Hello Werner and all,
after seeing Facebook's public key a couple of days ago,
i was wondering if it's possible to enhance GnuPG in a
future version, so that it no longer allows someone to
sign a public key without approval of the owner.
As an example: Bob likes to sign Alice's pub key and
issues
On Sun, Aug 16, 2015 at 12:15:03PM +0100, MFPA wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi
>
>
> On Sunday 16 August 2015 at 9:10:28 AM, in
> , Stefan Claas wrote:
>
>
>
> > after seeing Facebook's public key a couple of days
On Sun, Aug 16, 2015 at 11:18:20AM +, Philipp Schafft wrote:
> reflum,
>
> On Sun, 2015-08-16 at 10:10 +0200, Stefan Claas wrote:
> > Hello Werner and all,
> >
> > after seeing Facebook's public key a couple of days ago,
> > i was wondering if it'
On Sun, Aug 16, 2015 at 05:31:10PM +0200, Viktor Dick wrote:
> On 16.08.2015 16:26, Stefan Claas wrote:
> > if i understand you correctly it would not help me if someone
> > would sign my key without my approval, so to speak.
>
> Sure it helps. If Alice signs my key and
On Sun, Aug 16, 2015 at 06:04:38PM +0200, Einar Ryeng wrote:
> On Sun, Aug 16, 2015 at 04:26:16PM +0200, Stefan Claas wrote:
> >
> > What i meant with my initial post was that it should in the
> > future not be possible to sign someone's pub key directly, to
> > preven
On Sun, Aug 16, 2015 at 11:24:38AM -0700, Schlacta, Christ wrote:
> I'll reiterate that there's really no such thing as unwanted signatures.
> The more signatures on a key, the stronger the Web of Trust. End of story.
> Please try to understand that no signature is inherently unwanted. Your
> prop
1-05-26]
Schl.-Fingerabdruck = 2BAF 85F9 281A BD54 3823 C7C5 981E B7C3 82EC 52B4
uid [ uneing.] Stefan Claas
sub 2048R/64C48933 2017-05-26 [verfällt: 2021-05-26]
I also received my X.509 classIII certificate from the "Volkverschlüsselung"
initiative fr
On 30.05.17 08:05, Daniel Pocock wrote:
>
> Does anybody know of certificate authorities who are willing to sign PGP
> keys or has anybody ever looked into making that happen?
Hi Daniel,
please check those two links:
https://pgp.governikus-eid.de/pgp/
https://www.heise.de/security/dienste/PGP-S
I don't recommend that anyone make a sig1, sig2, or sig3 for any
third-party certification (sig3 is fine for self-signatures, where the
keyholder asserts their own identity).
sig0 -- the default, generic certification -- is fine, does what people
need of it, and doesn't intentionally leak any m
On 31.05.2017 at 01:22, Damien Goutte-Gattat wrote:
Hi,
On 05/30/2017 09:25 PM, Stefan Claas wrote:
The classical procedure would be to sign a key with a sig3 after seeing
the person's id-card in a real meeting. But who guarantees that the
id-card is not fake (if the person is a complete
On 31.05.2017 at 03:43, Phil Pennock wrote:
It's unfortunate really that the default is to make public attestations,
telling the world "trust me, this key belongs to this person" instead of
locally useful data and then, only once someone knows what they're
doing, offering them the option to act
On 31.05.2017 at 12:18, Daniel Pocock wrote:
Hi Stefan,
Thanks for sharing these. Unfortunately my German skills are not great,
could you make any comment about those companies?
In particular,
- does a signature from either of these comply with eIDAS (and therefore
ZertES)?
- what effort
Hi all,
i wonder why message padding was never considered in GnuPG, as
additional parameter?
http://www.wiredyne.com/software/padding.html
Regards
Stefan
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/
Hi,
i like to ask application developers if it's possible to implement,
in the future, identicons like for example Bitmessage has?
https://github.com/jakobvarmose/go-qidenticon
The reason why i ask, i started to use Thunderbird with Enigmail and
Enigmail shows me always Untrusted Good Signature
On 04.06.17 11:50, Ben McGinnes wrote:
> On Sun, Jun 04, 2017 at 11:21:33AM +0200, Stefan Claas wrote:
>> The reason why i ask, i started to use Thunderbird with Enigmail and
>> Enigmail shows me always Untrusted Good Signature with a 32bit key ID,
>> when i have not c
On 04.06.17 12:50, Robert J. Hansen wrote:
>> P.S. With scallion it took me only seconds/or a minute to generate
>> a fake pub-key with the same 32bit key id, on my old notebook.
