got the "HTTP fetch error 7".
That would indicate that the system(s) do not have access to the
Internet. Is that an expected result?
I used the "sha1sum" option and got the expected result - does this verify
On 17/03/15 22:09, Clark Rivard wrote:
> I used the "sha1sum" option and got the expected result - does this verify
> the integrity adequately?
It's just as good as verifying the signature of a key with short ID 4F25E3B6. As
you can soon see elsewhere in this thread, I don't think it practicall
On 17/03/15 22:04, Doug Barton wrote:
> Assuming you get the package, the signature, and the fingerprint from the same
> *.gnupg.org resources, what does that buy you?
Assuming they're all protected by https, nothing.
What does verification of that signature buy you though? That your download
was
On Tue, 17 Mar 2015 15:44:47 -0400 Robert J. Hansen wrote:
> [*] As I read the tea leaves, I'm more convinced of AES256's long-term
> strength than I am of AES128's. However, the idea that either one of
> them is somehow 'weak' is just ludicrous. If you use AES128, don't
> panic. :)
I remember
How do you check the fingerprint?
-----Original Message-----
From: Gnupg-users [mailto:gnupg-users-boun...@gnupg.org] On Behalf Of Peter
Lebbing
Sent: Tuesday, March 17, 2015 4:19 PM
To: Doug Barton
Cc: GnuPG Users
Subject: Re: Copy Current GPG Installation to Another Server
On 17/03/15 22:04,
On 3/17/15 2:27 PM, Clark Rivard wrote:
How do you check the fingerprint?
Step 1 is that you have to get a validated version of the fingerprint of
the key that you would have been using to verify the package if you
could have downloaded that key in the first place.
The concept of validating
> I remember reading about an attack that works better against AES-256
> than AES-128:
That one's a related-key attack, which requires the attacker to have a
significant number of keys that have some mathematical relationship to
each other.
OpenPGP uses random nonces for symmetric keys (or itera
On 3/17/15 2:19 PM, Peter Lebbing wrote:
On 17/03/15 22:04, Doug Barton wrote:
Assuming you get the package, the signature, and the fingerprint from the same
*.gnupg.org resources, what does that buy you?
Assuming they're all protected by https, nothing.
I think you missed my point. If all t
On 3/17/15 1:54 PM, Peter Lebbing wrote:
-----Original Message-----
From: Doug Barton [mailto:dougb@dougbarton.email]
Sent: Tuesday, March 17, 2015 3:07 PM
To: Clark Rivard
Subject: Re: Copy Current GPG Installation to Another Server
gpg: Signature made Fri Feb 27 00:55:58 2015 PST using RSA key
On 3/17/2015 8:44 PM, Robert J. Hansen wrote:
> Given that 2.1 introduces a lot of new capabilities (mostly with respect
> to ECC), I think now, early on in the 2.1 series, would be a good time
> to discuss changing the defaults for newly-generated certificates.
>
> In a nutshell:
>
> * Off
On 17/03/15 22:56, Peter Lebbing wrote:
> and checking it says
>
> pub 2048R/4F25E3B6 2011-01-12 [expires: 2019-12-31]
> Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
> uid [ full ] Werner Koch (dist sig)
> sub 2048R/AC87C71A 2011-01-12 [expires: 2019-12-31
On 3/17/15 2:56 PM, Peter Lebbing wrote:
On 17/03/15 22:34, Doug Barton wrote:
Assuming they're all protected by https, nothing.
I think you missed my point. If all three resources related to verification are
provided by the same source, then verifying the fingerprint gets you zero added
secur
On 17/03/15 22:34, Doug Barton wrote:
>> Assuming they're all protected by https, nothing.
>
> I think you missed my point. If all three resources related to verification
> are
> provided by the same source, then verifying the fingerprint gets you zero
> added
> security. It's more or less equiv
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On 03/17/2015 10:58 PM, Pete Stephenson wrote:
> On 3/17/2015 8:44 PM, Robert J. Hansen wrote:
...
> Is Deterministic DSA only available in 2.1, or do 1.x and 2.0.x
> also have that feature?
>
RFC6979 is used for gnupg 2.0 compiled with libgcrypt
> As long as we're considering "legacy" algorithms like RSA and DSA,
> is there any particular reason for preferring RSA over DSA at such
> key lengths?
I have reasons to prefer RSA, yes, but whether they'll convince you is a
different matter. :)
Where signature size matters most is in email. A
On Tue 2015-03-17 17:58:47 -0400, Pete Stephenson wrote:
> Alas, a lot of Linux distributions are quite slow-moving: it's unlikely
> that distributions like Debian and Ubuntu will have GnuPG 2.1.x
> available (let alone installed by default) for several years.
For debian stable, this is likely to
I would think you can copy your keyring over, though. I did that when
converting from an old, unsupported version of PGP to GPG. But that was
Solaris to Linux. Your mileage may vary.
Regards,
Cathy
---
Cathy L. Smith
IT Engineer
Pacific Northwest National Laboratory
Operated by Battelle f
> I have reasons to prefer RSA, yes, but whether they'll convince you
> is a different matter. :)
D'oh! Forgot to mention an important one --
RSA-3072 keys can be moved to smart cards, and/or generated on the same.
Very few smart cards support DSA. :)
> I agree that defaulting to brainpool-512 right now would be a
> mistake.
>
> Defaulting to RSA 3072 seems reasonable to me, though.
I think it's best to minimize the number of times we change the
defaults. If we change them too often it causes users to wonder if
there's some weakness in OpenPG
On 3/17/2015 11:25 PM, Robert J. Hansen wrote:
>> As long as we're considering "legacy" algorithms like RSA and DSA,
>> is there any particular reason for preferring RSA over DSA at such
>> key lengths?
