Re: Vanity Keys

2015-01-13 Thread NdK
On 13/01/2015 16:34, David Shaw wrote: > I like the idea of adding a proper fingerprint to signature packets. I seem > to recall this was suggested once in the past, but I don't recall why it > wasn't pursued. What I don't understand (surely because of my ignorance of GPG inner working) is

Re: Crypto device where I need to confirm every operation?

2015-01-22 Thread NdK
On 22/01/2015 21:08, Daniel Kahn Gillmor wrote: > If anyone is considering adding this kind of feature to the FST-01, i'd > be happy to test and debug it with them. I proposed to add a button to FST-01 ages ago (IIRC it still was just a project on Seeedstudio...), as "user presence test", and

Re: Talking about Cryptodevices... which one?

2015-01-29 Thread NdK
On 28/01/2015 02:46, NIIBE Yutaka wrote: [...] > specification (and with SHA256). Its default s2kcount is 192 as the > MCU is slow enough, but you can configure it at compile time (like > 65535 for host PC, or more). Uh, I think this exposes a weakness: if the attacker "somehow" accesses th

Re: SSH generic socket forwarding for gpg-agent

2015-02-15 Thread NdK
On 13/02/2015 23:23, Daniel Kahn Gillmor wrote: > The traditional argument against this sort of feature is that someone > with control over your local socket would most likely have control over > your graphical environment, and therefore could dismiss or hide any > prompt that comes up (so th

Re: Privacy concerns

2013-04-17 Thread NdK
On 17/04/2013 18:22, Doug Barton wrote: > It's very safe to assume that e-mail address harvesting from the key > servers is not anything to worry about. At least for now. But spam is just one of the possible issues... Anyway I can see that the easiest and most versatile solution is to have d

Re: Privacy concerns

2013-04-17 Thread NdK
On 17/04/2013 19:09, Pete Stephenson wrote: > While I don't use OpenPGP at my work, it seems reasonable to me to > create separate primary keys for work and personal use. Seems the only reasonable thing... for now :) > In the US at least, companies have various regulatory requirements > rela

Re: Privacy concerns

2013-04-20 Thread NdK
On 18/04/2013 05:12, mirimir wrote: > Why would one cross-sign keys for identities used in different > communities? That would link them, which seems counterproductive. That would be useful to improve the WoT, and it wouldn't "link" 'em more than any other signature: signing a key means you a

Re: [OT] Re: Trust

2013-04-21 Thread NdK
On 19/04/2013 00:18, Jay Sulzberger wrote: > 1. Is the stack used for credit card use over the Net sufficiently "secure"? > Indeed this question is ill defined: "secure" for what, against what? Just cryptographically secure: the data you send "cannot" be read by others except the server. That,

Developing JavaCard applet

2013-04-21 Thread NdK
Hello all. I'm planning to start work on an "OpenGPGCard TNG" ( :) ) that allows: - exportable keys only towards user-certified devices - support for 2048 bit keys -- more if HW allows it - storage for "many" (thought at least 18 to allow 1 key per year till 2030) encryption keys (current + expire

Re: One Private Key for several users

2013-04-22 Thread NdK
On 22/04/2013 09:28, Lema KB wrote: > Is there any other way of using one and the same private-key by several > users, except exporting the priv-key? > We are decrypting some csv-files on a virtual machine. and it's for us not > so appropriate to share private-key through exporting. maybe ther

Re: Developing JavaCard applet

2013-05-03 Thread NdK
On 03/05/2013 09:53, Branko Majic wrote: >> I'm planning to start work on an "OpenGPGCard TNG" ( :) ) that >> allows: - exportable keys only towards user-certified devices - >> support for 2048 bit keys -- more if HW allows it - storage for >> "many" (thought at least 18 to allow 1 key per ye

Re: Suggest please

2013-05-03 Thread NdK
On 03/05/2013 14:29, Lema KB wrote: > It is not appropriate for us to have several public-private-keys. Then probably you don't need encryption at all. Or you only need symmetric encryption (same key used both for enc and dec). > Can GnuPG be downloaded on a virtual machine so, that, if one u

Re: Suggest please

2013-05-03 Thread NdK
On 03/05/2013 14:58, Lema KB wrote: > We need encryption, because the files are sent via Email from other > organisations. These files are then decrypted internally, that's why > all/several Win-Users of us. Then you could set up a (different!) machine with a mail robot that receives those ma

