On 10/10/2013 01:45 PM, Brian J. Murrell wrote:
> I was told by a developer of a piece of software that my key does not
> conform to rfc4800. He said:
>
> According to http://tools.ietf.org/html/rfc4880#section-5.2.2
> signatures of version 3 don't have subpackets, which are only
> availabl
On 10/10/2013 03:12 PM, Brian J. Murrell wrote:
> Yeah. I have considered both of those things also. I guess the only
> thing that was holding me back was that the existing key has an
> investment in signatures on it though. What I am unclear about is how
> the authenticity and trustibility of
On 10/10/2013 09:32 PM, Hauke Laging wrote:
> Am Fr 11.10.2013, 01:25:50 schrieb Robin Kipp:
>
>> Invoked addkey to generate a 2048 bit RSA sub key, with
>> encryption and signing capabilities.
>
> It seems to me that the more accepted recommendation here is to have separate
> subkeys for signin
On Thu 2013-10-24 15:05:45 -0400, Sylvain wrote:
> I saw a lot of activity in the Debian project about upgrading to a
> 4096 RSA key,
> e.g. http://lists.debian.org/debian-devel-announce/2010/09/msg3.html
>
> However GnuPG's default is 2048.
ENISA (the European Union Agency for Network and Inf
On 10/30/2013 06:58 AM, Sam Tuke wrote:
If you want to help us, send your own statement about why GPG is important to
you. Please keep it less than or equal to 130 characters, so it can be used on
social networks.
As a Debian user, I rely on GnuPG to ensure that the software I install
hasn't b
On 11/04/2013 12:45 AM, Chuck Peters wrote:
I added the following to gpg.conf:
personal-digest-preferences SHA512
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES
CAST5 ZLIB BZIP2 ZIP Uncompressed
I changed the preferences:
gpg> setpref SHA512 SHA384
ch to User IDs to it:
* Daniel Kahn Gillmor
* Alice Munroe
You meet me, check my identity, verify that i'm actually dkg, and just
sign the first User ID (because you have been unable to verify whether i
am also somehow Alice Munroe). (in fact, i am not Alice Munroe, but i
would like to
On 11/07/2013 11:09 AM, Leo Gaspard wrote:
Except they do not have to know X, nor that he makes perfectly reasonable
decisions in signing keys.
And I believe it's not noise. Let's make an example in the real world :
* I would entrust X with my life
* X would entrust Y with his life, without
On 11/15/2013 12:06 PM, Robert J. Hansen wrote:
> getting two
> computers to generate the exact same binary code from the exact same
> source code is a surprisingly difficult challenge. It requires a
> perfect match of everything from compiler versions to C library versions
> right down to identic
On 12/12/2013 12:33 PM, Hauke Laging wrote:
> 1) gpg not showing the UID (or overall) key validity by default
What do people think about changing the default of show-uid-validity to yes?
I would support this change; i think it would help users of gpg to
better-understand their keyring. and users
On 12/13/2013 02:09 PM, Werner Koch wrote:
> I estimate that not more than 1% of all GnuPG users are using gpg in the
> shell.
this sounds like an argument for being willing to change the
human-readable output on the shell -- there are not many people looking
at it anyway, and most of those peopl
On 12/13/2013 04:27 PM, Werner Koch wrote:
> On Fri, 13 Dec 2013 21:24, d...@fifthhorseman.net said:
>> I think for a piece of critical security infrastructure, GPG has been
>> supporting some insecure practices for far too long.
>
> Why do you think this is insecure? Because gpg does not encrypt
On 12/14/2013 12:01 PM, adrelanos wrote:
> [hauke wrote:]
>> Am Fr 13.12.2013, 22:56:07 schrieb adrelanos:
>>> Hi,
>>>
>>> Is it possible to create a revocation certificate just for sub keys and
>>> not the master key?
>>
>> --edit-key 0x12345678
>> key 1
>> revkey
>
> That's doesn't create a revo
On 12/16/2013 02:32 PM, Micah Lee wrote:
> Also, looks like the CA is CAcert--an awesome CA, but not trusted by
> browsers by default. I'd suggest getting a cert from StartSSL
> [https://startssl.com/], since they're they only CA that gives certs for
> free. And a wildcard cert (for *.gnupg.org) en
On 12/17/2013 08:53 AM, Sam Tuke wrote:
> On 14/12/13 21:27, Zechariah Seth wrote:
>> Will GnuPG blogs be cross-posted to the gnupg-users list? :)
>
> I could do that if others are happy with the idea.