> The question then becomes how hard it would be to forge a qidenticon.
> There's not a whole lot of entropy there.
I'm
On 04.06.17 13:19, Ludwig Hügelschäfer wrote:
> On 04.06.17 12:39, Stefan Claas wrote:
>> On 04.06.17 11:50, Ben McGinnes wrote:
> (...)
>
>>> then add "keyid-format 0xLONG" to your gpg.conf file.
>>>
>> I did that, but Enigmail still shows me
On 04.06.17 20:29, Kristian Fiskerstrand wrote:
> On 06/04/2017 11:21 AM, Stefan Claas wrote:
>> The reason why i ask, i started to use Thunderbird with Enigmail and
>> Enigmail shows me always Untrusted Good Signature with a 32bit key ID,
>> when i have not carefully verifie
On 04.06.17 22:32, Kristian Fiskerstrand wrote:
> On 06/04/2017 10:25 PM, Stefan Claas wrote:
>> With Thunderbird/Enigmail (i can't speak for other apps) a user new to GnuPG
>> and not savvy with checking email headers and not carefully checking the
>> fingerprint (h
On 05.06.17 01:05, Ben McGinnes wrote:
> On Sun, Jun 04, 2017 at 10:47:56PM +0200, Stefan Claas wrote:
>> I'm not yet familiar with the TOFU model, but if it helps to spot a
>> fake pub key immediately, in addition to the regular trust-model i
>> see no reason why not.
On 04.06.17 22:20, Daniel Kahn Gillmor wrote:
> Hi Stefan--
>
> I think you're asking about two sort of different things.
>
> on the one hand, you're asserting that the 32-bit keyid isn't sufficient
> for any sort of cryptographic verification. that's absolutely correct,
> and enigmail really sho
On 05.06.17 16:22, Stefan Claas wrote:
> On 04.06.17 22:20, Daniel Kahn Gillmor wrote:
>
>> I'd generally think that if you're looking for a tool to help people
>> remember and recognize keys that they've seen before, then a mail user
>> agent is in a great
On 05.06.17 17:40, Stefan Claas wrote:
> And another thought, since this thread says "app developers". How would
> services like StartMail, ProtonMail or gmx.de for example handle this...?
>
> If i remember correctly users have not the possibility to sign someone
> els
On 05.06.17 22:26, Daniel Kahn Gillmor wrote:
> On Mon 2017-06-05 16:22:26 +0200, Stefan Claas wrote:
>>> * in the "distinguishing" model, it's not clear that any of the schemes
>>>i've seen are actually better for most humans against a dedicated
On 06.06.17 04:11, Daniel Kahn Gillmor wrote:
> On Tue 2017-06-06 01:24:43 +0200, Stefan Claas wrote:
>> On 05.06.17 22:26, Daniel Kahn Gillmor wrote:
>>> what does "bullet-proof" mean, specifically?
>> For me it means that the identicons should be visually eas
On 06.06.17 18:07, Stefan Claas wrote:
> On 06.06.17 04:11, Daniel Kahn Gillmor wrote:
>> On Tue 2017-06-06 01:24:43 +0200, Stefan Claas wrote:
>>> On 05.06.17 22:26, Daniel Kahn Gillmor wrote:
>>>> what does "bullet-proof" mean, specifically?
>>
ut TOFU isn't for everyone, and neither is the Web of Trust. It's your
> call.
>
> By the way, it is my feeling Stefan Claas is looking for TOFU. The
> Identicon scheme feels like TOFU with the database on external storage,
> to wit, the user's brain :). Better to sto
On 06.06.17 20:46, Charlie Jonas wrote:
> On 2017-06-06 19:12, Stefan Claas wrote:
>> I tried also with Enigmail under OS X but when checking the signatures here
>> from the list members i always get the blue "Untrusted Good Signature".