Re: Suggest please

2013-05-03 Thread NdK
On 03/05/2013 15:44, Lema KB wrote: > i've made this robot: it receives mail, decrypts files with my > private-key, and saves them in a folder. But, someone should click on > run.. This is me only. i need, that some others will be able to run it > also. But it doesn't decrypt files, as the pri

Re: Suggest please

2013-05-03 Thread NdK
On 03/05/2013 14:51, NdK wrote: > Submission can be handled with a correct ACL (in *nix it could be > rwxrwx-wx on a folder: only members of the group will be able to read > the files in it, but every user can put his file there -- we used this > method for lab projects). Jus

Re: Web of Trust in Practical Usage

2013-05-04 Thread NdK
On 05/05/2013 06:10, Daniel Kahn Gillmor wrote: > If you don't care about high quality entropy Even if you do: just add a NEUG token (or something similar) to the system and you have pretty high quality entropy at a good rate. But since the slow part of key generation is the primes selection,

Rewinding signature counter

2013-05-22 Thread NdK
Hello. If, recovering from a backup, I "rewind" the signature counter on my master key, what happens? In other words: is it just "decorative" (like knowing 'more or less' how many signatures I did) or it serves some purpose I (yet) don't understand? That would impact heavily the backup policy...

Re: Keyring on external encrypted drive

2013-05-23 Thread NdK
On 23/05/2013 17:37, Zece Anonimescu wrote: > Anyway, would an onscreen keyboard help against a keylogger? Nope. I heard of keyloggers that take a snapshot of the screen at click time. If you are so concerned about security, use a smartcard inserted in a reader w/ pinpad -- but I don't k

Re: Keyring on external encrypted drive

2013-05-23 Thread NdK
On 23/05/2013 18:22, Pete Stephenson wrote: > The card reader + pinpad sold at > http://shop.kernelconcepts.de/product_info.php?cPath=1_26&products_id=61 > claims to be supported with GnuPG >1.4.0 so it should work fine. ...as long as your passphrase is numeric-only. [OT] *great* support page:

Re: Keyring on external encrypted drive

2013-05-23 Thread NdK
On 23/05/2013 20:43, Peter Lebbing wrote: >> Really useful, IMVHO. Unless you have to sign *a lot* of things... > Werner Koch does not agree it's a security feature (and I suppose that's why > you > think it's useful), as he said in this[1] thread: > [1] http://lists.gnupg.org/pipermail/gnup

Re: [OT] Why are you using the GPG / PGP keys?

2013-05-25 Thread NdK
On 25/05/2013 03:36, Henry Hertz Hobbit wrote: > I suspect most people just select and delete all email messages > in their active email account every few weeks or months. This > does not bode well for the usage of GnuPG. Actually it seems the ideal use for OpenPGPCard: once you change DEC k

Re: [OT] Why are you using the GPG / PGP keys?

2013-05-30 Thread NdK
On 30/05/2013 13:17, Zece Anonimescu wrote: > Methinks the difference is the people never bother to think the > concepts all the way. So it can be PLAUSIBLE DENIABILITY (PD) with > certain organisations which are willing to let go because they are > swamped in cases or the particular agent h

Re: Why OpenPGP is not wanted - stupid is in vogue right now

2013-06-11 Thread NdK
On 11/06/2013 16:10, ved...@nym.hush.com wrote: > (It might attract also a criminal element clientele and be fairly profitable, > but then law enforcement can try to go the hardware key-logger route.) As long as decryption is done client-side (I've used JS libraries that could do RSA2048 in

Re: How do I make the private key on a OpenPGP smartcard non exportable ?

2013-06-17 Thread NdK
On 17/06/2013 20:22, T L wrote: > Under GPA in windows there is an option to backup the private key from a > OpenPGP smartcard. The smartcard protocol of a standard OpenPGP card doesn't allow it. MyPGPid card will allow a controlled export. > My understanding is that one of the main purposes o

Re: How do I make the private key on a OpenPGP smartcard non exportable ?

2013-06-22 Thread NdK
On 22/06/2013 09:35, Heinz Diehl wrote: > The whole point with a smartcard is that it's a lot easier to memorize > the PIN than a long and complicated passphrase, and that the private > key can't be exported. If it can, there's no need for a smartcard. I quite disagree, here. A smartcard coul

Re: How do I make the private key on a OpenPGP smartcard non exportable ?