If the expected volume is low-ish (e.g. no more than once a week or so)
i think that would be a
Hi Matt--
On 12/17/2013 10:07 AM, Matt D wrote:
> Hi! What encryption algorithm do we use in OpenPGP
OpenPGP has "algorithm agility", meaning that it's possible to use
different encryption algorithms at different times in the same
cryptographic framework. encrypted OpenPGP messages are generall
On 12/17/2013 10:37 AM, Werner Koch wrote:
> On Mon, 16 Dec 2013 21:35, d...@fifthhorseman.net said:
>
>> Werner, if i can help with configuring or maintaining the web server for
>> gnupg.org to address some of these issues, please let me know.
>
> Yes, I have problems to figure out a woking ciph
On 12/17/2013 01:22 PM, Robert J. Hansen wrote:
> With respect to 2048-bit crypto, don't believe the hype. Most users and
> most purposes will still be well-served with even a 1024-bit key. No
> one with half a brain is going to bother trying to break RSA-1024; they
> will instead come up with mo
On 12/17/2013 05:04 PM, Robert J. Hansen wrote:
> I don't understand the reasoning by which you have concluded that I am
> advocating RSA-1024. I'm not. I think the default of RSA-2048 is a
> good one. I'm only saying that for most users and most purposes,
> RSA-1024 is sufficient; to reach "vir
On 12/17/2013 08:27 PM, Robert J. Hansen wrote:
> Yes -- but no one is claiming that 112-bit keyspaces are vulnerable
> today, or at any time within the near future. Further, moving to a
> 128-bit keyspace is not, IMO, any sort of a real win: you're only
> gaining 16 bits of keyspace. At most you
On 12/17/2013 08:45 PM, Micah Lee wrote:
> As far as I know these preload lists only force HTTPS for these domains.
> I wonder if anyone could convince the browser vendors to also do
> certificate pinning, bypassing PKI based on CAs altogether?
I believe the answer for public-key-pinning is the sa
On 12/17/2013 10:28 PM, Robert J. Hansen wrote:
> On 12/17/2013 9:20 PM, Daniel Kahn Gillmor wrote:
>> (i'm glad you still feel they're trustworthy, even in the context of
>> them having issued a deliberately bad RNG, and their keylength
>> recommendations be
On 12/18/2013 12:29 AM, Robert J. Hansen wrote:
> A flawed standard is just that, a flawed standard. It's not a cause for
> a crisis of trust in an outfit that has enjoyed the community's trust
> for many decades.
Sorry, but NIST does face a crisis of trust, particularly in the area of
cryptograp
On 12/20/2013 03:20 PM, Micah Lee wrote:
> On 12/20/2013 08:21 AM, Eric Swanson wrote:
>> This is exactly what I was looking for. Thanks!
>
> There's a script called keytrans (with a symblink called pem2openpgp)
> that's bundled with the monkeysphere source code might do exactly what
> you need.
>
On 12/24/2013 01:02 PM, Johan Wevers wrote:
> You think someone will type it over? KeyID plus a URL would be more
> usefull IMO (perhaps a QR code with the URL?)
Please use a QR code that contains the full fingerprint (no spaces)
prefixed with OPENPGP4FPR: -- this is the mechanism used by the
monk
On 12/26/2013 03:01 PM, Avi wrote:
> Would having the e-mail address and name in the QR code adversely affect
> compatibility with monkeysign?
> For example, see the attached code which is similar to what I was playing
> with for key-signing purposes, although I was going to print them on
> mailing
[rearranging top-posted-ness for chronological sanity]
On 12/27/2013 01:12 PM, Avi wrote:
> On Fri, Dec 27, 2013 at 1:01 PM, Olav Seyfarth wrote:
>> Apart from the question about whitespace, there are no OpenPGP related
>> fields defined in vCard, neither for keyIDs, key-download-URLs nor
>> fi
On 01/03/2014 08:12 AM, Leo Gaspard wrote:
> So changing the encryption could break an opsec.