> Yes I get this as well. Intere
On 07.06.17 00:04, MFPA wrote:
>
>
> On Tuesday 6 June 2017 at 5:07:18 PM, in
> , Stefan Claas
> wrote:-
>
>
> > Therefore qualified CA's
> > in my opinion are mandatory where each user in each
> > country [may] register
> > with his/her id-card
On 07.06.2017 at 08:50, Andrew Gallagher wrote:
On 7 Jun 2017, at 06:55, Stefan Claas wrote:
The procedure went like this: I inserted my id-card in a certified
card reader, which i purchased, started the German certified id-card
software "AusweisApp2" to connect to the CA Serv
On 07.06.2017 at 10:57, Peter Lebbing wrote:
On 07/06/17 07:55, Stefan Claas wrote:
The procedure went like this: I inserted my id-card in a certified
card reader, which i purchased, started the German certified id-card
software "AusweisApp2" to connect to the CA Server and the serv
On 07.06.2017 at 11:04, Peter Lebbing wrote:
On 06/06/17 20:12, Stefan Claas wrote:
Is TOFU verifying the email address from the from: header of the message
and then compares it with the email address in the UID?
Yes.
I ask, because
if i would use a free form UID with no email address
On 07.06.2017 at 13:21, Peter Lebbing wrote:
On 07/06/17 11:04, Peter Lebbing wrote:
On 06/06/17 20:12, Stefan Claas wrote:
Is TOFU verifying the email address from the from: header of the message
and then compares it with the email address in the UID?
Yes.
Actually, that's not r
On 07.06.2017 at 14:24, Peter Lebbing wrote:
On 07/06/17 13:49, Stefan Claas wrote:
In Enigmail with the blue and green bar (without showing statistics) it
would simply mean
that it switches from green to blue, right?
Not necessarily!
I don't know if Enigmail checks whether the Fro
On 07.06.17 22:23, Ludwig Hügelschäfer wrote:
> Hi Stefan,
>
> On 06.06.17 22:19, Stefan Claas wrote:
>> On 06.06.17 20:46, Charlie Jonas wrote:
>>> On 2017-06-06 19:12, Stefan Claas wrote:
>>>> I tried also with Enigmail under OS X but when checking the
>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 07.06.17 14:24, Peter Lebbing wrote:
> I hope Enigmail will add the TOFU statistics to the displayed > information.
> Or maybe they already did, I see that I'm using Debian >
jessie's enigmail package for Enigmail, and Debian jessie/stable has >
On 08.06.17 22:33, Stefan Claas wrote:
[snip]
bad signature and mangled text. I don't like
how the Editor in Thunderbird works! I look like
an idiot here on the list with my postings.
Regards
Stefan
On 07.06.17 14:24, Peter Lebbing wrote:
> On 07/06/17 13:49, Stefan Claas wrote:
>> In Enigmail with the blue and green bar (without showing statistics) it
>> would simply mean
>> that it switches from green to blue, right?
> Not necessarily!
>
I have one more question i
On 07.06.17 22:23, Ludwig Hügelschäfer wrote:
> Hi Stefan,
>
> On 06.06.17 22:19, Stefan Claas wrote:
>> On 06.06.17 20:46, Charlie Jonas wrote:
>>> On 2017-06-06 19:12, Stefan Claas wrote:
>>>> I tried also with Enigmail under OS X but when checking th
On 12.06.17 16:06, Peter Lebbing wrote:
> On 12/06/17 14:52, Stefan Claas wrote:
>> I just checked again. On my Mac and on my Windows Notebook
>> i get a green bar , from a blue "Untrusted" key when i go into
>> Enigmail's Key Management and set the trust of that k
On 12.06.17 16:31, Peter Lebbing wrote:
> I hadn't gotten round to answer your earlier questions yet, since I
> noticed a point I should first spend some effort and thinking on.
>
> On 12/06/17 16:14, Stefan Claas wrote:
>> And a question for this... If Mallory would get
On 12.06.17 17:28, Robert J. Hansen wrote:
>> I agree with you and it makes perfect sense, but then it would raise
>> another question. How should an average user of GnuPG, like me,
>> then handle this.
> It cannot be the job of the GnuPG team to teach people how to safely
> administer their oper
On 12.06.17 20:18, Ludwig Hügelschäfer wrote:
> Hi,
>
> On 12.06.17 14:52, Stefan Claas wrote:
>
>> Hi Ludwig,
>>
>> I just checked again. On my Mac and on my Windows Notebook i get a
>> green bar , from a blue "Untrusted" key when i go into Enigmai
On 12.06.17 21:15, Peter Lebbing wrote:
> On 12/06/17 20:51, Stefan Claas wrote:
>> Maybe as an additional security feature Enigmail should give
>> a key with a set trust level of "Ultimate" a different color than
>> green.