>
> I have reasons to prefer RSA, yes, but whether they'll convince you is a
> different matter
On Tue 2015-03-17 18:37:40 -0400, Robert J. Hansen wrote:
>> I agree that defaulting to brainpool-512 right now would be a
>> mistake.
>>
>> Defaulting to RSA 3072 seems reasonable to me, though.
>
> I think it's best to minimize the number of times we change the
> defaults. If we change them too
I recommend starting it from a script in /etc/profile.d/
If you're running >2.1 then you don't need to do the env-file thing. Here's
an example:
https://wiki.archlinux.org/index.php/GnuPG#gpg-agent
On Tue, Mar 17, 2015 at 2:36 PM, Doug Barton wrote:
> Ok, then you need to start the agent prior
> by this argument, you should have pushed for RSA 3072 during the
> last defaults change, since it would have lasted longer than 2048 ;)
You're absolutely right, I should have. :) I took my eye off the ball
and didn't notice we were changing defaults, otherwise I would've argued
then for RSA-30
>> Looking over it again, it turns out the Canadians are distrustful
>> of 128-bit crypto *in general*. None of them are approved for
>> periods longer than seven days.
>
> True, but that's not uncommon: OpenVPN in TLS mode renegotiates a
> new session key every hour by default. GnuPG generates ne
On Tuesday, March 17, 2015 06:53:48 PM Daniel Kahn Gillmor wrote:
> Brainpool-512 is incompatible with some of the other work going on in
> the OpenPGP ecosystem (e.g. yahoo and google's work on the e2e webmail
> app, which supports P-256 and P-512).
Well, the Yahoo! folks are not 100% committed t
On 2015-03-17 23:18, Doug Barton wrote:
I think you are asking way too much, and
giving near-zero value in return.
I'm not asking for anything. I suggested they check the plain SHA1
checksum or even not check at all! I'm merely opposed to making people
think the short key ID is any good for v
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On 03/17/2015 11:02 PM, Peter Lebbing wrote:
> On 17/03/15 22:56, Peter Lebbing wrote:
>> and checking it says
>>
>> pub 2048R/4F25E3B6 2011-01-12 [expires: 2019-12-31] Key
>> fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
>> ui
On 03/17/2015 08:44 PM, Robert J. Hansen wrote:
Given that 2.1 introduces a lot of new capabilities (mostly with respect
to ECC), I think now, early on in the 2.1 series, would be a good time
to discuss changing the defaults for newly-generated certificates.
Some of the defaults you propose are
On 3/17/2015 11:25 PM, Kristian Fiskerstrand wrote:
> On 03/17/2015 10:58 PM, Pete Stephenson wrote:
>> On 3/17/2015 8:44 PM, Robert J. Hansen wrote:
>
> ...
>
>> Is Deterministic DSA only available in 2.1, or do 1.x and 2.0.x
>> also have that feature?
>
>
> RFC6979 is used for gnupg 2.0 compi
On Tue 2015-03-17 18:53:42 -0400, Damien Goutte-Gattat wrote:
> Do you mean signatures in general, or key signatures (certifications)?
> For key signatures, SHA-1 is still the default for RSA keys
Is this correct? I think we should be defaulting to SHA-256 for RSA
certifications these days.
If
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On 03/17/2015 10:04 PM, Doug Barton wrote:
> On 3/17/15 1:54 PM, Peter Lebbing wrote:
-----Original Message-----
>
> Assuming you get the package, the signature, and the fingerprint
> from the same *.gnupg.org resources, what does that buy y
On 03/18/2015 12:28 AM, Daniel Kahn Gillmor wrote:
On Tue 2015-03-17 18:53:42 -0400, Damien Goutte-Gattat wrote:
Do you mean signatures in general, or key signatures (certifications)?
For key signatures, SHA-1 is still the default for RSA keys
Is this correct? I think we should be defaulting
> Some of the defaults you propose are already there.
Yes. My list was comprehensive ("what the new set should be"), not
differential ("what needs changing"). :)
> So, AES256 is already the default symmetric cipher (CAST5 and IDEA
> are not even in the list and must both be explicitly requested
On 3/17/15 4:17 PM, Peter Lebbing wrote:
On 2015-03-17 23:18, Doug Barton wrote:
I think you are asking way too much, and
giving near-zero value in return.
I'm not asking for anything.
Originally you suggested that they verify the fingerprint, and use that
to retrieve the key. Glad to see n
On 3/17/15 4:34 PM, Kristian Fiskerstrand wrote:
On 03/17/2015 10:04 PM, Doug Barton wrote:
On 3/17/15 1:54 PM, Peter Lebbing wrote:
-----Original Message-----
Assuming you get the package, the signature, and the fingerprint
from the same *.gnupg.org resources, what does that buy you?
S
On Tue 2015-03-17 14:43:02 -0400, Paulo Lopes wrote:
> So what I did was to create a user unit file like this on ~/.local/:
>
> [Unit]
> Description=gpg-agent
> ConditionFileIsExecutable=/usr/bin/gpg-agent
>
> [Service]
> ExecStart=/usr/bin/gpg-agent --daemon --enable-ssh-support
> --scdaemon-progr
I thought keyservers strip all punctuation. So becomes
foo example com.
On Tue, Mar 17, 2015, 3:33 PM MFPA <2014-667rhzu3dc-lists-gro...@riseup.net>
wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
>
>
> On Tuesday 17 March 2015 at 5:38:03 PM, in
> , Daniel Kahn Gillmor
> wrote:
>
>
On Tue 2015-03-17 21:35:46 -0400, Brian Minton wrote:
> I thought keyservers strip all punctuation. So becomes
> foo example com.
This discussion has been about gnupg and its own keyring, not
necessarily about keyservers. The bug report I filed referred to local
gpg activity, not keyserver activ