If someone's opsec is based on the question of whether a message was
encrypted or not, then they've probably got their cart before their
horse too.
opsec requirements should indicate whether you encrypt,
On 01/03/2014 12:35 AM, Hauke Laging wrote:
> From the RfC perspective (PGP/MIME) this should not be a problem; you just
> need another level of nesting. Maybe the mail clients are not even prepared
> for reading such messages. That would not surprise me but would not be an
> argument against on
On 01/03/2014 06:56 PM, Leo Gaspard wrote:
> On Fri, Jan 03, 2014 at 12:50:47PM -0500, Daniel Kahn Gillmor wrote:
>> On 01/03/2014 08:12 AM, Leo Gaspard wrote:
>>> So changing the encryption could break an opsec.
>>
>> If someone's opsec is based on th
On 01/04/2014 04:41 PM, nb.linux wrote:
> - ...here I'm stuck, because (as I understand the lsign) I cannot export
> the signature...
>
> Is this right?
> How can I lsign a key and transfer the local signature from my air
> gapped system?
> Maybe by copying the keyring files between the systems?
On 01/17/2014 02:03 PM, Johannes Zarl wrote:
> If the revocation is a final act, as long as I can make sure that the
> revocation certificate reaches my communication partners I can be sure that
> nobody can compromise the key and "reenable" it and start impersonating me.
>
> If, however, the re
On 01/19/2014 09:55 AM, Daniele Ricci wrote:
> Ok, so I have to conclude it's implementation specific?
> I'm using a custom user attribute to store something that can change
> quite often (privacy lists for a chat user). What do you suggest?
I don't know what a "privacy list for a chat user" is.
On 01/19/2014 08:46 AM, Mark Schneider wrote:
> Is there any possibility to create a minimal version of gnupg?
gnupg already can produce gpgv, which (on debian at least) is 356KiB,
though it also dynamically links to libresolv and libz and libbz2 and
libc. I'm sure you could reduce that further
On 01/23/2014 09:34 AM, Uwe Brauer wrote:
> Hello
>
> A Long time ago, IBM's proprietary OS, called CMS had a particular
> feature for the login:
>
> It gave you three attempts to login in. If you failed there was a time
> delay of 20 min, if you failed again, the time delay was prolonged to
> o
On 01/23/2014 05:50 PM, Steve Jones wrote:
> I've been thinking about UIDs in keys, rfc4880 section 5.1 says that by
> convention a UID is an rfc2822 email address but this is not a
> requirement[1]. Gnupg does enforce that restriction unless you explicitly
> disable it. It would seem to make se
On 01/24/2014 12:48 PM, Steve Jones wrote:
> On Fri, 24 Jan 2014 12:15:40 -0500 Daniel Kahn Gillmor
> wrote:
>
>> http://web.monkeysphere.info/
>
> This looks pretty cool, and does cover some of the things I've been
> thinking about. I've been wondering
Hi Uwe--
On 01/27/2014 04:51 AM, Uwe Brauer wrote:
> Hi according to
> http://tools.ietf.org/html/rfc3156
>
>
> A pgpmime signed message contains lines such as
>
> Content-Type: multipart/signed; boundary="=-=-=";
> micalg=pgp-sha1; protocol="application/pgp-signature"
>
> While an atta
On 01/30/2014 01:59 AM, NdK wrote:
> Il 30/01/2014 02:14, DUELL, BOB ha scritto:
>
>> I will appreciate any and all comments. If there is a "better way" to do
>> this, I'd love to learn.
> Every user in the group could "leak" the secret key. At least put it
> into a smartcard/token connected to
On 02/04/2014 09:01 AM, Mark H. Wood wrote:
> Having said that, you might look at how OpenSSH has included X.509
> certificates in its operation. There is precedent for something like
> what you suggest.
fwiw, the answer here is "they haven't". Roumen Petrov's X.509 patches
remain outside of Ope
On 02/03/2014 10:55 PM, Hauke Laging wrote:
> This idea came to my mind while I was wondering why several CAs offer
> free (but rather useless...) certificates for X.509 but not for OpenPGP.
> Whatever they do with X.509 can be done with OpenPGP, too (e.g. setting
> an expiration date for the si
On 02/04/2014 12:36 PM, Hauke Laging wrote:
>> I don't know of a formalized way to do the other mapping, but it seems
>> like it would be pretty straightforward to embed the full X.509
>> certificate in a notation packet
>
> Why wouldn't the fingerprint and the DN not be enough? The whole
> appro
On 02/05/2014 01:04 PM, Peter Lebbing wrote:
> So you could create a hybrid model:
>
> I assign trust to a specific CA. That CA has issued a certificate with DN
> "XYZ".