> No, that's beside the point.
On 12.06.17 21:21, Ludwig Hügelschäfer wrote:
> What you can do: Learn, learn by playing, learn by trying to
> understand what others write and by asking questions and become a
> reasonable critical user. That's the hard way, but you learn best.
> Second possibility would be to have a good experien
On 12.06.17 21:15, Peter Lebbing wrote:
>> (Remember there are two types of companies. Those who know they got
>> hacked and those who don't know yet that they got hacked.)
>>
>>
I should put that as a signature in my email and Usenet client! :-)
Regards
Stefan
On 12.06.17 22:10, Robert J. Hansen wrote:
>> and transfer signed/encrypted messages from my online usage
>> computer with a USB stick to my offline computer and verify
>> decrypt the messages there. :-)
> If you think your online computer may be compromised, then you have no
> business sharing USB
On 12.06.17 22:35, Robert J. Hansen wrote:
>> Is there something like a Standard Operating Procedure for GnuPG
>> available, which fulfills security experts demands, and which can
>> easily be adapted by an average GnuPG user, regardless of platform
>> and client he/she uses?
> No. More to the po
On 12.06.2017 at 23:50, Duane Whitty wrote:
Thanks for your input much appreciated!
I would also add one word about USB sticks: It is very difficult to
know if they've been compromised and there are no tell-tale signs when
an attack is taking place. I never put a USB in my computer that has
On 13.06.17 14:16, Peter Lebbing wrote:
> On 13/06/17 09:43, Stefan Claas wrote:
>> Another thing i will do in the future, which i haven't read in popular
>> tutorials,
>> is that once checking the hash/sig of the provided package i will also hash
>> the binaries af
Hi all,
when i sign a message and do a gpg --verify it shows "using RSA
key 2BAF85F9281ABD543823C7C5981EB7C382EC52B4", in Terminal under
macOS, with my own key, but when doing the verify again with a
message from someone else it shows the long key-ID, instead of
the full key. Is this a bug?
Rega
On 15.06.17 at 17:49, Peter Lebbing wrote:
> On 15/06/17 17:24, Stefan Claas wrote:
>> when i sign a message and do a gpg --verify it shows "using RSA
>> key 2BAF85F9281ABD543823C7C5981EB7C382EC52B4", in Terminal under
>> macOS, with my own key, but when doing the
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 15.06.17 at 18:59, Stefan Claas wrote:
> I will now also sign my message and hope i don't mess this post up, > so that
> you can verify my sig and tell me if it shows you also the >
long-key ID or full key on your system. &
On 15.06.17 at 19:36, Stefan Claas wrote:
>
> On 15.06.17 at 18:59, Stefan Claas wrote:
>
> > I will now also sign my message and hope i don't mess this post up,
> > so that you can verify my sig and tell me if it shows you also the >
> long-key ID or full key on
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Thu, 15 Jun 2017 23:29:41 +0300
Teemu Likonen wrote:
> Stefan Claas [2017-06-15 18:59:41+02] wrote:
>
> > I clearsign a text file and verify it and modern GnuPG shows me this:
> >
> > gpg --verify my_message.txt
>
On Thu, 15 Jun 2017 22:47:00 +0200
Stefan Claas wrote:
> Well, then let's wait and see what other people say, who know the code.
> Maybe members can confirm the same behaviour under Windows and Linux.
O.k., i checked the Windows version of modern GnuPG and there it is correct.
The
On Fri, 16 Jun 2017 20:39:31 +0200
Stefan Claas wrote:
> On Thu, 15 Jun 2017 22:47:00 +0200
> Stefan Claas wrote:
>
> > Well, then let's wait and see what other people say, who know the code.
> > Maybe members can confirm the same behaviour under Windows and Linux
On Mon, 19 Jun 2017 10:23:58 +0800,
Long Si wrote:
> Hi
>
> I am on Linux, and would like to generate a key with "unique 40"
> fingerprint.
>
> eg 1: Starts with ABCD ...
>
> eg 2: Starts with AXXX ... XXXA ends with A
>
> eg 3: ... without any '0' character at all
>
On Wed, 21 Jun 2017 19:02:26 +0200, Peter Lebbing wrote:
> On 08/06/17 22:33, Stefan Claas wrote:
> > I did a test today with Enigmail and with TOFU in command line mode.