2013-06-24 Thread NdK
On 24/06/2013 10:15, Werner Koch wrote: >> A smartcard could be useful anyway, at least as a "portable keyring" >> (if it didn't need initialization on every machine...). > A USB memory stick fulfills the same purpose. Not really secure... >> And key export could be controlled (like in MyPGP

Re: How do I make the private key on a OpenPGP smartcard non exportable ?

2013-06-24 Thread NdK
On 24/06/2013 16:01, Josef Schneider wrote: > Then you need a secure way to store the CA key. That is essentially > exactly the same problem! Nope. Throwaway CA! > I mean you can put it on a card and allow export of the CA key only if > the request is signed by a SuperSecureCA key... There's

Re: How do I make the private key on a OpenPGP smartcard non exportable ?

2013-06-25 Thread NdK
On 25/06/2013 09:55, Werner Koch wrote: >> First: I trust more the RNG on a card than a SW one > A card based RNG is often nothing more than a PRNG with a card specific > seed. Modern cards seem to have a real hardware RNG. I'm referring to cards compatible with GlobalPlatform 2.1.1 (minimum

Re: best practice for handing over the private key

2013-08-02 Thread NdK
On 02/08/2013 14:25, Martin T wrote: > I'm afraid this doesn't work because at the beginning I need to have > both the private and public key in order to carry out operations in > RIPE database. I don't see a difference if he generates the key pair, > uploads the ASCII armored public key to R

Re: Documentation about --list-secret-keys output

2017-04-07 Thread NdK
On 07/04/2017 11:51, mogliii wrote: > +offline (for example, a primary key can be taken offline by exported Shouldn't it be "exporting" instead of "exported"? BYtE, Diego ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/m

Key management for archives

2017-06-06 Thread NdK
Hello all. I'd need to handle an archive with many big files (~200GB each). The system receives "plain" files in a "dropbox" folder, then encrypts 'em to a (set of) public key(s) (no corresponding private keys on this system) and deletes source files. Up to this point it should be OK (a cronnable

Re: Key management for archives

2017-06-06 Thread NdK
On 06/06/2017 20:13, Konstantin Gribov wrote: > I can think of a simpler approach: > - generate secure random for symmetrical data encryption key (DEK); > - encrypt that key for authorized users on their public keys; > - encrypt data itself with something like ChaCha20 or AES in appropriat

Re: Key management for archives

2017-06-06 Thread NdK
On 06/06/2017 22:40, Konstantin Gribov wrote: > In first scheme DEK is never stored in plain text. It used while > encrypting archive and encrypted with gpg (or any other cryptographic > means) and plain text version is removed right after that. There's a big misunderstanding here: the encryp

Re: Key management for archives

2017-06-09 Thread NdK
On 09/06/2017 08:24, Werner Koch wrote: > ( gpg --status-fd 1 --show-session-key --max-output 1 \ > -o /dev/null 2>/dev/null FILE || true ) \ >| awk '$1=="[GNUPG:]" && $2=="SESSION_KEY" {print $3}' > The output can then be used with --override-session-key Tks! That's exactly what I

How to use a PKCS#15 with GnuPG?

2017-06-15 Thread NdK
ded infos... I generated some test keys on the token (ssh one is imported, for another test): $ pkcs15-tool -D Using reader with a card: Feitian ePass2003 00 00 PKCS#15 Card [NdK-test]: Version: 0 Serial number : 0843420916091101 Manufacturer ID: EnterSafe

Re: How to use a PKCS#15 with GnuPG?

2017-06-17 Thread NdK
On 17/06/2017 10:35, Werner Koch wrote: > gpg expects an OpenPGP card. For pkcs#15 you need to use gpgsm. As a > starter do > gpgsm --learn-card > which imports the certificates from such cards. There is no --card-edit > etc, because in general PKCS#15 cards are distributed personalized.

Re: Changing PINs of German bank card

2017-07-11 Thread NdK
On 11/07/2017 09:44, Binarus wrote: > - If somebody tries to brute force the pin (or online banking password), > the access will be permanently denied if there are more than 3 failures > (the exact number may vary). That means that the length of the pin / > password is not as important as one

Re: Changing PINs of German bank card

2017-07-11 Thread NdK
On 11/07/2017 12:32, Binarus wrote: >> If you routinely use your card twice a day, they can make two or four >> guesses each day: every correct PIN you insert resets the counter. > I am not completely sure if I got you right. Wouldn't that mean that I > have to lose my card, the bad person th