> In my public OpenPGP keyring, there exists a key with a UID "XYZ", and that
> public key has the same raw key material as the
On 02/05/2014 03:06 PM, Werner Koch wrote:
> Almost all X.509 certification in public use certify only one of two
> things:
>
> - Someone has pushed a few bucks over to the CA.
>
> - Someone has convinced the CA to directly or indirectly issue a
>certificate.
To further clarify: "Domain V
On 02/10/2014 08:44 AM, Jim Ernst wrote:
> After looking at it further, I did wonder whether or not it was a result of
> exporting the file off of one UNIX machine and importing it onto another
> (again, using just --export). Would you know if movement like that between
> machines should create
On 02/12/2014 06:40 AM, Michael Anders wrote:
> I am still puzzled, however. Can anyone explain the logical reason as to
> why we need this jungle in OpenPGP, which thankworthily is usually more
> or less hidden from the user anyways?
> A good reason would help the complicated workings to stick w
On 02/17/2014 07:17 PM, Nat Tuck wrote:
> Does anyone know the status on the inclusion of secure ECC in gnupg?
It is perhaps open for discussion whether djb's criteria for
"safecurves" can be defined as "secure ECC", but you can find recent
discussion about the use of edwards curves (EdDSA) in Ope
On 02/26/2014 12:08 AM, Hauke Laging wrote:
> I suggest to add a new key generation mode. The only difference would be
> that the random input is not read from /dev/random any more (and that
> random_seed would not be used or newly initialized) but from an explicit
> source: --random-source /pat
On 02/28/2014 02:58 PM, Hauke Laging wrote:
> a) Maybe I was not clear enough about that but I do not suggest this as
> a "Set the flag once (and do the other stuff) and after that you are
> safe forever" feature. This feature would have to be used for every
> encryption, too. (I guess it would
Hi Martin--
On 03/13/2014 06:44 AM, Martin Behrendt wrote:
> I want to achieve the following:
> 1. A Master signing key
> 2. A subkey signing/enc pair for my normal machine
> 3. A subkey signing/enc pair for e.g. my mobile device
> Now the following problem arises (at least from the reading I hav
On 03/13/2014 12:30 PM, Martin Behrendt wrote:
> Am 13.03.2014 16:42, schrieb ved...@nym.hush.com:
>> = You can let all your correspondents know that they can
>> encrypt simultaneously to all 3 of your keys that have the same
>> e-mail address (assuming that you give them the fingerprints and
>
On 03/13/2014 06:17 PM, MFPA wrote:
> On Thursday 13 March 2014 at 2:31:06 PM, in
> , Hauke Laging wrote:
>
>> gpg --recipient 0xD4BC64B8\!
>
> I've never see it with a backslash before the exclamation mark.
> What does the backslash add?
it tells your shell to avoid interpreting the ! as a shel
On 03/15/2014 03:53 PM, Juha Heljoranta wrote:
> I am not able to get the gpg to verify a signature.
>
> Any advice how to fix this?
> Or could the key 9C973C92 be invalid/broken?
>
>
> $ mkdir -m 700 newgnupg
> $ echo foo > zinc-0.2.0.jar
> $ wget
> http://repo1.maven.org/maven2/com/typesafe/
On 03/25/2014 07:38 AM, Mikael Nordfeldth wrote:
> The problem I experience is when importing back the 'pubkeys' and
> 'subkeys' files (see Debian guide):
Hm, i just ran through the instructions at
https://wiki.debian.org/Subkeys with a dummy/test user, and they seemed
to work for me. so somethin
On 03/25/2014 10:27 AM, Mikael "MMN-o" Nordfeldth wrote:
> Also: One thing I noticed is that my output from 'gpg -K' for the master
> keyring (which I'm exporting from) only has one UID (the JPEG photo),
> but not the primary UID 'Mikael "MMN-o" Nordfeldth '
> which is listed when using the '--edi
On Wed 2014-03-26 17:37:05 -0400, -- -- wrote:
> is it possible to encrypt a file with a symmetric cipher (e.g., AES256)
> using a key file (e.g., a binary file) instead of a password?
Yes, but you will need to translate the binary file into a long ascii
string first (which means the exact
On 03/28/2014 07:48 AM, Peter Lebbing wrote:
> And the hack presented doesn't allow for
> the common scenario: a key file *as well as* a password.
sorry, i think my assumption of the common scenario was very different
from yours, or i wouldn't have recommended the conversion i did.
i'd assumed t
On 04/02/2014 01:07 PM, Tim Chase wrote:
> 1) I'd missed that GPG conveniently compresses the data before
> encrypting which would explain some of the differences I saw.