> > I posted 3 messages with a fantasy name to a Usenet test group where
> > the 3rd message was signe
On Wed, 21 Jun 2017 21:04:09 +0200, Peter Lebbing wrote:
> On 21/06/17 20:49, Peter Lebbing wrote:
> > which would still
> > be marginally safe until computers are much faster, and certainly
> > not a short ID which is utterly unsafe and has always been.
>
> Which *might* still be marginally saf
On Sun, 25 Jun 2017 20:09:13 +0200, Neal H. Walfield wrote:
> At Fri, 23 Jun 2017 02:07:19 +0100,
> MFPA wrote:
> > On Wednesday 21 June 2017 at 7:49:42 PM, in
> > , Peter
> > Lebbing wrote:-
> >
> > > I think it's a bad UX choice to
> > > name an invalid
> > > signature "UNTRUSTED Good" and a v
On Fri, 30 Jun 2017 18:38:45 +0200, Peter Lebbing wrote:
> Somebody could put their own public key in your keyring, assign that
> Ultimate trust, and then certify another public key they wish to pop
> up as valid. Ultimately trusted keys make other keys valid by their
> certification. There is no
On Fri, 30 Jun 2017 20:35:48 +0200, Peter Lebbing wrote:
> On 30/06/17 20:01, Stefan Claas wrote:
> > Correct. But what i mean was an attacker would replace one of my pub
> > keys (which i signed) with one he/she only replaced with one that
> > has only the Trust Level set to U
On Fri, 30 Jun 2017 21:02:38 +0200, Peter Lebbing wrote:
> PS: As a final note, what prevents your attacker from grabbing your
> passphrase when you enter it? They control your computer! If you
> could use your passphrase to verify it was really you, they would
> immediately also have that passphr
Hi all,
when clear signing a text file, with the latest version of GnuPG under
macOS, i get the following message:
gpg --clearsign loremipsum.txt
gpg: selecting openpgp failed: Operation not supported by device
The file is signed and can be verified. Just wondering (after googling)
what this mea
established
gpg: selecting openpgp failed: Operation not supported by device
gpg: using "2BAF85F9281ABD543823C7C5981EB7C382EC52B4" as default secret key for
signing
gpg: writing to 'loremipsum.txt.asc'
gpg: pinentry launched (787 unknown 0.9.4 ? ? ?)
gpg: RSA/SHA256 signature from:
On Wed, 26 Jul 2017 23:41:23 +0200, Kristian Fiskerstrand wrote:
> On 07/24/2017 04:27 PM, Stefan Claas wrote:
> > The file is signed and can be verified. Just wondering (after
> > googling) what this means, because i have no card reader etc. for
> > GnuPG.
>
> ht
On Thu, 27 Jul 2017 17:35:55 +0200, Kristian Fiskerstrand wrote:
> A bit more verbosely, if no scdaemon exists you will get an error
> value that was not suppressed for a few versions, you can safely
> ignore the warning and it is fixed in later versions again, or you can
> install/build gnupg wit
Hi all,
just wondering if there is an easy way to generate a Bitcoin secret key
from a GnuPG secp256k1 secret key. If so, how would you do that?
Regards
Stefan
--
https://www.behance.net/futagoza
https://keybase.io/stefan_claas
On Wed, 2 Aug 2017 16:06:13 +0200, Stefan Claas wrote:
> Hi all,
>
> just wondering if there is an easy way to generate a Bitcoin secret
> key from a GnuPG secp256k1 secret key. If so, how would you do that?
To be more precise, i would like to see the secret Bitcoin key in WIF or
On Thu, 03 Aug 2017 07:00:04 +0900, NIIBE Yutaka wrote:
> Stefan Claas wrote:
> > just wondering if there is an easy way to generate a Bitcoin secret
> > key from a GnuPG secp256k1 secret key. If so, how would you do
> > that?
>
> I don't know about secret key
Begin forwarded message:
Date: Thu, 3 Aug 2017 09:57:47 +0200
From: Stefan Claas
To: NIIBE Yutaka
Subject: Re: Bitcoin private key from GnuPG secp256k1 secret key?
On Thu, 03 Aug 2017 16:24:05 +0900, NIIBE Yutaka wrote:
> Stefan Claas wrote:
> > I could imagine th
Hi all,
i don't know how many of you folks use social media sites like Twitter
and Facebook etc. and wondered what's a way to post a GnuPG clear
signed message on those sites, due to line width limits or characters
per message limits.