Re: Changing PINs of German bank card

2017-07-12 Thread NdK
On 12/07/2017 12:01, Binarus wrote: > Not sure about that. Similar to serious websites which don't store your > password in clear text, but do store the password's hash instead, I > would expect that banks don't store your PIN in clear text as well. Even with 6-digit PIN it would take *secon

Re: A Quick Supplement

2017-07-18 Thread NdK
On 18/07/2017 14:23, Daniel Villarreal wrote: > Have you ever asked Werner about what he thinks about "ease" of > backing up? Security = confidentiality + integrity + availability If you're not considering availability, you only can have partial security. BYtE, Diego

Re: [Feature Request] Multiple level subkey

2017-09-12 Thread NdK
On 12/09/2017 19:39, lesto fante wrote: > i think my use-case is one of the most common, especially if we want > to create something like a state-provided identity (on your > smartcard-document), that we want to make easily usable on everyday > services (remember, all services is really "po

Re: 1024 key with large sub key

2017-10-03 Thread NdK
On 03/10/2017 12:40, Werner Koch wrote: [...] > scrutinized the Intel ME, fixed all bugs in gpg, live in tempest At least they should have shared the bugfixes! :) BYtE, Diego

Re: auto-key-retrieve usefulness/annoyance

2017-10-05 Thread NdK
On 05/10/2017 21:06, Daniel Kahn Gillmor wrote: > gpg isn't currently constructed to do this kind of asynchronous user > interaction, however. But the mail client could flag the message "key retrieval failed". Then, the delay is only on the first attempt. Unless the user un-flags that message

Re: OpenPGP card && exporting secret keys

2018-02-06 Thread NdK
On 06/02/2018 06:47, Matthias Apitz wrote: > Is there any way to export the secret keys from the OpenPGP card to use > them directly (with a passphrase) and without the OpenPGP card? Not possible by design. What you can do is generate the key on the machine, then copy (not move) it to the ca

Re: AW: AW: AW: Users GnuPG aims for? (Re: Breaking MIME concatenation)

2018-05-18 Thread NdK
On 18/05/2018 07:31, Fiedler Roman wrote: > I thought about that also, but shouldn't 99%+ of systems perform no pinning > whatsoever of packages to repositories? In that case, the "wrong" repository > could publish just a slightly increased package version number of a package > from anothe

Re: A Solution for Sending Messages Safely from EFAIL-safe Senders to EFAIL-unsafe Receivers

2018-05-23 Thread NdK
On 23/05/2018 04:35, Craig P Hicks wrote: > When decrypted by the user in its raw form the total message will be > human readable but a little ugly because it contains the obfuscation > string *o*, but it will be safe from EFAIL. While that could be OK for human-readable files, it silently al

Re: [NIIBE Yutaka] STM32F103 flash ROM read-out service

2018-06-06 Thread NdK
On 06/06/2018 17:49, Tom Li via Gnuk-users wrote: > BTW, BasicCard and JavaCard seemed even more obscure and I cannot find > any public service of cracking. Because those are (at least should be) based on secure chips. > But it does not solve any real problem in the perspective of cryptograp

Re: [NIIBE Yutaka] STM32F103 flash ROM read-out service

2018-06-07 Thread NdK
On 07/06/2018 02:01, Leo Gaspard via Gnupg-users wrote: >> The only secure (even against decapping attacks) device I know of is a >> very old parallel-port "key" a friend described to me ~25y ago. >> It was made of 3 silicon layers: the outer ones only contained interface >> circuits and 'random

Re: Hard to find alternate source of checksums

2018-06-11 Thread NdK
On 09/06/2018 19:08, Jeff Martin wrote: > For a fresh install of GnuPG, I was following the integrity check > directions. I have no prior version for GnuPG. Why not fetch some (unrelated) live distributions, possibly some older ones and some newer ones? GPG is usually included and you can use

Re: Hard to find alternate source of checksums

2018-06-17 Thread NdK
On 16/06/2018 19:48, Jeff Martin wrote: > I'm not on Linux. I'm on macOS, which does not come with any built-in > GPG. I must build GPG from source files. The only way to verify the > source files in this situation (I think) is by checksum. You can just fire up a VM booting with an "old enoug

Re: OpenPGP key verification + legal framework

2018-11-05 Thread NdK
On 05/11/18 17:56, Viktor wrote: > If my counterparty had signed some contract or document, he/she should > not be able to delete his/her public key certificate and data used for > its verification. IMVHO you're just (badly) reinventing X509. > This is exactly the part that is difficult to ensure