[...]
> in more than half of my use cases (small plain-text/JSON messages)
It sounds to me like you might be setting up some
On 04/02/2014 01:55 PM, ved...@nym.hush.com wrote:
> Is it possible to generate an RSA key in GnuPG, and then use it (not in
> GnuPG, but in other systems using RSA keys), to encrypt and decrypt RSA
> messages?
i think you might be interested in openpgp2pem from the monkeysphere
package.
> If s
On 04/08/2014 12:45 AM, Peter Michaux wrote:
> I am creating a Debian APT repository of system packages. I need to
> sign the repository's Release file, creating detached signature file
> Release.gpg, so that packages can be installed on another Debian
> system with `apt-get install` without the c
On 04/08/2014 02:16 AM, Peter Michaux wrote:
> I'm concerned about the inability of reprepro to include in a single
> distribution two files which are only different versions of the same
> package. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=570623
sorry for the off-topic aside, i'm glad to
On 04/09/2014 07:20 PM, Robert J. Hansen wrote:
> No, it does not. Nor does Chrome.
Chromium (from which chrome is based) actually embeds a copy of openssl,
but doesn't use it for its TLS implementation, which is where the bug
would be triggered. (i'm not sure why they do this embedding actuall
On 04/22/2014 05:40 PM, Peter Lebbing wrote:
> On 22/04/14 13:56, Hauke Laging wrote:
>> This can easily be seen from the facts that (a) the same owner can have
>> several keys and (b) there are scenarios in which you will not assign the
>> same trust to these keys.
>
> Oh wow. I understand you ca
On 04/22/2014 03:57 PM, Peter Lebbing wrote:
> Perhaps the novice interface should just stick to "validity" and do away with
> the whole concept of ownertrust to keep things simple. Suggest that people
> meet
> up with someone and sign their key personally if they want validity.
>
> Also, I think
On 04/22/2014 06:11 PM, Peter Lebbing wrote:
> In your example, you do not trust the two keys differently[1]. However, due
> to a
> technicality, you can't assign both the same ownertrust, because they would
> add
> up. I don't think this is a fundamental thing that changes the concept of
> owner
On 04/23/2014 05:23 AM, Peter Lebbing wrote:
> On 23/04/14 00:56, Robert J. Hansen wrote:
>> I can see it, actually.
>
> Yes, after dkg's last message yesterday I also realised I had overlooked that
> scenario. I think it can be generalised as "different roles", as even the
> verification effort /
On 04/23/2014 06:13 PM, t...@piratemail.se wrote:
> This is a tiny bit philosophical. Perhaps a little off-topic. I think this is
> probably the best list to ask never-the-less.
>
> So I've been working on this pgp base web based mail service.
> https://github.com/timprepscius/mv
>
> Here is th
On 04/25/2014 12:38 AM, Hauke Laging wrote:
> Am Mi 23.04.2014, 20:32:27 schrieb MFPA:
>
>> Say a user has two keys, 0x0123456789abcdef and 0xfedcba9876543210. I
>> propose each key could sign the other with a signature notation
>> something like:-
>> siblings-0x0123456789abcdef-0xfedcba9876543...
On 04/24/2014 10:49 PM, Hauke Laging wrote:
> a) Many keys are certified without being verified. This is IMHO not so
> much a problem if this is transparent. Think of --ask-cert-level. BTW: I
> really don't like the --min-cert-level default to be 2 because this
> forces the users to either igno
On 04/25/2014 09:23 AM, Mark H. Wood wrote:
> What about abandoning terms of art and just saying things more simply:
> "This message was signed by key . You have indicated that you
> trust that key."
trust that key to do what? to belong to some mystery person? to make
valid OpenPGP sign
On 04/22/2014 06:50 PM, Nicolai Josuttis wrote:
> me: you either can sign the key
> or trust somebody else who signed the key
> (such as pg...@ct.heise.de)
> he: Oh, I even registered my email/key there
>but what else is missing?
> me: load the key for pg...@ct.heise.de
> he
On 04/24/2014 06:19 PM, Gabriel Niebler wrote:
> """
> A key on my keyring is "valid" if it is not expired or revoked.