Well, i thought about that too and i like to share an idea with
On Fri, 4 Aug 2017 23:13:26 +0100, da...@gbenet.com wrote:
> (8) zbarimg can display a png like any other but seems not capable of
> converting it back to its original form. Am working on a solution
Hi,
sorry to hear that it is not working for you!
I tried this already several times and it alwa
On Sat, 5 Aug 2017 02:55:39 +0200, Stefan Claas wrote:
> On Fri, 4 Aug 2017 23:13:26 +0100, da...@gbenet.com wrote:
>
> > (8) zbarimg can display a png like any other but seems not capable
> > of converting it back to its original form. Am working on a
> > solution
>
On Sat, 5 Aug 2017 11:30:08 +0100, da...@gbenet.com wrote:
> Hello Stefan,
>
> Firstly the "<" did the trick - I used QtQr - to decode back and then
> to decrypt Kleopatra - and it worked fine QtQR creates pngs but did
> not use this feature.
Hi David,
glad that it works now for you.
> I've tr
On Sat, 5 Aug 2017 13:14:13 +0100, MFPA wrote:
> For Facebook, pasting in the signed and/or encrypted message and
> clicking "post" is the simplest way.
Well, to me the formatting then looks a bit ugly. :-)
I also tried it again with a document created with Text Wrangler under
OS X, clear signed
On Sat, 5 Aug 2017 18:55:51 +0100, da...@gbenet.com wrote:
> My experience has been from the early 80s I thought encrypted
> communications would grow to a world wide phenomena - but I was a bit
> optimistic. Top security professional in my opinion don't tell people
> to encrypt which is their best
On Sun, 6 Aug 2017 00:29:37 -0500, Werewolf wrote:
> A simpler method on a linux system
> gpg --clearsign|qrencode -o message.png
> For Decoding message and verifying signature
> zbarimg message.jpg| sed "s/QR-Code:-/-/g"|gpg
>
> or just to verify signature
> zbarimg message.png| sed "s/QR-C
On Sun, 6 Aug 2017 11:16:19 +0100, MFPA wrote:
> I tested using text written in Notepad under Windows 10, then
> clearsigned using GnuPG, pasted into Facebook, and hit "post". When
> the post appeared on my timeline, I copied the text back from the post
> and verified the signature without any err
On Thu, 03 Aug 2017 16:24:05 +0900, NIIBE Yutaka wrote:
> Stefan Claas wrote:
> > I could imagine that no one will do this, because if you have no
> > private key for "your" public address (according to your reply),
> > you have no control of that address, like spen
On Sat, 26 Aug 2017 07:39:10 +0200, Stefan Claas wrote:
> If GnuPG would allow a user in the future to use an additional flag,
> when signing with a secp256k1 sub key, which would produce
> signatures that would work like Bitcoin key signatures, users would
> not need to collect a t
On Tue, 29 Aug 2017 13:21:58 -0500, Mario Castelán Castro wrote:
> Is there any existing, convenient way to do deniable authentication
> for e-mail?
If your communication partners would use the same software, like opmsg.
https://github.com/stealth/opmsg
Or if you would use Bitmessage instead of
On 30.08.2017 at 11:43, Peter Lebbing wrote:
With a little scripting, you could create a new ECC keypair (fast!)
for each
message, sign the keypair with your normal key, sign the message with the ECC
keypair. And when you want to backpedal on a signed message, publish the private
ECC key and s
Here you can see that i did it:
https://blockchain.info/address/12rY4qgjXbL3h8gCSaJUJMJ9g9TaPtypC4
People who want to check if it was really me, who did the transaction,
can do the following:
Step 1 : Download my public key from key servers.
Step 2 : Do a gpg -k --with-colons --with-key-data &
Hi all,
http://pgp.zdv.uni-mainz.de:11371/pks/lookup?op=vindex&search=Erika+Mustermann
Question for the experts, how can a casual or new GnuPG user, like Alice
and Bob, detect a Signature forgery on a pub key, when using Web based
key servers?
Note for native English speakers, Erika Mustermann
On Thu, 21 Sep 2017 10:55:26 -0400, Robert J. Hansen wrote:
> > Question for the experts, how can a casual or new GnuPG user, like
> > Alice and Bob, detect a Signature forgery on a pub key, when using
> > Web based key servers?
