Re: GnuPG and SSH_AUTH_SOCK value

2019-06-21 Thread Werner Koch via Gnupg-users
On Fri, 21 Jun 2019 11:20, g...@unixarea.de said: > What I do not understand is, why this value without the KDE5 environment > is > > $ gpgconf --list-dirs agent-ssh-socket > /home/guru/.gnupg-ccid/S.gpg-agent.ssh That is because you have a GNUPGHOME=/home/guru/.gnupg-ccid and /var/run/users/100

Re: New keyserver at keys.openpgp.org - what's your take?

2019-06-21 Thread Werner Koch via Gnupg-users
On Fri, 21 Jun 2019 12:03, gnupg-users@gnupg.org said: > here is an article (only in German) from Heise: By the very same guy who showed in the past that he has no clue about keyservers and their goals and ignored all comments gathered about this before writing an article [1]. That new thing now

Re: GPG/YubiKey/CentOS7

2019-06-22 Thread Werner Koch via Gnupg-users
On Fri, 21 Jun 2019 18:42, gnupg-users@gnupg.org said: > Even though I have had GPG and YubiKey running a few times on CentOS7 Which GnuPG version does it come with: "gpg --version". Does it install gpg under the name gpg2 and provide the legacy GnuPG 1.4 under the name gpg? > [p42547@cswks20

Re: GnuPG and SSH_AUTH_SOCK value

2019-06-22 Thread Werner Koch via Gnupg-users
On Fri, 21 Jun 2019 16:39, g...@unixarea.de said: > Thanks for the explanation. But why GNUPGHOME is not also used for the > place where the sockets should be created when X11/KDE is up? That seems to be deep in the innards of KDE's X startup or Wayland or Systemd configuration. I try to avoid a

Re: New keyserver at keys.openpgp.org - what's your take?

2019-06-25 Thread Werner Koch via Gnupg-users
On Tue, 25 Jun 2019 17:54, gnupg-users@gnupg.org said: >> There's simply one point: "If you do not want your email to be public, don't >> upload your key to a server." > > What if I upload your key to a server though? Keep in mind this is not just > a "nice to have", it is a legal requirement. For

Re: New keyserver at keys.openpgp.org - what's your take?

2019-07-01 Thread Werner Koch via Gnupg-users
On Mon, 1 Jul 2019 14:55, andr...@andrewg.com said: > Yes, which is why we've informally had "let the owner choose whether to > publish her incoming certifications" as best practice for a long time. Actually gpg has always set the /Key Server Preferences/ to First octet: 0x80 = No-modify

Re: distributing pubkeys: autocrypt, hagrid, WKD (Re: Your Thoughts)

2019-07-01 Thread Werner Koch via Gnupg-users
On Mon, 1 Jul 2019 15:13, gnupg-users@gnupg.org said: > distribution keys in Gentoo. However, the main problem with WKD right > now is that AFAIK GnuPG doesn't support refreshing existing keys via WKD Actually gpg updates expired keys via WKD. However, to not break things and not to go out and

Re: distributing pubkeys: autocrypt, hagrid, WKD

2019-07-01 Thread Werner Koch via Gnupg-users
On Mon, 1 Jul 2019 10:27, konstan...@linuxfoundation.org said: > - subkey changes An expired key triggers a reload of the key via WKD or DANE. Modulo the problems I mentioned in the former mail. For new subkeys we have a problem unless we do a regular refresh similar to what should be done for

Re: Your Thoughts

2019-07-02 Thread Werner Koch via Gnupg-users
On Mon, 1 Jul 2019 22:58, h...@alyssa.is said: > For example, why isn't ask-cert-level a default? I'm guessing it's just > because at some point it didn't exist, and the developers didn't want to Because we have good defaults and options to change them in the config. We do not want to expose all

Re: Your Thoughts

2019-07-02 Thread Werner Koch via Gnupg-users
On Mon, 1 Jul 2019 23:47, r...@sixdemonbag.org said: > for development. My donation capped at $500. For several of those > years, I was one of the largest individual contributors to GnuPG. Right, your donation encouraged me to keep on working on this set of tools which is used at many more plac

Re: keyserver-options: self-sigs-only, import-clean, import-minimal

2019-07-02 Thread Werner Koch via Gnupg-users
On Tue, 2 Jul 2019 10:23, gnupg-users@gnupg.org said: > Why not make "import-clean" and "import-minimal" strip key signatures > before importing a key? That would make "import-minimal" behave like Because that contradicts what import-clean is supposed to do: After import, compact (remove all

Re: SKS Keyserver Network Under Attack

2019-07-02 Thread Werner Koch via Gnupg-users
On Tue, 2 Jul 2019 10:01, gnupg-users@gnupg.org said: > No such issues on keys.openpgp.org, gpg --send-key and the new updated > key is immediately available with no time outs or delays. Unless you are on Windows where the server can't be accessed because it uses a pretty limited set of TLS ciph

Re: SKS Keyserver Network Under Attack

2019-07-02 Thread Werner Koch via Gnupg-users
On Tue, 2 Jul 2019 13:47, look@my.amazin.horse said: > Huh, that's interesting. I was not aware of this issue, and wish you had > reached > out to me, or to supp...@keys.openpgp.org, or filed an issue on Hagrid. I assumed that newly launched server software with the goal to take over all existi

Re: Some thoughts on the future of OpenPGP and GnuPG

2019-07-02 Thread Werner Koch via Gnupg-users
On Tue, 2 Jul 2019 16:03, gnupg-users@gnupg.org said: > With "big boys" I meant the German Government, German BSI and Facebook. I, or well my company g10 Code GmbH, currently has no contracts with the German government or the BSI. We had projects with the BSI but no funding whatsoever. These

Re: Some thoughts on the future of OpenPGP and GnuPG

2019-07-02 Thread Werner Koch via Gnupg-users
On Tue, 2 Jul 2019 20:41, an...@pgp.16bits.net said: > attachments that you need to extract, then open with a special program > to decrypt. > (In fact, many people _currently_ use OpenPGP in that stony age way) From my experience many people use ZIP or PDF encryption here and not OpenPGP. But a

Re: keyserver-options: self-sigs-only, import-clean, import-minimal

2019-07-03 Thread Werner Koch via Gnupg-users
On Tue, 2 Jul 2019 11:00, d...@fifthhorseman.net said: > It sounds like you are saying that the order of operations -- > import-then-clean vs. clean-then-import is part of the API spec that > GnuPG is committed to. No. What I say is that if we want to clean the keys from bogus signatures we nee

Re: keyserver-options: self-sigs-only, import-clean, import-minimal

2019-07-03 Thread Werner Koch via Gnupg-users
On Wed, 3 Jul 2019 12:35, gnupg-users@gnupg.org said: > problem but I have read RJH's article). It sounds like SKS servers can > handle these poisoned keys but GPG can't. That suggests that maybe GPG's I think here is a misunderstanding. Sure, processing 150k signatures takes quite some time an

Re: distributing pubkeys: autocrypt, hagrid, WKD

2019-07-03 Thread Werner Koch via Gnupg-users
On Tue, 2 Jul 2019 15:40, konstan...@linuxfoundation.org said: > When this happens, a maintainer who tries to verify a signed pull > request will have the operation fail, so they need to have a way to > force-refresh the developer's key. I would say this is the #1 workflow Agreed. A signature c

Re: SKS and GnuPG related issues and possible workarounds

2019-07-03 Thread Werner Koch via Gnupg-users
On Wed, 3 Jul 2019 05:06, r...@sixdemonbag.org said: > As I understand it the current list of targeted keys is myself, dkg, > Werner, Patrick, and Kristian. It is clear the attacker's goal is to I am not yet affected except for these few thousand old xmas fun signatures. > Werner will no doubt

Re: keyserver-options: self-sigs-only, import-clean, import-minimal

2019-07-03 Thread Werner Koch via Gnupg-users
On Wed, 3 Jul 2019 10:38, tliko...@iki.fi said: >> import-clean does this: >> >> After import, compact (remove all signatures except the >> self-signature) > > ...here you and the manual say that "first import [to local keyring] > then clean". > > So there are conflicting messages. Which of

Re: keyserver-options: self-sigs-only, import-clean, import-minimal

2019-07-03 Thread Werner Koch via Gnupg-users
On Wed, 3 Jul 2019 12:29, pe...@digitalbrains.com said: > Ah, based on a new message I just read the penny dropped. self-sigs-only > can be made a default because it only applies to keyservers. > import-minimal cannot be made a default because it affects all other Not quite. When importing from

Re: Local solutions: SKS Keyserver Network Under Attack

2019-07-03 Thread Werner Koch via Gnupg-users
On Wed, 3 Jul 2019 12:58, pe...@digitalbrains.com said: > reached its intended goal: dirmngr said "re-reading config". It just > didn't have an effect for some odd reason. For people thinking about Check that you do not have a keyserver entry in your gpg.conf or Enigmail is calling gpg with that

Re: keyserver-options: self-sigs-only, import-clean, import-minimal

2019-07-03 Thread Werner Koch via Gnupg-users
On Wed, 3 Jul 2019 13:50, pe...@digitalbrains.com said: > Is there a good use-case for the former? If the latter also filtered out Yes, as I wrote: 0.2s compared to 50s. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

Re: keyserver-options: self-sigs-only, import-clean, import-minimal

2019-07-03 Thread Werner Koch via Gnupg-users
On Wed, 3 Jul 2019 15:42, pe...@digitalbrains.com said: > --keyserver-options self-sigs-only,import-minimal > > as I propose, why would it take longer than 0.2 s? Indeed, we could change the code for import-minimal so that it first does the same what self-sigs-only does. Then it should be very

Re: keyserver-options: self-sigs-only, import-clean, import-minimal

2019-07-03 Thread Werner Koch via Gnupg-users
On Wed, 3 Jul 2019 17:08, stef...@sdaoden.eu said: > I (still user of GPG1, it is only your newer key which this cannot Just don't use it unless you need to decrypt very old mails. In particular not with keyservers or cards. The next maintenance release will anyway remove all keyserver and car

Release candidate for 2.2.17

2019-07-05 Thread Werner Koch via Gnupg-users
Hi! Due to the SKS keyserver problems we are planning a new release for the next week. That release will have some changes related to keyserver. See below for details. In general we do not provide release candidates because experience showed that they are more or less ignored. However, this tim

Re: Testing WKD setup?

2019-07-09 Thread Werner Koch via Gnupg-users
On Mon, 8 Jul 2019 16:17, gnupg-users@gnupg.org said: > false negatives. It only supports the 'direct' method, where the key > has to be hosted on `example.org` instead of `openpgpkey.example.org`. BTW, the openpgpkey subdomain method was accidentally not available in 2.2. This will be fixed wit

Re: Third-Party Confirmation signature?

2019-07-09 Thread Werner Koch via Gnupg-users
On Mon, 8 Jul 2019 18:45, gnupg-users@gnupg.org said: > Is there a way to create a "Third-Party Confirmation signature"[1] > using the gnupg command line interface? No. You need to add code for this which also requires that you have a way to specify another signature packet. Are you considerin

[Announce] GnuPG 2.2.17 released to mitigate attacks on keyservers

2019-07-09 Thread Werner Koch via Gnupg-users
Hello! We are pleased to announce the availability of a new GnuPG release: version 2.2.17. This is a maintenance release to mitigate the effects of the denial-of-service attacks on the keyserver network. See below for a list of changes. About GnuPG === The GNU Privacy Guard (GnuPG, GPG) is

Re: Third-Party Confirmation signature?

2019-07-09 Thread Werner Koch via Gnupg-users
On Tue, 9 Jul 2019 10:10, gnupg-users@gnupg.org said: > However, if gpg doesn't support a way of adding that subpacket, then > creating easy-to-copy-and-paste commands for users to use to approve > signatures becomes difficult. The problem I see is that the keyservers need to check the validity

Re: WKD documentation (Re: Testing WKD setup?)

2019-07-09 Thread Werner Koch via Gnupg-users
On Tue, 9 Jul 2019 15:50, gnupg-users@gnupg.org said: > setting it up and the feedback has been overwhelmingly positive. The > only thing I needed was basically the local-part hash and actually > that's what I built the checker for, to generate the URL in an easy I think things are even easier n

Re: How to delete flooded key

2019-07-10 Thread Werner Koch via Gnupg-users
On Wed, 10 Jul 2019 10:23, patr...@enigmail.net said: > Is it sufficient to run "gpg --delete-keys 0x...", and wait for quite a > while, or does it require other measures? --edit-key and then use "clean" to remove them. And well, install 2.2.17 to avoid future trouble. Shalom-Salam, Werner

Re: WKD: mutt integration status

2019-07-10 Thread Werner Koch via Gnupg-users
On Wed, 10 Jul 2019 10:53, gnupg-users@gnupg.org said: > If you convince Mutt community that WKD is a good idea I can prepare > the patch for you. As far as I remember it's very minimal and I'd be Actually I started to work on Mutt (not NeoMutt, though) but had to give up due to time constraints.

Re: WKD: mutt integration status

2019-07-10 Thread Werner Koch via Gnupg-users
On Wed, 10 Jul 2019 11:59, andr...@andrewg.com said: > In this instance, I wonder if the apostrophe hasn't screwed something up > - are apostrophes valid in the MIME boundary charset? I use that for ages and believe this is all valid. But new Emacs versions sometimes change the spooky list and t

Re: WKD documentation (Re: Testing WKD setup?)

2019-07-10 Thread Werner Koch via Gnupg-users
On Tue, 9 Jul 2019 23:33, johan...@zarl-zierl.at said: > Now that I have done it once, I think the setup without /usr/lib/gnupg/gpg- > wks-client isn't that complicated either: Please use gpg-wks-tool instead; it is much easier and less error prone. > b. Manually, using gpg: gpg --homedir "$(mk

Re: WKD documentation (Re: Testing WKD setup?)

2019-07-12 Thread Werner Koch via Gnupg-users
On Wed, 10 Jul 2019 21:47, johan...@zarl-zierl.at said: > ...except it isn't installed by default. Will this be part of gpg-wks-client? Ooops. I meant gpg-wks-client. There is no gpg-wks-tool. > won't be installed to libexec), it would still be beneficial to describe the > actual file system
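The three WKD messages above (the missing openpgpkey subdomain method in 2.2, the local-part hash the checker was built for, and the question of the on-disk layout) all come down to one computation. The following is an added example, not code from GnuPG or gpg-wks-client, that derives both the advanced (openpgpkey subdomain) and the direct URL for an address following the hashing rule in draft-koch-openpgp-webkey-service: the local part has its ASCII letters mapped to lower case, is hashed with SHA-1, and the digest is z-base-32 encoded into a 32-character name under hu/. The address Joe.Doe@Example.ORG is a constructed input; the ASCII-only case mapping is this example's reading of the draft.

```python
"""WKD lookup URLs for an e-mail address (added example; not GnuPG code).

The hashing rule follows draft-koch-openpgp-webkey-service: take the local
part of the address, map ASCII letters to lower case, hash with SHA-1, and
encode the 160-bit digest with z-base-32 (RFC 6189, section 5.1.6). That
always yields a 32-character name under .../hu/. Runs offline; the address
used at the bottom is a constructed example.
"""
import hashlib
from urllib.parse import quote

# z-base-32 alphabet in value order (RFC 6189, section 5.1.6).
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"
# Assumption of this example: only A-Z are case-mapped before hashing.
_ASCII_LOWER = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ", "abcdefghijklmnopqrstuvwxyz")


def zbase32_encode(data: bytes) -> str:
    """Encode whole bytes as z-base-32, most significant bit first.

    The bit string is cut into 5-bit groups; a final short group is padded
    with zero bits. 20 bytes (160 bits) map to exactly 32 characters.
    """
    nbits = 8 * len(data)
    nchars = (nbits + 4) // 5
    value = int.from_bytes(data, "big") << (5 * nchars - nbits)
    return "".join(
        ZB32_ALPHABET[(value >> (5 * (nchars - 1 - i))) & 0x1F] for i in range(nchars)
    )


def wkd_hash(local_part: str) -> str:
    """32-character hashed local part used as the file name under hu/."""
    mapped = local_part.translate(_ASCII_LOWER)
    return zbase32_encode(hashlib.sha1(mapped.encode("utf-8")).digest())


def wkd_urls(address: str) -> dict:
    """Return advanced and direct method URLs for the key and the policy file."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mailbox address: {address!r}")
    domain = domain.lower()
    h = wkd_hash(local)
    # The l= query parameter carries the unmodified local part, percent-encoded.
    l = quote(local, safe="")
    base_adv = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    base_dir = f"https://{domain}/.well-known/openpgpkey"
    return {
        "advanced": f"{base_adv}/hu/{h}?l={l}",
        "advanced_policy": f"{base_adv}/policy",
        "direct": f"{base_dir}/hu/{h}?l={l}",
        "direct_policy": f"{base_dir}/policy",
    }


if __name__ == "__main__":
    # Constructed address; prints the four URLs a WKD client would try.
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name:16} {url}")
```

The file name is the same whether the user types Joe.Doe or joe.doe, which is why a web server hosting a WKD tree does not need any rewrite rules; it only needs the hu/ directory, the hashed file names, and the (possibly empty) policy file next to them. A client first tries the advanced URL on the openpgpkey subdomain and falls back to the direct one, so a domain that only serves the direct layout is still reachable once the client supports both methods.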

Re: WKD: Publishing a key for multiple user IDs

2019-07-16 Thread Werner Koch via Gnupg-users
On Mon, 15 Jul 2019 18:03, gnupg-users@gnupg.org said: > So if I have two email addresses/user IDs m...@my.org and m...@my.org > associated with the same key, I cannot just export the key and publish > it, right? I have to somehow publish two different ‘stripped’ public Sigh. GnuPG handles this

Re: WKD auto-key-retrieve method

2019-07-17 Thread Werner Koch via Gnupg-users
On Tue, 16 Jul 2019 17:18, gnupgpac...@on.yourweb.de said: > how to put "--sender email at address" to gpg.conf file if using several > different email addresses from sender? You can't; it is the task of the MUA (cf. gpgme_set_sender). > Is it possible to put "--sender" option to public key itsel

Re: I deleted 80 % of my keyring, but my keybox file isn't shrinking

2019-07-18 Thread Werner Koch via Gnupg-users
On Wed, 17 Jul 2019 23:41, i...@zeromail.org said: > But the keybox file didn't get any smaller: Good catch. In gpg we have not implemented the compression run: /* FIXME: Do a compress run if needed and no other user is currently using the keybox. */ However, in gpgsm this is done

Re: --lsign --add-me or the invisible WoT

2019-07-31 Thread Werner Koch via Gnupg-users
On Sat, 20 Jul 2019 11:57, gnupg-users@gnupg.org said: > additional parameter like --add-me for --lsign would make sense, for --quick-sign-key fpr [names] --quick-lsign-key fpr [names] Directly sign a key from the passphrase without any further u

Re: allow-non-selfsigned-uid issue with key from keys.openpgp.org that contains no identity information

2019-08-01 Thread Werner Koch via Gnupg-users
On Mon, 29 Jul 2019 09:43, gnupg-users@gnupg.org said: > it that way", i think. Perhaps Werner can provide more background on > why GnuPG is generally resistant to holding OpenPGP certificates that > have no User ID at all in its local keyring. The user ID is important because the accompanying se

Re: Commands supported by extra socket

2019-08-01 Thread Werner Koch via Gnupg-users
On Fri, 26 Jul 2019 15:57, gnupg-users@gnupg.org said: > Where can I find information on what commands are supported by > S.gpg-agent and S.gpg-agent.extra socket? I am looking for some > information which clearly differentiates these two sockets. Here is an overview on the allowed commands for t

Re: allow-non-selfsigned-uid issue with key from keys.openpgp.org that contains no identity information

2019-08-01 Thread Werner Koch via Gnupg-users
On Thu, 1 Aug 2019 09:27, gnupg-users@gnupg.org said: > We're already in uncharted waters with the inevitable abuse of SKS, we > need to figure out how to stabilize the ecosystem. Most businesses do not use public keyservers at all but use their internal PKI. > If the PGP implementation of Open

Re: skipped packet 12

2019-08-02 Thread Werner Koch via Gnupg-users
On Thu, 1 Aug 2019 20:46, da...@gbenet.com said: > Do you have any ideas why am getting multiple lines of: > gpg: skipped packet of type 12 in keybox Your gpg version is older than 2.1.20 but you used a newer version on that keybox too. Shalom-Salam, Werner -- Die Gedanken sind frei. Au

Re: About support of RFC 2437, 4056 and 6979

2019-08-04 Thread Werner Koch via Gnupg-users
On Sat, 20 Jul 2019 10:07, persm...@hardenedlinux.org said: > Does GnuPG support OAEP for RSA (PKCS#1 v2 and RFC 2437), RSA-PSS (RFC gpg does not support this because OpenPGP requires pkcs-1.5. There are no plans to change this because there is no real world issue with pkcs-1.5 when using in th

Re: BSI withdraws approval of GnuPG for confidential documents

2019-08-08 Thread Werner Koch via Gnupg-users
On Thu, 8 Aug 2019 17:22, gnupg-users@gnupg.org said: > maybe interesting for some community members, living in Germany. We learned about that last week and are trying to figure out what is going on. It is likely an internal coordination or content admin problem at the BSI. We do not know abou

Re: PGP Key Poisoner

2019-08-13 Thread Werner Koch via Gnupg-users
On Tue, 13 Aug 2019 09:54, gnupg-users@gnupg.org said: > The bug, however, is in the program that chokes on poisoned keys! Nope. This is a long standing DoS protection by limiting the total length of a keyblock. The diagnostics were a bit misleading, though. The time it took to process all the

Re: Difficulty of fixing reconciliation

2019-08-14 Thread Werner Koch via Gnupg-users
On Wed, 14 Aug 2019 15:45, r...@sixdemonbag.org said: > developed *more than twenty years ago* it was decided to support > arbitrary numbers of third-party signatures. GnuPG faithfully At least OpenPGP has this: 5.2.3.17. Key Server Preferences (N octets of flags) This is a list of o

Re: Difficulty of fixing reconciliation

2019-08-15 Thread Werner Koch via Gnupg-users
On Thu, 15 Aug 2019 00:02, gnupg-users@gnupg.org said: > But at least then we will want to add cryptography to see which > selfsigs are truly legitimate, right? That would be the first and most important step to get the keyservers back for the WoT Shalom-Salam, Werner -- Die Gedanken sind

Re: how to recover secret key passphrase?

2019-08-21 Thread Werner Koch via Gnupg-users
On Wed, 21 Aug 2019 12:03, pe...@digitalbrains.com said: > So what ilf probably needs is something that can read the private keybox > format. That's where my advice falls short: I can't help with that. That is right. You need a new tool for John to do that. The format is described in gnupg/agen

Re: BSI withdraws approval of GnuPG for confidential documents

2019-08-22 Thread Werner Koch via Gnupg-users
On Thu, 22 Aug 2019 00:04, pe...@digitalbrains.com said: > And heck, it might lend urgency to the topic should Werner subsequently > also ask them. We are in contact with them and have regular meetings. It does not help the case if I would disclose details. The problems around the OpenPGP part

Re: Questions on code signing

2019-08-27 Thread Werner Koch via Gnupg-users
On Tue, 27 Aug 2019 00:18, gnupg-users@gnupg.org said: > (1) If a file is signed but the signature is incorrect, 'gpg2 -d' > returns a non-zero status code, so the remote script knows not to Right but as stated somewhere in the docs, you should never ever rely on the status code from the binary.

[Announce] Libgcrypt 1.8.5 released

2019-08-29 Thread Werner Koch via Gnupg-users
Hi! The GnuPG Project is pleased to announce the availability of Libgcrypt version 1.8.5. This release fixes an ECDSA side-channel attack. Libgcrypt is a general purpose library of cryptographic building blocks. It is originally based on code used by GnuPG. It does not provide any implementatio

Re: Info for GnuPG users which have a keybase account

2019-09-10 Thread Werner Koch via Gnupg-users
On Tue, 10 Sep 2019 18:58, gnupg-users@gnupg.org said: > Well, Werner and other prominent ML members are on keybase, so I am not. I once tested it and thus there may still be an account or whatever. And I do not know what Stellar or Lumen are in this context. But no need to explain it. Anyway,

Re: Generating bitwise identical keyrings with GnuPG 1 + 2

2019-09-15 Thread Werner Koch via Gnupg-users
On Fri, 13 Sep 2019 21:28, io...@ionic.de said: > Either way, my best guess is that GPG 2.2+ drops the trust packets > because the trust is not explicitly set (i.e., default value) - as an The trust packets are for internal use of gpg and are never exported. These packets are one of the reasons w

Re: 37.191.231.105 (part of keyserver pool) redirects to ... unknown location?

2019-09-16 Thread Werner Koch via Gnupg-users
On Mon, 16 Sep 2019 10:11, io...@ionic.de said: > which also means that requests to URLs like http://keys.gnupg.net will > sometimes > redirect a user to that location. That is not correct. For quite some time that address has been hardwired to avoid DNS problems (https://dev.gnupg.org/T37

Re: Generating bitwise identical keyrings with GnuPG 1 + 2

2019-09-16 Thread Werner Koch via Gnupg-users
On Mon, 16 Sep 2019 15:41, io...@ionic.de said: > * On 9/15/19 3:56 PM, Werner Koch wrote: >> The trust packets are for internal use of gpg and are never exported. > > But... that's the whole point. gpg 1.4 seems to export them, while gpg > 2.x does not. I just checked the code and I can't see how

Re: Which version of GnuPG to use?

2019-09-16 Thread Werner Koch via Gnupg-users
On Mon, 16 Sep 2019 23:49, gnupg-users@gnupg.org said: > speak, with a specially crafted software, when using an online computer > with a SmartCard? I have read that the secret key can not been copied from > the card, but what about the 'bits and pieces' in memory when decrypting? Side-channel at

Re: Regenerate Openpgp Public Key from Private Key

2019-09-17 Thread Werner Koch via Gnupg-users
On Tue, 17 Sep 2019 06:51, m...@halfdog.net said: > Regenerating private keys is mathematically trivial but tool-wise > a little tricky. It seems that quite some people were troubled What's wrong with "gpg --import backup-of-private-key.gpg"? The private key includes the entire public key. Sal

Re: keys.openpgp.org not sending confirmation email

2019-09-17 Thread Werner Koch via Gnupg-users
On Tue, 17 Sep 2019 09:12, li...@binarus.de said: > I am asking myself why Enigmail doesn't. I am not sure (and can't test > at the moment) how GnuPG would behave if given a problematic name when > generating a key; I hope it would give a warning or would add the gpg generates such a key just fin

Re: Regenerate Openpgp Public Key from Private Key

2019-09-17 Thread Werner Koch via Gnupg-users
On Tue, 17 Sep 2019 11:09, m...@halfdog.net said: > Therefore some exports (or copies of old secring.gpg) just do > not include the public key, otherwise import would be trivial. Nope. It is not possible to create an OpenPGP secret keyblock without the public key parts. > As the key causing me pr

Re: keys.openpgp.org not sending confirmation email

2019-09-17 Thread Werner Koch via Gnupg-users
On Tue, 17 Sep 2019 14:57, li...@binarus.de said: > to use only key IDs consisting solely of the actual mail address > hereafter (with or without the angle brackets - I can live with both That is actually what I suggest for quite some time. The extra stuff is not required and may lead only to co

Re: Automatically delete old keys from servers

2019-09-17 Thread Werner Koch via Gnupg-users
On Tue, 17 Sep 2019 15:12, daniel.boss...@dabo.ch said: > On the key servers are many old keys lying around which aren't valid anymore. Old keys are still useful to verify signatures. This is even true for expired keys. The user then needs to decide what to do with the verification result. Sh

Re: keys.openpgp.org not sending confirmation email

2019-09-17 Thread Werner Koch via Gnupg-users
On Tue, 17 Sep 2019 15:08, gnupg-users@gnupg.org said: > See also dkg's thoughts on the matter on the openpgp-wg mailing list, to align > the specification with reality: OpenPGP has never defined what goes into the User ID except for the encoding which should be UTF-8. Anything else does not bel

Re: keys.openpgp.org not sending confirmation email

2019-09-17 Thread Werner Koch via Gnupg-users
On Tue, 17 Sep 2019 17:35, look@my.amazin.horse said: > convention or otherwise. The spec is factually wrong and misleading for > implementors in this aspect, and should be updated to reflect reality. The specs are not wrong if you would read them: | the name and email address of the key holder

Re: Need Help with C Compiler Error in AIX 5.3 During GnuPG Build

2019-09-23 Thread Werner Koch via Gnupg-users
On Mon, 23 Sep 2019 02:36, gnupg-users@gnupg.org said: > configure:3554: error: C compiler cannot create executables configure does an early test to see whether your C compiler works. This is done to detect crippled compilers delivered on some systems. Seems not the case here, though. > config

Re: ed25519 and sha256

2019-09-26 Thread Werner Koch via Gnupg-users
On Wed, 25 Sep 2019 16:35, r...@sixdemonbag.org said: > Wikipedia is not a very good reference for low-level technical details. > Ed25519 is shorthand for "EdDSA on a specific curve": it is silent on > the subject of hash algorithms, although you can specify one as > "Ed25519-SHA-512" or what-hav

Re: unknown modified files in GNUPGHOME

2019-09-29 Thread Werner Koch via Gnupg-users
On Sun, 29 Sep 2019 10:27, g...@unixarea.de said: > Hello, > > While doing a backup of my $HOME it turned out (what I never saw > before), that some file were changed in GNUPGHOME: > > -rw--- 1 guru wheel157316 21 sept. 10:07 .gnupg-ccid/pubring.kbx > -rw--- 1 guru wheel155467 2

Re: We have GOT TO make things simpler

2019-10-05 Thread Werner Koch via Gnupg-users
On Fri, 4 Oct 2019 21:28, Stefan Claas said: > Well, I was wrong. It seems that the U.S. ESIGN Act is pretty relaxed > and does not need such strong requirements like in the EU. The EU neither. Even the Qualifizierte Elektronische Signatur, introduced in Germany ages ago, is not anymore a requi

Re: We have GOT TO make things simpler

2019-10-05 Thread Werner Koch via Gnupg-users
On Sat, 5 Oct 2019 12:15, Stefan Claas said: > installing MUAs and plug-ins, besides of GnuPG) point them to the FAQ as > learning resource and then show them as modern alternative Mailvelope And don't forget to point them to all the HOWTOS and RFCs required to use and admin a MUA, sendmail,

How to improve our GUIs (was: We have GOT TO make things simpler)

2019-10-05 Thread Werner Koch via Gnupg-users
On Mon, 30 Sep 2019 10:58, Roland Siemons said: > 4/ Here is my proposal: > 4.1/ Stimulate that people use a GUI like GPA or Kleopatra. Not Enigmail, Enigmail folks won't like that suggestion. Users need to install a second tool which behaves differently (because Enigmail implements parts of GnuPG

Re: How to improve our GUIs

2019-10-07 Thread Werner Koch via Gnupg-users
On Sat, 5 Oct 2019 21:21, vedaal said: > and then a separate option of > "Export Secret Keys" The OP explicitly suggested to make the exporting of the secret key not too easy so that users don't accidentally send out their secret keys. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausn

Re: How to improve our GUIs

2019-10-07 Thread Werner Koch via Gnupg-users
On Mon, 7 Oct 2019 10:15, john doe said: > In the above link, only the cli version of the 1.4 release is available. > I got it from (1). Nope. That is always the current 2.2. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

Re: We have GOT TO make things simpler

2019-10-07 Thread Werner Koch via Gnupg-users
On Sat, 5 Oct 2019 12:30, Robert J. Hansen said: > *absolutely no way* integrated into the email message. That had to wait > until the PGP/MIME RFCs -- that was when OpenPGP became an email protocol. MIME types for PGP inline were used on Unix soon after the introduction of MIME in 1992 at abou

Re: can not se and run gpg2 command

2019-10-09 Thread Werner Koch via Gnupg-users
On Wed, 9 Oct 2019 15:42, Fta said: > I have installed GnuPG on my Windows 7, but I can not see and run the > command gpg2 On some systems (mainly older Linux distributions), the current gpg is still installed under the name gpg2. On Windows we are using the name gpg.exe now for many years. Some

Re: Future OpenPGP Support in Thunderbird

2019-10-12 Thread Werner Koch via Gnupg-users
On Fri, 11 Oct 2019 20:18, Philipp Klaus Krause said: > They don't want users to require to install gpg first. And they don't > want to ship gpg with Windows installers, since it isn't MPL. The latter is just plain bullshit. There are even many proprietary products which bundle gpg or other GPL

Re: Future OpenPGP Support in Thunderbird

2019-10-12 Thread Werner Koch via Gnupg-users
On Sat, 12 Oct 2019 02:23, Robert J. Hansen said: > on Enigmail was very real. It was created by an ambiguity in how GnuPG > returns error states: just because GnuPG says "decryption OK" doesn't Nope. They did not read the documentation and did not check error codes. We suggest for a reason
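Both the code-signing question of 27 Aug ("never rely on the status code from the binary") and the reply above (a caller that reads "decryption OK" as "signature OK" has not checked the status lines) come down to consuming gpg's machine-readable output rather than its exit code or its stderr text. What follows is an added example, not Enigmail or GnuPG code: a small parser for the "[GNUPG:] KEYWORD args" lines that gpg writes to --status-fd, and a decision function that accepts a file only when every signature is GOODSIG plus VALIDSIG from an allow-listed primary key at full or ultimate trust. The status transcripts it runs on are constructed, and the fingerprint 0123...4567 is a placeholder, not a real key.

```python
"""Decide from gpg --status-fd output whether data carries a valid signature
by a key we trust. Added example for this thread; not Enigmail or GnuPG code.

gpg's exit code and its human-readable messages are not an interface; the
"[GNUPG:] KEYWORD args" lines on --status-fd are (doc/DETAILS in the GnuPG
sources). The transcripts below are constructed; the fingerprint is a
placeholder, not a real key.
"""
from dataclasses import dataclass

STATUS_PREFIX = "[GNUPG:] "
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"   # placeholder fingerprint
TRUSTED_PRIMARY_FPRS = {FPR}                        # allow-list for a deploy script
ACCEPTED_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}


@dataclass
class SigResult:
    good: bool = False        # GOODSIG seen for this signature
    fingerprint: str = ""     # primary key fingerprint from VALIDSIG
    trust: str = ""           # TRUST_* keyword reported for it
    problem: str = ""         # BADSIG, ERRSIG, EXPKEYSIG, REVKEYSIG, EXPSIG


def parse_status(text: str):
    """Split status output into one SigResult per signature plus other keywords."""
    sigs, others, cur = [], set(), None
    for line in text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue                      # not a status line; ignore it
        fields = line[len(STATUS_PREFIX):].split()
        kw, args = fields[0], fields[1:]
        if kw == "NEWSIG":                # opens the block for one signature
            cur = SigResult()
            sigs.append(cur)
        elif kw in ("GOODSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "BADSIG", "ERRSIG"):
            if cur is None:               # tolerate output without NEWSIG
                cur = SigResult()
                sigs.append(cur)
            if kw == "GOODSIG":
                cur.good = True
            else:
                cur.problem = kw
        elif kw == "VALIDSIG" and cur is not None:
            # VALIDSIG <fpr> <date> <ts> <expire-ts> <ver> <reserved>
            #          <pubkey-algo> <hash-algo> <class> [<primary-key-fpr>]
            cur.fingerprint = (args[9] if len(args) > 9 else args[0]).upper()
        elif kw.startswith("TRUST_") and cur is not None:
            cur.trust = kw
        else:
            others.add(kw)                # DECRYPTION_OKAY, KEY_CONSIDERED, ...
    return sigs, others


def signed_by_trusted_key(text: str, trusted=TRUSTED_PRIMARY_FPRS):
    """Return (ok, reason). Every signature must be GOODSIG + VALIDSIG from an
    allow-listed primary key with accepted trust. DECRYPTION_OKAY by itself
    says nothing about who produced the data."""
    sigs, others = parse_status(text)
    if "FAILURE" in others or "NODATA" in others:
        return False, "gpg reported FAILURE/NODATA"
    if not sigs:
        return False, "no signature present"
    for s in sigs:
        if s.problem:
            return False, s.problem
        if not (s.good and s.fingerprint):
            return False, "GOODSIG without VALIDSIG"
        if s.fingerprint not in trusted:
            return False, f"unexpected signer {s.fingerprint}"
        if s.trust not in ACCEPTED_TRUST:
            return False, f"insufficient trust {s.trust or '(none)'}"
    return True, "ok"


# Constructed transcripts of the kind "gpg --status-fd 1 --verify" writes.
GOOD_RUN = f"""[GNUPG:] NEWSIG rel@example.org
[GNUPG:] KEY_CONSIDERED {FPR} 0
[GNUPG:] GOODSIG {FPR[-16:]} Release Signing (constructed) <rel@example.org>
[GNUPG:] VALIDSIG {FPR} 2019-07-09 1562659200 0 4 0 1 10 00 {FPR}
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""
BAD_RUN = f"""[GNUPG:] NEWSIG rel@example.org
[GNUPG:] KEY_CONSIDERED {FPR} 0
[GNUPG:] BADSIG {FPR[-16:]} Release Signing (constructed) <rel@example.org>
"""
DECRYPT_ONLY_RUN = """[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 2 9
[GNUPG:] PLAINTEXT 62 1562659200
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION
"""

if __name__ == "__main__":
    for name, run in ("good", GOOD_RUN), ("bad", BAD_RUN), ("decrypt-only", DECRYPT_ONLY_RUN):
        print(name, signed_by_trusted_key(run))
```

In a real deployment the text comes from running gpg with --status-fd pointed at a pipe (or via GPGME, which does this parsing for you and exposes the same information as structured results); the point of the decrypt-only transcript is that an unsigned but correctly encrypted message yields DECRYPTION_OKAY and GOODMDC with no signature block at all, so a caller that keys off "decryption OK" has not authenticated anything.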

Re: Future OpenPGP Support in Thunderbird

2019-10-12 Thread Werner Koch via Gnupg-users
On Fri, 11 Oct 2019 21:48, qwrd said: > Storing private keys on a smartcard is a noteworthy security > enhancement, and I would like to see smartcard support being available > in Thunderbird. Either via GnuPG or some other mechanism. Take a Yubikey or an OpenPGP smartcard, install Scute (pkcs#11

Re: Future OpenPGP Support in Thunderbird

2019-10-13 Thread Werner Koch via Gnupg-users
On Sat, 12 Oct 2019 12:43, Chris Narkiewicz said: > Do you know why they resisted OpenPGP adoption so much? iirc, they said that they want to support only one protocol and settled for S/MIME. This still did not explain why they rejected our proposal to clean up their S/MIME code and implement

Re: Future OpenPGP Support in Thunderbird

2019-10-13 Thread Werner Koch via Gnupg-users
On Sun, 13 Oct 2019 18:27, Binarus said: > keys' IDs were formally wrong so that key servers didn't accept the > keys. The easiest possible solution was to re-generate these keys using For the record: Not /keyservers/ but one specific keyserver which runs on a not yet matured enough code base an

Re: Future OpenPGP Support in Thunderbird

2019-10-14 Thread Werner Koch via Gnupg-users
On Mon, 14 Oct 2019 10:54, Phillip Susi said: >> encryption protocol is S/MIME and the last time I checked S/MIME (well, >> CMS for the nitpickers) does not support any kind of authenticated >> encryption. In contrast OpenPGP provides this nearly for 2 decades. > > What do you mean? S/MIME auth

Re: Future OpenPGP Support in Thunderbird

2019-10-14 Thread Werner Koch via Gnupg-users
On Mon, 14 Oct 2019 20:43, Kristian Fiskerstrand said: > was suggested by Kristian and Andre: talking to SCDaemon (scd) with IPC. > Details need to be discussed, but it would be an optional solution, that Given that TB already has smartcard support it would be easy if the new code just makes use

Re: FAQ October 2019 update

2019-10-15 Thread Werner Koch via Gnupg-users
On Tue, 15 Oct 2019 15:17, Robert J. Hansen said: > * Every reference to the SKS keyserver network now points to > keys.openpgp.org. Reason: the SKS attacks a few months ago. I have to object against this change. The SKS server network is still useful and definitely more useful than a non-matu

Re: GPG Agent discarding cache before ttl/max ttl

2019-10-15 Thread Werner Koch via Gnupg-users
On Tue, 15 Oct 2019 09:14, Chip Senkbeil said: > Is there some separate setting for GPG agent to discard its cache > earlier than the ttl/max ttl settings? I've checked the GPG agent You can follow the cache operations by adding log-file /some/log/file debug cache to gpg-agent.conf and relo

Re: A place for discussing WKD spec clarifications?

2019-10-15 Thread Werner Koch via Gnupg-users
On Tue, 15 Oct 2019 09:06, Bjarni Runar Einarsson said: > Would the GnuPG issue tracker be a good place to file "bug > reports" against the spec, to work towards clarifications? That is okay for bug reports, but often it is more important to get the opinions from more people than those who triage

Re: Future OpenPGP Support in Thunderbird

2019-10-16 Thread Werner Koch via Gnupg-users
On Wed, 16 Oct 2019 13:07, Patrick Brunschwig said: > something on their PC and more. Gpgme may handle some of these issues, > but the fact remains: an external component makes things a lot more > complex, especially for support. Right GPGME handles this all pretty well and I have suggested often

Re: Future OpenPGP Support in Thunderbird

2019-10-16 Thread Werner Koch via Gnupg-users
On Wed, 16 Oct 2019 10:46, Martijn Brinkers said: > I actually spend a lot of time investigating the impact of EFAIL on > S/MIME and it's my opinion that the real impact has been overblown. In > all my experiments, and I can tell you I have done a lot of them, I have > not been able to force a mai

Re: are angle brackets around email address allowed for auto-key-locate?

2019-10-16 Thread Werner Koch via Gnupg-users
On Tue, 15 Oct 2019 22:23, David Hebbeker said: > The manual [1] says that GnuPG can automatically retrieve keys for > emails in the "u...@example.com" form. Does this exclude emails wrapped > by angle brackets like ""? That is fine. Find below our test addresses. Salam-Shalom, Werner ps

Re: libgcrypt license

2019-10-22 Thread Werner Koch via Gnupg-users
On Tue, 22 Oct 2019 12:27, Fuse Hiroaki said: > https://github.com/gpg/libgcrypt/commit/915570db198f2cf15db5c034096a444a8a79476e#diff-c55728a8e1162a431e4754734d27a041 I don't know what you found on github, which seems to be an unofficial mirror of GnuPG (and I do not want to check that specific

Re: Should gpg try to connect to TCP/993?

2019-10-28 Thread Werner Koch via Gnupg-users
On Fri, 25 Oct 2019 12:23, Jay Sulzberger said: > Is the following correct: > > When I use gpg to just encrypt or decrypt a file already on my > computer/OS's file system, then gpg does not open any formal > channels of communication going outside my computer/OS. No. By default gpg may go

Re: Question about symmetric AES cipher in GnuPG

2019-11-01 Thread Werner Koch via Gnupg-users
On Wed, 30 Oct 2019 17:19, Brian Minton said: > My guess is, the gpg one also is doing MDC, so you'd have to add the > equivalent HMAC code to openssl, but that's just a complete guess. The OpenPGP MDC is a SHA-1 hash appended to the plaintext and then encrypted along with the data. The usual

Re: How to decrypt a message while preserving the signature?

2019-11-04 Thread Werner Koch via Gnupg-users
On Sun, 3 Nov 2019 10:15, Peter Lebbing said: >> --unwrap is not documented and has the minor problem that it also keeps the >> compression layer. However, gpgv groks that compression layer and works I'll document it for future releases. Salam-Shalom, Werner -- Die Gedanken sind frei.

Re: encrypt file in batch mode

2019-11-04 Thread Werner Koch via Gnupg-users
On Sun, 3 Nov 2019 08:31, Fourhundred Thecat said: > $ gpg --list-secret-keys > gpg: can't connect to the agent: No such file or directory > gpg: failed to start agent '/usr/bin/gpg-agent': No such file or directory Your system is not properly installed. It is missing the gpg-agent which is a m

Re: gpg-agent only checks for smartcard not for local keys

2019-11-04 Thread Werner Koch via Gnupg-users
On Sat, 2 Nov 2019 12:20, Horst Skatmus said: > I do not understand how the gpg-agent determines where to look for the > private key (disk or smartcard) and where this is configured. I can switch > off the scdaemon via --disable-scdaemon but this has no effect. At the time you use ssh-add (putty

Re: encrypt file in batch mode

2019-11-04 Thread Werner Koch via Gnupg-users
On Mon, 4 Nov 2019 16:49, Fourhundred Thecat said: > Yes, that is exactly the problem. Why should simple operations require > gpg agent ? The manual has a chapter on the architecture, please read it to understand the design goals and how it was implemented nearly 20 years ago. > Imagine the aut

Re: BSI withdraws approval of GnuPG (revisited after 3 month)

2019-11-04 Thread Werner Koch via Gnupg-users
On Mon, 4 Nov 2019 08:58, karel-v_g--- said: > In a message to this list on August 8th Werner Koch said he is in > permanent contact with BSI and the reason for the withdrawal is in the > OpenPGP part of GnuPG. Once again no further details were > provided. [4] We received a new approval BSI-VS-104

Re: BSI withdraws approval of GnuPG (revisited after 3 month)

2019-11-04 Thread Werner Koch via Gnupg-users
On Mon, 4 Nov 2019 12:39, Art Silva said: > What do they approve for securing data of higher security classifications? There is a public list at: Salam-Shalom, Werner -- D

Re: BSI withdraws approval of GnuPG (revisited after 3 month)

2019-11-04 Thread Werner Koch via Gnupg-users
On Mon, 4 Nov 2019 11:40, Robert J. Hansen said: > requirements. This could be as simple as, "we prohibit the use of 3DES, > but OpenPGP lists it as a MUST algorithm". It is even less technical see my other mail. FWIW, GnuPG knows all allowed algorithms for the VS-NfD use case and can be switc

Re: encrypt file in batch mode

2019-11-05 Thread Werner Koch via Gnupg-users
On Mon, 4 Nov 2019 18:10, Tony Lane said: > was made with the unix philosophy in mind. Perhaps it would've been > better to write the gpg-agent as a shared library to be called by the > core instead. Well, we're probably too far down the rabbit hole The process boundary has security advanta

Re: gpg-agent SSH agent returned incorrect signature type

2019-11-05 Thread Werner Koch via Gnupg-users
On Tue, 5 Nov 2019 17:49, Sebastian Wiesinger said: > debug3: sign_and_send_pubkey: signing using rsa-sha2-512 AFAICS that method is not supported. We support "ssh-rsa" and "ssh-rsa-cert-...@openssh.com" but not this method. However, I do not have the debug out of gpg-agent so I can't tell for