> It is "authentic" if it bears one signature from one of my keys, or
> several signatures from other keys to which I have granted marginal
> authority to authenticate keys.
> """
On 04/26/2014 06:21 PM, John Sockwell wrote:
> I’m looking for best practices in creating and managing multiple subkeys and
> uids.
>
> In my scenario, I have a personal computer and personal email address. In
> addition, I have an employer provided computer and employer email address.
>
> I’d
On 04/29/2014 06:40 PM, Koen wrote:
> I use '--keyserver --search-keys to get info on a number of
> keys. As far as I can tell, that doesn't return an expiration date (if
> that exists).
>
> Are there other ways to easily check on the exp. date, besides importing
> the key and then verifying th
On 04/30/2014 03:40 PM, Faramir wrote:
> It is like providing free airplane tickets, and then charging for the
> parachute.
I like this analogy, but it only covers one part of the CA's
relationships -- the relationship with the subscriber. But the CA also
has other relationships, including its re
On 04/26/2014 08:20 AM, MFPA wrote:
> On Friday 25 April 2014 at 5:47:46 PM, in
> , Daniel Kahn Gillmor wrote:
>
>> PS MFPA's original idea of using a notation to link two
>> primary keys is interesting, and i see how it could be
>> useful, but i don't think i
On 04/26/2014 06:01 PM, Gabriel Niebler wrote:
> GnuPG will also allow me to encrypt some text to (an encryption subkey
> of) such a mixed-case certificate (I think), because it cannot
> possibly know the intended recipient, so checking
> validity/authenticity/... of that specific UserID is up to m
On 05/01/2014 10:02 PM, Hauke Laging wrote:
> Let's not try to protect the users against themselves even in non-
> technical contexts. Your opinion about leaking social information is not
> better that that of somebody who likes to leak it. The result should not
> be you making that impossible fo
On 05/02/2014 06:03 PM, Faramir wrote:
> El 28-04-2014 14:35, Daniel Kahn Gillmor escribió:
> ...
>> But I also want to point out that some employers may have a
>> legitimate need (even a legal compulsion) to be able to decrypt
>> communications coming to your work-related
On 05/02/2014 01:21 PM, Peter Lebbing wrote:
> As a public statement; now we're going into trust signature territory, which
> is
> not really a common deployment in the WoT. But I guess you could simply make a
> normal signature instead of a trust signature. True, you do not make a public
> statem
texts.
>
> Imagine this: you're a purchasing agent at Yoyodyne. You've established
> WoT connections with all your providers using a certificate whose only
> UID is:
>
> "Daniel Kahn Gillmor (sales orders only) "
>
> Now you go out on vacation for th
On 05/03/2014 02:56 PM, William Hay wrote:
> Once you start doing things publicly one would need to pick a
> certification level in order to inter-operate with the existing WoT.
> It isn't clear to me that there is a good default.
There is a good default for certifying someone else's key. the defa
hi gnupg folks--
https://gpg4win.org/download.html says:
Please note: Does not use portable applications - especially crypto
applications - on potentially infected systems.
I think you want to change "Does" to "Do" to turn the note into an
imperative:
Please note: Do not use portable a
Hi Tomer--
On 05/10/2014 05:23 AM, Tomer Altman wrote:
> 1. Find a computer that you think is relatively free of malware
> 2. Download a Live Linux distro CD/DVD/USB, and verify its signatures to make
> sure you are not installing a tainted version
> 3. Launch the verified Linux distro.
> 4. Use
On 05/12/2014 03:35 AM, Tomer Altman wrote:
> You recommend creating a revocation certificate against the private key, but
> the GPG documentation seems to recommend creating the revocation certificate
> against the public (sub-)key:
>
> https://www.gnupg.org/gph/en/manual.html#REVOCATION
>
>
On 05/22/2014 01:04 PM, martijn.list wrote:
> The sub key of the following key (key ID 0549B8A5640444E6) is valid for
> signing (RSA Encrypt or Sign) but it does not contain a primary key
> binding signature:
>
> http://pgp.mit.edu/pks/lookup?search=0x0549B8A5640444E6&op=index
The subkey here (0
On 06/02/2014 11:30 AM, Suspekt wrote:
> Am 02.06.2014 17:01, schrieb David Shaw:
>> One problem with multiple encryption subkeys is that the person
>> encrypting to you doesn't know which one to use. As things stand in
>> OpenPGP clients today, unless the person encrypting explicitly
>> specifies
On 06/04/2014 12:53 PM, Michael B. Harris wrote:
> I have not been able to use OpenPGP since I upgraded to
> Ubuntu 14.04 on my 64 bit Laptop.
