From ekleog at gmail.com Fri Nov 1 00:23:13 2013
From: ekleog at gmail.com (Leo Gaspard)
Date: Fri, 1 Nov 2013 00:23:13 +0100
Subject: The symmetric ciphers
In-Reply-To: <20131031143608.Horde.s6jAFhmC7BMfti6Tq2kSdw9@mail.sixdemonbag.org>
References: <522EF602.3080604@spth.de> <522F1EE6.70308@sixdemonbag.org> <52713F9F.9000207@spth.de> <20131030103907.Horde._UjoNd-rJLtK_uz3b5l8Zg5@sixdemonbag.org> <5271943D.9060409@vulcan.xs4all.nl> <5271D400.6050006@sixdemonbag.org> <52726286.80508@vulcan.xs4all.nl> <20131031143608.Horde.s6jAFhmC7BMfti6Tq2kSdw9@mail.sixdemonbag.org>
Message-ID: <20131031232313.GB14302@leortable>

> The reason why the cryptanalytic community looked into whether DES forms a
> group is because the 56-bit keyspace was too short and we critically needed
> a way to compose DES into a stronger algorithm. That's not the case with
> AES.

Disclaimer: I am not a mathematician, only a student in mathematics. I did not learn mathematics in the English language, but have tried to check on Wikipedia that the vocabulary I am about to use is correct in English; please pardon me if I make a mistake. Anything I have not checked should be redefined. And this text is not intended for people with no insight into basic group theory.

Definitions:

* [1;n] will be the set of all integers from 1 to n, ends included.
* M is the set of possible messages.
* C is the set of possible ciphertexts.
* F(M, C) is the set of encryption functions (key included), that take a message in M as input and yield a ciphertext in C as output. IOW, it is the set of bijections from M to C.

Assumption: F(M, C) is a group for \circ, the composition, as any encrypted message ought to be decipherable. (Well, not really a group, as the inverse bijection would be in F(C, M), but I will write that it is a group for ease of expression. Correcting this would only be adding useless text, so feel free to do it in your mind if you prefer.)

First, I'll assume that, when you say "ROT is a group", you mean that (n -> ROTn) is a group morphism between (F(M, C), \circ) and (Z/26Z, +).

Let n be a positive integer. So, now, let's assume K = [1; 2^n] is a group for some law *. Let's assume that AES-n is a group morphism between (F(M, C), \circ) and (K, *).

In my opinion (and a bit more than that), it changes nothing to the question. Indeed, composing two (or more) AES-n with independently random-chosen keys is at least as strong as one AES-n with a random-chosen key, which, IIRC, was the heart of the matter.

As a proof, let's take k1 and k2, two independently random-chosen keys in K. Then, AES-n(k1) \circ AES-n(k2) = AES-n(k1 * k2). Now, let's prove k1 * k2 is a randomly-chosen key in K. First, (x -> k1 * x) is a bijection. So, if x is chosen randomly, then so is k1 * x. And k2 is chosen randomly (independently from k1, which is quite important here), so k1 * k2 is a randomly-chosen key in K.

Proof of the "first" statement: Let a, b be two keys in K. Then k1 * a = k1 * b implies a = b by mere multiplication by k1^{-1}. So (x -> k1 * x) is an injection from K to K, and K is a finite set, so (x -> k1 * x) is a bijection on K. Another way of seeing this would be by exposing the inverse: (x -> k1^{-1} * x). I know this is a well-known result, but preferred to redemonstrate it, just in case.

So, whether AES-n is a group morphism or not does not matter for the question, which was trying to find a resulting algorithm at least as strong as the strongest of all. And DES was checked for a group-like behavior because the objective was not to create an algorithm at least as strong as the strongest component, but to create an algorithm as strong as the sum of all components, which is substantially harder.

BTW, the example about ROT still fits the proof: remember ROT0 could be selected by a random key with probability 1/26. You can check ROTn \circ ROTm (ie. ROT(n + m)) yields ROT0 with probability 1/26, when n and m are both chosen uniformly. (Well, it's just 26 ways of making 26 from the sum of two numbers from 0 to 25, this divided by the total possibilities of 26^2.)

As a conclusion, IMHO (and without proof here, just gut feeling, even though a start of proof was given by Philipp earlier), stacking two algorithms with unrelated randomly-chosen keys makes an algorithm at least as strong as the strongest of the two algorithms, at the cost of transmitting a longer key and spending more time on enc/decryption, which, admittedly, might be quite an issue.

Hoping I did not make too many mistakes, both in mathematics and in the English language,

Leo

From rjh at sixdemonbag.org Fri Nov 1 05:21:10 2013
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 01 Nov 2013 00:21:10 -0400
Subject: 2048 or 4096 for new keys? aka defaults vs. Debian
In-Reply-To: <877gct41yx.fsf@alice.fifthhorseman.net>
References: <20131024190545.GA20255@mail.beuc.net> <877gct41yx.fsf@alice.fifthhorseman.net>
Message-ID: <52732C36.2070706@sixdemonbag.org>

On 10/31/2013 4:31 PM, Daniel Kahn Gillmor wrote:
> ENISA (the European Union Agency for Network and Information Security)
> recently issued a report recommending that non-legacy systems using RSA
> start with keys that are >= 3072 bits (see page 30 of the PDF):

Huh -- fascinating! Thank you for this new data point, dkg!
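The key-composition argument in Leo Gaspard's message above, checked exhaustively. This is an added example, not code from any post in this thread. It uses the thread's own ROT example (keys in Z/26Z under addition) and adds two laws of my own choosing: the permutation group S_3 under composition (non-abelian, to show the proof never needs commutativity) and multiplication mod 26 on the same 26 keys (not a group, to show why the group hypothesis matters). All function names are mine.

```python
# Added example (not from any post in the thread): exhaustive check that, for a
# finite group (K, *), if k1 and k2 are independent and uniform on K then k1 * k2
# is uniform on K, because x -> k1 * x is a bijection. ROT (Z/26Z, +) is the
# thread's example; S_3 and "multiplication mod 26" are added by the example.
from collections import Counter
from fractions import Fraction
from itertools import permutations, product

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def rot(n, text):
    """ROTn: shift each lowercase letter by n positions; other characters pass through."""
    return "".join(
        ALPHABET[(ALPHABET.index(c) + n) % 26] if c in ALPHABET else c for c in text
    )


def rot_key_law(n, m):
    """Key law for ROT: ROTn o ROTm = ROT(n + m mod 26), i.e. addition in Z/26Z."""
    return (n + m) % 26


def mul_mod26(a, b):
    """A law under which range(26) is NOT a group (0 has no inverse); counterexample."""
    return (a * b) % 26


# S_3 as tuples p with p[i] = image of i; the law is composition (non-abelian group).
S3 = list(permutations(range(3)))


def perm_compose(p, q):
    """(p o q)(i) = p[q[i]]."""
    return tuple(p[q[i]] for i in range(len(q)))


def left_multiplication_is_bijection(elements, law, k1):
    """Lemma from the post: k1 * a = k1 * b implies a = b, so x -> k1 * x is injective,
    and an injection of a finite set into itself is a bijection."""
    image = [law(k1, x) for x in elements]
    return len(set(image)) == len(elements) and set(image) == set(elements)


def composed_key_distribution(elements, law):
    """Count k1 * k2 over every (k1, k2) pair. With k1, k2 uniform and independent,
    each pair has probability 1/|K|^2, so a product's count is |K|^2 times its probability."""
    return Counter(law(k1, k2) for k1, k2 in product(elements, repeat=2))


def is_uniform(dist, elements):
    """Uniform iff every element of K is hit exactly |K| times (probability |K|/|K|^2 = 1/|K|)."""
    n = len(elements)
    return set(dist) == set(elements) and all(dist[k] == n for k in elements)


def prob_identity(elements, law, identity):
    """Probability that the composed key is the identity (ROT0 for ROT)."""
    dist = composed_key_distribution(elements, law)
    return Fraction(dist[identity], len(elements) ** 2)


def prob_rot0_after_two_random_keys():
    """The thread's check: ROTn o ROTm is ROT0 with probability 26/26^2 = 1/26."""
    return prob_identity(range(26), rot_key_law, 0)


if __name__ == "__main__":
    print("ROT3('attack at dawn') =", rot(3, "attack at dawn"))
    print("P[ROT0] after two uniform ROT keys =", prob_rot0_after_two_random_keys())
    for name, elems, law in (
        ("Z/26Z, +", range(26), rot_key_law),
        ("S_3, o", S3, perm_compose),
        ("range(26), * mod 26 (not a group)", range(26), mul_mod26),
    ):
        uniform = is_uniform(composed_key_distribution(elems, law), elems)
        print(f"composed key uniform under ({name}): {uniform}")
```

The non-group law is the instructive failure: under multiplication mod 26 the map x -> 0 * x collapses every key to 0, so two random keys compose to a very non-random key, which is exactly the situation the group hypothesis in the post rules out.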
From expires2013 at ymail.com Fri Nov 1 15:29:27 2013
From: expires2013 at ymail.com (MFPA)
Date: Fri, 1 Nov 2013 14:29:27 +0000
Subject: gpgsm and expired certificates
In-Reply-To: <8761si4vrm.fsf@mat.ucm.es>
References: <87r4b8ic36.fsf@mat.ucm.es> <87k3gzyhhr.fsf__27502.296298235$1382815337$gmane$org@vigenere.g10code.de> <87ppqriyue.fsf@mat.ucm.es> <87fvrnxkci.fsf__38096.124205231$1382858228$gmane$org@vigenere.g10code.de> <87li1fhz83.fsf@mat.ucm.es> <871u37xbqr.fsf__23314.7300001749$1382869296$gmane$org@vigenere.g10code.de> <8761si4vrm.fsf@mat.ucm.es>
Message-ID: <1745551923.20131101142927@my_localhost>

Hi

On Sunday 27 October 2013 at 2:46:05 PM, in , Uwe Brauer wrote:

> I would prefer a government based organisation which
> provides this service to its citizen (especially
> because of all which was lately revealed about the NSA)

Isn't the NSA "a government based organisation?" Surely guilt-by-association renders every government based organisation just as nefarious as the NSA.

--
Best regards

MFPA                    mailto:expires2013 at ymail.com

Free advice costs nothing until you act upon it

From expires2013 at ymail.com Fri Nov 1 16:24:19 2013
From: expires2013 at ymail.com (MFPA)
Date: Fri, 1 Nov 2013 15:24:19 +0000
Subject: trust your corporation for keyowner identification?
In-Reply-To: <526e2592.vizyzHwEGhmqqHhK%sttob@privatdemail.net>
References: <525EEE33.1060304__39450.1849696555$1381953182$gmane$org@dougbarton.us> <109563160.20131016222807__37584.6967836425$1381959035$gmane$org@my_localhost> <525FE12A.5040307__21646.6946680614$1382015420$gmane$org@vulcan.xs4all.nl> <20131017135454.Horde.PF7HtsAisFNCiofjRFOv2w7@mail.sixdemonbag.org> <52669348.+eLRL6ulbwvCCmiJ%sttob@privatdemail.net> <5266F5CA.80509@sixdemonbag.org> <526806e2.PnylUKoa89KDX8qO%sttob@privatdemail.net> <52681AFA.2060102@digitalbrains.com> <52685878.6AXcxDzMhOJmhsWU%sttob@privatdemail.net> <5268E9F2.1050108@digitalbrains.com> <5269588e.wAXyOS+XkCb/A4Oa%sttob@privatdemail.net> <526e2592.vizyzHwEGhmqqHhK%sttob@privatdemail.net>
Message-ID: <998560652.20131101152419@my_localhost>

Hi

On Monday 28 October 2013 at 8:51:30 AM, in , Stan Tobias wrote:

> I say it does not, because basing one's certification
> on that of the notary is not [the same as] basing one's
> certification on the notary's verification efforts.

What evidence of the Notary's verification efforts do you review? From my reading of this thread, there is only the _assumption_ that sufficient identity checks were properly carried out before the individual started working in a role that carried a corporate email address.

--
Best regards

MFPA                    mailto:expires2013 at ymail.com

Beware the deadly donkey falling slowly from the sky

From johannes at zarl.at Fri Nov 1 17:22:20 2013
From: johannes at zarl.at (Johannes Zarl)
Date: Fri, 01 Nov 2013 17:22:20 +0100
Subject: make gpg-agent forget the PIN
Message-ID: <23871535.8aid4UM92T@mani>

Hi,

I'm trying to get gpg-agent to automatically forget my credentials as soon as I leave the PC/the screen is locked. So far, I only got it half working: When I send a SIGHUP to the gpg-agent, it correctly forgets cached passphrases. The cached PIN of my OpenPGP card, however, remains available.

Is there any way to explicitly tell gpg-agent to forget the PIN as well?

Cheers,
Johannes

From rjh at sixdemonbag.org Fri Nov 1 19:47:56 2013
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 01 Nov 2013 11:47:56 -0700
Subject: gpgsm and expired certificates
In-Reply-To: <1745551923.20131101142927@my_localhost>
References: <87r4b8ic36.fsf@mat.ucm.es> <87k3gzyhhr.fsf__27502.296298235$1382815337$gmane$org@vigenere.g10code.de> <87ppqriyue.fsf@mat.ucm.es> <87fvrnxkci.fsf__38096.124205231$1382858228$gmane$org@vigenere.g10code.de> <87li1fhz83.fsf@mat.ucm.es> <871u37xbqr.fsf__23314.7300001749$1382869296$gmane$org@vigenere.g10code.de> <8761si4vrm.fsf@mat.ucm.es> <1745551923.20131101142927@my_localhost>
Message-ID: <20131101114756.Horde.f5Rbb0PJwmQx-cHcO0Kmjg7@mail.sixdemonbag.org>

> Isn't the NSA "a government based organisation?" Surely
> guilt-by-association renders every government based organisation just
> as nefarious as the NSA.
This is why grown-ups don't believe in guilt by association.

To take an example: the graduate students at the University of Iowa who teach undergraduate courses on classical French literature are University employees. (Unionized ones at that: United Electrical Workers/Committee to Organize Graduate Students, *represent*! [1]) As University employees, they are officially also government employees, since the University is funded by the State.

Do you really think a bunch of graduate students obsessing over _La Chanson du Roland_ are "just as nefarious as the NSA"?

If you do, then I think your paranoia is so out of hand you really ought to consider seeking professional help. And no, I'm not kidding.

If you don't, then let's dial back the rhetoric. Governments are *big* *big* things with lots of employees, and they deserve better treatment than this.

[1] Yes, I was a card-carrying union man and served as a union officer. Try not to keel over from the shock. ;)

From peter at digitalbrains.com Fri Nov 1 20:17:41 2013
From: peter at digitalbrains.com (Peter Lebbing)
Date: Fri, 01 Nov 2013 20:17:41 +0100
Subject: make gpg-agent forget the PIN
In-Reply-To: <23871535.8aid4UM92T@mani>
References: <23871535.8aid4UM92T@mani>
Message-ID: <5273FE55.5090400@digitalbrains.com>

Hi Johannes,

> Is there any way to explicitly tell gpg-agent to forget the pin as well?

Based on a post once made by Werner, I have this script:

-----------8<----------------->8-----------
#!/bin/sh

gpg-connect-agent 'SCD RESET' /bye
-----------8<----------------->8-----------

It's called 'scforget' here.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From rjh at sixdemonbag.org Fri Nov 1 20:25:30 2013
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 01 Nov 2013 12:25:30 -0700
Subject: gpgsm and expired certificates
In-Reply-To: <1745551923.20131101142927@my_localhost>
References: <87r4b8ic36.fsf@mat.ucm.es> <87k3gzyhhr.fsf__27502.296298235$1382815337$gmane$org@vigenere.g10code.de> <87ppqriyue.fsf@mat.ucm.es> <87fvrnxkci.fsf__38096.124205231$1382858228$gmane$org@vigenere.g10code.de> <87li1fhz83.fsf@mat.ucm.es> <871u37xbqr.fsf__23314.7300001749$1382869296$gmane$org@vigenere.g10code.de> <8761si4vrm.fsf@mat.ucm.es> <1745551923.20131101142927@my_localhost>
Message-ID: <20131101122530.Horde.L0bejumqV5vfMfmqhBR7JQ1@mail.sixdemonbag.org>

My previous email was pretty dry and impersonal. This one is very personal.

> Isn't the NSA "a government based organisation?" Surely
> guilt-by-association renders every government based organisation just
> as nefarious as the NSA.

My current job is in software forensics -- discovering new ways to pull information off electronic media. Most of the people funding research in this area are connected to the government somehow. I would describe what a typical week for me entails but I'm pretty sure I would terrify and traumatize a good portion of the list. (A great week for me is one in which I don't have to see, hear, or even think about, the three words, "Daddy, no, stop!")

But since some of my R&D funding comes from the government, I'm just as nefarious as the NSA.

John Moore III, who hasn't been seen on this list in ages, was always quite open about the fact he served in the Marine Corps attached to a signals intelligence unit at Fort Meade. I'll let you do the math and figure out what three letter agency at Fort Meade does signals intelligence. Apparently John's contributions to the GnuPG community mean nothing, because he's just as nefarious as the NSA.

Werner has taken money from the German government to do crypto-related software development. Apparently Werner is just as nefarious as the NSA.
There are a lot of people on this list who have some kind of connection to the government. Many of them -- us -- are deeply concerned about civil liberties, surveillance, and the future of liberty. We are not your enemies and we do not deserve to be tarred with that brush.

You owe all of us an apology.

From johannes at zarl.at Sat Nov 2 12:00:03 2013
From: johannes at zarl.at (Johannes Zarl)
Date: Sat, 02 Nov 2013 12:00:03 +0100
Subject: make gpg-agent forget the PIN
In-Reply-To: <5273FE55.5090400@digitalbrains.com>
References: <23871535.8aid4UM92T@mani> <5273FE55.5090400@digitalbrains.com>
Message-ID: <5563173.0S1bcQ6Bev@mani>

Thanks! That was exactly what I was looking for.

Johannes

On Friday 01 November 2013 20:17:41 Peter Lebbing wrote:
> Hi Johannes,
>
> > Is there any way to explicitly tell gpg-agent to forget the pin as well?
>
> Based on a post once made by Werner, I have this script:
>
> -----------8<----------------->8-----------
> #!/bin/sh
>
> gpg-connect-agent 'SCD RESET' /bye
> -----------8<----------------->8-----------
>
> It's called 'scforget' here.
>
> HTH,
>
> Peter.
From wk at gnupg.org Sat Nov 2 12:26:56 2013
From: wk at gnupg.org (Werner Koch)
Date: Sat, 02 Nov 2013 12:26:56 +0100
Subject: make gpg-agent forget the PIN
In-Reply-To: <5273FE55.5090400@digitalbrains.com> (Peter Lebbing's message of "Fri, 01 Nov 2013 20:17:41 +0100")
References: <23871535.8aid4UM92T@mani> <5273FE55.5090400@digitalbrains.com>
Message-ID: <87d2mjkprz.fsf@vigenere.g10code.de>

On Fri, 1 Nov 2013 20:17, peter at digitalbrains.com said:

> It's called 'scforget' here.

Or better: pull off the card and take it with you.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are governed by a federal law.

From samtuke at gnupg.org Sat Nov 2 13:02:20 2013
From: samtuke at gnupg.org (Sam Tuke)
Date: Sat, 02 Nov 2013 13:02:20 +0100
Subject: Quotes from GPG users
In-Reply-To: <22329476-9653-4023-ad11-20ab386bda6a@email.android.com>
References: <5270E670.3070307@gnupg.org> <22329476-9653-4023-ad11-20ab386bda6a@email.android.com>
Message-ID: <5274E9CC.80207@gnupg.org>

On 31/10/13 22:47, Paul R. Ramer wrote:
> Well, here is my input for your project.
>
> I wouldn't be able to communicate sensitive documents without it.

Many thanks Paul!

Sam.

--
Sam Tuke
Campaign Manager
Gnu Privacy Guard
0044 78680 77871

From samtuke at gnupg.org Sat Nov 2 13:06:05 2013
From: samtuke at gnupg.org (Sam Tuke)
Date: Sat, 02 Nov 2013 13:06:05 +0100
Subject: Quotes from GPG users
In-Reply-To: <20131030183159.GO3866@platinum.gollo.at>
References: <5270E670.3070307@gnupg.org> <20131030183159.GO3866@platinum.gollo.at>
Message-ID: <5274EAAD.3040807@gnupg.org>

On 30/10/13 19:31, Martin Gollowitzer wrote:
> Unfortunately, this is slightly longer (it's really hard to stick to 130
> characters):

Yes, it really is :)

> GnuPG allows for both proving a message's authenticity and preventing
> eavesdropping. It's one of the most important tools I use every day.

Thanks Martin - that last sentence is great even by itself.

Best,

Sam.

--
Sam Tuke
Campaign Manager
Gnu Privacy Guard
0044 78680 77871

From peter at digitalbrains.com Sat Nov 2 13:12:47 2013
From: peter at digitalbrains.com (Peter Lebbing)
Date: Sat, 02 Nov 2013 13:12:47 +0100
Subject: make gpg-agent forget the PIN
In-Reply-To: <87d2mjkprz.fsf@vigenere.g10code.de>
References: <23871535.8aid4UM92T@mani> <5273FE55.5090400@digitalbrains.com> <87d2mjkprz.fsf@vigenere.g10code.de>
Message-ID: <5274EC3F.7080706@digitalbrains.com>

On 02/11/13 12:26, Werner Koch wrote:
> Or better: pull off the card and take it with you.

I unplug my reader (USB) when I don't use it; I leave the card in. I now have OpenPGP v2 cards, but I earlier had v1 cards that started to malfunction after some time.
I had the impression that they were most likely to keep working if I didn't remove them from the cardreader, so I tried to avoid that. Also, a worn out USB connector is very easy to replace when you know which side of a soldering iron is the hot side. If the contacts of my cardreader wear out, I can't replace them as easily.

When I suspect I might need the card again soon, I don't unplug the reader. But I know myself: when I leave for a moment, I might not think of a card that's still attached and the PIN unlocked. I live on campus, with 9 other students in this building, and I don't always lock my door. I don't think anyone will come in, notice the unlocked card, and out of curiosity see what encrypted stuff they can read, but I just feel a bit awkward when I leave the card unlocked. It's not a solid argument, but I dislike feeling a bit awkward, so I "lock" the card.

I don't even have encrypted stuff that would be interesting to my housemates. For example, even if they knew my credit card details, they wouldn't use them. Or the private key to my own X.509 CA, as another example. It's just that feeling a bit awkward thing :).

If people are determined and they are able to access my cardreader with OpenPGP card in, they are also already sitting at my computer. Then they can do all sorts of interesting stuff. I just trust my OpenPGP card to keep its private key to itself; even though other people can get physical access to the card if they're determined to do so. If I'm up against adversaries that can extract private keys from OpenPGP cards, I'm out of my league anyway.

I will move to my own house fairly soon; then my computer will be more secure :).

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From samtuke at gnupg.org Sat Nov 2 13:13:25 2013
From: samtuke at gnupg.org (Sam Tuke)
Date: Sat, 02 Nov 2013 13:13:25 +0100
Subject: Quotes from GPG users
In-Reply-To: <20131031073327.GB1855@fritha.org>
References: <5270E670.3070307@gnupg.org> <20131031073327.GB1855@fritha.org>
Message-ID: <5274EC65.6090601@gnupg.org>

On 31/10/13 08:33, Heinz Diehl wrote:
> Raised awareness does seldom lead to change (just as knowledge and
> attitudes). Before developing a strategy on promoting the use of
> GPG, the barriers which prevent people from using it should be
> explored and fed back into the implementation strategy.

Research would definitely be helpful. There are many well written guides, video tutorials, and even e-learning courses on how to setup GPG however, and some applications make it very easy. While technical complexity is undoubtedly a problem, a huge number of technically proficient people are not using GPG simply because they aren't aware of its existence or importance. At least, that's what my own experiences tell me.

> Maybe some principles from social marketing (insight, exchange..)
> would fit as a good starting point for a campaign.

I'd like to explore this off-list; sounds like you've got some interesting ideas.

Best,

Sam.

--
Sam Tuke
Campaign Manager
Gnu Privacy Guard
0044 78680 77871
From expires2013 at ymail.com Sat Nov 2 15:11:41 2013
From: expires2013 at ymail.com (MFPA)
Date: Sat, 2 Nov 2013 14:11:41 +0000
Subject: gpgsm and expired certificates
In-Reply-To: <20131101114756.Horde.f5Rbb0PJwmQx-cHcO0Kmjg7@mail.sixdemonbag.org>
References: <87r4b8ic36.fsf@mat.ucm.es> <87k3gzyhhr.fsf__27502.296298235$1382815337$gmane$org@vigenere.g10code.de> <87ppqriyue.fsf@mat.ucm.es> <87fvrnxkci.fsf__38096.124205231$1382858228$gmane$org@vigenere.g10code.de> <87li1fhz83.fsf@mat.ucm.es> <871u37xbqr.fsf__23314.7300001749$1382869296$gmane$org@vigenere.g10code.de> <8761si4vrm.fsf@mat.ucm.es> <1745551923.20131101142927@my_localhost> <20131101114756.Horde.f5Rbb0PJwmQx-cHcO0Kmjg7@mail.sixdemonbag.org>
Message-ID: <150670278.20131102141141@my_localhost>

Hi

On Friday 1 November 2013 at 6:47:56 PM, in , Robert J. Hansen wrote:

>> Isn't the NSA "a government based organisation?"
>> Surely guilt-by-association renders every government
>> based organisation just as nefarious as the NSA.

> This is why grown-ups don't believe in guilt by
> association.

Which would mean police who interview people who had contact with a suspect, in order to "eliminate them from their enquiries," are either not grown-ups or are practising something in which they do not believe.

> Do you really think a bunch of graduate students
> obsessing over _La Chanson du Roland_ are "just as
> nefarious as the NSA"?

> If you do, then I think your paranoia is so out of hand
> you really ought consider seeking professional help.
> And no, I'm not kidding.

I was merely making use of hyperbole to challenge the previous poster's assertion that a government based organisation would be preferable to the current CA service providers, "especially because of all which was lately revealed about the NSA."

What I was trying to convey was my opinion that the revelation of unpalatable/nefarious behaviour on the part of a government organisation seems a pretty odd reason to call for services, currently provided by private-sector CAs, to instead be provided by a government organisation.

--
Best regards

MFPA                    mailto:expires2013 at ymail.com

ETHERNET(n): device used to catch the Ether bunny

From expires2013 at ymail.com Sat Nov 2 15:22:35 2013
From: expires2013 at ymail.com (MFPA)
Date: Sat, 2 Nov 2013 14:22:35 +0000
Subject: gpgsm and expired certificates
In-Reply-To: <20131101122530.Horde.L0bejumqV5vfMfmqhBR7JQ1@mail.sixdemonbag.org>
References: <87r4b8ic36.fsf@mat.ucm.es> <87k3gzyhhr.fsf__27502.296298235$1382815337$gmane$org@vigenere.g10code.de> <87ppqriyue.fsf@mat.ucm.es> <87fvrnxkci.fsf__38096.124205231$1382858228$gmane$org@vigenere.g10code.de> <87li1fhz83.fsf@mat.ucm.es> <871u37xbqr.fsf__23314.7300001749$1382869296$gmane$org@vigenere.g10code.de> <8761si4vrm.fsf@mat.ucm.es> <1745551923.20131101142927@my_localhost> <20131101122530.Horde.L0bejumqV5vfMfmqhBR7JQ1@mail.sixdemonbag.org>
Message-ID: <1167393703.20131102142235@my_localhost>

Hi

On Friday 1 November 2013 at 7:25:30 PM, in , Robert J. Hansen wrote:

> But since some of
> my R&D funding comes from the government, I'm just as
> nefarious as the NSA.

[...]

> John Moore III, who hasn't been seen on this list in

[...]

> Apparently John's
> contributions to the GnuPG community mean nothing,
> because he's just as nefarious as the NSA.

[...]

> Werner has taken money from the German government to do
> crypto-related software development. Apparently Werner
> is just as nefarious as the NSA.

> There are a lot of people on this list who have some
> kind of connection to the government.

[...]

> You owe all of us an apology.

I wish to extend my sincere and unreserved apologies to all the people I unintentionally offended.

--
Best regards

MFPA                    mailto:expires2013 at ymail.com

Wise men learn many things from their enemies.

From rjh at sixdemonbag.org Sat Nov 2 15:36:27 2013
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 02 Nov 2013 10:36:27 -0400
Subject: gpgsm and expired certificates
In-Reply-To: <150670278.20131102141141@my_localhost>
References: <87r4b8ic36.fsf@mat.ucm.es> <87k3gzyhhr.fsf__27502.296298235$1382815337$gmane$org@vigenere.g10code.de> <87ppqriyue.fsf@mat.ucm.es> <87fvrnxkci.fsf__38096.124205231$1382858228$gmane$org@vigenere.g10code.de> <87li1fhz83.fsf@mat.ucm.es> <871u37xbqr.fsf__23314.7300001749$1382869296$gmane$org@vigenere.g10code.de> <8761si4vrm.fsf@mat.ucm.es> <1745551923.20131101142927@my_localhost> <20131101114756.Horde.f5Rbb0PJwmQx-cHcO0Kmjg7@mail.sixdemonbag.org> <150670278.20131102141141@my_localhost>
Message-ID: <52750DEB.6090408@sixdemonbag.org>

> I wish to extend my sincere and unreserved apologies to all the people
> I unintentionally offended.

Thank you for this. (Seriously.)

There's an American movie that probably hasn't been seen much in Europe. _High Noon_, starring Gary Cooper, which may be the finest Western ever made.
In a nutshell, the Frank Miller Gang comes to town intent on bloodshed and violence, and to protect the town the retired police officer, Marshal Will Kane, puts on the tin star once more. The Frank Miller Gang does something violent and Kane gets in the way -- the gang retaliates and does something else violent, and Kane gets in the way and stops that, too. After a while the townsfolk, who were begging Marshal Kane to come out of retirement at the beginning of the movie, are screaming their outrage at him. "If you'd just quit, the Frank Miller Gang would leave us alone! Can't you see that your meddling is just making them angry and making the problems worse?"

In a climactic showdown Marshal Kane shatters the Miller Gang. All the townsfolk, who had begged him to save them and then screamed at him that he was the problem, come around to praise him for his courage and valor. Marshal Kane looks them over in disgust, then tears off his badge, throws it in the dirt, and rides off into the sunset with his girlfriend. The townspeople have finally done what the Frank Miller Gang couldn't do: they've made a good and decent policeman stop caring about his town.

I can't help but think, as I see the tenor of the discussion about the NSA, that there are probably thousands of good and decent people in that agency who are concerned with following the law and respecting civil liberties -- and they probably feel an awful lot like Marshal Kane right now, wondering whether it's even worth it.

> Which would mean police who interview people who had contact with a
> suspect, in order to "eliminate them from their enquiries," are either
> not grown-ups or are practising something in which they do not
> believe.

They are not practicing guilt by suspicion. They are practicing, "hey, let's collect as much information as possible on this crime so that we can find the truly guilty person." Police do not determine guilt. Courts determine guilt. Police are in the business of collecting information. In a very real sense, police are a domestic intelligence agency.

From expires2013 at ymail.com Sat Nov 2 16:54:23 2013
From: expires2013 at ymail.com (MFPA)
Date: Sat, 2 Nov 2013 15:54:23 +0000
Subject: gpgsm and expired certificates
In-Reply-To: <52750DEB.6090408@sixdemonbag.org>
References: <87r4b8ic36.fsf@mat.ucm.es> <87k3gzyhhr.fsf__27502.296298235$1382815337$gmane$org@vigenere.g10code.de> <87ppqriyue.fsf@mat.ucm.es> <87fvrnxkci.fsf__38096.124205231$1382858228$gmane$org@vigenere.g10code.de> <87li1fhz83.fsf@mat.ucm.es> <871u37xbqr.fsf__23314.7300001749$1382869296$gmane$org@vigenere.g10code.de> <8761si4vrm.fsf@mat.ucm.es> <1745551923.20131101142927@my_localhost> <20131101114756.Horde.f5Rbb0PJwmQx-cHcO0Kmjg7@mail.sixdemonbag.org> <150670278.20131102141141@my_localhost> <52750DEB.6090408@sixdemonbag.org>
Message-ID: <1142347129.20131102155423@my_localhost>

Hi

On Saturday 2 November 2013 at 2:36:27 PM, in , Robert J. Hansen wrote:

> They are not practicing guilt by suspicion. They are
> practicing, "hey, let's collect as much information as
> possible on this crime so that we can find the truly
> guilty person."

Experiences of people I know, together with footage broadcast on the "reality TV" programmes where TV crews follow real police going about their business, lead me to the conclusion they routinely practise guilt by suspicion/guilt by association. If that approach fails to find somebody the circumstantial evidence doesn't rule out, they will switch to a genuine investigation if the matter is serious enough to warrant the man-hours, or if it affects high-profile individuals.
No slur intended on any individual police personnel, just public perception of the police forces' corporate approach. (And for the record, I know many people who have formed a similar impression as well as plenty who have formed a very different impression.)

> Police do not determine guilt. Courts determine guilt.
> Police are in the business of collecting information.
> In a very real sense, police are a domestic
> intelligence agency.

Unfortunately, police sometimes influence the determination of guilt by being selective in their presentation of information to the courts. In the UK any withholding of evidence by the police has constituted grounds for appeal since R v Fellows in July 1985.[1]

[1] The very short quote at is the only reference I can find at the moment.

--
Best regards
MFPA
mailto:expires2013 at ymail.com

The second mouse gets the cheese

From htd at fritha.org Sat Nov 2 17:19:24 2013
From: htd at fritha.org (Heinz Diehl)
Date: Sat, 2 Nov 2013 17:19:24 +0100
Subject: Quotes from GPG users
In-Reply-To: <5274EC65.6090601@gnupg.org>
References: <5270E670.3070307@gnupg.org> <20131031073327.GB1855@fritha.org> <5274EC65.6090601@gnupg.org>
Message-ID: <20131102161924.GB7614@fritha.org>

On 02.11.2013, Sam Tuke wrote:

> Research would definitely be helpful. There are many well written guides, video
> tutorials, and even e-learning courses on how to setup GPG however, and some
> applications make it very easy.
When you think of the "common windows user" who solely wants to double click on "install.exe" and send encrypted mail after it finished: are these people aware of those applications?

> While technical complexity is undoubtedly a problem, a huge number of
> technically proficient people are not using GPG simply because they aren't aware
> of its existence or importance.

At least, that's what my own experiences tell me. Now that you have the "NSA scandal" and the mass media have done their job, you have a perfect growing place to start an awareness campaign :-)

So what do people want? Either they give a shit about the NSA and have "nothing to hide", or they want to encrypt just everything.

From htd at fritha.org Sat Nov 2 17:22:29 2013
From: htd at fritha.org (Heinz Diehl)
Date: Sat, 2 Nov 2013 17:22:29 +0100
Subject: Quotes from GPG users
In-Reply-To: <5270E670.3070307@gnupg.org>
References: <5270E670.3070307@gnupg.org>
Message-ID: <20131102162229.GC7614@fritha.org>

On 30.10.2013, Sam Tuke wrote:

> I'll collect them and pick the best for use now and in future.

"GPG - keeps the XXX from your door!" :-)

[Replace XXX with any three letter agency of your choice]

From kwadronaut at aktivix.org Sat Nov 2 17:38:31 2013
From: kwadronaut at aktivix.org (kwadronaut)
Date: Sat, 02 Nov 2013 17:38:31 +0100
Subject: Quotes from GPG users
In-Reply-To: <5270E670.3070307@gnupg.org>
References: <5270E670.3070307@gnupg.org>
Message-ID: <52752A87.1040505@aktivix.org>

On 30/10/13 11:58, Sam Tuke wrote:
> Hi all,
>
> I'm working with Werner to promote GnuPG and raise awareness. To that end we're
> collecting quotes from users - endorsements from people who know and trust GPG,
> people like you.
>
> If you want to help us, send your own statement about why GPG is important to
> you. Please keep it less than or equal to 130 characters, so it can be used on
> social networks.
>
> I'll collect them and pick the best for use now and in future.
> GnuPG might be clumsy, but it gets my message across, to the intended recipients!

From johannes at zarl.at Sat Nov 2 17:43:15 2013
From: johannes at zarl.at (Johannes Zarl)
Date: Sat, 02 Nov 2013 17:43:15 +0100
Subject: Quotes from GPG users
In-Reply-To: <5270E670.3070307@gnupg.org>
References: <5270E670.3070307@gnupg.org>
Message-ID: <1750272.JbdLGX0ukF@mani>

On Wednesday 30 October 2013 11:58:56 Sam Tuke wrote:
> I'll collect them and pick the best for use now and in future.
>
> Stimuli:
> You trust GPG with what?
> It's the only app that does what for you / your business?
> Without it you couldn't do what?

I wonder why not more respondents have written about authenticity? I'm not terribly good with this sort of thing, but I'll try:

"My handwriting is unique. With GPG, so is my email."

Cheers,
Johannes

From johanw at vulcan.xs4all.nl Sat Nov 2 17:46:28 2013
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Sat, 02 Nov 2013 17:46:28 +0100
Subject: gpgsm and expired certificates
In-Reply-To: <52750DEB.6090408@sixdemonbag.org>
References: <87r4b8ic36.fsf@mat.ucm.es> <87k3gzyhhr.fsf__27502.296298235$1382815337$gmane$org@vigenere.g10code.de> <87ppqriyue.fsf@mat.ucm.es> <87fvrnxkci.fsf__38096.124205231$1382858228$gmane$org@vigenere.g10code.de> <87li1fhz83.fsf@mat.ucm.es> <871u37xbqr.fsf__23314.7300001749$1382869296$gmane$org@vigenere.g10code.de> <8761si4vrm.fsf@mat.ucm.es> <1745551923.20131101142927@my_localhost> <20131101114756.Horde.f5Rbb0PJwmQx-cHcO0Kmjg7@mail.sixdemonbag.org> <150670278.20131102141141@my_localhost> <52750DEB.6090408@sixdemonbag.org>
Message-ID: <52752C64.80102@vulcan.xs4all.nl>

On 2-11-2013 15:36, Robert J. Hansen wrote:

> I can't help but think, as I see the tenor of the discussion about the
> NSA, that there are probably thousands of good and decent people in that
> agency who are concerned with following the law and respecting civil
> liberties -- and they probably feel an awful lot like Marshal Kane right
> now, wondering whether it's even worth it.

Perhaps. But those people make me think more of what we call here "mayor in wartime": during WW2, some mayors kept their position under the Germans with the intention to prevent someone worse (like a member of the local Nazi party) from taking the post and to prevent as much cruelty as possible. This turned out to be nearly impossible, and after the war those mayors were not looked kindly upon. You can't keep your hands clean when you take such a post.

Another example would be the countless Stasi employees who really thought they were doing the people a favor by defending them against those evil capitalists. The people mostly didn't agree.

The NSA employees might think they are protecting the people against someone worse than they are, but in many places outside the US the US is now seen as the primary enemy. Not that we like terrorists that much, but we have reached the point where the US causes more problems and deaths of innocents than its enemies. Especially because they more or less admit that all non-US citizens are fair game.

> They are not practicing guilt by suspicion. They are practicing, "hey,
> let's collect as much information as possible on this crime so that we
> can find the truly guilty person."

Another problem with the US, they tend to make out for others what "crimes" are. The wars on drugs and copyright infringement are typical examples of where the pressure of the US goes against the interests of the people in other countries (and even their own).

> Police do not determine guilt. Courts determine guilt. Police are in
> the business of collecting information. In a very real sense, police
> are a domestic intelligence agency.

That would be true in an ideal world. In the real world the police is often in the business of fabricating and / or withholding evidence.

--
Met vriendelijke groet / With kind regards,
Johan Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From johanw at vulcan.xs4all.nl Sat Nov 2 17:50:22 2013
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Sat, 02 Nov 2013 17:50:22 +0100
Subject: Quotes from GPG users
In-Reply-To: <1750272.JbdLGX0ukF@mani>
References: <5270E670.3070307@gnupg.org> <1750272.JbdLGX0ukF@mani>
Message-ID: <52752D4E.7080904@vulcan.xs4all.nl>

On 2-11-2013 17:43, Johannes Zarl wrote:

> I wonder why not more respondents have written about authenticity?

Probably because encryption is the more important use of gpg to most people. If you have sensitive discussions via email, my experience is that if a stranger would impersonate one sender, it would immediately be noticed due to lack of knowledge about things previously said.

--
Met vriendelijke groet / With kind regards,
Johan Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From samtuke at gnupg.org Sat Nov 2 18:14:46 2013
From: samtuke at gnupg.org (Sam Tuke)
Date: Sat, 02 Nov 2013 18:14:46 +0100
Subject: Quotes from GPG users
In-Reply-To: <1750272.JbdLGX0ukF@mani>
References: <5270E670.3070307@gnupg.org> <1750272.JbdLGX0ukF@mani>
Message-ID: <52753306.5060407@gnupg.org>

On 02/11/13 17:43, Johannes Zarl wrote:
> "My handwriting is unique. With GPG, so is my email."

Brilliant, thanks! Admirably concise.

Sam.

--
Sam Tuke
Campaign Manager
Gnu Privacy Guard
0044 78680 77871
From samtuke at gnupg.org Sat Nov 2 18:17:57 2013
From: samtuke at gnupg.org (Sam Tuke)
Date: Sat, 02 Nov 2013 18:17:57 +0100
Subject: Quotes from GPG users
In-Reply-To: <52752A87.1040505@aktivix.org>
References: <5270E670.3070307@gnupg.org> <52752A87.1040505@aktivix.org>
Message-ID: <527533C5.2070300@gnupg.org>

On 02/11/13 17:38, kwadronaut wrote:
> GnuPG might be clumsy, but it gets my message across, to the intended
> recipients!

Thanks kwadronaut. You're highlighting the signing aspect here I presume?

Best,

Sam.

--
Sam Tuke
Campaign Manager
Gnu Privacy Guard
0044 78680 77871

From free10pro at gmail.com Sat Nov 2 19:02:57 2013
From: free10pro at gmail.com (Paul R. Ramer)
Date: Sat, 02 Nov 2013 11:02:57 -0700
Subject: trust your corporation for keyowner identification?
In-Reply-To: <526e2592.vizyzHwEGhmqqHhK%sttob@privatdemail.net>
References: <525EEE33.1060304__39450.1849696555$1381953182$gmane$org@dougbarton.us> <109563160.20131016222807__37584.6967836425$1381959035$gmane$org@my_localhost> <525FE12A.5040307__21646.6946680614$1382015420$gmane$org@vulcan.xs4all.nl> <20131017135454.Horde.PF7HtsAisFNCiofjRFOv2w7@mail.sixdemonbag.org> <52669348.+eLRL6ulbwvCCmiJ%sttob@privatdemail.net> <5266F5CA.80509@sixdemonbag.org> <526806e2.PnylUKoa89KDX8qO%sttob@privatdemail.net> <52681AFA.2060102@digitalbrains.com> <52685878.6AXcxDzMhOJmhsWU%sttob@privatdemail.net> <5268E9F2.1050108@digitalbrains.com> <5269588e.wAXyOS+XkCb/A4Oa%sttob@privatdemail.net> <526e2592.vizyzHwEGhmqqHhK%sttob@privatdemail.net>
Message-ID: <72ff7e95-a66b-411c-abd4-4e83af5c0827@email.android.com>

Stan Tobias wrote:
> Yes, but by remote communication. The reasoning goes like this: The
> signature is validated by my certificate (or, in case 2a, by my friends'
> whom I trust fully). The message is authenticated by X's valid signature,
> therefore the message has not been tampered with and its author is X.
> X says he uses a new key K2. Because I've got this message from X,
> I have verified the ownership of K2, so I can sign it.

Sorry, but this is wrong. The certificate of the first key is valid, the signature of the message is valid, but your correspondent's claim to ownership of the second key is not yet proven. While you know that whoever has control of the first key sent you that message, you have not confirmed that he can decrypt and sign with the second key.

>> The idea of using a different channel for confirming key details such as
>> a key fingerprint is really a way of trying to avoid a man-in-the-middle
>> attack on the verification of the key and its UIDs. It is not entirely
>> foolproof--nothing is.
>
> I don't understand how man-in-the-middle fits here, I was exploring an idea
> if a trust (belief) once correctly initiated could later be transferred
> purely remotely (electronically), without physical contact.

I was commenting on why verification of key details outside of non-secure electronic channels prior to certification is useful rather than receiving a request electronically for you to certify a person's key and assuming it to be verification enough without using another channel to verify the request and purported key details.

Cheers,

--Paul

--
PGP: 3DB6D884

From oub at mat.ucm.es Sat Nov 2 19:48:39 2013
From: oub at mat.ucm.es (Uwe Brauer)
Date: Sat, 02 Nov 2013 19:48:39 +0100
Subject: gpgsm and expired certificates
References: <87r4b8ic36.fsf@mat.ucm.es> <87k3gzyhhr.fsf__27502.296298235$1382815337$gmane$org@vigenere.g10code.de> <87ppqriyue.fsf@mat.ucm.es> <87fvrnxkci.fsf__38096.124205231$1382858228$gmane$org@vigenere.g10code.de> <87li1fhz83.fsf@mat.ucm.es> <871u37xbqr.fsf__23314.7300001749$1382869296$gmane$org@vigenere.g10code.de> <8761si4vrm.fsf@mat.ucm.es> <1745551923.20131101142927@my_localhost>
Message-ID: <87fvreprlk.fsf@mat.ucm.es>

>> "MFPA" == MFPA writes:

> Hi
> On Sunday 27 October 2013 at 2:46:05 PM, in
> , Uwe Brauer wrote:

> Isn't the NSA "a government based organisation?" Surely
> guilt-by-association renders every government based organisation just
> as nefarious as the NSA.

Your point being?

I presume it goes like this: NSA is "a government based organisation" doing, among other things, violations of civil rights. So any other government based organisation cannot be trusted, end of argument.

Well I just talked about a service, which provides certificates to its citizens. That means it signs a public/private key pair, which is generated by the, hopefully open source, crypto module of your browser.
So either you claim to have evidence that these modules have been hacked and the key pair is transferred to some of these evil organisations or I really don't see your point.

Uwe Brauer

From peter at digitalbrains.com Sat Nov 2 20:20:28 2013
From: peter at digitalbrains.com (Peter Lebbing)
Date: Sat, 02 Nov 2013 20:20:28 +0100
Subject: gpgsm and expired certificates
In-Reply-To: <87fvreprlk.fsf@mat.ucm.es>
References: <87r4b8ic36.fsf@mat.ucm.es> <87k3gzyhhr.fsf__27502.296298235$1382815337$gmane$org@vigenere.g10code.de> <87ppqriyue.fsf@mat.ucm.es> <87fvrnxkci.fsf__38096.124205231$1382858228$gmane$org@vigenere.g10code.de> <87li1fhz83.fsf@mat.ucm.es> <871u37xbqr.fsf__23314.7300001749$1382869296$gmane$org@vigenere.g10code.de> <8761si4vrm.fsf@mat.ucm.es> <1745551923.20131101142927@my_localhost> <87fvreprlk.fsf@mat.ucm.es>
Message-ID: <5275507C.1030309@digitalbrains.com>

On 02/11/13 19:48, Uwe Brauer wrote:
> So either you claim to have evidence that these modules have been hacked
> and the key pair is transferred to some of these evil organisations or I
> really don't see your point.

I think the most common way for an X.509 CA to be deceitful is by giving someone else a certificate with your name on it, not by stealing your key. Then I would be under the impression I was holding an encrypted and signed conversation with /you/, but I would be talking to the well-funded attacker that got the false certificate. That attacker could then re-encrypt and send it on to you, to be a man in the middle.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From gnupg at oneiroi.net Sat Nov 2 20:33:35 2013
From: gnupg at oneiroi.net (Filip M. Nowak)
Date: Sat, 02 Nov 2013 20:33:35 +0100
Subject: gpgsm and expired certificates
In-Reply-To: <5275507C.1030309@digitalbrains.com>
References: <87r4b8ic36.fsf@mat.ucm.es> <87k3gzyhhr.fsf__27502.296298235$1382815337$gmane$org@vigenere.g10code.de> <87ppqriyue.fsf@mat.ucm.es> <87fvrnxkci.fsf__38096.124205231$1382858228$gmane$org@vigenere.g10code.de> <87li1fhz83.fsf@mat.ucm.es> <871u37xbqr.fsf__23314.7300001749$1382869296$gmane$org@vigenere.g10code.de> <8761si4vrm.fsf@mat.ucm.es> <1745551923.20131101142927@my_localhost> <87fvreprlk.fsf@mat.ucm.es> <5275507C.1030309@digitalbrains.com>
Message-ID: <5275538F.1080301@oneiroi.net>

On 02.11.2013 20:20, Peter Lebbing wrote:
> On 02/11/13 19:48, Uwe Brauer wrote:
>> So either you claim to have evidence that these modules have been hacked
>> and the key pair is transferred to some of these evil organisations or I
>> really don't see your point.
>
> I think the most common way for an X.509 CA to be deceitful is by giving someone
> else a certificate with your name on it, not by stealing your key.
>
> (...)

Not mentioning giving away (actually signing) intermediate CA keys.

Cheers,
Filip

From kloecker at kde.org Sat Nov 2 20:44:10 2013
From: kloecker at kde.org (Ingo Klöcker)
Date: Sat, 02 Nov 2013 20:44:10 +0100
Subject: gpgsm and expired certificates
In-Reply-To: <87fvreprlk.fsf@mat.ucm.es>
References: <87r4b8ic36.fsf@mat.ucm.es> <1745551923.20131101142927@my_localhost> <87fvreprlk.fsf@mat.ucm.es>
Message-ID: <2847581.NdkjrvGDoX@thufir.ingo-kloecker.de>

On Saturday 02 November 2013 19:48:39 Uwe Brauer wrote:
> >> "MFPA" == MFPA writes:
> > Hi
> > On Sunday 27 October 2013 at 2:46:05 PM, in
> > , Uwe Brauer wrote:
> >
> > Isn't the NSA "a government based organisation?" Surely
> > guilt-by-association renders every government based organisation
> > just
> > as nefarious as the NSA.
>
> Your point being?
>
> I presume it goes like this: NSA is "a government based
> organisation" doing, among other things, violations of civil rights.
>
> So any other government based organisation cannot be trusted, end of
> argument.
>
> Well I just talked about a service, which provides certificates to
> its citizens. That means it signs a public/private key pair, which is
> generated by the, hopefully open source, crypto module of your
> browser.
>
> So either you claim to have evidence that these modules have been
> hacked and the key pair is transferred to some of these evil
> organisations or I really don't see your point.

Since I had exactly the same thought as MFPA (namely that the NSA is a government based organization), I'll explain my thoughts (which could be different from MFPA's point).

You, Uwe Brauer, wrote:
> I would prefer a government based organisation which provides this
> service to its citizens (especially because of all which was lately
> revealed about the NSA)

where "this service" refers to the service a commercial, not government based CA like comodo offers. I interpreted "especially because of all which was lately revealed about the NSA" to refer to the NSA's ability to forge certificates issued by commercial CAs (e.g. by forcing the CAs to provide such a certificate). Now my thinking was that the NSA (or some other country's secret agency, e.g. the German BND) probably wouldn't have more problems to get forged certificates if they were issued by a government based CA.

OTOH, you wrote the above in reply to Werner's
> The business model of most CAs is to sell you a subscription by
> setting the expiration time very low so that they can ask after a
> year for another fee to create a new certificate. Here it does not
> make sense to create a new private key every year.
So, your point/hope probably was that a government based CA wouldn't have such a business model and would instead offer this service gratis to the people (so that more people would be protected from the NSA reading their mail). If this was your point then apparently I didn't see it when I first read your message.

Regards,
Ingo

From sttob at privatdemail.net Sat Nov 2 21:36:32 2013
From: sttob at privatdemail.net (Stan Tobias)
Date: Sat, 02 Nov 2013 21:36:32 +0100
Subject: gpgsm and expired certificates
In-Reply-To: <20131101122530.Horde.L0bejumqV5vfMfmqhBR7JQ1@mail.sixdemonbag.org>
References: <87r4b8ic36.fsf@mat.ucm.es> <87k3gzyhhr.fsf__27502.296298235$1382815337$gmane$org@vigenere.g10code.de> <87ppqriyue.fsf@mat.ucm.es> <87fvrnxkci.fsf__38096.124205231$1382858228$gmane$org@vigenere.g10code.de> <87li1fhz83.fsf@mat.ucm.es> <871u37xbqr.fsf__23314.7300001749$1382869296$gmane$org@vigenere.g10code.de> <8761si4vrm.fsf@mat.ucm.es> <1745551923.20131101142927@my_localhost> <20131101122530.Horde.L0bejumqV5vfMfmqhBR7JQ1@mail.sixdemonbag.org>
Message-ID: <52756250.b/FY7V2NJlvyVY9x%sttob@privatdemail.net>

"Robert J. Hansen" wrote:

> My previous email was pretty dry and impersonal. This one is very personal.
>
> > Isn't the NSA "a government based organisation?" Surely
> > guilt-by-association renders every government based organisation just
> > as nefarious as the NSA.
>
> My current job
> John Moore III,
> Werner
> There are a lot of people on this list
>
> You owe all of us an apology.

To the defense of MFPA, he was speaking of government based *organisations*. Organisations don't have a conscience. People are a different kind, they often work for you against general policies, if you can interpret signs correctly and cooperate.

Kindly,

Stan Tobias.
From sttob at privatdemail.net Sat Nov 2 22:08:56 2013
From: sttob at privatdemail.net (Stan Tobias)
Date: Sat, 02 Nov 2013 22:08:56 +0100
Subject: Quotes from GPG users
In-Reply-To: <52752A87.1040505@aktivix.org>
References: <5270E670.3070307@gnupg.org> <52752A87.1040505@aktivix.org>
Message-ID: <527569e8.IGzpR1PWFF0S5+iD%sttob@privatdemail.net>

On 30/10/13 11:58, Sam Tuke wrote:
> I'm working with Werner to promote GnuPG and raise awareness. To that end we're
> collecting quotes from users - endorsements from people who know and trust GPG,
> people like you.
>
> If you want to help us, send your own statement about why GPG is important to
> you. Please keep it less than or equal to 130 characters, so it can be used on
> social networks.
>
> I'll collect them and pick the best for use now and in future.

From my past experience a few years ago in a small company I can say that some corporate type people seem to have an irrational distrust of anything "free". When I tried to introduce GnuPG as part of a solution, I had a feeling they treated it as a second rate implementation by a bunch of amateurs.

It's not a real quote, I'm afraid, but if I could propose a slogan, it would be something like: "GnuPG is mainstream".

Stan T.

From free10pro at gmail.com Sun Nov 3 03:08:15 2013
From: free10pro at gmail.com (Paul R. Ramer)
Date: Sat, 02 Nov 2013 19:08:15 -0700
Subject: trust your corporation for keyowner identification?
In-Reply-To: <20131102212504.GD14302@leortable>
References: <52669348.+eLRL6ulbwvCCmiJ%sttob@privatdemail.net> <5266F5CA.80509@sixdemonbag.org> <526806e2.PnylUKoa89KDX8qO%sttob@privatdemail.net> <52681AFA.2060102@digitalbrains.com> <52685878.6AXcxDzMhOJmhsWU%sttob@privatdemail.net> <5268E9F2.1050108@digitalbrains.com> <5269588e.wAXyOS+XkCb/A4Oa%sttob@privatdemail.net> <526e2592.vizyzHwEGhmqqHhK%sttob@privatdemail.net> <72ff7e95-a66b-411c-abd4-4e83af5c0827@email.android.com> <20131102212504.GD14302@leortable>
Message-ID: <5275B00F.7030404@gmail.com>

On 11/02/2013 02:25 PM, Leo Gaspard wrote:
> On Sat, Nov 02, 2013 at 11:02:57AM -0700, Paul R. Ramer wrote:
>> Stan Tobias wrote:
>>> Yes, but by remote communication. The reasoning goes like this: The
>>> signature is validated by my certificate (or, in case 2a, by my friends'
>>> whom I trust fully). The message is authenticated by X's valid signature,
>>> therefore the message has not been tampered with and its author is X.
>>> X says he uses a new key K2. Because I've got this message from X,
>>> I have verified the ownership of K2, so I can sign it.
>>
>> Sorry, but this is wrong. The certificate of the first key is valid, the
>> signature of the message is valid, but your correspondent's claim to
>> ownership of the second key is not yet proven. While you know that whoever
>> has control of the first key sent you that message, you have not confirmed
>> that he can decrypt and sign with the second key.
>
> Isn't the presence of a UID sufficient for this matter ?

No, it is not. Here is why. When you verify a key to sign you are verifying the following:

1) For each UID, that the name is correct and that the purported owner has control of the email in that UID (possibly also verifying the comment if it contains something such as "CEO ABC Corporation").
2) That the purported owner has control of the key and can decrypt and sign messages.

For #1, it is possible that the user has no name or email address in the UID(s).
Either way, you need to verify the details of the UIDs that you intend to sign. For #2, you need to verify the key fingerprint, algorithm, and key size (but the fingerprint at a minimum) and then have the user demonstrate that he can decrypt a message encrypted with the key in question and also sign with it. This can be done by sending a message of unknown content (from the purported key owner's perspective) to him to each email that he claims to have in each of his UIDs (provided he has any) and require him to reply with a signed copy of the decrypted message. This serves to verify the control of the key and the email addresses. The reason the presence of a UID on that second key that is in congruence with UID(s) that you have verified on the first key is not sufficient is because although the UID may seem good (or maybe even be identical to the UID(s) on the first key), you have not verified that he indeed has control of the second key. While you may feel that the key *should* be under his control and that there is little chance that it is not, it does not mean that you have verified his control of that second key, which means that you have not verified that key. >> I was commenting on why verification of key details outside of non-secure electronic channels prior to certification is useful rather than receiving a request electronically for you to certify a person's key and assuming it to be verification enough without using another channel to verify the request and purported key details. > > IMHO, exchanging emails with someone whose key you want to sign is at least as > important as meeting him / her in person. > > Indeed, a key could have a UID containing only an email address (thus could be > signed using only an email exchange, by proving the ownership of the email > address more than any discussion with a pretended email owner), while a UID > containing only a name would be, IMHO, quite less common, as AFAIK, the most > common use of PGP is for emails. 
(Yes, I know, it is not always the case, but > for the average user it is.) Verifying the key fingerprint and exchanging encrypted and signed messages would verify control. This is true. You can't verify control by talking to them in person. Cheers, --Paul From ekleog at gmail.com Sun Nov 3 03:34:25 2013 From: ekleog at gmail.com (Leo Gaspard) Date: Sun, 3 Nov 2013 03:34:25 +0100 Subject: trust your corporation for keyowner identification? In-Reply-To: <5275B00F.7030404@gmail.com> References: <526806e2.PnylUKoa89KDX8qO%sttob@privatdemail.net> <52681AFA.2060102@digitalbrains.com> <52685878.6AXcxDzMhOJmhsWU%sttob@privatdemail.net> <5268E9F2.1050108@digitalbrains.com> <5269588e.wAXyOS+XkCb/A4Oa%sttob@privatdemail.net> <526e2592.vizyzHwEGhmqqHhK%sttob@privatdemail.net> <72ff7e95-a66b-411c-abd4-4e83af5c0827@email.android.com> <20131102212504.GD14302@leortable> <5275B00F.7030404@gmail.com> Message-ID: <20131103023425.GF14302@leortable> (Sorry, I once again sent the message only to you and not to the list -- I really need to get used to mailing lists, sorry !) On Sat, Nov 02, 2013 at 07:08:15PM -0700, Paul R. Ramer wrote: > On 11/02/2013 02:25 PM, Leo Gaspard wrote: > > Isn't the presence of a UID sufficient for this matter ? > > No, it is not. Here is why. When you verify a key to sign you are > verifying the following: > > 1) For each UID, that the name is correct and that the purported owner > has control of the email in that UID (possibly also verifying the > comment if it contains something such as "CEO ABC Corporation"). > 2) That the purported owner has control of the key and can decrypt and > sign messages. > > [...] Well... 1) Checked by the other key's message. Because signed (K1) message from Alice, saying she has access to K2, means any UID on K2 named Alice is as right as the equivalent UID on K1. So the UIDs are correct. 2) Checked by the presence of the UID. 
Because, to add a UID, one must have control of the secret key, and thus be able to decrypt / sign messages with it. And, as stated in (1), the UIDs are valid. So Alice, who added the UIDs, must have access to the secret key. The only case I could find of (2) invalid would be if Alice herself tried to trick you into signing a key with her name but used by Bob. Except it turns out that she could just as well have the key for the time of the key exchange, and then pass it to Bob. Where am I wrong ? Cheers, Leo From free10pro at gmail.com Sun Nov 3 05:20:38 2013 From: free10pro at gmail.com (Paul R. Ramer) Date: Sat, 02 Nov 2013 21:20:38 -0700 Subject: trust your corporation for keyowner identification? In-Reply-To: <20131103023425.GF14302@leortable> References: <526806e2.PnylUKoa89KDX8qO%sttob@privatdemail.net> <52681AFA.2060102@digitalbrains.com> <52685878.6AXcxDzMhOJmhsWU%sttob@privatdemail.net> <5268E9F2.1050108@digitalbrains.com> <5269588e.wAXyOS+XkCb/A4Oa%sttob@privatdemail.net> <526e2592.vizyzHwEGhmqqHhK%sttob@privatdemail.net> <72ff7e95-a66b-411c-abd4-4e83af5c0827@email.android.com> <20131102212504.GD14302@leortable> <5275B00F.7030404@gmail.com> <20131103023425.GF14302@leortable> Message-ID: <5275CF16.6010707@gmail.com> On 11/02/2013 07:34 PM, Leo Gaspard wrote: > Well... > 1) Checked by the other key's message. Because signed (K1) message from Alice, > saying she has access to K2, means any UID on K2 named Alice is as right as > the equivalent UID on K1. So the UIDs are correct. > 2) Checked by the presence of the UID. Because, to add a UID, one must have > control of the secret key, and thus be able to decrypt / sign messages with > it. And, as stated in (1), the UIDs are valid. So Alice, who added the UIDs, > must have access to the secret key. > > The only case I could find of (2) invalid would be if Alice herself tried to > trick you into signing a key with her name but used by Bob. 
Except it turns > out that she could just as well have the key for the time of the key exchange, > and then pass it to Bob. In your points, (1) assumes that Key 2 has UIDs that are the same as those on Key 1, i.e. their are no UIDs with new email addresses or different names. Likely, this would be true, but I am not making any assumptions here on the UIDs. As for (2), yes, whoever has control of the key must have created the UIDs and can decrypt and sign messages. But you are still assuming that because Alice said that she owns Key 2, sent you a signed message saying so, and the UIDs match those on Key 1 (most likely) that she has control of the key and that you still do not need to verify that she can decrypt and sign messages. The probability that it is her key and that she does have control of it is, I believe, high. Being probable does not mean that you have verified that she controls the key. Cheers, --Paul From dkg at fifthhorseman.net Sun Nov 3 20:13:41 2013 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Sun, 03 Nov 2013 14:13:41 -0500 Subject: Quotes from GPG users In-Reply-To: <5270E670.3070307@gnupg.org> References: <5270E670.3070307@gnupg.org> Message-ID: <5276A065.20806@fifthhorseman.net> On 10/30/2013 06:58 AM, Sam Tuke wrote: > If you want to help us, send your own statement about why GPG is important to > you. Please keep it less than or equal to 130 characters, so it can be used on > social networks. As a Debian user, I rely on GnuPG to ensure that the software I install hasn't been tampered with. --dkg From markoran at eunet.rs Sun Nov 3 22:01:18 2013 From: markoran at eunet.rs (Marko Randjelovic) Date: Sun, 3 Nov 2013 22:01:18 +0100 Subject: Quotes from GPG users In-Reply-To: <5270E670.3070307@gnupg.org> References: <5270E670.3070307@gnupg.org> Message-ID: <20131103220118.475e96c0@eunet.rs> On Wed, 30 Oct 2013 11:58:56 +0100 Sam Tuke wrote: > If you want to help us, send your own statement about why GPG is important to > you. 
> Please keep it less than or equal to 130 characters, so it can be used on
> social networks.
>
> I'll collect them and pick the best for use now and in future.

I send five variants (but the best is all of them :) ):

I use GnuPG because I care and because I was taught it was a sin to open
other people's letters.

I use GnuPG because there was a country where people used to say "OZNA comes
to know anything".

I use GnuPG because I don't trade with my independence.

I use GnuPG because I don't trade with my freedom.

I use GnuPG because I take critical attitude towards possibility of abuse of
my data.

-- 
http://mr.flossdaily.org


From oub at mat.ucm.es Sun Nov 3 23:02:14 2013
From: oub at mat.ucm.es (Uwe Brauer)
Date: Sun, 03 Nov 2013 23:02:14 +0100
Subject: gpgsm and expired certificates
References: <87r4b8ic36.fsf@mat.ucm.es>
    <1745551923.20131101142927@my_localhost>
    <87fvreprlk.fsf@mat.ucm.es>
    <2847581.NdkjrvGDoX__40120.3072433875$1383421546$gmane$org@thufir.ingo-kloecker.de>
Message-ID: <87habtnnyx.fsf@mat.ucm.es>

>> "Ingo" == Ingo Klöcker writes:

   > I interpreted "especially because of all which was lately revealed about
   > the NSA"

No it was more of a general remark, concerning NSA malpractice of reading
everybody's (unencrypted) email unconditionally.

   > So, your point/hope probably was that a government based CA
   > wouldn't have such a business model and would instead offer this
   > service gratis to the people (so that more people would be
   > protected from the NSA reading their mail). If this was your point
   > then apparently I didn't see it when I first read your message.

That was *precisely* my point, thanks for clarifying it

Uwe Brauer
From cp at axs.org Mon Nov 4 06:45:32 2013
From: cp at axs.org (Chuck Peters)
Date: Mon, 04 Nov 2013 00:45:32 -0500
Subject: Changing default digest algo
Message-ID: <5277347C.6080404@axs.org>

I generated some new keys in Sept and would like to convert the digest from
SHA1 to SHA512.

I added the following to gpg.conf:

personal-digest-preferences SHA512
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

I changed the preferences:

gpg> setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

And verified:

gpg> showpref
[ultimate] (1). Charles F. Peters II (Chuck)
     Cipher: AES256, AES192, AES, CAST5, 3DES
     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify

When I check the keys, it still shows SHA1:

$ gpg --export-options export-minimal --export 23E9EB24 | gpg --list-packets |grep -A 2 signature|grep 'digest algo 2,'
        digest algo 2, begin of digest a3 6e
        digest algo 2, begin of digest 3b 34
        digest algo 2, begin of digest f2 3e
        digest algo 2, begin of digest ae 58
        digest algo 2, begin of digest 67 fa
        digest algo 2, begin of digest e6 39

I tried a few things like changing the passphrase, signing my key and
gpg --s2k-digest-algo SHA512 --edit-key 23E9EB24
and nothing seems to work.

How do I change the digest to SHA512?

Thanks,
Chuck

1.
   http://www.debian-administration.org/users/dkg/weblog/48
2. https://we.riseup.net/riseuplabs+paow/openpgp-best-practices


From dkg at fifthhorseman.net Mon Nov 4 08:13:37 2013
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 04 Nov 2013 02:13:37 -0500
Subject: Changing default digest algo
In-Reply-To: <5277347C.6080404@axs.org>
References: <5277347C.6080404@axs.org>
Message-ID: <52774921.9060008@fifthhorseman.net>

On 11/04/2013 12:45 AM, Chuck Peters wrote:
> I added the following to gpg.conf:
> personal-digest-preferences SHA512
> cert-digest-algo SHA512
> default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES
> CAST5 ZLIB BZIP2 ZIP Uncompressed
>
> I changed the preferences:
> gpg> setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB
> BZIP2 ZIP Uncompressed
>
> And verified:
> gpg> showpref
> [ultimate] (1). Charles F. Peters II (Chuck)
>      Cipher: AES256, AES192, AES, CAST5, 3DES
>      Digest: SHA512, SHA384, SHA256, SHA224, SHA1
>      Compression: ZLIB, BZIP2, ZIP, Uncompressed
>      Features: MDC, Keyserver no-modify

these steps look right to me, though i don't see the updated preferences on
the public keyserver network yet.

> When I check the keys, it still shows SHA1:
> $ gpg --export-options export-minimal --export 23E9EB24 | gpg
> --list-packets |grep -A 2 signature|grep 'digest algo 2,'
>         digest algo 2, begin of digest a3 6e
>         digest algo 2, begin of digest 3b 34
>         digest algo 2, begin of digest f2 3e
>         digest algo 2, begin of digest ae 58
>         digest algo 2, begin of digest 67 fa
>         digest algo 2, begin of digest e6 39

your key has four signing-capable subkeys and two encryption-capable
subkeys.  It also has two user IDs.  This means that there should be eight
self-signatures (4 + 2 + 2 = 8).  Above, you're only showing 6 self-sigs
with SHA-1.

I suspect that your User IDs (where the preference subpackets are stored)
are actually being certified with a stronger digest, but your subkey binding
signatures have not been adjusted.
I just tested with an example profile using configuration options similar to
the ones you've described above, and found that newly-created subkeys (after
the config change) are bound with a subkey binding signature over the
preferred cert-digest-algo.

so one approach (if there are no other suggestions for re-creating new
subkey binding signatures on the existing subkeys) is that you could
generate new subkeys and revoke the old ones.

hth,

--dkg

PS as an aside, having two 4096-bit encryption-capable subkeys is probably
not useful.  Your peers who encrypt traffic to you will need to choose one
to encrypt to, and they will just choose the most recent one.  I recommend
revoking all but the most recent.  If you have a good reason for keeping
all 4 signing-capable subkeys (e.g. you are distributing signing-capable
subkeys to separate devices which you want to be able to revoke if those
devices become compromised), that's fine.  If that's not the case, you
probably want to revoke most of those signing-capable subkeys too.

PPS you may be interested in:

http://lists.gnupg.org/pipermail/gnupg-devel/2009-May/024986.html


From samtuke at gnupg.org Mon Nov 4 10:26:21 2013
From: samtuke at gnupg.org (Sam Tuke)
Date: Mon, 04 Nov 2013 10:26:21 +0100
Subject: Quotes from GPG users
In-Reply-To: <5276A065.20806@fifthhorseman.net>
References: <5270E670.3070307@gnupg.org> <5276A065.20806@fifthhorseman.net>
Message-ID: <5277683D.3010801@gnupg.org>

On 03/11/13 20:13, Daniel Kahn Gillmor wrote:
> As a Debian user, I rely on GnuPG to ensure that the software I install hasn't
> been tampered with.

Excellent thanks Daniel!

Sam.

-- 
Sam Tuke
Campaign Manager
Gnu Privacy Guard
0044 78680 77871
From wk at gnupg.org Mon Nov 4 09:22:49 2013
From: wk at gnupg.org (Werner Koch)
Date: Mon, 04 Nov 2013 09:22:49 +0100
Subject: [Announce] Details on the GnuPG 1.4.15 and 2.0.22 release
In-Reply-To: <877gds3xkv.fsf@vigenere.g10code.de> (Werner Koch's message of
    "Sat, 05 Oct 2013 10:56:32 +0200")
References: <877gds3xkv.fsf@vigenere.g10code.de>
Message-ID: <87fvrck23q.fsf@vigenere.g10code.de>

Hi!

Taylor asked me to forward this background info:

On Sat, 5 Oct 2013 10:56, wk at gnupg.org said:

> not yet been seen in the wild.  Details of the attack will eventually
> be published by its inventor.

The zlib compression language that OpenPGP uses is powerful enough to
express an OpenPGP compression quine -- that is, an OpenPGP compressed data
packet that decompresses to itself -- causing infinite nesting of OpenPGP
packets.  Source code to generate such a quine is at .

When fed the quine, older versions of GnuPG would blow the stack and crash.
GnuPG 1.4.15 and GnuPG 2.0.22 avoid this by setting a small constant bound
on the depth of packet nesting.

(This is similar to Tavis Ormandy's IPcomp compression quine, reported in
CVE-2011-1547, which I didn't know about at the time I made the OpenPGP
compression quine.  Both of us had read Russ Cox's article on zlib
compression quines: .)

Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
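Two of the threads above come down to the same piece of OpenPGP packet parsing. Daniel's diagnosis of Chuck's key asks which self-signatures still carry "digest algo 2": User-ID self-certifications (signature class 0x13, where the preference subpackets live) or subkey-binding signatures (class 0x18). The compression quine described in this announcement shows why the same parser must not follow Compressed Data packets to arbitrary depth. The Python below is an added worked example by the editor of this archive page; it is not GnuPG source and was not posted by anyone in these threads. It decodes RFC 4880 packet headers (old and new format), inflates Compressed Data packets (tag 8, ZIP or ZLIB) only up to an assumed nesting bound and an assumed per-packet output cap (MAX_NESTING and MAX_INFLATE; the actual constant GnuPG chose is not stated in the announcement), and tabulates signature class against digest algorithm. The packet stream it walks is constructed inside the block to mirror the 4 + 2 + 2 = 8 self-signatures Daniel counted, with the two User-ID certifications on SHA-512 and the six subkey bindings still on SHA-1; it is not a real key.

```python
"""Bounded OpenPGP packet walker: added illustration, not GnuPG's code.
Parses RFC 4880 section 4.2 packet headers, descends into Compressed Data
packets (tag 8) only to a hard nesting bound, and reports the class and
digest algorithm of each v4 signature packet found."""
import zlib
from collections import Counter

MAX_NESTING = 4        # assumed bound; GnuPG's actual constant is not on the page
MAX_INFLATE = 1 << 20  # assumed cap on bytes inflated from one compressed packet
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",   # RFC 4880 9.4
              9: "SHA384", 10: "SHA512", 11: "SHA224"}

class NestingTooDeep(ValueError):
    """Compressed packets nested deeper than MAX_NESTING."""

def iter_packets(data):
    """Yield (tag, body) per packet; partial and indeterminate lengths are rejected."""
    pos = 0
    while pos < len(data):
        ptag = data[pos]
        if not ptag & 0x80:
            raise ValueError("packet tag octet lacks bit 7")
        if ptag & 0x40:                                    # new-format header
            tag, b = ptag & 0x3F, data[pos + 1]
            if b < 192:
                length, pos = b, pos + 2
            elif b < 224:
                length, pos = ((b - 192) << 8) + data[pos + 2] + 192, pos + 3
            elif b == 255:
                length, pos = int.from_bytes(data[pos + 2:pos + 6], "big"), pos + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                              # old-format header
            tag, ltype = (ptag >> 2) & 0x0F, ptag & 0x03
            n = {0: 1, 1: 2, 2: 4}[ltype]                  # type 3 (indeterminate): KeyError
            length, pos = int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        pos += length

def inflate(body):
    """Decompress a Compressed Data packet body, capped at MAX_INFLATE bytes."""
    algo, payload = body[0], body[1:]
    if algo == 0:                                          # uncompressed
        return payload
    if algo not in (1, 2):
        raise ValueError("unsupported compression algorithm %d" % algo)
    d = zlib.decompressobj(-15 if algo == 1 else zlib.MAX_WBITS)   # ZIP is raw DEFLATE
    out = d.decompress(payload, MAX_INFLATE)
    if d.unconsumed_tail:                                  # cap hit before input ran out
        raise ValueError("compressed packet inflates past MAX_INFLATE")
    return out

def walk(data, depth=0):
    """Return [(depth, sigclass, hash_algo)] for v4 signatures, recursing into tag 8."""
    found = []
    for tag, body in iter_packets(data):
        if tag == 2 and len(body) >= 4 and body[0] == 4:  # version, class, pk algo, hash
            found.append((depth, body[1], body[3]))
        elif tag == 8:
            if depth + 1 > MAX_NESTING:
                raise NestingTooDeep("compressed packets nested deeper than %d" % MAX_NESTING)
            found.extend(walk(inflate(body), depth + 1))
    return found

def summarize(found):
    """Count signatures by (sigclass, digest name), like grepping --list-packets."""
    return dict(Counter((sc, HASH_NAMES.get(a, "algo %d" % a)) for _, sc, a in found))

# --- constructed sample data (not a real key) --------------------------------
def new_packet(tag, body):
    """New-format header with one- or two-octet length (body < 8384 bytes)."""
    n = len(body)
    if n < 192:
        return bytes([0xC0 | tag, n]) + body
    return bytes([0xC0 | tag, 192 + ((n - 192) >> 8), (n - 192) & 0xFF]) + body

def old_packet(tag, body):
    """Old-format header with a one-octet length (tag < 16, body < 256 bytes)."""
    return bytes([0x80 | (tag << 2), len(body)]) + body

def fake_v4_sig(sigclass, hash_algo):
    """Minimal v4 signature body: version, class, RSA, hash algo, empty subpacket
    areas, left-16 bits, one dummy 8-bit MPI (no real signature inside)."""
    return bytes([4, sigclass, 1, hash_algo, 0, 0, 0, 0, 0xAB, 0xCD, 0, 8, 0xFF])

def compressed(inner, algo=2):
    """Wrap `inner` in a Compressed Data packet (1 = ZIP, 2 = ZLIB)."""
    c = zlib.compressobj(wbits=-15) if algo == 1 else zlib.compressobj()
    return new_packet(8, bytes([algo]) + c.compress(inner) + c.flush())

# Two SHA-512 User-ID self-certifications plus six SHA-1 subkey bindings: the
# 4 + 2 + 2 = 8 self-signatures of the thread, as the report above would look.
SAMPLE_SIGS = old_packet(2, fake_v4_sig(0x13, 10)) * 2 + new_packet(2, fake_v4_sig(0x18, 2)) * 6

def nested(levels, algo=2):
    """SAMPLE_SIGS wrapped in `levels` nested compressed packets."""
    data = SAMPLE_SIGS
    for _ in range(levels):
        data = compressed(data, algo)
    return data
```

summarize(walk(nested(2, algo=1))) gives {(0x13, 'SHA512'): 2, (0x18, 'SHA1'): 6}, which is what Chuck's grep for "digest algo 2" would look like once the signature class next to each digest line is taken into account: the six SHA-1 lines are subkey bindings, the two User-ID certifications already moved to SHA-512. A stream nested one level past MAX_NESTING raises NestingTooDeep before the innermost packet is inflated, which is the defensive shape of the fix the announcement describes: a constant depth bound, checked before recursing, rather than trusting the packet stream to terminate.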
From expires2013 at ymail.com Mon Nov 4 15:02:30 2013
From: expires2013 at ymail.com (MFPA)
Date: Mon, 4 Nov 2013 14:02:30 +0000
Subject: gpgsm and expired certificates
In-Reply-To: <87fvreprlk.fsf@mat.ucm.es>
References: <87r4b8ic36.fsf@mat.ucm.es>
    <87k3gzyhhr.fsf__27502.296298235$1382815337$gmane$org@vigenere.g10code.de>
    <87ppqriyue.fsf@mat.ucm.es>
    <87fvrnxkci.fsf__38096.124205231$1382858228$gmane$org@vigenere.g10code.de>
    <87li1fhz83.fsf@mat.ucm.es>
    <871u37xbqr.fsf__23314.7300001749$1382869296$gmane$org@vigenere.g10code.de>
    <8761si4vrm.fsf@mat.ucm.es>
    <1745551923.20131101142927@my_localhost>
    <87fvreprlk.fsf@mat.ucm.es>
Message-ID: <563460450.20131104140230@my_localhost>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Saturday 2 November 2013 at 6:48:39 PM, in , Uwe Brauer wrote:

> Your point being?

> I presume it goes like this: NSA is "a government
> based organisation" doing, among other things,
> violations of civil rights.

> So any other government based organisation cannot be
> trusted, end of argument.

Exactly.

> Well I just talked about a service, which provides
> certificates to its citizen. That means it signs a
> public/private key pair, which is generated by the,
> hopefully open source, crypto module of your browser.

> So either you claim to have evidence that this modules
> have been hacked and the key pair is transferred to
> some of these evil organisations or I really don't see
> your point.

Simply stated, it is established that government based organisations
sometimes act in a nefarious manner, contrary to the law and contrary to
the interests of the population. I view that as a reason not to trust
government based organisations. And if I don't trust government based
organisations, I cannot trust a certification issued by one.
Of course, private companies or individuals who issue certifications are
susceptible to coercion.

Whether issued by government or by private sector, a single certification on
a public key represents a single point of failure. It does not provide any
great level of assurance the corresponding private key is controlled by the
identity it claims. Such assurance could potentially be derived from numerous
certifications that are independent from each other, but how do you tell
which are truly independent?

Where actual identity is not required, just continuity of communication, I
see no value in obtaining any certification at all.


- --
Best regards

MFPA                    mailto:expires2013 at ymail.com

Can you imagine a world with no hypothetical situations?
-----BEGIN PGP SIGNATURE-----

iPQEAQEKAF4FAlJ3qQVXFIAAAAAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl
bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0
N0VDQTAzAAoJEKipC46tDG5pFGMD/3YXsKuEtEf9+H4qiQckLlEkv+ulrQnuepRn
PlDE6rsbzdIaa3aU9eRCwa9mydwwIByadgI1YhrdXlnxRk2Aa6mfuoFPkg5MEa8c
3ysvmrVY5DHPkSELkEeUZe6Nk1lcJz1JUUd2vT6cNpks68kYG1Zb/VaLoKbC4sW2
ypuROxWl
=1Moi
-----END PGP SIGNATURE-----


From expires2013 at ymail.com Mon Nov 4 15:33:44 2013
From: expires2013 at ymail.com (MFPA)
Date: Mon, 4 Nov 2013 14:33:44 +0000
Subject: gpgsm and expired certificates
In-Reply-To: <87habtnnyx.fsf@mat.ucm.es>
References: <87r4b8ic36.fsf@mat.ucm.es>
    <1745551923.20131101142927@my_localhost>
    <87fvreprlk.fsf@mat.ucm.es>
    <2847581.NdkjrvGDoX__40120.3072433875$1383421546$gmane$org@thufir.ingo-kloecker.de>
    <87habtnnyx.fsf@mat.ucm.es>
Message-ID: <1469681422.20131104143344@my_localhost>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Sunday 3 November 2013 at 10:02:14 PM, in , Uwe Brauer wrote:

>>> "Ingo" == Ingo Klöcker writes:

> > So, your point/hope probably was that a government
> based CA > wouldn't have such a business model and
> would instead offer this > service gratis to the
> people (so that more people would be > protected
> from the
> NSA reading their mail). If this was your
> point > then apparently I didn't see it when I first
> read your message.

> That was *precisely* my point, thanks for clarifying it

There are already several private sector CAs who provide free S/MIME
certificates in the hope that punters may take one of their paid products
instead or in addition. Potential sales is their incentive to provide some
products free. What would be a government's incentive to provide them free
of charge instead of charging for the admin? And what would a government
based CA bring to the party that is not already available?

If all we are talking about is email encryption to protect people's email
from being read in transit, a self-signed certificate takes care of the
encryption without the need for a CA. The only value in using a recognised
CA rather than a self-signed certificate is convenience for the recipient,
whose MUA is likely to automatically "trust" a recognised CA but would need
to be "told" to accept a self-signed certificate.


- --
Best regards

MFPA                    mailto:expires2013 at ymail.com

CAUTION! - Beware of Warnings!
-----BEGIN PGP SIGNATURE-----

iPQEAQEKAF4FAlJ3sFNXFIAAAAAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl
bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0
N0VDQTAzAAoJEKipC46tDG5ptlAD/jWuP+IpjL+RRBH1CazALnqMcKfb0M4pyBoe
+9SSDpPAR3CLFKBNi9/ThnVR28BAW3DWqILMq7n+5D+0Vu3jT4nC4Tvpz2tt2YfI
rTUV37E2U62tpydkIhsHuuD9auqjtS3nwxd3db6jfTf+yzz+1LY4+pXtAipdwKQr
JUKD0Rnl
=Kt8y
-----END PGP SIGNATURE-----


From olav at enigmail.net Mon Nov 4 16:11:24 2013
From: olav at enigmail.net (Olav Seyfarth)
Date: Mon, 04 Nov 2013 16:11:24 +0100
Subject: Smart card reader issues with Windows 8.1 Pro 64bit
Message-ID: <5277B91C.9010909@enigmail.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Hi list,

for a couple of years now I use an OpenPGP SmartCard for my daily mail.
Every message I sign gets signed by the card, every encrypted message I
receive gets decrypted by it.
My v1 card failed one day without warning, my v2 card works fine ever since I
got it (when v2 cards were released).

I used several computers, running Windows most of the time. And had many
issues. With Windows, Mac OS X, and Linux. While I was astounded by the lack
of support and plug-n-play integration of smart card readers (at least some
years ago), I also had trouble with Windows.

My Fujitsu Lifebook E780 for example: i7, 8G RAM, SSD, 15" non-glare
display,... A configuration one may also buy today. But it's no longer
supported by Fujitsu. Support in terms of BIOS and driver updates ended
2009(!), shortly after I bought it, and as soon as the successor model was
released. I chose to buy that laptop because it had a self-encrypting SSD, a
fingerprint reader - and a built-in smart card reader. But I was never able
to use it with my OpenPGP SmartCard: after the laptop went to standby the
reader would no longer recognize any card until rebooted. Fujitsu support
(3rd Level, Japan!) told me that this must be a SmartCard issue since the
reader works fine in many big companies around the globe. Thank you...

In all Windows versions, that internal smart card reader needs a special
driver, it's not known by Windows/Microsoft. In Windows 7 and 8 I had the
above issues. In Windows 8.1 I could install the W7 drivers and the device
would be listed 100% functional. But once I enter ANY SmartCard, I get a
blue screen. So I disabled the built-in reader.

Instead, I bought myself a CardMan 4040 and it worked absolutely smoothly
for me - from Windows XP to Windows 8 - without "special" drivers! Not so in
Windows 8.1. Here the reader is also recognized and installs its drivers.
For some seconds, device properties show that it is up and running fine, but
after what seems like no time, it shows a device error and can't be
accessed. Asking HID support, I received no answer at all...
Since my other SCM readers SCR-335 (USB) and SCR-3340 (PC-Express/54) work
fine and there are at least more recent drivers on their website, I bought a
used(!) SCR-243 (PCMCIA). It also gets recognized after an automatic initial
driver download through Windows Update but it does not recognise any
SmartCard. I try to find out now whether just the reader I bought is broken
or does not work with Windows 8.1 at all.

Does anyone use a SCR-243 with Windows 8.1? Any other good experiences with
other PC-Express/54 and/or PCMCIA readers using GnuPG on Windows 8.1? Any
hints or recommendations?

I own a CryptoStick (1.1) and could use that, but I really would like to use
my Card as it is - with a SmartCard reader... on Win 8.1, Mac OS X, and
Linux.

Olav
- -- 
The Enigmail Project - OpenPGP Email Security For Mozilla Applications
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
Comment: Dies ist eine elektronische Signatur - http://www.enigmail.net/

iQGcBAEBAwAGBQJSd7kDAAoJEKGX32tq4e9WwikMAIXFP7UuPZgb8IajaSQ87t7d
BtQKKoyJiIVhCNwqAE58azoqQcY4IpMSp83AVkUSWjsCzBCJGmMvpW62p6EIojc3
HQ+kux++rwSo/iW2qmmG9S4K8t2veW81v/8sgecaTdxIj2NXu3ssUewIu5N1yVfx
gwLqPQ8JcCOmBkCWO0ULAA8AdDy5ayebmkWbY5JHEjXM+Os6g929yhQ6CnYnLCpH
yPiNLUBig6/aUHA9xIXWFbuFd5uKGQj6rU/SFhDRrjkLqZKMJoVBAyxNGQaooiaH
7Jy/gAg1Xaye1UogWPmPrM+QjbyD7B/54+rlx22ACotpbTvWCOmVAElUdw6Re4Na
EIZpZ9XVrTGty3Ho0JHQnKg9i+QZcZ1WcRdcMb9neYnu38CK/nX00UvWDhQkgotB
evFwEEwqznJRbYz5TaxaBl6HKDdna0y4OOTRJSOs6pBSty/LQx/FSqmbHTFPIBnr
hRp8TXhYR+v2c0LLpcaRpNzD7Fy7J3DT4SZZ/U1mwg==
=DL+2
-----END PGP SIGNATURE-----


From expires2013 at ymail.com Mon Nov 4 16:29:23 2013
From: expires2013 at ymail.com (MFPA)
Date: Mon, 4 Nov 2013 15:29:23 +0000
Subject: Quotes from GPG users
In-Reply-To: <20131102162229.GC7614@fritha.org>
References: <5270E670.3070307@gnupg.org> <20131102162229.GC7614@fritha.org>
Message-ID: <635410781.20131104152923@my_localhost>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Saturday 2 November 2013 at 4:22:29 PM, in ,
Heinz Diehl wrote:

> "GPG - keeps the XXX from your door!" :-)

> [Replace XXX with any three letter agency of your
> choice]

Is that actually true, rather than bringing you to their attention?


- --
Best regards

MFPA                    mailto:expires2013 at ymail.com

Two wrongs don't make a right. But three lefts do.
-----BEGIN PGP SIGNATURE-----

iPQEAQEKAF4FAlJ3vVlXFIAAAAAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl
bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0
N0VDQTAzAAoJEKipC46tDG5ppEkEALUTk4HKS5noJv5oohDxMQwefzfkmJ57QGK4
2YDO/Qb7Y70K0ZC+gO/eiOb5m7ZFR5dTaJTLD/tbf5rdoXRrjdSlMK9PUvwS7AFQ
P7vAtRJucgGNbGvlu/T4P+v0mNkXKqCHyvRXUA+jMl8b/H2ZfzfPHg1KVakclhPA
wL/yFsKR
=Cp/U
-----END PGP SIGNATURE-----


From expires2013 at ymail.com Mon Nov 4 17:02:00 2013
From: expires2013 at ymail.com (MFPA)
Date: Mon, 4 Nov 2013 16:02:00 +0000
Subject: trust your corporation for keyowner identification?
In-Reply-To: <5275B00F.7030404@gmail.com>
References: <52669348.+eLRL6ulbwvCCmiJ%sttob@privatdemail.net>
    <5266F5CA.80509@sixdemonbag.org>
    <526806e2.PnylUKoa89KDX8qO%sttob@privatdemail.net>
    <52681AFA.2060102@digitalbrains.com>
    <52685878.6AXcxDzMhOJmhsWU%sttob@privatdemail.net>
    <5268E9F2.1050108@digitalbrains.com>
    <5269588e.wAXyOS+XkCb/A4Oa%sttob@privatdemail.net>
    <526e2592.vizyzHwEGhmqqHhK%sttob@privatdemail.net>
    <72ff7e95-a66b-411c-abd4-4e83af5c0827@email.android.com>
    <20131102212504.GD14302@leortable>
    <5275B00F.7030404@gmail.com>
Message-ID: <608638953.20131104160200@my_localhost>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Sunday 3 November 2013 at 2:08:15 AM, in , Paul R. Ramer wrote:

> When you verify a key to sign you are verifying the following:

> 1) For each UID, that the name is correct and that the
> purported owner has control of the email in that UID
> (possibly also verifying the comment if it contains
> something such as "CEO ABC Corporation"). 2) That the
> purported owner has control of the key and can decrypt
> and sign messages.
> For #1, it is possible that the user has no name or
> email address in the UID(s). Either way, you need to
> verify the details of the UIDs that you intend to sign.

> For #2, you need to verify the key fingerprint,
> algorithm, and key size (but the fingerprint at a
> minimum) and then have the user demonstrate that he can
> decrypt a message encrypted with the key in question
> and also sign with it. This can be done by sending a
> message of unknown content (from the purported key
> owner's perspective) to him to each email that he
> claims to have in each of his UIDs (provided he has
> any) and require him to reply with a signed copy of the
> decrypted message. This serves to verify the control
> of the key and the email addresses.

Why do we need to establish they can also sign? Isn't it enough to
demonstrate they control the email address and can decrypt, by signing one
UID at a time and sending that signed copy of the key in an encrypted email
to the address in that UID?

And as an aside, does it really make a difference to only sign some UIDs and
not others? Does GnuPG actually take account of which UIDs are signed in its
validity or trust calculations?
- --
Best regards

MFPA                    mailto:expires2013 at ymail.com

Life is far too important a thing ever to talk seriously about
-----BEGIN PGP SIGNATURE-----

iPQEAQEKAF4FAlJ3xQFXFIAAAAAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl
bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0
N0VDQTAzAAoJEKipC46tDG5p6WwD/i8S1/IozG/diojvmFKmDfVEe5kEKrIjku1z
hGOySg4SkkwF9qI00iKTS29mJe9WeU22gRQk8ODLRvF7UqQgbV85KvmA6uvYmRHJ
/Z4O5R9tFS7h7d32FBWF/HQ0uVSaIWKaHvY9M4ZBIzeyQBjwRQrCtPhjxief210N
2r2VwDfA
=6C8E
-----END PGP SIGNATURE-----


From ben at adversary.org Mon Nov 4 15:38:08 2013
From: ben at adversary.org (Ben McGinnes)
Date: Tue, 05 Nov 2013 01:38:08 +1100
Subject: Quotes from GPG users
In-Reply-To: <5270E670.3070307@gnupg.org>
References: <5270E670.3070307@gnupg.org>
Message-ID: <5277B150.9080805@adversary.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 30/10/13 9:58 PM, Sam Tuke wrote:
> Hi all,
>
> I'm working with Werner to promote GnuPG and raise awareness. To
> that end we're collecting quotes from users - endorsements from
> people who know and trust GPG, people like you.

Feel free to use any of my public comments on the topic, either on my blog
or on Twitter.

http://www.adversary.org/wp/2011/01/27/securing-gmail/
http://www.adversary.org/wp/2011/08/20/preventing-political-blunders-with-digital-signatures/
http://www.adversary.org/wp/2012/09/20/protecting-yourself-in-a-surveillance-state/
http://www.adversary.org/wp/2013/09/10/australias-dsd-recommends-weak-encryption/

Related category:

http://www.adversary.org/wp/tag/crypto/

Some prior tweets:

"Intercepted phone calls and emails caught Standen according to #4corners.
Three words: GPG and Zfone."
http://twitter.com/benmcginnes/statuses/103053838977728512

"Another reason why people should digitally sign their email.
http://t.co/t0q8DtB #crypto #openpgp #auspol #gpg #gnupg"
http://twitter.com/benmcginnes/statuses/104452618016915456

That t.co link forwards here (for those of you who hate URL forwards):

http://www.abc.net.au/news/2011-08-19/lnp-candidate-expelled-over-email/2847428

If you make a hashtag for this topic, let me know so I can point my fellow
Pirates at it all. We've got some very good people on our social media team.


Regards,
Ben

- -- 
Ben McGinnes              http://www.adversary.org/
Twitter: benmcginnes
Systems Administrator, Writer, Trainer, ICT Consultant
Encrypted email preferred - primary OpenPGP/GPG key: 0x73590E5D
OpenPGP/GPG key here: http://goo.gl/GVGwT and http://goo.gl/SDs0D
OpenPGP/GPG key transition: http://www.adversary.org/keyswitch.txt.asc
-----BEGIN PGP SIGNATURE-----

iQGcBAEBCgAGBQJSd7FPAAoJEH/y03E1x1U8wZsL/09VWbKKRh5kWtjcV7VrYMlT
CAwNAmBtTetU71BnQAw3qdSnpER5scR1WmT1cYpxqwMMWjKFn8YDKbfW73sC+Yen
IqrNxOvJKRn1uhxfp/dh6igJYa+M/+iHuEM9XHcf/0QK/4ln8I4fCXWwsxQ807GJ
iAgAqQGDbxrNVSX5huAd1Fs6PRCN5hZe708Nx2ZO28SryAWjdpneReU1m0wxrwn4
j+GgJ0vwVmYVJgk1a85GXEA+jFBoIwy+gtAYzdtWQ3MFVwA0+KU1coW4e2c5Sp6z
R7PYN7TrNnbmUL7w9eGPPRgvbdFuQbf5+i1yY2hKDt1Ekbdf8kyUzbrWC1DrcTSe
3DuZYAeck0+OHVjmPcnvPlcQKThj3lwznDatVA8lccPRyf4R5n/BV85iV3D0f2Sp
qvSmEjhG850AlsGD9KljFt7WIy6uof20wxym47qgOTfo/GHo0GOOc0fTQy5dq/Og
fgH2xpsMOh43C6me17RzP8jXzmAps4843vJgJO3aPA==
=pc68
-----END PGP SIGNATURE-----


From expires2013 at ymail.com Mon Nov 4 17:31:34 2013
From: expires2013 at ymail.com (MFPA)
Date: Mon, 4 Nov 2013 16:31:34 +0000
Subject: gpgsm and expired certificates
In-Reply-To: <563460450.20131104140230@my_localhost>
References: <87r4b8ic36.fsf@mat.ucm.es>
    <87k3gzyhhr.fsf__27502.296298235$1382815337$gmane$org@vigenere.g10code.de>
    <87ppqriyue.fsf@mat.ucm.es>
    <87fvrnxkci.fsf__38096.124205231$1382858228$gmane$org@vigenere.g10code.de>
    <87li1fhz83.fsf@mat.ucm.es>
    <871u37xbqr.fsf__23314.7300001749$1382869296$gmane$org@vigenere.g10code.de>
    <8761si4vrm.fsf@mat.ucm.es>
    <1745551923.20131101142927@my_localhost>
    <87fvreprlk.fsf@mat.ucm.es>
    <563460450.20131104140230@my_localhost>
Message-ID: <176725606.20131104163134@my_localhost>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Monday 4 November 2013 at 2:02:30 PM, in , MFPA wrote:

> Where actual identity is not required, just continuity
> of communication, I see no value in obtaining any
> certification at all.

Or, indeed, where encryption is required but not actual identity.


- --
Best regards

MFPA                    mailto:expires2013 at ymail.com

The best way to destroy your enemy is to make him your friend.
-----BEGIN PGP SIGNATURE-----

iPQEAQEKAF4FAlJ3y/JXFIAAAAAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl
bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0
N0VDQTAzAAoJEKipC46tDG5pVJoD/i5/w+wDB4bqbDdRD1N0vNFAhOA5tP/nVP5P
pXfZV8U3XE3igNz6Y3NCrH4/kSnNyEwXUtPmo0I60TMIOJaPvJn8dkuUeaiNiERS
PGNPg4K0EIgng2OqPiUvU67feqdMCByEh1OfdZS0sbsfW7NQ0LhrcFO9gKdAllWO
+yufHrcY
=+o2F
-----END PGP SIGNATURE-----


From dkg at fifthhorseman.net Mon Nov 4 17:52:02 2013
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 04 Nov 2013 11:52:02 -0500
Subject: trust your corporation for keyowner identification?
In-Reply-To: <608638953.20131104160200@my_localhost>
References: <52669348.+eLRL6ulbwvCCmiJ%sttob@privatdemail.net>
    <5266F5CA.80509@sixdemonbag.org>
    <526806e2.PnylUKoa89KDX8qO%sttob@privatdemail.net>
    <52681AFA.2060102@digitalbrains.com>
    <52685878.6AXcxDzMhOJmhsWU%sttob@privatdemail.net>
    <5268E9F2.1050108@digitalbrains.com>
    <5269588e.wAXyOS+XkCb/A4Oa%sttob@privatdemail.net>
    <526e2592.vizyzHwEGhmqqHhK%sttob@privatdemail.net>
    <72ff7e95-a66b-411c-abd4-4e83af5c0827@email.android.com>
    <20131102212504.GD14302@leortable>
    <5275B00F.7030404@gmail.com>
    <608638953.20131104160200@my_localhost>
Message-ID: <5277D0B2.9040103@fifthhorseman.net>

On 11/04/2013 11:02 AM, MFPA wrote:
> And as an aside, does it really make a difference to only sign some
> UIDs and not others?
> Does GnuPG actually take account of which UIDs
> are signed in its validity or trust calculations?

Yes, it does make a difference.

Let's say I make key X and attach two User IDs to it:

 * Daniel Kahn Gillmor
 * Alice Munroe

You meet me, check my identity, verify that i'm actually dkg, and just sign
the first User ID (because you have been unable to verify whether i am also
somehow Alice Munroe).

(in fact, i am not Alice Munroe, but i would like to be able to read her
mail)

At some point, you find you want to encrypt a message to Alice Munroe (who
you met at a conference, perhaps).  If you had certified both User IDs on my
key, gpg would be happy to encrypt the message to my key instead of Alice's
actual key.  If i get a copy of that message, i would be able to read it.
This would be bad.

An OpenPGP certification (a "keysigning") is an identity assertion, over
*both* the key and the User ID.  It says "this key K belongs to the person
known in the real world by the User ID U", and it is cryptographically
signed by the person making the assertion.

If you substitute some arbitrary other User ID for U, the meaning of the
certification changes radically (and the cryptographic certification
breaks).  This is an intended feature.

--dkg


From ben at adversary.org Mon Nov 4 15:52:30 2013
From: ben at adversary.org (Ben McGinnes)
Date: Tue, 05 Nov 2013 01:52:30 +1100
Subject: Quotes from GPG users
In-Reply-To: <5270E670.3070307@gnupg.org>
References: <5270E670.3070307@gnupg.org>
Message-ID: <5277B4AE.2000305@adversary.org>

On 30/10/13 9:58 PM, Sam Tuke wrote:
> Hi all,
>
> I'm working with Werner to promote GnuPG and raise awareness. To
> that end we're collecting quotes from users - endorsements from
> people who know and trust GPG, people like you.
>
> If you want to help us, send your own statement about why GPG is
> important to you. Please keep it less than or equal to 130
> characters, so it can be used on social networks.
Now, for some new quotes (feel free to point to my Twitter account,
@benmcginnes):

 * As a member of the Pirate Party Australia National Council, GPG is
   essential to securing confidential data.

 * Pirate Party Australia uses GPG to secure data transferred amongst the
   NC, such as financial disclosure data.

 * GPG was one of the essential tools I taught people at CryptoParty
   Melbourne.

 * Once you can use GPG, you can use any encryption tool.

BTW, aside from the above quotes you won't be able to list a specific
endorsement of Pirate Party Australia, but if you or Werner want I can take
it to the next NC meeting. For the record I'm the current Party Treasurer.
Contact me at this address or my Party address (it's on my key and very
obvious). Encrypt anything to that address, though, because we have not yet
completed the migration of the old email system to servers here in
Australia.


Regards,
Ben


From expires2013 at ymail.com Mon Nov 4 18:43:01 2013
From: expires2013 at ymail.com (MFPA)
Date: Mon, 4 Nov 2013 17:43:01 +0000
Subject: trust your corporation for keyowner identification?
In-Reply-To: <5277D0B2.9040103@fifthhorseman.net>
References: <52669348.+eLRL6ulbwvCCmiJ%sttob@privatdemail.net>
    <5266F5CA.80509@sixdemonbag.org>
    <526806e2.PnylUKoa89KDX8qO%sttob@privatdemail.net>
    <52681AFA.2060102@digitalbrains.com>
    <52685878.6AXcxDzMhOJmhsWU%sttob@privatdemail.net>
    <5268E9F2.1050108@digitalbrains.com>
    <5269588e.wAXyOS+XkCb/A4Oa%sttob@privatdemail.net>
    <526e2592.vizyzHwEGhmqqHhK%sttob@privatdemail.net>
    <72ff7e95-a66b-411c-abd4-4e83af5c0827@email.android.com>
    <20131102212504.GD14302@leortable>
    <5275B00F.7030404@gmail.com>
    <608638953.20131104160200@my_localhost>
    <5277D0B2.9040103@fifthhorseman.net>
Message-ID: <946982181.20131104174301@my_localhost>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Monday 4 November 2013 at 4:52:02 PM, in , Daniel Kahn Gillmor wrote:

> Yes, it does make a difference.

[snipped]

> If you had certified both User IDs on my
> key, gpg would be happy to encrypt the message to my
> key instead of Alice's actual key.

Thank you. I had not realised gpg worried about which User IDs were signed.
At some point in the past I thought I tested this and concluded it didn't
make a difference, but have just tested again and confirmed to myself that
it does.

> An OpenPGP certification (a "keysigning") is an
> identity assertion, over *both* the key and the User
> ID.  It says "this key K belongs to the person known
> in the real world by the User ID U", and it is
> cryptographically signed by the person making the
> assertion.

> If you substitute some arbitrary other User ID for U,
> the meaning of the certification changes radically (and
> the cryptographic certification breaks).  This is an
> intended feature.

Thanks for the explanation.


- --
Best regards

MFPA                    mailto:expires2013 at ymail.com

Two rights do not make a wrong. They make an airplane.
From htd at fritha.org Mon Nov 4 19:57:43 2013
From: htd at fritha.org (Heinz Diehl)
Date: Mon, 4 Nov 2013 19:57:43 +0100
Subject: Quotes from GPG users
In-Reply-To: <635410781.20131104152923@my_localhost>
References: <5270E670.3070307@gnupg.org> <20131102162229.GC7614@fritha.org> <635410781.20131104152923@my_localhost>
Message-ID: <20131104185742.GA2652@fritha.org>

On 04.11.2013, MFPA wrote:

> > "GPG - keeps the XXX from your door!" :-)
> > [Replace XXX with any three letter agency of your choice]

> Is that actually true, rather than bringing you to their attention?

It depends. My key is publicly available, with my current email address in it. Thus, anybody knows that I'm using gpg from time to time, at least those who are interested to. But that doesn't mean that I'm encrypting information which could be of importance for a three letter agency. In fact, I'm much more concerned about all the people sitting "in-between" (e.g. provider employees etc.) who could use content of my emails to spam on me or to sell it to advertisers and the like. After all, I have a private life..

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565

From jhs at berklix.com Mon Nov 4 21:07:01 2013
From: jhs at berklix.com (Julian H. Stacey)
Date: Mon, 04 Nov 2013 21:07:01 +0100
Subject: UK Guardian newspaper publishes USA NSA papers
In-Reply-To: Your message "Mon, 04 Nov 2013 19:57:43 +0100." <20131104185742.GA2652@fritha.org>
Message-ID: <201311042007.rA4K71qh085388@fire.js.berklix.net>

> information which could be of importance for a three letter agency.
> In

Talking about an alien loathed three letter agency ... See 4 top secret papers from it published by UK's Guardian newspaper today :-) at the bottom of this link
http://www.theguardian.com/world/interactive/2013/nov/01/snowden-nsa-files-surveillance-revelations-decoded

I haven't had time to read it all yet, but IMO if they say Gnupg makes their life hard, it'll make me happy.

Cheers,
Julian
--
Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com
 Interleave replies below like a play script. Indent old text with "> ".
 Send plain text, not quoted-printable, HTML, base64, or multipart/alternative.
Extradite NSA spy chief Alexander. http://berklix.eu/jhs/blog/2013_10_30

From expires2013 at ymail.com Mon Nov 4 22:29:24 2013
From: expires2013 at ymail.com (MFPA)
Date: Mon, 4 Nov 2013 21:29:24 +0000
Subject: UK Guardian newspaper publishes USA NSA papers
In-Reply-To: <201311042007.rA4K71qh085388@fire.js.berklix.net>
References: Your message "Mon, 04 Nov 2013 19:57:43 +0100." <20131104185742.GA2652@fritha.org> <201311042007.rA4K71qh085388@fire.js.berklix.net>
Message-ID: <909795965.20131104212924@my_localhost>

Hi

On Monday 4 November 2013 at 8:07:01 PM, in , Julian H. Stacey wrote:

> Talking about an alien loathed three letter agency ...
> See 4 top secret papers from it published by UK's
> Guardian newspaper today :-) at the bottom of this link
> http://www.theguardian.com/world/interactive/2013/nov/01/snowden-nsa-files-surveillance-revelations-decoded

"You don't need to be talking to a terror suspect to have your communications data analysed by the NSA. The agency is allowed to travel "three hops" from its targets."

That's phenomenal: isn't everybody in the world separated by an average of just six hops?

--
Best regards

MFPA                    mailto:expires2013 at ymail.com

Why is the universe here? Well, where else would it be?
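As an added illustration of the "three hops" question raised here (not code from the list thread): a model network made of neighbourhoods, a ring where everyone knows the 50 people on either side, with and without a few hundred random long-distance links, and a breadth-first count of how many people a three-hop radius covers in each case. The network size, neighbourhood size, number of long-distance links and random seed are all constructed parameters.

```python
"""Added example: how far 'three hops' reaches in a neighbourhood-shaped
network, with and without long-distance links (a Watts-Strogatz style
model constructed here; not code from the list thread)."""
from collections import deque
import random


def ring_lattice(n: int, k: int) -> dict:
    """n people in a ring; each knows the k people on either side of them."""
    adj = {i: set() for i in range(n)}
    for i in range(n):
        for d in range(1, k + 1):
            adj[i].add((i + d) % n)
            adj[i].add((i - d) % n)
    return adj


def with_long_distance_links(adj: dict, count: int, seed: int = 0) -> dict:
    """Copy adj and add `count` random links between people who are not
    already neighbours (the 'international contacts' of the thread)."""
    rng = random.Random(seed)
    out = {u: set(vs) for u, vs in adj.items()}
    nodes = list(out)
    added = 0
    while added < count:
        a, b = rng.sample(nodes, 2)
        if b not in out[a]:
            out[a].add(b)
            out[b].add(a)
            added += 1
    return out


def hop_distances(adj: dict, source: int) -> dict:
    """Breadth-first search: fewest hops from source to every reachable node."""
    dist = {source: 0}
    queue = deque([source])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def reach_within(adj: dict, source: int, hops: int) -> int:
    """How many other people fall inside a `hops`-hop radius of source."""
    return sum(1 for d in hop_distances(adj, source).values() if 0 < d <= hops)


def mean_hops(adj: dict, source: int) -> float:
    """Average hop count from source to everyone else in the network."""
    dist = hop_distances(adj, source)
    return sum(dist.values()) / (len(dist) - 1)


def compare(n: int = 10_000, k: int = 50, shortcuts: int = 500, source: int = 0) -> dict:
    """Three-hop reach and mean distance for the pure lattice versus the same
    lattice plus a few hundred long-distance links."""
    lattice = ring_lattice(n, k)
    small_world = with_long_distance_links(lattice, shortcuts)
    return {
        "lattice_reach_3": reach_within(lattice, source, 3),
        "small_world_reach_3": reach_within(small_world, source, 3),
        "lattice_mean_hops": mean_hops(lattice, source),
        "small_world_mean_hops": mean_hops(small_world, source),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:.1f}")
```

In the pure lattice a three-hop radius covers exactly 300 people and the average distance is about 50 hops; a few hundred random long-distance links in a population of 10,000 collapse both numbers, which is the bridging effect the thread goes on to describe.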
From free10pro at gmail.com Mon Nov 4 22:44:51 2013
From: free10pro at gmail.com (Paul R. Ramer)
Date: Mon, 04 Nov 2013 13:44:51 -0800
Subject: trust your corporation for keyowner identification?
In-Reply-To: <608638953.20131104160200@my_localhost>
References: <52669348.+eLRL6ulbwvCCmiJ%sttob@privatdemail.net> <5266F5CA.80509@sixdemonbag.org> <526806e2.PnylUKoa89KDX8qO%sttob@privatdemail.net> <52681AFA.2060102@digitalbrains.com> <52685878.6AXcxDzMhOJmhsWU%sttob@privatdemail.net> <5268E9F2.1050108@digitalbrains.com> <5269588e.wAXyOS+XkCb/A4Oa%sttob@privatdemail.net> <526e2592.vizyzHwEGhmqqHhK%sttob@privatdemail.net> <72ff7e95-a66b-411c-abd4-4e83af5c0827@email.android.com> <20131102212504.GD14302@leortable> <5275B00F.7030404@gmail.com> <608638953.20131104160200@my_localhost>
Message-ID: <21c08d45-b1cd-423d-8c1c-74d7b292e8d5@email.android.com>

MFPA wrote:
> Why do we need to establish they can also sign? Isn't it enough to
> demonstrate they control the email address and can decrypt, by signing
> one UID at a time and sending that signed copy of the key in an
> encrypted email to the address in that UID?

You are right. Decryption is sufficient to demonstrate control of the private key, because if he can decrypt, he can also sign. What I said, "decrypt and sign," was redundant.
Cheers,

--Paul

--
PGP: 3DB6D884

From jeandavid8 at verizon.net Mon Nov 4 23:20:06 2013
From: jeandavid8 at verizon.net (Jean-David Beyer)
Date: Mon, 04 Nov 2013 17:20:06 -0500
Subject: UK Guardian newspaper publishes USA NSA papers
In-Reply-To: <909795965.20131104212924@my_localhost>
References: Your message "Mon, 04 Nov 2013 19:57:43 +0100." <20131104185742.GA2652@fritha.org> <201311042007.rA4K71qh085388@fire.js.berklix.net> <909795965.20131104212924@my_localhost>
Message-ID: <52781D96.7040304@verizon.net>

On 11/04/2013 04:29 PM, MFPA wrote:
> That's phenomenal: isn't everybody in the world separated by an
> average of just six hops?

I tried to check that out, and I have never needed more than about three hops. Three hops to former president Richard Nixon. Two hops from me to Mikhail Gorbachev, Albert Einstein. One hop from me to Margaret Leng Tan, Maurice Wilkes, Phyllis Chen, Claire Chase, David Wagner (I met him when he was a baby), Eric Lamb, Ronald Coase, Sylvia Milo, Nathan Davis. Some of these are very famous, and some are famous in their own fields.

--
  .~.  Jean-David Beyer          Registered Linux User 85642.
  /V\  PGP-Key:166D840A 0C610C8B Registered Machine 1935521.
 /( )\ Shrewsbury, New Jersey    http://counter.li.org
 ^^-^^ 17:00:01 up 19:21, 2 users, load average: 4.77, 4.67, 4.52

From ekleog at gmail.com Mon Nov 4 23:20:12 2013
From: ekleog at gmail.com (Leo Gaspard)
Date: Mon, 4 Nov 2013 23:20:12 +0100
Subject: trust your corporation for keyowner identification?
In-Reply-To: <21c08d45-b1cd-423d-8c1c-74d7b292e8d5@email.android.com>
References: <52685878.6AXcxDzMhOJmhsWU%sttob@privatdemail.net> <5268E9F2.1050108@digitalbrains.com> <5269588e.wAXyOS+XkCb/A4Oa%sttob@privatdemail.net> <526e2592.vizyzHwEGhmqqHhK%sttob@privatdemail.net> <72ff7e95-a66b-411c-abd4-4e83af5c0827@email.android.com> <20131102212504.GD14302@leortable> <5275B00F.7030404@gmail.com> <608638953.20131104160200@my_localhost> <21c08d45-b1cd-423d-8c1c-74d7b292e8d5@email.android.com>
Message-ID: <20131104222012.GA470@leortable>

On Mon, Nov 04, 2013 at 01:44:51PM -0800, Paul R. Ramer wrote:
> MFPA wrote:
> > Why do we need to establish they can also sign? Isn't it enough to
> > demonstrate they control the email address and can decrypt, by signing
> > one UID at a time and sending that signed copy of the key in an
> > encrypted email to the address in that UID?
>
> You are right. Decryption is sufficient to demonstrate control of the private key, because if he can decrypt, he can also sign. What I said, "decrypt and sign," was redundant.

Well...
I still do not understand why decryption is sufficient to demonstrate control of the private key and not adding a UID (note I'm talking about signed UID's, not unsigned ones, of course).

Sorry.

Cheers,

Leo

From richard.ibbotson at gmail.com Mon Nov 4 22:45:04 2013
From: richard.ibbotson at gmail.com (Richard Ibbotson)
Date: Mon, 04 Nov 2013 21:45:04 +0000
Subject: UK Guardian newspaper publishes USA NSA papers
In-Reply-To: <201311042007.rA4K71qh085388@fire.js.berklix.net>
References: <201311042007.rA4K71qh085388@fire.js.berklix.net>
Message-ID: <1491637.9SEs7iBCk1@sheflug>

On Monday 04 Nov 2013 21:07:01 Julian H. Stacey wrote:
> http://www.theguardian.com/world/interactive/2013/nov/01/snowden-nsa
> -files-surveillance-revelations-decoded

And in other news...

http://slashdot.org/topic/datacenter/google-chief-eric-schmidt-slams-nsa-for-tapping-datacenters/

Google Chief Eric Schmidt Slams NSA.

--
Richard
https://twitter.com/SleepyPenguin1

From rjh at sixdemonbag.org Mon Nov 4 23:35:41 2013
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 04 Nov 2013 14:35:41 -0800
Subject: UK Guardian newspaper publishes USA NSA papers
In-Reply-To: <909795965.20131104212924@my_localhost>
References: <909795965.20131104212924@my_localhost>
Message-ID: <20131104143541.Horde.lb_2V8Dq3GbJU_UbpwQrCw9@mail.sixdemonbag.org>

> That's phenomenal: isn't everybody in the world separated by an
> average of just six hops?

That's more urban myth than reality. Reality is hard to model. An isolated village in a remote area of Africa might have a very hard time connecting to London in six hops, but the instant one villager gets a cell phone suddenly they're on the phone jawing with 10 Downing Street.

It's hard to give simple "six hops is about it, yes" answers: what we have to talk about instead is the degree of connectivity within a network. Given a network with a certain set of nodes and a certain set of connections between nodes, how many hops will it take to traverse the network?
This is a function of both how many nodes there are, and the particular connections they have. When the network forms a bunch of neighborhoods and there are few if any long-distance connections, the hop count quickly goes out of control.

As a historical example, look at the Black Death. Despite the worldwide conditions being virtually ideal for the various forms of plague (principally bubonic), it still took many years for the Black Death to spread from China to Europe. At that time in history the overwhelming majority of people not only had never traveled more than 30km from their homes, they didn't even know someone who had traveled more than 30km from their homes. The Black Death was condemned to spread 30km at a time -- ravaging a 'neighborhood' of the network and then moving on.

Today, though, many of us have traveled internationally and virtually all of us are connected to someone who has traveled intercontinentally. (Including all of you. I've traveled to Europe multiple times and you know me, so even if you've never left your small rural village you're still connected to someone who has traveled a long distance.) It turns out that if you have even a small number of long-distance connections, neighborhoods get bridged *very* quickly.

Let's connect me to Vladimir Putin as an example. I'm looking for a good long-distance hop that will get me most of the way to Russia. I attended undergrad with a Russian woman named Yelena (last name omitted for her privacy), whose great-uncle sat on Gorbachev's Politburo (his name omitted again for her privacy). He, in turn, is *scary*-well connected among the political elite. If he doesn't have a certain former KGB counterintelligence agent on speed-dial, I'll eat my hat. So:

Rob --> Yelena --> Y's Great-Uncle --> Vladimir Putin

Three hops.

It's worth asking: if I didn't have that long-distance hop, could I still make it to Putin? Sure. I just need a different hop.
It turns out my co-worker Greg, who was born and raised in Moscow, knew Yelena's great-uncle (and hated him something fierce, but that's beside the point). So now it's:

Rob --> Greg --> Y's Great-Uncle --> Vladimir Putin

Okay, so the real 'focus' node is Yelena's great-uncle. Let's get rid of that. And let's do something weird, like require that the connection be made through official government contacts and coordinated through the Department of State. Well, my father is a federal judge who has professional and personal connections with Senator Tom Harkin (D-IA). Senator Harkin happens to be a close friend of John Kerry, the United States Secretary of State. Secretary Kerry in turn has Vladimir Putin on speed-dial. So there's...

Rob --> Rob's dad --> Harkin --> Kerry --> Putin

It's not hard to come up with ways I'm connected to Vladimir Putin. Try to connect yourself to Putin: seriously, it's a fun game. :)

Hop counts will be lowest where each node in the network is connected to a modestly-large neighborhood, and where each of those neighbors has a good chance of having one or more long-distance connections. It used to be that a neighborhood consisted of no more than a couple of hundred people, none of whom had long-distance connections of their own. This would be the case for a medieval village, for instance. Nowadays we may have *thousands* of connections, and each connection has an extremely good chance of having one or more long-distance connections.

The combination of large neighborhoods and long-distance connections is called the "Small World Effect," and it has a lot of academic literature backing it. You may want to check out the Wikipedia page for more information:

http://en.wikipedia.org/wiki/Small-world_network

From rjh at sixdemonbag.org Mon Nov 4 23:40:06 2013
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 04 Nov 2013 14:40:06 -0800
Subject: UK Guardian newspaper publishes USA NSA papers
In-Reply-To: <52781D96.7040304@verizon.net>
References: <52781D96.7040304@verizon.net>
Message-ID: <20131104144006.Horde.pHMyrPUKBpILh-mWrXW6CA1@mail.sixdemonbag.org>

> I tried to check that out, and I have never needed more than about
> three hops.

Sure, but then again you're trying to hit people with *extremely* large networks, and whose first-order networks are themselves *extremely* well-connected. Even the exotic ones like Ronald Coase -- he co-authored a ton of papers and attended a lot of conferences and advised a lot of Ph.D. candidates and taught a lot of courses.

If you can map out a line to my great-uncle Ormo Rasmussen in three hops without using me as a link, I'll be impressed. ;)

From richard.ibbotson at gmail.com Mon Nov 4 22:37:55 2013
From: richard.ibbotson at gmail.com (Richard Ibbotson)
Date: Mon, 04 Nov 2013 21:37:55 +0000
Subject: UK Guardian newspaper publishes USA NSA papers
In-Reply-To: <201311042007.rA4K71qh085388@fire.js.berklix.net>
References: <201311042007.rA4K71qh085388@fire.js.berklix.net>
Message-ID: <2680104.nVyr6ERDGo@sheflug>

On Monday 04 Nov 2013 21:07:01 Julian H. Stacey wrote:
> http://www.theguardian.com/world/interactive/2013/nov/01/snowden-nsa
> -files-surveillance-revelations-decoded

And in other news...

http://slashdot.org/topic/datacenter/google-chief-eric-schmidt-slams-nsa-for-tapping-datacenters/

Google Chief Eric Schmidt Slams NSA. I met him in North Korea once.
--
Richard
https://twitter.com/SleepyPenguin1

From jeandavid8 at verizon.net Tue Nov 5 00:16:34 2013
From: jeandavid8 at verizon.net (Jean-David Beyer)
Date: Mon, 04 Nov 2013 18:16:34 -0500
Subject: UK Guardian newspaper publishes USA NSA papers
In-Reply-To: <20131104144006.Horde.pHMyrPUKBpILh-mWrXW6CA1@mail.sixdemonbag.org>
References: <52781D96.7040304@verizon.net> <20131104144006.Horde.pHMyrPUKBpILh-mWrXW6CA1@mail.sixdemonbag.org>
Message-ID: <52782AD2.7040500@verizon.net>

On 11/04/2013 05:40 PM, Robert J. Hansen wrote:
>> I tried to check that out, and I have never needed more than about
>> three hops.
>
> Sure, but then again you're trying to hit people with *extremely* large
> networks, and whose first-order networks are themselves *extremely*
> well-connected. Even the exotic ones like Ronald Coase -- he
> co-authored a ton of papers and attended a lot of conferences and
> advised a lot of Ph.D. candidates and taught a lot of courses.
>
> If you can map out a line to my great-uncle Ormo Rasmussen in three hops
> without using me as a link, I'll be impressed. ;)
>
I would not even know how to go about it. In my little list, I did not pick these people and see how to link to them; they were people I knew directly (the one-hop ones), or I knew someone who knew them (my piano teacher: Gorbachev, my grandfather: Albert Einstein). Getting to Richard Nixon was a bit harder. A friend of mine knew his mother. I am actually surprised and impressed by my list. Not that anyone else should care.

And on this list, David Wagner was easy since I worked with his mother at Bell Labs and met him not long after he was born. He surely has no recollection of me.

Speaking of Bell Labs, kind of a name-dropping switchboard. My grandfather worked there, so I am two handshakes away from Clinton Davisson. And I worked there and knew Doug McIlroy, and knew Ken Thompson and Dennis Ritchie very slightly. Also Bela Julesz.
And Vic Vyssotsky was the most compulsive cigarette smoker I ever met, but a uniquely brilliant computer scientist. Jean Felker, who led the TRADIC project (possibly the first transistorized electronic computer) interviewed me when I first tried, as a high school student, to get a summer job there. We talked about round-off problems when using fixed-length and fixed-point arithmetic.

Oh! Well! Memories.

--
  .~.  Jean-David Beyer          Registered Linux User 85642.
  /V\  PGP-Key:166D840A 0C610C8B Registered Machine 1935521.
 /( )\ Shrewsbury, New Jersey    http://counter.li.org
 ^^-^^ 17:55:01 up 20:16, 2 users, load average: 4.74, 4.61, 4.54

From free10pro at gmail.com Tue Nov 5 09:40:11 2013
From: free10pro at gmail.com (Paul R. Ramer)
Date: Tue, 05 Nov 2013 00:40:11 -0800
Subject: trust your corporation for keyowner identification?
In-Reply-To: <20131104222012.GA470@leortable>
References: <52685878.6AXcxDzMhOJmhsWU%sttob@privatdemail.net> <5268E9F2.1050108@digitalbrains.com> <5269588e.wAXyOS+XkCb/A4Oa%sttob@privatdemail.net> <526e2592.vizyzHwEGhmqqHhK%sttob@privatdemail.net> <72ff7e95-a66b-411c-abd4-4e83af5c0827@email.android.com> <20131102212504.GD14302@leortable> <5275B00F.7030404@gmail.com> <608638953.20131104160200@my_localhost> <21c08d45-b1cd-423d-8c1c-74d7b292e8d5@email.android.com> <20131104222012.GA470@leortable>
Message-ID:

Leo Gaspard wrote:
>> You are right. Decryption is sufficient to demonstrate control of
>> the private key, because if he can decrypt, he can also sign. What I
>> said, "decrypt and sign," was redundant.
>
> Well...
> I still do not understand why decryption is sufficient to demonstrate
> control of the private key and not adding a UID (note I'm talking about
> signed UID's, not unsigned ones, of course).
> Sorry.

I don't know how I can explain it any better than I have. I think you are confusing assertion with verification. Unless you can differentiate between the two in this case, I don't think you will see what I am talking about.
The process of certifying someone else's key involves the following:

(1) He claims that a key with n number of UIDs and fingerprint of x is his key.
(2) You verify his identity and compare it with the information in his UID(s).
(3) You send encrypted emails to each email address in his UIDs.
(4) He replies with the decrypted messages that you sent.
(5) If all went well, you certify his key.

In the case that we have been discussing, it is assumed that all of those steps have been followed for the first key. With the second key, only the first two steps, and part of the third, have been followed. And now you are assuming that the second key (being independent from the first) is valid without following through all of those steps simply because you have validated the first key which, according to what you are suggesting, was used to sign the second key.

Simply, assertion is not verification; probability is not certainty. If you didn't verify control of the key (wasn't that the point behind signing someone's key?), then your signature on his key will be baseless.

If on the other hand we were talking about a new UID on the first key, we would just need to verify control of the email address in the new UID if the UID contains the same name as the other UIDs.

No one is going to stop you from signing someone's key if that person sends you an email saying, "Hey, would you sign my other key?" But if I know you sign any keys without following the same thorough verification process each time, don't expect me to assign ownertrust to you.

I guess all I can say is that one should have a key signing policy to let others know how he verifies keys.

There. I said it all over again, just differently (and a whole lot more).
--Paul

--
PGP: 3DB6D884

From rwest at countermail.com Tue Nov 5 08:39:42 2013
From: rwest at countermail.com (rwest at countermail.com)
Date: Tue, 5 Nov 2013 08:39:42 +0100
Subject: BitMail.sf.net v 0.6 - Secure Encrypting Email Client
Message-ID: <1a9dac14d5d12e1373bcea91257c1c01.cm1@countermail.com>

Hello,

can BitMail.sf.net as a p2p email tool for encrypted Email (and hybrid with IMAP-Email) be regarded as a reference model for research to create a secure Email Client? as it uses both, gnupg and openssl!

http://bitmail.sourceforge.net/
https://sourceforge.net/projects/bitmail/files/BitMail_0.6_2088RC1/

Does anyone know, if it runs over Tor?

Sincerely, Robert

From oub at mat.ucm.es Mon Nov 4 23:43:43 2013
From: oub at mat.ucm.es (Uwe Brauer)
Date: Mon, 04 Nov 2013 23:43:43 +0100
Subject: gpgsm and expired certificates
References: <87r4b8ic36.fsf@mat.ucm.es> <1745551923.20131101142927@my_localhost> <87fvreprlk.fsf@mat.ucm.es> <2847581.NdkjrvGDoX__40120.3072433875$1383421546$gmane$org@thufir.ingo-kloecker.de> <87habtnnyx.fsf@mat.ucm.es> <1469681422.20131104143344@my_localhost>
Message-ID: <87habrrdnk.fsf@mat.ucm.es>

>> "MFPA" == MFPA writes:

Hello

> There are already several private sector CAs who provide free S/MIME
> certificates in the hope that punters may take one of their paid
> products instead or in addition. Potential sales is their incentive to
> provide some products free.
> What would be a government's incentive to
> provide them free of charge instead of charging for the admin? And
> what would a government based CA bring to the party that is not
> already available?

> If all we are talking about is email encryption to protect people's
> email from being read in transit, a self-signed certificate takes care
> of the encryption without the need for a CA. The only value in using a
> recognised CA rather than a self-signed certificate is convenience for
> the recipient, whose MUA is likely to automatically "trust" a
> recognised CA but would need to be "told" to accept a self-signed
> certificate.

Ok let me try to answer this point by point. Before doing so I want to emphasise that I am taking a very pragmatic point of view here.[1]

- NSA (among others) has abused its resource to read email worldwide at a very large scale.
- so if a lot of people, say 30 % of all users would encrypt their email, then NSA statistical approach would *not* work that smooth and this is a good thing.
- so encrypting email should be easy and look trustful for a majority of users
- usually public/private key based methods are considered relative secure (Even Snowden claimed that you could rely on them), this does not mean that the NSA could not read your email. They would usually try to enter your machine installing a keylogger or something like this. But this is beyond the statistical method I mentioned above.
- if I understand correctly the real problem is not security of the cipher but the authenticity of the sender and so the most common attack is a man in the middle attack. This is true for both smime and gpg. So comparing fingerprints of public key is a good thing, which most of us, I presume, don't do.
- from my own experience I am convinced that smime is much easier than gpg[2] for reasons I am not going to repeat here. (I got 7 out of 10 of my friends/colleagues to use smime, but 0 of 10 to use gpg.)
- one of the reasons some of them hesitated was the fact that the certificates were offered by some commercial company they did not know and trust.[3] They would have installed it from a government based organisation, say the ministry of justice though.
- so if some government based organisation would do what say Comodo does it would send a signal to the public that it takes privacy seriously and I think it would encourage more people to use smime.
- Private certificates are unfortunately no solution. Yes it is possible with openssl to generate them, I have done that myself. However it is very difficult, if not impossible, to convince the main email programs, such as outlook, thunderbird or Apple mail to use them or to use public keys sent by such certificates. [4]

Uwe Brauer

Footnotes:
[1] I must add that I don't share your general view about government based organisations. I still hope that abuse is the exception not the rule..
[2] although pgp seems technically better, since some implementations of smime allow a relatively short symmetric key
[3] (Besides these companies have a certain business model and their free certificates last short and expire usually after one year.)
[4] I finally managed to use them in thunderbird, but it was complicated, not something the regular user would like to do.

From tapio.sokura at iki.fi Tue Nov 5 12:26:05 2013
From: tapio.sokura at iki.fi (Tapio Sokura)
Date: Tue, 05 Nov 2013 13:26:05 +0200
Subject: Sharing a card reader between pkcs11 and gnupg card?
Message-ID: <5278D5CD.604@iki.fi>

Hello,

I'm having some troubles using both a PKCS #11 accessed card (national electronic ID card) and an OpenPGP card in the same computer.
I haven't really looked deep into this yet, but it looks like the smart card reader is claimed by the driver that is first started (scdaemon or the national ID card driver) and the other one doesn't see any readers. Is this the expected behavior, i.e. I can't share one card reader between different card types without stopping/starting services when changing from one card to another?

I have several card readers, so I could use two readers at the same time and I understand I should be able to dedicate one reader for one card type by configuration. But for laptop use that gets clumsy, especially when you have (one) integrated reader already in the laptop.

I'm running 12.04 LTS Ubuntu with the packaged gnupg (2.0.17-2ubuntu2.12.04.3).

Tapio

From samtuke at gnupg.org Tue Nov 5 16:40:36 2013
From: samtuke at gnupg.org (Sam Tuke)
Date: Tue, 05 Nov 2013 16:40:36 +0100
Subject: Quotes from GPG users
In-Reply-To: <5277B150.9080805@adversary.org>
References: <5270E670.3070307@gnupg.org> <5277B150.9080805@adversary.org>
Message-ID: <52791174.9000105@gnupg.org>

> Feel free to use any of my public comments on the topic, either on my
> blog or on Twitter.

Those are great resources I hadn't seen before, thanks for the links! What do you think about these two? I had a hard time finding quotes from your articles that fit into 130 chars, so I reworded them:

"GnuPG provides encrypted email and file encryption...this technology is an integral part of the survival skills of the digital age"
Source: http://www.adversary.org/wp/2012/09/20/protecting-yourself-in-a-surveillance-state/

"Scalps have been claimed in Australian politics due to forged emails, yet GPG has been able to prevent this for years"
Source: http://www.adversary.org/wp/2011/08/20/preventing-political-blunders-with-digital-signatures/

> If you make a hashtag for this topic, let me know so I can point my
> fellow Pirates at it all. We've got some very good people on our
> social media team.
Great - I am planning to use one, and I'll keep you posted.

Sam.

--
Sam Tuke
Campaign Manager
Gnu Privacy Guard
0044 78680 77871

From ekleog at gmail.com Tue Nov 5 18:26:07 2013
From: ekleog at gmail.com (Leo Gaspard)
Date: Tue, 5 Nov 2013 18:26:07 +0100
Subject: trust your corporation for keyowner identification?
In-Reply-To:
References: <5269588e.wAXyOS+XkCb/A4Oa%sttob@privatdemail.net> <526e2592.vizyzHwEGhmqqHhK%sttob@privatdemail.net> <72ff7e95-a66b-411c-abd4-4e83af5c0827@email.android.com> <20131102212504.GD14302@leortable> <5275B00F.7030404@gmail.com> <608638953.20131104160200@my_localhost> <21c08d45-b1cd-423d-8c1c-74d7b292e8d5@email.android.com> <20131104222012.GA470@leortable>
Message-ID: <20131105172607.GB470@leortable>

On Tue, Nov 05, 2013 at 12:40:11AM -0800, Paul R. Ramer wrote:
> I don't know how I can explain it any better than I have. I think you are confusing assertion with verification. Unless you can differentiate between the two in this case, I don't think you will see what I am talking about.
>
> [...]
>
> I guess all I can say is that one should have a key signing policy to let others know how he verifies keys.
>
> There. I said it all over again, just differently (and a whole lot more).

OK, I think I understood your point. (That is, assertion is not as strong as verification.)

However, I think in this case (assuming there are no more UID on key 2 than on key 1), assertions are sufficient, *because* there are two assertions, one in both ways. I mean:

* Owner of Key 1 says (s)he is owner of Key 2 (through signed message saying you so)
* Owner of Key 2 says (s)he is owner of Key 1 (through signed UID on Key 2)

So, except in case of collusion between owners of Keys 1 and 2, I believe there is no way one can be wrong in signing Key 2 (of course, if Key 1 is signed).
IIUC, your point is that verification would enable one to avoid collusion, as it is the only flaw I can see in this verification scheme. Except collusion can not be avoided in any way, AFAIK.

If that is not your point, could you exhibit a scenario in which there is a signed UID on Key 2, a signed statement from Key 1 owner saying he owns Key 2, and Key 2 not being usable by Key 1 owner? (Of course, excepting collusion, which as stated above can not be avoided.)

Cheers,

Leo

From mailinglisten at hauke-laging.de Tue Nov 5 23:13:58 2013
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Tue, 05 Nov 2013 23:13:58 +0100
Subject: bug-like: strange behaviour of addrevoker
Message-ID: <1836639.J6foN1a9h5@inno.berlin.laging.de>

Hello,

I have created another key for me (higher security level) so its user ID obviously has the same name as the ones of my old key. I did this with Knoppix 7.2 (i.e. gpg 1.4.x). After key creation I wanted to add the keys to each other as designated revokers. But that didn't work as expected.

After entering the command "addrevoker" I was asked to enter the user ID of the respective key. Why the user ID and not the key ID or fingerprint? Does that make any sense?

However, gpg has a quite strange user ID matching behaviour here. If I enter the complete user ID

Hauke Laging (Standardadresse)

then it is not found. If I enter just "Hauke Laging" I get a clever error message that a key cannot be its own designated revoker... Neither 1a571df5 nor 0x1a571df5 works. Even worse: The email address doesn't work either (both hauke at laging.de and ). So I had to create a new user id (and throw the others away in order to avoid changes to the other key). With the new name it worked.

I assume this is a bug as you would expect it to happen quite often that there are several keys with the same name. Probably this feature is rarely used.
CU

Hauke

--
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5

From expires2013 at ymail.com Wed Nov 6 00:41:53 2013
From: expires2013 at ymail.com (MFPA)
Date: Tue, 5 Nov 2013 23:41:53 +0000
Subject: gpgsm and expired certificates
In-Reply-To: <87habrrdnk.fsf@mat.ucm.es>
References: <87r4b8ic36.fsf@mat.ucm.es> <1745551923.20131101142927@my_localhost> <87fvreprlk.fsf@mat.ucm.es> <2847581.NdkjrvGDoX__40120.3072433875$1383421546$gmane$org@thufir.ingo-kloecker.de> <87habtnnyx.fsf@mat.ucm.es> <1469681422.20131104143344@my_localhost> <87habrrdnk.fsf@mat.ucm.es>
Message-ID: <1752243747.20131105234153@my_localhost>

Hi

On Monday 4 November 2013 at 10:43:43 PM, Uwe Brauer wrote:

> - NSA (among others) has abused its resources to read email worldwide at a very large scale.

Indeed.

> - so if a lot of people, say 30% of all users, would encrypt their email, then NSA's statistical approach would *not* work that smoothly, and this is a good thing.

Why do you describe it as a statistical approach?

I guess 30% was plucked out of the air. It would seem self-evident that if a sizeable proportion of emails travelled encrypted, the NSA etc. would have to do more work to read them.

> - so encrypting email should be easy and look trustful for a majority of users

I like the idea, but have a bit of an issue with security made too easy. Security has to be inconvenient; just a lot more so for a would-be attacker than for the person using the security.

> - usually public/private key based methods are considered relatively secure (even Snowden claimed that you could rely on them); this does not mean that the NSA could not read your email. They would usually try to enter your machine, installing a keylogger or something like this. But this is beyond the statistical method I mentioned above.

Hopefully, if it was more effort and more cost to read an individual's mail, that individual might be left alone unless they are a suspect. But what about an individual two or three communication hops from a suspect?

> - if I understand correctly, the real problem is not the security of the cipher but the authenticity of the sender, and so the most common attack is a man-in-the-middle attack. This is true for both smime and gpg. So comparing fingerprints of public keys is a good thing, which most of us, I presume, don't do.

For most people's communication, it is not encrypted, so the main problem is simply being read in transit, and/or stored. Once you start encrypting, even without putting the effort in for sender authentication, it takes more effort to snoop on your mail than on the majority of people's.

> - from my own experience I am convinced that smime is much easier than gpg[2] for reasons I am not going to repeat here. (I got 7 out of 10 of my friends/colleagues to use smime, but 0 of 10 to use gpg.)

Depending on the software people are using. I'm willing to accept that there are probably more people for whom S/MIME is easier to use.

> - one of the reasons some of them hesitated was the fact that the certificates were offered by some commercial company they did not know and trust.[3] They would have installed it from a government-based organisation, say the ministry of justice, though.

I think "know" is the key factor, but "know and trust" is even better. I suspect a whole lot of people would also be perfectly comfortable if a certificate were available from the company that supplied their operating system, or their email application or webmail account. Or maybe from their bank or ISP.

> - so if some government-based organisation would do what, say, Comodo does, it would send a signal to the public that it takes privacy seriously, and I think it would encourage more people to use smime.

The actions of governments and government organisations in so many countries send signals that they are anti-privacy, or at least not pro-privacy. I think this small contradictory signal would be in severe danger of being drowned out. But now I understand what you meant.

> - Private certificates are unfortunately no solution. Yes, it is possible with openssl to generate them; I have done that myself. However, it is very difficult to impossible to convince the main email programs, such as Outlook, Thunderbird or Apple Mail, to use them or to use public keys sent by such certificates. [4]

The email app I am using to write this message can (almost trivially) generate and use self-signed certificates for the email accounts it has configured. The difficulty is getting other people to persuade their MUA to accept them.

> Footnotes: [1] I must add that I don't share your general view about government-based organisations. I still hope that abuse is the exception, not the rule.

I think I mentioned in one of my other postings that I was using hyperbole to make my point. I'm not quite _that_ paranoid, but I believe in exercising a healthy skepticism.

--
Best regards

MFPA mailto:expires2013 at ymail.com

Experience is the name everyone gives to their mistakes

From free10pro at gmail.com Wed Nov 6 00:03:19 2013
From: free10pro at gmail.com (Paul R. Ramer)
Date: Tue, 05 Nov 2013 15:03:19 -0800
Subject: trust your corporation for keyowner identification?
In-Reply-To: <20131105172607.GB470@leortable>
References: <5269588e.wAXyOS+XkCb/A4Oa%sttob@privatdemail.net> <526e2592.vizyzHwEGhmqqHhK%sttob@privatdemail.net> <72ff7e95-a66b-411c-abd4-4e83af5c0827@email.android.com> <20131102212504.GD14302@leortable> <5275B00F.7030404@gmail.com> <608638953.20131104160200@my_localhost> <21c08d45-b1cd-423d-8c1c-74d7b292e8d5@email.android.com> <20131104222012.GA470@leortable> <20131105172607.GB470@leortable>
Message-ID: <52797937.5090404@gmail.com>

On 11/05/2013 09:26 AM, Leo Gaspard wrote:
> On Tue, Nov 05, 2013 at 12:40:11AM -0800, Paul R. Ramer wrote:
>> I don't know how I can explain it any better than I have. I think you are confusing assertion with verification. Unless you can differentiate between the two in this case, I don't think you will see what I am talking about.
>>
>> [...]
>>
>> I guess all I can say is that one should have a key signing policy to let others know how he verifies keys.
>>
>> There. I said it all over again, just differently (and a whole lot more).
>
> OK, I think I understood your point. (That is, assertion is not as strong as
> verification.)
>
> However, I think in this case (assuming there are no more UIDs on key 2 than on
> key 1), assertions are sufficient, *because* there are two assertions, one
> each way.
>
> I mean:
> * Owner of Key 1 says (s)he is owner of Key 2 (through a signed message saying
> so)
> * Owner of Key 2 says (s)he is owner of Key 1 (through a signed UID on Key 2)
>
> So, except in case of collusion between the owners of Keys 1 and 2, I believe there
> is no way one can be wrong in signing Key 2 (of course, if Key 1 is signed).

There could be collusion with only one key. Verification of the key details cannot address this.

> IIUC, your point is that verification would enable one to avoid collusion, as it
> is the only flaw I can see in this verification scheme.
> Except collusion cannot be avoided in any way, AFAIK.

No. Avoiding collusion is impossible here.
It just comes down to you vouching through your signature on the second key that you have *verified* it. Nothing more, nothing less. If you didn't follow all of the steps to verify it, why would you sign it with an exportable signature? You could just sign it with a local signature for your own use, because you believe the key to be valid. But if you sign it with an exportable signature, you are saying to others that you have verified the key. It is reasonable to expect that if you signed someone's key you did verify it without skipping any steps (whether you felt they were unnecessary in this case or not).

Signing keys with exportable signatures is not for your benefit. It is for others who may extend ownertrust to your signatures.

I have communicated with plenty of people via email who I believe were who they said they were, that they did have control of their accounts, and that if they did have an OpenPGP key, it seemed to me to be valid. Would I sign their keys with exportable signatures to tell others that I have checked their keys and believe them to be valid when I have not fully verified their keys? No.

> If that is not your point, could you exhibit a scenario in which there is a
> signed UID on Key 2, a signed statement from Key 1's owner saying he owns Key 2,
> and Key 2 not being usable by Key 1's owner? (Of course, excepting collusion,
> which as stated above cannot be avoided.)

Collusion is the only way that I know of, and there is nothing you can do about it if it is happening.
Cheers,

--Paul

--
PGP: 3DB6D884

From ben at adversary.org Wed Nov 6 01:28:42 2013
From: ben at adversary.org (Ben McGinnes)
Date: Wed, 06 Nov 2013 11:28:42 +1100
Subject: Quotes from GPG users
In-Reply-To: <52791174.9000105@gnupg.org>
References: <5270E670.3070307@gnupg.org> <5277B150.9080805@adversary.org> <52791174.9000105@gnupg.org>
Message-ID: <52798D3A.7020000@adversary.org>

On 6/11/13 2:40 AM, Sam Tuke wrote:
>> Feel free to use any of my public comments on the topic, either on my
>> blog or on Twitter.
>
> Those are great resources I hadn't seen before, thanks for the links!
>
> What do you think about these two? I had a hard time finding quotes
> from your articles that fit into 130 chars,

Yeah, I can be a bit of a wordy bastard sometimes. ;)

> so I reworded them:
>
> "GnuPG provides encrypted email and file encryption...this
> technology is an integral part of the survival skills of the digital
> age"
> Source:
> http://www.adversary.org/wp/2012/09/20/protecting-yourself-in-a-surveillance-state/
>
> "Scalps have been claimed in Australian politics due to forged
> emails, yet GPG has been able to prevent this for years"
> Source:
> http://www.adversary.org/wp/2011/08/20/preventing-political-blunders-with-digital-signatures/

I approve them both! :) Especially after seeing which paragraphs you converted into that.

Regards,
Ben

From expires2013 at ymail.com Wed Nov 6 01:47:23 2013
From: expires2013 at ymail.com (MFPA)
Date: Wed, 6 Nov 2013 00:47:23 +0000
Subject: trust your corporation for keyowner identification?
In-Reply-To: <52797937.5090404@gmail.com>
References: <5269588e.wAXyOS+XkCb/A4Oa%sttob@privatdemail.net> <526e2592.vizyzHwEGhmqqHhK%sttob@privatdemail.net> <72ff7e95-a66b-411c-abd4-4e83af5c0827@email.android.com> <20131102212504.GD14302@leortable> <5275B00F.7030404@gmail.com> <608638953.20131104160200@my_localhost> <21c08d45-b1cd-423d-8c1c-74d7b292e8d5@email.android.com> <20131104222012.GA470@leortable> <20131105172607.GB470@leortable> <52797937.5090404@gmail.com>
Message-ID: <1652666925.20131106004723@my_localhost>

Hi

On Tuesday 5 November 2013 at 11:03:19 PM, Paul R. Ramer wrote:

> But if you sign it with an exportable
> signature, you are saying to others that you have
> verified the key.

In the absence of a published keysigning policy, isn't that an assumption?

> Collusion is the only way that I know of,

I guess coercion would fit, as well.

--
Best regards

MFPA mailto:expires2013 at ymail.com

The greatest of faults is to be conscious of none.

From cscheng at cpce-polyu.edu.hk Wed Nov 6 02:00:57 2013
From: cscheng at cpce-polyu.edu.hk (Griffin Cheng [CLIB])
Date: Wed, 6 Nov 2013 09:00:57 +0800
Subject: Newbie question on GPG and PHP running from a webpage

Hello,

I am new to GPG, especially writing programs to decrypt stuff. Is this the right mailing list to ask?

Regards,

Griffin CHENG.

From free10pro at gmail.com Wed Nov 6 02:32:38 2013
From: free10pro at gmail.com (Paul R. Ramer)
Date: Tue, 05 Nov 2013 17:32:38 -0800
Subject: trust your corporation for keyowner identification?
In-Reply-To: <1652666925.20131106004723@my_localhost>
References: <5269588e.wAXyOS+XkCb/A4Oa%sttob@privatdemail.net> <526e2592.vizyzHwEGhmqqHhK%sttob@privatdemail.net> <72ff7e95-a66b-411c-abd4-4e83af5c0827@email.android.com> <20131102212504.GD14302@leortable> <5275B00F.7030404@gmail.com> <608638953.20131104160200@my_localhost> <21c08d45-b1cd-423d-8c1c-74d7b292e8d5@email.android.com> <20131104222012.GA470@leortable> <20131105172607.GB470@leortable> <52797937.5090404@gmail.com> <1652666925.20131106004723@my_localhost>

> On Tuesday 5 November 2013 at 11:03:19 PM, Paul R. Ramer wrote:
>
>> But if you sign it with an exportable
>> signature, you are saying to others that you have
>> verified the key.
>
> In the absence of a published keysigning policy, isn't that an
> assumption?

Signing is to be an attestation to the validity of the key. But, yes, in the absence of a keysigning policy (or some other way of knowing how that person signs keys) it is just an assumption as to what that signature means. I would not assume what the value of a signature is without knowing how that person signs keys, and I would still need to believe that person's methods are acceptable to me.

Cheers,

--Paul

--
PGP: 3DB6D884

From free10pro at gmail.com Wed Nov 6 07:29:11 2013
From: free10pro at gmail.com (Paul R. Ramer)
Date: Tue, 05 Nov 2013 22:29:11 -0800
Subject: Newbie question on GPG and PHP running from a webpage
Message-ID: <8033115e-9b92-492e-8d29-bff4338b99d7@email.android.com>

"Griffin Cheng [CLIB]" wrote:
> Hello,
>
> I am new to GPG, especially writing programs to decrypt stuff. Is this
> the right mailing list to ask?

gnupg-users is for most discussions and gnupg-devel is for programming/development specific questions.

HTH.
Cheers,

--Paul

--
PGP: 3DB6D884

From cscheng at cpce-polyu.edu.hk Wed Nov 6 08:46:50 2013
From: cscheng at cpce-polyu.edu.hk (Griffin Cheng [CLIB])
Date: Wed, 6 Nov 2013 15:46:50 +0800
Subject: unsubscribe

From samtuke at gnupg.org Wed Nov 6 13:12:28 2013
From: samtuke at gnupg.org (Sam Tuke)
Date: Wed, 06 Nov 2013 13:12:28 +0100
Subject: Quotes from GPG users
In-Reply-To: <5277B4AE.2000305@adversary.org>
References: <5270E670.3070307@gnupg.org> <5277B4AE.2000305@adversary.org>
Message-ID: <527A322C.3000304@gnupg.org>

On 04/11/13 15:52, Ben McGinnes wrote:
> Now, for some new quotes

Thanks Ben, I couldn't have asked for more :)

Don't worry about official endorsement from the Pirate Party AU - your quote communicates GPG's importance sufficiently.

Best,

Sam.

--
Sam Tuke
Campaign Manager
Gnu Privacy Guard
0044 78680 77871

From samtuke at gnupg.org Wed Nov 6 13:17:16 2013
From: samtuke at gnupg.org (Sam Tuke)
Date: Wed, 06 Nov 2013 13:17:16 +0100
Subject: Quotes from GPG users
In-Reply-To: <20131103220118.475e96c0@eunet.rs>
References: <5270E670.3070307@gnupg.org> <20131103220118.475e96c0@eunet.rs>
Message-ID: <527A334C.5090600@gnupg.org>

On 03/11/13 22:01, Marko Randjelovic wrote:
> I send five variants (but the best is all of them :) ):

Thanks Marko! Is it OK if I rephrase two of them like this?:

"I use GnuPG because I was taught it's a sin to open other people's letters"

"I use GnuPG because I won't trade my independence for anything"

Best,

Sam.
--
Sam Tuke
Campaign Manager
Gnu Privacy Guard
0044 78680 77871

From oub at mat.ucm.es Wed Nov 6 12:42:49 2013
From: oub at mat.ucm.es (Uwe Brauer)
Date: Wed, 06 Nov 2013 12:42:49 +0100
Subject: gpgsm and expired certificates
References: <87r4b8ic36.fsf@mat.ucm.es> <1745551923.20131101142927@my_localhost> <87fvreprlk.fsf@mat.ucm.es> <2847581.NdkjrvGDoX__40120.3072433875$1383421546$gmane$org@thufir.ingo-kloecker.de> <87habtnnyx.fsf@mat.ucm.es> <1469681422.20131104143344@my_localhost> <87habrrdnk.fsf@mat.ucm.es> <1752243747.20131105234153@my_localhost>
Message-ID: <87txfpg3ie.fsf@gilgamesch.quim.ucm.es>

>> "MFPA" == MFPA writes:

Hi

> Hi
> On Monday 4 November 2013 at 10:43:43 PM, Uwe Brauer wrote:

>> - from my own experience I am convinced that smime
>> is much easier than gpg[2] for reasons I am not
>> going to repeat here. (I got 7 out of 10 of my
>> friends/colleagues to use smime, but 0 of 10 to
>> use gpg.)

> Depending on the software people are using. I'm willing to accept
> that there are probably more people for whom S/MIME is easier to
> use.

Well, take for example iOS: using pgp is a sort of a nightmare.

The reasons why I think smime is easier to use for the average user are:

- smime is already installed in most MUAs (so no additional software+plugin)
- keypairs are generated and signed by the "trust center".
- Public keys are automatically embedded in the signatures.

> The email app I am using to write this message can (almost
> trivially) generate and use self-signed certificates for the email
> accounts it has configured. The difficulty is getting other people
> to persuade their MUA to accept them.
Aha, I see you use The Bat!, an email program I have not seen in use for almost a decade.

Good and bad news.

Gpgsm allowed me to use your public keys after firing up a series of questions; iOS also. (If you don't mind, I'll send you two test messages later privately.)

However, Thunderbird refuses to use your public key, claiming it cannot be trusted.

So I am afraid the issue is to persuade not only the people but also the software.

> I think I mentioned in one of my other postings that I was using
> hyperbole to make my point. I'm not quite _that_ paranoid, but I
> believe in exercising a healthy skepticism.

OK, I have seen this now.

regards

Uwe

From rjh at sixdemonbag.org Wed Nov 6 23:17:49 2013
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 06 Nov 2013 14:17:49 -0800
Subject: BitMail.sf.net v 0.6 - Secure Encrypting Email Client
In-Reply-To: <1a9dac14d5d12e1373bcea91257c1c01.cm1@countermail.com>
References: <1a9dac14d5d12e1373bcea91257c1c01.cm1@countermail.com>
Message-ID: <20131106141749.Horde.vRZnzEXAtcQ2hHGuvNGjZg1@mail.sixdemonbag.org>

> can BitMail.sf.net as a p2p email tool for encrypted Email (and
> hybrid with IMAP-Email) be regarded as a reference model for
> research to create a secure Email Client? as it uses both, gnupg and
> openssl!

I would suggest figuring out very precisely what you intend by "secure." Once you have that definition, look at the BitMail project and see if their notion of "secure" has a lot in common with your notion. If they do, then it's time to take a look at the design of BitMail and its implementation. Look for areas where they do not closely follow their definition of 'security'. Every nontrivial program has some of these areas. Once you have a good idea of how BitMail works, then it will be time to learn from their mistakes.
In the process you will undoubtedly make mistakes of your own. Don't be disheartened: the only hackers who have not made completely humiliating errors are ones who have not been programming long. The trick is to never make the same one twice. :)

From ekleog at gmail.com Wed Nov 6 23:28:35 2013
From: ekleog at gmail.com (Leo Gaspard)
Date: Wed, 6 Nov 2013 23:28:35 +0100
Subject: trust your corporation for keyowner identification?
References: <20131102212504.GD14302@leortable> <5275B00F.7030404@gmail.com> <608638953.20131104160200@my_localhost> <21c08d45-b1cd-423d-8c1c-74d7b292e8d5@email.android.com> <20131104222012.GA470@leortable> <20131105172607.GB470@leortable> <52797937.5090404@gmail.com> <1652666925.20131106004723@my_localhost>
Message-ID: <20131106222835.GD470@leortable>

(Sorry, I failed again to reply to the list, so you probably have this message twice again.)

On Tue, Nov 05, 2013 at 05:32:38PM -0800, Paul R. Ramer wrote:
> > On Tuesday 5 November 2013 at 11:03:19 PM, Paul R. Ramer wrote:
> >
> >> But if you sign it with an exportable
> >> signature, you are saying to others that you have
> >> verified the key.
> >
> > In the absence of a published keysigning policy, isn't that an
> > assumption?
>
> Signing is to be an attestation to the validity of the key. [...]

Well, thus my reasoning (last message) allows me to prove that I can have the same level of confidence in Key 2 as in Key 1, even though I have not done again all the steps of verification. Thus, signing being an attestation of the validity of the key (I assume you meant of the confidence in the validity of the key), why should one sign Key 1 and not Key 2?

For the same reason, signing (and exporting signatures) based on people I blindly trust is not an issue to me. (I know, I just released the troll.) Because if I blindly trust these persons, I believe with absolute certainty that the person is who (s)he says (s)he is. And so I can announce this certainty by signing the key.
(I use the term "blindly" to mean even more than the technical "ultimately", as this one could be expressed using trust signatures. Just really blind trust, as when you would let them decide your fate, knowing they could be better off by sending you to hell.)

Of course, if I sign the key only because it is validated through technical means, not by hand-checking for a signature from a blindly trusted owner, I would never sign that other key.

The fact that others could get just the same effect by twisting their WoT parameters is not an issue to me. Firstly, because there are few trust signatures (according to best practices I read, that said trust signatures are mainly made for closed-system environments), so WoT rarely expands outwards of one signature by someone you know. But mostly because signing is an attestation of your belief someone is who (s)he is. Thus, if you believe someone is who the UID states (s)he is as much as if you met him/her in person and followed the whole verification process, I would not mind your exporting signatures of the key.

And saying that it allows the blindly trusted person to force you to see a key as validated through three persons you marginally trust means nothing to me. Indeed, these three persons are all asserting they believe with certainty that the key owner is who (s)he says (s)he is. That all used the same information source is just commonly done. Indeed, how do you check an identity?

* Name: Passport. Any government could make a passport as wanted, not even speaking about forgery. Thus everyone you know who signed some UID probably based their verification work on a single passport.
* Comment: Depends on the comment. For "CEO company X", it is probably based on public archives. Them referring to a person by his/her name, any forged passport also means a forged name.
* Email: Probably a mere exchange of emails. Thus, anyone doing MitM could intercept the exchange and reply so as to make you validate the key, and even without MitM, the email provider could do as well.

Every time, the certainty of the UID element is heavily dependent on others' work. Thus, why should we refuse to base our work on others' signatures? (*assuming* you believe in the UID validity as much as you would have done using full verification)

I just found a "counter-example": in case the message (signed by Key 1) telling that the owner of Key 1 is the owner of Key 2 is signed by a subkey, which might have been compromised. However, I assumed such a message would only be sent signed using the master key, as it must be totally relied upon. Thus, anyone able to forge such a message would be able to forge any message using the master key, and especially to add new encryption subkeys... Thus, such a scenario is not a threat IMHO.

Cheers,
Leo

From expires2013 at ymail.com Thu Nov 7 00:29:05 2013
From: expires2013 at ymail.com (MFPA)
Date: Wed, 6 Nov 2013 23:29:05 +0000
Subject: gpgsm and expired certificates
In-Reply-To: <87txfpg3ie.fsf@gilgamesch.quim.ucm.es>
References: <87r4b8ic36.fsf@mat.ucm.es> <1745551923.20131101142927@my_localhost> <87fvreprlk.fsf@mat.ucm.es> <2847581.NdkjrvGDoX__40120.3072433875$1383421546$gmane$org@thufir.ingo-kloecker.de> <87habtnnyx.fsf@mat.ucm.es> <1469681422.20131104143344@my_localhost> <87habrrdnk.fsf@mat.ucm.es> <1752243747.20131105234153@my_localhost> <87txfpg3ie.fsf@gilgamesch.quim.ucm.es>
Message-ID: <1823118545.20131106232905@my_localhost>

Hi

On Wednesday 6 November 2013 at 11:42:49 AM, Uwe Brauer wrote:

> Well, take for example iOS: using pgp is a sort of a
> nightmare.

So I have heard.

> The reasons why I think smime is easier to use for the
> average user are: smime is already installed in most
> MUAs (so no additional software+plugin)

But all the hordes who use webmail are pretty much still out of luck, though.
(With certain exceptions, such as hushmail.)

> keypairs are
> generated and signed by the "trust center".

I don't know about the "trust centre." The Bat! gives me the choice of its own internal implementation or Microsoft Crypto-API, which is part of Windows. (The Bat! and Windows are closed-source proprietary products that we probably shouldn't discuss too much on this list.)

> Public
> keys are automatically embedded in the signatures.

That is simpler and avoids the web-bug-like effect you have if you choose to auto-retrieve OpenPGP keys from keyservers for new contacts. But it must waste a lot of bandwidth between regular correspondents.

> Aha, I see you use The Bat!, an email program I have not
> seen in use for almost a decade.

I have used it myself for over nine years.

> Good and bad news.
> Gpgsm allowed me to use your public keys after firing
> up a series of questions; iOS also.

Good.

> (If you
> don't mind, I'll send you two test messages later privately.)

I don't mind.

> However, Thunderbird refuses to use your public key,
> claiming it cannot be trusted.

Fair enough. Using its internal implementation, The Bat! accepts signatures from the S/MIME certificate I created last night (because I added it to the trusted root CA address book) and does not accept your S/MIME signature (because Comodo's root certificate is not in the trusted root CA address book - but adding it would be just a few clicks). MS Crypto-API is fine with Comodo's root cert, but says my certificate has an invalid signature algorithm specified.

I just searched and found [1] about Thunderbird, which says you can import a copy of other people's self-signed S/MIME certificate from a ".cer" file into your "Authorities" tab. So much for "being easier because keys are automatically embedded in the signatures."

> So I am afraid the
> issue is to persuade not only the people but also
> the software.

As I said, getting other people to persuade their MUA to accept it.

[1] .
--
Best regards

MFPA mailto:expires2013 at ymail.com

Courage is not the absence of fear, but the mastery of it.

From wk at gnupg.org Thu Nov 7 09:22:16 2013
From: wk at gnupg.org (Werner Koch)
Date: Thu, 07 Nov 2013 09:22:16 +0100
Subject: bug-like: strange behaviour of addrevoker
In-Reply-To: <1836639.J6foN1a9h5@inno.berlin.laging.de> (Hauke Laging's message of "Tue, 05 Nov 2013 23:13:58 +0100")
References: <1836639.J6foN1a9h5@inno.berlin.laging.de>
Message-ID: <87eh6s7haf.fsf@vigenere.g10code.de>

On Tue, 5 Nov 2013 23:13, mailinglisten at hauke-laging.de said:

> revokers. But that didn't work as expected. After entering the command
> "addrevoker" I was asked to enter the user ID of the respective key. Why the
> user ID and not the key ID or fingerprint? Does that make any sense?

You may use any way to specify a user ID. It is the same code as used when you fire up "gpg --key-edit USERID", with the only restriction that the key must have certify capability, which is always the case for a primary key.

> nor 0x1a571df5 works. Even worse: the email address doesn't work either (both
> hauke at laging.de and ).

If you have the two user IDs, gpg can't decide which to use. Thus you need to use the key ID or the fingerprint. Please check again and if you can't make it work, please create a test case for us.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
From Cathy.Smith at pnnl.gov Thu Nov 7 00:57:42 2013
From: Cathy.Smith at pnnl.gov (Smith, Cathy)
Date: Wed, 6 Nov 2013 23:57:42 +0000
Subject: question about public keys
Message-ID: <270838A78E5A5342BB9669898FB4CF20042C6B0A@EX10MBOX01.pnnl.gov>

Hi

A couple of years ago I created a gpg key for an account that is used to transfer documents with vendors. It's worked fine. We now have a new vendor that won't accept the public key because of the expiration date. I don't see a way to create another public key for this account with the shorter expiration date. Replacing the current public key will disrupt business with existing customers. Is there a solution other than creating another account with its own gpg key?

Thanks

Cathy

---
Cathy L. Smith
IT Engineer
Pacific Northwest National Laboratory
Operated by Battelle for the U.S. Department of Energy
Phone: 509.375.2687
Fax: 509.375.2330
Email: cathy.smith at pnnl.gov

From peter at digitalbrains.com Thu Nov 7 11:48:07 2013
From: peter at digitalbrains.com (Peter Lebbing)
Date: Thu, 07 Nov 2013 11:48:07 +0100
Subject: trust your corporation for keyowner identification?
In-Reply-To: <20131106222835.GD470@leortable>
References: <20131102212504.GD14302@leortable> <5275B00F.7030404@gmail.com> <608638953.20131104160200@my_localhost> <21c08d45-b1cd-423d-8c1c-74d7b292e8d5@email.android.com> <20131104222012.GA470@leortable> <20131105172607.GB470@leortable> <52797937.5090404@gmail.com> <1652666925.20131106004723@my_localhost> <20131106222835.GD470@leortable>
Message-ID: <527B6FE7.6000000@digitalbrains.com>

On 06/11/13 23:28, Leo Gaspard wrote:
> The fact that others could get just the same effect by twisting their WoT
> parameters is not an issue to me. Firstly, because there are few trust
> signatures (according to best practices I read, that said trust signatures
> are mainly made for closed-system environments), so WoT rarely expands
> outwards of one signature by someone you know.
Let's leave trust signatures out of the equation, it makes it a lot more complicated and they are rarely used. I also don't see the relation between the statements in this quote here.

> But mostly because signing is an attestation of your belief someone is who
> (s)he is. Thus, if you believe someone is who the UID states (s)he is as
> much as if you met him/her in person and followed the whole verification
> process, I would not mind your exporting signatures of the key.

I get the feeling you're partly responding to my adamant statements earlier, but you're confusing the situation I was responding to.

I think you're saying: Person X tells me their key is K1. I blindly trust person X, and I know for a fact that person X was the one who told me K1 is his key. That is, you were in the same room, or you recognised their voice on the telephone, or something similar. This is acceptable to many people as a verification.

But this is not the situation I was talking about. It's this:

Person X (having key K1) has signed key K2, asserting that it is held by Y. Since you blindly trust X, you can assign him full (or hell, ultimate if you prefer) ownertrust, and key K2 is valid for you. You don't need to sign K2 anymore, because it is already valid since you expressed your trust to GnuPG, and GnuPG uses it to validate that it belongs to Y.

Now, what Stan Tobias appeared to want, is sign key K2 himself, probably to express to others in the Web of Trust that he believes K2 to be valid. But this doesn't add any additional verification of key validity to the Web of Trust, it's noise. Because anyone else can look at the signature made by X, and decide: I trust X fully as well. They assign full trust to X, and K2 becomes valid.

Let's get back to ownertrust: in the Web of Trust, ownertrust is an expression of how well you think other people verify identities before they sign a key. If you sign key K2 based on X's signature, you haven't verified Y's identity.
You've probably verified X's identity, but not Y's. So you shouldn't sign K2.

You might believe Y when he or she walks up to you and says: my name is Y and K2 is my key. But that is not what happened; X said: K2 is Y's key. Y didn't say anything to you, let alone that you verified it was actually Y talking. That's the absolutely necessary part of verification: you believe that it was actually Y that told you K2 is theirs. Just believing K2 is Y's key is not verification; it's key validity.

I'll give an example.

In the Web of Trust, key validity is a thing that can gradually build up until it passes a certain point where we say: I have so much proof that it appears to be valid, that I conclude it's, within reason, valid. This is why you have "completes needed", "marginals needed", and "max cert depth". The latter says: once we pass a certain depth, my proof of identity becomes so indirect I don't wish to trust that information anymore. I will paint a picture with the default settings, completes 1, marginals 3, max depth 5.

Suppose A has signed B. There are three people C, D and E, who have full trust in A. They do what I'm arguing against: they sign key B as well, based on their trust of A.

Now I come along. I actually have key A valid as well, but quite indirectly: it is at level 4. I know A, but ownertrust is very personal. I think A does an okay job of verifying identities, but not to the rigorous level I personally demand. I work with pretty sensitive stuff, and my standards are high (I'm painting a picture here, not describing reality). So I assign him marginal ownertrust. Now what I would expect, is that I need some more signatures, and B will become valid at level 5, the level where I have configured GnuPG to say: okay, this is deep enough, I will not take into account B's signatures on other keys because the proof becomes too indirect.
However, I also know C, D and E, signed their keys and assigned them marginal ownertrust because I was under the impression they also verify identities pretty well. I don't know that they go around signing keys based on other people's signatures.

C, D and E are thus at level 1 in my web. They all signed B's key, so I think: that's reasonable proof that B is valid. Not only do I think that, so does GnuPG. It leads to B's key being valid at level 2. B can have another few levels of indirection before I consider the path too long. In fact, for signature paths through B, it effectively just changed my "max cert depth". B belongs at level 5, because the proof of validity is very indirect in my *own* web, but he's at level 2, so my "max cert depth" has effectively become 8 instead of 5 for paths through B.

Furthermore, what does my Web of Trust seem to imply? It implies that 3 reasonably trustworthy people all individually certified B's identity. That's a fair amount of proof that the identity is correct. More eyes have seen the passport or more people have known B for very long.

What is actually the case? This one person, A, whom I somewhat trust, has certified B's identity. It's almost as if I'd set my "marginals needed" to 1, because no more verification has ever been done of B's identity.

This is why I am adamant that you should not sign based on other people's certifications. You are muddling my view, and I think I'm basing validity on one thing whereas I'm accidentally basing it on something else. I have keys on my ring that are valid, even though they did not pass my personal demands of verification.

Lying was also brought into the discussion, as if that changes things. We are talking about trust here; I'm making a mistake when I assign ownertrust to a liar, but that in no way implies that it's okay to sign keys without verification. When I find out people lie about their verifications, I set those people to "I do NOT trust".
When I find out people sign keys they haven't verified, I set those people to "I do NOT trust".

The rest of your message about how you check an identity is a different topic altogether. But let me say this: when I sign a UID, I primarily sign the name. I prefer there's no comment, so I don't have to think about that, and ownership of an e-mail address is an interesting topic. Who owns l.gaspard at yourisp.com? You or your ISP? Both? Neither? If you wish to debate about how you check an identity, please create a separate thread, because it is a different topic.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From Dave.Smith at st.com Thu Nov 7 12:08:33 2013
From: Dave.Smith at st.com (David Smith)
Date: Thu, 7 Nov 2013 11:08:33 +0000
Subject: question about public keys
In-Reply-To: <270838A78E5A5342BB9669898FB4CF20042C6B0A@EX10MBOX01.pnnl.gov>
References: <270838A78E5A5342BB9669898FB4CF20042C6B0A@EX10MBOX01.pnnl.gov>
Message-ID: <527B74B1.3010903@st.com>

On 11/06/13 23:57, Smith, Cathy wrote:
> Hi
>
> A couple of years ago I created a gpg key for an account that is used to transfer documents with vendors. It's worked fine. We now have a new vendor that won't accept the public key because of the expiration date. I don't see a way to create another public key for this account with the shorter expiration date. Replacing the current public key will disrupt business with existing customers. Is there a solution other than creating another account with its own gpg key?

You have a number of options:

1. Edit the expiration date of the existing key, and then re-circulate it. Vendors with the old key will be able to carry on working, the new one can use the key with the shorter expiration date. As it comes close to expiration, you can re-edit the expiration date to extend it. However, this might not suit your new client's requirements.

2.
Generate a new keypair with the same email address as the old one, and only send it to the new client. However, if it gets circulated to other clients, it might cause confusion over which key to use. You can generate a new keypair with "gpg --gen-key".

3. Depending on what your new client's objections are, it might be sufficient to generate a new encryption subkey within your existing master key. The new subkey can have a different expiration date to the master key. Most of your existing clients will continue using the existing encryption subkey with a long expiration date; the new client can specifically choose to use the new subkey with a shorter expiration date. When the new subkey expires, you can simply create another one with a new expiration date. You can add a subkey by running "gpg --edit-key " and then running the command "addkey".

HTH...

From ekleog at gmail.com Thu Nov 7 17:09:30 2013
From: ekleog at gmail.com (Leo Gaspard)
Date: Thu, 7 Nov 2013 17:09:30 +0100
Subject: trust your corporation for keyowner identification?
In-Reply-To: <527B6FE7.6000000@digitalbrains.com>
References: <608638953.20131104160200@my_localhost> <21c08d45-b1cd-423d-8c1c-74d7b292e8d5@email.android.com> <20131104222012.GA470@leortable> <20131105172607.GB470@leortable> <52797937.5090404@gmail.com> <1652666925.20131106004723@my_localhost> <20131106222835.GD470@leortable> <527B6FE7.6000000@digitalbrains.com>
Message-ID: <20131107160930.GE470@leortable>

On Thu, Nov 07, 2013 at 11:48:07AM +0100, Peter Lebbing wrote:
> On 06/11/13 23:28, Leo Gaspard wrote:
> > But mostly because signing is an attestation of your belief someone is who
> > (s)he is. Thus, if you believe someone is who the UID states (s)he is as
> > much as if you met him/her in person and followed the whole verification
> > process, I would not mind your exporting signatures of the key.
>
> I get the feeling you're partly responding to my adamant statements earlier, but
> you're confusing the situation I was responding to.
Well... The answer to your previous message was in my first two paragraphs. The rest of my answer, to which you answered, was mostly thinking over some debate that arose earlier, and whose authors I do not remember. Anyway, I think you answered the most important part of my last message.

> I think you're saying: Person X tells me their key is K1. I blindly trust person
> X, and I know for a fact that person X was the one who told me K1 is his key.
> That is, you were in the same room, or you recognised their voice on the
> telephone, or something similar. This is acceptable to many people as a
> verification.
>
> But this is not the situation I was talking about. It's this:
>
> Person X (having key K1) has signed key K2, asserting that it is held by Y.
> Since you blindly trust X, you can assign him full (or hell, ultimate if you
> prefer) ownertrust, and key K2 is valid for you. You don't need to sign K2
> anymore, because it is already valid since you expressed your trust to GnuPG,
> and GnuPG uses it to validate that it belongs to Y.
>
> Now, what Stan Tobias appeared to want, is sign key K2 himself, probably to
> express to others in the Web of Trust that he believes K2 to be valid. But this
> doesn't add any additional verification of key validity to the Web of Trust,
> it's noise. Because anyone else can look at the signature made by X, and decide:
> I trust X fully as well. They assign full trust to X, and K2 becomes valid.

Except they do not have to know X, nor that he makes perfectly reasonable decisions in signing keys.

And I believe it's not noise. Let's make an example in the real world:
 * I would entrust X with my life
 * X would entrust Y with his life, without my knowing it
 * Thus, if I actually entrusted X with my life, why should I be frightened if X asked Y to take care of me? Provided, of course, X told me he was letting Y take care of me. After all, I would entrust X with my life, so I should just agree to any act he believes is good for me.
(That's what I called blind trust. Somewhat more than full trust, I believe.)

> Let's get back to ownertrust: in the Web of Trust, ownertrust is an expression
> of how well you think other people verify identities before they sign a key. If
> you sign key K2 based on X's signature, you haven't verified Y's identity.
> You've probably verified X's identity, but not Y's. So you shouldn't sign K2.

So, is a signature a matter of belief in the validity of the key or of actual work to verify the key?

> You might believe Y when he or she walks up to you and says: my name is Y and K2
> is my key. But that is not what happened; X said: K2 is Y's key. Y didn't say
> anything to you, let alone that you verified it was actually Y talking. That's
> the absolutely necessary part of verification: you believe that it was actually
> Y that told you K2 is theirs. Just believing K2 is Y's key is not verification;
> it's key validity.
>
> I'll give an example.
>
> In the Web of Trust, key validity is a thing that can gradually build up until
> it passes a certain point where we say: I have so much proof that it appears to
> be valid, that I conclude it's, within reason, valid. This is why you have
> "completes needed", "marginals needed", and "max cert depth". The latter says:
> once we pass a certain depth, my proof of identity becomes so indirect I don't
> wish to trust that information anymore. I will paint a picture with the default
> settings, completes 1, marginals 3, max depth 5.

If I understood correctly, the depth parameter you are talking about is useless, except in case there are trust signatures. And you agreed with me for them to be taken out of the equation.

> Suppose A has signed B. There are three people C, D and E, who have full trust
> in A. They do what I'm arguing against: they sign key B as well, based on their
> trust of A.
>
> Now I come along. I actually have key A valid as well, but quite indirectly: it
> is at level 4.
> I know A, but ownertrust is very personal. I think A does an okay
> job of verifying identities, but not to the rigorous level I personally demand.
> I work with pretty sensitive stuff, and my standards are high (I'm painting a
> picture here, not describing reality). So I assign him marginal ownertrust. Now
> what I would expect, is that I need some more signatures, and B will become
> valid at level 5, the level where I have configured GnuPG to say: okay, this is
> deep enough, I will not take into account B's signatures on other keys because
> the proof becomes too indirect.
>
> However, I also know C, D and E, signed their keys and assigned them marginal
> ownertrust because I was under the impression they also verify identities pretty
> well. I don't know that they go around signing keys based on other people's
> signatures.

If you do not know their key signing policy, and assign them any ownertrust, then are you working with such sensitive stuff? At least, a key signing policy such as mine would be clear enough: I sign a key when I believe it is valid as much as if I had met its owner in person.

> C, D and E are thus at level 1 in my web. They all signed B's key, so I think:
> that's reasonable proof that B is valid. Not only do I think that, so does
> GnuPG. It leads to B's key being valid at level 2. B can have another few levels
> of indirection before I consider the path too long. In fact, for signature paths
> through B, it effectively just changed my "max cert depth". B belongs at level
> 5, because the proof of validity is very indirect in my *own* web, but he's at
> level 2, so my "max cert depth" has effectively become 8 instead of 5 for paths
> through B.

Which is, as pointed above about trust signatures, quite irrelevant. (Sorry for being so blunt, I found no other wording.)

> Furthermore, what does my Web of Trust seem to imply? It implies that 3
> reasonably trustworthy people all individually certified B's identity.
> That's a
> fair amount of proof that the identity is correct. More eyes have seen the
> passport or more people have known B for very long.
>
> What is actually the case? This one person, A, whom I somewhat trust, has
> certified B's identity. It's almost as if I'd set my "marginals needed" to 1,
> because no more verification has ever been done of B's identity.

Wrong. More verification has been done for B's identity than you would have thought. Because you believe A is marginally reliable, while your web of trust believes A is fully reliable: C, D and E did enough work to check A is trustworthy, which apparently you did not do. If you believe they were wrong in this checking of A's trustworthiness, just don't assign them ownertrust. Sure, this would weaken the WoT, but as you conflict on whether A is trustworthy, why would you not conflict on whether B is who (s)he is?

> This is why I am adamant that you should not sign based on other people's
> certifications. You are muddling my view, and I think I'm basing validity on one
> thing whereas I'm accidentally basing it on something else. I have keys on my
> ring that are valid, even though they did not pass my personal demands of
> verification.

In fact, they did. Because you assigned ownertrust to C, D, and E, which you should not have done.

BTW, if I understood the WoT correctly, if C, D and E trust-signed A with full ownertrust (after all, you're talking about max depth, so why not?), then your WoT would have validated B anyway, as you marginally trusted C, D and E.

> Lying was also brought into the discussion, as if that changes things. We are
> talking about trust here; I'm making a mistake when I assign ownertrust to a
> liar, but that in no way implies that it's okay to sign keys without verification.

We do totally agree.

> When I find out people lie about their verifications, I set those people to "I
> do NOT trust".
> When I find out people sign keys they haven't verified, I set
> those people to "I do NOT trust".

So, finally your meaning of signatures is no longer about key validity, but rather about key verification? I still do not sort this out, sorry.

BTW, I do not know anyone I would trust enough to assign full ownertrust, let alone re-signing keys signed by (s)he.

> The rest of your message about how you check an identity is a different topic
> altogether. But let me say this: when I sign a UID, I primarily sign the name.
> I prefer there's no comment, so I don't have to think about that, and ownership
> of an e-mail address is an interesting topic. Who owns l.gaspard at yourisp.com?
> You or your ISP? Both? Neither? If you wish to debate about how you check an
> identity, please create a separate thread, because it is a different topic.

I did not mean to raise a topic on identity check, only to raise the issue that, in fact, you are already relying on a single assertion for UID assessment, whether it is the government or whatever.

However, if the government started to sign keys, would you assign it full ownertrust? I think that, due to NSA scandals, most would not. But they would just be fooled into thinking they are out of the reach of the government, as most identity checks would be based on government assertion. But you would expect people to continue checking information based on passports, right? So you would implicitly condone this re-signing the key.

Now, change the word "government" with the word "person A", and you are back with your example.
Cheers,

Leo

From peter at digitalbrains.com Thu Nov 7 19:21:28 2013
From: peter at digitalbrains.com (Peter Lebbing)
Date: Thu, 07 Nov 2013 19:21:28 +0100
Subject: trust your corporation for keyowner identification?
In-Reply-To: <20131107160930.GE470@leortable>
References: <608638953.20131104160200@my_localhost> <21c08d45-b1cd-423d-8c1c-74d7b292e8d5@email.android.com> <20131104222012.GA470@leortable> <20131105172607.GB470@leortable> <52797937.5090404@gmail.com> <1652666925.20131106004723@my_localhost> <20131106222835.GD470@leortable> <527B6FE7.6000000@digitalbrains.com> <20131107160930.GE470@leortable>
Message-ID: <19393fe4832c8e2f33eac8bb9c1af797@butters.digitalbrains.com>

On 2013-11-07 17:09, Leo Gaspard wrote:
> If I understood correctly, the depth parameter you are talking about
> is useless, except in case there are trust signatures. And you agreed
> with me for
> them to be taken out of the equation.

Of course it's not useless. You seem to misunderstand the Web of Trust.

I'll give an example.

I know and trust the people A, B, C, D and E. A has signed B, B has signed C, C has signed D, D has signed E, and E has signed F. I meet up with A, verify their identity, and sign their key. I assign ownertrust to A, B, C, D and E. Et voilà, the keys A, B, C, D and E are all valid, without me needing to meet up with my other friends to verify their key details. A is at level 1, B at 2, C at 3, D at 4, and E at 5. Unfortunately, F won't get valid because it is at level 6.

Now suppose C signs F as well. F is now at level 4, so it becomes valid. However, I don't trust F, so even if F now signs G, G won't become valid.

Signatures indicate verification, not trust or belief. Trust is in your trust database or in trust signatures, but the latter are not commonly used. Belief is expressed in validity calculated from your trust database and signatures.
I don't know if you can choose to disagree with GnuPG, that is, if you don't believe a key is valid even though GnuPG calculated that it is.

I could get back to all the other points you raise, but I think it's a waste of time when you have reasoned from the standpoint that to get a key to be valid, you need to sign it, and that is how it looks to me.

It's not much of a Web when you don't have any depth... it's more of two intertwined strands then ;).

HTH,

Peter.

PS: My ownertrust for E is useless for now, because he/she is at level 5. However, if I get a shorter path to him or her later, it will become useful then.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From dkg at fifthhorseman.net Thu Nov 7 19:40:22 2013
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Thu, 07 Nov 2013 13:40:22 -0500
Subject: trust your corporation for keyowner identification?
In-Reply-To: <20131107160930.GE470@leortable>
References: <608638953.20131104160200@my_localhost> <21c08d45-b1cd-423d-8c1c-74d7b292e8d5@email.android.com> <20131104222012.GA470@leortable> <20131105172607.GB470@leortable> <52797937.5090404@gmail.com> <1652666925.20131106004723@my_localhost> <20131106222835.GD470@leortable> <527B6FE7.6000000@digitalbrains.com> <20131107160930.GE470@leortable>
Message-ID: <527BDE96.5060501@fifthhorseman.net>

On 11/07/2013 11:09 AM, Leo Gaspard wrote:
> Except they do not have to know X, nor that he makes perfectly reasonable
> decisions in signing keys.
>
> And I believe it's not noise. Let's make an example in the real world:
> * I would entrust X with my life
> * X would entrust Y with his life, without my knowing it
> * Thus, if I actually entrusted X with my life, why should I be frightened if X
> asked Y to take care of me? Provided, of course, X told me he was letting Y
> take care of me.
> After all, I would entrust X with my life, so I should just
> agree to any act he believes is good for me.
> (That's what I called blind trust. Somewhat more than full trust, I believe.)

if we're talking about gpg's concept of "ownertrust", please do not muddy the waters with "entrust X with my life"? gpg's "ownertrust" is much more narrow than that: it says "I am willing to rely on OpenPGP certifications made by the holder of this key".

"entrust with my life" is not simply a superset of all other trust. I have friends who would take care of me if i was deathly ill. I would place my life in their hands. But they have never thought about how to do rigorous cryptographic identity certification, and I would not rely on their OpenPGP certifications.

>> Let's get back to ownertrust: in the Web of Trust, ownertrust is an expression
>> of how well you think other people verify identities before they sign a key. If
>> you sign key K2 based on X's signature, you haven't verified Y's identity.
>> You've probably verified X's identity, but not Y's. So you shouldn't sign K2.
>
> So, is a signature a matter of belief in the validity of the key or of actual
> work to verify the key?

An OpenPGP certification says "I believe that Key X belongs to the person identified by User ID U". Most people would not want to make that statement publicly without having thought about it and convinced themselves somehow that it is true. What it takes to convince each person may well vary, which is why we assign different ownertrust to different people. When making a public assertion like an OpenPGP certification, it is also probably reasonable to ask what the parties involved (or the rest of the world) gains from making that statement. Just because you believe a statement to be true doesn't mean you need to make it publicly, with strong cryptographic assurances, and it may have bad consequences.

Also, consider that certifications are not necessarily forever.
If Alice relies solely on Carol's certification to believe that key X belongs to Bob, and Alice then certifies (Bob,X), what does Alice do if Carol revokes her certification? If Alice doesn't pay attention and revoke her own certification, then she is announcing as fact to the world something that she should no longer believe to be true (assuming that she was relying only on Carol's certification for that belief). This sounds like an untenable maintenance situation I personally would rather avoid, which is why i do not make public certifications based solely on other people's certifications.

> If I understood correctly, the depth parameter you are talking about is useless,
> except in case there are trust signatures. And you agreed with me for them to be
> taken out of the equation.

The depth parameter is useful even without trust signatures. Peter Lebbing's response upthread describes the scenario.

Regards,

--dkg

From ekleog at gmail.com Thu Nov 7 20:10:11 2013
From: ekleog at gmail.com (Leo Gaspard)
Date: Thu, 7 Nov 2013 20:10:11 +0100
Subject: trust your corporation for keyowner identification?
In-Reply-To: <19393fe4832c8e2f33eac8bb9c1af797@butters.digitalbrains.com>
References: <20131104222012.GA470@leortable> <20131105172607.GB470@leortable> <52797937.5090404@gmail.com> <1652666925.20131106004723@my_localhost> <20131106222835.GD470@leortable> <527B6FE7.6000000@digitalbrains.com> <20131107160930.GE470@leortable> <19393fe4832c8e2f33eac8bb9c1af797@butters.digitalbrains.com>
Message-ID: <20131107191011.GF470@leortable>

On Thu, Nov 07, 2013 at 07:21:28PM +0100, Peter Lebbing wrote:
> On 2013-11-07 17:09, Leo Gaspard wrote:
> >If I understood correctly, the depth parameter you are talking about
> >is useless, except in case there are trust signatures. And you agreed with
> >me for
> >them to be taken out of the equation.
>
> Of course it's not useless. You seem to misunderstand the Web of Trust.
>
> I'll give an example.
>
> I know and trust the people A, B, C, D and E. A has signed B, B has signed
> C, C has signed D, D has signed E, and E has signed F. I meet up with A,
> verify their identity, and sign their key. I assign ownertrust to A, B, C, D
> and E. Et voilà, the keys A, B, C, D and E are all valid, without me needing
> to meet up with my other friends to verify their key details. A is at level
> 1, B at 2, C at 3, D at 4, and E at 5. Unfortunately, F won't get valid
> because it is at level 6.

Indeed, I never thought someone would assign ownertrust without verifying the key. Please accept my apologies. However, I still believe that, under the condition any ownertrusted key has been verified (which, I assumed, was commonplace, but I was apparently wrong), the depth parameter is useless.

> Now suppose C signs F as well. F is now at level 4, so it becomes valid.
> However, I don't trust F, so even if F now signs G, G won't become valid.
>
> Signatures indicate verification, not trust or belief. Trust is in your
> trust database or in trust signatures, but the latter are not commonly used.
> Belief is expressed in validity calculated from your trust database and
> signatures. I don't know if you can choose to disagree with GnuPG, that is,
> if you don't believe a key is valid even though GnuPG calculated that it is.

I'm sorry, I think I gave too much importance to your earlier statement ("Signing is to be an attestation to the validity of the key."), incorrectly deducing from it that signatures indicate that you should sign whenever you believe a key is correct as much as if you met in person.

> I could get back to all the other points you raise, but I think it's a waste
> of time when you have reasoned from the standpoint that to get a key to be
> valid, you need to sign it, and that is how it looks to me.
>
> It's not much of a Web when you don't have any depth... it's more of two
> intertwined strands then ;).
I think this time, you gave too much importance to some of my sentences. Or maybe I was too bad at making myself understood. Anyway, I meant I should sign a key whenever I believe a key to be valid as much as if I met with the keyowner. Which, of course, does not equate with merely believing a key is valid. Indeed, on the WoT, one is rarely sure of the quality of signatures. (Indeed, I believe(d) full ownertrust must be quite rare, for that same reason; but I am probably wrong.)

And, now I know assigning ownertrust to not-personally-checked keys is relatively common, I know I should not sign keys based on other people's verification.

However, to come back to the initial problem, I still believe the key change problem (ie. owner of K1 switches to K2) does not require re-verifying ownership etc. (BTW, isn't this also why transition statements, like https://we.riseup.net/assets/77263/key%20transition were written?)

But I still wonder how one should deal with key duplication (ie. owner of K1 now has a second key K2)...

> HTH,
>
> Peter.
>
> PS: My ownertrust for E is useless for now, because he/she is at level 5.
> However, if I get a shorter path to him or her later, it will become useful
> then.

Anyway, thanks for your detailed explanations about the WoT!

Cheers,

Leo

From ekleog at gmail.com Thu Nov 7 20:20:54 2013
From: ekleog at gmail.com (Leo Gaspard)
Date: Thu, 7 Nov 2013 20:20:54 +0100
Subject: trust your corporation for keyowner identification?
In-Reply-To: <20131107191011.GF470@leortable>
References: <20131105172607.GB470@leortable> <52797937.5090404@gmail.com> <1652666925.20131106004723@my_localhost> <20131106222835.GD470@leortable> <527B6FE7.6000000@digitalbrains.com> <20131107160930.GE470@leortable> <19393fe4832c8e2f33eac8bb9c1af797@butters.digitalbrains.com> <20131107191011.GF470@leortable>
Message-ID: <20131107192053.GH470@leortable>

On Thu, Nov 07, 2013 at 08:10:11PM +0100, Leo Gaspard wrote:
> I'm sorry, I think I gave too much importance to your earlier statement
> ("Signing is to be an attestation to the validity of the key.") [...]

Sorry again, just noticed it actually wasn't your statement, but Paul's! So, double mistake...

From ekleog at gmail.com Thu Nov 7 20:19:31 2013
From: ekleog at gmail.com (Leo Gaspard)
Date: Thu, 7 Nov 2013 20:19:31 +0100
Subject: trust your corporation for keyowner identification?
In-Reply-To: <527BDE96.5060501@fifthhorseman.net>
References: <20131104222012.GA470@leortable> <20131105172607.GB470@leortable> <52797937.5090404@gmail.com> <1652666925.20131106004723@my_localhost> <20131106222835.GD470@leortable> <527B6FE7.6000000@digitalbrains.com> <20131107160930.GE470@leortable> <527BDE96.5060501@fifthhorseman.net>
Message-ID: <20131107191931.GG470@leortable>

On Thu, Nov 07, 2013 at 01:40:22PM -0500, Daniel Kahn Gillmor wrote:
> On 11/07/2013 11:09 AM, Leo Gaspard wrote:
> >Except they do not have to know X, nor that he makes perfectly reasonable
> >decisions in signing keys.
> >
> >And I believe it's not noise. Let's make an example in the real world:
> > * I would entrust X with my life
> > * X would entrust Y with his life, without my knowing it
> > * Thus, if I actually entrusted X with my life, why should I be frightened if X
> > asked Y to take care of me? Provided, of course, X told me he was letting Y
> > take care of me. After all, I would entrust X with my life, so I should just
> > agree to any act he believes is good for me.
> > (That's what I called blind trust. Somewhat more than full trust, I believe.)
>
> if we're talking about gpg's concept of "ownertrust", please do not muddy the waters with "entrust X with my life"? gpg's "ownertrust" is much more narrow than that: it says "I am willing to rely on OpenPGP certifications made by the holder of this key".
>
> "entrust with my life" is not simply a superset of all other trust. I have friends who would take care of me if i was deathly ill. I would place my life in their hands. But they have never thought about how to do rigorous cryptographic identity certification, and I would not rely on their OpenPGP certifications.

Indeed, I thought of this case after having sent my email. Anyway, by "blind trust", I did mean a superset of all trusts related to keysigning.

> > > Let's get back to ownertrust: in the Web of Trust, ownertrust is an expression of how well you think other people verify identities before they sign a key. If you sign key K2 based on X's signature, you haven't verified Y's identity. You've probably verified X's identity, but not Y's. So you shouldn't sign K2.
> >
> > So, is a signature a matter of belief in the validity of the key or of actual work to verify the key?
>
> An OpenPGP certification says "I believe that Key X belongs to the person identified by User ID U". Most people would not want to make that statement publicly without having thought about it and convinced themselves somehow that it is true. What it takes to convince each person may well vary, which is why we assign different ownertrust to different people. When making a public assertion like an OpenPGP certification, it is also probably reasonable to ask what the parties involved (or the rest of the world) gains from making that statement. Just because you believe a statement to be true doesn't mean you need to make it publicly, with strong cryptographic assurances, and it may have bad consequences.
>
> Also, consider that certifications are not necessarily forever. If Alice relies solely on Carol's certification to believe that key X belongs to Bob, and Alice then certifies (Bob,X), what does Alice do if Carol revokes her certification? If Alice doesn't pay attention and revoke her own certification, then she is announcing as fact to the world something that she should no longer believe to be true (assuming that she was relying only on Carol's certification for that belief). This sounds like an untenable maintenance situation I personally would rather avoid, which is why i do not make public certifications based solely on other people's certifications.

Indeed. I just backed off in my answer to Peter, by understanding why it was not needed. However, I believe that for the initial problem (ie. key change), information provided by a signed message accompanied from a UID on the other key is significant enough, and moreover definite, so I would not be bothered signing such a new key (of course, also revoking the signature on the old key).

> > If I understood correctly, the depth parameter you are talking about is useless, except in case there are trust signatures. And you agreed with me for them to be taken out of the equation.
>
> The depth parameter is useful even without trust signatures. Peter Lebbing's response upthread describes the scenario.

Indeed. Thanks for your answer, clarifying once again what signatures mean! (I know, I'm slow to understand, but I think I'm OK now.)
Cheers,

Leo

From oub at mat.ucm.es Thu Nov 7 12:16:36 2013
From: oub at mat.ucm.es (Uwe Brauer)
Date: Thu, 07 Nov 2013 12:16:36 +0100
Subject: gpgsm and expired certificates
References: <87r4b8ic36.fsf@mat.ucm.es> <1745551923.20131101142927@my_localhost> <87fvreprlk.fsf@mat.ucm.es> <2847581.NdkjrvGDoX__40120.3072433875$1383421546$gmane$org@thufir.ingo-kloecker.de> <87habtnnyx.fsf@mat.ucm.es> <1469681422.20131104143344@my_localhost> <87habrrdnk.fsf@mat.ucm.es> <1752243747.20131105234153@my_localhost> <87txfpg3ie.fsf@gilgamesch.quim.ucm.es> <1823118545.20131106232905@my_localhost>
Message-ID: <87txfotqaz.fsf@gilgamesch.quim.ucm.es>

>> "MFPA" == MFPA writes:

Hello

[snip]

> But all the hordes who use webmail are pretty-much still out of luck, though. (With certain exceptions, such as hushmail.)

Yep, there is penango for firefox+gmail.

>> Public keys are automatically embedded in the signatures.

> That is simpler and avoids the web-bug-like effect you have if you choose to auto-retrieve OpenPGP keys from keyservers for new contacts. But must waste a lot of bandwidth between regular correspondents.

Well, given that a lot of users write emails with html markup, this really does not bother me.

>> However thunderbird refuses to use your public key claiming it cannot be trusted.

> I just searched and found [1] about Thunderbird, which says you can import a copy of other people's self-signed S/MIME certificate from a ".cer" file into your "Authorities" tab. So much for "being easier because keys are automatically embedded in the signatures."

Well, I was referring to the following 10-year-old bug https://bugzilla.mozilla.org/show_bug.cgi?id=209182

I have the feeling this is a design decision by "philosophy": thunderbird/seamonkey don't encourage the use of self-signed certificates. (BTW I just learned that there is an add-on, key-manager, which generates self-signed certificates, similar as it seems to me to the BAT.)
At first I thought that I needed to use openssl in order to extract your cert and import it under authorities, like

openssl pkcs7 -in MFPA.p7 -inform DER -print_certs > out.cert

(Which would be bad, because command line openssl is not what the average user would call comfortable, and windows users have to install openssl separately.)

However it is not necessary: I just export your signature as a pem file and import it under authorities. Still, this is very uncomfortable...

regards

Uwe Brauer

BTW, I see you switched back to pgp, but why do you use old inline mode and not pgpmime?

From Cathy.Smith at pnnl.gov Thu Nov 7 21:52:01 2013
From: Cathy.Smith at pnnl.gov (Smith, Cathy)
Date: Thu, 7 Nov 2013 20:52:01 +0000
Subject: question about public key usage
Message-ID: <270838A78E5A5342BB9669898FB4CF20042C93F2@EX10MBOX01.pnnl.gov>

Hi

Is it possible to have 2 public keys with different expiration dates for the same user? I created a public key a couple of years ago to be used to exchange documents with vendors for a batch processing account. That is working just fine. A new vendor wants our public key but requires the key to have a shorter expiration date. I don't want to distribute a new public key to existing customers.

Thank you.

Cathy

---
Cathy L. Smith
IT Engineer
Pacific Northwest National Laboratory
Operated by Battelle for the U.S. Department of Energy
Phone: 509.375.2687
Fax: 509.375.2330
Email: cathy.smith at pnnl.gov
From dougb at dougbarton.us Thu Nov 7 21:56:47 2013
From: dougb at dougbarton.us (Doug Barton)
Date: Thu, 07 Nov 2013 12:56:47 -0800
Subject: question about public key usage
In-Reply-To: <270838A78E5A5342BB9669898FB4CF20042C93F2@EX10MBOX01.pnnl.gov>
References: <270838A78E5A5342BB9669898FB4CF20042C93F2@EX10MBOX01.pnnl.gov>
Message-ID: <527BFE8F.5010208@dougbarton.us>

On 11/07/2013 12:52 PM, Smith, Cathy wrote:
> Hi
> Is it possible to have 2 public keys with different expiration dates for the same user? I created a public key a couple of years ago to be used to exchange documents with vendors for a batch processing account. That is working just fine. A new vendor wants our public key but requires the key to have a shorter expiration date. I don't want to distribute a new public key to existing customers.

Someone else already answered this question for you, but the answer effectively is "yes," however you don't need to do that. Edit the expiration date on the existing key to match the requirement for the new vendor, and then give them that version of the key. There is no reason to have multiple keys in this situation.

hope this helps,

Doug

From Cathy.Smith at pnnl.gov Thu Nov 7 22:02:44 2013
From: Cathy.Smith at pnnl.gov (Smith, Cathy)
Date: Thu, 7 Nov 2013 21:02:44 +0000
Subject: question about public key usage
In-Reply-To: <527BFE8F.5010208@dougbarton.us>
References: <270838A78E5A5342BB9669898FB4CF20042C93F2@EX10MBOX01.pnnl.gov> <527BFE8F.5010208@dougbarton.us>
Message-ID: <270838A78E5A5342BB9669898FB4CF20042C943F@EX10MBOX01.pnnl.gov>

Thank you

The earlier answer got caught at the firewall. I apologize for posting twice.

Best regards,

Cathy

---
Cathy L. Smith
IT Engineer
Pacific Northwest National Laboratory
Operated by Battelle for the U.S. Department of Energy
Phone: 509.375.2687
Fax: 509.375.2330
Email: cathy.smith at pnnl.gov

-----Original Message-----
From: Doug Barton [mailto:dougb at dougbarton.us]
Sent: Thursday, November 07, 2013 12:57 PM
To: Smith, Cathy; 'gnupg-users at gnupg.org'
Subject: Re: question about public key usage

On 11/07/2013 12:52 PM, Smith, Cathy wrote:
> Hi
> Is it possible to have 2 public keys with different expiration dates for the same user? I created a public key a couple of years ago to be used to exchange documents with vendors for a batch processing account. That is working just fine. A new vendor wants our public key but requires the key to have a shorter expiration date. I don't want to distribute a new public key to existing customers.

Someone else already answered this question for you, but the answer effectively is "yes," however you don't need to do that. Edit the expiration date on the existing key to match the requirement for the new vendor, and then give them that version of the key. There is no reason to have multiple keys in this situation.

hope this helps,

Doug

From expires2013 at ymail.com Thu Nov 7 22:23:40 2013
From: expires2013 at ymail.com (MFPA)
Date: Thu, 7 Nov 2013 21:23:40 +0000
Subject: gpgsm and expired certificates
In-Reply-To: <87txfotqaz.fsf@gilgamesch.quim.ucm.es>
References: <87r4b8ic36.fsf@mat.ucm.es> <1745551923.20131101142927@my_localhost> <87fvreprlk.fsf@mat.ucm.es> <2847581.NdkjrvGDoX__40120.3072433875$1383421546$gmane$org@thufir.ingo-kloecker.de> <87habtnnyx.fsf@mat.ucm.es> <1469681422.20131104143344@my_localhost> <87habrrdnk.fsf@mat.ucm.es> <1752243747.20131105234153@my_localhost> <87txfpg3ie.fsf@gilgamesch.quim.ucm.es> <1823118545.20131106232905@my_localhost> <87txfotqaz.fsf@gilgamesch.quim.ucm.es>
Message-ID: <888054636.20131107212340@my_localhost>

Hi

On Thursday 7 November 2013 at 11:16:36 AM, in , Uwe Brauer wrote:

> BTW, I see you switched back to pgp, but why do you use old inline mode and not pgpmime?

Because I prefer it.
I like to see the pgp signature in the message body instead of hidden away.

--
Best regards

MFPA                    mailto:expires2013 at ymail.com

Those who do not read are no better off than those who cannot.

From dougb at dougbarton.us Thu Nov 7 23:58:49 2013
From: dougb at dougbarton.us (Doug Barton)
Date: Thu, 07 Nov 2013 14:58:49 -0800
Subject: question about public key usage
In-Reply-To: <270838A78E5A5342BB9669898FB4CF20042C943F@EX10MBOX01.pnnl.gov>
References: <270838A78E5A5342BB9669898FB4CF20042C93F2@EX10MBOX01.pnnl.gov> <527BFE8F.5010208@dougbarton.us> <270838A78E5A5342BB9669898FB4CF20042C943F@EX10MBOX01.pnnl.gov>
Message-ID: <527C1B29.3010402@dougbarton.us>

On 11/07/2013 01:02 PM, Smith, Cathy wrote:
> Thank you
>
> The earlier answer got caught at the firewall. I apologize for posting twice.

Np, it happens. :)

From johannes at zarl.at Fri Nov 8 00:11:38 2013
From: johannes at zarl.at (Johannes Zarl)
Date: Fri, 08 Nov 2013 00:11:38 +0100
Subject: Signing keys on a low-entropy system
Message-ID: <1804301.84YmblyzLC@mani>

Hi,

I'm currently thinking about using a raspberry pi as a non-networked stand-alone system for signing keys. Since I haven't heard anything to the contrary, I'm pretty sure that entropy is relatively scarce on the pi.

How is GnuPG affected by such a low-entropy system? Will operations just take a bit longer, or can this affect the quality/security of generated keys or signatures?
I heard that low entropy or a bad entropy source is generally less of a problem for RSA. Is this true? Does this affect me in practice?

Cheers,
  Johannes

From ekleog at gmail.com Fri Nov 8 00:23:29 2013
From: ekleog at gmail.com (Leo Gaspard)
Date: Fri, 8 Nov 2013 00:23:29 +0100
Subject: Signing keys on a low-entropy system
In-Reply-To: <1804301.84YmblyzLC@mani>
References: <1804301.84YmblyzLC@mani>
Message-ID: <20131107232329.GB458@leortable>

(Failed again to answer to list. I really ought to replace this shortcut...)

On Fri, Nov 08, 2013 at 12:11:38AM +0100, Johannes Zarl wrote:
> Hi,
>
> I'm currently thinking about using a raspberry pi as a non-networked stand-alone system for signing keys. Since I haven't heard anything to the contrary, I'm pretty sure that entropy is relatively scarce on the pi.

I heard haveged is quite good at gathering entropy from anywhere it can (processor cycles, etc.)

> How is GnuPG affected by such a low-entropy system? Will operations just take a bit longer, or can this affect the quality/security of generated keys or signatures?
>
> I heard that low entropy or a bad entropy source is generally less of a problem for RSA. Is this true? Does this affect me in practice?

In theory, if /dev/random is configured to allow only random enough data to pass, it should just mean operations would take longer. However, I am not absolutely sure of this -- but I know in theory /dev/random ensures some minimum entropy, thus sometimes blocking reads.
Cheers & HTH,

Leo

From expires2013 at ymail.com Fri Nov 8 00:25:15 2013
From: expires2013 at ymail.com (MFPA)
Date: Thu, 7 Nov 2013 23:25:15 +0000
Subject: gpgsm and expired certificates
In-Reply-To: <87txfotqaz.fsf@gilgamesch.quim.ucm.es>
References: <87r4b8ic36.fsf@mat.ucm.es> <1745551923.20131101142927@my_localhost> <87fvreprlk.fsf@mat.ucm.es> <2847581.NdkjrvGDoX__40120.3072433875$1383421546$gmane$org@thufir.ingo-kloecker.de> <87habtnnyx.fsf@mat.ucm.es> <1469681422.20131104143344@my_localhost> <87habrrdnk.fsf@mat.ucm.es> <1752243747.20131105234153@my_localhost> <87txfpg3ie.fsf@gilgamesch.quim.ucm.es> <1823118545.20131106232905@my_localhost> <87txfotqaz.fsf@gilgamesch.quim.ucm.es>
Message-ID: <1824147606.20131107232515@my_localhost>

Hi

On Thursday 7 November 2013 at 11:16:36 AM, in , Uwe Brauer wrote:

> However it is not necessary: I just export your signature as a pem file and import it under authorities. Still, this is very uncomfortable...

I had to search for and import some more root certificates from the Comodo website before I could encrypt to you using my mailer's built-in s/mime. Microsoft Crypto-API no use, even after your and comodo's certificates imported into certmgr.msc. I'm probably doing something wrong there, but it's not clear what to do. For something that is supposed to be easier than OpenPGP, s/mime doesn't seem easy to me.

--
Best regards

MFPA                    mailto:expires2013 at ymail.com

My mind works like lightning... one brilliant flash and it's gone

From expires2013 at ymail.com Fri Nov 8 00:55:05 2013
From: expires2013 at ymail.com (MFPA)
Date: Thu, 7 Nov 2013 23:55:05 +0000
Subject: trust your corporation for keyowner identification?
In-Reply-To: <20131107191011.GF470@leortable>
References: <20131104222012.GA470@leortable> <20131105172607.GB470@leortable> <52797937.5090404@gmail.com> <1652666925.20131106004723@my_localhost> <20131106222835.GD470@leortable> <527B6FE7.6000000@digitalbrains.com> <20131107160930.GE470@leortable> <19393fe4832c8e2f33eac8bb9c1af797@butters.digitalbrains.com> <20131107191011.GF470@leortable>
Message-ID: <456527012.20131107235505@my_localhost>

Hi

On Thursday 7 November 2013 at 7:10:11 PM, in , Leo Gaspard wrote:

> But I still wonder how one should deal with key duplication (ie. owner of K1 now has a second key K2)...

If the owner doesn't revoke one, you could always disable one. One approach might be to contact the owner and ask which key to use. Or use the newest available key. Or just pick at random. Or encrypt to both. Or use whichever the owner seems to use themself. But they might have multiple keys for a reason, such as purpose of communication. Or one for their phone and another for their computer.

--
Best regards

MFPA                    mailto:expires2013 at ymail.com

Volvo, Video, Velcro. (I came, I saw, I stuck around.)
From expires2013 at ymail.com Fri Nov 8 00:59:11 2013
From: expires2013 at ymail.com (MFPA)
Date: Thu, 7 Nov 2013 23:59:11 +0000
Subject: unsubscribe
Message-ID: <1913837369.20131107235911@my_localhost>

Hi

On Wednesday 6 November 2013 at 7:46:50 AM, in , Griffin Cheng [CLIB] wrote:

> [nothing]

I thought "subscribe" and "unsubscribe" and "help" requests went to

--
Best regards

MFPA                    mailto:expires2013 at ymail.com

If you are afraid to speak against tyranny, then you are already a slave.

From rpuls at kcore.de Fri Nov 8 08:31:09 2013
From: rpuls at kcore.de (René Puls)
Date: Fri, 8 Nov 2013 08:31:09 +0100
Subject: Signing keys on a low-entropy system
In-Reply-To: <1804301.84YmblyzLC@mani>
References: <1804301.84YmblyzLC@mani>
Message-ID: <20131108083109.4a7b0f35@kcore.de>

Hi,

On Fri, 08 Nov 2013 00:11:38 +0100 Johannes Zarl wrote:
> I'm currently thinking about using a raspberry pi as a non-networked stand-alone system for signing keys. Since I haven't heard anything to the contrary, I'm pretty sure that entropy is relatively scarce on the pi.
The Raspberry Pi has a hardware RNG that is supported by rng-tools, which is more than most desktop PCs have:

http://scruss.com/blog/2013/06/07/well-that-was-unexpected-the-raspberry-pis-hardware-random-number-generator/

Not sure about its quality though...

René

--
https://home.kianga.eu/
PGP key fingerprints:
4096R/0x5FC59EAE = 1FF3 00CE C1A7 68A9 594A 5F1F B45B 1439 5FC5 9EAE
2048R/0x8B64D678 = 28F9 48E9 8B59 F97F 6AFB E0B4 D8C3 477F 8B64 D678

From johannes at zarl.at Fri Nov 8 14:17:53 2013
From: johannes at zarl.at (Johannes Zarl)
Date: Fri, 08 Nov 2013 14:17:53 +0100
Subject: Signing keys on a low-entropy system
In-Reply-To: <20131108083109.4a7b0f35@kcore.de>
References: <1804301.84YmblyzLC@mani> <20131108083109.4a7b0f35@kcore.de>
Message-ID: <7867595.FkKyxT7aqj@mani>

The hardware-RNG somehow slipped under my radar. Thanks for pointing that out.

Out of curiosity: how does GnuPG deal with a system where entropy is scarce (or worse yet, where the RNG is partly predictable)?

Cheers,
  Johannes

On Friday 08 November 2013 08:31:09 René Puls wrote:
> Hi,
>
> On Fri, 08 Nov 2013 00:11:38 +0100 Johannes Zarl wrote:
> > I'm currently thinking about using a raspberry pi as a non-networked stand-alone system for signing keys. Since I haven't heard anything to the contrary, I'm pretty sure that entropy is relatively scarce on the pi.
>
> The Raspberry Pi has a hardware RNG that is supported by rng-tools, which is more than most desktop PCs have:
>
> http://scruss.com/blog/2013/06/07/well-that-was-unexpected-the-raspberry-pis-hardware-random-number-generator/
>
> Not sure about its quality though...
>
> René

From mwood at IUPUI.Edu Fri Nov 8 16:17:58 2013
From: mwood at IUPUI.Edu (Mark H. Wood)
Date: Fri, 8 Nov 2013 10:17:58 -0500
Subject: gpgsm and expired certificates
In-Reply-To: <87txfotqaz.fsf@gilgamesch.quim.ucm.es>
References: <1745551923.20131101142927@my_localhost> <87fvreprlk.fsf@mat.ucm.es> <2847581.NdkjrvGDoX__40120.3072433875$1383421546$gmane$org@thufir.ingo-kloecker.de> <87habtnnyx.fsf@mat.ucm.es> <1469681422.20131104143344@my_localhost> <87habrrdnk.fsf@mat.ucm.es> <1752243747.20131105234153@my_localhost> <87txfpg3ie.fsf@gilgamesch.quim.ucm.es> <1823118545.20131106232905@my_localhost> <87txfotqaz.fsf@gilgamesch.quim.ucm.es>
Message-ID: <20131108151758.GE22660@IUPUI.Edu>

On Thu, Nov 07, 2013 at 12:16:36PM +0100, Uwe Brauer wrote:
> >> "MFPA" == MFPA writes:

[snip]

> >> However thunderbird refuses to use your public key claiming it cannot be trusted.
> >
> > I just searched and found [1] about Thunderbird, which says you can import a copy of other people's self-signed S/MIME certificate from a ".cer" file into your "Authorities" tab. So much for "being easier because keys are automatically embedded in the signatures."
>
> Well I was referring to the following 10-year-old bug https://bugzilla.mozilla.org/show_bug.cgi?id=209182
>
> I have the feeling this is a design decision by "philosophy": thunderbird/seamonkey don't encourage the use of self-signed certificates (BTW I just learned that there is an add-on, key-manager, which generates self-signed certificates, similar as it seems to me to the BAT.

This bug seems to cry out for an add-on. Then people who (think they) know what they are doing can have the additional convenience, and the rest can do whatever it is they do now. I would guess there is resistance to putting this into the base product on the theory that 99.9% of users will just hit "yes", meaning "get rid of this unintelligible dialog and let me read the message", which is arguably a Bad Thing.
Since we're getting offtopic anyway, I'll continue and opine that this add-on would only be doing for self-signed cert.s and other unknown CAs the same thing that the user *should* have done with those commercial root cert.s: evaluate and install them individually. (Of course hardly any of us have done this.)

--
Mark H. Wood, Lead System Programmer   mwood at IUPUI.Edu
Machines should not be friendly. Machines should be obedient.

From tapio.sokura at iki.fi Fri Nov 8 18:07:21 2013
From: tapio.sokura at iki.fi (Tapio Sokura)
Date: Fri, 08 Nov 2013 19:07:21 +0200
Subject: Signing keys on a low-entropy system
In-Reply-To: <1804301.84YmblyzLC@mani>
References: <1804301.84YmblyzLC@mani>
Message-ID: <527D1A49.8080109@iki.fi>

On 8.11.2013 1:11, Johannes Zarl wrote:
> How is GnuPG affected by such a low-entropy system? Will operations just take a bit longer, or can this affect the quality/security of generated keys or signatures?

Key generation definitely needs good random data. But generating an RSA signature is completely deterministic; the RSA operations themselves do not use or need random data. Another thing is that some signature schemes that use RSA also add random padding data into the data that is being signed, but I don't think signatures in PGP do that. I may be wrong though, haven't combed through the PGP specs thoroughly.
Tapio

From peter at digitalbrains.com Fri Nov 8 19:01:34 2013
From: peter at digitalbrains.com (Peter Lebbing)
Date: Fri, 08 Nov 2013 19:01:34 +0100
Subject: Signing keys on a low-entropy system
In-Reply-To: <527D1A49.8080109@iki.fi>
References: <1804301.84YmblyzLC@mani> <527D1A49.8080109@iki.fi>
Message-ID: <527D26FE.5000402@digitalbrains.com>

On 08/11/13 18:07, Tapio Sokura wrote:
> Another thing is that some signature schemes that use RSA also add random padding data into the data that is being signed, but I don't think signatures in PGP do that. I may be wrong though, haven't combed through the PGP specs thoroughly.

Nope, OpenPGP uses EMSA-PKCS1-v1_5, which is completely deterministic.

I /think/ GnuPG doesn't need any randomness for RSA signatures. I moved my random_seed file, and performed the following steps:

- Extend the expiration date on an RSA testkey that was expired[1]
- Sign a testfile
- Verify the signature; this launched a trustdb check since I had edited the key

And no new random_seed was ever generated.

Then I tried encrypting to that key (after having extended the expiry date of the subkey as well), and now a random_seed was generated.

So my guess is that indeed, RSA signatures do not use randomness. And that as soon as you use randomness, a random_seed file will be created. In fact, I seem to get the same results when not removing my old random_seed, but simply by looking at the modification time of the file: it will not be touched when randomness isn't used.

Obviously, this is all conjecture.

HTH,

Peter.

[1] Format: primary 2048R has SC capabilities, sub 2048R has E.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From rjh at sixdemonbag.org Fri Nov 8 20:09:10 2013
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 08 Nov 2013 11:09:10 -0800
Subject: gpgsm and expired certificates
In-Reply-To: <20131108151758.GE22660@IUPUI.Edu>
References: <1745551923.20131101142927@my_localhost> <87fvreprlk.fsf@mat.ucm.es> <2847581.NdkjrvGDoX__40120.3072433875$1383421546$gmane$org@thufir.ingo-kloecker.de> <87habtnnyx.fsf@mat.ucm.es> <1469681422.20131104143344@my_localhost> <87habrrdnk.fsf@mat.ucm.es> <1752243747.20131105234153@my_localhost> <87txfpg3ie.fsf@gilgamesch.quim.ucm.es> <1823118545.20131106232905@my_localhost> <87txfotqaz.fsf@gilgamesch.quim.ucm.es> <20131108151758.GE22660@IUPUI.Edu>
Message-ID: <20131108110910.Horde.y1jegFqtggLG-z41o0eVAg9@mail.sixdemonbag.org>

(Before I begin I should say I agree with Mark -- this is commentary, not disagreement.)

> This bug seems to cry out for an add-on. Then people who (think they) know what they are doing can have the additional convenience, and the rest can do whatever it is they do now. I would guess there is resistance to putting this into the base product on the theory that 99.9% of users will just hit "yes", meaning "get rid of this unintelligible dialog and let me read the message", which is arguably a Bad Thing.

A detail oft-overlooked is that the question isn't whether the *sender* is part of the 0.1%; the question is whether the *recipient* is part of the 0.1%. If I use a self-signed S/MIME cert, will my recipient be savvy enough to understand the risks and take appropriate steps?

I think 0.1% is a reasonable approximation: of all Thunderbird users, maybe one in a thousand has the skill necessary to safely and responsibly use a self-signed S/MIME cert, or to safely and responsibly check someone else's usage of a self-signed S/MIME cert. So one in a thousand senders, multiplied by one in a thousand recipients...

What I'm getting at here is that this isn't just a case of "99.9% of users will just hit 'yes', which is arguably a Bad Thing."
It's also a case of the user base for this being so small as to be indistinguishable from statistical noise.

> CAs the same thing that the user *should* have done with those commercial root cert.s: evaluate and install them individually. (Of course hardly any of us have done this.)

Well, 'should' is a pretty strong word. So long as someone understands the risks involved in letting Mozilla define your list of trusted CAs rather than taking individual responsibility yourself, that's really all we can ask for.

I do agree, though, that the default list of trusted CAs is eye-poppingly large.

From oub at mat.ucm.es Fri Nov 8 13:00:56 2013
From: oub at mat.ucm.es (Uwe Brauer)
Date: Fri, 08 Nov 2013 13:00:56 +0100
Subject: gpgsm and expired certificates
References: <87r4b8ic36.fsf@mat.ucm.es> <1745551923.20131101142927@my_localhost> <87fvreprlk.fsf@mat.ucm.es> <2847581.NdkjrvGDoX__40120.3072433875$1383421546$gmane$org@thufir.ingo-kloecker.de> <87habtnnyx.fsf@mat.ucm.es> <1469681422.20131104143344@my_localhost> <87habrrdnk.fsf@mat.ucm.es> <1752243747.20131105234153@my_localhost> <87txfpg3ie.fsf@gilgamesch.quim.ucm.es> <1823118545.20131106232905@my_localhost> <87txfotqaz.fsf@gilgamesch.quim.ucm.es> <1824147606.20131107232515@my_localhost>
Message-ID: <87zjpfxfuv.fsf@gilgamesch.quim.ucm.es>

>> "MFPA" == MFPA writes:

> Hi

> On Thursday 7 November 2013 at 11:16:36 AM, in , Uwe Brauer wrote:

> I had to search for and import some more root certificates from the Comodo website before I could encrypt to you using my mailer's built-in s/mime.

> Microsoft Crypto-API no use, even after your and comodo's certificates imported into certmgr.msc. I'm probably doing something wrong there, but it's not clear what to do.

> For something that is supposed to be easier than OpenPGP, s/mime doesn't seem easy to me.

That is really odd. I have successfully interchanged s/mime emails with users using thunderbird or outlook + windows + Comodo certificates.
None of them had to install the root certificates. It seems to me that the BAT does not support Comodo CA.

Uwe

From expires2013 at ymail.com Sat Nov 9 17:45:27 2013
From: expires2013 at ymail.com (MFPA)
Date: Sat, 9 Nov 2013 16:45:27 +0000
Subject: gpgsm and expired certificates
In-Reply-To: <87zjpfxfuv.fsf@gilgamesch.quim.ucm.es>
References: <87r4b8ic36.fsf@mat.ucm.es> <1745551923.20131101142927@my_localhost> <87fvreprlk.fsf@mat.ucm.es> <2847581.NdkjrvGDoX__40120.3072433875$1383421546$gmane$org@thufir.ingo-kloecker.de> <87habtnnyx.fsf@mat.ucm.es> <1469681422.20131104143344@my_localhost> <87habrrdnk.fsf@mat.ucm.es> <1752243747.20131105234153@my_localhost> <87txfpg3ie.fsf@gilgamesch.quim.ucm.es> <1823118545.20131106232905@my_localhost> <87txfotqaz.fsf@gilgamesch.quim.ucm.es> <1824147606.20131107232515@my_localhost> <87zjpfxfuv.fsf@gilgamesch.quim.ucm.es>
Message-ID: <1619551221.20131109164527@my_localhost>

Hi

On Friday 8 November 2013 at 12:00:56 PM, in , Uwe Brauer wrote:

> It seems to me that the BAT does not support Comodo CA.
> Uwe

Aside from the ones I have added, The Bat has about 120 root CA certificates. I guess it is a minority-use mailer and a lot of the CAs won't pay for their certificates to be included. But Microsoft Crypto-API has nearly 400 root CA certificates, and Comodo's were missing there too. In researching, I read (I think on a Comodo help forum) that their certificates are only included in relatively recent windows versions, and Microsoft tags root certificate updates as "non-critical."

--
Best regards

MFPA                    mailto:expires2013 at ymail.com

If you are afraid to speak against tyranny, then you are already a slave.
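[Editor's note on the "Signing keys on a low-entropy system" thread above. Tapio and Peter state that RSA key generation needs good randomness while an OpenPGP RSA signature (EMSA-PKCS1-v1_5, RFC 8017) is fully deterministic. The block below is an added example, not code from any poster, from GnuPG or from libgcrypt: a textbook RSA over Python integers in which the only RNG use is in key generation; signing is the RFC 8017 encoding plus one modular exponentiation and takes no random input, so the same file signed twice yields byte-identical signatures. The key size, the SHA-256 DigestInfo prefix and the sample message are constructed for illustration; the code is not meant as a production signer.]

```python
"""Textbook RSA with RSASSA-PKCS1-v1_5 (RFC 8017 sections 8.2 and 9.2).

Added example for the low-entropy thread: key generation draws from the OS
entropy source; signing and verification draw nothing.  Constructed for
illustration only (no constant-time arithmetic, no side-channel defences).
"""
import hashlib
import secrets

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; the witnesses are drawn from the system RNG."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # composite witnessed
    return True


def random_prime(bits: int) -> int:
    """Draw odd candidates with the top bit set until one is probably prime.
    This is the step a low-entropy system makes slow or unsafe."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512, e: int = 65537):
    """Key generation, the only randomised step. Returns (n, e, d)."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:               # e is prime, so this is gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)


def emsa_pkcs1_v1_5_encode(message: bytes, em_len: int) -> bytes:
    """RFC 8017 section 9.2: EM = 0x00 || 0x01 || PS || 0x00 || T.
    Every byte is fixed by the message digest and the modulus size."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)          # at least 8 bytes of 0xFF
    return b"\x00\x01" + ps + b"\x00" + t


def sign(message: bytes, n: int, d: int) -> bytes:
    """RSASSA-PKCS1-v1_5 signing: deterministic encoding, then s = EM^d mod n."""
    k = (n.bit_length() + 7) // 8                 # modulus length in octets
    em = emsa_pkcs1_v1_5_encode(message, k)
    s = pow(int.from_bytes(em, "big"), d, n)
    return s.to_bytes(k, "big")


def verify(message: bytes, signature: bytes, n: int, e: int) -> bool:
    """Recover EM with the public exponent and compare against a fresh encoding."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return em == emsa_pkcs1_v1_5_encode(message, k)


def signing_is_deterministic(message: bytes, n: int, d: int, trials: int = 5) -> bool:
    """Sign the same bytes repeatedly; PKCS#1 v1.5 must give identical output
    (a randomised scheme such as RSASSA-PSS would not)."""
    first = sign(message, n, d)
    return all(sign(message, n, d) == first for _ in range(trials - 1))


if __name__ == "__main__":
    n, e, d = generate_keypair()                  # the only call that needs entropy
    msg = b"testfile signed on the non-networked pi"   # constructed sample input
    print("deterministic:", signing_is_deterministic(msg, n, d))
    print("verifies:", verify(msg, sign(msg, n, d), n, e))
```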
From shavital at gmail.com Sat Nov 9 23:48:18 2013
From: shavital at gmail.com (Charly Avital)
Date: Sun, 10 Nov 2013 00:48:18 +0200
Subject: Threema.
Message-ID: <527EBBB2.70209@gmail.com>

Hi,

in German:

What do you think of it?

Charly

From shavital at mac.com Sat Nov 9 23:49:11 2013
From: shavital at mac.com (Charly Avital)
Date: Sun, 10 Nov 2013 00:49:11 +0200
Subject: Threema.
Message-ID: <527EBBE7.10705@mac.com>

Hi,

in German:

What do you think of it?

Charly

From rjh at sixdemonbag.org Sun Nov 10 02:46:23 2013
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 09 Nov 2013 20:46:23 -0500
Subject: Threema.
Message-ID: <5jgt252q57eblh3qdtn1ng98.1384047983483@email.android.com>

Looking over their site briefly I was unable to find a link for source
code. As a result, I think very little of it. I don't think it's wise to
trust unknown third-party binaries that don't provide source.

From shavital at gmail.com Sun Nov 10 02:54:14 2013
From: shavital at gmail.com (Charly Avital)
Date: Sun, 10 Nov 2013 03:54:14 +0200
Subject: Threema.
In-Reply-To:
References: <527EBBE7.10705@mac.com>
Message-ID: <527EE746.7060000@gmail.com>

kendrick eastes wrote on 11/10/13, 3:17 AM:
> might be better received at a cryptography based mailing list, also, do
> you plan on releasing source?
>
> apologies if this double sends, I've been having network issues recently.

The source belongs to the company whose web site figures in the link I
sent. I have no connection whatsoever with that company, I was just
asking the GnuPG-users list for an opinion.

Sorry for the misunderstanding.
Charly
0x15E4F2EA
Mac OS X 10.9 13A603 MacBook Intel C2Duo 2GHz 13-inch, Aluminum, Late 2008.
(GnuPG/MacGPG2) 2.0.20 - gpg (GnuPG) 1.4.15
TB 24.0.1
Enigmail version 1.6 (20131006-1849)

From keastes at gmail.com Sun Nov 10 02:17:01 2013
From: keastes at gmail.com (kendrick eastes)
Date: Sat, 9 Nov 2013 18:17:01 -0700
Subject: Threema.
In-Reply-To: <527EBBE7.10705@mac.com>
References: <527EBBE7.10705@mac.com>
Message-ID:

might be better received at a cryptography based mailing list, also, do
you plan on releasing source?

apologies if this double sends, I've been having network issues recently.

On Sat, Nov 9, 2013 at 3:49 PM, Charly Avital wrote:

> Hi,
>
> in German:
>
> What do you think of it?
> Charly
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

From ms at it-infrastrukturen.org Sun Nov 10 12:02:31 2013
From: ms at it-infrastrukturen.org (Mark Schneider)
Date: Sun, 10 Nov 2013 12:02:31 +0100
Subject: Threema. / don't trust closed source software
In-Reply-To: <5jgt252q57eblh3qdtn1ng98.1384047983483@email.android.com>
References: <5jgt252q57eblh3qdtn1ng98.1384047983483@email.android.com>
Message-ID: <527F67C7.3020205@it-infrastrukturen.org>

On 10.11.2013 02:46, Robert J. Hansen wrote:
> Looking over their site briefly I was unable to find a link for source
> code. As a result, I think very little of it. I don't think it's wise to
> trust unknown third-party binaries that don't provide source.

It is a commercial iOS and Android application without source code and
even such important details as the used encryption.

Don't trust closed source software products!
regards, Mark

--
ms at it-infrastrukturen.org
http://rsync.it-infrastrukturen.org
http://git.it-infrastrukturen.org

From hasgarion at hellshell.de Sun Nov 10 11:50:15 2013
From: hasgarion at hellshell.de (Alexander Truemper)
Date: Sun, 10 Nov 2013 11:50:15 +0100
Subject: Duplicating smartcard
Message-ID: <527F64E7.6070107@hellshell.de>

Hello everyone,

since I could not reveal anything useful on google, here my question.

I want to have a safe backup of my smartcard which contains my primary
key and two subkeys.

I guessed the private keys can not be exported as it would make no
sense then to have a smartcard.

But if I run 'gpg --export-secret-keys' for my keys, it actually seems
to export the private keys according to pgpdump.

How can this be? (I see no smartcard activity on the terminal and no
PIN is asked)

Since I'm new to gpg and smartcards I don't know what to think of this.
And still I don't know how to make a backup copy of my smartcard.

Any ideas or further readings highly welcome.

Best regards,
Alexander

From gnupg at oneiroi.net Sun Nov 10 12:57:47 2013
From: gnupg at oneiroi.net (Filip M. Nowak)
Date: Sun, 10 Nov 2013 12:57:47 +0100
Subject: Threema. / don't trust closed source software
In-Reply-To: <527F67C7.3020205@it-infrastrukturen.org>
References: <5jgt252q57eblh3qdtn1ng98.1384047983483@email.android.com> <527F67C7.3020205@it-infrastrukturen.org>
Message-ID: <527F74BB.4060709@oneiroi.net>

Hello,

On 10.11.2013 12:02, Mark Schneider wrote:
> (...)
> It is a commercial iOS and Android application without source code and
> even such important details as the used encryption.
> (...)

Actually such information is available here: https://threema.ch/en/faq.html.
They are stating that they are using NaCl (http://nacl.cr.yp.to/) for
ECC and NSFileProtectionComplete (iOS) or/and self-implemented AES256
(Android) for stored messages encryption.

Cheers,
Filip

From pete at heypete.com Sun Nov 10 13:02:33 2013
From: pete at heypete.com (Pete Stephenson)
Date: Sun, 10 Nov 2013 13:02:33 +0100
Subject: Duplicating smartcard
In-Reply-To: <527F64E7.6070107@hellshell.de>
References: <527F64E7.6070107@hellshell.de>
Message-ID:

On Sun, Nov 10, 2013 at 11:50 AM, Alexander Truemper wrote:
> Hello everyone,
>
> since I could not reveal anything useful on google, here my question.
>
> I want to have a safe backup of my smartcard which contains my primary
> key and two subkeys.

Did you generate the keys on the smartcard, or did you generate them on
the computer and then later transfer them to the smartcard?

If you generated them on the card itself, you cannot back up the keys.
If you generated them on the computer, you can back up the keys to
other media prior to transferring the keys to the smartcard. Once
they're on the card the private keys cannot be exported.

> I guessed the private keys can not be exported as it would make no
> sense then to have a smartcard.

Correct.

> But if I run 'gpg --export-secret-keys' for my keys, it actually seems
> to export the private keys according to pgpdump.
>
> How can this be?
> (I see no smartcard activity on the terminal and no
> PIN is asked)

It exports the "stub" private keys that, in essence, say "The actual
private keys exist on the smartcard with $SERIAL_NUMBER". These stubs
are not private at all, and contain no actual key material.

Cheers!
-Pete

From jhs at berklix.com Sun Nov 10 13:26:32 2013
From: jhs at berklix.com (Julian H. Stacey)
Date: Sun, 10 Nov 2013 13:26:32 +0100
Subject: Threema.
In-Reply-To: Your message "Sun, 10 Nov 2013 03:54:14 +0200." <527EE746.7060000@gmail.com>
Message-ID: <201311101226.rAACQWRi056851@fire.js.berklix.net>

Charly Avital wrote:
>
> kendrick eastes wrote on 11/10/13, 3:17 AM:
> > might be better received at a cryptography based mailing list, also, do
> > you plan on releasing source?
> >
> > apologies if this double sends, I've been having network issues recently.
>
> The source belongs to the company whose web site figures in the link I sent.

No source = Don't use.

Companies have their own commercial interests, can die & be bought, can
be leaned on by their home nation state, plus states can spy, emit
trojans, & want to weaken cryptography/security.

> I have no connection whatsoever with that company, I was just asking the
> GnuPG-users list for an opinion.
>
> Sorry for the misunderstanding.
> Charly

Cheers,
Julian
--
Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com
 Interleave replies below like a play script. Indent old text with "> ".
 Send plain text, not quoted-printable, HTML, base64, or multipart/alternative.
 Extradite NSA spy chief Alexander.
 http://berklix.eu/jhs/blog/2013_10_30

From htd at fritha.org Sun Nov 10 13:49:49 2013
From: htd at fritha.org (Heinz Diehl)
Date: Sun, 10 Nov 2013 13:49:49 +0100
Subject: Duplicating smartcard
In-Reply-To: <527F64E7.6070107@hellshell.de>
References: <527F64E7.6070107@hellshell.de>
Message-ID: <20131110124949.GB3964@fritha.org>

On 10.11.2013, Alexander Truemper wrote:

> But if I run 'gpg --export-secret-keys' for my keys, it actually seems
> to export the private keys according to pgpdump.
> How can this be? (I see no smartcard activity on the terminal and no
> PIN is asked)

It's not the real secret key, but the stub which points to it which gets
exported. So don't panic :-)

From johanw at vulcan.xs4all.nl Sun Nov 10 17:30:27 2013
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Sun, 10 Nov 2013 17:30:27 +0100
Subject: Threema.
In-Reply-To: <527EBBB2.70209@gmail.com>
References: <527EBBB2.70209@gmail.com>
Message-ID: <527FB4A3.3080200@vulcan.xs4all.nl>

On 09-11-2013 23:48, Charly Avital wrote:

> What do you think of it?

As others have mentioned, it seems to be closed source (and since it's
payware I doubt they'll release the code). Further the Android version
strongly suggests to use it with a Google account for push notifications
and updates, which in itself is of course a security risk. Although they
do offer a version without having to use Google stuff.

--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From sttob at privatdemail.net Mon Nov 11 00:03:53 2013
From: sttob at privatdemail.net (Stan Tobias)
Date: Mon, 11 Nov 2013 00:03:53 +0100
Subject: trust your corporation for keyowner identification?
In-Reply-To: <72ff7e95-a66b-411c-abd4-4e83af5c0827@email.android.com>
References: <525EEE33.1060304__39450.1849696555$1381953182$gmane$org@dougbarton.us> <109563160.20131016222807__37584.6967836425$1381959035$gmane$org@my_localhost> <525FE12A.5040307__21646.6946680614$1382015420$gmane$org@vulcan.xs4all.nl> <20131017135454.Horde.PF7HtsAisFNCiofjRFOv2w7@mail.sixdemonbag.org> <52669348.+eLRL6ulbwvCCmiJ%sttob@privatdemail.net> <5266F5CA.80509@sixdemonbag.org> <526806e2.PnylUKoa89KDX8qO%sttob@privatdemail.net> <52681AFA.2060102@digitalbrains.com> <52685878.6AXcxDzMhOJmhsWU%sttob@privatdemail.net> <5268E9F2.1050108@digitalbrains.com> <5269588e.wAXyOS+XkCb/A4Oa%sttob@privatdemail.net> <526e2592.vizyzHwEGhmqqHhK%sttob@privatdemail.net> <72ff7e95-a66b-411c-abd4-4e83af5c0827@email.android.com>
Message-ID: <528010d9.LtXrLzJXjxQgH19J%sttob@privatdemail.net>

"Paul R. Ramer" wrote:

> Stan Tobias wrote:
>
> >Yes, but by remote communication. The reasoning goes like this: The
> >signature is validated by my certificate (or, in case 2a, by my
> >friends' whom I trust fully). The message is authenticated by X's valid
> >signature, therefore the message has not been tampered with and its
> >author is X. X says he uses a new key K2. Because I've got this message
> >from X, I have verified the ownership of K2, so I can sign it.
>
> Sorry, but this is wrong. The certificate of the first key is valid,
> the signature of the message is valid, but your correspondent's claim
> to ownership of the second key is not yet proven. While you know that
> whoever has control of the first key sent you that message, you have
> not confirmed that he can decrypt and sign with the second key.

This is a "technicality" that can be fixed by sending an encrypted
unknown message and awaiting a decrypted version, just as you've
described elsewhere.
I haven't tried to cover every minute detail of verification; my general
idea is to replace direct contact with electronic signed messages, after
having properly initialized the exchange (verified, etc.). The question
is: do signatures supply an authenticated channel which can serve instead
of physical contact, or not? For me, at this point, the question is
still open.

I've been reading subsequent discussion; I think Leo Gaspard has made a
few excellent points. I have nothing significant to add here.

I have one question, though. My understanding is that e-mail
verification by sending an encrypted message is part of identity
verification (it defends against petty fraud, but that's the least we
can do). Why is it important to verify the owner can _decrypt_ a
message? Can you sketch a problem this verification defends against?

Stan Tobias

From sttob at privatdemail.net Mon Nov 11 00:28:11 2013
From: sttob at privatdemail.net (Stan Tobias)
Date: Mon, 11 Nov 2013 00:28:11 +0100
Subject: trust your corporation for keyowner identification?
In-Reply-To: <52797937.5090404@gmail.com>
References: <5269588e.wAXyOS+XkCb/A4Oa%sttob@privatdemail.net> <526e2592.vizyzHwEGhmqqHhK%sttob@privatdemail.net> <72ff7e95-a66b-411c-abd4-4e83af5c0827@email.android.com> <20131102212504.GD14302@leortable> <5275B00F.7030404@gmail.com> <608638953.20131104160200@my_localhost> <21c08d45-b1cd-423d-8c1c-74d7b292e8d5@email.android.com> <20131104222012.GA470@leortable> <20131105172607.GB470@leortable> <52797937.5090404@gmail.com>
Message-ID: <5280168b.PjQIF5fkSJpLDodU%sttob@privatdemail.net>

"Paul R. Ramer" wrote:

> On 11/05/2013 09:26 AM, Leo Gaspard wrote:
> > However, I think in this case (assuming there are no more UID on key 2 than on
> > key 1), assertions are sufficient, *because* there are two assertions, one in
> > both ways.
> >
> > I mean :
> > * Owner of Key 1 says (s)he is owner of Key 2 (through signed message saying
> > you so)
> > * Owner of Key 2 says (s)he is owner of Key 1 (through signed UID on Key 2)
> >
> > So, except in case of collusion between owners of Keys 1 and 2, I believe there
> > is no way one can be wrong in signing Key 2 (of course, if Key 1 is signed).
>
> There could be collusion with only one key. Verification of the key
> details cannot address this.
>
> > IIUC, your point is that verification would enable one to avoid collusion, as it
> > is the only flaw I can see in this verification scheme.
> > Except collusion can not be avoided in any way, AFAIK.
>
> No. Avoiding collusion is impossible here. It just comes down to you
> vouching through your signature on the second key that you have
> *verified* it. Nothing more, nothing less. If you didn't follow all of
> the steps to verify it, why would you sign it with an exportable
> signature?

You verify the key(s) by inspecting them and drawing conclusions. You
have a mathematical proof in front of your eyes. If "verification" is
not gathering evidence (for building certainty, or strong belief), then
what is it?

Stan Tobias

From peter at digitalbrains.com Mon Nov 11 11:58:28 2013
From: peter at digitalbrains.com (Peter Lebbing)
Date: Mon, 11 Nov 2013 11:58:28 +0100
Subject: trust your corporation for keyowner identification?
In-Reply-To: <20131107191931.GG470@leortable>
References: <20131104222012.GA470@leortable> <20131105172607.GB470@leortable> <52797937.5090404@gmail.com> <1652666925.20131106004723@my_localhost> <20131106222835.GD470@leortable> <527B6FE7.6000000@digitalbrains.com> <20131107160930.GE470@leortable> <527BDE96.5060501@fifthhorseman.net> <20131107191931.GG470@leortable>
Message-ID: <5280B854.9070100@digitalbrains.com>

On 07/11/13 20:19, Leo Gaspard wrote:
> (I know, I'm slow to understand, but I think I'm OK now.)
Actually, I think the whole Web of Trust business is deceptively
complicated, even though at first glance it seems not to be. So there's
no need to be apologetic about it.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From free10pro at gmail.com Mon Nov 11 18:32:58 2013
From: free10pro at gmail.com (Paul R. Ramer)
Date: Mon, 11 Nov 2013 09:32:58 -0800
Subject: trust your corporation for keyowner identification?
In-Reply-To: <5280168b.PjQIF5fkSJpLDodU%sttob@privatdemail.net>
References: <5269588e.wAXyOS+XkCb/A4Oa%sttob@privatdemail.net> <526e2592.vizyzHwEGhmqqHhK%sttob@privatdemail.net> <72ff7e95-a66b-411c-abd4-4e83af5c0827@email.android.com> <20131102212504.GD14302@leortable> <5275B00F.7030404@gmail.com> <608638953.20131104160200@my_localhost> <21c08d45-b1cd-423d-8c1c-74d7b292e8d5@email.android.com> <20131104222012.GA470@leortable> <20131105172607.GB470@leortable> <52797937.5090404@gmail.com> <5280168b.PjQIF5fkSJpLDodU%sttob@privatdemail.net>
Message-ID: <6c7871af-46e2-40de-9bb2-840ebd28d91b@email.android.com>

Stan Tobias wrote:
>> > IIUC, your point is that verification would enable one to avoid
>> > collusion, as it is the only flaw I can see in this verification scheme.
>> > Except collusion can not be avoided in any way, AFAIK.
>>
>> No. Avoiding collusion is impossible here. It just comes down to you
>> vouching through your signature on the second key that you have
>> *verified* it. Nothing more, nothing less. If you didn't follow all of
>> the steps to verify it, why would you sign it with an exportable
>> signature?
>
>You verify the key(s) by inspecting them and drawing conclusions.
>You have a mathematical proof in front of your eyes. If "verification"
>is not gathering evidence (for building certainty, or strong belief),
>then what is it?
The issue I was talking about here was whether my insistence on
following all of the necessary steps for verification in the scenario
that we had been discussing was because I believed that such seeming
pedanticism was a method to prevent collusion. I just pointed out that
no amount of verification of the key can prevent the key owner from
sharing the key or messages encrypted to it with other people. There is
no need to believe that verification does not yield certainty in the
ownership of the key.

Cheers,

--Paul

--
PGP: 3DB6D884

From free10pro at gmail.com Mon Nov 11 18:56:15 2013
From: free10pro at gmail.com (Paul R. Ramer)
Date: Mon, 11 Nov 2013 09:56:15 -0800
Subject: trust your corporation for keyowner identification?
In-Reply-To: <20131107191011.GF470@leortable>
References: <20131104222012.GA470@leortable> <20131105172607.GB470@leortable> <52797937.5090404@gmail.com> <1652666925.20131106004723@my_localhost> <20131106222835.GD470@leortable> <527B6FE7.6000000@digitalbrains.com> <20131107160930.GE470@leortable> <19393fe4832c8e2f33eac8bb9c1af797@butters.digitalbrains.com> <20131107191011.GF470@leortable>
Message-ID:

Leo Gaspard wrote:
>However, to come back to the initial problem, I still believe the key
>change problem (ie. owner of K1 switches to K2) does not require
>re-verifying ownership etc. (BTW, isn't this also why transition
>statements, like https://we.riseup.net/assets/77263/key%20transition
>were written ?)
>
>But I still wonder how one should deal with key duplication (ie. owner
>of K1 now has a second key K2)...

I would verify ownership before signing. Just as I would read a
document before signing it even if I was told what was in it by someone
I know. It is not hard to do and it would be easy to justify. The other
way, IMO, requires more effort to justify.

There is nothing special about this scenario that makes it require less
thoroughness than any other key signing scenario. Do things thoroughly
and correctly. It is that simple.
Cheers,

--Paul

--
PGP: 3DB6D884

From johannes at zarl.at Tue Nov 12 11:35:55 2013
From: johannes at zarl.at (Johannes Zarl)
Date: Tue, 12 Nov 2013 11:35:55 +0100
Subject: Signing keys on a low-entropy system
In-Reply-To: <527D26FE.5000402@digitalbrains.com>
References: <1804301.84YmblyzLC@mani> <527D1A49.8080109@iki.fi> <527D26FE.5000402@digitalbrains.com>
Message-ID: <6503601.zfaQKPJWGL@mani>

Thank you both for your detailed answers - they were really helpful for
me!

Johannes

On Friday 08 November 2013 19:01:34 Peter Lebbing wrote:
> On 08/11/13 18:07, Tapio Sokura wrote:
> Nope, OpenPGP uses EMSA-PKCS1-v1_5, which is completely deterministic.
>
> I /think/ GnuPG doesn't need any randomness for RSA signatures.
> Obviously, this is all conjecture.

From adrelanos at riseup.net Tue Nov 12 16:50:10 2013
From: adrelanos at riseup.net (adrelanos)
Date: Tue, 12 Nov 2013 15:50:10 +0000
Subject: subkey comments?
Message-ID: <52824E32.1060601@riseup.net>

Hi!

Is it possible to have subkeys with different comments than the main
key? How?

Cheers,
adrelanos

From mailinglisten at hauke-laging.de Tue Nov 12 18:29:19 2013
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Tue, 12 Nov 2013 18:29:19 +0100
Subject: subkey comments?
In-Reply-To: <52824E32.1060601@riseup.net>
References: <52824E32.1060601@riseup.net>
Message-ID: <2296083.5nck7TDPcC@inno.berlin.laging.de>

On Tue 12.11.2013, 15:50:10, adrelanos wrote:
> Is it possible to have subkeys with different comments than the main
> key? How?

The main question is: What do you mean by "comments"? You probably refer
to the comment part of a user ID. But it has not been determined what
exactly that refers to.

A key comment in a technically more correct sense would be a signature
notation (which you can see with --list-sigs only and you also need
--list-options show-notations). You can create these notations with
--cert-notation.
You must call gpg once for every key then:

1) gpg --expert --cert-notation comment_en@openpgp-notations.org="mainkey" \
     --gen-key

2) gpg --cert-notation comment_en@openpgp-notations.org="encryption subkey" \
     --edit-key 0x12345678 addkey

3) gpg --cert-notation comment_en@openpgp-notations.org="signature subkey" \
     --edit-key 0x12345678 addkey

Hauke

--
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5

From markoran at eunet.rs Wed Nov 13 01:03:47 2013
From: markoran at eunet.rs (Marko Randjelovic)
Date: Wed, 13 Nov 2013 01:03:47 +0100
Subject: Quotes from GPG users
In-Reply-To: <527A334C.5090600@gnupg.org>
References: <5270E670.3070307@gnupg.org> <20131103220118.475e96c0@eunet.rs> <527A334C.5090600@gnupg.org>
Message-ID: <20131113010347.536b42d0@eunet.rs>

On Wed, 06 Nov 2013 13:17:16 +0100
Sam Tuke wrote:

> On 03/11/13 22:01, Marko Randjelovic wrote:
> > I send five variants (but the best is all of them :) ):
>
> Thanks Marko! Is it OK if I rephrase two of them like this?:
>
> "I use GnuPG because I was taught it's a sin to open other people's letters"
>
> "I use GnuPG because I won't trade my independence for anything"
>
> Best,
>
> Sam.

Of course, no problem.
--
http://mr.flossdaily.org

From adrelanos at riseup.net Wed Nov 13 01:34:38 2013
From: adrelanos at riseup.net (adrelanos)
Date: Wed, 13 Nov 2013 00:34:38 +0000
Subject: subkey comments?
In-Reply-To: <2296083.5nck7TDPcC@inno.berlin.laging.de>
References: <52824E32.1060601@riseup.net> <2296083.5nck7TDPcC@inno.berlin.laging.de>
Message-ID: <5282C91E.5090102@riseup.net>

Hauke Laging:
> On Tue 12.11.2013, 15:50:10, adrelanos wrote:
>
>> Is it possible to have subkeys with different comments than the main
>> key? How?
>
> The main question is: What do you mean by "comments"? You probably refer to
> the comment part of a user ID.

I am referring to this... When you run gpg --fingerprint, you'll see
something like this:

pub   ..../..... ....
      Key fingerprint = ....
uid                  name (I mean this field.)
sub   ..../... ...

> But it has not been determined what exactly
> that refers to.

I don't understand what you mean by that sentence.

> A key comment in a technically more correct sense would be a signature
> notation.

Notations and comment part of a user ID are different things?

I guess I prefer the comment part of a user ID, because that is shown by
default.
(The --list-options show-notations does not seem to be very popular.)

Is it possible to add a comment to the user ID of sub keys?

From mailinglisten at hauke-laging.de Wed Nov 13 01:52:24 2013
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Wed, 13 Nov 2013 01:52:24 +0100
Subject: subkey comments?
In-Reply-To: <5282C91E.5090102@riseup.net>
References: <52824E32.1060601@riseup.net> <2296083.5nck7TDPcC@inno.berlin.laging.de> <5282C91E.5090102@riseup.net>
Message-ID: <2962148.aoh9mMcxuk@inno.berlin.laging.de>

On Wed 13.11.2013, 00:34:38, adrelanos wrote:

> > But it has not been determined what exactly
> > that refers to.
>
> I don't understand what you mean by that sentence.

I mean: It is difficult to say "A UID comment refers to the mainkey" or
"A UID comment refers to the subkey" (and make sense). A user ID is
simply a string describing some person or other entity. If the comment
is "CEO of Example Inc." how should that be related to the mainkey other
than to a subkey?

There are other situations: I use (abuse?) an additional user ID to make
statements about both mainkey and subkeys (by stating that the mainkey
is offline and how secure the subkeys are).

> > A key comment in a technically more correct sense would be a signature
> > notation.
>
> Notations and comment part of a user ID are different things?

For several reasons. A notation is a subpacket (i.e. some additional
information) to a signature (self-signature in this case). The UID
comment is just text between round brackets. Self signatures are used
to bind both user IDs and subkeys (and some other stuff) to a mainkey.
You can have a comment in the user ID and a notation in the signature.
They are independent of each other. All four cases are possible.

> I guess I prefer the comment part of a user ID, because that is shown by
> default. (The --list-options show-notations does not seem to be very
> popular.)
>
> Is it possible to add a comment to the user ID of sub keys?
You (as most people) have not understood how mainkey, user IDs and
subkeys are related. And it seems that I haven't figured out yet how to
explain that well.

Both subkeys and user IDs are related to a mainkey. In this sense user
IDs and subkeys are on the same level. There is no such thing as a
subkey user ID or a user ID subkey. User IDs are just "names" for a
mainkey. You can add and remove user IDs and subkeys. They do not affect
the other group.

Hauke

--
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/bekannte/
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5

From adrelanos at riseup.net Wed Nov 13 23:36:48 2013
From: adrelanos at riseup.net (adrelanos)
Date: Wed, 13 Nov 2013 22:36:48 +0000
Subject: subkey comments?
In-Reply-To: <2962148.aoh9mMcxuk@inno.berlin.laging.de>
References: <52824E32.1060601@riseup.net> <2296083.5nck7TDPcC@inno.berlin.laging.de> <5282C91E.5090102@riseup.net> <2962148.aoh9mMcxuk@inno.berlin.laging.de>
Message-ID: <5283FF00.5090507@riseup.net>

Okay, thank you, Hauke! I now understand this whole thing better. Maybe
I am guilty of an XyProblem. I should have said what I really wanted to
do and will post a hopefully better formulated question.

Hauke Laging:
> You (as most people) have not understood how mainkey, user IDs and subkeys are
> related. And it seems that I haven't figured out yet how to explain that well.

I know how that feels. :)

From adrelanos at riseup.net Thu Nov 14 00:08:14 2013
From: adrelanos at riseup.net (adrelanos)
Date: Wed, 13 Nov 2013 23:08:14 +0000
Subject: How to add information about purpose/security of sub keys?
Message-ID: <5284065E.2080207@riseup.net>

Hi!
I would like to partition my key like this:

- long term identity key (air gapped, master key) [a]
-- short term e-mail encryption key (less secured sub key, only on mail machine) [b]
-- short term e-mail signing key (less secured sub key, only on mail machine) [c]
-- short term images/repository key (less secured sub key, only on software build machine) [d]
-- long term encryption key (air gapped, sub key) [f]

In other words, I would use:

- [b] and [c] for convenience, communication which isn't that important
- [c] to sign software / apt repository
- [a] to sign important messages (key transition etc.)
- [f] little convenience, for receiving important messages

What is the best way to make key [b] the default, so anyone writing an
encrypted mail will use key [b] and not key [f] unless a conscious
decision was made?

What is the best way to communicate...?
- if you want to send a mail, in most cases, use key [b],
- unless it is really important, then use key [f]
- most of my mails will be encrypted with key [c], unless it's
  important, then I use key [a]
- software I sign will be signed with key [d], do not use software
  signed with key [c]

It would be best if this information was presented by default, such as
when importing my key or at least when running --fingerprint. What is
the best way to communicate that, sub packets (notations), UUID comments
or something else?

Are sub packets (notations) signed by the master key [a]?

Are UID comments signed by the master key [a]?

Cheers,
adrelanos

From dshaw at jabberwocky.com Thu Nov 14 02:29:33 2013
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 13 Nov 2013 20:29:33 -0500
Subject: How to add information about purpose/security of sub keys?
In-Reply-To: <5284065E.2080207@riseup.net>
References: <5284065E.2080207@riseup.net>
Message-ID: <66C34001-BC66-40EB-8F61-CB9EA8784C0B@jabberwocky.com>

On Nov 13, 2013, at 6:08 PM, adrelanos wrote:

> Hi!
>
> I would like to partition my key like this:
>
> - long term identity key (air gapped, master key) [a]
> -- short term e-mail encryption key (less secured sub key, only on mail
> machine) [b]
> -- short term e-mail signing key (less secured sub key, only on mail
> machine) [c]
> -- short term images/repository key (less secured sub key, only on
> software build machine) [d]
> -- long term encryption key (air gapped, sub key) [f]
>
> In other words, I would use:
>
> - [b] and [c] for convenience, communication which isn't that important
> - [c] to sign software / apt repository
> - [a] to sign important messages (key transition etc.)
> - [f] little convenience, for receiving important messages
>
> What is the best way to make key [b] the default, so anyone writing an
> encrypted mail will use key [b] and not key [f] unless a conscious
> decision was made?

There isn't a standard way to do this - the encrypting client is free to
pick either b or f, as it desires, when encrypting to your key. That
said, many (most?) clients will pick the most recent key, so if you
generate b after f, you should get what you want, at least most of the
time.

> What is the best way to communicate...?
> - if you want to send a mail, in most cases, use key [b],
> - unless it is really important, then use key [f]
> - most of my mails will be encrypted with key [c], unless it's
> important, then I use key [a]
> - software I sign will be signed with key [d], do not use software
> signed with key [c]
>
> It would be best if this information was presented by default, such as
> when importing my key or at least when running --fingerprint. What is
> the best way to communicate that, sub packets (notations), UUID comments
> or something else?

The standard way to express how you intend to use your key is via a
notation or a policy URL pointing to some document where you set out
your desires. It does not display when importing your key, but is
present if anyone cares to look for it.
Do note that few people read these documents unless they have a specific reason to (you're in control of what you generate - you can't place requirements on how people process it). > Are sub packets (notations) signed by the master key [a]? Notations are a signature subpacket (i.e. live on a signature themselves), so if the signature was issued by the master key, then yes, they're signed by the master key. If you're making a notation on a self-signature (like the one binding your user ID or a subkey), then this would of course be issued by the master key. > Are UID comment signed by the master key [a]? Yes. All parts of the UID string are signed by the master key. David From free10pro at gmail.com Thu Nov 14 17:32:26 2013 From: free10pro at gmail.com (Paul R. Ramer) Date: Thu, 14 Nov 2013 08:32:26 -0800 Subject: How to add information about purpose/security of sub keys? In-Reply-To: <5284065E.2080207@riseup.net> References: <5284065E.2080207@riseup.net> Message-ID: <4ee2370e-69d1-4e3d-b56c-cacea2c09bf2@email.android.com> adrelanos wrote: >- [b] and [c] for convenience, communication which isn't that important >- [c] to sign software / apt repository >- [a] to sign important messages (key transition etc.) >- [f] little convenience, for receiving important messages > >What is the best way to make key [b] the default, so anyone writing an >encrypted mail will use key [b] and not key [f] unless a conscious >decision was made? The only way of making certain of this is to use separate keypairs, otherwise as David has said you have no control over this because of how the user's software selects the key. But even if you used separate keypairs, you would still need your correspondent to know which to use for what kind of communication. You could put this information in a UID or in a policy that you keep online or give personally to each person that needs to know. 
But the issue is still the same, you need the person communicating with you to know which key or subkey to use, and you cannot assume that that person knows automatically. >What is the best way to communicate...? >- if you want to send a mail, in most cases, use key [b], >- unless it is really important, then use key [f] >- most of my mails will be encrypted with key [c], unless it's >important, then I use key [a] >- software I sign will be signed with key [d], do not use software >signed with key [c] The question that I think that you must ask yourself before your question can be answered is, "Who needs your key?" Who do you expect to communicate with you and under what circumstances? Based on the answers to those questions, you will then have to find the most "dummy-proof" way of communicating your intent whether it be through separate keypairs, a policy, or something else. Cheers, --Paul -- PGP: 3DB6D884 From rs at ruslansagitov.name Thu Nov 14 17:42:23 2013 From: rs at ruslansagitov.name (Ruslan Sagitov) Date: Thu, 14 Nov 2013 20:42:23 +0400 Subject: Does anyone use an NXP JCOP J3A smart card? Message-ID: <1384447343.2750.17.camel@mezzo> Hello! It's my first question here. I want to buy a smart card reader and a smart card to use with GnuPG 2. I already know about the OpenPGP smart card and about the Fellowship Smartcard but both are not sold in my country. I'm looking for a combo of a SCM SCR3500 card reader and a NXP JCOP J3A smart card. I want to know whether this combo works with GnuPG or not. I tried to ask on IRC and got advice to ask in mailing lists. It seems SCM SCR3500 is quite popular but the card is not. The specification for the card is here: Main cryptographic algorithms and functionality Transport level: * ISO 7816, T=0, T=1 (speed, kbit/s): up to 223,2; * ISO 14443 T=CL (speed, kbit/s): up to 848. Storage: * EEPROM, KBytes: 80; * ROM (for applets, KBytes): up to 76; * APDU buffer (RAM, bytes): 1462.
JC&GP: * Java Card Version: 2.2.2; * Global Platform: 2.1.1; * SCP Secure Channel Protocol: SCP01, SCP02. Cryptography: * DES/3DES: 56/112/168; * AES: 256; * RSA: 2048; * ECC GF(p): 320; * SEED: 128; * SHA-1 / 2; * MD5; * Random Number Generation; * RSA Key Generation. Additional: * Logical channels: 1; * RMI (Remote Method Invocation); * SSD (Supplementary Security Domain); * Mifare API; * Extended Length APDU; * Random UID; * Customizable ROM mask; * 0,14 µm technology. eGov and BAC (EAC): * BAC (ICAO9303); * EAC (ICAO9303, BSI TR 03110 v1.1.1); * BAC/EAC Accelerator API; * EAC v1.0. Certificates: * EMVCo; * Common Criteria (EAL) - 5+. So many scary words. ;-) I know that the card should support APDU and extended length APDU, and both are here, as you see. Are there any other requirements? Does anyone use this combo? From peter at digitalbrains.com Thu Nov 14 19:45:09 2013 From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 14 Nov 2013 19:45:09 +0100 Subject: Does anyone use an NXP JCOP J3A smart card? In-Reply-To: <1384447343.2750.17.camel@mezzo> References: <1384447343.2750.17.camel@mezzo> Message-ID: <52851A35.6020505@digitalbrains.com> On 14/11/13 17:42, Ruslan Sagitov wrote: > I'm looking for a combo of a SCM SCR3500 card reader and a NXP JCOP J3A > smart card. I want to know whether this combo works with GnuPG or not. You can't just take some smartcard and expect it to function as an OpenPGP card, because the OpenPGP card is a specific application on the card. Think of the smartcard as a computer, and the OpenPGP application as some piece of software. Thing is, you don't normally change the software on smartcards like you would with computers. The only way to have a different card function as OpenPGP card is by writing your own firmware(=software), which is hard and likely will require you to sign a Non-Disclosure Agreement with the manufacturer of the card you are targeting.
I think your only option is to find some distributor that does sell OpenPGP cards in your area, or somehow get a foreigner to buy one and send it in the mail or something like that. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From ndk.clanbo at gmail.com Thu Nov 14 20:24:31 2013 From: ndk.clanbo at gmail.com (NdK) Date: Thu, 14 Nov 2013 20:24:31 +0100 Subject: Does anyone use an NXP JCOP J3A smart card? In-Reply-To: <1384447343.2750.17.camel@mezzo> References: <1384447343.2750.17.camel@mezzo> Message-ID: <5285236F.10000@gmail.com> On 14/11/2013 17:42, Ruslan Sagitov wrote: > I'm looking for a combo of a SCM SCR3500 card reader and a NXP JCOP J3A > smart card. I want to know whether this combo works with GnuPG or not. You have to load an OpenPGP-compatible applet to the card. It's not too hard, since that card supports JC222 and GP211. One such app is MyPGPID (available on GitHub) that (till I find some time to develop it further) is mostly a basic OpenPGPCard applet. Make sure the seller gives you the keys needed for loading the applet! BYtE, Diego. From europus at gmail.com Fri Nov 15 12:48:35 2013 From: europus at gmail.com (Ulex Europae) Date: Fri, 15 Nov 2013 06:48:35 -0500 Subject: [tor-talk] BitMail.sf.net v 0.6 - Secure Encrypting Email Client In-Reply-To: References: Message-ID: <52860a15.43e3440a.4abd.ffffe2e3@mx.google.com> At 09:04 PM 11/13/2013, grarpamp wrote: >On Tue, Nov 5, 2013 at 2:38 AM, wrote: > > Hello, > > > > can BitMail.sf.net as a p2p email tool for encrypted Email (and > hybrid with IMAP-Email) be regarded as a reference model for > research to create a secure Email Client? as it uses both, gnupg and openssl! > > > > http://bitmail.sourceforge.net/ > > https://sourceforge.net/projects/bitmail/files/BitMail_0.6_2088RC1/ > > > > Does anyone know, if it runs over Tor? > > > > Sincerely, Robert > >So...
'Robert', who do you work for? NSA? Financial crime? >I mean, with the net moving to encrypt everything >we'd expect to see many new and unknown yet seemingly >polished tools being dropped on unsuspecting first time >users just to collect their key material. >Surely someone will have fun with your windows binaries. Hmm, lots of lists I'm not subscribed to on the To: line, bad juju on someone's part for the initial crosspost. Hopefully, those other list maintainers will see and approve my comment, even though I'm not subscribed to all those other lists: I'm replying because, Sourceforge? They fell out of vogue when they started bundling binary downloads with other executables, they deserve to die a quick death for that as users flock to safer environs. 'Robert' should upload his binaries to Github. Along with his source code. Then, if the MD5 checksum on his compiled binaries matches the MD5 checksum on the source code when it is compiled independently, he's golden. That is how that works, how it is supposed to work. Accept no substitutes. -- From phil at philcalvin.com Wed Nov 13 17:49:35 2013 From: phil at philcalvin.com (Phil Calvin) Date: Wed, 13 Nov 2013 11:49:35 -0500 Subject: Proof of possession when exchanging keys Message-ID: <5283AD9F.80501@philcalvin.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I seem to recall reading somewhere that when exchanging keys in person, you should not only have the person verify the key fingerprint, but you should also present them with 1) an unpredictable challenge document to sign or 2) verify that they can decrypt an encrypted message using the key in question. This would ensure they have access to the secret half of the keypair in question. Is verifying proof of possession necessary or good practice, or is checking fingerprints (and, when you don't know the person, photo ID or similar) enough? 
Phil -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (Darwin) iQIcBAEBAgAGBQJSg62LAAoJEDe3IfDa5pYf6jwP/ApNoDfMbn3RtF8m494BAOFj 4S1EcJD+hn0nIhwABsZSpR3JsIFdK+5Sc4LDT2RnEmBhvo21Bn6l1W8GyCmbKqbA GOSPNBdSWLmnyNMQfOQ4pzKIyexs0qM610BG81pZaIEiDPTpNJxkZt1Uu4/Xlfvo mVnxf06tfp7h4ue04gznrKpAAKWPO7OG9XukCe93QxuOuP9L7B83jYQsg/wMBaFS x3smYgHfM8wrm4tsenbmnq8rCAMrZunl9n/BERjITcjQSPD8vZY5Ko81YyW47Fel qyiIVVJR6/xW0+LHLn3dx5Uyj3Da/vdfK43GKc5YDp76XdrMkk1Ts/KobfmgilGI WuWZesFlKb5zij93rKCIiEoKxkDnX3QvfgertXeHxZwsnEdxJyEtoGHDgb3lV0Gl jgaw/iWdJ9cJJIT8tIhvl6SMLV0Wa61OSjDk5XvfppFKU7WncqRn4UGjJKR1Q+9P ik7q2eyG6TjqtW3FTLCO165q/QF2BvWGDvoHqcymaw3Q1SzKKZ/Kq5L7kAc9UGXZ diZ3NOCZfPf608fqFF37zgZZlNVsbkThQcN4xhjqBoxeqch/0quvRXM/nWBnTXAk HDHe2DW3vy+BJ7wT1JKyAPKr19LNKvNlKi5og/4/3+FfVFELisgphUY+kf0m2Ops GzTfJIrwHTmwatg8rS4+ =4ll+ -----END PGP SIGNATURE----- From grarpamp at gmail.com Thu Nov 14 03:04:59 2013 From: grarpamp at gmail.com (grarpamp) Date: Wed, 13 Nov 2013 21:04:59 -0500 Subject: [tor-talk] BitMail.sf.net v 0.6 - Secure Encrypting Email Client In-Reply-To: References: Message-ID: On Tue, Nov 5, 2013 at 2:38 AM, wrote: > Hello, > > can BitMail.sf.net as a p2p email tool for encrypted Email (and hybrid with IMAP-Email) be regarded as a reference model for research to create a secure Email Client? as it uses both, gnupg and openssl! > > http://bitmail.sourceforge.net/ > https://sourceforge.net/projects/bitmail/files/BitMail_0.6_2088RC1/ > > Does anyone know, if it runs over Tor? > > Sincerely, Robert So... 'Robert', who do you work for? NSA? Financial crime? I mean, with the net moving to encrypt everything we'd expect to see many new and unknown yet seemingly polished tools being dropped on unsuspecting first time users just to collect their key material. Surely someone will have fun with your windows binaries. 
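Following up on David Shaw's reply earlier in this digest about notations and policy URLs: whether a notation is "signed by the master key" depends not only on which key issued the signature but on which subpacket area it sits in. RFC 4880 hashes only the hashed subpacket area; anything in the unhashed area is carried along unprotected and can be added or rewritten by anyone who relays the key. The Python below is an added example, not code from the list or from GnuPG. It frames a constructed v4 subkey-binding signature packet (the trailing MPI is filler rather than a real RSA signature; the notation name usage@example.org and the policy URL are hypothetical), parses the subpackets back out, and keeps only the usage statements that are actually under the signature.

```python
import struct
from collections import namedtuple

# Signature subpacket types, RFC 4880 section 5.2.3.1
CREATION_TIME, ISSUER, NOTATION, POLICY_URI, KEY_FLAGS = 2, 16, 20, 26, 27
Subpacket = namedtuple("Subpacket", "stype critical body hashed")


def _length(n, two_octet_max):
    """Encode a length; the two-octet form ends at first octet two_octet_max
    (223 for packet headers, 254 for subpackets), 255 introduces four octets."""
    if n < 192:
        return bytes([n])
    hi, lo = divmod(n - 192, 256)
    if hi + 192 <= two_octet_max:
        return bytes([hi + 192, lo])
    return b"\xff" + struct.pack(">I", n)

def _read_length(data, pos, two_octet_max):
    b0 = data[pos]
    if b0 < 192:
        return b0, pos + 1
    if b0 <= two_octet_max:
        return ((b0 - 192) << 8) + data[pos + 1] + 192, pos + 2
    if b0 == 255:
        return struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5
    raise ValueError("partial body lengths not supported")

def _subpacket(stype, body, critical=False):
    """Length covers the type octet; bit 7 of the type is the critical flag."""
    return _length(len(body) + 1, 254) + bytes([stype | (0x80 * critical)]) + body

def _notation(name, value):
    """Human-readable Notation Data: 4 flag octets, name/value lengths, name, value."""
    nb, vb = name.encode(), value.encode()
    return b"\x80\x00\x00\x00" + struct.pack(">HH", len(nb), len(vb)) + nb + vb

def build_sample_signature():
    """Constructed v4 subkey-binding signature packet. The MPI at the end is
    filler, not a real RSA signature, so only the subpacket framing matters.
    usage@example.org and the policy URL are hypothetical."""
    hashed = (_subpacket(CREATION_TIME, struct.pack(">I", 1384300000))
              + _subpacket(KEY_FLAGS, b"\x0c")  # encrypt communications + storage
              + _subpacket(NOTATION, _notation("usage@example.org",
                                               "everyday mail encryption"))
              + _subpacket(POLICY_URI, b"https://example.org/key-policy.txt"))
    # Nothing in the unhashed area is covered by the signature (section 5.2.3.2):
    # whoever relays the key can rewrite this notation without breaking anything.
    unhashed = (_subpacket(ISSUER, bytes.fromhex("0123456789abcdef"))
                + _subpacket(NOTATION, _notation("usage@example.org",
                                                 "also fine for secrets")))
    body = (b"\x04\x18\x01\x08"  # version 4, subkey binding, RSA, SHA-256
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\xab\xcd"  # left 16 bits of the hash (filler)
            + struct.pack(">H", 16) + b"\xff\xff")  # 16-bit MPI (filler)
    return b"\xc2" + _length(len(body), 223) + body  # new-format header, tag 2

def _parse_area(area, hashed):
    out, pos = [], 0
    while pos < len(area):
        n, pos = _read_length(area, pos, 254)
        if n == 0 or pos + n > len(area):
            raise ValueError("truncated subpacket")
        t = area[pos]
        out.append(Subpacket(t & 0x7F, bool(t & 0x80), area[pos + 1:pos + n], hashed))
        pos += n
    return out

def parse_signature(pkt):
    """Parse a new-format v4 signature packet into (sig_type, [Subpacket])."""
    if (pkt[0] & 0xC0) != 0xC0 or (pkt[0] & 0x3F) != 2:
        raise ValueError("not a new-format signature packet")
    blen, pos = _read_length(pkt, 1, 223)
    body = pkt[pos:pos + blen]
    if len(body) != blen or body[0] != 4:
        raise ValueError("truncated, or not a v4 signature")
    hl = struct.unpack(">H", body[4:6])[0]
    ul = struct.unpack(">H", body[6 + hl:8 + hl])[0]
    return body[1], (_parse_area(body[6:6 + hl], True)
                     + _parse_area(body[8 + hl:8 + hl + ul], False))

def signed_policy(subpackets):
    """Keep only the usage statements the signer actually committed to."""
    out = {"notations": [], "policy_uris": [], "key_flags": None, "unsigned_dropped": 0}
    for sp in subpackets:
        if sp.stype not in (NOTATION, POLICY_URI, KEY_FLAGS):
            continue
        if not sp.hashed:
            out["unsigned_dropped"] += 1  # on the wire, but not signed: ignore it
            continue
        if sp.stype == NOTATION:
            nl, vl = struct.unpack(">HH", sp.body[4:8])
            name, value = sp.body[8:8 + nl].decode(), sp.body[8 + nl:8 + nl + vl]
            out["notations"].append((name, value.decode() if sp.body[0] & 0x80 else value))
        elif sp.stype == POLICY_URI:
            out["policy_uris"].append(sp.body.decode())
        else:
            out["key_flags"] = sp.body[0]
    return out
```

`signed_policy(parse_signature(build_sample_signature())[1])` returns the hashed notation, the policy URL and key flags 0x0c, and reports the unhashed notation as dropped. On a real key, `gpg --list-packets` prints the same distinction as `hashed subpkt 20` versus a bare `subpkt 20`, and `gpg --list-options show-notations,show-policy-urls --list-sigs` shows the notations and policy URLs; the ones GnuPG writes for you go into the hashed area.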
From jurgenpolster at gmail.com Fri Nov 15 15:40:30 2013 From: jurgenpolster at gmail.com (Juergen Polster) Date: Fri, 15 Nov 2013 15:40:30 +0100 Subject: ENISA Recommendation for Crypto processes Message-ID: <5286325E.5020602@gmail.com> Heise security news published an article "ENISA-Empfehlungen zu Krypto-Verfahren" (ENISA Recommendation for Crypto processes). The article is in German language and can be found under http://heise.de/-2043356. It holds a summary of the latest recommendations of ENISA, the European Union Agency for Network and Information Security (http://www.enisa.europa.eu/). For those not reading German the "summary" of the summary report is: Symmetric 80 bit keys are accepted for transaction data and existing systems to be replaced in the next 5 -10 years. Symmetric keys of 128 bit are OK for mid-term and 256 bit for long-term use. * Cryptographic Primitives * Block Cipher -> AES 128, long-term AES 256 bit Hash Function -> SHA-256, long-term SHA-512 (Camellia, SHA-3 and Whirlpool are discussed) Stream Ciphers -> Rabbit + Snow 3G (RC4 to be removed) * Public Keys* Elliptic Curve Cryptography is recommended: Transactions -> 160 bit, mid-term storage -> 256 bit, long-term storage -> 512 bit RSA still can be used, recommendations are: legacy systems only -> key size smaller than 3072, mid-term storage -> minimum 3072 (!), long-term storage -> 15360 (corresponds to 256 bit key symmetric encryption) * Protocols * Some detailed recommendations are made for protocols such as TLS (Camellia_128_GCM_SHA256, AES_128_GCM_SHA256), SSH (inter alia aes128-ctr with hmac-sha2-256) Kerberos and IPSEC. The original ENISA article "Recommended cryptographic measures - Securing personal data" is available under http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report. Regards Juergen Polster 0xA3FCFD07 From harningt at gmail.com Fri Nov 15 17:02:33 2013 From: harningt at gmail.com (Thomas Harning Jr.)
Date: Fri, 15 Nov 2013 11:02:33 -0500 Subject: Proof of possession when exchanging keys In-Reply-To: <5283AD9F.80501@philcalvin.com> References: <5283AD9F.80501@philcalvin.com> Message-ID: The general practice I follow is to verify fingerprint and ID separately then, in order to verify control of email address and private key, send the signed ID encrypted to the provided email address. On Wed, Nov 13, 2013 at 11:49 AM, Phil Calvin wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > I seem to recall reading somewhere that when exchanging keys in > person, you should not only have the person verify the key > fingerprint, but you should also present them with 1) an unpredictable > challenge document to sign or 2) verify that they can decrypt an > encrypted message using the key in question. This would ensure they > have access to the secret half of the keypair in question. > > Is verifying proof of possession necessary or good practice, or is > checking fingerprints (and, when you don't know the person, photo ID > or similar) enough? 
> > Phil > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.13 (Darwin) > > iQIcBAEBAgAGBQJSg62LAAoJEDe3IfDa5pYf6jwP/ApNoDfMbn3RtF8m494BAOFj > 4S1EcJD+hn0nIhwABsZSpR3JsIFdK+5Sc4LDT2RnEmBhvo21Bn6l1W8GyCmbKqbA > GOSPNBdSWLmnyNMQfOQ4pzKIyexs0qM610BG81pZaIEiDPTpNJxkZt1Uu4/Xlfvo > mVnxf06tfp7h4ue04gznrKpAAKWPO7OG9XukCe93QxuOuP9L7B83jYQsg/wMBaFS > x3smYgHfM8wrm4tsenbmnq8rCAMrZunl9n/BERjITcjQSPD8vZY5Ko81YyW47Fel > qyiIVVJR6/xW0+LHLn3dx5Uyj3Da/vdfK43GKc5YDp76XdrMkk1Ts/KobfmgilGI > WuWZesFlKb5zij93rKCIiEoKxkDnX3QvfgertXeHxZwsnEdxJyEtoGHDgb3lV0Gl > jgaw/iWdJ9cJJIT8tIhvl6SMLV0Wa61OSjDk5XvfppFKU7WncqRn4UGjJKR1Q+9P > ik7q2eyG6TjqtW3FTLCO165q/QF2BvWGDvoHqcymaw3Q1SzKKZ/Kq5L7kAc9UGXZ > diZ3NOCZfPf608fqFF37zgZZlNVsbkThQcN4xhjqBoxeqch/0quvRXM/nWBnTXAk > HDHe2DW3vy+BJ7wT1JKyAPKr19LNKvNlKi5og/4/3+FfVFELisgphUY+kf0m2Ops > GzTfJIrwHTmwatg8rS4+ > =4ll+ > -----END PGP SIGNATURE----- > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -- Thomas Harning Jr. (http://about.me/harningt) -------------- next part -------------- An HTML attachment was scrubbed... URL: From rjh at sixdemonbag.org Fri Nov 15 17:53:07 2013 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 15 Nov 2013 08:53:07 -0800 Subject: [tor-talk] BitMail.sf.net v 0.6 - Secure Encrypting Email Client In-Reply-To: References: Message-ID: <20131115085307.Horde.pZFvAWc234ECmnFHI1ikAQ6@mail.sixdemonbag.org> > So... 'Robert', who do you work for? NSA? Financial crime? FBI, actually, in counterintelligence. No, wait, whoops, wrong Robert Hanssen. Sorry, I get confused about myself sometimes. All kidding aside, we don't need to cast aspersions on the motives of people who post here. It is far, far more likely that someone is innocently unwise about something than that someone is being deliberately malicious. 
> I mean, with the net moving to encrypt everything > we'd expect to see many new and unknown yet seemingly > polished tools being dropped on unsuspecting first time > users just to collect their key material. And this is, frankly, just paranoia. New and unknown yet seemingly polished tools have *always* been dropped on the computing community. Always. I remember a really neatly polished Mac OS file encryption program that conveniently put the decryption key as plaintext in the first few bytes of the output. Making a beautiful-looking user interface is easy. Making rock-solid crypto is hard. Those two facts by themselves mean there will always be an abundance of beautiful-looking bad systems, and always a shortage of primitive-looking solid systems. Let's remember that this list is a community. Let's not malign other people's motives, and let's keep a sense of perspective about things, okay? :) From rjh at sixdemonbag.org Fri Nov 15 18:06:22 2013 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 15 Nov 2013 09:06:22 -0800 Subject: [tor-talk] BitMail.sf.net v 0.6 - Secure Encrypting Email Client In-Reply-To: <52860a15.43e3440a.4abd.ffffe2e3@mx.google.com> References: <52860a15.43e3440a.4abd.ffffe2e3@mx.google.com> Message-ID: <20131115090622.Horde.gNW5ukiHsdZ0hDgI831rdQ8@mail.sixdemonbag.org> > I'm replying because, Sourceforge? They fell out of vogue... For a service that's "out of vogue" they still host an awful lot of Free Software, and for that I think perhaps we should be a bit thankful. Their bundling is distasteful, yes, but it's hardly the end of the world given they've only done it with the explicit permission of the projects involved. Let's keep a sense of perspective and remember this is GnuPG-Users, not a Sourceforge list. > 'Robert' should upload his binaries to Github. Whenever I hear someone say what another developer 'should' do, I always mentally substitute 'I want this developer to...' instead. That seems quite a lot more honest. 
That said, there are two major problems with this demand: * The 'Robert' who asked about BitMail never claimed to be the author and may not have the legal right to host the binaries * GitHub hasn't allowed projects to host binary files in well over a year. So yes, there are good legal and technical reasons why your demand cannot be complied with. > if the MD5 checksum on his compiled binaries matches the MD5 checksum > on the source code when it is compiled independently, he's golden. That > is how that works, how it is supposed to work. Accept no substitutes. Goes against current US-CERT guidance, which deprecates MD5 for all purposes. The newer SHAs are the way to go. Further, getting two computers to generate the exact same binary code from the exact same source code is a surprisingly difficult challenge. It requires a perfect match of everything from compiler versions to C library versions right down to identical *clocks* -- because often, compilers will incorporate timestamps into the output. Doing checksum validation of source code is feasible. Of binary code, not really. From dkg at fifthhorseman.net Fri Nov 15 18:23:09 2013 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Fri, 15 Nov 2013 12:23:09 -0500 Subject: reproducible builds [was: Re: BitMail.sf.net v 0.6 - Secure Encrypting Email Client] In-Reply-To: <20131115090622.Horde.gNW5ukiHsdZ0hDgI831rdQ8@mail.sixdemonbag.org> References: <52860a15.43e3440a.4abd.ffffe2e3@mx.google.com> <20131115090622.Horde.gNW5ukiHsdZ0hDgI831rdQ8@mail.sixdemonbag.org> Message-ID: <5286587D.1090208@fifthhorseman.net> On 11/15/2013 12:06 PM, Robert J. Hansen wrote: > getting two > computers to generate the exact same binary code from the exact same > source code is a surprisingly difficult challenge. It requires a > perfect match of everything from compiler versions to C library versions > right down to identical *clocks* -- because often, compilers will > incorporate timestamps into the output. 
> > Doing checksum validation of source code is feasible. Of binary code, > not really. Robert's right that reproducible binary builds are a non-trivial task. However, they're not impossible, and this is an active and ongoing field of work. For those interested, i recommend this as a jumping off point: https://wiki.debian.org/ReproducibleBuilds#References Regards, --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1027 bytes Desc: OpenPGP digital signature URL: From jurgenpolster at gmail.com Fri Nov 15 21:31:53 2013 From: jurgenpolster at gmail.com (Juergen Polster) Date: Fri, 15 Nov 2013 21:31:53 +0100 Subject: ENISA Recommendation for Crypto processes Message-ID: <528684B9.9020302@gmail.com> Heise security news published an article "ENISA-Empfehlungen zu Krypto-Verfahren" (ENISA Recommendation for Crypto processes). The article is in German language and can be found under http://heise.de/-2043356. It holds a summary of the latest recommendations of ENISA, the European Union Agency for Network and Information Security (http://www.enisa.europa.eu/). For those not reading German the "summary" of the summary report is: Symmetric 80 bit keys are accepted for transaction data and existing systems to be replaced in the next 5 -10 years. Symmetric keys of 128 bit are OK for mid-term and 256 bit for long-term use. 
* Cryptographic Primitives * Block Cipher -> AES 128, long-term AES 256 bit Hash Function -> SHA-256, long-term SHA-512 (Camellia, SHA-3 and Whirlpool are discussed) Stream Ciphers -> Rabbit + Snow 3G (RC4 to be removed) * Public Keys* Elliptic Curve Cryptography is recommended: Transactions -> 160 bit, mid-term storage -> 256 bit, long-term storage -> 512 bit RSA still can be used, recommendations are: legacy systems only -> key size smaller than 3072, mid-term storage -> minimum 3072 (!), long-term storage -> 15360 (corresponds to 256 bit key symmetric encryption) * Protocols * Some detailed recommendations are made for protocols such as TLS (Camellia_128_GCM_SHA256, AES_128_GCM_SHA256), SSH (inter alia aes128-ctr with hmac-sha2-256) Kerberos and IPSEC. The original ENISA article "Recommended cryptographic measures - Securing personal data" is available under http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report. Regards Juergen Polster 0xA3FCFD07 PS: I send this twice as it seems that the first one did not make it. In case it comes double I already apologize :-) From ms at it-infrastrukturen.org Fri Nov 15 21:33:08 2013 From: ms at it-infrastrukturen.org (Mark Schneider) Date: Fri, 15 Nov 2013 21:33:08 +0100 Subject: Implementation idea of CURVE25519 for gnupg 2.1 Message-ID: <52868504.8090607@it-infrastrukturen.org> Hi, There is GPL 3 based implementation of CURVE25519 called Pretty Curved Privacy (pcp1). http://www.daemon.de/PrettyCurvedPrivacy What do you think about using parts of the pcp1 source code to implement such functionality into gnupg 2.1? http://www.daemon.de/idisk/Apps/PrettyCurvedPrivacy/pretty-curved-privacy-0.1.4.tag.gz Myself I like this "SCII Case Demo" video how to use this utility: http://asciinema.org/a/6135 Short description (from the website): # --- Pretty Curved Privacy (pcp1) is a commandline utility which can be used to encrypt files.
pcp1 uses eliptc curve cryptography for encryption (CURVE25519 by Dan J. Bernstein). While CURVE25519 is no worldwide accepted standard it hasn't been compromised by the NSA - which might be better, depending on your point of view. Caution: since CURVE25519 is no accepted standard, pcp1 has to be considered as experimental software. In fact, I wrote it just to learn about the curve and see how it works. Beside some differences it works like GNUPG. So, if you already know how to use gpg, you'll feel almost home. # --- Kind regards, Mark -- ms at it-infrastrukturen.org http://rsync.it-infrastrukturen.org From phil at philcalvin.com Fri Nov 15 17:39:30 2013 From: phil at philcalvin.com (Phil Calvin) Date: Fri, 15 Nov 2013 11:39:30 -0500 Subject: Proof of possession when exchanging keys In-Reply-To: References: <5283AD9F.80501@philcalvin.com> Message-ID: <18E0A358-C782-4E0B-A449-8C56E3E62ABF@philcalvin.com> That makes perfect sense. That's the approach I took on the most recent key I signed. What attacks are mitigated by verifying control of the secret key, though? I am having a hard time grokking the benefit for someone whose ID you have verified to present and fingerprint a key which she does not control. There is the possibility of an external party replacing the exchanged key with another, but doesn't the fingerprint adequately protect against that? On Nov 15, 2013, at 11:02, "Thomas Harning Jr." wrote: > The general practice I follow is to verify fingerprint and ID separately then, in order to verify control of email address and private key, send the signed ID encrypted to the provided email address. 
> > > > On Wed, Nov 13, 2013 at 11:49 AM, Phil Calvin wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> I seem to recall reading somewhere that when exchanging keys in >> person, you should not only have the person verify the key >> fingerprint, but you should also present them with 1) an unpredictable >> challenge document to sign or 2) verify that they can decrypt an >> encrypted message using the key in question. This would ensure they >> have access to the secret half of the keypair in question. >> >> Is verifying proof of possession necessary or good practice, or is >> checking fingerprints (and, when you don't know the person, photo ID >> or similar) enough? >> >> Phil >> -----BEGIN PGP SIGNATURE----- >> Version: GnuPG v1.4.13 (Darwin) >> >> iQIcBAEBAgAGBQJSg62LAAoJEDe3IfDa5pYf6jwP/ApNoDfMbn3RtF8m494BAOFj >> 4S1EcJD+hn0nIhwABsZSpR3JsIFdK+5Sc4LDT2RnEmBhvo21Bn6l1W8GyCmbKqbA >> GOSPNBdSWLmnyNMQfOQ4pzKIyexs0qM610BG81pZaIEiDPTpNJxkZt1Uu4/Xlfvo >> mVnxf06tfp7h4ue04gznrKpAAKWPO7OG9XukCe93QxuOuP9L7B83jYQsg/wMBaFS >> x3smYgHfM8wrm4tsenbmnq8rCAMrZunl9n/BERjITcjQSPD8vZY5Ko81YyW47Fel >> qyiIVVJR6/xW0+LHLn3dx5Uyj3Da/vdfK43GKc5YDp76XdrMkk1Ts/KobfmgilGI >> WuWZesFlKb5zij93rKCIiEoKxkDnX3QvfgertXeHxZwsnEdxJyEtoGHDgb3lV0Gl >> jgaw/iWdJ9cJJIT8tIhvl6SMLV0Wa61OSjDk5XvfppFKU7WncqRn4UGjJKR1Q+9P >> ik7q2eyG6TjqtW3FTLCO165q/QF2BvWGDvoHqcymaw3Q1SzKKZ/Kq5L7kAc9UGXZ >> diZ3NOCZfPf608fqFF37zgZZlNVsbkThQcN4xhjqBoxeqch/0quvRXM/nWBnTXAk >> HDHe2DW3vy+BJ7wT1JKyAPKr19LNKvNlKi5og/4/3+FfVFELisgphUY+kf0m2Ops >> GzTfJIrwHTmwatg8rS4+ >> =4ll+ >> -----END PGP SIGNATURE----- >> >> >> _______________________________________________ >> Gnupg-users mailing list >> Gnupg-users at gnupg.org >> http://lists.gnupg.org/mailman/listinfo/gnupg-users > > > > -- > Thomas Harning Jr. (http://about.me/harningt) -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From kloecker at kde.org Fri Nov 15 22:50:14 2013 From: kloecker at kde.org (Ingo Klöcker) Date: Fri, 15 Nov 2013 22:50:14 +0100 Subject: Implementation idea of CURVE25519 for gnupg 2.1 In-Reply-To: <52868504.8090607@it-infrastrukturen.org> References: <52868504.8090607@it-infrastrukturen.org> Message-ID: <10907526.auz9sgRokU@colossus.ingo-kloecker.de> On Friday 15 November 2013 21:33:08 Mark Schneider wrote: > Hi, > > There is GPL 3 based implementation of CURVE25519 called Pretty Curved > Privacy (pcp1). > http://www.daemon.de/PrettyCurvedPrivacy > > What do you think about using parts of the ppc1 source code to implement > such functionality into gnupg 2.1? FYI: Werner already implemented Ed25519 (based on Curve25519, but with a different signature algorithm) in GnuPG: http://www.ietf.org/mail-archive/web/openpgp/current/msg07194.html Regards, Ingo -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part. URL: From kloecker at kde.org Fri Nov 15 23:28:12 2013 From: kloecker at kde.org (Ingo Klöcker) Date: Fri, 15 Nov 2013 23:28:12 +0100 Subject: Proof of possession when exchanging keys In-Reply-To: <18E0A358-C782-4E0B-A449-8C56E3E62ABF@philcalvin.com> References: <5283AD9F.80501@philcalvin.com> <18E0A358-C782-4E0B-A449-8C56E3E62ABF@philcalvin.com> Message-ID: <2127764.vi6qNEKjju@colossus.ingo-kloecker.de> On Friday 15 November 2013 11:39:30 Phil Calvin wrote: > On Nov 15, 2013, at 11:02, "Thomas Harning Jr." wrote: > > The general practice I follow is to verify fingerprint and ID separately > > then, in order to verify control of email address and private key, send > > the signed ID encrypted to the provided email address. > > That makes perfect sense. That's the approach I took on the most recent key > I signed.
> > What attacks are mitigated by verifying control of the secret key, though? I > am having a hard time grokking the benefit for someone whose ID you have > verified to present and fingerprint a key which she does not control. By signing the UIDs connected to a key you certify that the UIDs (most commonly email addresses) belong to the same person. You and people trusting your certifications could be led into sending an encrypted message meant for the owner of an email address not belonging to the key owner to one of the email addresses of the key owner. It may seem a bit far-fetched that somebody would use one of the email addresses of the key owner instead of the email address of the intended recipient, but a possible reason for this could be that the email address of the intended recipient stopped working (e.g. because he changed his ISP or his employer). Regards, Ingo -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part. URL: From mailinglisten at hauke-laging.de Sat Nov 16 00:48:45 2013 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Sat, 16 Nov 2013 00:48:45 +0100 Subject: ENISA Recommendation for Crypto processes In-Reply-To: <5286325E.5020602@gmail.com> References: <5286325E.5020602@gmail.com> Message-ID: <3893445.HprfmRJIiq@inno.berlin.laging.de> On Fri 15.11.2013, 15:40:30, Juergen Polster wrote: > For those not reading German the "summary" of the summary report is: > > Symmetric 80 bit keys are accepted for transaction data and existing > systems to be replaced in the next 5 -10 years. Symmetric keys of 128 > bit are OK for mid-term and 256 bit for long-term use.
> > * Cryptographic Primitives * > Block Cipher -> AES 128, long-term AES 256 bit > Hash Function -> SHA-256, long-term SHA-512 (Camellia, SHA-3 and > Whirlpool are discussed) > Stream Ciphers -> Rabbit + Snow 3G (RC4 to be removed) > > * Public Keys* > Elliptic Curve Cryptography is recommended: Transactions -> 160 bit, > mid-term storage -> 256 bit, long-term storage -> 512 bit > RSA still can be used, recommendations are: legacy systems only -> key > size smaller than 3072, mid-term storage -> minimum 3072 (!), long-term > storage -> 15360 (corresponds to 256 bit key symmetric encryption) That is a strange paper. The text is not even consistent: "We have focused on 128 bit security in this document for future use recommendations; clearly this offers a good long term security gaurantee. It is plausible that a similar recommendation could be made at (say) the 112 bit security level (which would correspond to roughly 2048 bit RSA keys). The line has to be drawn somewhere and there is general agreement this should be above the 100-bit level; whether one selects 112 bits or 128 bits as the correct level is a matter of taste. Due to the need to protect long term data we have taken the conservative choice and settled on 128 bits; with a higher level for very long term use." "Thus in recommending key sizes we make two distinct cases for schemes relevant for future use. The first cases is for security which you want to ensure for at least ten years (which we call near term), and secondly for security for thirty to fifty years (which we call long term)." "For near term use we recommend AES-128 and for long term use AES-256." Hauke -- Crypto für alle: http://www.openpgp-schulungen.de/fuer/bekannte/ OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 572 bytes Desc: This is a digitally signed message part.
From adrelanos at riseup.net Sun Nov 17 01:38:34 2013
From: adrelanos at riseup.net (adrelanos)
Date: Sun, 17 Nov 2013 00:38:34 +0000
Subject: [liberationtech] [tor-talk] BitMail.sf.net v 0.6 - Secure Encrypting Email Client
In-Reply-To: <52860a15.43e3440a.4abd.ffffe2e3@mx.google.com>
References: <52860a15.43e3440a.4abd.ffffe2e3@mx.google.com>
Message-ID: <5288100A.3070400@riseup.net>

I am not in contact with bitmail in any way, I wouldn't use it myself because I find the communication about bitmail very poor, namely no responses to points raised by others. Anyway, I'd like to comment on a few things raised here.

Ulex Europae:
> Robert
> should upload his binaries to Github.

No one can host binaries on github at the moment. They deprecated that service.

> Along with his source code. Then,
> if the MD5 checksum on his compiled binaries matches the MD5 checksum
> on the source code when it is compiled independently, he's golden.

Sure.

> That
> is how that works, how it is supposed to work.

This should be our ideal, but we're far from it, very few software packages support this.

> Accept no substitutes.

I don't think that's possible at the moment. There are no deterministically built operating systems yet.

From mailinglisten at hauke-laging.de Sun Nov 17 14:36:34 2013
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Sun, 17 Nov 2013 14:36:34 +0100
Subject: AES attack calculations (money and time)
Message-ID: <4730156.RMOSiWWGuo@inno.berlin.laging.de>

Hello,

from time to time someone asks how secure (a)symmetric crypto really was and then our math and physics teacher Rob has his performance. Somebody just pointed me at this:

http://2012.sharcs.org/slides/biryukov.pdf

Of course, they say "No practical impact due to reliance on related keys" because they had to stay below 2^100 but considering that they refer to real hardware whereas here the theoretical lower energy limits are used I am a bit surprised. Is this paper correct?
I am not an expert in these areas. The only point that came to my mind is that if you need energy of the magnitude of the US overall electricity consumption then you cannot ignore the energy costs. :-) Not even the impact on the prices for oil, gas and uranium at the world market. They calculated the price for chip fabs but not the one for power plants. So what may be the upper bound there: The NSA will never have access to more than 1% (or rather 10%?) of the US electricity consumption?

IIRC the electricity generation costs are supposed to be about 4ct (Euro cent) per kWh in Germany. Lower for the old nuclear plants but even higher if you build new ones. So the 4TW mentioned in the paper would result in about four billion (10^9) EUR per year for electricity if I calculated that correctly. So maybe the rising energy prices turn out to at least protect our privacy... ;-)

Another question as I am not familiar with crypto attacks: They are talking about plaintext there. Does that mean they need both plaintext and ciphertext to run this kind of attack? If so then I assume the real computational effort is higher by orders of magnitude because you have to check whether each key is the right one. Is that correct?

BTW: OpenPGP key generation on European TV again (starting at 28:30, 33:20 respectively)
in German: http://www.arte.tv/guide/de/048515-004/tracks
in French: http://www.arte.tv/guide/fr/048515-004/tracks

Hauke
--
Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
From martin.vegter at aol.com Sun Nov 17 19:02:12 2013
From: martin.vegter at aol.com (Martin Vegter)
Date: Sun, 17 Nov 2013 19:02:12 +0100
Subject: unable to use gnupg on a read-only filesystem
In-Reply-To: <5288FB3E.4000205@aol.com>
References: <5288FB3E.4000205@aol.com>
Message-ID: <528904A4.4020209@aol.com>

Dear list,

I am working on a read-only filesystem and I am using the following command:

  echo "hello" | gpg -e -a -r martin at example.com

This command fails with the following errors:

  gpg: failed to create temporary file `/root/.gnupg/.#lk0x847421': Read-only file system
  gpg: fatal: can't create lock for `/root/.gnupg/trustdb.gpg'

I don't have the option "use-temp-files" enabled in my config. Even when I explicitly disable it, I get the same errors:

  echo "asdf" | gpg --keyserver-options no-use-temp-files -e -a -r martin at example.com

Could somebody please advise how I can use gpg without temporary files?

many thanks,
Martin

From mailinglisten at hauke-laging.de Sun Nov 17 19:09:05 2013
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Sun, 17 Nov 2013 19:09:05 +0100
Subject: unable to use gnupg on a read-only filesystem
In-Reply-To: <528904A4.4020209@aol.com>
References: <5288FB3E.4000205@aol.com> <528904A4.4020209@aol.com>
Message-ID: <2011062.atL8vZMkMR@inno.berlin.laging.de>

On Sun 17.11.2013, 19:02:12, Martin Vegter wrote:
> gpg: fatal: can't create lock for `/root/.gnupg/trustdb.gpg'

> Could somebody please advise how I can use gpg without temporary files?

That is a lock file. Try --lock-never

Hauke
--
Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
URL: From dan at geer.org Sun Nov 17 17:44:14 2013 From: dan at geer.org (dan at geer.org) Date: Sun, 17 Nov 2013 11:44:14 -0500 Subject: [tor-talk] BitMail.sf.net v 0.6 - Secure Encrypting Email Client In-Reply-To: Your message of "Fri, 15 Nov 2013 09:06:22 PST." <20131115090622.Horde.gNW5ukiHsdZ0hDgI831rdQ8@mail.sixdemonbag.org> Message-ID: <20131117164414.CD41622832F@palinka.tinho.net> | ... Further, getting two | computers to generate the exact same binary code from the exact same | source code is a surprisingly difficult challenge. It requires a | perfect match of everything from compiler versions to C library | versions right down to identical *clocks* -- because often, compilers | will incorporate timestamps into the output. | | Doing checksum validation of source code is feasible. Of binary code, | not really. Well said. Two binaries can be execution identical except for their use of registers -- their use of registers being an artefact of the compiler. --dan From rjh at sixdemonbag.org Mon Nov 18 06:21:14 2013 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 18 Nov 2013 00:21:14 -0500 Subject: [tor-talk] BitMail.sf.net v 0.6 - Secure Encrypting Email Client In-Reply-To: <20131117164414.CD41622832F@palinka.tinho.net> References: <20131117164414.CD41622832F@palinka.tinho.net> Message-ID: <5289A3CA.9080008@sixdemonbag.org> On 11/17/2013 11:44 AM, dan at geer.org wrote: > Well said. Two binaries can be execution identical except for their > use of registers -- their use of registers being an artefact of the > compiler. In fact, it goes even deeper than that: many architectures allow their processor to dynamically reorganize and/or modify the code being executed. (Out-of-order execution is one example of this.) So even if you're running two binaries that are completely identical, the CPU may process them quite differently depending on the state of the system. 
This has some extraordinary implications for those who are trying to guarantee their CPU is operating exactly the same as another CPU! Every couple of years I look at this problem, read a couple of papers, and walk away muttering about now is a great time to start drinking heavily...

From johanw at vulcan.xs4all.nl Mon Nov 18 07:52:47 2013
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Mon, 18 Nov 2013 07:52:47 +0100
Subject: [tor-talk] BitMail.sf.net v 0.6 - Secure Encrypting Email Client
In-Reply-To: <5289A3CA.9080008@sixdemonbag.org>
References: <20131117164414.CD41622832F@palinka.tinho.net> <5289A3CA.9080008@sixdemonbag.org>
Message-ID: <5289B93F.9050606@vulcan.xs4all.nl>

On 18-11-2013 6:21, Robert J. Hansen wrote:
> So even if
> you're running two binaries that are completely identical, the CPU may
> process them quite differently depending on the state of the system.
> This has some extraordinary implications for those who are trying to
> guarantee their CPU is operating exactly the same as another CPU!
> Every couple of years I look at this problem, read a couple of papers,
> and walk away muttering about now is a great time to start drinking
> heavily...

Dijkstra's goal of formally proving entire programs more complicated than hello world seems further away than ever. Don't lose any sleep over it, no one even tried that in practice anyway.

--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From rjh at sixdemonbag.org Mon Nov 18 12:30:47 2013
From: rjh at sixdemonbag.org (Robert J.
Hansen)
Date: Mon, 18 Nov 2013 06:30:47 -0500
Subject: [tor-talk] BitMail.sf.net v 0.6 - Secure Encrypting Email Client
In-Reply-To: <5289B93F.9050606@vulcan.xs4all.nl>
References: <20131117164414.CD41622832F@palinka.tinho.net> <5289A3CA.9080008@sixdemonbag.org> <5289B93F.9050606@vulcan.xs4all.nl>
Message-ID: <5289FA67.9040608@sixdemonbag.org>

On 11/18/2013 1:52 AM, Johan Wevers wrote:
> Dijkstra's goal of formally proving entire programs more complicated
> than hello world seems further away than ever. Don't lose any sleep
> over it, no one even tried that in practice anyway.

Well, yes and no. Provably-correct software is still a very hot thing in engineering, particularly in life-critical applications like avionics or nuclear reactor control software. The Ada programming language has a couple of variants -- SPARK and its descendants -- that support provable code.

The problem with provably correct code is that it only proves the code correctly implements the specification. It doesn't prove the specification completely encapsulates the problem...

From adrelanos at riseup.net Mon Nov 18 18:21:22 2013
From: adrelanos at riseup.net (adrelanos)
Date: Mon, 18 Nov 2013 17:21:22 +0000
Subject: article about Air Gapped OpenPGP Key
Message-ID: <528A4C92.1090102@riseup.net>

Hi,

An article about air gapped OpenPGP keys has been written by me:
https://www.whonix.org/wiki/Air_Gapped_OpenPGP_Key

Please leave feedback or hit the edit button. Maybe it's useful for someone. It's under public domain.

Cheers,
adrelanos

From rjh at sixdemonbag.org Mon Nov 18 19:53:18 2013
From: rjh at sixdemonbag.org (Robert J.
Hansen) Date: Mon, 18 Nov 2013 10:53:18 -0800 Subject: AES attack calculations (money and time) In-Reply-To: <4730156.RMOSiWWGuo@inno.berlin.laging.de> References: <4730156.RMOSiWWGuo@inno.berlin.laging.de> Message-ID: <20131118105318.Horde.ZZrtczUIS0B0PWcyAVzYxQ1@mail.sixdemonbag.org> > from time to time someone asks how secure (a)symmetric crypto really was and > then our math and physics teacher Rob has his performance. No, people ask how difficult it is to brute-force crypto. That's a very narrow question and can be answered with great precision. When it comes to the fuzzier question of how secure crypto is, I, like most people, hem and haw and start things off by saying, "Well, it really kinda depends, you know?" > Of course, they say "No practical impact due to reliance on related > keys" because they had to stay below 2^100 but considering that they refer to > real hardware whereas here the theoretical lower energy limits are > used I am a bit surprised. Why? There's no real contradiction here. The theoretical lower limit for brute-forcing a 128-bit cipher involves on the order of 10**17 joules of energy (100 megatons). That's not particularly high, although if you were to do it enough times you would significantly accelerate global climate change. His back-of-the-envelope calculation for cryptanalysis (not brute-forcing!) says a sustained 4 terawatts (10**12 joules per second, sustained for a long period) is enough. If you sustain terawatts for a long period you're going to significantly accelerate global climate change. (Note: one terawatt held for 30 seconds = 100 megatons.) Either way, the power requirements become absurd. As he says, "Energy seems to be the main bottleneck." I haven't phrased it that way: usually I phrase things more like, "Extremely large amounts of energy are required, but those extremely large amounts of energy have side effects we really don't want to experience." > Is this paper correct? What do you mean by 'correct'? 
As far as a back of the envelope calculation goes it seems reasonable enough, but I'm not sure I'd like to wager money on it being correct in each detail. > I am not an expert in these areas. The only point that > came to my mind is that if you need energy of the magnitude of the US overall > electricity consumption than you cannot ignore the energy costs. :-) 4 terawatts multiplied by one year equals 35 billion megawatt-hours. Per Wikipedia (http://en.wikipedia.org/wiki/Cost_of_electricity_by_source), nuclear power costs $60 per megawatt-hour. That's $2.1 trillion just to run the nuclear power plants to power this hypothetical computer. That's a jaw-dropping number. > Another question as I am not familiar with crypto attacks: They are talking > about plaintext there. Does that mean they need both plaintext and ciphertext > to tun this kind of attack? If so then I assume the real computational effort > is higher by orders of magnitude because you have to check whether > each key is the right one. Is that correct? They're talking about doing sophisticated mathematical analysis of the system in order to recover the key. This isn't a brute-force setup. From pete at heypete.com Mon Nov 18 20:45:46 2013 From: pete at heypete.com (Pete Stephenson) Date: Mon, 18 Nov 2013 20:45:46 +0100 Subject: article about Air Gapped OpenPGP Key In-Reply-To: <528A4C92.1090102@riseup.net> References: <528A4C92.1090102@riseup.net> Message-ID: <528A6E6A.1060803@heypete.com> On 11/18/2013 6:21 PM, adrelanos wrote: > Hi, > > An article about air gapped OpenPGP keys has been written by me: > https://www.whonix.org/wiki/Air_Gapped_OpenPGP_Key > > Please leave feedback or hit the edit button. Maybe it's useful for > someone. It's under public domain. > > Cheers, > adrelanos Excellent work! Here's some minor suggestions and personal opinions. 1. 
If you set the keyprefs in your gpg.conf configuration file before you generate a new key it will generate new keys with these stronger defaults rather than having you need to edit them later. See for details and examples. I'd like to call your attention to the "cert-digest-algo SHA256" line -- this means that your primary key will make stronger signatures on other keys (e.g. your subkeys and other people's public keys). This is probably a Good Thing. 2. Have you considered adding TWOFISH and BLOWFISH to the list of ciphers? I put TWOFISH after AES256 and before AES192, and I put BLOWFISH after AES but before CAST5. I like having diverse, strong ciphers available to those who might elect to use them. Since the versions of GnuPG I use support those ciphers and they're generally well-regarded I see no reason to exclude them, but your mileage may vary. I've been tempted to add prefs showing I can use the CAMELLIA cipher -- does anyone know of a good reason not to? 3. When generating the key and you're prompted to pick a key type, I recommend selecting #4 ("RSA (sign only)"). This generates only the primary signing/certification key but does not generate an encryption subkey at the same time. Later you can add the encryption and signing subkeys. This can be useful if you want to mix-and-match algorithms and expiration dates. For example, I have a 3072-bit DSA sign/cert primary key, a 2048-bit RSA encryption subkey, and a 2048-bit RSA signing subkey. The two subkeys have a 5-year expiration time while the primary key has no expiration time. Of course, selecting option #1 and creating an RSA sign/cert primary key with an RSA subkey of equal strength with the same (if any) expiration date, followed by adding a new signing subkey also works. It's simply a matter of personal preference -- I like generating each key individually so I have control over that specific key. 4. 
Are there any known issues with your "air gapped" system being the same physical hardware as your everyday system even if you use a LiveCD? I don't know if there'd be the potential for hardware compromises. Depending on one's security needs, it might be useful to get a separate, isolated, never-connected-to-the-internet computer specifically for high-security needs. (See for some pointers.) 5. Smartcards are also useful, as you can generate keys on your isolated computer, back them up safely, then copy the keys to the smartcard. You can then use the smartcard on your everyday system without risk of exposing the private keys. I have an RSA primary key on one smartcard and RSA signing/encryption subkeys on another smartcard. (I also have a third card which has the RSA subkeys for the key I mentioned in point #3 above. I rather like smartcards.) Cheers! -Pete Cheers! -Pete From rjh at sixdemonbag.org Mon Nov 18 21:35:24 2013 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 18 Nov 2013 12:35:24 -0800 Subject: article about Air Gapped OpenPGP Key In-Reply-To: <528A6E6A.1060803@heypete.com> References: <528A4C92.1090102@riseup.net> <528A6E6A.1060803@heypete.com> Message-ID: <20131118123524.Horde.qfUghQglyqQcKwdmH1DUug1@mail.sixdemonbag.org> > 4. Are there any known issues with your "air gapped" system being the > same physical hardware as your everyday system even if you use a LiveCD? The airgap networks I've seen have run in separate rooms from the regular network and use a different kind of networking hardware in order to make cross-contamination impossible. For instance, if the network uses gigabit Ethernet then the airgap will use 10base2 coaxial cable, or some other incompatible networking system. (This may be the only remaining legitimate use for 10base2...) If your airgap system is network-compatible with the regular system, then you don't have an airgap. 
What you have instead is something that looks like an airgap until somebody has a five-second braino while hooking up network cables, and you don't discover for two weeks afterwards that your airgap was breached.

From david at systemoverlord.com Mon Nov 18 22:07:49 2013
From: david at systemoverlord.com (David Tomaschik)
Date: Mon, 18 Nov 2013 13:07:49 -0800
Subject: article about Air Gapped OpenPGP Key
In-Reply-To: <528A6E6A.1060803@heypete.com>
References: <528A4C92.1090102@riseup.net> <528A6E6A.1060803@heypete.com>
Message-ID:

On Mon, Nov 18, 2013 at 11:45 AM, Pete Stephenson wrote:
> On 11/18/2013 6:21 PM, adrelanos wrote:
> > Hi,
> >
> > An article about air gapped OpenPGP keys has been written by me:
> > https://www.whonix.org/wiki/Air_Gapped_OpenPGP_Key
> >
> > Please leave feedback or hit the edit button. Maybe it's useful for
> > someone. It's under public domain.
> >
> > Cheers,
> > adrelanos
>
> 4. Are there any known issues with your "air gapped" system being the
> same physical hardware as your everyday system even if you use a LiveCD?
> I don't know if there'd be the potential for hardware compromises.
> Depending on one's security needs, it might be useful to get a separate,
> isolated, never-connected-to-the-internet computer specifically for
> high-security needs. (See
> for some
> pointers.)
>

If you haven't seen it already, check out the story on "BadBIOS" -- Dragos Ruiu, one of the organizers of CanSecWest has allegedly uncovered a complex hardware rootkit. (One story here: https://www.schneier.com/blog/archives/2013/11/badbios.html) I haven't decided yet if I believe all of it, but it's still a scary thought.

> Cheers!
> -Pete
>
> Cheers!
> -Pete
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>

--
David Tomaschik
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com

From mailinglisten at hauke-laging.de Tue Nov 19 05:02:57 2013
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Tue, 19 Nov 2013 05:02:57 +0100
Subject: article about Air Gapped OpenPGP Key
In-Reply-To: <528A4C92.1090102@riseup.net>
References: <528A4C92.1090102@riseup.net>
Message-ID: <15063313.vE5rGUbaWf@inno.berlin.laging.de>

On Mon 18.11.2013, 17:21:22, adrelanos wrote:
> Hi,
>
> An article about air gapped OpenPGP keys has been written by me:
> https://www.whonix.org/wiki/Air_Gapped_OpenPGP_Key
>
> Please leave feedback or hit the edit button.

####################################

> By default GPG creates one signing subkey (your identity) and one encryption
> subkey

That's wrong. The default is a mainkey for signing and a subkey for encryption.

> This new subkey is linked to the first signing key.

?

> Your master keypair is the one whose loss would be truly catastrophic.

I would not put it that way. If it is just lost then the key will expire (if it has an expiration date as it should) as you cannot extend its validity time. So you need a new key. That is unpleasant but usually not as unpleasant as compromised decryption or signature keys. If you state something like that I think you should explain it.

> Using the highest possible value for key length helps protect you from that
> scenario. Don't use GPG's default of 2048!

That argument doesn't make any sense for a key "copied to your every day operating system".

> If your master keypair gets lost or stolen, this certificate file is the
> only way you'll be able to tell people to ignore the stolen key. This is
> important, don't skip this step!
I have never understood why people seem to believe that they cannot safely store a key backup (including the passphrase if necessary) but can safely store a revocation certificate.

> Clean up our temporary file.
> rm subkeys

Why should one remove this file? And is it really a good idea to use the same passphrase for both mainkey and subkeys?

> The pound sign means the signing subkey is not in the keypair located in the
> keyring.

No, it means that the mainkey has been replaced by a stub.

> Securely wiping of data is a difficult issue. We believe it is safer to
> create a new keypair (a new secring.gpg) than trusting gpg to remove the
> private master key from secring.gpg.

We are talking about a secring.gpg in RAM as the key is generated on a secure system running some live Linux CD/DVD?

> Our every day operating system never gets to see our OpenPGP master key

But it sees the mainkey's passphrase...

It will take me some time to translate this into English but I have written a bash script which creates a new key with two subkeys and outputs a set of files (with different passphrases) and two directories and even allows you to easily certify other keys and create mainkey signatures immediately after key creation:

0x11DB2900.public.asc
0x11DB2900.public.asc.asc
0x11DB2900.secret-mainkey.asc
0x11DB2900.secret-mainkey-only.asc
0x11DB2900.secret-subkeys.asc
_gnupg-mainkey/
_gnupg-subkeys/

http://www.openpgp-schulungen.de/scripte/keygeneration/

explained here:
http://www.openpgp-schulungen.de/inhalte/einrichtung/materialien/keygen-anleitung-info.html

Or download the whole script collection here and run ./start.sh:
http://www.openpgp-schulungen.de/download/

Hauke
--
Crypto für alle: http://www.openpgp-schulungen.de/fuer/bekannte/
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
From rjh at sixdemonbag.org Tue Nov 19 07:07:17 2013
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 19 Nov 2013 01:07:17 -0500
Subject: article about Air Gapped OpenPGP Key
In-Reply-To: <15063313.vE5rGUbaWf@inno.berlin.laging.de>
References: <528A4C92.1090102@riseup.net> <15063313.vE5rGUbaWf@inno.berlin.laging.de>
Message-ID: <528B0015.6030206@sixdemonbag.org>

> I have never understood why people seem to believe that they cannot safely
> store a key backup (including the passphrase if necessary) but can safely
> store a revocation certificate.

It comes into play more when entrusting others. If I give my lawyer a copy of my certificate and passphrase with instructions of "revoke these when I die," I'm giving my lawyer the power to impersonate me should my lawyer suddenly go rogue. If I give my lawyer a revocation certificate, I'm exposed to far less risk.

> And is it really a good idea to use the same passphrase for both mainkey and
> subkeys?

This can't be answered without knowing about a specific threat that the person is trying to mitigate. I think that most models will find this to be a negligible risk.

(This next quote belongs to adrelanos, not Hauke.)

> Securely wiping of data is a difficult issue. We believe it is safer to
> create a new keypair (a new secring.gpg) than trusting gpg to remove the
> private master key from secring.gpg.

First, using the royal "we" is... well, royal. "We" is appropriate when writing a committee report or if the speaker is a sitting monarch. Otherwise, "I" should be used.

Second, why is a secure wipe necessary? The only information that's recoverable is public metadata. The key material itself is encrypted. If people doubt me on this, I am quite happy to post my private key to the list. So long as you've got a good passphrase on your certificate, you can post your private key in the _New York Times_.
I'm unaware of any model in which a private key needs to be securely scrubbed, unless you're not putting a strong passphrase on the certificate. Even then, scrubbing data is usually a sign you've misunderstood the problem you're trying to solve. If you're concerned about sensitive data lurking on your hard drive the solution isn't to scrub the drive, it's to use an encrypted filesystem.

From fuzzykitties at riseup.net Tue Nov 19 08:28:58 2013
From: fuzzykitties at riseup.net (fuzzykitties at riseup.net)
Date: Mon, 18 Nov 2013 23:28:58 -0800
Subject: Unusual (unintended?) behavor upon decryption of a message
Message-ID:

Upon decryption of the attached message, the program requests a new passphrase. Then after any arbitrary string is entered (or nothing), decryption of the message fails. It does not matter if any private keys are held in gnupg (including the key of the intended recipient).

Here is the message in question. How is this possible?

-----BEGIN PGP MESSAGE-----
Comment: GPGTools - https://gpgtools.org

hQEMA8sGafEL0jk+AQgAkw42Raga96t+3DtGR2Hy0xLsOiabSrPIrdNP6gymn6Lw
8VLnKHcedpByZyOUd7ifgS+QiV6MlDov9z//9U5KTiD2oyAfJ5dB6/ZSpGiUftm/
82dxSFfxhOASEQ5Cik1BViLK+n9+cYBUdPY/F2zh58x9Cr/g7RTIhHpyDwdzPW5X
suYlxofpIV2R43/VNI4T6Mln6Ja4N5poadJVrbIkajPdRjFKBJ7xF5f8VDc4zIus
hoJvfPQpUoWqn4SKXNpmjPGSMftUhMyHUMrIePbm0H/57tsd7GmPDfRcQ3eZZYP/
vFkhVY/HJnBIE283I0Vygo/Tgd5iJr71uFZFSy2Ko4wuBAMDAogT9pWed09F0u+G
goArYxi0LD1f6cVlyNvNDqG9HrtC3Cae6YA03j1Z09LpAYrPm3wOGKKZIilc4frh
alWflwPEbsxqBXYBJjUGRDMqMgsidX8QveJOKZpbSdW6edSurmMfRPxKA6RjWz9p
C3L0N9XC6gZV2kludw8qfR8+AR9Hv+eGjaSm6K9Tk8tJNMTdnafPIKDIo5rAN4qV
YDM+wVv6hs3x9Ng1BZfGWXAY37sclLjvRri/uIr1snQkfah/uvrWa+Zl9CfraEjA
CSDNYTYDu4M0tkvf+ky0GMjeA84JS6OA9X6YsIDu9llsSKAfrNFmJszVRkNP/uqO
gstLj0CEgS3noljhrvIsKbzNxmBmhoftIP+txeh0vpOw58cpB5XhV8jh4h/wBN+9
YNLeIz6uKN39tlU5E9zJ08OlWw7GxA6fkOqwGpVpI25A43ZWfG2WBvcueQFckq38
PgkfNrB+vgOODbwq0PAaA5oq6YXn7raXxmC+7p7cOUHXZlvq19ZN8YSM0lZi8GWs
z2oVEGlkLgS95Mz1cwqe7CvhcZeKdsgWT+Gw0Pa32YKtXqgfdySZLttT/+5W2OI+
Q5o4gpRQ/269wGgRTJYSyQoxWgwWTRwkDq+1GVTMwP/M5hQNCWRIP30I48Gal1tr
igyTtlXS/EG8PEbCs8hU86WdWWHGI7P8HbAhrkRmuQzF/KZ3hx8+7fmK3ULWxgb1
VvuRjtC6cerFWRGX9bONcnHAU6tuwHAN45/TVERNFrsuyRnjSCFnRQ2d0PcOVPvs
Ed6pEjOn4QWP1qhyKvyPTJd6R+MBtJqRlZzCSNcXqCjGU6Z126Nx1WqjkxVv9m7c
sW4HwS9VNSbjebypUtwHjSn/QORqKSNul1BEPe9x2YIOHHsFpYtsUzbzXvDblJ4F
fx+pqkC7TKYcGTHcwEjQIy4F3ny3KkVNeJdU6/xfz39k/LJhyuAQ43bo1SyJA0Rg
FyPTYCBajofY7jNrLzgNBRlbInMHv1SKGoiO5RKP2iW28W1y82fKujFYmmE1k0g2
8eBvkac8A/3B9gVc7/JCrpMAy3+bqM1MEb1dRtv92Uf1+aPGFSgboNhSAePZzGQZ
ulTfoOUU
=I9Fr
-----END PGP MESSAGE-----

From laurent.jumet at skynet.be Tue Nov 19 10:15:55 2013
From: laurent.jumet at skynet.be (Laurent Jumet)
Date: Tue, 19 Nov 2013 10:15:55 +0100
Subject: Unusual (unintended?) behavor upon decryption of a message
In-Reply-To:
References:
Message-ID: <528B2C4B.8090209@skynet.be>

On 19/11/2013 08:28, fuzzykitties at riseup.net wrote:
> Upon decryption of the attached message, the program requests a new
> passphrase. Then after any arbitrary string is entered (or nothing),
> decryption of the message fails. It does not matter if any private keys
> are held in gnupg (including the key of the intended recipient).
>
> Here is the message in question. How is this possible?
>

In my opinion, this is a symmetrically encrypted message. You need the exact password (called passphrase as well) to decrypt it, but it's not a double key cipher.

--
Laurent Jumet
KeyID: 0xCFAF704C

From grarpamp at gmail.com Sun Nov 17 07:44:48 2013
From: grarpamp at gmail.com (grarpamp)
Date: Sun, 17 Nov 2013 01:44:48 -0500
Subject: [tor-talk] [liberationtech] BitMail.sf.net v 0.6 - Secure Encrypting Email Client
In-Reply-To: <5288100A.3070400@riseup.net>
References: <52860a15.43e3440a.4abd.ffffe2e3@mx.google.com> <5288100A.3070400@riseup.net>
Message-ID:

> I don't think that's possible at the moment. There are no
> deterministically built operating systems yet.

This is rather sad. I think FreeBSD has a project somewhere trying to move that way.
Hopefully all of the unix-likes are at least aware of the concept, if not having an actual project for it. Also, none of the BSDs have any built-in integrity in their repositories, they just insist their infrastructure and committers are infallible among other excuses. (Excepting DragonFly which uses git, don't know if they sign it though. Monotone seems better at that sort of embedded pki thing.)

From peter at digitalbrains.com Tue Nov 19 12:07:00 2013
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 19 Nov 2013 12:07:00 +0100
Subject: Unusual (unintended?) behavor upon decryption of a message
In-Reply-To: <528B2C4B.8090209@skynet.be>
References: <528B2C4B.8090209@skynet.be>
Message-ID: <528B4654.4070303@digitalbrains.com>

On 19/11/13 10:15, Laurent Jumet wrote:
> In my opinion, this is a symmetrically encrypted message. You need the exact
> password (called passphrase as well) to decrypt it, but it's not a double key
> cipher.

You're only partly correct. Letting 'gpg2 --list-packets --list-only' inspect the message, I see:

:pubkey enc packet: version 3, algo 1, keyid CB0669F10BD2393E
        data: [2048 bits]
:symkey enc packet: version 4, cipher 3, s2k 3, hash 2, seskey 256 bits
        salt 8813f6959e774f45, count 9437184 (210)
gpg: CAST5 encrypted session key
:encrypted data packet:
        length: unknown
        mdc_method: 2
gpg: encrypted with 1 passphrase
gpg: encrypted with RSA key, ID 0BD2393E

So it can be decrypted either with the mentioned RSA key, or by some passphrase. There are two ways to get at the data. If you don't have that RSA key, programs will likely query you for the passphrase. If you do have the secret key for that RSA key, I suppose it will ask that first, although I'm not sure. It will ask for the passphrase for the RSA key, but I'm unsure if it will be the first passphrase it asks for.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
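The packet structure Peter reads off with --list-packets can be checked without gpg at all. The following Python script is an added illustration for this thread, not code by Peter or by the GnuPG project: it de-armors the message fuzzykitties posted, walks the packet headers as RFC 4880 sections 4.2, 5.1, 5.3 and 5.13 define them (old- and new-format headers, including the partial body lengths gpg reports as "length: unknown"), and decodes the same fields gpg prints, among them the coded S2K iteration octet 210, which expands to 9437184. The message text is copied from the thread above; everything else (function names, the dictionary keys) is this example's own choice. Only headers and S2K parameters are read; nothing is decrypted.

```python
import base64

# The message posted in the thread, reproduced so the example runs offline.
# Only packet headers and S2K parameters are read; nothing is decrypted.
ARMORED_MESSAGE = """-----BEGIN PGP MESSAGE-----
Comment: GPGTools - https://gpgtools.org

hQEMA8sGafEL0jk+AQgAkw42Raga96t+3DtGR2Hy0xLsOiabSrPIrdNP6gymn6Lw
8VLnKHcedpByZyOUd7ifgS+QiV6MlDov9z//9U5KTiD2oyAfJ5dB6/ZSpGiUftm/
82dxSFfxhOASEQ5Cik1BViLK+n9+cYBUdPY/F2zh58x9Cr/g7RTIhHpyDwdzPW5X
suYlxofpIV2R43/VNI4T6Mln6Ja4N5poadJVrbIkajPdRjFKBJ7xF5f8VDc4zIus
hoJvfPQpUoWqn4SKXNpmjPGSMftUhMyHUMrIePbm0H/57tsd7GmPDfRcQ3eZZYP/
vFkhVY/HJnBIE283I0Vygo/Tgd5iJr71uFZFSy2Ko4wuBAMDAogT9pWed09F0u+G
goArYxi0LD1f6cVlyNvNDqG9HrtC3Cae6YA03j1Z09LpAYrPm3wOGKKZIilc4frh
alWflwPEbsxqBXYBJjUGRDMqMgsidX8QveJOKZpbSdW6edSurmMfRPxKA6RjWz9p
C3L0N9XC6gZV2kludw8qfR8+AR9Hv+eGjaSm6K9Tk8tJNMTdnafPIKDIo5rAN4qV
YDM+wVv6hs3x9Ng1BZfGWXAY37sclLjvRri/uIr1snQkfah/uvrWa+Zl9CfraEjA
CSDNYTYDu4M0tkvf+ky0GMjeA84JS6OA9X6YsIDu9llsSKAfrNFmJszVRkNP/uqO
gstLj0CEgS3noljhrvIsKbzNxmBmhoftIP+txeh0vpOw58cpB5XhV8jh4h/wBN+9
YNLeIz6uKN39tlU5E9zJ08OlWw7GxA6fkOqwGpVpI25A43ZWfG2WBvcueQFckq38
PgkfNrB+vgOODbwq0PAaA5oq6YXn7raXxmC+7p7cOUHXZlvq19ZN8YSM0lZi8GWs
z2oVEGlkLgS95Mz1cwqe7CvhcZeKdsgWT+Gw0Pa32YKtXqgfdySZLttT/+5W2OI+
Q5o4gpRQ/269wGgRTJYSyQoxWgwWTRwkDq+1GVTMwP/M5hQNCWRIP30I48Gal1tr
igyTtlXS/EG8PEbCs8hU86WdWWHGI7P8HbAhrkRmuQzF/KZ3hx8+7fmK3ULWxgb1
VvuRjtC6cerFWRGX9bONcnHAU6tuwHAN45/TVERNFrsuyRnjSCFnRQ2d0PcOVPvs
Ed6pEjOn4QWP1qhyKvyPTJd6R+MBtJqRlZzCSNcXqCjGU6Z126Nx1WqjkxVv9m7c
sW4HwS9VNSbjebypUtwHjSn/QORqKSNul1BEPe9x2YIOHHsFpYtsUzbzXvDblJ4F
fx+pqkC7TKYcGTHcwEjQIy4F3ny3KkVNeJdU6/xfz39k/LJhyuAQ43bo1SyJA0Rg
FyPTYCBajofY7jNrLzgNBRlbInMHv1SKGoiO5RKP2iW28W1y82fKujFYmmE1k0g2
8eBvkac8A/3B9gVc7/JCrpMAy3+bqM1MEb1dRtv92Uf1+aPGFSgboNhSAePZzGQZ
ulTfoOUU
=I9Fr
-----END PGP MESSAGE-----
"""


def dearmor(text):
    """Base64-decode the armor body, skipping 'Key: value' headers and the =CRC line."""
    body = [ln.strip() for ln in text.strip().splitlines()[1:-1]]
    return base64.b64decode("".join(ln for ln in body if ln and ":" not in ln and ln[0] != "="))


def new_length(buf, pos):
    """New-format body length (RFC 4880 4.2.2) -> (length, next_pos, is_partial)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1, False
    if first < 224:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2, False
    if first == 255:
        return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5, False
    return 1 << (first & 0x1F), pos + 1, True  # partial body length


def read_packets(buf):
    """Split a packet stream into (tag, body) pairs, reassembling partial bodies."""
    pos, packets = 0, []
    while pos < len(buf):
        ctb = buf[pos]
        if not ctb & 0x80:
            raise ValueError(f"offset {pos}: {ctb:#x} is not a packet tag")
        if ctb & 0x40:  # new-format header (4.2.2)
            tag = ctb & 0x3F
            length, pos, partial = new_length(buf, pos + 1)
        else:           # old-format header (4.2.1); length type 3 means "rest of stream"
            tag, ltype, partial = (ctb >> 2) & 0x0F, ctb & 0x03, False
            n = 0 if ltype == 3 else 1 << ltype
            length = int.from_bytes(buf[pos + 1:pos + 1 + n], "big") if n else len(buf) - pos - 1
            pos += 1 + n
        body = bytearray(buf[pos:pos + length])
        pos += length
        while partial:  # continuation chunks carry only a length octet, no tag
            length, pos, partial = new_length(buf, pos)
            body += buf[pos:pos + length]
            pos += length
        packets.append((tag, bytes(body)))
    return packets


def describe(tag, body):
    """Decode the fields that gpg --list-packets prints for the packet types seen here."""
    if tag == 1:   # Public-Key Encrypted Session Key (5.1)
        return {"tag": tag, "version": body[0], "keyid": body[1:9].hex().upper(),
                "algo": body[9], "mpi_bits": int.from_bytes(body[10:12], "big")}
    if tag == 3:   # Symmetric-Key Encrypted Session Key (5.3)
        info = {"tag": tag, "version": body[0], "cipher": body[1], "s2k": body[2], "hash": body[3]}
        end = 4
        if body[2] in (1, 3):  # salted and iterated-salted S2K carry an 8-octet salt
            info["salt"], end = body[4:12].hex(), 12
        if body[2] == 3:       # coded iteration count (3.7.1.3)
            c = body[12]
            info["count"], end = (16 + (c & 15)) << ((c >> 4) + 6), 13
        info["seskey_bits"] = max(len(body) - end - 1, 0) * 8  # minus the algorithm octet
        return info
    if tag == 18:  # Sym. Encrypted Integrity Protected Data (5.13)
        return {"tag": tag, "version": body[0], "length": len(body)}
    return {"tag": tag, "length": len(body)}


def analyze(armored):
    """Describe every packet of an armored message, in stream order."""
    return [describe(tag, body) for tag, body in read_packets(dearmor(armored))]
```

analyze(ARMORED_MESSAGE) returns three entries: tag 1 (version 3, key ID CB0669F10BD2393E, algorithm 1, a 2048-bit MPI), tag 3 (version 4, cipher 3, S2K 3, hash 2, salt 8813f6959e774f45, count 9437184, a 256-bit session key) and tag 18 (version 1, 787 body bytes once the 512-byte partial chunk and the 275-byte final chunk are joined). The tag 3 packet is what makes gpg prompt for a passphrase even on a machine that holds no matching RSA key, so counting tag 1 and tag 3 packets is the quickest way to see who, or what, can decrypt a message before any key is touched.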
My key is available at

From adrelanos at riseup.net Tue Nov 19 12:50:25 2013
From: adrelanos at riseup.net (adrelanos)
Date: Tue, 19 Nov 2013 11:50:25 +0000
Subject: article about Air Gapped OpenPGP Key
In-Reply-To: <20131118102956.Horde.EfSM20TLSt3y47uLBN4tFw2@mail.sixdemonbag.org>
References: <528A4C92.1090102@riseup.net> <20131118102956.Horde.EfSM20TLSt3y47uLBN4tFw2@mail.sixdemonbag.org>
Message-ID: <528B5081.5070805@riseup.net>

Robert J. Hansen:
>> Please leave feedback or hit the edit button. Maybe it's useful for
>> someone. It's under public domain.
>
> A major omission:
>
> "What is this, why should I care, and what security risks does it
> mitigate?"
>
> Without that, the article is useful only to people who have already been
> convinced of the importance of an airgapped certificate. If you can
> address those three questions the page will become much more useful to
> people who don't know what an airgapped certificate is or in which
> circumstances it might be useful.

I agree with that, I've never been good at explaining the why, so this time I omitted it.

From adrelanos at riseup.net Tue Nov 19 12:50:41 2013
From: adrelanos at riseup.net (adrelanos)
Date: Tue, 19 Nov 2013 11:50:41 +0000
Subject: article about Air Gapped OpenPGP Key
In-Reply-To: <15063313.vE5rGUbaWf@inno.berlin.laging.de>
References: <528A4C92.1090102@riseup.net> <15063313.vE5rGUbaWf@inno.berlin.laging.de>
Message-ID: <528B5091.6090305@riseup.net>

Hauke Laging:
> On Mon 18.11.2013, 17:21:22, adrelanos wrote:
>> Hi,
>>
>> An article about air gapped OpenPGP keys has been written by me:
>> https://www.whonix.org/wiki/Air_Gapped_OpenPGP_Key
>>
>> Please leave feedback or hit the edit button.
>
> ####################################
>
>> By default GPG creates one signing subkey (your identity) and one encryption
>> subkey
>
> That's wrong. The default is a mainkey for signing and a subkey for
> encryption.

Fixed that.

>
>> This new subkey is linked to the first signing key.
>
> ?

Fixed that.
>
>> Your master keypair is the one whose loss would be truly catastrophic.
>
> I would not put it that way. If it is just lost then the key will expire (if
> it has an expiration date as it should) as you cannot extend its validity
> time. So you need a new key. That is unpleasant but usually not as unpleasant
> as compromised decryption or signature keys. If you state something like that
> I think you should explain it.
>

I agree with that. Originally intended to write "compromise" instead of
"loss". When I write "compromise", that sentence should be correct.

>> Using the highest possible value for key length helps protect you from that
>> scenario. Don't use GPG's default of 2048!
>
> That argument doesn't make any sense for a key "copied to your every day
> operating system".

The whole context is:

> When you create your new keypair, use the highest possible values for key
> length. As computers get more powerful and storage gets cheaper, it's
> conceivable that a nasty person could archive a message that's unbreakable
> today, then in the future break it using a more powerful computer. Using the
> highest possible value for key length helps protect you from that scenario.
> Don't use GPG's default of 2048!

Why doesn't that make sense?

>
>> If your master keypair gets lost or stolen, this certificate file is the
>> only way you'll be able to tell people to ignore the stolen key. This is
>> important, don't skip this step!
>
> I have never understood why people seem to believe that they cannot safely
> store a key backup (including the passphrase if necessary) but can safely
> store a revocation certificate.

I don't understand.

>
>> Clean up our temporary file.
>
>> rm subkeys
>
> Why should one remove this file?

Probably not that important. It's not required anymore. When later new
subkeys are created, that file would have to be updated. Removing it to
avoid confusion.

> And is it really a good idea to use the same passphrase for both mainkey and
> subkeys?
From a security perspective, clearly no. From a usability perspective, yes.
Above I am suggesting to store the key backup on a fully encrypted disk, so
the passphrase for the mainkey doesn't matter if you assume the full disk
encryption of that disk is safe.

>
>> The pound sign means the signing subkey is not in the keypair located in the
>> keyring.
>
> No, it means that the mainkey has been replaced by a stub.

I added this as a footnote.

>
>> Securely wiping data is a difficult issue. We believe it is safer to
>> create a new keypair (a new secring.gpg) than trusting gpg to remove the
>> private master key from secring.gpg.
>
> We are talking about a secring.gpg in RAM as the key is generated on a secure
> system running some live Linux CD/DVD?

That would be advisable.

>
>> Our every day operating system never gets to see our OpenPGP master key
>
> But it sees the mainkey's passphrase...

True.

>
> It will take me some time to translate this in English but I have written a
> bash script which creates a new key with two subkeys and outputs a set of
> files (with different passphrases) and two directories and even allows you to
> easily certify other keys and create mainkey signatures immediately after key
> creation:
>
> 0x11DB2900.public.asc
> 0x11DB2900.public.asc.asc
> 0x11DB2900.secret-mainkey.asc
> 0x11DB2900.secret-mainkey-only.asc
> 0x11DB2900.secret-subkeys.asc
> _gnupg-mainkey/
> _gnupg-subkeys/
>
> http://www.openpgp-schulungen.de/scripte/keygeneration/
>
> explained here:
> http://www.openpgp-schulungen.de/inhalte/einrichtung/materialien/keygen-anleitung-info.html
>
> Or download the whole script collection here and run ./start.sh:
> http://www.openpgp-schulungen.de/download/

This is most interesting.
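The split that the article and the exchange above describe (a mainkey that stays offline, an everyday keyring that only ever holds the subkeys, and the pound sign in `gpg -K` that Hauke explains as "the mainkey has been replaced by a stub"), carried out end to end as an added example. This is not code from the Whonix article, from Hauke's script collection or from anyone in this thread. It assumes GnuPG 2.2 or later with `gpg` and `gpgconf` in PATH; the user ID, RSA-3072, the expiry values and the empty passphrase are demonstration values only (a real offline mainkey would get a passphrase, and the offline directory would live on encrypted removable media or in RAM on a live system, as discussed above).

```shell
#!/bin/sh
# Added example (not from the Whonix article or this thread): perform the
# mainkey/subkey split and verify that the everyday keyring only holds a
# stub for the primary key. Assumes GnuPG >= 2.2 (gpg, gpgconf) in PATH.
# User ID, algorithm, expiry and the empty passphrase are demo values.
set -eu

# Create a certify-only primary key plus a signing and an encryption subkey
# in the "offline" GNUPGHOME. Prints the primary key fingerprint.
make_offline_key() {
    offline=$1
    mkdir -p "$offline" && chmod 700 "$offline"
    GNUPGHOME=$offline gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Airgap Demo <demo@example.invalid>' rsa3072 cert never
    fpr=$(GNUPGHOME=$offline gpg --batch --list-secret-keys --with-colons \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    GNUPGHOME=$offline gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-add-key "$fpr" rsa3072 sign 1y
    GNUPGHOME=$offline gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-add-key "$fpr" rsa3072 encr 1y
    printf '%s\n' "$fpr"
}

# Export only the secret subkeys from the offline home and import them into
# the "everyday" home. --export-secret-subkeys writes the primary key as a
# stub (GNU dummy S2K), so the primary secret material never crosses over.
# Prints the everyday keyring listing ('gpg -K').
populate_everyday() {
    offline=$1 everyday=$2
    mkdir -p "$everyday" && chmod 700 "$everyday"
    GNUPGHOME=$offline gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --export-secret-subkeys \
        | GNUPGHOME=$everyday gpg --batch --quiet --import
    GNUPGHOME=$everyday gpg --batch -K
}

# Whole procedure in throwaway directories; the agents started for the two
# homes are stopped and the directories removed on exit. Prints the
# everyday listing: the primary line reads 'sec#' (stub, no secret key
# behind it), the subkeys are real 'ssb' entries.
airgap_split_demo() {
    work=$(mktemp -d)
    trap 'GNUPGHOME=$work/offline gpgconf --kill gpg-agent 2>/dev/null || true;
          GNUPGHOME=$work/everyday gpgconf --kill gpg-agent 2>/dev/null || true;
          rm -rf "$work"' EXIT
    make_offline_key "$work/offline" >/dev/null
    populate_everyday "$work/offline" "$work/everyday"
}

# Returns 0 when the everyday keyring holds a stub primary ('sec#') together
# with usable subkeys ('ssb'), 1 otherwise.
check_split() {
    listing=$(airgap_split_demo)
    printf '%s\n' "$listing" | grep -q '^sec#' || return 1
    printf '%s\n' "$listing" | grep -q '^ssb'  || return 1
}
```

Run it with `sh` and compare the two listings yourself: `gpg -K` in the offline directory shows `sec` for the primary key, the everyday directory shows `sec#`. Anything that needs the primary key (certifying another key, adding or revoking subkeys, extending expiry) fails in the everyday home, which is exactly the property the article wants. Note that the everyday home still needs the subkeys' passphrase, which is the point Hauke makes about the shared passphrase.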
From adrelanos at riseup.net  Tue Nov 19 12:50:34 2013
From: adrelanos at riseup.net (adrelanos)
Date: Tue, 19 Nov 2013 11:50:34 +0000
Subject: article about Air Gapped OpenPGP Key
In-Reply-To: <528A6E6A.1060803@heypete.com>
References: <528A4C92.1090102@riseup.net> <528A6E6A.1060803@heypete.com>
Message-ID: <528B508A.3080902@riseup.net>

Pete Stephenson:
> 1. If you set the keyprefs in your gpg.conf configuration file before
> you generate a new key it will generate new keys with these stronger
> defaults rather than having you need to edit them later. See
> for details and examples.

I also thought about recommending a gpg.conf with specific settings. Maybe
this one:
https://github.com/ioerror/torbirdy/pull/11
https://github.com/ioerror/torbirdy/blob/master/gpg.conf

Not sure... What makes the page less complex and confusing? Explain how to
set such options using the command line or creating a gpg.conf? When one
uses a Live system for its air gapped OpenPGP key, one would have to
constantly remember re-creating that gpg.conf. (Gone after reboot.)

> I'd like to call your attention to the "cert-digest-algo SHA256" line --
> this means that your primary key will make stronger signatures on other
> keys (e.g. your subkeys and other people's public keys). This is
> probably a Good Thing.

This is important. Can this be set without using gpg.conf?

> 2. Have you considered adding TWOFISH and BLOWFISH to the list of
> ciphers? I put TWOFISH after AES256 and before AES192, and I put
> BLOWFISH after AES but before CAST5. I like having diverse, strong
> ciphers available to those who might elect to use them. Since the
> versions of GnuPG I use support those ciphers and they're generally
> well-regarded I see no reason to exclude them, but your mileage may vary.

No, I haven't considered it, don't feel I am competent for such a
discussion. I am ignorant about the nuances which ciphers are
better/worse/when/etc.
and following recommendations from here:
https://github.com/ioerror/torbirdy/blob/master/gpg.conf

> 3. When generating the key and you're prompted to pick a key type, I
> recommend selecting #4 ("RSA (sign only)"). This generates only the
> primary signing/certification key but does not generate an encryption
> subkey at the same time. Later you can add the encryption and signing
> subkeys. This can be useful if you want to mix-and-match algorithms and
> expiration dates.
> [...]

Implemented this suggestion.

> 4. Are there any known issues with your "air gapped" system being the
> same physical hardware as your everyday system even if you use a LiveCD?
> I don't know if there'd be the potential for hardware compromises.
> Depending on one's security needs, it might be useful to get a separate,
> isolated, never-connected-to-the-internet computer specifically for
> high-security needs. (See for some pointers.)

I added this:

> You can boot a Live DVD or an operating system installed on external media
> such as USB (recommendation: use full disk encryption). Using separate
> physical hardware is better than just booting another operating system,
> but still, using another operating system is better than nothing.

> 5. Smartcards are also useful, as you can generate keys on your isolated
> computer, back them up safely, then copy the keys to the smartcard. You
> can then use the smartcard on your everyday system without risk of
> exposing the private keys.

I added this suggestion as well.

From vedaal at nym.hush.com  Tue Nov 19 18:14:31 2013
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Tue, 19 Nov 2013 12:14:31 -0500
Subject: Unusual (unintended?) behavior upon decryption of a message
In-Reply-To:
Message-ID: <20131119171431.D38D7601CC@smtp.hushmail.com>

On Tuesday, November 19, 2013 at 3:51 AM, fuzzykitties at riseup.net wrote:
>
>Upon decryption of the attached message, the program requests a new
>passphrase.
>Then after any arbitrary string is entered (or nothing), decryption of the
>message fails. It does not matter if any private keys are held in gnupg
>(including the key of the intended recipient).
>
>Here is the message in question. How is this possible?

=====

As Peter answered, this is a message encrypted both to a Public Key and also
symmetrically to a passphrase only.

If, after gnupg asks for the message, any string other than the correct
passphrase is entered, then there will be an error message. (The interesting
part is that the error message changes with the string used as a
passphrase.)

Here is my recreation of this type of encrypted message, both to my public
key, and conventionally, to only a passphrase, using the following command:

V:\gnupg>gpg -a -c -e -r D35FB186 e:\de1.txt

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.15 (MingW32)
Comment: Acts of Kindness better the World, and protect the Soul

hQIMA1BvT6HTX7GGAQ//Wi164/mZry2Iwe87izC/lNKfaKswBHMuon5oBDoAa1lm
RkcA7Ohv4ahAW7DZh6ugsiNOZogmcNx02BTalAeGzt1INwvM1D3dXraC+wRHE/39
tgx7DsLDK8gbwtTja2iFhbWSsh/Bpxyt8+37wy6eS6NYiWRFsbi7unxbKkfNQtRg
WQufOhYcSY2SytW6xPxC0Va/CTSYI8++RHOWeZRLVW89irv48U60vZQOHx1xQ3JB
3Hq5PsJeMAmBXr/W6b7ivYWlExrxMdiF8AeuGsxOzarViAzYUYP/cd7M1HI4gpYK
DtQ4ZIT+x6BWQmibBIh5y2R0ZoGJLEHSsS6vMV5oXiB5w8wTMFUWj0HKFlb8nPgH
fGR7B2E6RPVJ8VFOhOhLkeOf7vJc4FtAQCUvEznViqhgrsJa+is7pcBmF2/ny78f
N9rYKHGQdDXyu4WOOz+gecdDq6H7SwFaqe0hGs0bDx/8FH4/9q4wHIr7K+rYvGOY
hGwetUgNdPTafkTdXCUoaPlGxG3tObfUc4UtP+v+FyHDfkJ9pwHits5PO4Pzr+kE
71ogzObe127cr2Tw2VJiyieAWHhTR59T2pXWIfbzmA1+e+yMHUdaV1XgyzQwBGlG
bbi5MsAcKdprN8SgeSTRB/1Vd9Rrr4iRkYoNuPTIUCEhf1o6xdOXpBJjL6JPX3uM
LgQKAwhNVbIC8B7iZ2CA8sUfrvT1/XNrk63FLcMeB+SENdrto5kqyeMUUj3xLKTS
RwHyCW71fhEfZoi6Qe/t0+OelLVRjsv5OmIrstTovMCFDpm7T8dFLbMgv2sMi48Y
7gEyEa0b3m1oOzXQIVAlU3Cn0TRicSMy
=AwHd
-----END PGP MESSAGE-----

(the passphrase is: sss)

Here is what gnupg does when I enter the wrong passphrase for my key, but
the correct one for the symmetrically encrypted part:

V:\gnupg>gpg --list-packets e:\det1.txt.asc
gpg: armor: BEGIN PGP MESSAGE
gpg: armor header: Version: GnuPG v1.4.15 (MingW32)
gpg: armor header: Comment: Acts of Kindness better the World, and protect the Soul
:pubkey enc packet: version 3, algo 1, keyid 506F4FA1D35FB186
        data: [4095 bits]
gpg: public key is D35FB186

You need a passphrase to unlock the secret key for
user: "vedaal nistar (previous addresses were spam flooded) "
4096-bit RSA key, ID D35FB186, created 2008-01-22

gpg: Invalid passphrase; please try again ...

You need a passphrase to unlock the secret key for
user: "vedaal nistar (previous addresses were spam flooded) "
4096-bit RSA key, ID D35FB186, created 2008-01-22

gpg: Invalid passphrase; please try again ...

You need a passphrase to unlock the secret key for
user: "vedaal nistar (previous addresses were spam flooded) "
4096-bit RSA key, ID D35FB186, created 2008-01-22

:symkey enc packet: version 4, cipher 10, s2k 3, hash 8, seskey 256 bits
        salt 4d55b202f01ee267, count 65536 (96)
gpg: TWOFISH encrypted session key
:encrypted data packet:
        length: 71
        mdc_method: 2
gpg: encrypted with 1 passphrase
gpg: encrypted with 4096-bit RSA key, ID D35FB186, created 2008-01-22
      "vedaal nistar (previous addresses were spam flooded) "
gpg: public key decryption failed: bad passphrase
:symkey enc packet: version 4, cipher 10, s2k 3, hash 8, seskey 256 bits
        salt 4d55b202f01ee267, count 65536 (96)
gpg: TWOFISH encrypted session key

Enter passphrase:

gpg: TWOFISH encrypted data
:compressed packet: algo=1
:literal data packet:
        mode b (62), created 1384876034, name="de1.txt",
        raw data: 11 bytes
gpg: decryption okay
gpg: session key: `10:549F3BBBA12DD79C0019854AED854964931A9C2349870785130B0E863FC4C3F0'

Now, here is what gnupg does when the 'incorrect' passphrase is given for
the symmetric part:

V:\gnupg>gpg e:\de1.txt.asc
gpg: armor: BEGIN PGP MESSAGE
gpg: armor header: Version: GnuPG v1.4.15 (MingW32)
gpg: armor header: Comment: Acts of Kindness better the World, and protect the Soul
:pubkey enc packet: version 3, algo 1, keyid 506F4FA1D35FB186
        data: [4095 bits]
gpg: public key is D35FB186

You need a passphrase to unlock the secret key for
user: "vedaal nistar (previous addresses were spam flooded) "
4096-bit RSA key, ID D35FB186, created 2008-01-22

gpg: Invalid passphrase; please try again ...

You need a passphrase to unlock the secret key for
user: "vedaal nistar (previous addresses were spam flooded) "
4096-bit RSA key, ID D35FB186, created 2008-01-22

gpg: Invalid passphrase; please try again ...

You need a passphrase to unlock the secret key for
user: "vedaal nistar (previous addresses were spam flooded) "
4096-bit RSA key, ID D35FB186, created 2008-01-22

:symkey enc packet: version 4, cipher 10, s2k 3, hash 8, seskey 256 bits
        salt 4d55b202f01ee267, count 65536 (96)
gpg: TWOFISH encrypted session key
:encrypted data packet:
        length: 71
        mdc_method: 2
gpg: encrypted with 1 passphrase
gpg: encrypted with 4096-bit RSA key, ID D35FB186, created 2008-01-22
      "vedaal nistar (previous addresses were spam flooded) "
:symkey enc packet: version 4, cipher 10, s2k 3, hash 8, seskey 256 bits
        salt 4d55b202f01ee267, count 65536 (96)
gpg: TWOFISH encrypted session key

Enter passphrase:

gpg: public key decryption failed: bad passphrase
gpg: encrypted with unknown algorithm 163
gpg: decryption failed: unknown cipher algorithm

(the passphrase used was: 12345)

Now here is the last part of the error message when a 'different incorrect'
passphrase (boo) is used:

gpg: public key decryption failed: bad passphrase
gpg: encrypted with unknown algorithm 231
gpg: decryption failed: unknown cipher algorithm

Why does gnupg give these types of error message, as opposed to simply
stating 'decryption failed: bad passphrase' ??
What kind of relationship is there between the number listed for the
'unknown algorithm' and the passphrase string that was given, and might this
be used in any way to try to attack gnupg by determining the length of the
passphrase or the correctness of any character in the string?

vedaal

From vedaal at nym.hush.com  Tue Nov 19 20:47:21 2013
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Tue, 19 Nov 2013 14:47:21 -0500
Subject: Unusual (unintended?) behavior upon decryption of a message // follow-up correction
In-Reply-To:
Message-ID: <20131119194721.BBDDD601CC@smtp.hushmail.com>

vedaal at nym.hush.com wrote on Tue Nov 19 18:14:31 CET 2013:

>gpg: public key decryption failed: bad passphrase
>gpg: encrypted with unknown algorithm 163
>gpg: decryption failed: unknown cipher algorithm

>(the passphrase used was: 12345)

>Now here is the last part of the error message when a 'different incorrect'
>passphrase (boo) is used:

>gpg: public key decryption failed: bad passphrase
>gpg: encrypted with unknown algorithm 231
>gpg: decryption failed: unknown cipher algorithm

The above happens 'only' on Windows (the box I used for testing was Windows 7
Pro) and even then, doesn't happen on Cygwin.

The error message on Ubuntu, or on Cygwin in Win 7, is just:

gpg: decryption failed: unknown cipher algorithm

This is still unusual, as gnupg already identified it as TWOFISH, not as an
unknown algorithm, so the expected error message would be:

decryption failed: bad passphrase

vedaal

From peter at digitalbrains.com  Tue Nov 19 21:01:56 2013
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 19 Nov 2013 21:01:56 +0100
Subject: Unusual (unintended?) behavior upon decryption of a message
In-Reply-To: <20131119171431.D38D7601CC@smtp.hushmail.com>
References: <20131119171431.D38D7601CC@smtp.hushmail.com>
Message-ID: <528BC3B4.3040705@digitalbrains.com>

On 19/11/13 18:14, vedaal at nym.hush.com wrote:
> Why does gnupg give these types of error message, as opposed to simply
> stating 'decryption failed: bad passphrase' ??
>
> What kind of relationship is there between the number listed for the
> 'unknown algorithm' and the passphrase string that was given

The passphrase is used to decrypt the concatenation of an octet specifying
what cipher was used for the symmetrically-encrypted data packet and the key
for that data packet. If you give the wrong passphrase, this comes out as
random rubbish, and that first octet specifying the cipher for the data is
rubbish as well. This is what GnuPG reports. There is no check if the
decryption was successful; it just results in garbage. After a few tens of
tries, I suppose you can actually hit the case where the algorithm
identifier is something usable, and GnuPG will probably try to decrypt the
data packet with the rubbish it got from the symmetrically encrypted session
key packet :).

> and might
> this be used in any way to try to attack gnupg by determining the length of
> the passphrase or the correctness of any character in the string ?

This line of reasoning is wrong. You are thinking of a system that knows the
passphrase, and through its error messages, leaks data about it. But GnuPG
knows as much as you. The security of the system is in the encrypted file,
not in the program you use to access that file[1]. If GnuPG gave error
messages that leaked data and this problem was fixed, you could simply write
your own program that gives leaky error messages to you and use that to
crack the key. Obviously it doesn't work that way.

HTH,

Peter.

[1] Actually, DRM borders on exactly this: it gives you everything, but then
tries to prevent your use of it.
Which is why it has been called Broken By Design.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt

From peter at digitalbrains.com  Tue Nov 19 21:05:06 2013
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 19 Nov 2013 21:05:06 +0100
Subject: Unusual (unintended?) behavior upon decryption of a message // follow-up correction
In-Reply-To: <20131119194721.BBDDD601CC@smtp.hushmail.com>
References: <20131119194721.BBDDD601CC@smtp.hushmail.com>
Message-ID: <528BC472.4030508@digitalbrains.com>

On 19/11/13 20:47, vedaal at nym.hush.com wrote:
> This is still unusual, as gnupg already identified it as TWOFISH, not as an
> unknown algorithm,

TWOFISH was used to encrypt the session key. What was used to encrypt the
data is still unknown, since that knowledge is encrypted. (With TWOFISH. Are
you still following? ;P)

There are potentially two symmetric ciphers at play, one to encrypt the
session key, and one to encrypt the data.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt

From johanw at vulcan.xs4all.nl  Tue Nov 19 21:06:18 2013
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Tue, 19 Nov 2013 21:06:18 +0100
Subject: article about Air Gapped OpenPGP Key
In-Reply-To: <528B0015.6030206@sixdemonbag.org>
References: <528A4C92.1090102@riseup.net>
	<15063313.vE5rGUbaWf@inno.berlin.laging.de>
	<528B0015.6030206@sixdemonbag.org>
Message-ID: <528BC4BA.6090100@vulcan.xs4all.nl>

On 19-11-2013 7:07, Robert J. Hansen wrote:
> Even then, scrubbing data is usually a sign you've misunderstood the
> problem you're trying to solve. If you're concerned about sensitive
> data lurking on your hard drive the solution isn't to scrub the drive,
> it's to use an encrypted filesystem.
That depends on your threat model. If you fear juridical problems (say, for
example, some encrypted mails have been intercepted by the police but they
can't decrypt them), destroying the key will prevent you from having to hand
it over. In some jurisdictions this may be seen as "contempt of court", and
even be punishable, but in most EU countries you're safe when you do this.

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From vedaal at nym.hush.com  Tue Nov 19 22:37:53 2013
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Tue, 19 Nov 2013 16:37:53 -0500
Subject: Unusual (unintended?) behavior upon decryption of a message
In-Reply-To: <528BC3B4.3040705@digitalbrains.com>
References: <20131119171431.D38D7601CC@smtp.hushmail.com>
	<528BC3B4.3040705@digitalbrains.com>
Message-ID: <20131119213754.2317B20363@smtp.hushmail.com>

On Tuesday, November 19, 2013 at 3:02 PM, "Peter Lebbing" wrote:
>
>On 19/11/13 18:14, vedaal at nym.hush.com wrote:
>> Why does gnupg give these types of error message, as opposed to simply
>> stating 'decryption failed: bad passphrase' ??
>>
>> What kind of relationship is there between the number listed for the
>> 'unknown algorithm' and the passphrase string that was given
>
>The passphrase is used to decrypt the concatenation of an octet specifying
>what cipher was used for the symmetrically-encrypted data packet and the key
>for that data packet. If you give the wrong passphrase, this comes out as
>random rubbish, and that first octet specifying the cipher for the data is
>rubbish as well. This is what GnuPG reports. There is no check if the
>decryption was successful; it just results in garbage. After a few tens of
>tries, I suppose you can actually hit the case where the algorithm
>identifier is something usable, and GnuPG will probably try to decrypt the
>data packet with the rubbish it got from the symmetrically encrypted session
>key packet :).
>There are potentially two symmetric ciphers at play, one to encrypt the
>session key, and one to encrypt the data.

=====

But this isn't the way hybrid gnupg messages work.

If a message is encrypted to two different keys, gnupg will use the same
symmetric algorithm to encrypt the session key to the public key, and also
the plaintext to the ciphertext.

If the message is encrypted to one public key, and also encrypted
symmetrically instead of to a second public key, then the symmetric
algorithm used by gnupg is the same for the encryption of the session key to
the public key, as well as the session key to the symmetrically encrypted
part, as well as the encryption of the plaintext.

Gnupg does not use one symmetric algorithm to encrypt the session key, and
then another to encrypt the message. The user can choose 'which' symmetric
algorithm to use, but it will be the same for both.

The symmetric algorithm is known, and is discoverable from gpg
--list-packets or from pgpdump.

My question is, is there oracle behavior on gnupg's part which will allow an
attack on the string-to-key part of the symmetric encryption?

If an attacker knows which symmetric algorithm was used, then concentrating
on the first few characters of the passphrase, and trying variations of
those, until gnupg identifies the correct algorithm, then gnupg may 'leak'
the first few characters of the passphrase when the correct algorithm is
identified, even if the message is not yet decrypted.

From peter at digitalbrains.com  Tue Nov 19 22:54:10 2013
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 19 Nov 2013 22:54:10 +0100
Subject: Unusual (unintended?) behavior upon decryption of a message
In-Reply-To: <20131119213754.2317B20363@smtp.hushmail.com>
References: <20131119171431.D38D7601CC@smtp.hushmail.com>
	<528BC3B4.3040705@digitalbrains.com>
	<20131119213754.2317B20363@smtp.hushmail.com>
Message-ID: <528BDE02.8020507@digitalbrains.com>

On 19/11/13 22:37, vedaal at nym.hush.com wrote:
> But this isn't the way hybrid gnupg messages work.
>
> Gnupg does not use one symmetric algorithm to encrypt the session key, and
> then another to encrypt the message. The user can choose 'which' symmetric
> algorithm to use, but it will be the same for both.

I only did a quick check of RFC 4880, and that (section 5.3) clearly states
there is an octet for the symmetric algo used inside the encrypted part:

> The decryption result consists of a one-octet algorithm identifier that
> specifies the symmetric-key encryption algorithm used to encrypt the
> following Symmetrically Encrypted Data packet, followed by the session key
> octets themselves.

So even if GnuPG always picks the same algo for both, the format of an
OpenPGP message still separately specifies the algo for the data.

> My question is, is there oracle behavior on gnupg's part which will allow an
> attack on the string-to-key part of the symmetric encryption?
>
> If an attacker knows which symmetric algorithm was used, then concentrating
> on the first few characters of the passphrase, and trying variations of
> those, until gnupg identifies the correct algorithm, then gnupg may 'leak'
> the first few characters of the passphrase when the correct algorithm is
> identified, even if the message is not yet decrypted.

How is this different from just writing your own implementation for
decrypting the symmetrically-encrypted session key packet? Why would you
abuse the GnuPG binary for this? The GnuPG binary doesn't provide the
security, the encryption on the file does that.
Furthermore, since the password is iteratively hashed with a salt, I don't
think it would be possible to leak anything about the first few characters
of the password. A hash evenly spreads all characters over the key (I'm
oversimplifying a bit here). You just know the first octet of the plaintext
of the symmetrically encrypted session key packet; the rest is utterly
random. This is even a better situation than with "Monthly results.doc.gpg"
where you probably know a lot of the header of a Microsoft Word document; it
would be a lot easier to immediately attack the symmetrically-encrypted data
than to first attack the session key packet and then try that on the data.
When I say a lot easier, I still mean utterly impossible, though ;).

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From vedaal at nym.hush.com  Tue Nov 19 23:08:05 2013
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Tue, 19 Nov 2013 17:08:05 -0500
Subject: Unusual (unintended?) behavior upon decryption of a message // follow-up correction
In-Reply-To: <528BC3B4.3040705@digitalbrains.com>
References: <20131119171431.D38D7601CC@smtp.hushmail.com>
	<528BC3B4.3040705@digitalbrains.com>
Message-ID: <20131119220805.97FBF20362@smtp.hushmail.com>

>If the message is encrypted to one public key, and also encrypted
>symmetrically instead of to a second public key, then the symmetric
>algorithm used by gnupg is the same for the encryption of the session key
>to the public key, as well as the session key to the symmetrically
>encrypted part, as well as the encryption of the plaintext.
Sorry, was not writing clearly ;-((

Meant to say that the session key together with the prefix denoting which
symmetric algorithm was used to encrypt the plaintext, is encrypted to the
public key (using either RSA, DH, (or, hopefully soon, ECC)), and also as a
symmetrically encrypted packet containing the session key and identifying
algorithm prefix, and then the symmetrically encrypted plaintext packet.

These two latter symmetrically encrypted packets, while they could
'theoretically' be using two different symmetric algorithms, in fact use the
same one, and that is the one identified as the algorithm used to encrypt
the plaintext.

Here is the PGPdump result for the ciphertext I originally posted:

PGPdump Results

Old: Public-Key Encrypted Session Key Packet(tag 1)(524 bytes)
        New version(3)
        Key ID - 0x506F4FA1D35FB186
        Pub alg - RSA Encrypt or Sign(pub 1)
        RSA m^e mod n(4095 bits) -
                5a 2d 7a e3 f9 99 af 2d 88 c1 ef 3b 8b 30 bf 94
                d2 9f 68 ab 30 04 73 2e a2 7e 68 04 3a 00 6b 59
                66 46 47 00 ec e8 6f e1 a8 40 5b b0 d9 87 ab a0
                b2 23 4e 66 88 26 70 dc 74 d8 14 da 94 07 86 ce
                dd 48 37 0b cc d4 3d dd 5e b6 82 fb 04 47 13 fd
                fd b6 0c 7b 0e c2 c3 2b c8 1b c2 d4 e3 6b 68 85
                85 b5 92 b2 1f c1 a7 1c ad f3 ed fb c3 2e 9e 4b
                a3 58 89 64 45 b1 b8 bb ba 7c 5b 2a 47 cd 42 d4
                60 59 0b 9f 3a 16 1c 49 8d 92 ca d5 ba c4 fc 42
                d1 56 bf 09 34 98 23 cf be 44 73 96 79 94 4b 55
                6f 3d 8a bb f8 f1 4e b4 bd 94 0e 1f 1d 71 43 72
                41 dc 7a b9 3e c2 5e 30 09 81 5e bf d6 e9 be e2
                bd 85 a5 13 1a f1 31 d8 85 f0 07 ae 1a cc 4e cd
                aa d5 88 0c d8 51 83 ff 71 de cc d4 72 38 82 96
                0a 0e d4 38 64 84 fe c7 a0 56 42 68 9b 04 88 79
                cb 64 74 66 81 89 2c 41 d2 b1 2e af 31 5e 68 5e
                20 79 c3 cc 13 30 55 16 8f 41 ca 16 56 fc 9c f8
                07 7c 64 7b 07 61 3a 44 f5 49 f1 51 4e 84 e8 4b
                91 e3 9f ee f2 5c e0 5b 40 40 25 2f 13 39 d5 8a
                a8 60 ae c2 5a fa 2b 3b a5 c0 66 17 6f e7 cb bf
                1f 37 da d8 28 71 90 74 35 f2 bb 85 8e 3b 3f a0
                79 c7 43 ab a1 fb 4b 01 5a a9 ed 21 1a cd 1b 0f
                1f fc 14 7e 3f f6 ae 30 1c 8a fb 2b ea d8 bc 63
                98 84 6c 1e b5 48 0d 74 f4 da 7e 44 dd 5c 25 28
                68 f9 46 c4 6d ed 39 b7 d4 73 85 2d 3f eb fe 17
                21 c3 7e 42 7d a7 01 e2 b6 ce 4f 3b 83 f3 af e9
                04 ef 5a 20 cc e6 de d7 6e dc af 64 f0 d9 52 62
                ca 27 80 58 78 53 47 9f 53 da 95 d6 21 f6 f3 98
                0d 7e 7b ec 8c 1d 47 5a 57 55 e0 cb 34 30 04 69
                46 6d b8 b9 32 c0 1c 29 da 6b 37 c4 a0 79 24 d1
                07 fd 55 77 d4 6b af 88 91 91 8a 0d b8 f4 c8 50
                21 21 7f 5a 3a c5 d3 97 a4 12 63 2f a2 4f 5f 7b
                -> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1 block type 02
Old: Symmetric-Key Encrypted Session Key Packet(tag 3)(46 bytes)
        New version(4)
        Sym alg - Twofish with 256-bit key(sym 10)
        Iterated and salted string-to-key(s2k 3):
                Hash alg - SHA256(hash 8)
                Salt - 4d 55 b2 02 f0 1e e2 67
                Count - 65536(coded count 96)
        Encrypted session key
                -> sym alg(1 bytes) + session key
New: Symmetrically Encrypted and MDC Packet(tag 18)(71 bytes)
        Ver 1
        Encrypted data [sym alg is specified in sym-key encrypted session key]
                (plain text + MDC SHA1(20 bytes))

vedaal

From ekleog at gmail.com  Tue Nov 19 23:19:29 2013
From: ekleog at gmail.com (Leo Gaspard)
Date: Tue, 19 Nov 2013 23:19:29 +0100
Subject: article about Air Gapped OpenPGP Key
In-Reply-To: <528BC4BA.6090100@vulcan.xs4all.nl>
References: <528A4C92.1090102@riseup.net>
	<15063313.vE5rGUbaWf@inno.berlin.laging.de>
	<528B0015.6030206@sixdemonbag.org>
	<528BC4BA.6090100@vulcan.xs4all.nl>
Message-ID: <20131119221929.GA13328@leortable>

On Tue, Nov 19, 2013 at 09:06:18PM +0100, Johan Wevers wrote:
> On 19-11-2013 7:07, Robert J. Hansen wrote:
> > Even then, scrubbing data is usually a sign you've misunderstood the
> > problem you're trying to solve. If you're concerned about sensitive
> > data lurking on your hard drive the solution isn't to scrub the drive,
> > it's to use an encrypted filesystem.
>
> That depends on your threat model.
> If you fear juridical problems (say,
> for example, some encrypted mails have been intercepted by the police
> but they can't decrypt them), destroying the key will prevent you from
> having to hand it over. In some jurisdictions this may be seen as
> "contempt of court", and even be punishable, but in most EU countries
> you're safe when you do this.

Especially knowing in most EU countries judges are not allowed to force you
to hand over your secret key, only to decrypt specific messages for them.
(Don't remember where I read that.)

From rjh at sixdemonbag.org  Tue Nov 19 23:50:20 2013
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 19 Nov 2013 14:50:20 -0800
Subject: article about Air Gapped OpenPGP Key
In-Reply-To: <20131119221929.GA13328@leortable>
References: <528A4C92.1090102@riseup.net>
	<15063313.vE5rGUbaWf@inno.berlin.laging.de>
	<528B0015.6030206@sixdemonbag.org>
	<528BC4BA.6090100@vulcan.xs4all.nl>
	<20131119221929.GA13328@leortable>
Message-ID: <20131119145020.Horde.9ZF7dnHY104sjN85X379qA8@mail.sixdemonbag.org>

>> That depends on your threat model. If you fear juridical problems (say,
>> for example, some encrypted mails have been intercepted by the police
>> but they can't decrypt them), destroying the key will prevent you from
>> having to hand it over. In some jurisdictions this may be seen as
>> "contempt of court", and even be punishable, but in most EU countries
>> you're safe when you do this.
>
> Especially knowing in most EU countries judges are not allowed to
> force you to
> hand over your secret key, only to decrypt specific messages for them. (Don't
> remember where I read that.)

Most encrypted drive software doesn't actually work the way people seem to
think they work. The drive is encrypted with a random nonce. This nonce is
written to disk in an encrypted format. When you enter a passphrase to
unlock the drive, the encrypted random nonce is read in and decrypted using
the passphrase.
The newly-recovered random nonce is then used to do all further crypto operations. To put the data forever beyond recovery, you generate a new nonce, encrypt it with the same passphrase, and write it over the old nonce. If someone demands your cryptographic key you can honestly and genuinely give it up without any fear of your old data being compromised. The investigator will be able to verify that you've complied with the court's order, and the investigator will also be able to verify that you never knew the original nonce. "This drive was originally encrypted with a random nonce which the defendant never knew. The defendant cannot be compelled to produce information the defendant never possessed. This random nonce is irretrievably gone. The defendant *can* be compelled to produce the key used to encrypt that random nonce, and the defendant seems to have complied with that order -- but the random nonce itself is gone, and with it, any hope of recovering the data on the encrypted drive." I cannot think of a single use case for scrubbing plaintext storage devices. In every use case I can come up with, the user would be better served by using an encrypted storage device. That doesn't mean no such use case exists, mind you -- just that I can't think of one. From chd at chud.net Wed Nov 20 00:03:19 2013 From: chd at chud.net (Chris De Young) Date: Tue, 19 Nov 2013 16:03:19 -0700 Subject: article about Air Gapped OpenPGP Key In-Reply-To: <20131119145020.Horde.9ZF7dnHY104sjN85X379qA8@mail.sixdemonbag.org> References: <528A4C92.1090102@riseup.net> <15063313.vE5rGUbaWf@inno.berlin.laging.de> <528B0015.6030206@sixdemonbag.org> <528BC4BA.6090100@vulcan.xs4all.nl> <20131119221929.GA13328@leortable> <20131119145020.Horde.9ZF7dnHY104sjN85X379qA8@mail.sixdemonbag.org> Message-ID: <528BEE37.6070709@chud.net> On 11/19/2013 3:50 PM, Robert J. Hansen wrote: [...] > then used to do all further crypto operations. 
> To put the data forever
> beyond recovery, you generate a new nonce, encrypt it with the same
> passphrase, and write it over the old nonce. If someone demands your
> cryptographic key you can honestly and genuinely give it up without any
> fear of your old data being compromised. The investigator will be able
> to verify that you've complied with the court's order, and the
> investigator will also be able to verify that you never knew the
> original nonce.

I'd be surprised if this gets you very far in a US court. Technical details aside, what the court will likely see is that you deliberately took action intended to put the data beyond the reach of the court in order to avoid whatever legal ramifications that access might have. The results of that will probably not be very good (US judges have quite broad powers when it comes to contempt of court).

-C

From ekleog at gmail.com  Wed Nov 20 01:21:55 2013
From: ekleog at gmail.com (Leo Gaspard)
Date: Wed, 20 Nov 2013 01:21:55 +0100
Subject: article about Air Gapped OpenPGP Key
In-Reply-To: <20131119145020.Horde.9ZF7dnHY104sjN85X379qA8@mail.sixdemonbag.org>
References: <528A4C92.1090102@riseup.net> <15063313.vE5rGUbaWf@inno.berlin.laging.de> <528B0015.6030206@sixdemonbag.org> <528BC4BA.6090100@vulcan.xs4all.nl> <20131119221929.GA13328@leortable> <20131119145020.Horde.9ZF7dnHY104sjN85X379qA8@mail.sixdemonbag.org>
Message-ID: <20131120002155.GB13328@leortable>

On Tue, Nov 19, 2013 at 02:50:20PM -0800, Robert J. Hansen wrote:
> >>That depends on your threat model. If you fear juridical problems (say,
> >>for example, some encrypted mails have been intercepted by the police
> >>but they can't decrypt them), destroying the key will prevent you from
> >>having to hand it over. In some jurisdictions this may be seen as
> >>"contempt of court", and even be punishable, but in most EU countries
> >>you're safe when you do this.
> >
> >Especially knowing in most EU countries judges are not allowed to force
> >you to
> >hand over your secret key, only to decrypt specific messages for them. (Don't
> >remember where I read that.)
>
> Most encrypted drive software doesn't actually work the way people seem to
> think they work. The drive is encrypted with a random nonce.
> [...]

Actually, I answered the "encrypted mails" part. Thanks anyway.

> I cannot think of a single use case for scrubbing plaintext storage devices.
> In every use case I can come up with, the user would be better served by
> using an encrypted storage device. That doesn't mean no such use case
> exists, mind you -- just that I can't think of one.

Well... I can see one: the user used a plaintext storage device without thinking about it, and then understands he needs an encrypted device and scrubs his hard drive when the encrypted drive is set up with the necessary information.

Another one would be (paranoid) fear about the long long term: who knows some three-letter agency would not steal your computer, and store its hard drive content until decryption is available (say, 10 years from now, being quite optimistic?). So scrubbing the already-encrypted data would help ensure data is never recovered.

Maybe scrubbing a specific file, without need to reset files on full blocks, block-based encryption being AFAICT the most frequent way of encrypting complete hard drives.

That's all I can figure out.

Cheers,
Leo

From rjh at sixdemonbag.org  Wed Nov 20 01:31:02 2013
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 19 Nov 2013 19:31:02 -0500
Subject: article about Air Gapped OpenPGP Key
In-Reply-To: <528BEE37.6070709@chud.net>
References: <528A4C92.1090102@riseup.net> <15063313.vE5rGUbaWf@inno.berlin.laging.de> <528B0015.6030206@sixdemonbag.org> <528BC4BA.6090100@vulcan.xs4all.nl> <20131119221929.GA13328@leortable> <20131119145020.Horde.9ZF7dnHY104sjN85X379qA8@mail.sixdemonbag.org> <528BEE37.6070709@chud.net>
Message-ID: <528C02C6.9010008@sixdemonbag.org>

On 11/19/2013 6:03 PM, Chris De Young wrote:
> I'd be surprised if this gets you very far in a US court.

Depends on when you did it and why. Many businesses have document retention policies (crafted with the assistance of counsel) that specify old documents are to be put beyond recovery, and scrapping a crypto key is generally seen as more cost-effective than shipping the drive off to be shredded. IronMountain charges $X per drive, but wiping a crypto key is effectively free.

If you do this in response to an investigation then yes, you're likely going to make the judge very unhappy. If you do this as part of normal business practices that were devised with the assistance of counsel, you're likely to fare much better.

From Josef.Bauer at web.de  Wed Nov 20 19:21:47 2013
From: Josef.Bauer at web.de (Josef G. Bauer)
Date: Wed, 20 Nov 2013 19:21:47 +0100
Subject: Theoretical and maybe stupid questions about security
Message-ID: <528CFDBB.9080701@web.de>

Hi,

I wonder how easily my private key(s) ('secring.gpg') can be cracked once somebody gets access to it.

Q: Is the number of 2.8 billion password tries per day from the FAQs up-to-date?

Q: Is the password stored as a hash and can it be cracked using Rainbow Tables? Is it maybe salted?

Greetings

Josef

From dshaw at jabberwocky.com  Wed Nov 20 21:37:53 2013
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 20 Nov 2013 15:37:53 -0500
Subject: Theoretical and maybe stupid questions about security
In-Reply-To: <528CFDBB.9080701@web.de>
References: <528CFDBB.9080701@web.de>
Message-ID: <45CB7BAD-8D99-4961-A622-62CD62AB856C@jabberwocky.com>

On Nov 20, 2013, at 1:21 PM, Josef G. Bauer wrote:

> Hi,
>
> I wonder how easily my private key(s) ('secring.gpg') can be cracked
> once somebody gets access to it.

Not at all easily, *if* you have a good passphrase on your private key(s).

> Q: Is the password stored as a hash and can it be cracked using Rainbow
> Tables? Is it maybe salted?

In OpenPGP, an S2K (string-to-key) algorithm is used, where the passphrase entered by the user is hashed multiple times (with added salt) to transform it into the key used to decrypt the secret key.

David

From rjh at sixdemonbag.org  Wed Nov 20 22:55:18 2013
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 20 Nov 2013 13:55:18 -0800
Subject: Theoretical and maybe stupid questions about security
In-Reply-To: <528CFDBB.9080701@web.de>
References: <528CFDBB.9080701@web.de>
Message-ID: <20131120135518.Horde.YTViSe3pdna2I9VznD1Lqw1@mail.sixdemonbag.org>

> I wonder how easily my private key(s) ('secring.gpg') can be cracked
> once somebody gets access to it.

No one with two brain cells to rub together will try brute-forcing a strong passphrase. No one. Assuming your passphrase is strong you could publish your secret key in the _New York Times_ and still be completely confident in the security of your communications.

> Q: Is the password stored as a hash and can it be cracked using Rainbow
> Tables? Is it maybe salted?

The passphrase isn't stored as a hash, so much as the passphrase is hashed (many, many times -- with salt) and the output is used to attempt to decrypt the secret key. The passphrase is never stored, though, either in plaintext or in hashed form.
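Added example, not code from the list or from GnuPG: the iterated-and-salted S2K that David Shaw and Robert Hansen describe, implemented from RFC 4880 section 3.7.1.3, with the coded-count expansion applied to the fields in vedaal's packet dump earlier in this digest (SHA256, salt 4d 55 b2 02 f0 1e e2 67, coded count 96, a 32-octet Twofish key). The function names and the passphrase are assumptions; only the S2K fields come from the dump.

```python
"""OpenPGP iterated-and-salted S2K (RFC 4880 section 3.7.1.3)."""
import hashlib

# RFC 4880 section 9.4 hash algorithm ids; only the ones this example needs.
HASH_ALGOS = {2: "sha1", 8: "sha256", 9: "sha384", 10: "sha512"}
S2K_ITERATED_SALTED = 3  # specifier type octet for "iterated and salted"


def decode_count(coded: int) -> int:
    """Expand the one-octet coded count into the number of octets hashed.

    RFC 4880's formula; coded 96 (0x60) is the 65536 shown in the dump.
    """
    if not 0 <= coded <= 255:
        raise ValueError("coded count must be a single octet")
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def encode_count(count: int) -> int:
    """Smallest coded octet whose expansion is at least `count`.

    Only 256 distinct counts are encodable, so a requested count (what an
    --s2k-count style option asks for) is rounded up to the next one.
    """
    for coded in range(256):
        if decode_count(coded) >= count:
            return coded
    raise ValueError("count exceeds the largest encodable value, 65011712")


def parse_s2k_specifier(spec: bytes) -> dict:
    """Split an 11-octet type-3 S2K specifier into its fields."""
    if len(spec) != 11 or spec[0] != S2K_ITERATED_SALTED:
        raise ValueError("expected an 11-octet iterated+salted specifier")
    if spec[1] not in HASH_ALGOS:
        raise ValueError("unsupported hash algorithm id %d" % spec[1])
    return {"hash_algo": spec[1], "salt": spec[2:10],
            "coded_count": spec[10], "count": decode_count(spec[10])}


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        hash_algo: int, key_len: int) -> bytes:
    """Derive key_len octets from a passphrase the way RFC 4880 specifies.

    salt + passphrase is fed through the hash over and over until `count`
    octets have been hashed (never less than one full copy). A key longer
    than one digest uses extra hash contexts pre-loaded with 1, 2, ... zero
    octets; the digests are concatenated and truncated to key_len.
    """
    if len(salt) != 8:
        raise ValueError("the S2K salt is exactly 8 octets")
    name = HASH_ALGOS[hash_algo]
    data = salt + passphrase
    count = max(decode_count(coded_count), len(data))
    digest_len = hashlib.new(name).digest_size
    contexts = -(-key_len // digest_len)  # ceiling division
    out = b""
    for i in range(contexts):
        h = hashlib.new(name)
        h.update(b"\x00" * i)  # context i starts with i zero octets
        full, rem = divmod(count, len(data))
        for _ in range(full):
            h.update(data)
        h.update(data[:rem])
        out += h.digest()
    return out[:key_len]


def derive_from_specifier(passphrase: bytes, spec: bytes, key_len: int) -> bytes:
    """Parse the specifier, then run the S2K it describes."""
    f = parse_s2k_specifier(spec)
    return s2k_iterated_salted(passphrase, f["salt"], f["coded_count"],
                               f["hash_algo"], key_len)


# Specifier rebuilt from the fields in vedaal's dump: s2k 3, hash 8 (SHA256),
# salt 4d 55 b2 02 f0 1e e2 67, coded count 96. Twofish-256 takes a 32-octet key.
DUMP_SPECIFIER = (bytes([S2K_ITERATED_SALTED, 8])
                  + bytes.fromhex("4d55b202f01ee267") + bytes([96]))
TWOFISH256_KEY_LEN = 32

if __name__ == "__main__":
    fields = parse_s2k_specifier(DUMP_SPECIFIER)
    print("hash:", HASH_ALGOS[fields["hash_algo"]], "salt:", fields["salt"].hex(),
          "octets hashed per guess:", fields["count"])
    passphrase = b"correct horse battery staple"  # constructed, not from the list
    key = derive_from_specifier(passphrase, DUMP_SPECIFIER, TWOFISH256_KEY_LEN)
    print("derived Twofish key:", key.hex())
    # Same passphrase under a different salt gives an unrelated key, which is
    # why a precomputed table of hashed passphrases does not apply here.
    other = s2k_iterated_salted(passphrase, bytes(8), 96, 8, TWOFISH256_KEY_LEN)
    print("salt changes the key:", key != other)
```

The per-guess cost an attacker faces is exactly `count` octets through the hash, so the coded count is the knob a key owner turns (alongside passphrase strength) to make the brute force Josef asks about slower.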
From johanw at vulcan.xs4all.nl  Wed Nov 20 23:33:39 2013
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Wed, 20 Nov 2013 23:33:39 +0100
Subject: Setting encryption algorithm for specific key
In-Reply-To: <528B0015.6030206@sixdemonbag.org>
References: <528A4C92.1090102@riseup.net> <15063313.vE5rGUbaWf@inno.berlin.laging.de> <528B0015.6030206@sixdemonbag.org>
Message-ID: <528D38C3.2030802@vulcan.xs4all.nl>

Hello,

I communicate with someone whose key tells me it supports IDEA, and since that's my preferred algorithm my gpg uses it to encrypt the message. However, her setup does not in fact support it (any more, it used to do in the past). Re-signing the key is no option, this is as computer-literate as she'll get.

I have now hardcoded cipher-algo in gpg.conf but is there an option I can select a specific cipher-algo for a particular key or recipient?

--
ir. J.C.A. Wevers         PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From dshaw at jabberwocky.com  Wed Nov 20 23:58:53 2013
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 20 Nov 2013 17:58:53 -0500
Subject: Setting encryption algorithm for specific key
In-Reply-To: <528D38C3.2030802@vulcan.xs4all.nl>
References: <528A4C92.1090102@riseup.net> <15063313.vE5rGUbaWf@inno.berlin.laging.de> <528B0015.6030206@sixdemonbag.org> <528D38C3.2030802@vulcan.xs4all.nl>
Message-ID: <454D9AF4-76AB-4BF5-980A-05E729F342EB@jabberwocky.com>

On Nov 20, 2013, at 5:33 PM, Johan Wevers wrote:

> Hello,
>
> I communicate with someone whose key tells me it supports IDEA, and
> since that's my preferred algorithm my gpg uses it to encrypt the
> message. However, her setup does not in fact support it (any more, it
> used to do in the past). Re-signing the key is no option, this is as
> computer-literate as she'll get.
>
> I have now hardcoded cipher-algo in gpg.conf but is there an option I
> can select a specific cipher-algo for a particular key or recipient?

Not really. This is one of the limitations of the preference algorithm in OpenPGP (well, a limitation of most algorithms): GIGO. There is no easy workaround for a key falsely claiming support for a particular algorithm.

If you really can't get her to change her key, probably the best you can do is use personal-cipher-prefs to remove IDEA from the list of algorithms you'll consider. That's a good bit better than hardcoding a particular algorithm, but is still global rather than per key or recipient.

There is an ugly hack you could use, which would be to create a dummy key, and set the preferences to not include IDEA. Then make a group alias for her name that includes both her real key, and the dummy key. Thus, when encrypting to the alias, you'll be encrypting to both her and the dummy. Since the dummy doesn't allow IDEA, IDEA cannot be chosen overall. That's per recipient, but pretty messy.

David

From dougb at dougbarton.us  Thu Nov 21 07:01:58 2013
From: dougb at dougbarton.us (Doug Barton)
Date: Wed, 20 Nov 2013 22:01:58 -0800
Subject: Setting encryption algorithm for specific key
In-Reply-To: <528D38C3.2030802@vulcan.xs4all.nl>
References: <528A4C92.1090102@riseup.net> <15063313.vE5rGUbaWf@inno.berlin.laging.de> <528B0015.6030206@sixdemonbag.org> <528D38C3.2030802@vulcan.xs4all.nl>
Message-ID: <528DA1D6.2050702@dougbarton.us>

Please don't reply to a message off the list and change the subject line because it causes your new topic to show under the previous one for those using mail readers that thread properly, and may cause your message to be missed altogether if someone has blocked that thread.

Instead, save the list address and start a completely new message.

hope this helps,

Doug

From eye.of.the.8eholder at gmail.com  Thu Nov 21 17:17:52 2013
From: eye.of.the.8eholder at gmail.com (Khelben Blackstaff)
Date: Thu, 21 Nov 2013 18:17:52 +0200
Subject: Removing Policy URLs
Message-ID: <20131121181752.7870ff5c@tardis.info>

Greetings.

I would like to know how I can remove a policy URL from a (sub)key (it isn't stored on a key server). There is probably a very easy way to do it but I could not find it in the manpage or the mailing list archive.

I use set-policy-url in gpg.conf and it works fine but I forgot it when I generated a new authentication key and it got the policy URL. I tried "set-policy-url none" together with an expiry date change so that the signature is modified but the policy wasn't touched. I tried "key 3" and delsig but delsig needs a uid and not a subkey.

How can I delete the policy URL (or the whole signature and recreate it) from a subkey?

Thank you for your time.

From expires2013 at ymail.com  Fri Nov 22 01:14:01 2013
From: expires2013 at ymail.com (MFPA)
Date: Fri, 22 Nov 2013 00:14:01 +0000
Subject: article about Air Gapped OpenPGP Key
In-Reply-To: <528BC4BA.6090100@vulcan.xs4all.nl>
References: <528A4C92.1090102@riseup.net> <15063313.vE5rGUbaWf@inno.berlin.laging.de> <528B0015.6030206@sixdemonbag.org> <528BC4BA.6090100@vulcan.xs4all.nl>
Message-ID: <1287755226.20131122001401@my_localhost>

Hi

On Tuesday 19 November 2013 at 8:06:18 PM, in , Johan Wevers wrote:

> destroying the key will prevent
> you from having to hand it over. In some jurisdictions
> this may be seen as "contempt of court"

Logically, wouldn't you have to destroy it after being ordered to hand it over to be in contempt of court?

--
Best regards

MFPA                    mailto:expires2013 at ymail.com

A nod is as good as a wink to a blind bat!

From rjh at sixdemonbag.org  Fri Nov 22 02:20:10 2013
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 21 Nov 2013 20:20:10 -0500
Subject: article about Air Gapped OpenPGP Key
In-Reply-To: <1287755226.20131122001401@my_localhost>
References: <528A4C92.1090102@riseup.net> <15063313.vE5rGUbaWf@inno.berlin.laging.de> <528B0015.6030206@sixdemonbag.org> <528BC4BA.6090100@vulcan.xs4all.nl> <1287755226.20131122001401@my_localhost>
Message-ID: <528EB14A.1070502@sixdemonbag.org>

On 11/21/2013 7:14 PM, MFPA wrote:
> Logically, wouldn't you have to destroy it after being ordered to hand
> it over to be in contempt of court?

Depends on the meaning of "contempt of court" in your jurisdiction and what your local rules are with respect to document discovery.

We're getting pretty far afield of email crypto. Let's try and bring it back on topic. :)

From free10pro at gmail.com  Sat Nov 23 04:09:14 2013
From: free10pro at gmail.com (Paul R. Ramer)
Date: Fri, 22 Nov 2013 19:09:14 -0800
Subject: article about Air Gapped OpenPGP Key
In-Reply-To: <528B508A.3080902@riseup.net>
References: <528A4C92.1090102@riseup.net> <528A6E6A.1060803@heypete.com> <528B508A.3080902@riseup.net>
Message-ID:

adrelanos wrote:
>When one uses a Live system for its air gapped OpenPGP key, one would
>have to constantly remember re-creating this that gpg.conf. (Gone after
>reboot.)

Not necessarily. You can plug in a USB drive with your custom gpg.conf file on it, for example. A more elegant solution would be to modify your Live CD (or whatever you use) to have a gpg.conf file in your gpg home directory.
You can search the web on how to make a custom Live CD.

>> I'd like to call your attention to the "cert-digest-algo SHA256" line
>--
>> this means that your primary key will make stronger signatures on
>other
>> keys (e.g. your subkeys and other people's public keys). This is
>> probably a Good Thing.
>
>This is important. Can this be set without using gpg.conf?

You can run gpg by specifying this as an option on the command line, e.g. gpg --cert-digest-algo sha256. Any command line option that you can pass to gpg when you run it can be put into your gpg.conf file.

But if your thinking is, "How can I have this set permanently without using gpg.conf?"--you can't. gpg.conf is the configuration file for gpg.

Cheers,

--Paul
--
PGP: 3DB6D884

From free10pro at gmail.com  Sat Nov 23 04:24:23 2013
From: free10pro at gmail.com (Paul R. Ramer)
Date: Fri, 22 Nov 2013 19:24:23 -0800
Subject: Setting encryption algorithm for specific key
In-Reply-To: <528D38C3.2030802@vulcan.xs4all.nl>
References: <528A4C92.1090102@riseup.net> <15063313.vE5rGUbaWf@inno.berlin.laging.de> <528B0015.6030206@sixdemonbag.org> <528D38C3.2030802@vulcan.xs4all.nl>
Message-ID: <7275a44a-94b1-4f82-add8-c9ec79c302a8@email.android.com>

Johan Wevers
>I communicate with someone whose key tells me it supports IDEA, and
>since that's my preferred algorithm my gpg uses it to encrypt the
>message. However, her setup does not in fact support it (any more, it
>used to do in the past). Re-signing the key is no option, this is as
>computer-literate as she'll get.
>
>I have now hardcoded cipher-algo in gpg.conf but is there an option I
>can select a specific cipher-algo for a particular key or recipient?

If you have the skills such as Bash scripting, Perl, etc., you could create a wrapper for gpg that could make gpg select an algorithm other than IDEA, or a specific one, when specifying this particular recipient with her problematic key.

Cheers,

--Paul
--
PGP: 3DB6D884

From adrelanos at riseup.net  Sat Nov 23 15:53:51 2013
From: adrelanos at riseup.net (adrelanos)
Date: Sat, 23 Nov 2013 14:53:51 +0000
Subject: article about Air Gapped OpenPGP Key
In-Reply-To:
References: <528A4C92.1090102@riseup.net> <528A6E6A.1060803@heypete.com> <528B508A.3080902@riseup.net>
Message-ID: <5290C17F.3080605@riseup.net>

Paul R. Ramer:
> adrelanos wrote:
>> When one uses a Live system for its air gapped OpenPGP key, one
>> would have to constantly remember re-creating this that gpg.conf.
>> (Gone after reboot.)
>
> Not necessarily. You can plug in a USB drive with your custom
> gpg.conf file on it, for example.
> A more elegant solution would be
> to modify your Live CD (or whatever you use) to have a gpg.conf file
> in your gpg home directory. You can search the web on how to make a
> custom Live CD.

That would work. Well, for the context of that article asking readers to create their own custom Live CD seems like overcomplicating an awfully complicated problem even further.

>>> I'd like to call your attention to the "cert-digest-algo SHA256"
>>> line
>> --
>>> this means that your primary key will make stronger signatures
>>> on
>> other
>>> keys (e.g. your subkeys and other people's public keys). This is
>>> probably a Good Thing.
>>
>> This is important. Can this be set without using gpg.conf?
>
> You can run gpg by specifying this as an option on the command line,
> e.g. gpg --cert-digest-algo sha256. Any command line option that you
> can pass to gpg when you run it can be put into your gpg.conf file.

"gpg --cert-digest-algo sha256" is what the article now uses.

> But if your thinking is, "How can I have this set permanently without
> using gpg.conf?"--you can't. gpg.conf is the configuration file for
> gpg.

Okay.

Cheers,
adrelanos

From nb.linux at xandea.de  Sat Nov 23 17:19:57 2013
From: nb.linux at xandea.de (nb.linux)
Date: Sat, 23 Nov 2013 16:19:57 +0000
Subject: Smart card reader security
In-Reply-To: <877gdbgfow.fsf@vigenere.g10code.de>
References: <1382025329.2267.15.camel@mars.weinz> <877gdbgfow.fsf@vigenere.g10code.de>
Message-ID: <5290D5AD.9030903@xandea.de>

Hi,

(I know this is an old thread, sorry)

Werner Koch:
> On Thu, 17 Oct 2013 17:55, christian.weinz at gmail.com said:
>> I bought a cyberJack go [1] to use it with my openPGP smart card for
>
> This is not just a reader but an identification token with lots of
> embedded and upgradable software. It has already been shown that such
> smart cards readers are fun to play with. IIRC, there have been
> demonstrations turning the doctors health card terminals and PIN+chip
> terminals into space invaders consoles.

Do you have a source for that? I'd love to see some video or so :)

From bill at napfn.com  Sun Nov 24 22:06:14 2013
From: bill at napfn.com (Bill Albert)
Date: Sun, 24 Nov 2013 16:06:14 -0500
Subject: Setting encryption algorithm for specific key
In-Reply-To: <528DA1D6.2050702@dougbarton.us>
References: <528A4C92.1090102@riseup.net> <15063313.vE5rGUbaWf@inno.berlin.laging.de> <528B0015.6030206@sixdemonbag.org> <528D38C3.2030802@vulcan.xs4all.nl> <528DA1D6.2050702@dougbarton.us>
Message-ID: <52926A46.3040900@napfn.com>

On 11/21/2013 01:01 AM, Doug Barton wrote:
> Please don't reply to a message off the list and change the subject
> line because it causes your new topic to show under the previous one
> for those using mail readers that thread properly, and may cause your
> message to be missed altogether if someone has blocked that thread.
>
> Instead, save the list address and start a completely new message.
>
> hope this helps,
>
> Doug
>
>

Objection: your preference of an esoteric mail reader is not relevant to the rest of us.

--
/wm

From kententen at me.com  Mon Nov 25 14:48:40 2013
From: kententen at me.com (Kenneth Jones)
Date: Mon, 25 Nov 2013 21:48:40 +0800
Subject: Changing the subject WAS Re: Setting encryption algorithm for specific key
In-Reply-To: <52926A46.3040900@napfn.com>
References: <528A4C92.1090102@riseup.net> <15063313.vE5rGUbaWf@inno.berlin.laging.de> <528B0015.6030206@sixdemonbag.org> <528D38C3.2030802@vulcan.xs4all.nl> <528DA1D6.2050702@dougbarton.us> <52926A46.3040900@napfn.com>
Message-ID: <52935538.8060509@Me.com>

Sorry Bill,

Esoteric mail reader or not, changing the subject while maintaining the subject line is bad form, and has been forever. Maybe you're new. ;-)

Cheers,
Ken

On 2013-11-25 05:06, Bill Albert wrote:
>
> Objection: your preference of an esoteric mail reader is not relevant
> to the rest of us

From dougb at dougbarton.us  Mon Nov 25 19:38:27 2013
From: dougb at dougbarton.us (Doug Barton)
Date: Mon, 25 Nov 2013 10:38:27 -0800
Subject: Setting encryption algorithm for specific key
In-Reply-To: <52926A46.3040900@napfn.com>
References: <528A4C92.1090102@riseup.net> <15063313.vE5rGUbaWf@inno.berlin.laging.de> <528B0015.6030206@sixdemonbag.org> <528D38C3.2030802@vulcan.xs4all.nl> <528DA1D6.2050702@dougbarton.us> <52926A46.3040900@napfn.com>
Message-ID: <52939923.3090801@dougbarton.us>

On 11/24/2013 01:06 PM, Bill Albert wrote:
> On 11/21/2013 01:01 AM, Doug Barton wrote:
>> Please don't reply to a message off the list and change the subject
>> line because it causes your new topic to show under the previous one
>> for those using mail readers that thread properly, and may cause your
>> message to be missed altogether if someone has blocked that thread.
>>
>> Instead, save the list address and start a completely new message.
>>
>> hope this helps,
>>
>> Doug
>>
>>
> Objection: your preference of an esoteric mail reader is not relevant to
> the rest of us.

I'm using precisely the same mail reader you are. :)

Doug

From holtzm at cox.net  Mon Nov 25 20:41:28 2013
From: holtzm at cox.net (Robert Holtzman)
Date: Mon, 25 Nov 2013 12:41:28 -0700
Subject: Setting encryption algorithm for specific key
In-Reply-To: <52926A46.3040900@napfn.com>
References: <528A4C92.1090102@riseup.net> <15063313.vE5rGUbaWf@inno.berlin.laging.de> <528B0015.6030206@sixdemonbag.org> <528D38C3.2030802@vulcan.xs4all.nl> <528DA1D6.2050702@dougbarton.us> <52926A46.3040900@napfn.com>
Message-ID: <20131125194128.GA6873@cox.net>

On Sun, Nov 24, 2013 at 04:06:14PM -0500, Bill Albert wrote:
> On 11/21/2013 01:01 AM, Doug Barton wrote:
> > Please don't reply to a message off the list and change the subject
> > line because it causes your new topic to show under the previous one
> > for those using mail readers that thread properly, and may cause your
> > message to be missed altogether if someone has blocked that thread.
> >
> > Instead, save the list address and start a completely new message.
> >
> > hope this helps,
> >
> > Doug
> >
> >
> Objection: your preference of an esoteric mail reader is not relevant to
> the rest of us.

If it was Doug Barton's post you were referring to, and from your quote, it was

1) Not sure what you're talking about. You and Barton seem to be using the same mail reader. From the headers

Barton: User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.1.0
Albert: User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.1.1

Now, what was that about an esoteric news reader?

2) What does what you replied to have to do with mail readers?

--
Bob Holtzman
Your mail is being read by tight lipped NSA agents who fail to see humor in Doctor Strangelove
Key ID 8D549279
Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: Digital signature URL: From expires2013 at ymail.com Mon Nov 25 22:54:53 2013 From: expires2013 at ymail.com (MFPA) Date: Mon, 25 Nov 2013 21:54:53 +0000 Subject: Setting encryption algorithm for specific key In-Reply-To: <52926A46.3040900@napfn.com> References: <528A4C92.1090102@riseup.net> <15063313.vE5rGUbaWf@inno.berlin.laging.de> <528B0015.6030206@sixdemonbag.org> <528D38C3.2030802@vulcan.xs4all.nl> <528DA1D6.2050702@dougbarton.us> <52926A46.3040900@napfn.com> Message-ID: <941451432.20131125215453@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Sunday 24 November 2013 at 9:06:14 PM, in , Bill Albert wrote: > Objection: your preference of an esoteric mail reader > is not relevant to the rest of us. "Mail readers that thread properly" hardly equates to "an esoteric mail reader." And whilst an individual's choice of software for reading the list is irrelevant to everybody else, abruptly changing subject matter part way through a thread is relevant to everybody who was trying to follow that thread. - -- Best regards MFPA mailto:expires2013 at ymail.com Dreams come true on this side of the Rainbow too! -----BEGIN PGP SIGNATURE----- iPQEAQEKAF4FAlKTxz1XFIAAAAAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5pryIEAK0b+33eO0ecSWp1wNhgTeIyVB9kjFLOvLJY 5Go4YxvCll4F/OvFls8FLf109qjNcADUHyFZyjHTV9j6qt4ThKLn1UHjAnK1NbKI OZEW/7yu32g5CaS+HXbCRiKBBFzYt9qn+4vE+8bjs01ejRntOWJJxdIvmgoKh8wQ ECeDHSug =hiv5 -----END PGP SIGNATURE----- From askquestion at consultant.com Tue Nov 26 22:46:39 2013 From: askquestion at consultant.com (Michael) Date: Tue, 26 Nov 2013 16:46:39 -0500 Subject: Using Gnupg from the command line with no arguments Message-ID: <20131126214639.219280@gmx.com> Hi, I am a new GPG user. (New to the command line, that is.) 
I know that if you type "gpg" without any arguments in a command line it starts a primitive sort of text editor where you can type a message that you later encrypt, sign, etc. How do you tell the text editor when you are done with the message? I have actually been flipping madly through the GPG documentation; I am not sure this is scenario is exactly covered. Can someone point me in the right direction? Using GPG Tools on Mac OS 10.9 and just trying to get more command line fluent. Thank you for your help. Mike -------------- next part -------------- An HTML attachment was scrubbed... URL: From jhs at berklix.com Wed Nov 27 00:36:39 2013 From: jhs at berklix.com (Julian H. Stacey) Date: Wed, 27 Nov 2013 00:36:39 +0100 Subject: Using Gnupg from the command line with no arguments In-Reply-To: Your message "Tue, 26 Nov 2013 16:46:39 EST." <20131126214639.219280@gmx.com> Message-ID: <201311262336.rAQNadQI039501@fire.js.berklix.net> > Hi, I am a new GPG user. (New to the command line, that is.) I know that if you type "gpg" without any arguments in a command line it starts a primitive sort of text editor where you can type a message that you later encrypt, sign, etc. How do you tell the text editor when you are done with the message? I have actually been flipping madly through the GPG documentation; I am not sure this is scenario is exactly covered. Can someone point me in the right direction? Using GPG Tools on Mac OS 10.9 and just trying to get more command line fluent. > Thank you for your help. > Mike I would assume Control D = ^D = EOT = Ascii End Of Text Octal 004 = standard default fr end of data stream in Unix. I vaguely recall decades back with DOS, Microsoft used ^T As you'r using Mac I dont know, but try ^D first Cheers, Julian -- Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com Interleave replies below like a play script. Indent old text with "> ". Send plain text, not quoted-printable, HTML, base64, or multipart/alternative. 
Extradite NSA spy chief Alexander. http://berklix.eu/jhs/blog/2013_10_30 From gnupg at tim.thechases.com Wed Nov 27 01:36:27 2013 From: gnupg at tim.thechases.com (Tim Chase) Date: Tue, 26 Nov 2013 18:36:27 -0600 Subject: Using Gnupg from the command line with no arguments In-Reply-To: <201311262336.rAQNadQI039501@fire.js.berklix.net> References: <20131126214639.219280@gmx.com> <201311262336.rAQNadQI039501@fire.js.berklix.net> Message-ID: <20131126183627.7658a166@bigbox.christie.dr> On 2013-11-27 00:36, Julian H. Stacey wrote: > I would assume Control D = ^D = EOT = Ascii End Of Text Octal 004 = > standard default fr end of data stream in Unix. > > I vaguely recall decades back with DOS, Microsoft used ^T Close...control+Z on DOS/Win32 -tkc From wk at gnupg.org Wed Nov 27 08:36:42 2013 From: wk at gnupg.org (Werner Koch) Date: Wed, 27 Nov 2013 08:36:42 +0100 Subject: Smart card reader security In-Reply-To: <5290D5AD.9030903@xandea.de> (nb linux's message of "Sat, 23 Nov 2013 16:19:57 +0000") References: <1382025329.2267.15.camel@mars.weinz> <877gdbgfow.fsf@vigenere.g10code.de> <5290D5AD.9030903@xandea.de> Message-ID: <87iovegut0.fsf@vigenere.g10code.de> On Sat, 23 Nov 2013 17:19, nb.linux at xandea.de said: >> smart cards readers are fun to play with. IIRC, there have been >> demonstrations turning the doctors health card terminals and PIN+chip >> terminals into space invaders consoles. > > Do you have a source for that? I'd love to see some video or so :) Sorry, I have not the time to dig into this. A good starting point will be http://www.cl.cam.ac.uk/research/security/banking/. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. 
From shavital at gmail.com Wed Nov 27 10:48:19 2013 From: shavital at gmail.com (Charly Avital) Date: Wed, 27 Nov 2013 11:48:19 +0200 Subject: Using Gnupg from the command line with no arguments In-Reply-To: <20131126214639.219280@gmx.com> References: <20131126214639.219280@gmx.com> Message-ID: <5295BFE3.8090502@gmail.com> Michael wrote on 11/26/13, 11:46 PM: > Hi, I am a new GPG user. (New to the command line, that is.) I know > that if you type "gpg" without any arguments in a command line it starts > a primitive sort of text editor where you can type a message that you > later encrypt, sign, etc. How do you tell the text editor when you are > done with the message? I have actually been flipping madly through the > GPG documentation; I am not sure this is scenario is exactly covered. > Can someone point me in the right direction? Using GPG Tools on Mac OS > 10.9 and just trying to get more command line fluent. > > > > Thank you for your help. > > > > Mike Mike, after I type gpg without arguments I get: gpg: Go ahead and type your message ... and when I type immediately after ControlC, I get: ^C gpg: Interrupt caught ... exiting I'm not sure this answers your query. Charly 0x15E4F2EA Mac OS X 10.9 13A603 MacBook Intel C2Duo 2GHz 13-inch, Aluminum, Late 2008 . (GnuPG/MacGPG2) 2.0.20 - gpg (GnuPG) 1.4.15 TB 24.1.1 Enigmail version 1.6 (20131006-1849) From peter at digitalbrains.com Wed Nov 27 11:43:19 2013 From: peter at digitalbrains.com (Peter Lebbing) Date: Wed, 27 Nov 2013 11:43:19 +0100 Subject: Using Gnupg from the command line with no arguments In-Reply-To: <20131126214639.219280@gmx.com> References: <20131126214639.219280@gmx.com> Message-ID: <5295CCC7.1060708@digitalbrains.com> On 26/11/13 22:46, Michael wrote: > Hi, I am a new GPG user. (New to the command line, that is.) I know that > if you type "gpg" without any arguments in a command line it starts a > primitive sort of text editor where you can type a message that you later > encrypt, sign, etc. 
I'm pretty sure this is not correct. When you start it without arguments, it expects an OpenPGP message on stdin (pronounce "standard in"). Since you're working from the command line, stdin is your keyboard. You're calling this "a primitive sort of text editor" but it's no more a text editor than the command line itself, where you enter commands to execute, is a text editor.

On Linux, you can type Ctrl-D to signal the end of a stdin stream. Look what happens when I do that:

peter at tweek:~$ gpg2
gpg: Go ahead and type your message ...
Blah
gpg: no valid OpenPGP data found.
gpg: processing message failed: Unknown system error
peter at tweek:~$

I typed: Blah

The lines "peter at tweek:~$" are my command prompt.

Charly Avital mentioned pressing Ctrl-C; this would be to signal to gpg2 you want it to exit. Here's what happens when I type Blah:

peter at tweek:~$ gpg2
gpg: Go ahead and type your message ...
Blah
^C
gpg: signal Interrupt caught ... exiting
peter at tweek:~$

This does not process the input on stdin, because you're signalling you want gpg2 to stop what it is doing and quit, which is different than signalling that you're done with typing on stdin. The ^C is the shell's way of telling me I pressed Ctrl-C; this doesn't happen for all control codes.

Now what you're probably thinking of is something like this:

peter at tweek:~$ gpg2 -r peter -ae
I'm talking to myself.
-----BEGIN PGP MESSAGE-----
Version: GnuPG v2.0.20 (GNU/Linux)

hQEMAyb3Vj5zozvuAQgAxEf2hNJJEwOKWPk5p0wGUk7LMH4HpKe/xY10uXRO3BiL
UVbKdBL95NeaYKcVQ/jM5FvU9GKn718SijAVkxpSZwmxCt0QdtD8WJNbNub0OvxS
tx4O5WwtLK+s4cQGEfnFeXQOrYhZwoJwicy3rwD1+TypWlmwI0XHywCayY6uaVHr
Of8tiRLkEdQMQs37LzXsJRXGUxTPUBGvkiPtBOBAT7opLOyPpfvC7FUoGeO0qKJ5
/7iZlPKDDTJtwHgE+k1C+kAqojcbUnGJj+yS/7nmhc9gioaCdaqtLNKH5bzrl7v4
MKDpUnTyj+B2/TCugsJ0NMfk+9rZ1OIkC89M1SwGYtJSAch1U4mHnbRq1uG8LcM1
eXrCA+fMAfTe0ZgaToSCSDaUckKMTfQRqsrOkSnnqiZCJ2P3r6KeYMfORGbUIbEn
/1I95F4ZpeLafUqVMXt44Wpe7Q==
=8C00
-----END PGP MESSAGE-----
peter at tweek:~$

I typed the line of input. However, I had to specify up front I wanted to encrypt to myself; it's not, like you said,

> you can type a message that you later encrypt, sign, etc.

Also, your cursor keys will most likely not work. You can type in text, erase it with Backspace, and make a line final with Enter. It's a really unfriendly environment, because it's not an environment really meant for the user. So you're much better off with a (primitive or not) text editor.

One final point: MacOS shares UNIX roots and POSIX stuff with Linux, so I expect that Ctrl-D ends the stdin just like it does on Linux.

If you like, I can explain to you where Ctrl-C and Ctrl-D come from. If you don't care, you can stop reading and I wish you a good day :). It might help you remember why these keys work, which is why I think it's very slightly on topic. Actually, I just like telling this and I'm looking for a justification.

When you type letters from the Latin alphabet, these letters are passed to the system as ASCII, which is a table of 127 characters that contain the alphabet, numbers, some more stuff, as well as so-called control codes. The control codes are right at the beginning of the table: the first 32 entries (entries 0-31, computers usually start counting at 0). On many systems, you can enter these control codes by holding down "Control"[1] and using the keys @ followed by A-Z followed by [, \, ], ^ and _.
If you look at the ASCII table, you'll notice that these are the entries numbered 64-96[2]. So when we're pressing Ctrl-C, we're passing ASCII 3, Ctrl-D passes ASCII 4, and Ctrl-\ passes ASCII 28.

Ctrl-C, ASCII 3, is called ETX, End of Text.
Ctrl-D, ASCII 4, is called EOT, End of Transmission.
Ctrl-\, ASCII 28, is called FS, File Separator.

These are ancient names, and the names don't always still match current usage, although there still is something reminiscent of logic. Now I happen to know that Ctrl-\ asks the program to "dump core"[3], so I entered "ascii 1c dump core" in startpage.com (1c is hexadecimal for 28, I expected more results for hexadecimal numbers), and it linked to a nice page[4]. It describes the three as (amongst others):

Ctrl-C:
> Most UNIX systems used ETX as the default code to generate a SIGINT signal
> for the foreground process. (Exception: Solaris responds to ETX by sending
> the SIGINT signal to all processes on the given controlling terminal.)

SIGINT is "signal Interrupt", compare to the GnuPG output.

Ctrl-D:
> In C language environments with a Standard In (stdin) device, a EOT can
> indicate that the end of input has been reached.

Ctrl-\:
> By default, the command shells in UNIX systems treat this as a QUIT signal,
> and will pass a signal to the current foreground process that it should
> abort, and if allowed and possible, make a core dump.

Now if you from now on think of Ctrl-D as "End of Transmission" instead of the awkward "control dee", maybe you can remember better. It's unfortunate that Ctrl-C is called "End of Text", though. And File Separator just doesn't make sense ;).

Just as a bonus: Ctrl-S is called DC3 "Device Control 3", but also XOFF "Transmission off". You can use it to pause the output on the terminal screen. When two systems are communicating through ASCII, it is usually sent when the receiving system can't keep up with the flow of data that the other system is producing. When you press Ctrl-S, you're basically saying "hey I can't read that fast!".
When you've caught up, you press Ctrl-Q, DC1 "Device Control 1", also XON "Transmission on". The output on the terminal will resume, and you can read the rest of the text.

HTH,

Peter.

[1] You hold down "Control" to enter control codes on your keyboard. I don't think this is a coincidence, but I didn't check the etymology.
[2] If you make an ASCII table in two columns they'll line up next to each other because you're putting entries 0-63 left and 64-127 right.
[3] I'm already explaining a lot, I'm not really going to touch that one... :)
[4] http://nemesis.lonestar.org/reference/telecom/codes/ascii.html

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From biggles.trenton at gmail.com Wed Nov 27 12:35:51 2013
From: biggles.trenton at gmail.com (Sin Trenton)
Date: Wed, 27 Nov 2013 12:35:51 +0100
Subject: Decrypting symmetrically encrypted text in Command Line (CL) results in error message?
In-Reply-To:
References:
Message-ID: <5295D917.6000900@gmail.com>

Hello everyone,

I've tried to find info regarding this but no real luck so far. It was discussed in the thread "encryption/decryption without files", but I haven't found a reply there that covers 'symmetric decryption'. And yes, I am aware of plaintext, shell, bash, etc.

These are generally short text snippets, which can be considered internal, not even confidential (I'm not familiar with the names of levels up to "Ultraviolet Top Secret", but this would barely reach "Just don't forget too many printouts on the tube" level. :) ) We use it mainly for small txt files stored in the cloud, some things sent over Google or stored temporarily in some docs at Google Drive, etc.

Anyway, I often use -ac in the command line to encrypt these text snippets. I write the text or message, finish with Ctrl+Z (we use Windows at work), and copy the encrypted text.
One thing I would like to do is the opposite, however, but I haven't figured out how to, yet. If I want to decrypt a short text snippet, I have to

1. copy the snippet
2. paste it into a txt file
3. save the file
4. use "gpg -d file.txt"

(The text is then read in the CL window, I have no interest in this case to save the decrypted text, just read it and e.g. check a reference)

Is it possible to replace steps 2 and 3 by pasting in the text in the CL?

I've tried "gpg [Enter]", but I always get the message "decryption failed: bad key" as you can see below. Everything below the encrypted message happened automatically when I pasted in the text the first time, though the next time it did wait for me to supply the passphrase, with the same "bad key" result, however.

Note that the last line "-----END PGP MESSAGE-----" disappears. Also, the prompt does not return to the standard ">", until I have done a Ctrl+Z or Ctrl+C.

>gpg
gpg: Go ahead and type your message ...
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.15 (MingW32)

jA0ECgMCpM [snip] zHEHXtFP3
=uNdz
gpg: TWOFISH encrypted data
gpg: encrypted with 1 passphrase
gpg: decryption failed: bad key

As I wrote in the subject line, this is when using symmetric encryption (as you can see), since we use that in these particular cases. It does work with asymmetric encryption, though the workflow is a bit dodgy even there, I think? The END PGP MESSAGE line disappears here as well and the first failed attempt for the passphrase happened without my input too.

>gpg
gpg: Go ahead and type your message ...
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.15 (MingW32)

hQIMA [snip] /HaL1
=ZWgL

You need a passphrase to unlock the secret key for
user: "Sin Trenton"
4096-bit RSA key, ID 0x0A0A0A0A0A0A0A0A, created 2010-01-01 (subkey on main key ID 0x0A0A0A0A0A0A0A0A)

gpg: Invalid passphrase; please try again ...
You need a passphrase to unlock the secret key for
user: "Sin Trenton"
4096-bit RSA key, ID 0x0A0A0A0A0A0A0A0A, created 2010-01-01 (subkey on main key ID 0x0A0A0A0A0A0A0A0A)

gpg: encrypted with 4096-bit RSA key, ID 0x0A0A0A0A0A0A0A0A, created 2010-01-01
      "Sin Trenton"
^Z (Ctrl+Z, my input)
[The decrypted text appears here after my input]
>

Thankful for any pointers or help.

Best regards,
Sin Trenton

From vedaal at nym.hush.com Wed Nov 27 19:45:25 2013
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Wed, 27 Nov 2013 13:45:25 -0500
Subject: Decrypting symmetrically encrypted text in Command Line (CL) results in error message?
In-Reply-To: <5295D917.6000900@gmail.com>
References: <5295D917.6000900@gmail.com>
Message-ID: <20131127184526.26AE7C0696@smtp.hushmail.com>

On Wednesday, November 27, 2013 at 7:46 AM, "Sin Trenton" wrote:
> If I want to decrypt a short text snippet, I have to
>
> 1. copy the snippet
> 2. paste it into a txt file
> 3. save the file
> 4. use "gpg -d file.txt"
>
> (The text is then read in the CL window, I have no interest in this case
> to save the decrypted text, just read it and e.g. check a reference)
>
> Is it possible to replace steps 2 and 3 by pasting in the text in the CL?
>
> I've tried "gpg [Enter]", but I always get the message "decryption
> failed: bad key" as you can see below.
> Everything below the encrypted message happened automatically when I
> pasted in the text first time, though next time it did wait for me to
> supply the passphrase, with same "bad key" result, however.
>
> Note that the last line "-----END PGP MESSAGE-----" disappears. Also,
> the prompt does not return to the standard ">", until I have done a
> Ctrl+Z or Ctrl+C.
>
> >gpg
> gpg: Go ahead and type your message ...
> -----BEGIN PGP MESSAGE-----
> Version: GnuPG v1.4.15 (MingW32)
>
> jA0ECgMCpM [snip] zHEHXtFP3
> =uNdz
> gpg: TWOFISH encrypted data
> gpg: encrypted with 1 passphrase
> gpg: decryption failed: bad key

=====

I get the same problem on Windows. It is very puzzling that it should work with a message encrypted to a public key, but not with a symmetrically encrypted message.

The same thing happens with Cygwin and MSYS, *but* using MSYS and printf you can accomplish what you want to do.

(You can either install MSYS on Windows, or use PortableApps (www.portableApps.com) and install MSYSPortable. Once MSYS is installed, copy the following files into MSYSPortable\Data\usr\local\bin\ : gpg.exe, gpgsplit.exe, gpgv.exe, gpg-zip)

Here is a symmetrical test message to try out:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Acts of Kindness better the World, and protect the Soul

jA0ECgMIq6s05aP/yK+u0kYB/HlkU1MH0shFYGpzYZDUAklckj4WOGBNYSsqW1Kv
FAiTjIdj8vJCowfWIALk+5YrUoMgwHXYZsGLm1dbM8AwUmXt0GSD
=Xhjy
-----END PGP MESSAGE-----

Copy this into Notepad, or any editor, and then add the line before the message and the line after the message to result in the following:

"
-----BEGIN PGP MESSAGE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Acts of Kindness better the World, and protect the Soul

jA0ECgMIq6s05aP/yK+u0kYB/HlkU1MH0shFYGpzYZDUAklckj4WOGBNYSsqW1Kv
FAiTjIdj8vJCowfWIALk+5YrUoMgwHXYZsGLm1dbM8AwUmXt0GSD
=Xhjy
-----END PGP MESSAGE-----
" | gpg -d

Copy the above segment into the clipboard.
Now open the MSYS window, and type:

printf (and add a space afterward)

Now, right-click on the border of the MSYS window, and a dropdown menu appears; click on 'edit', then on 'paste', and press enter.

gpg then does the following:

gpg: armor: BEGIN PGP MESSAGE
gpg: armor header: Version: GnuPG v2.0.17 (MingW32)
gpg: armor header: Comment: Acts of Kindness better the World, and protect the S
oul
:symkey enc packet: version 4, cipher 10, s2k 3, hash 8
        salt abab34e5a3ffc8af, count 1966080 (174)
gpg: TWOFISH encrypted data
Enter passphrase:

(the passphrase is: sss

after typing in sss gpg then does):

:encrypted data packet:
        length: 70
        mdc_method: 2
gpg: encrypted with 1 passphrase
:compressed packet: algo=1
:literal data packet:
        mode b (62), created 1350586272, name="",
        raw data: 17 bytes
gpg: original file name=''
just another testgpg: decryption okay
gpg: session key: `10:985CBBC1E03403B08D6A407AF06F87228248BCBCA0E0F0A3C3F0257821
E09D57'

The plaintext ('just another test') appears above in the MSYS window as the line:

just another testgpg: decryption okay

Maybe people here can figure out why it works this way, but not in the way you tried, and if this is a 'windows' issue ... ;-((

vedaal

From ndk.clanbo at gmail.com Wed Nov 27 21:15:11 2013
From: ndk.clanbo at gmail.com (NdK)
Date: Wed, 27 Nov 2013 21:15:11 +0100
Subject: Smart card reader security
In-Reply-To: <87iovegut0.fsf@vigenere.g10code.de>
References: <1382025329.2267.15.camel@mars.weinz> <877gdbgfow.fsf@vigenere.g10code.de> <5290D5AD.9030903@xandea.de> <87iovegut0.fsf@vigenere.g10code.de>
Message-ID: <529652CF.4090607@gmail.com>

On 27/11/2013 08:36, Werner Koch wrote:
>>> smart cards readers are fun to play with. IIRC, there have been
>>> demonstrations turning the doctors health card terminals and PIN+chip
>>> terminals into space invaders consoles.
>> Do you have a source for that? I'd love to see some video or so :)
> Sorry, I have not the time to dig into this.
> A good starting point will
> be http://www.cl.cam.ac.uk/research/security/banking/.

Found:
http://www.lightbluetouchpaper.org/2006/12/24/chip-pin-terminal-playing-tetris/

BYtE,
Diego.

From einarr at pvv.org Wed Nov 27 20:56:44 2013
From: einarr at pvv.org (Einar Ryeng)
Date: Wed, 27 Nov 2013 20:56:44 +0100
Subject: Decrypting symmetrically encrypted text in Command Line (CL) results in error message?
In-Reply-To: <5295D917.6000900@gmail.com>
References: <5295D917.6000900@gmail.com>
Message-ID: <20131127195644.GA28604@pvv.ntnu.no>

On Wed, Nov 27, 2013 at 12:35:51PM +0100, Sin Trenton wrote:
>
> 1. copy the snippet
> 2. paste it into a txt file
> 3. save the file
> 4. use "gpg -d file.txt"
>
> Is it possible to replace steps 2 and 3 by pasting in the text in the CL?

It would surprise me if that wasn't possible.

> I've tried "gpg [Enter]", but I always get the message "decryption
> failed: bad key" as you can see below.
> Everything below the encrypted message happened automatically when I
> pasted in the text first time, though next time it did wait for me
> to supply the passphrase, with same "bad key" result, however.
>
> Note that the last line "-----END PGP MESSAGE-----" disappears.
> Also, the prompt does not return to the standard ">", until I have
> done a Ctrl+Z or Ctrl+C.

I'm guessing that one of two things is happening here, due to the use of STDIN both to provide the encrypted message and as the way to enter the password:

1) Some buffer gets full and gpg asks for the password to start processing the encrypted input. The next line of input is then taken to be the password, which is obviously wrong.

2) The CR/LF line endings in Windows are confusing the data/password input in gpg. As I couldn't reproduce your problem in Linux, I'm leaning towards this explanation.

You can try giving the password on the command line.
> gpg --passphrase test

However, I might add that I'm not able to reproduce the problem on Linux and I don't have any Windows computers at hand right now so this is just guesswork.

--
Einar Ryeng

From peter at digitalbrains.com Thu Nov 28 10:10:01 2013
From: peter at digitalbrains.com (Peter Lebbing)
Date: Thu, 28 Nov 2013 10:10:01 +0100
Subject: Smart card reader security
In-Reply-To: <529652CF.4090607@gmail.com>
References: <1382025329.2267.15.camel@mars.weinz> <877gdbgfow.fsf@vigenere.g10code.de> <5290D5AD.9030903@xandea.de> <87iovegut0.fsf@vigenere.g10code.de> <529652CF.4090607@gmail.com>
Message-ID: <52970869.3000209@digitalbrains.com>

On 27/11/13 21:15, NdK wrote:
> Found:
>
> http://www.lightbluetouchpaper.org/2006/12/24/chip-pin-terminal-playing-tetris/

Meh. They just replaced all hardware inside and only re-used the shell of the device. While it illustrates the point they're making in the article, it's not nearly as cool as modding the firmware of the actual hardware through a rogue firmware update.

And even then I'm missing some nice details: how did they take care of the special sticker that is supposed to crack when you try to open the device? (It's usually holographic to prevent reproduction.) And did the case crack or snap when disassembling, leaving obvious marks where it did? I'm not saying these are sufficient methods to prevent access to the inside[1], I'm asking if they could take care of these things. For all I know, the underside of the device in the video is a mess of broken plastic with some strips of holographic sticker keeping it all together.

They compare it to the hack on the voting machine. I absolutely disagree: that hack is what I'm talking about, a rogue firmware update, throw in a little electromagnetic emission analysis for extra goodness. I could do the PIN pad hack. I certainly can't do the voting machine hack.

Again, it illustrates the point they're trying to make, but it's not spectacular.
[1] For instance, you could take two or more devices, and saw them through at different places. Once you have them somewhat open, you can probably carefully pry pieces apart until you have an undamaged specimen of each part of the case. By the way, you could prevent access to the insides fairly well by filling it up with polyurethane once assembled, obviously making sure you have sealed all gaps like card insertion slot and keyboard :).

From peter at digitalbrains.com Thu Nov 28 10:16:34 2013
From: peter at digitalbrains.com (Peter Lebbing)
Date: Thu, 28 Nov 2013 10:16:34 +0100
Subject: Decrypting symmetrically encrypted text in Command Line (CL) results in error message?
In-Reply-To: <20131127195644.GA28604@pvv.ntnu.no>
References: <5295D917.6000900@gmail.com> <20131127195644.GA28604@pvv.ntnu.no>
Message-ID: <529709F2.6070501@digitalbrains.com>

On 27/11/13 20:56, Einar Ryeng wrote:
> I'm guessing that one of two things is happening here, due to the use of STDIN
> both to provide the encrypted message and as the way to enter the password:

Yes, that is what I was thinking, that it tries to read the password from stdin as well. No matter the specific mechanisms at play, it is simply impossible to reliably get both the message and the password from stdin, AFAIK.

Which is why I wanted to ask: are you using gpg-agent? Could you try configuring (and using) gpg-agent such that it will ask for the password with a pinentry window popping up? Because it should be possible to decrypt from a pasted text in the command line as long as it's not necessary to enter the password in the same command line window, which the agent should allow you to do.

I don't have access to Windows machines to try this myself.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From gpgml at gmx-topmail.de Sat Nov 30 18:58:07 2013
From: gpgml at gmx-topmail.de (Klaus)
Date: Sat, 30 Nov 2013 18:58:07 +0100 (CET)
Subject: multiple keys with different UIDs and common WoT?
Message-ID:

Hi,

I am currently planning how I set up my keys and I ran into the problem that I have to read work-related mail on a theoretically insecure machine at my workplace. This means I don't want to use or even install my keys on this machine. This led me to the idea of having two keys: one for work and one for private stuff, i.e. more paranoid.

I first thought about using one master key for this with multiple subkeys (which I'd also use without this particular problem), of which I install the private one only at home and the other one both at home and at work. However, apparently it is not possible to assign UIDs to subkeys, but only to the master key, with no possibility to indicate which subkey to use for which email.

The only possibility I see currently is having two master keys, which requires me to build a WoT for both keys and even rebuilding it from scratch when I get a job somewhere else. While this is the preferred way for completely disjunct identities (e.g. job and political activities), it is an unnecessary bulk of additional work in my case.

Another way would be to have one ultra-master-key (TM) with only my name, which I use to sign the master keys for different emails. But as far as I read about gpg, this is somehow bad because I will be the only one signing the keys that are actually used as master keys.

So my question is: Is there some mechanism that allows me to have the features mentioned above, or do I really have to build multiple separate WoTs?
Klaus

--
This e-mail was sent from the "E-Mail made in Germany" security network: http://www.gmx.net/e-mail-made-in-germany

From peter at digitalbrains.com Sat Nov 30 22:48:13 2013
From: peter at digitalbrains.com (Peter Lebbing)
Date: Sat, 30 Nov 2013 22:48:13 +0100
Subject: multiple keys with different UIDs and common WoT?
In-Reply-To:
References:
Message-ID: <529A5D1D.4030805@digitalbrains.com>

On 30/11/13 18:58, Klaus wrote:
> So my question is: Is there some mechanism that allows me to have the
> features mentioned above, or do I really have to build multiple separate
> WoTs?

You could build the WoT only on your personal key (which survives switching jobs), and set your personal key as ultimately trusted on your work PC (work PC only has the public key for your personal key). An ultimately trusted public key is no different from installing the private key for trust calculations, I think. I tested the situation, it seems the same to me with or without the private key[1].

BTW, some people frown on signing a key both with the personal and the work key as in your scenario, because you will count as two people in trust calculations done by GnuPG.

HTH,

Peter.

[1] Specifically, assigning ultimate trust moves the key to depth 0 in the trust calculations, and it is used to validate keys at depth 1, just like an ultimately trusted public/private keypair.

From gpgml at gmx-topmail.de Sat Nov 30 23:42:26 2013
From: gpgml at gmx-topmail.de (Klaus)
Date: Sat, 30 Nov 2013 23:42:26 +0100 (CET)
Subject: Aw: Re: multiple keys with different UIDs and common WoT?
In-Reply-To: <529A5D1D.4030805@digitalbrains.com>
References: , <529A5D1D.4030805@digitalbrains.com>
Message-ID:

> From: "Peter Lebbing"
> You could build the WoT only on your personal key (which survives switching
> jobs), and set your personal key as ultimately trusted on your work PC (work PC
> only has the public key for your personal key). An ultimately trusted public key
> is no different from installing the private key for trust calculations, I think.
> I tested the situation, it seems the same to me with or without the private key[1].

Ok, this will fix the WoT from my perspective. What about other users importing my work key? Especially when they don't fully trust my personal key, they will never trust the work key, because there are no other links that may generate trust by having multiple marginally trusted links. They might decide to manually change that when they see the two keys are actually from the same person, but I guess this will never be handled automatically.

> BTW, some people frown on signing a key both with the personal and the work key
> as in your scenario, because you will count as two people in trust calculations
> done by GnuPG.

That shouldn't be a problem, as long as I don't ask people to sign my work key and don't sign with my work key.

Klaus
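Returning to the "Decrypting symmetrically encrypted text" thread above, where armored messages are pasted into gpg's stdin and the "-----END PGP MESSAGE-----" line goes missing: the following is an added example, not code from any poster or from GnuPG. It reads and writes the ASCII armor format gpg is being fed (BEGIN/END lines, armor headers, base64 body) and verifies the trailing CRC-24 line (the "=uNdz" / "=Xhjy" lines in the transcripts), so a truncated or altered paste is reported before any passphrase is tried; the sample bytes and the "Version: example" header are constructed, not a real OpenPGP packet.

```python
"""OpenPGP ASCII armor with the CRC-24 checksum line (RFC 4880 section 6).
Added example; the sample bytes and header are constructed, not a real packet."""
import base64

CRC24_INIT = 0xB704CE   # initial value from RFC 4880
CRC24_POLY = 0x1864CFB  # generator polynomial from RFC 4880


def crc24(data: bytes) -> int:
    """Bitwise CRC-24 over the raw packet bytes, as in RFC 4880's reference code."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor_checksum(data: bytes) -> str:
    """The trailing '=uNdz'-style line: CRC-24 of the packets, big-endian, base64."""
    return "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")


def armor(data: bytes, headers=None) -> str:
    """Wrap packet bytes in a PGP MESSAGE block, 64 base64 characters per line."""
    lines = ["-----BEGIN PGP MESSAGE-----"]
    lines += [f"{k}: {v}" for k, v in (headers or {}).items()]
    lines.append("")  # a blank line separates the armor headers from the body
    body = base64.b64encode(data).decode("ascii")
    lines += [body[i:i + 64] for i in range(0, len(body), 64)]
    lines += [armor_checksum(data), "-----END PGP MESSAGE-----"]
    return "\n".join(lines) + "\n"


class ArmorError(ValueError):
    """The pasted text is not a complete, intact armor block."""


def dearmor(text: str):
    """Return (headers, packet_bytes). CRLF line endings (Windows) are accepted."""
    lines = [ln.rstrip("\r") for ln in text.split("\n")]
    try:
        i = lines.index("-----BEGIN PGP MESSAGE-----") + 1
    except ValueError:
        raise ArmorError("no BEGIN line") from None
    headers = {}
    while i < len(lines) and lines[i] != "":      # armor headers up to blank line
        key, sep, value = lines[i].partition(": ")
        if not sep:
            raise ArmorError(f"malformed armor header: {lines[i]!r}")
        headers[key] = value
        i += 1
    body, checksum, i = [], None, i + 1
    while i < len(lines) and lines[i] != "-----END PGP MESSAGE-----":
        if lines[i].startswith("="):               # the CRC-24 line
            checksum = lines[i]
        elif lines[i]:
            body.append(lines[i])
        i += 1
    if i == len(lines):
        raise ArmorError("missing END line (paste truncated?)")
    try:
        data = base64.b64decode("".join(body), validate=True)
    except ValueError as exc:                      # binascii.Error is a ValueError
        raise ArmorError(f"body is not valid base64: {exc}") from None
    if checksum is not None and checksum != armor_checksum(data):
        raise ArmorError("CRC-24 mismatch: the message was altered in transit")
    return headers, data


def check_armor(text: str) -> str:
    """One-line verdict; the kind of check to run on a paste before feeding it to gpg."""
    try:
        headers, data = dearmor(text)
    except ArmorError as exc:
        return f"error: {exc}"
    return f"ok: {len(data)} packet bytes, headers={sorted(headers)}"


if __name__ == "__main__":
    sample = armor(b"constructed sample bytes, not a real packet", {"Version": "example"})
    print(check_armor(sample))  # ok: 43 packet bytes, headers=['Version']
```

The empty-input checksum "=twTO" is the one fixed reference point (CRC-24 of no bytes is the initial value 0xB704CE); everything else is checked by round-tripping constructed data and by corrupting it.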