>
> By remembering that anyone can create a key claiming to be anyo
On Thu, 21 Sep 2017 21:11:17 +0200, Ralph Seichter wrote:
> On 21.09.17 20:49, Stefan Claas wrote:
>
> > How could customers, not pros like all you guys here on the list,
> > could verify that we both are the persons the keys/signatures are
> > claiming?
>
> Le
On Thu, 21 Sep 2017 21:59:26 +0200, Ralph Seichter wrote:
> On 21.09.17 21:38, Stefan Claas wrote:
>
> > The thing is someone could issue a fake sig3 from Heise's CA key to
> > someone else's pub key, without that that customers would detect it,
> > nor Heise w
On Thu, 21 Sep 2017 16:16:12 -0400, Robert J. Hansen wrote:
> > If someone would issue a fake sig3 from Governikus to someone
> > else how could you, for example, verify that the sig3 is from
> > Governikus?
>
> By validating Governikus's certificate.
Do i understand you right, i validate Werne
On Thu, 21 Sep 2017 22:38:06 +0200, Ralph Seichter wrote:
> On 21.09.17 22:11, Stefan Claas wrote:
>
> > > You can only ever be certain of a signature if you have personally
> > > verified the signing key and the signer's identity.
> >
> > Well, call me
On Thu, 21 Sep 2017 17:06:18 -0400, Robert J. Hansen wrote:
> > Do i understand you right, i validate Werner's pub key and when
> > i get a signed email from Erika Mustermann the sig should be then
> > o.k. from her, because i signed Werner's key?
>
> No. When you see something claiming to be W
On Thu, 21 Sep 2017 23:11:23 +0200, Ralph Seichter wrote:
> On 21.09.17 22:37, Stefan Claas wrote:
>
> > If i would be a programmer of software like GnuPG, my software would
> > not allow to receive unwanted signatures on my pub key, nor would it
> > allow that someon
On Thu, 21 Sep 2017 17:05:35 -0400, Daniel Kahn Gillmor wrote:
> If by "key-id" you mean the 32-bit long thing like "D21739E9", then
> there's no way to cryptographically secure that -- it's just too
> low-entropy. I've written elsewhere about why key ids are bad:
>
> https://debian-administ
On 22.09.2017 at 02:37, Ángel wrote:
On 2017-09-21 at 23:37 +0200, Stefan Claas wrote:
Long ago when we had a discussion here on the Mailing List on
how to prevent unwanted signatures i made a proposal that
signing someone's public key should work similar to revocation
certificates. I
On Thu, 21 Sep 2017 16:44:57 +0200, Stefan Claas wrote:
> Hi all,
>
> http://pgp.zdv.uni-mainz.de:11371/pks/lookup?op=vindex&search=Erika+Mustermann
>
> Question for the experts, how can a casual or new GnuPG user, like
> Alice and Bob, detect a Signature forgery on a pub
On Fri, 22 Sep 2017 20:29:07 +0200, Werner Koch wrote:
> On Fri, 22 Sep 2017 19:23, stefan.cl...@posteo.de said:
>
> > O.k. i just tested a bit and this is a bug in the Web Interface
> > and in GnuPG's CLI Interface.
>
> I don't see a bug here.
Now i am a bit confused... Then maybe a "funny"
On Fri, 22 Sep 2017 21:40:41 +0200, Kristian Fiskerstrand wrote:
> On 09/22/2017 09:34 PM, Stefan Claas wrote:
> >>> O.k. i just tested a bit and this is a bug in the Web Interface
> >>> and in GnuPG's CLI Interface.
> >> I don't see a bug here.
On Fri, 22 Sep 2017 21:44:06 +0200, Kristian Fiskerstrand wrote:
> On 09/22/2017 09:40 PM, Kristian Fiskerstrand wrote:
> > So all is as it is supposed to be
>
> Just to add, the alternative if not considering WoT is a direct
> validation structure, a user in this case should only (locally) sign
On Fri, 22 Sep 2017 22:17:17 +0200, Kristian Fiskerstrand wrote:
> On 09/22/2017 10:08 PM, Stefan Claas wrote:
> > Thanks for the information! Can you tell me please how to import
> > a pub key with a local client, so that invalid data gets removed
> > automatically?
1 - 100 of 789 matches