>
> Can anyone help?
If you can state the problems you're seeing more specifically, we can
probably help better.
Can you describe your system in more det
We've had this same discussion recently, i think on this very list.
please also review the archives.
On 06/05/2014 05:44 AM, Suspekt wrote:
> Am 05.06.2014 09:26, schrieb Cpp:
>> cert-digest-algo SHA512
> This will you incompatibility with many (I think all) versions of PGP.
> Maybe its not releva
On 06/06/2014 04:19 AM, Cpp wrote me privately (but later OKed publication):
> On 6/5/14, Daniel Kahn Gillmor wrote:
>> there is a link to an explanation about it. you can read the rationale
>> for it here:
>>
>> http://thread.gmane.org/gmane.mail.notmuch.general/372
On 06/06/2014 12:46 PM, Cpp wrote:
> Alright, thanks for elaborating it. Does this mean that the notation
> (the "sig-notation issuer-...@notations.openpgp.fifthhorseman.net=%g"
> line) is final, and is not going to change in the future?
I don't know if anyone is going to introduce another extensi
Hi Philip--
over on enigmail-users,
On 06/16/2014 09:58 AM, Philip Jackson wrote:
> me@me-desktop:~$ gpg --sign test-message
>
> You need a passphrase to unlock the secret key for
> user: "Philip Jackson "
> 2048-bit RSA key, ID 23543A63, created 2013-01-22
> (here I entered the passphrase)
> gpg
On 06/18/2014 04:46 AM, Richard Ulrich wrote:
> $ gpg -d test.txt.gpg
> gpg: Anonymer Empfänger; Versuch mit geheimem Schlüssel 0AE275A9 …
> gpg: sending command `SCD PKDECRYPT' to agent failed: ec=6.91
> gpg: Anonymer Empfänger; Versuch mit geheimem Schlüssel 8760DB3E …
> gpg: Alles klar, wir sin
On 06/18/2014 09:43 AM, Daniel Kahn Gillmor wrote:
> On 06/18/2014 04:46 AM, Richard Ulrich wrote:
>> $ gpg -d test.txt.gpg
>> gpg: Anonymer Empfänger; Versuch mit geheimem Schlüssel 0AE275A9 …
>> gpg: sending command `SCD PKDECRYPT' to agent failed: ec=6.91
>>
On 06/24/2014 03:55 AM, Werner Koch wrote:
> On Fri, 13 Dec 2013 23:51, d...@fifthhorseman.net said:
>
>> securely. Exposing the UID validity is a step toward making the trust
>> model calculations more visible to users, which is necessary for
>> understanding.
>
> 2.0.24 will use
>
>--list
On 06/25/2014 02:25 AM, Werner Koch wrote:
> This misunderstanding is actually an indication of the problem. You are
> talking 4096 vs. 2048 while the more important case is to read the
> security announcements and update your gpg.
That's a great point. I've just proposed a pull request on that
On 06/26/2014 10:26 AM, Robert J. Hansen wrote:
> So in a very real sense, anything past RSA-2048 is at best a "you
> *might* get some additional security, depending on what symmetric
> algorithm your correspondent uses. Oh, and you can't forbid your
> correspondent from using 3DES, either."
Of c
On 06/24/2014 07:28 AM, Gabriel Niebler wrote:
> I consider myself quite the amateur (I haven't even read most of RFC
> 4880 yet), but I do take issue with one point in the riseup.net Best
> Practices page, namely the bit where it says "self-signatures must not
> use SHA1".
> I find that statement
On 06/26/2014 05:45 PM, Robert J. Hansen wrote:
> On 6/26/2014 2:25 PM, Daniel Kahn Gillmor wrote:
>> If you know of a modern OpenPGP implementation that supports SHA-1 but
>> not SHA-256 or SHA-512, please point it out (and no, creating one just
>> to be able to point t
On 06/28/2014 12:09 AM, Robert J. Hansen wrote:
> When faced with that, it's only a matter of time until Alice decides to
> put 3DES first in her own preference list. And then all her
> communications to Bob have 112 bits of keyspace, not the 256 Bob
> demands.
I think you're talking about person
201 - 300 of 930 matches
Mail list logo
