From doark at mail.com Sun Jan 1 02:38:11 2017
From: doark at mail.com (David Niklas)
Date: Sat, 31 Dec 2016 20:38:11 -0500
Subject: Gpg key lost in self update
In-Reply-To: <874m1mrfc7.fsf@vps.i-did-not-set--mail-host-address--so-tickle-me>
References: <20161225215059.46dce91a@ulgy_thing> <874m1mrfc7.fsf@vps.i-did-not-set--mail-host-address--so-tickle-me>
Message-ID: <20161231203811.002af877@ulgy_thing>

On Thu, 29 Dec 2016 14:15:52 +0000 Christoffer Stjernlöf wrote:
> doark at mail.com writes:
> > I used a config file (hand written), and concatenated several of its
> > lines to form a super long strong passphrase for my key.
>
> There is no way to crack an arbitrary private key. However, since your
> passphrase is limited to the space of valid config files, the search
> space is massively limited. You could try generating several reasonable
> combinations of config options in this file format and see if one of
> them unlocks the key.
>

Thanks

From markr at signal100.com Mon Jan 2 00:44:06 2017
From: markr at signal100.com (Mark Rousell)
Date: Sun, 1 Jan 2017 23:44:06 +0000
Subject: File perms for conf files
In-Reply-To: <54b19661-566a-868b-4b71-e366674e03d2@sixdemonbag.org>
References: <54b19661-566a-868b-4b71-e366674e03d2@sixdemonbag.org>
Message-ID: <58699446.7060308@signal100.com>

On 31/12/2016 19:59, Robert J. Hansen wrote:
> I need to add a (c):
>
> (c) What should the perms be on Windows?
>
> Right now I'm just uncompressing files directly into the GnuPG data
> directory on Win32. For all I know that's sufficient; for all I know
> it's wrong.

If you're uncompressing them into %appdata%\gnupg then they should inherit permissions from the parent directory which, as far as I can tell, should be entirely correct. On my Windows 10, the current permissions are Full Control for SYSTEM, the Administrators group, and the current user.
(I think the Administrators group is only added if an administrator has used Windows Explorer to look in the user's home folder hierarchy).

--
Mark Rousell

PGP public key: http://www.signal100.com/markr/pgp
Key ID: C9C5C162

From lewisurn at gmail.com Mon Jan 2 19:27:35 2017
From: lewisurn at gmail.com (Lou Wynn)
Date: Mon, 2 Jan 2017 10:27:35 -0800
Subject: export encryption (subkey) only?
Message-ID:

Hi,

I'm developing a key management solution for an organization. For an employee, I'd like to generate two keys: one for signing and the other for encryption. In my proposed solution, the encryption key should be backed up in an organizational central server for auditing purpose, and the signing key is only accessible to a user without being saved in another location. This means that I have to separate the encryption key from the signing key.

However, the current GPG makes the signing key the master key and the encryption the subkey. PGP standard seems not to allow transfer a single subkey (RFC4880 Section 11) because it is always preceded by the master key.

I tried to export an encryption subkey only with GPG2, but importing the subkey also lists the primary key. The man page of --export-secret-subkeys reads:

The second form of the command has the special property to render the secret part of the primary key useless; this is a GNU extension to OpenPGP and other implementations can not be expected to successfully import such a key. Its intended use is to generated a full key with an additional signing subkey on a dedicated machine and then using this command to export the key without the primary key to the main machine.

It means that although the primary key is imported and listed, it is not usable.

Has anyone had experience with this and been able to confirm it?
I'm also thinking about making two separate master keys, and doing so seems to make me avoid the confusion of master-subkeys and make the solution more portable in different implementations.

What's your opinion?

--
Thanks,
Lou

From beckus at beckus.eu Mon Jan 2 20:26:20 2017
From: beckus at beckus.eu (Christopher Beck)
Date: Mon, 2 Jan 2017 20:26:20 +0100
Subject: export encryption (subkey) only?
In-Reply-To:
References:
Message-ID: <469ec47b-d794-4b5d-6162-c21551b85b01@beckus.eu>

Hi Lynn,

well, it is possible. There is an option for exporting only subkeys:

gpg --output secret-subkeys --export-secret-subkeys SUBKEYID!

It is important to use the exclamation mark at the end of the subkey-id!

Instead of this: how about a company-key for trust-signing the employees keys? Then, a customer just has to set the correct trust level to that company-key (okay, might be dangerous and not everybody wants to do this, but might be an option).

Regards
Beckus

On 02.01.2017 at 19:27, Lou Wynn wrote:
>
> Hi,
>
> I'm developing a key management solution for an organization. For an
> employee, I'd like to generate two keys: one for signing and the other
> for encryption. In my proposed solution, the encryption key should be
> backed up in an organizational central server for auditing purpose,
> and the signing key is only accessible to a user without being saved
> in another location. This means that I have to separate the encryption
> key from the signing key.
>
> However, the current GPG makes the signing key the master key and the
> encryption the subkey. PGP standard seems not to allow transfer a
> single subkey (RFC4880 Section 11) because it is always preceded by
> the master key.
>
> I tried to export an encryption subkey only with GPG2, but importing
> the subkey also lists the primary key.
> The man page of
> --export-secret-subkeys reads:
>
> The second form of the command has the special property to render the
> secret part of the primary key useless; this is a GNU extension to
> OpenPGP and other implementations can not be expected to successfully
> import such a key. Its intended use is to generated a full key with
> an additional signing subkey on a dedicated machine and then using
> this command to export the key without the primary key to the main
> machine.
>
> It means that although the primary key is imported and listed, it is
> not usable.
>
> Has anyone had experience with this and been able to confirm it?
>
> I'm also thinking about making two separate master keys, and doing so
> seems to make me avoid the confusion of master-subkeys and make the
> solution more portable in different implementations.
>
> What's your opinion?
> --
> Thanks,
> Lou

--
I use GnuPG (GPG) for e-mail encryption and signing. If you want some privacy, my public key ID is 2F9D4F14. The file "signature.asc" this message includes contains a cryptographic signature which enables you to verify this e-mail really was written by me.

Christopher Beck, DL1CHB
Gerhart-Hauptmann-Str. 1
91058 Erlangen
Tel.: 09131 / 9245437
Fax.: 09131 / 8148708
Jabber: beckus at jabber.org

From lewisurn at gmail.com Mon Jan 2 22:33:33 2017
From: lewisurn at gmail.com (Lou Wynn)
Date: Mon, 2 Jan 2017 13:33:33 -0800
Subject: export encryption (subkey) only?
In-Reply-To: <469ec47b-d794-4b5d-6162-c21551b85b01@beckus.eu>
References: <469ec47b-d794-4b5d-6162-c21551b85b01@beckus.eu>
Message-ID: <7cb43779-4c9c-9407-3066-417081ae6237@gmail.com>

On 01/02/2017 11:26 AM, Christopher Beck wrote:
>
> Hi Lynn,
>
> well, it is possible. There is an option for exporting only subkeys:
>
> gpg --output secret-subkeys --export-secret-subkeys SUBKEYID!
>
> It is important to use the exclamation mark at the end of the subkey-id!
>
> Instead of this: how about a company-key for trust-signing the
> employees keys? Then, a customer just has to set the correct trust
> level to that company-key (okay, might be dangerous and not everybody
> wants to do this, but might be an option).
>

How about this: I use another company encryption key for auditing purpose only. When employees send emails, they always use this encryption key as well as the public keys of recipients for encryption. This way, I don't have to back up employees' encryption keys, and can even simplify to use a single key for each employee (this might be arguable, but it's hard for me to convince myself that it's worthwhile to use separate encryption key in this case).

But I'm not sure if I need to customize some PGP implementation in order to do so.

--
Thanks,
Lou

From christian.heinrich at cmlh.id.au Tue Jan 3 03:41:48 2017
From: christian.heinrich at cmlh.id.au (Christian Heinrich)
Date: Tue, 3 Jan 2017 13:41:48 +1100
Subject: Counterarguments Supporting GnuPG over Off The Record (OTR)
Message-ID:

https://www.foo.be/2016/12/OpenPGP-really-works outlines a number of counter-arguments in support of GnuPG over OTR chat app and other alternatives.
--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

From lewisurn at gmail.com Tue Jan 3 05:41:07 2017
From: lewisurn at gmail.com (Lou Wynn)
Date: Mon, 2 Jan 2017 20:41:07 -0800
Subject: Counterarguments Supporting GnuPG over Off The Record (OTR)
In-Reply-To:
References:
Message-ID:

The author's stand is hilarious to me. He is "My day-to-day work is in the field of information security and especially incident handling, analysis and response. " That is to say, he's a security expert. But he compares himself with Johnny by quoting "Why Johnny Can't Encrypt"

Actually, there is a more recent paper called "Why Johnny Still, Still Can't Encrypt: Evaluating the Usability of a Modern PGP Client" https://arxiv.org/pdf/1510.08555.pdf

In my observation, what this type of papers point out is obvious: It is non-trivial for non-technical people to make PGP work.

On 01/02/2017 06:41 PM, Christian Heinrich wrote:
> https://www.foo.be/2016/12/OpenPGP-really-works outlines a number of
> counter-arguments in support of GnuPG over OTR chat app and other
> alternatives.
>

--
Thanks,
Lou

From dkg at fifthhorseman.net Tue Jan 3 08:55:46 2017
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 03 Jan 2017 02:55:46 -0500
Subject: File perms for conf files
In-Reply-To: <54b19661-566a-868b-4b71-e366674e03d2@sixdemonbag.org>
References: <54b19661-566a-868b-4b71-e366674e03d2@sixdemonbag.org>
Message-ID: <878tqso9vh.fsf@alice.fifthhorseman.net>

On Sat 2016-12-31 14:59:48 -0500, Robert J. Hansen wrote:
>> I'm now at the point where I need to restore files
>> from a zip archive, and part of that means ensuring I have the correct
>> POSIX permissions on each file.
>
> I'm going with 0x0644 (-rw-r--r--) on the .conf files, 0x0755
> (-rwxr-xr-x) on the directories, and 0x0600 (-rw-------) on all files
> other than .confs.

I think this is going to result in a warning about too-loose permissions for the .gnupg directory itself, which should probably be 0700.

hth,

--dkg

From dkg at fifthhorseman.net Tue Jan 3 15:05:19 2017
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 03 Jan 2017 09:05:19 -0500
Subject: export encryption (subkey) only?
In-Reply-To:
References:
Message-ID: <87inpwme74.fsf@alice.fifthhorseman.net>

On Mon 2017-01-02 13:27:35 -0500, Lou Wynn wrote:
> I tried to export an encryption subkey only with GPG2, but importing the
> subkey also lists the primary key. The man page of
> --export-secret-subkeys reads:
>
> The second form of the command has the special property to render the
> secret part of the primary key useless; this is a GNU extension to
> OpenPGP and other implementations can not be expected to successfully
> import such a key. Its intended use is to generated a full key with
> an additional signing subkey on a dedicated machine and then using
> this command to export the key without the primary key to the main
> machine.
>
> It means that although the primary key is imported and listed, it is not
> usable.
>
> Has anyone had experience with this and been able to confirm it?

yes, the documentation is correct. When using export-secret-subkeys, the primary key is exported with a stripped set of secret key parameters, so it is importable, but not usable.

If you want to inspect this to ensure it's correct, you can look at the exported transferable secret key with gpg --list-packets (which will show the stripped secret key material as using "gnu-dummy S2K") or pgpdump (which will show the stripped secret key material as "GnuPG gnu-dummy (s2k 1001)").

> I'm also thinking about making two separate master keys, and doing so
> seems to make me avoid the confusion of master-subkeys and make the
> solution more portable in different implementations.

While this might be marginally more usable by some of your organization's staff, it sounds significantly more complicated and confusing to the external parties who your staff is going to talk to.

You should stick with a single public certificate per user (containing the two keys that you describe) so that your users' correspondents don't have to juggle multiple keys per person they communicate with.

--dkg

From gnupg at oliverklee.de Tue Jan 3 21:07:42 2017
From: gnupg at oliverklee.de (Oliver Klee)
Date: Tue, 3 Jan 2017 21:07:42 +0100
Subject: informations on installation ubuntu 16.04
In-Reply-To: <488108398.3500821.1483054995700@mail.yahoo.com>
References: <488108398.3500821.1483054995700.ref@mail.yahoo.com> <488108398.3500821.1483054995700@mail.yahoo.com>
Message-ID: <4c275f97-9ffe-5c1b-eb29-b6618ddaba5a@oliverklee.de>

Hi Jussi,

On 30.12.2016 at 00:43, Jussi Fabre wrote:
> I try to install this software. Here is what is happening.

any particular reason why you are compiling yourself instead of using the packages provided by Ubuntu?

(I'm on Ubuntu 16.04 as well, and GPG works fine for me there with a YubiKey.)

Oliver

From lewisurn at gmail.com Tue Jan 3 23:45:57 2017
From: lewisurn at gmail.com (Lou Wynn)
Date: Tue, 3 Jan 2017 14:45:57 -0800
Subject: export encryption (subkey) only?
In-Reply-To: <87inpwme74.fsf@alice.fifthhorseman.net>
References: <87inpwme74.fsf@alice.fifthhorseman.net>
Message-ID: <61f6cd00-51cf-ab54-d3f9-b02bc44110aa@gmail.com>

On 01/03/2017 06:05 AM, Daniel Kahn Gillmor wrote:
> You should stick with a single public certificate per user (containing
> the two keys that you describe) so that your users' correspondents don't
> have to juggle multiple keys per person they communicate with.
>
> --dkg

I overlooked this point, and it's important in the PGP world. One of my goals is simplifying key management for organizational employees, and it's nice to keep it interchangeable with people outside.

Thank everyone for helpful discussion.

--
Thanks,
Lou

From peter at digitalbrains.com Wed Jan 4 14:53:35 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Wed, 4 Jan 2017 14:53:35 +0100
Subject: Meaning of "text user ID's"?
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I'm signing keys after a keysigning party, using GnuPG 2.1.16. Issuing - --edit-key sign, I'm asked:

"Really sign all text user IDs? (y/N)"

Now here's what I see (anonymized):

> gpg (GnuPG) 2.1.16; Copyright (C) 2016 Free Software Foundation, Inc. This
> is free software: you are free to change and redistribute it. There is NO
> WARRANTY, to the extent permitted by law.
>
>
> pub rsa4096/XXXXXXXXXXXXXXXX created: 2015-10-11 expires: never
> usage: SC sub rsa4096/XXXXXXXXXXXXXXXX created: 2015-10-11 expires: never
> usage: E sub rsa4096/XXXXXXXXXXXXXXXX created: 2015-10-15 expires: never
> usage: S [ unknown] (1). Bob Alisson [ unknown] (2) Bob
> Alisson [ unknown] (3) Bob Alisson
> [ unknown] (4) Bob Alisson
> [ unknown] (5) [jpeg image of size 8148]
>
> Really sign all text user IDs? (y/N) y
>
> pub rsa4096/XXXXXXXXXXXXXXXX created: 2015-10-11 expires: never
> usage: SC Primary key fingerprint: [...]
>
> Bob Alisson Bob Alisson Bob Alisson
> Bob Alisson [jpeg image of
> size 8148]
>
> Are you sure that you want to sign this key with your key "Peter Lebbing
> " (AC46EFE6DE500B3E)

So how come that the jpeg image is about to be signed as well? What does "TEXT user ID" mean? I would have expected only the other UID's to be signed. Is this a bug in my head or in the code?

Cheers,

Peter.

PS: Alice is Bob's forebear.

- --
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at

From kristian.fiskerstrand at sumptuouscapital.com Wed Jan 4 14:56:43 2017
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Wed, 4 Jan 2017 14:56:43 +0100
Subject: Meaning of "text user ID's"?
In-Reply-To:
References:
Message-ID:

On 01/04/2017 02:53 PM, Peter Lebbing wrote:
> So how come that the jpeg image is about to be signed as well? What does "TEXT
> user ID" mean? I would have expected only the other UID's to be signed. Is this
> a bug in my head or in the code?

What gives you the indication that the UAT is about to be signed?
(can try it and not save/delete public key without publishing to see actual result)

--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Cogito ergo sum
I think, therefore I am

From peter at digitalbrains.com Wed Jan 4 14:58:27 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Wed, 4 Jan 2017 14:58:27 +0100
Subject: Meaning of "text user ID's"?
In-Reply-To:
References:
Message-ID: <46bf8da6-26f3-1c37-9244-c78c22c2224b@digitalbrains.com>

(Ah, isn't that nice, Enigmail reformats the message when I do a signature. Manually restored some sanity)

I'm signing keys after a keysigning party, using GnuPG 2.1.16. Issuing --edit-key sign, I'm asked:

"Really sign all text user IDs? (y/N)"

Now here's what I see (anonymized):

> gpg (GnuPG) 2.1.16; Copyright (C) 2016 Free Software Foundation, Inc. This
> is free software: you are free to change and redistribute it. There is NO
> WARRANTY, to the extent permitted by law.
>
>
> pub rsa4096/XXXXXXXXXXXXXXXX created: 2015-10-11 expires: never usage: SC
> sub rsa4096/XXXXXXXXXXXXXXXX created: 2015-10-11 expires: never usage: E
> sub rsa4096/XXXXXXXXXXXXXXXX created: 2015-10-15 expires: never usage: S
> [ unknown] (1). Bob Alisson
> [ unknown] (2) Bob Alisson
> [ unknown] (3) Bob Alisson
> [ unknown] (4) Bob Alisson
> [ unknown] (5) [jpeg image of size 8148]
>
> Really sign all text user IDs? (y/N) y
>
> pub rsa4096/XXXXXXXXXXXXXXXX
> created: 2015-10-11 expires: never usage: SC
> Primary key fingerprint: [...]
>
> Bob Alisson
> Bob Alisson
> Bob Alisson
> Bob Alisson
> [jpeg image of size 8148]
>
> Are you sure that you want to sign this key with your key "Peter Lebbing
> " (AC46EFE6DE500B3E)

So how come that the jpeg image is about to be signed as well? What does "TEXT user ID" mean? I would have expected only the other UID's to be signed. Is this a bug in my head or in the code?

Cheers,

Peter.

PS: Alice is Bob's forebear.

From peter at digitalbrains.com Wed Jan 4 15:00:39 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Wed, 4 Jan 2017 15:00:39 +0100
Subject: Meaning of "text user ID's"?
In-Reply-To:
References:
Message-ID: <87e34b6e-48f3-2150-25ed-7f6f40958dc5@digitalbrains.com>

On 04/01/17 14:56, Kristian Fiskerstrand wrote:
> What gives you the indication that the UAT is about to be signed?

First and foremost, that it was actually signed when I agreed. I deleted the signature afterwards.

Secondly, I just posted again with a bit more readable text :-). You can clearly see it is proposing to do it.

Cheers,

Peter.

From kristian.fiskerstrand at sumptuouscapital.com Wed Jan 4 15:02:36 2017
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Wed, 4 Jan 2017 15:02:36 +0100
Subject: Meaning of "text user ID's"?
In-Reply-To: <87e34b6e-48f3-2150-25ed-7f6f40958dc5@digitalbrains.com>
References: <87e34b6e-48f3-2150-25ed-7f6f40958dc5@digitalbrains.com>
Message-ID: <69537182-962b-0e4e-0103-e80d66fc05b7@sumptuouscapital.com>

On 01/04/2017 03:00 PM, Peter Lebbing wrote:
> On 04/01/17 14:56, Kristian Fiskerstrand wrote:
>> What gives you the indication that the UAT is about to be signed?
>
> First and foremost, that it was actually signed when I agreed. I deleted the
> signature afterwards.
>
> Secondly, I just posted again with a bit more readable text :-). You can clearly
> see it is proposing to do it.
>

Gotcha :)

--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Nil desperandum
Never give up

From gnupg-users.dirk at o.banes.ch Wed Jan 4 17:15:16 2017
From: gnupg-users.dirk at o.banes.ch (gnupg-users.dirk at o.banes.ch)
Date: Wed, 4 Jan 2017 17:15:16 +0100
Subject: gpg-agent has to be restarted after GnuPG SmartCard pulled from reader
Message-ID: <98575761-5d20-8202-5123-408afc299532@o.banes.ch>

Hello all,

I recently changed to the GnuPG Smartcard which in general works fine for eMail and for SSH authentication (on Ubuntu 16.10). The only problem I encountered was that when I pull the card from the reader and reinsert it the gpg-agent will not recover. I have to kill him

gpgconf --kill gpg-agent.

I checked the logs for gpg-agent, scdaemon and pcscd. The only suspicious thing I found was this in the pcscd output.

#normal operation
00500755 winscard_svc.c:353:ContextThread() Received command: CMD_GET_READERS_STATE from client 14
00500775 winscard_svc.c:353:ContextThread() Received command: CMD_GET_READERS_STATE from client 14
00500746 winscard_svc.c:353:ContextThread() Received command: CMD_GET_READERS_STATE from client 14
00500754 winscard_svc.c:353:ContextThread() Received command: CMD_GET_READERS_STATE from client 14
#remove card
00481042 eventhandler.c:357:EHStatusHandlerThread() Card Removed From OMNIKEY AG 3121 USB 00 00
00019695 winscard_svc.c:353:ContextThread() Received command: CMD_GET_READERS_STATE from client 14
#insert card
03660811 ifdhandler.c:1146:IFDHPowerICC() action: PowerUp, usb:076b/3022:libudev:0:/dev/bus/usb/001/008 (lun: 0)
0032199 eventhandler.c:405:EHStatusHandlerThread() powerState: POWER_STATE_POWERED
00000025 eventhandler.c:422:EHStatusHandlerThread() Card inserted into OMNIKEY AG 3121 USB 00 00
00000013 Card ATR: 3B DA 18 FF 81 B1 FE 75 1F 03 00 31 C5 73 C0 01 40 00 90 00 0C
#query card
02063947 winscard_msg_srv.c:253:ProcessEventsServer() Common channel packet arrival
00000025 winscard_msg_srv.c:265:ProcessEventsServer() ProcessCommonChannelRequest detects: 15
00000007 pcscdaemon.c:134:SVCServiceRunLoop() A new context thread creation is requested: 15
00000093 winscard_svc.c:331:ContextThread() Authorized PC/SC client
00000018 winscard_svc.c:335:ContextThread() Thread is started: dwClientID=15, threadContext @0x9d5560
00000019 winscard_svc.c:353:ContextThread() Received command: CMD_VERSION from client 15
00000009 winscard_svc.c:365:ContextThread() Client is protocol version 4:3
00000006 winscard_svc.c:385:ContextThread() CMD_VERSION rv=0x0 for client 15
00000083 winscard_svc.c:353:ContextThread() Received command: ESTABLISH_CONTEXT from client 15
00000014 winscard.c:215:SCardEstablishContext() Establishing Context: 0x5FFCC3AF
00000005 winscard_svc.c:446:ContextThread() ESTABLISH_CONTEXT rv=0x0 for client 15
00000059 winscard_svc.c:353:ContextThread() Received command: CMD_GET_READERS_STATE from client 15
00000037 winscard_svc.c:353:ContextThread() Received command: CMD_GET_READERS_STATE from client 15
00000269 winscard_svc.c:353:ContextThread() Received command: CONNECT from client 15
00000035 winscard_svc.c:484:ContextThread() Authorized client for 'OMNIKEY AG 3121 USB 00 00'
00000006 winscard.c:257:SCardConnect() Attempting Connect to OMNIKEY AG 3121 USB 00 00 using protocol: 3
00000006 readerfactory.c:768:RFReaderInfo() RefReader() count was: 1
# Suspicious ?
00000005 winscard.c:284:SCardConnect() Error Reader Exclusive
00000004 winscard.c:512:SCardConnect() UnrefReader() count was: 2
00000006 winscard_svc.c:498:ContextThread() CONNECT rv=0x8010000B for client 15
02935987 ifdhandler.c:1146:IFDHPowerICC() action: PowerDown, usb:076b/3022:libudev:0:/dev/bus/usb/001/008 (lun: 0)
00000474 eventhandler.c:481:EHStatusHandlerThread() powerState: POWER_STATE_UNPOWERED

I can not figure out what is the problem. Neither did I find anything in the documentation / Google.

Is this common? Does anyone have an idea where this problem comes from? Maybe it is just that I'm doing something wrong.

Happy to provide more information if needed.

thanks and best regards

Dirk

From peter at digitalbrains.com Wed Jan 4 18:51:49 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Wed, 4 Jan 2017 18:51:49 +0100
Subject: gpg-agent has to be restarted after GnuPG SmartCard pulled from reader
In-Reply-To: <98575761-5d20-8202-5123-408afc299532@o.banes.ch>
References: <98575761-5d20-8202-5123-408afc299532@o.banes.ch>
Message-ID:

I think you should be able to use this card reader without pcscd, using the internal CCID driver of GnuPG[1]. Just stop and disable pcscd, hopefully GnuPG will find the reader and use it right away. That might solve your problem. I use GnuPG's internal CCID driver, and it is completely resilient against both pulling the card as well as unplugging the reader.

HTH,

Peter.

[1] https://www.gnupg.org/howtos/card-howto/en/ch02s02.html

From gnupg-users.dirk at o.banes.ch Wed Jan 4 21:14:46 2017
From: gnupg-users.dirk at o.banes.ch (gnupg-users.dirk at o.banes.ch)
Date: Wed, 4 Jan 2017 21:14:46 +0100
Subject: gpg-agent has to be restarted after GnuPG SmartCard pulled from reader
In-Reply-To:
References: <98575761-5d20-8202-5123-408afc299532@o.banes.ch>
Message-ID: <77510ea2-780f-2974-0c16-813047ab0d22@o.banes.ch>

Hi Peter,

thanks for your reply but it is now not working at all. Even if my reader - Omnikey 3121 is listed in your link.

o.k. I removed pcscd and changed the scdaemon.conf to this:

card-timeout 5
#disable-ccid
debug-level basic
log-file /home/dirk/scdaemon.log
debug-ccid-driver

scdaemon Log

2017-01-04 21:08:31 scdaemon[3398] listening on socket '/run/user/1000/gnupg/S.scdaemon'
2017-01-04 21:08:31 scdaemon[3398] handler for fd -1 started
2017-01-04 21:08:31 scdaemon[3398] DBG: ccid-driver: using CCID reader 0 (ID=076B:3022:X:0)
2017-01-04 21:08:31 scdaemon[3398] DBG: ccid-driver: idVendor: 076B idProduct: 3022 bcdDevice: 0204
2017-01-04 21:08:31 scdaemon[3398] DBG: ccid-driver: ChipCard Interface Descriptor:
2017-01-04 21:08:31 scdaemon[3398] DBG: ccid-driver: bLength 54
2017-01-04 21:08:31 scdaemon[3398] DBG: ccid-driver: bDescriptorType 33
2017-01-04 21:08:31 scdaemon[3398] DBG: ccid-driver: bcdCCID 1.00
2017-01-04 21:08:31 scdaemon[3398] DBG: ccid-driver: nMaxSlotIndex 0
2017-01-04 21:08:31 scdaemon[3398] DBG: ccid-driver: bVoltageSupport 7 ?
2017-01-04 21:08:31 scdaemon[3398] DBG: ccid-driver: dwProtocols 3 T=0 T=1
2017-01-04 21:08:31 scdaemon[3398] DBG: ccid-driver: dwDefaultClock 4800
2017-01-04 21:08:31 scdaemon[3398] DBG: ccid-driver: dwMaxiumumClock 8000
2017-01-04 21:08:31 scdaemon[3398] DBG: ccid-driver: bNumClockSupported 4
2017-01-04 21:08:31 scdaemon[3398] DBG: ccid-driver: dwDataRate 10752 bps
2017-01-04 21:08:31 scdaemon[3398] DBG: ccid-driver: dwMaxDataRate 412903 bps
2017-01-04 21:08:31 scdaemon[3398] DBG: ccid-driver: bNumDataRatesSupp. 106
2017-01-04 21:08:31 scdaemon[3398] DBG: ccid-driver: dwMaxIFSD 492
2017-01-04 21:08:31 scdaemon[3398] DBG: ccid-driver: dwSyncProtocols 00000007 2-wire 3-wire I2C
2017-01-04 21:08:31 scdaemon[3398] DBG: ccid-driver: dwMechanical 00000000
2017-01-04 21:08:31 scdaemon[3398] DBG: ccid-driver: dwFeatures 000407B2
2017-01-04 21:08:31 scdaemon[3398] DBG: ccid-driver: Auto configuration based on ATR (assumes auto voltage)
2017-01-04 21:08:31 scdaemon[3398] DBG: ccid-driver: Auto clock change
2017-01-04 21:08:31 scdaemon[3398] DBG: ccid-driver: Auto baud rate change
2017-01-04 21:08:31 scdaemon[3398] DBG: ccid-driver: Auto PPS made by CCID
2017-01-04 21:08:31 scdaemon[3398] DBG: ccid-driver: CCID can set ICC in clock stop mode
2017-01-04 21:08:31 scdaemon[3398] DBG: ccid-driver: NAD value other than 0x00 accepted
2017-01-04 21:08:31 scdaemon[3398] DBG: ccid-driver: Auto IFSD exchange
2017-01-04 21:08:31 scdaemon[3398] DBG: ccid-driver: Short and extended APDU level exchange
2017-01-04 21:08:31 scdaemon[3398] DBG: ccid-driver: dwMaxCCIDMsgLen 502
2017-01-04 21:08:31 scdaemon[3398] DBG: ccid-driver: bClassGetResponse echo
2017-01-04 21:08:31 scdaemon[3398] DBG: ccid-driver: bClassEnvelope echo
2017-01-04 21:08:31 scdaemon[3398] DBG: ccid-driver: wlcdLayout none
2017-01-04 21:08:31 scdaemon[3398] DBG: ccid-driver: bPINSupport 0
2017-01-04 21:08:31 scdaemon[3398] DBG: ccid-driver: bMaxCCIDBusySlots 1
2017-01-04 21:08:36 scdaemon[3398] DBG: ccid-driver: usb_bulk_write error: LIBUSB_ERROR_TIMEOUT
2017-01-04 21:08:36 scdaemon[3398] reader slot 0: using ccid driver
2017-01-04 21:08:36 scdaemon[3398] DBG: chan_5 -> OK GNU Privacy Guard's Smartcard server ready
2017-01-04 21:08:41 scdaemon[3398] DBG: ccid-driver: usb_bulk_write error: LIBUSB_ERROR_TIMEOUT
2017-01-04 21:08:41 scdaemon[3398] DBG: chan_5 <- GETINFO socket_name
2017-01-04 21:08:41 scdaemon[3398] DBG: chan_5 -> D /run/user/1000/gnupg/S.scdaemon
2017-01-04 21:08:41 scdaemon[3398] DBG: chan_5 -> OK
2017-01-04 21:08:41 scdaemon[3398] DBG: chan_5 <- OPTION event-signal=12
2017-01-04 21:08:41 scdaemon[3398] DBG: chan_5 -> OK
2017-01-04 21:08:41 scdaemon[3398] DBG: chan_5 <- GETINFO version
2017-01-04 21:08:41 scdaemon[3398] DBG: chan_5 -> D 2.1.15
2017-01-04 21:08:41 scdaemon[3398] DBG: chan_5 -> OK
2017-01-04 21:08:41 scdaemon[3398] DBG: chan_5 <- SERIALNO openpgp
2017-01-04 21:08:46 scdaemon[3398] DBG: ccid-driver: usb_bulk_write error: LIBUSB_ERROR_TIMEOUT
2017-01-04 21:08:46 scdaemon[3398] DBG: Removal of a card: 0
2017-01-04 21:08:46 scdaemon[3398] DBG: chan_5 -> ERR 100696144 No such device

On 04.01.2017 18:51, Peter Lebbing wrote:
> I think you should be able to use this card reader without pcscd, using the
> internal CCID driver of GnuPG[1]. Just stop and disable pcscd, hopefully GnuPG
> will find the reader and use it right away. That might solve your problem. I use
> GnuPG's internal CCID driver, and it is completely resilient against both
> pulling the card as well as unplugging the reader.
>
> HTH,
>
> Peter.
>
> [1] https://www.gnupg.org/howtos/card-howto/en/ch02s02.html
>

From lewisurn at gmail.com Wed Jan 4 22:29:50 2017
From: lewisurn at gmail.com (Lou Wynn)
Date: Wed, 4 Jan 2017 13:29:50 -0800
Subject: exported subkey usage?
Message-ID:

Hi,

I created a master key and two subkeys with one subkey being signing and the other encryption. I then exported the two subkeys only.
However, when I used pgpdump to inspect packet types, both subkeys are
marked as "RSA Encrypt or Sign (pub 1)." When I used another program
whose backend is BouncyCastle's PGP engine, the program cannot tell
which subkey is for what.

I deleted the key in my keyring and used GPG2 to import the two subkeys
back. To my surprise, they are correctly marked as [S] and [E].

What is going on here? Does GPG2 use some special way to mark the usage
of a subkey? How can I make it interchangeable with other programs?

I've attached the master key and the two subkeys to this letter so that
you can inspect them (I made up other info just for testing, so don't
worry about it). The OneMasterTwoSubkey has the master key with two
subkeys, and the other only has the subkeys. The passphrase is "1".

-- 
Thanks,
Lou
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OneMasterTwoSubkey
Type: application/octet-stream
Size: 4393 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: TwoSubkeyOnly
Type: application/octet-stream
Size: 3704 bytes
Desc: not available
URL:

From dkg at fifthhorseman.net Wed Jan 4 23:46:50 2017
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 04 Jan 2017 17:46:50 -0500
Subject: exported subkey usage?
In-Reply-To:
References:
Message-ID: <87wpeaigth.fsf@alice.fifthhorseman.net>

On Wed 2017-01-04 16:29:50 -0500, Lou Wynn wrote:
> What is going on here? Does GPG2 use some special way to mark the usage
> of a subkey? How can I make it interchangeable with other programs?

the "public key algorithm" is "RSA (Encrypt or Sign)".

The usage info is stored in the "key flags" subpackets in
self-signatures (over uids for the primary key, and binding signatures
for the subkeys).
Please see:

  https://tools.ietf.org/html/rfc4880#section-5.2.3.21
  https://tools.ietf.org/html/rfc4880#section-9.1

the "public key algorithm" values 2 (RSA Encrypt-only) and 3 (RSA
sign-only) are deprecated.

    --dkg

From rogerx.oss at gmail.com Thu Jan 5 06:35:35 2017
From: rogerx.oss at gmail.com (Roger)
Date: Thu, 5 Jan 2017 00:35:35 -0500
Subject: Test Mail
Message-ID: <20170105053534.GB15311@localhost4.local>

Test mail to mailing list testing GNUPG signing, appearance and hopefully
conforming to mailing list standards.

-- 
Roger
http://rogerx.freeshell.org/

From wk at gnupg.org Thu Jan 5 20:18:27 2017
From: wk at gnupg.org (Werner Koch)
Date: Thu, 05 Jan 2017 20:18:27 +0100
Subject: gpg-agent has to be restarted after GnuPG SmartCard pulled from reader
In-Reply-To: <77510ea2-780f-2974-0c16-813047ab0d22@o.banes.ch> (gnupg-users dirk's message of "Wed, 4 Jan 2017 21:14:46 +0100")
References: <98575761-5d20-8202-5123-408afc299532@o.banes.ch> <77510ea2-780f-2974-0c16-813047ab0d22@o.banes.ch>
Message-ID: <87inpt71to.fsf@wheatstone.g10code.de>

On Wed, 4 Jan 2017 21:14, gnupg-users.dirk at o.banes.ch said:

> thanks for your reply but it is now not working at all. Even if my reader
> - Omnikey 3121 is listed in your link.

Omnikey readers simply don't work correctly with 2k keys or larger. Get
a real reader and not that messy hardware which needs its proprietary
Windows driver to work correctly with standard key lengths.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
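Daniel Kahn Gillmor's reply above places key usage in the key flags subpacket (type 27) of the self-signature or subkey binding signature rather than in the public-key algorithm number, which is why pgpdump shows both subkeys as algorithm 1. The Python sketch below is an added example, not code from the thread or from GnuPG: it walks a binary OpenPGP stream and reports the key flags in the hashed area of each v4 signature. Function names and the sample packets are constructed for illustration, and the sketch does not verify the signatures.

```python
# Added example: read OpenPGP key flags from v4 signature packets.
# Function names and the sample bytes are constructed for illustration.
KEY_FLAG_BITS = {            # first octet, RFC 4880 section 5.2.3.21
    0x01: "certify", 0x02: "sign",
    0x04: "encrypt-communications", 0x08: "encrypt-storage",
    0x20: "authenticate",
}
TAG_SIGNATURE = 2
SUBPACKET_KEY_FLAGS = 27

def _take(data, pos, count):
    """Return data[pos:pos+count], failing loudly on truncated input."""
    if count < 0 or pos + count > len(data):
        raise ValueError("truncated OpenPGP data")
    return data[pos:pos + count]

def _length(data, pos, two_octet_limit):
    """Decode a new-format length at pos; return (length, next_pos).

    Packet headers use two-octet lengths for first octets 192..223,
    signature subpackets for 192..254; 255 means four octets follow.
    """
    first = _take(data, pos, 1)[0]
    if first < 192:
        return first, pos + 1
    if first <= two_octet_limit:
        second = _take(data, pos, 2)[1]
        return ((first - 192) << 8) + second + 192, pos + 2
    if first == 255:
        return int.from_bytes(_take(data, pos + 1, 4), "big"), pos + 5
    raise ValueError("partial body lengths are not handled here")

def iter_packets(data):
    """Yield (tag, body) for each packet of a binary, non-armored stream."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                       # new-format header
            tag = ctb & 0x3F
            length, pos = _length(data, pos + 1, 223)
        else:                                # old-format header
            tag = (ctb >> 2) & 0x0F
            width = {0: 1, 1: 2, 2: 4}.get(ctb & 0x03)
            if width is None:
                raise ValueError("indeterminate length is not handled here")
            length = int.from_bytes(_take(data, pos + 1, width), "big")
            pos += 1 + width
        yield tag, _take(data, pos, length)
        pos += length

def iter_subpackets(area):
    """Yield (type, critical, payload) for one signature subpacket area."""
    pos = 0
    while pos < len(area):
        length, pos = _length(area, pos, 254)
        chunk = _take(area, pos, length)
        if not chunk:
            raise ValueError("empty subpacket")
        yield chunk[0] & 0x7F, bool(chunk[0] & 0x80), chunk[1:]
        pos += length

def signature_key_flags(body):
    """Return (sig_type, pubkey_algo, flags) for a v4 signature, else None.

    Only the hashed area is read: unhashed subpackets are not covered by
    the signature, so key flags found there could have been altered.
    """
    if _take(body, 0, 1)[0] != 4:
        return None                          # v3 signatures have no subpackets
    sig_type, pk_algo = _take(body, 1, 2)
    hashed_len = int.from_bytes(_take(body, 4, 2), "big")
    flags = None
    for stype, _critical, payload in iter_subpackets(_take(body, 6, hashed_len)):
        if stype == SUBPACKET_KEY_FLAGS and payload:
            flags = [n for bit, n in KEY_FLAG_BITS.items() if payload[0] & bit]
    return sig_type, pk_algo, flags

def usage_report(data):
    """Key flags of every v4 signature packet in the stream, in order."""
    found = (signature_key_flags(b) for t, b in iter_packets(data)
             if t == TAG_SIGNATURE)
    return [r for r in found if r is not None]

def _sample_binding_sig(flag_octet):
    """Constructed subkey binding signature (type 0x18, RSA, SHA-256).

    The MPI is filler, so this packet shows the layout but would not verify.
    """
    hashed = bytes([5, 2]) + (1483565390).to_bytes(4, "big")   # creation time
    hashed += bytes([2, SUBPACKET_KEY_FLAGS, flag_octet])       # key flags
    unhashed = bytes([9, 16]) + bytes(8)                        # issuer key ID
    body = bytes([4, 0x18, 1, 8]) + len(hashed).to_bytes(2, "big") + hashed
    body += len(unhashed).to_bytes(2, "big") + unhashed
    body += b"\x00\x00" + (8).to_bytes(2, "big") + b"\xff"      # left16, MPI
    return bytes([0xC0 | TAG_SIGNATURE, len(body)]) + body

# Two constructed binding signatures: one signing subkey, one encryption subkey.
SAMPLE = _sample_binding_sig(0x02) + _sample_binding_sig(0x0C)
```

For a real key, pass the binary (not armored) output of `gpg --export` to `usage_report`; both subkeys will show algorithm 1 and differ only in their flags.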

From pablo-gnupg at duckdalbe.org Thu Jan 5 21:07:04 2017
From: pablo-gnupg at duckdalbe.org (Pablo Santee)
Date: Thu, 5 Jan 2017 21:07:04 +0100
Subject: Non-interactive password-change with gnupg 2.0?
Message-ID: <2857ad40-f138-94bf-59d5-b37b520fa534@duckdalbe.org>

Hello,

I'm trying to write code to change the passphrase of a key without
user-interaction that works with both, gpg 2.0 and gpg 2.1.

For gpg 2.1 I'm using '--pinentry-mode loopback --command-fd 0
--status-fd 2' and an expect-style script (not a pretty concept, IMHO,
but it works).

For gpg 2.0 the only way I found was to write a custom pinentry-script,
pass it the passwords in PINENTRY_USER_DATA and give its path to the
gpg-agent with '--pinentry-program'. The custom pinentry-script stores
its state (how many times has the passphrase been asked for) in the
filesystem to access it across the three executions.

But I'd rather like to avoid to start a gpg-agent manually, and to
maintain another script (which has to write into the filesystem), if any
possible. Is there another way to do it?

Thankful for pointers,
Pablo

From rogerx.oss at gmail.com Thu Jan 5 21:56:18 2017
From: rogerx.oss at gmail.com (Roger)
Date: Thu, 5 Jan 2017 15:56:18 -0500
Subject: Test Mail
In-Reply-To: <3794B39B-EDA0-49DD-B193-2741B0FCE555@yahoo.com>
References: <20170105053534.GB15311@localhost4.local> <3794B39B-EDA0-49DD-B193-2741B0FCE555@yahoo.com>
Message-ID: <20170105205617.GA30176@localhost4.local>

Great. However I had no idea my mailing list post finally made it to the
mailing list, as the mailing list did not send a copy of my post; even
though this option is activated within the mailing list settings. (I see
similar activity on other mailing lists, with some merrily returning a
notice the poster's email made it to the mailing list.)
Viewing this email online, the GNUPG signature looks in similar format to
others' emails with the signature with email addresses removed or
stripped.

...looks good to me.

> On Thu, Jan 05, 2017 at 12:33:30PM -0500, Ahmad wrote:
>Got it...
>
>Sent from my iPhone
>
>> On Jan 5, 2017, at 12:35 AM, Roger wrote:
>>
>> Test mail to mailing list testing GNUPG signing, appearance and hopefully
>> conforming to mailing list standards.
>>
>> --
>> Roger
>> http://rogerx.freeshell.org/
>> _______________________________________________
>> Gnupg-users mailing list
>> Gnupg-users at gnupg.org
>> http://lists.gnupg.org/mailman/listinfo/gnupg-users

From kloecker at kde.org Thu Jan 5 23:11:13 2017
From: kloecker at kde.org (Ingo Klöcker)
Date: Thu, 05 Jan 2017 23:11:13 +0100
Subject: Test Mail
In-Reply-To: <20170105205617.GA30176@localhost4.local>
References: <20170105053534.GB15311@localhost4.local> <3794B39B-EDA0-49DD-B193-2741B0FCE555@yahoo.com> <20170105205617.GA30176@localhost4.local>
Message-ID: <3791125.TNGCCcvjR0@thufir>

On Thursday 05 January 2017 15:56:18 Roger wrote:
> Great. However I had no idea my mailing list post finally made it to
> the mailing list, as the mailing list did not send a copy of my post;
> even though this option is activated within the mailing list
> settings.

As others have pointed out in the past, that's due to Google thinking
that they know better than you how you want your email to be handled.
Gmail discards the copies of your own posts received from the mailing
list because those posts are already in your sent-mail folder.


Regards,
Ingo

From rogerx.oss at gmail.com Fri Jan 6 01:23:41 2017
From: rogerx.oss at gmail.com (Roger)
Date: Thu, 5 Jan 2017 19:23:41 -0500
Subject: Test Mail
In-Reply-To: <3791125.TNGCCcvjR0@thufir>
References: <20170105053534.GB15311@localhost4.local> <3794B39B-EDA0-49DD-B193-2741B0FCE555@yahoo.com> <20170105205617.GA30176@localhost4.local> <3791125.TNGCCcvjR0@thufir>
Message-ID: <20170106002341.GA10544@localhost4.local>

> On Thu, Jan 05, 2017 at 11:11:13PM +0100, Ingo Klöcker wrote:
>On Thursday 05 January 2017 15:56:18 Roger wrote:
>> Great. However I had no idea my mailing list post finally made it to
>> the mailing list, as the mailing list did not send a copy of my post;
>> even though this option is activated within the mailing list
>> settings.
>
>As others have pointed out in the past, that's due to Google thinking
>that they know better than you how you want your email to be handled.
>Gmail discards the copies of your own posts received from the mailing
>list because those posts are already in your sent-mail folder.
>

Yup. Sure enough, changing from the currently viewed default INBOX folder
to the GMail/"All Mail" folder reveals my posted emails to the list.

Only took me 2-4+ years to figure this one out.

From gnupg-users.dirk at o.banes.ch Fri Jan 6 10:06:40 2017
From: gnupg-users.dirk at o.banes.ch (gnupg-users.dirk at o.banes.ch)
Date: Fri, 6 Jan 2017 10:06:40 +0100
Subject: gpg-agent has to be restarted after GnuPG SmartCard pulled from reader
In-Reply-To: <87inpt71to.fsf@wheatstone.g10code.de>
References: <98575761-5d20-8202-5123-408afc299532@o.banes.ch> <77510ea2-780f-2974-0c16-813047ab0d22@o.banes.ch> <87inpt71to.fsf@wheatstone.g10code.de>
Message-ID: <74d2c302-f47c-ef08-15c9-85f86c2101fb@o.banes.ch>

Hi Werner,

thanks for your reply.
I was under the impression the OmniKey 3121 is a real reader since it is
on the how to [1].

What would be a good alternative before I buy another bad one.

And I have problems understanding how the issue is connected to the key
length.

The Problem as I see it from user perspective:
Everything works fine with my 4096 RSA keys (agent, Card access,
en/decryption/authentication) until I pull the card. When I insert it
again pcscd knows of it but the agent somehow does not "retry". I kill
the agent (which also kills the scdaemon) and then everything is fine
again.

Seems unrelated to key length since the general access does not work.

I'm happy to provide some logs.

best regards

Dirk

p.s. in the meantime I made a script which tails the scdaemon.log and
waits for "Removal of a card:"
and then kills the gpg-agent. Not a proper solution - but working so far.

[1] https://www.gnupg.org/howtos/card-howto/en/ch02s02.html

> Omnikey readers simply don't work correctly with 2k keys or larger. Get
> a real reader and not that messy hardware which needs its proprietary
> Windows driver to work correctly with standard key lengths.
>
>
> Salam-Shalom,
>
> Werner
>

From kristian.fiskerstrand at sumptuouscapital.com Fri Jan 6 10:30:25 2017
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Fri, 6 Jan 2017 10:30:25 +0100
Subject: gpg-agent has to be restarted after GnuPG SmartCard pulled from reader
In-Reply-To: <74d2c302-f47c-ef08-15c9-85f86c2101fb@o.banes.ch>
References: <98575761-5d20-8202-5123-408afc299532@o.banes.ch> <77510ea2-780f-2974-0c16-813047ab0d22@o.banes.ch> <87inpt71to.fsf@wheatstone.g10code.de> <74d2c302-f47c-ef08-15c9-85f86c2101fb@o.banes.ch>
Message-ID: <3644e989-2532-1899-af32-3fc187b2dfd0@sumptuouscapital.com>

On 01/06/2017 10:06 AM, gnupg-users.dirk at o.banes.ch wrote:
> p.s. in the meantime I made a script which tails the scdaemon.log and
> waits for "Removal of a card:"
> and then kills the gpg-agent.
> Not a proper solution - but working so far.

Why not use udev rule to watch for removal event?

-- 
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Dura necessitas
Necessity is harsh

From andrewg at andrewg.com Fri Jan 6 12:23:26 2017
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Fri, 6 Jan 2017 11:23:26 +0000
Subject: gpg-agent has to be restarted after GnuPG SmartCard pulled from reader
In-Reply-To: <3644e989-2532-1899-af32-3fc187b2dfd0@sumptuouscapital.com>
References: <98575761-5d20-8202-5123-408afc299532@o.banes.ch> <77510ea2-780f-2974-0c16-813047ab0d22@o.banes.ch> <87inpt71to.fsf@wheatstone.g10code.de> <74d2c302-f47c-ef08-15c9-85f86c2101fb@o.banes.ch> <3644e989-2532-1899-af32-3fc187b2dfd0@sumptuouscapital.com>
Message-ID:

On 06/01/17 09:30, Kristian Fiskerstrand wrote:
> On 01/06/2017 10:06 AM, gnupg-users.dirk at o.banes.ch wrote:
>> p.s. in the meantime I made a script which tails the scdaemon.log and
>> waits for "Removal of a card:"
>> and then kills the gpg-agent. Not a proper solution - but working so far.
>
> Why not use udev rule to watch for removal event?

Indeed.

Dirk,

I suspect you don't need to kill gpg-agent, just pcscd. I had to do the
same thing when I used an ACS USB reader on my work laptop, because it
already had a built in full-size reader that I couldn't use (I had
already punched out the SIM) but which would override the (removable)
USB reader because it was always found at startup.

Put the following in /etc/udev/rules.d/99-local.rules (one line) :

ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="072f", ATTR{idProduct}=="90cc", RUN+="/usr/sbin/service pcscd restart"

You will need to change the idVendor and idProduct to match your
hardware - these can be found using `lsusb` while the reader is plugged in.

A

From gnupg-users.dirk at o.banes.ch Fri Jan 6 10:51:26 2017
From: gnupg-users.dirk at o.banes.ch (gnupg-users.dirk at o.banes.ch)
Date: Fri, 6 Jan 2017 10:51:26 +0100
Subject: gpg-agent has to be restarted after GnuPG SmartCard pulled from reader
In-Reply-To: <3644e989-2532-1899-af32-3fc187b2dfd0@sumptuouscapital.com>
References: <98575761-5d20-8202-5123-408afc299532@o.banes.ch> <77510ea2-780f-2974-0c16-813047ab0d22@o.banes.ch> <87inpt71to.fsf@wheatstone.g10code.de> <74d2c302-f47c-ef08-15c9-85f86c2101fb@o.banes.ch> <3644e989-2532-1899-af32-3fc187b2dfd0@sumptuouscapital.com>
Message-ID: <0ec9570a-d2f8-6878-1ef6-b22b49f80a21@banes.ch>

Hi Kristian,

it is not the reader (USB Device) which is removed. It is the Card in
the reader. I would not know how to monitor this with udev.

Is this possible?

Best regards

Dirk

On 06.01.2017 10:30, Kristian Fiskerstrand wrote:

On 01/06/2017 10:06 AM, gnupg-users.dirk at o.banes.ch wrote:
> p.s. in the meantime I made a script which tails the scdaemon.log and
> waits for "Removal of a card:"
> and then kills the gpg-agent. Not a proper solution - but working so far.

Why not use udev rule to watch for removal event?

From gnupg-users.dirk at o.banes.ch Fri Jan 6 14:05:10 2017
From: gnupg-users.dirk at o.banes.ch (gnupg-users.dirk at o.banes.ch)
Date: Fri, 6 Jan 2017 14:05:10 +0100
Subject: gpg-agent has to be restarted after GnuPG SmartCard pulled from reader
In-Reply-To:
References: <98575761-5d20-8202-5123-408afc299532@o.banes.ch> <77510ea2-780f-2974-0c16-813047ab0d22@o.banes.ch> <87inpt71to.fsf@wheatstone.g10code.de> <74d2c302-f47c-ef08-15c9-85f86c2101fb@o.banes.ch> <3644e989-2532-1899-af32-3fc187b2dfd0@sumptuouscapital.com>
Message-ID:

Hi Andrew,

thanks for your input. And I gave it a try.

1) deactivated my script

2) added udev rule

ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="076b", ATTR{idProduct}=="3022", RUN+="/usr/sbin/service pcscd restart"

3) test drive - reader unplug - plug in (USB)

Jan 06 13:55:00 compd kernel: usb 1-5: USB disconnect, device number 7
Jan 06 13:55:00 compd systemd[1]: smartcard.target: Unit not needed anymore. Stopping.
Jan 06 13:55:00 compd systemd[1]: Stopped target Smart Card.
Jan 06 13:55:00 compd pcscd[2532]: 99999999 ccid_usb.c:783:WriteUSB() write failed (1/7): -4 LIBUSB_ERROR_NO_DEVICE
Jan 06 13:55:03 compd kernel: usb 1-5: new full-speed USB device number 8 using xhci_hcd
Jan 06 13:55:03 compd kernel: usb 1-5: New USB device found, idVendor=076b, idProduct=3022
Jan 06 13:55:03 compd kernel: usb 1-5: New USB device strings: Mfr=1, Product=2, SerialNumber=0
Jan 06 13:55:03 compd kernel: usb 1-5: Product: Smart Card Reader USB
Jan 06 13:55:03 compd kernel: usb 1-5: Manufacturer: OMNIKEY AG
Jan 06 13:55:03 compd mtp-probe[2713]: checking bus 1, device 8: "/sys/devices/pci0000:00/0000:00:14.0/usb1/1-5"
Jan 06 13:55:03 compd mtp-probe[2713]: bus: 1, device: 8 was not an MTP device
Jan 06 13:55:03 compd systemd[1]: Stopping PC/SC Smart Card Daemon...
Jan 06 13:55:03 compd systemd[1]: pcscd.service: Main process exited, code=exited, status=1/FAILURE
Jan 06 13:55:03 compd systemd[1]: Stopped PC/SC Smart Card Daemon.
Jan 06 13:55:03 compd systemd[1]: pcscd.service: Unit entered failed state.
Jan 06 13:55:03 compd systemd[1]: pcscd.service: Failed with result 'exit-code'.
Jan 06 13:55:03 compd systemd[1]: Started PC/SC Smart Card Daemon.
Jan 06 13:55:03 compd systemd[1]: Reached target Smart Card.

=> works for replugging USB.

4) test run without unplugging the reader, only pulling the card from the reader

dirk at compd:~$ gpg --card-status
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device
dirk at compd:~$ gpg --card-status
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device
dirk at compd:~$ gpg --card-status
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device
dirk at compd:~$ gpg --card-status
gpg: selecting openpgp failed: Card error
gpg: OpenPGP card not available: Card error

=> no usb activity in syslog
=> Failed

5) Works again

Your use case was you plug in the usb Card reader with an ID-1 Card
(SIM). I have a full sized ID-000 card (Credit Card Size). I never
unplug the reader.

thanks

best regards

Dirk

On 06.01.2017 12:23, Andrew Gallagher wrote:
> On 06/01/17 09:30, Kristian Fiskerstrand wrote:
>> On 01/06/2017 10:06 AM, gnupg-users.dirk at o.banes.ch wrote:
>>> p.s. in the meantime I made a script which tails the scdaemon.log and
>>> waits for "Removal of a card:"
>>> and then kills the gpg-agent. Not a proper solution - but working so far.
>> Why not use udev rule to watch for removal event?
> Indeed.
>
> Dirk,
>
> I suspect you don't need to kill gpg-agent, just pcscd. I had to do the
> same thing when I used an ACS USB reader on my work laptop, because it
> already had a built in full-size reader that I couldn't use (I had
> already punched out the SIM) but which would override the (removable)
> USB reader because it was always found at startup.
>
> Put the following in /etc/udev/rules.d/99-local.rules (one line) :
>
> ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="072f",
> ATTR{idProduct}=="90cc", RUN+="/usr/sbin/service pcscd restart"
>
> You will need to change the idVendor and idProduct to match your
> hardware - these can be found using `lsusb` while the reader is plugged in.
>
> A
>

From dgouttegattat at incenp.org Fri Jan 6 14:52:57 2017
From: dgouttegattat at incenp.org (Damien Goutte-Gattat)
Date: Fri, 6 Jan 2017 14:52:57 +0100
Subject: gpg-agent has to be restarted after GnuPG SmartCard pulled from reader
In-Reply-To: <74d2c302-f47c-ef08-15c9-85f86c2101fb@o.banes.ch>
References: <98575761-5d20-8202-5123-408afc299532@o.banes.ch> <77510ea2-780f-2974-0c16-813047ab0d22@o.banes.ch> <87inpt71to.fsf@wheatstone.g10code.de> <74d2c302-f47c-ef08-15c9-85f86c2101fb@o.banes.ch>
Message-ID: <603a0683-7faf-20d7-eb32-b22f57532509@incenp.org>

On 01/06/2017 10:06 AM, gnupg-users.dirk at o.banes.ch wrote:
> I was under the impression the OmniKey 3121 is a real reader since it is
> on the how to [1].

For what is worth, I have two such readers, which are working flawlessly
with the ccid driver [1] and with 2048-bit keys. I have not tried them
with the internal driver.

> What would be a good alternative before I buy another bad one.

I also have a SCM 3500 reader from SCM Microsystems (now Identiv), again
working flawlessly with the ccid driver.

> p.s. in the meantime I made a script which tails the scdaemon.log and
> waits for "Removal of a card:"
> and then kills the gpg-agent. Not a proper solution - but working so far.

Instead of watching the log, you could use a feature of Scdaemon: if the
file $GNUPGHOME/scd-event exists and is executable, it will be called on
every card reader status change.
For example, to act upon card removal, you could have the following:

#!/bin/sh

case "$8" in
NOCARD)
    # do something
    ;;
esac

See doc/examples/scd-event in GnuPG's source for more details of what
this script can do.

Damien

[1] http://pcsclite.alioth.debian.org/ccid.html

From wk at gnupg.org Fri Jan 6 20:23:02 2017
From: wk at gnupg.org (Werner Koch)
Date: Fri, 06 Jan 2017 20:23:02 +0100
Subject: gpg-agent has to be restarted after GnuPG SmartCard pulled from reader
In-Reply-To: <603a0683-7faf-20d7-eb32-b22f57532509@incenp.org> (Damien Goutte-Gattat's message of "Fri, 6 Jan 2017 14:52:57 +0100")
References: <98575761-5d20-8202-5123-408afc299532@o.banes.ch> <77510ea2-780f-2974-0c16-813047ab0d22@o.banes.ch> <87inpt71to.fsf@wheatstone.g10code.de> <74d2c302-f47c-ef08-15c9-85f86c2101fb@o.banes.ch> <603a0683-7faf-20d7-eb32-b22f57532509@incenp.org>
Message-ID: <878tqo56y1.fsf@wheatstone.g10code.de>

On Fri, 6 Jan 2017 14:52, dgouttegattat at incenp.org said:

> For what is worth, I have two such readers, which are working
> flawlessly with the ccid driver [1] and with 2048-bit keys. I have not
> tried them with the internal driver.

IIRC, I added some workarounds but eventually gave up due to too many
problems. Key generation always failed with Omnikey based readers and
signature creation only works in some cases.

I have a whole bunch of those readers and they are all crap. Well,
except for the Cherry keyboard, it does work well in the server room
(w/o card).

> the file $GNUPGHOME/scd-event exists and is executable, it will be
> called on every card reader status change.

I was about to tell this, too ;-)


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From gnupg-users.dirk at o.banes.ch Fri Jan 6 22:53:42 2017
From: gnupg-users.dirk at o.banes.ch (gnupg-users.dirk at o.banes.ch)
Date: Fri, 6 Jan 2017 22:53:42 +0100
Subject: gpg-agent has to be restarted after GnuPG SmartCard pulled from reader
In-Reply-To: <878tqo56y1.fsf@wheatstone.g10code.de>
References: <98575761-5d20-8202-5123-408afc299532@o.banes.ch> <77510ea2-780f-2974-0c16-813047ab0d22@o.banes.ch> <87inpt71to.fsf@wheatstone.g10code.de> <74d2c302-f47c-ef08-15c9-85f86c2101fb@o.banes.ch> <603a0683-7faf-20d7-eb32-b22f57532509@incenp.org> <878tqo56y1.fsf@wheatstone.g10code.de>
Message-ID: <2d302f6e-4f6c-6425-7831-d3a7f8fc0836@o.banes.ch>

Hi all,

thank you Damien and Werner for your recent replies.

Even if the reader is performing o.k. now to my amazement. When I used
the feature to create the keys on the card I ran into some strange and
not reproducible problems. I think this is what Werner refers to. Once I
decided to create the keys on my PC and uploaded them to the Card
everything works fine.

For the time being I think the solution is to go for scd-event. This
obviously beats to tail the logs. I will try this as soon I will get to
it.

However - for me it really looks like the scdaemon or gpg-agent are not
handling the existing events correctly. It might be worth looking into
it as well. I will not rule out misconfiguration by ubuntu or myself.

Recent publications are giving up on PGP/GPG which is clearly wrong in
my humble opinion. The key question is for all crypto -> how to securely
store your key. Even if SmartCards and alike (Yubikey) are "old
fashioned" and geek technology I think for security they are
irreplaceable.

Thanks and best regards

Dirk

On 06.01.2017 20:23, Werner Koch wrote:
> On Fri, 6 Jan 2017 14:52, dgouttegattat at incenp.org said:
>
>> For what is worth, I have two such readers, which are working
>> flawlessly with the ccid driver [1] and with 2048-bit keys. I have not
>> tried them with the internal driver.
> IIRC, I added some workarounds but eventually gave up due to too many
> problems. Key generation always failed with Omnikey based readers and
> signature creation only works in some cases.
>
> I have a whole bunch of those readers and they are all crap. Well,
> except for the Cherry keyboard, it does work well in the server room
> (w/o card).
>
>> the file $GNUPGHOME/scd-event exists and is executable, it will be
>> called on every card reader status change.
> I was about to tell this, too ;-)
>
>
> Salam-Shalom,
>
> Werner
>

From tlikonen at iki.fi Sat Jan 7 07:33:40 2017
From: tlikonen at iki.fi (Teemu Likonen)
Date: Sat, 07 Jan 2017 08:33:40 +0200
Subject: Alternatives for Omnikey
In-Reply-To: <74d2c302-f47c-ef08-15c9-85f86c2101fb@o.banes.ch> (gnupg-users dirk's message of "Fri, 6 Jan 2017 10:06:40 +0100")
References: <98575761-5d20-8202-5123-408afc299532@o.banes.ch> <77510ea2-780f-2974-0c16-813047ab0d22@o.banes.ch> <87inpt71to.fsf@wheatstone.g10code.de> <74d2c302-f47c-ef08-15c9-85f86c2101fb@o.banes.ch>
Message-ID: <87h95btm4b.fsf_-_@iki.fi>

gnupg-users dirk [2017-01-06 10:06:40+01] wrote:

> I was under the impression the OmniKey 3121 is a real reader since it
> is on the how to [1].
>
> What would be a good alternative before I buy another bad one.

I don't know about official recommendations but I have Yubikey 4¹ and
Nitrokey Pro² and they work fine. Software packages scdaemon and pcscd
(libccid 1.4.20) are needed but otherwise the keys work out-of-the-box
in Debian GNU/Linux 8 (Jessie).

1. https://www.yubico.com/products/yubikey-hardware/
2. https://shop.nitrokey.com/shop

-- 
/// Teemu Likonen - .-.. //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///

From list.gnupg-users at acme.nu Sun Jan 8 16:26:06 2017
From: list.gnupg-users at acme.nu (Jorgen Ottosson)
Date: Sun, 8 Jan 2017 16:26:06 +0100
Subject: fetch yields "rejected by import filter"
Message-ID: <0c33245fae52af50696aad74d47e07b5.squirrel@10.99.199.22>

Hi,

I'm having problems importing and thereafter using keys on another pc.
This is kinda annoying since it interferes with using cards smoothly on
different computers.

I have the privkey on a card, use the admin/fetch command to get the
pubkey down and thereafter use the card-status to generate the stubs,
right?

The thing is that when I enter 'fetch' I get error messages:

gpg: key xxxx: rejected by import filter

The URL on key, 'URL of public key' is indeed correct and I can easily
put it in a browser and see the pubkey.

So what is the problem? I noticed there are quite a few hits of
"rejected by import filter" when googling. I have seen this issue
several times before trying to use/test different cards on both Win and
Linux.

There seem to exist options relating to this:

--import-filter name=expr
--export-filter name=expr

but should I need to use these in config file to make these card
commands to work?

Right now I'm on: gpg (GnuPG) 2.0.30 (Gpg4win 2.3.3)
Card (in this particular case) 2.0 and keys 3072 bits.
Reader SCR335 seem not to have any issues.

What am I missing?

TIA,

From peter at digitalbrains.com Sun Jan 8 18:29:56 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Sun, 8 Jan 2017 18:29:56 +0100
Subject: fetch yields "rejected by import filter"
In-Reply-To: <0c33245fae52af50696aad74d47e07b5.squirrel@10.99.199.22>
References: <0c33245fae52af50696aad74d47e07b5.squirrel@10.99.199.22>
Message-ID: <4d0bb953-ee6f-77bb-ec09-e67bcb6ddf53@digitalbrains.com>

Hi,

> The URL on key, 'URL of public key' is indeed correct and I can easily put
> it in a browser and see the pubkey.

So what happens when you invoke

$ gpg2 -v --fetch-key [URL]?

Or for even more verbosity, do -vv.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From list.gnupg-users at acme.nu Mon Jan 9 00:19:56 2017
From: list.gnupg-users at acme.nu (Jorgen Ottosson)
Date: Mon, 9 Jan 2017 00:19:56 +0100
Subject: fetch yields "rejected by import filter"
Message-ID: <861787d04b2a9b7a8ba59b5ba400a291.squirrel@10.99.199.22>

Hi,

> So what happens when you invoke
>
> $ gpg2 -v --fetch-key [URL]?
>
> Or for even more verbosity, do -vv.
>
> HTH,
>
> Peter.

Well, that does work, after I put URL in quotes ("URL"), otherwise it
does not. Maybe the 'fetch' command in card-edit/admin is more picky
about what URLs actually work then. I'll try to keep that in mind.

If not other local issues played in, I got a card daemon error when
generating keys earlier too, but then the same procedure worked right
after.

Thanx,

From peter at digitalbrains.com Mon Jan 9 10:25:03 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Mon, 9 Jan 2017 10:25:03 +0100
Subject: fetch yields "rejected by import filter"
In-Reply-To: <861787d04b2a9b7a8ba59b5ba400a291.squirrel@10.99.199.22>
References: <861787d04b2a9b7a8ba59b5ba400a291.squirrel@10.99.199.22>
Message-ID:

On 09/01/17 00:19, Jorgen Ottosson wrote:
> Maybe the 'fetch' command in card-edit/admin is more picky about what
> URLs actually work then.

Or keys... Perhaps GnuPG somehow thinks that the downloaded key does not
match the key on card, and that is the reason it rejects the key by an
"import filter".

Could you either simply post the public key stuff and public output of
gpg about this key, or otherwise anonymise it in such a way that we can
still see the correspondences between key ID's?

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From gnupg-users.dirk at o.banes.ch Mon Jan 9 20:49:14 2017
From: gnupg-users.dirk at o.banes.ch (gnupg-users.dirk at o.banes.ch)
Date: Mon, 9 Jan 2017 20:49:14 +0100
Subject: Alternatives for Omnikey
In-Reply-To: <87h95btm4b.fsf_-_@iki.fi>
References: <98575761-5d20-8202-5123-408afc299532@o.banes.ch> <77510ea2-780f-2974-0c16-813047ab0d22@o.banes.ch> <87inpt71to.fsf@wheatstone.g10code.de> <74d2c302-f47c-ef08-15c9-85f86c2101fb@o.banes.ch> <87h95btm4b.fsf_-_@iki.fi>
Message-ID:

Hi Teemu,

thanks - I looked at those before. I guess I just have a preference for
the Cards - I can not really point the finger to - why.

best regards

Dirk

On 07.01.2017 07:33, Teemu Likonen wrote:
> gnupg-users dirk [2017-01-06 10:06:40+01] wrote:
>
>> I was under the impression the OmniKey 3121 is a real reader since it
>> is on the how to [1].
>>
>> What would be a good alternative before I buy another bad one.
> I don't know about official recommendations but I have Yubikey 4¹ and
> Nitrokey Pro²
and they work fine. Software packages scdaemon and pcscd > (libccid 1.4.20) are needed but otherwise the keys work out-of-the-box > in Debian GNU/Linux 8 (Jessie). > > > 1. https://www.yubico.com/products/yubikey-hardware/ > 2. https://shop.nitrokey.com/shop > From AliAjmi at bankmuscat.com Thu Jan 12 12:14:06 2017 From: AliAjmi at bankmuscat.com (Ali Hassan Hamed Al Ajmi (eChannels)) Date: Thu, 12 Jan 2017 11:14:06 +0000 Subject: GnuPG to create CSR Message-ID: <1E46221211FBA6429BADC35084A32174CB9891@HO-EXMBX-01.bmoman.bankmuscat.com> Hi, We are using GPG4win as files encryption tool which utilize "GnuPG" crypto engine. One of our requirements is to have certificate signed by our internal CA. since we have Microsoft CA, we need to create certification request that is compatible with Microsoft CA . Via gpg4win GUI, we are able to generate a X.509 keys CR (p10) that does not seem compatible with Microsoft CA. The questions are: Does "GnuPG" support creating CR (CSR) that is compatible with Microsoft CA (from command line/ other tools with GUI)? If Yes, how to generate a certification request that is compatible with Microsoft CA (CSR)? Can you please guide us to a manual /documentation where we will find such information. Best Regards Ali Al Ajmi Assistant Manager - eChannels Information Technology AliAjmi at bankmuscat.com T. +968 24801222 P.O. Box 134, P.C. 112 Ruwi, Sultanate of Oman [cid:image001.png at 01D2508F.518FA700] [cid:image005.jpg at 01CF3304.C768E5A0] [cid:image006.jpg at 01CF3304.C768E5A0] [cid:image007.jpg at 01CF3304.C768E5A0] [cid:image008.jpg at 01CF3304.C768E5A0] "Disclaimer! This email message is intended for the named recipient only. If you are not the intended recipient and if you have received this message by error, please immediately notify us through E-Mail at notify at bankmuscat.com and please delete this message from your system. 
From antony at blazrsoft.com Thu Jan 12 23:35:25 2017
From: antony at blazrsoft.com (Antony Prince)
Date: Thu, 12 Jan 2017 17:35:25 -0500
Subject: GnuPG to create CSR
In-Reply-To: <1E46221211FBA6429BADC35084A32174CB9891@HO-EXMBX-01.bmoman.bankmuscat.com>
References: <1E46221211FBA6429BADC35084A32174CB9891@HO-EXMBX-01.bmoman.bankmuscat.com>
Message-ID:

On 1/12/2017 6:14 AM, Ali Hassan Hamed Al Ajmi (eChannels) wrote:
>
> Does *"GnuPG" *support creating CR (CSR) that is compatible with
> Microsoft CA (from command line/ other tools with GUI)?

Not sure on that one.

> If Yes, how to generate a certification request that is compatible with
> Microsoft CA (CSR)?

Also not sure.

> Can you please guide us to a manual /documentation where we will find
> such information.

Personally, I use OpenSSL[1] for creating CSR's and signing them.
It appears that OpenSSL generated CSR's can be signed using Microsoft CA according to the documentation in an article[2] I found.

HTH,

Antony

[1]https://www.openssl.org
[2]https://support.forcepoint.com/KBArticle?id=How-to-use-OpenSSL-and-Microsoft-Certification-Authority

From antony at blazrsoft.com Fri Jan 13 02:06:58 2017
From: antony at blazrsoft.com (Antony Prince)
Date: Thu, 12 Jan 2017 20:06:58 -0500
Subject: GnuPG to create CSR
In-Reply-To:
References: <1E46221211FBA6429BADC35084A32174CB9891@HO-EXMBX-01.bmoman.bankmuscat.com>
Message-ID:

On 1/12/2017 5:35 PM, Antony Prince wrote:
> On 1/12/2017 6:14 AM, Ali Hassan Hamed Al Ajmi (eChannels) wrote:
>>
>> Does *"GnuPG" *support creating CR (CSR) that is compatible with
>> Microsoft CA (from command line/ other tools with GUI)?
>
> Not sure on that one.
>
>> If Yes, how to generate a certification request that is compatible with
>> Microsoft CA (CSR)?
>
> Also not sure.
>
>> Can you please guide us to a manual /documentation where we will find
>> such information.
>
> Personally, I use OpenSSL[1] for creating CSR's and signing them. It
> appears that OpenSSL generated CSR's can be signed using Microsoft CA
> according to the documentation in an article[2] I found.
>
> [1]https://www.openssl.org
> [2]https://support.forcepoint.com/KBArticle?id=How-to-use-OpenSSL-and-Microsoft-Certification-Authority
>

After considering your question a bit more, I could see that your purpose might be to create CSR's for existing keys to be signed by your internal CA. I searched around a bit, but couldn't find anything specifically about GnuPG and Microsoft CA. For creating x.509 CSR's in PKCS/#12 format, this[3] is what I could find. I would think that Microsoft CA should be able to handle a PKCS/#12 CSR, but a quick search could not confirm that.
[3]https://www.gnupg.org/documentation/manuals/gnupg-devel/Howto-Create-a-Server-Cert.html

--
Antony

From dkg at fifthhorseman.net Fri Jan 13 22:40:35 2017
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Fri, 13 Jan 2017 16:40:35 -0500
Subject: GnuPG to create CSR
In-Reply-To: <1E46221211FBA6429BADC35084A32174CB9891@HO-EXMBX-01.bmoman.bankmuscat.com>
References: <1E46221211FBA6429BADC35084A32174CB9891@HO-EXMBX-01.bmoman.bankmuscat.com>
Message-ID: <87ziiuocz0.fsf@alice.fifthhorseman.net>

On Thu 2017-01-12 06:14:06 -0500, Ali Hassan Hamed Al Ajmi (eChannels) wrote:
> Hi,
>
> We are using GPG4win as files encryption tool which utilize "GnuPG"
> crypto engine. One of our requirements is to have certificate signed
> by our internal CA. since we have Microsoft CA, we need to create
> certification request that is compatible with Microsoft CA . Via
> gpg4win GUI, we are able to generate a X.509 keys CR (p10) that does
> not seem compatible with Microsoft CA.

When you say "does not seem compatible with Microsoft CA", i don't know what that means. Is there a specific Microsoft CA product that you're using? can you provide pointers to it? can you provide error messages, warnings, or behaviors that indicate that the CSR you generated is incompatible? What specific steps did you take with the Gpg4win gui to generate the CSR?

> Does "GnuPG" support creating CR (CSR) that is compatible with Microsoft CA (from command line/ other tools with GUI)?
> If Yes, how to generate a certification request that is compatible with Microsoft CA (CSR)?
> Can you please guide us to a manual /documentation where we will find such information.

If you want to use a command-line part of the GnuPG suite to create an X.509 CSR, the tool "gpgsm" should be capable of doing it.
Use:

    gpgsm --gen-key

and follow the prompts. If it asks you "Create self-signed certificate? (y/N)", you want to answer "N" (no) because you want the csr instead.

For example (this is not on windows, this is on a GNU/Linux machine, but it should look similar to what you see in the windows cmd.exe shell):

0 dkg at alice:~$ gpgsm --gen-key
gpgsm (GnuPG) 2.1.17; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA
   (2) Existing key
   (3) Existing key from card
Your selection? 1
What keysize do you want? (2048)
Requested keysize is 2048 bits
Possible actions for a RSA key:
   (1) sign, encrypt
   (2) sign
   (3) encrypt
Your selection? 1
Enter the X.509 subject name: CN=bananas.example
Enter email addresses (end with an empty line):
>
Enter DNS names (optional; end with an empty line):
> bananas.example
> www.bananas.example
>
Enter URIs (optional; end with an empty line):
>
Create self-signed certificate? (y/N)
These parameters are used:
    Key-Type: RSA
    Key-Length: 2048
    Key-Usage: sign, encrypt
    Name-DN: CN=bananas.example
    Name-DNS: bananas.example
    Name-DNS: www.bananas.example

Proceed with creation? (y/N) y
Now creating certificate request. This may take a while ...
gpgsm: about to sign the CSR for key: &C6962BE32BF3CA7C3207BCECC0FC1CD3C24CC2E7
gpgsm: certificate request created
Ready. You should now send this request to your CA.
-----BEGIN CERTIFICATE REQUEST-----
MIICsTCCAZkCAQAwGjEYMBYGA1UEAxMPYmFuYW5hcy5leGFtcGxlMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuFLyvrSVb75agoi43FWQJwr4da7IraU1
iv2DBpFQU54Kst8sgs7ocHtgHQAVlCbiJ3XNVAv4brt+kb8ASp6xGXpTVKe5bzCw
/+OPPW5o/ymSF6wlHar7hKWSylTD3Xl6fyQaw1h6LRpY9S0QG2ua3kX1QIp6rWLd
K3Eq/X41+NFBIVeMtlu0FBCVoUDAC65BsIDahPZwDSsXhVNU2lO1TQXyr4ZCZGQb
c6qYnerlplvzjDT/a7WgaKQgYJzbxa6IM1COCCwDQMW4GH9ZsUi77iu+io/A3h/v
8B3WcVe6m6rg8lIChKSXvd1kmC8ueiCTnYKFHGpKZECPS0ec8hcOkQIDAQABoFIw
UAYJKoZIhvcNAQkOMUMwQTAvBgNVHREEKDAmgg9iYW5hbmFzLmV4YW1wbGWCE3d3
dy5iYW5hbmFzLmV4YW1wbGUwDgYDVR0PAQH/BAQDAgTwMA0GCSqGSIb3DQEBCwUA
A4IBAQARmLx97fNMd2JdPlllA0Kl5bOafXdraLMw7E0gdqoGTcgSy4oKwzYXVXCE
8PcQ5Ld+QSzZRcaEr/cWoZJSPEXX4ahhYPDs14PxNUvDX1R5MUrUGIqUmMQU28Vc
+vxTSmSY/ehvCaCDXDqcTVZjX7pyQ2LGxiy44Sqf8weGL1aHHq6znCJtPUWqpW8n
bMGj34lNPYBXW/95WAAPuLQP6zUDAq6oFf69jVJUKhIZ9Jlkr6XhAKHRpS5VjEeP
Q7PIUMKKM6PMXU1IPMo0X/TfJ7ApUJ0bWWwUTBoHcjAoIIcQCDfBZ+Wh7T9Rvrdm
wKfK8jbgQph4k/9lJXzrEKnXejo7
-----END CERTIFICATE REQUEST-----
0 dkg at alice:$

Then you'd copy/paste the stuff between the "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" lines (including those lines as well) into a file that you can import into your CA.

make sense?

--dkg

From 2014-667rhzu3dc-lists-groups at riseup.net Sat Jan 14 13:17:01 2017
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA)
Date: Sat, 14 Jan 2017 12:17:01 +0000
Subject: Signatures on a subkey?
Message-ID: <1512400762.20170114121701@riseup.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I was just looking at key 0x2B9880E1E6602099 because GnuPG was flagging up that the key is newer than some of the signatures on it.
I noticed that a large number of the signatures visible with gpg --with-sig-list --list-keys 0x2B9880E1E6602099 are not visible at the delsig command when editing the key. They are also not stripped by --minimize or --clean.

In fact, nearly a hundred signatures seem to be on the subkey 0x73CC004C3EE4249E rather than on any of the UIDs. See the block beginning with "sub 2048R/3EE4249E" near the bottom of this page:-
https://pgp.mit.edu/pks/lookup?search=0x2B9880E1E6602099&op=vindex

Can anybody explain?

- --
Best regards

MFPA

Two rights do not make a wrong. They make an airplane.

From guilhem at fripost.org Sat Jan 14 13:28:15 2017
From: guilhem at fripost.org (Guilhem Moulin)
Date: Sat, 14 Jan 2017 13:28:15 +0100
Subject: Signatures on a subkey?
In-Reply-To: <1512400762.20170114121701@riseup.net>
References: <1512400762.20170114121701@riseup.net>
Message-ID: <20170114122815.3c2px4boxdh3yhfc@localhost.localdomain>

Hi,

On Sat, 14 Jan 2017 at 12:17:01 +0000, MFPA wrote:
> In fact, nearly a hundred signatures seem to be on the subkey
> 0x73CC004C3EE4249E rather than on any of the UIDs.
> […]
> Can anybody explain?
Using GnuPG ≥2.1.13, running `gpg --edit-key $keyID check save` should fix it locally, cf. https://bugs.gnupg.org/gnupg/issue2236 . (But the packets will remain badly ordered on the server.)

--
Guilhem.

From gnupg at jelmail.com Sun Jan 15 00:39:20 2017
From: gnupg at jelmail.com (John Lane)
Date: Sat, 14 Jan 2017 23:39:20 +0000
Subject: GPG homedir path length limit
Message-ID: <29305133-bb58-ff79-f467-12690a5f8dd2@jelmail.com>

Just experimenting in a sandbox homedir, I noticed that the homedir path needs to be below a certain size.

$ pwd
/home/user/aaaaa/bbbbbbbb/cccccccc/dddd/eee/fffffffffff/ggggggggggggggggggggggg
$ mkdir -m 700 alice.gpg
$ gpg --homedir alice.gpg --gen-key
gpg: can't connect to the agent: IPC connect call failed
$ gpg-agent --homedir alice.gpg --daemon
gpg-agent[3857]: socket name '/home/user/aaaaa/bbbbbbbb/cccccccc/dddd/eee/fffffffffff/ggggggggggggggggggggggg/alice.gpg/S.gpg-agent.extra' is too long

Changing to a shorter path works fine.

From anton at marchukov.com Sun Jan 15 20:54:12 2017
From: anton at marchukov.com (Anton Marchukov)
Date: Sun, 15 Jan 2017 20:54:12 +0100
Subject: Primary and Signing Key on Different Smart Cards
In-Reply-To: <78ed0c7b-ac5e-cd02-95e8-27264ab638f8@digitalbrains.com>
References: <543a356c-5014-94d0-c96b-b31c74e4c7a4@digitalbrains.com> <78ed0c7b-ac5e-cd02-95e8-27264ab638f8@digitalbrains.com>
Message-ID:

Hello Peter.

Thanks for your detailed instructions. As FOSDEM keysigning is approaching I finally found some time to test it with my setup. Unfortunately I am unable to pass through the step when you need to swap the cards during subkey generation:

>
> Now let's add subkeys on the other card. GnuPG 2.1 totally does the right thing
> here!
Insert a new blank smartcard and do:
> $ gpg2 --edit-key 367D1BCF
> At this point the pinentry will prompt:
> ---------------------------8<--------------->8---------------------------
> Please remove the current card and insert the one with serial number:
>
> Note that that is our card with the primary key.

Here when I remove the "subkey" card and insert the primary card and then confirm the prompt I immediately have gpg fail with the following error:

gpg: signing failed: End of file
gpg: make_keysig_packeto failed: End of file
gpg: Key generation failed: End of file

Now not sure what might be the difference between your setup and mine, let's try to spot the difference:

1. I have gpg 2.1.11. What is your gpg2 --version ?

2. Since YubiKey is a usb token and my primary card is a plastic smartcard from ZeithControl they are in fact located in two different readers. I found that gpg is not able to locate card if more than one reader is present and somehow always default to some first card it sees. To mitigate this I had to always remove the reader along with the card. And then of course have to reinsert it back. May it be that gpg expects cards to be in the same reader?

3. Any other thoughts? Any debug logs I can enable?

I also kept detailed steps and output so far and hope to publish an article somewhere if manage to get everything working properly.

Anton.

From rick at nakroshis.com Sun Jan 15 20:36:08 2017
From: rick at nakroshis.com (Rick Nakroshis)
Date: Sun, 15 Jan 2017 14:36:08 -0500
Subject: Renewing expired keys
Message-ID:

List,

Been a while since I used my GPG installation, and my keys have expired. Looking at the docs, I see how to set up an initial set of keys, but how about a follow-on set? Do I generate a new set with same email address, and sign them with my expired key to show they come from the same person? Not quite sure Suggestions/advice, please?

Rick
From juanmi.3000 at gmail.com Sun Jan 15 22:17:39 2017
From: juanmi.3000 at gmail.com (Juan Miguel Navarro Martínez)
Date: Sun, 15 Jan 2017 22:17:39 +0100
Subject: Renewing expired keys
In-Reply-To:
References:
Message-ID: <0685060c-f366-1375-85dc-0f1a640246df@gmail.com>

On 2017-01-15 at 20:36, Rick Nakroshis wrote:
> List,
>
> Been a while since I used my GPG installation, and my keys have
> expired. Looking at the docs, I see how to set up an initial set of
> keys, but how about a follow-on set? Do I generate a new set with same
> email address, and sign them with my expired key to show they come from
> the same person? Not quite sure Suggestions/advice, please?
>
> Rick
>

If you want to keep the same keys (assuming they are still strong enough) you can just extend its expiration date by editing your key with `gpg[2] --edit-key (UID|KeyID|Fingerprint)` then use `expire` in `gpg>` prompt. If it has any subkeys, use `key n` (n = 1, 2, 3..) for all the subkeys and use the `expire` command again. Lastly `save` the changes.

Otherwise, you can also create a new master key and sign the new one with the old one. If you have a blog, personal or project's website or something that people usually come to visit and know about your PGP keys, also make a transition statement signed with both keys telling which key you had, which is the new one, their fingerprints and so on.

Here are some examples:
http://fifthhorseman.net/key-transition-2007-06-15.txt
https://upsilon.cc/~zack/key-transition.2010.txt
https://vincent.bernat.im/en/blog/2012-gpg-transition-new-key.html

Lastly, revoke the old one if you aren't going to use it publicly anymore.
--
Juan Miguel Navarro Martínez
GPG Keyfingerprint: 5A91 90D4 CF27 9D52 D62A BC58 88E2 947F 9BC6 B3CF

From fa-ml at ariis.it Sun Jan 15 22:09:23 2017
From: fa-ml at ariis.it (Francesco Ariis)
Date: Sun, 15 Jan 2017 22:09:23 +0100
Subject: Renewing expired keys
In-Reply-To:
References:
Message-ID: <20170115210923.GA764@casa.casa>

On Sun, Jan 15, 2017 at 02:36:08PM -0500, Rick Nakroshis wrote:
> Been a while since I used my GPG installation, and my keys have expired.
> Looking at the docs, I see how to set up an initial set of keys, but how
> about a follow-on set? Do I generate a new set with same email address,
> and sign them with my expired key to show they come from the same person?
> Not quite sure Suggestions/advice, please?

Hello Rick,
gpg --edit-key and then type `help`. You probably are looking for:

    expire      change the expiration date for the key or selected subkeys

From rjh at sixdemonbag.org Mon Jan 16 01:12:03 2017
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 15 Jan 2017 19:12:03 -0500
Subject: Sherpa 0.3.0
Message-ID:

Sherpa, a tool I've been working on off-and-on, now only blows up infrequently. That means I need brave, intrepid souls who aren't afraid to frag their hard drives. Bwahahahahahaha!

Windows users are preferred right now (since most GnuPG users are on Windows). A signed Windows installer package is available. I also have a Fedora 25 RPM, if any F25 users would like to try.

If it works correctly you'll think it's a tiny little app that does one thing well and is thoroughly unremarkable. If that's your experience I'll sing hallelujah.
If it's not, I'll forgive you for cursing my name as your hard drive catches fire.

https://rjhansen.github.io/sherpa/

(Note: not kidding -- this is not ready for production systems!)

From gnupg at jelmail.com Mon Jan 16 17:52:15 2017
From: gnupg at jelmail.com (John Lane)
Date: Mon, 16 Jan 2017 16:52:15 +0000
Subject: Trust signature domain
Message-ID: <74b25291-4069-e089-7207-9309a533d451@jelmail.com>

I'm trying to experiment with trust signatures but I can't work out how the 'domain' question is used - I think I understand what it is for, but I can't enter a value and get it to work.

I have a key A that has signed B at example.com and C at example.org

If I tsign A at level 2 with the domain blank then B and C are fully valid.

If I tsign A at level 2 with a domain of example.com then neither are valid. I expected B to be valid.

From what I've read, I think this value might be a regular expression and need to be entered in a certain way.

Any pointers appreciated.....

From wk at gnupg.org Mon Jan 16 20:16:28 2017
From: wk at gnupg.org (Werner Koch)
Date: Mon, 16 Jan 2017 20:16:28 +0100
Subject: GPG homedir path length limit
In-Reply-To: <29305133-bb58-ff79-f467-12690a5f8dd2@jelmail.com> (John Lane's message of "Sat, 14 Jan 2017 23:39:20 +0000")
References: <29305133-bb58-ff79-f467-12690a5f8dd2@jelmail.com>
Message-ID: <87d1fmg6ib.fsf@wheatstone.g10code.de>

On Sun, 15 Jan 2017 00:39, gnupg at jelmail.com said:
> Just experimenting in a sandbox homedir, I noticed that the homedir path
> needs to be below a certain size.

That is because on most Unix systems the file name for local socket is limited in size. Local sockets are used for communication between the components (e.g. gpg and gpg-agent).

The suggested solution is to create the socket in the /var/run directory: Make sure that /var/run/user/$(id -u) exists before starting gpg or gpg-agent the socket will be created there.
Only if you use a non-default home directory (GNUPGHOME) you need to manually create a sub-directory by using

    export GNUPGHOME=/foo/bar
    gpgconf --create-socketdir

To view the current directory used for the sockets, use:

    gpgconf --list-dirs socketdir

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From rjh at sixdemonbag.org Mon Jan 16 20:28:19 2017
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 16 Jan 2017 14:28:19 -0500
Subject: gpgme: error in OS X app bundle
Message-ID:

I've packaged Sherpa up into an OS X application. It works when opened at the command line with "open sherpa.app"; it fails when double-clicked from Finder. The offender seems to be:

GPGME 2017-01-16 14:14:55 <0x0d3f> gpgme-walk_path: 'gpgconf' not found in '/usr/bin:/bin:/usr/sbin:/sbin'

When launched from the command line, the child process inherits my PATH and thus GnuPG can find gpgconf; when double-clicked in Finder, PATH isn't inherited and thus gpgconf can't be found.

Now, I could blunder my way to a solution but I thought I'd ask here first. Has anyone else encountered this problem? How did you solve it in your own code?

I can think of a few ways to approach this, but they all seem inelegant. Looking for a .profile in $HOME, parsing it for PATH information, and looking for gpgconf in those dirs? Or should I just raise a, "Please navigate to your gpgconf executable" file-chooser, which would likely be too complicated for many novice users? Etc.
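The socket-name limit that Werner Koch's reply in the "GPG homedir path length limit" thread above refers to is the size of `sun_path` in `struct sockaddr_un`. The following is an added example, not code from any post in this archive or from GnuPG: it checks whether every socket under a home directory would fit, and refuses to truncate a path that does not. Apart from `S.gpg-agent.extra`, which appears in the error message in that thread, the socket names and the one-byte safety margin are assumptions of this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Socket file names expected under the home directory. "S.gpg-agent.extra"
 * is the name from the error message in the thread; the others are names
 * commonly used by GnuPG 2.1 components (assumed for this example). */
static const char *const SOCKET_NAMES[] = {
    "S.gpg-agent", "S.gpg-agent.extra", "S.gpg-agent.browser",
    "S.gpg-agent.ssh", "S.dirmngr", "S.scdaemon",
};
#define N_SOCKETS (sizeof SOCKET_NAMES / sizeof SOCKET_NAMES[0])

/* Size of sockaddr_un.sun_path on this platform
 * (108 bytes on Linux, 104 on the BSDs and macOS). */
size_t sun_path_capacity(void)
{
    return sizeof(((struct sockaddr_un *)0)->sun_path);
}

/* Fill *sa for `path`. Returns 0 on success; returns -1 with errno set to
 * ENAMETOOLONG instead of truncating, because a silently truncated name
 * would bind or connect to a different file than the caller intended.
 * The test keeps one spare byte beyond the terminating NUL; that margin
 * is a conservative choice made for this example. */
int make_unix_addr(struct sockaddr_un *sa, const char *path)
{
    size_t len = strlen(path);

    if (len + 1 >= sizeof sa->sun_path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    memcpy(sa->sun_path, path, len + 1);
    return 0;
}

/* Returns the first socket name whose full path under `homedir` does not
 * fit, or NULL when every socket fits. A trailing '/' is tolerated. */
const char *first_socket_too_long(const char *homedir)
{
    char full[4096];
    struct sockaddr_un sa;
    size_t hl = strlen(homedir);
    const char *sep = (hl > 0 && homedir[hl - 1] == '/') ? "" : "/";

    for (size_t i = 0; i < N_SOCKETS; i++) {
        int n = snprintf(full, sizeof full, "%s%s%s",
                         homedir, sep, SOCKET_NAMES[i]);
        if (n < 0 || (size_t)n >= sizeof full ||
            make_unix_addr(&sa, full) != 0)
            return SOCKET_NAMES[i];
    }
    return NULL;
}

/* Longest home directory path (without trailing '/') for which all
 * sockets still pass make_unix_addr(). */
size_t max_homedir_len(void)
{
    size_t longest = 0;

    for (size_t i = 0; i < N_SOCKETS; i++) {
        size_t l = strlen(SOCKET_NAMES[i]);
        if (l > longest)
            longest = l;
    }
    /* Accepted paths satisfy len <= capacity - 2; subtract the '/' too. */
    return sun_path_capacity() - 2 - 1 - longest;
}

int main(void)
{
    /* Constructed sample directories, not taken from the thread. */
    const char *dirs[] = {
        "/home/user/.gnupg",
        "/home/user/projects/customer-a/2017/sandbox/keyrings/"
        "test-identities/alice/with-a-rather-long-name.gpg",
    };

    printf("sun_path holds %zu bytes; homedir may be at most %zu chars\n",
           sun_path_capacity(), max_homedir_len());
    for (size_t i = 0; i < sizeof dirs / sizeof dirs[0]; i++) {
        const char *bad = first_socket_too_long(dirs[i]);
        printf("%s: %s%s\n", dirs[i],
               bad ? "too long for " : "all sockets fit", bad ? bad : "");
    }
    return 0;
}
```

When the check fails for a home directory, `gpgconf --list-dirs socketdir` from the reply above shows where GnuPG will actually place its sockets.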
From anton at marchukov.com Mon Jan 16 22:58:06 2017
From: anton at marchukov.com (Anton Marchukov)
Date: Mon, 16 Jan 2017 22:58:06 +0100
Subject: Primary and Signing Key on Different Smart Cards
In-Reply-To:
References: <543a356c-5014-94d0-c96b-b31c74e4c7a4@digitalbrains.com> <78ed0c7b-ac5e-cd02-95e8-27264ab638f8@digitalbrains.com>
Message-ID:

> readers. I found that gpg is not able to locate card if more than one
> reader is present and somehow always default to some first card it
> sees. To mitigate this I had to always remove the reader along with
> the card. And then of course have to reinsert it back. May it be that
> gpg expects cards to be in the same reader?

So far I was not able to have gpg working with subkey generated on card due to above mentioned problem. However you can use secure machine (I used the Tails distribution on a write protected flash drive) and generate subkeys on file and then transfer them to individual cards/tokens. This somehow worked well, with the few only exceptions:

1. Between loading the next card I sometimes had to wipe ~/.gnupg completely and reload public key there following "gpg2 --card-status". But anyway it is also a good way to check your keys before wiping memory off. I also uploaded public keys to the keyserver right from the tails once I verified they are ok.

2. You need to use "--local-user" to specify which subkey to use for signing, e.g. "local-user 0x29240005AAD6C87A!". Exclamation mark is essential here. Otherwise gpg will try to choose the latest available subkey as I understood or complain it is not available. I put it to my ~/.gnupg/gpg.conf

Overall after those manipulations I have a primary plastic card and 2 separate YubiKey tokens for signing only. Tokens are permanently installed in each of system I use. Besides that after additional configuration [1] YubiKey requires to touch its sensor as a presence check each time a crypto operation is done using secret key material.
I have some empty cards left along with few readers, so can continue troubleshooting it further. Maybe we can make it work with cards in separate readers.

[1] https://gist.github.com/a-dma/797e4fa2ac4b5c9024cc

Anton.

From wk at gnupg.org Mon Jan 16 23:16:29 2017
From: wk at gnupg.org (Werner Koch)
Date: Mon, 16 Jan 2017 23:16:29 +0100
Subject: GnuPG this Past Fall
Message-ID: <87pojmejlu.fsf@wheatstone.g10code.de>

Hi!

Here is a plain text copy of Neal's recent blog entry. The permanent URL is: . If you like to comment, please follow up on this mail.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 20170116-GNUPG-THIS-PAST-FALL
 Neal
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 January 6, 2017

Table of Contents
─────────────────

1 GnuPG this Past Fall
.. 1.1 Development
.. 1.2 Releases
.. 1.3 Public Appearances
.. 1.4 Ecosystem
.. 1.5 Press
.. 1.6 Donations

1 GnuPG this Past Fall
══════════════════════

1.1 Development
───────────────

The focus of development the past few months has been on polishing the GnuPG 2.1 code base so that we can release GnuPG 2.2. This is particularly important to us, because we want the latest features to be available in the next release of Debian stable, which is about to freeze. All of the main developers have participated in this effort, but I want to particularly point out Daniel Kahn Gillmor's many patches in this area. Even prior to this effort, Daniel has regularly submitted patches for relatively minor, boring issues. But, it is exactly these types of fixes that result in a polished product.

A relatively major change that went into the most recent release of GnuPG is the replacement of ADNS with William Ahern's [libdns]. Unfortunately, our patches for Tor support for ADNS have been in limbo for such a long time, that [we decided to change to a different DNS resolver].

Daniel Kahn Gillmor also helped implement and debug GnuPG's new supervisor mode. This mode allows GnuPG's daemons to be auto-started and auto-stopped by systemd.
If you are tracking Debian testing or Debian unstable, you can try enabling this by following the instructions in `/usr/share/doc/gnupg-agent/README.Debian'. This is based on the [reference implementation for starting GnuPG's daemons from systemd] that Daniel also contributed and is included in GnuPG proper. Linux distributions that use systemd are encouraged to base their systemd unit files on this implementation.

Justus also made significant improvements to our relatively new Scheme-based testing framework. He's also written many new tests, fixed bugs in [TinyScheme], the Scheme interpreter that we are using, and radically improved TinyScheme's debugging facilities. Furthermore, TinyScheme used to spend about 75% of the execution time in the garbage collector alone, now it typically spends less than 40% of the time in the memory allocator. Unfortunately, although he submitted some patches upstream, they have been mostly ignored. Thus, if you are using TinyScheme, you might want to consider including our patches.

We've decided to change the [default expiration time for new keys to 2 years]. (Previously, keys did not expire by default.) Using an expiration provides an emergency brake for users who lose access to their secret key material and any revocation certificate. But note: just because a key has expired does not mean that one has to create a new key; it is entirely possible to extend a key's expiration, even after the key has expired.

Another minor, but notable improvement that Justus implemented is to GnuPG's search algorithm. Justus changed gpg's behavior to [take the best match instead of the first match].

Niibe has continued to polish the smart card support including improving support for v3 of the [OpenPGPcard] specification, and initial support for [multiple card readers]. He has also reviewed and integrated a number of bug fixes and small improvements contributed by Arnaud Fontaine.

Andre has made significant progress on GPGOL, our plugin for Outlook.
He plans to release a beta in the coming week. Part of this work included fleshing out [how the automatic encryption system should work], and thinking about what it can and cannot protect against. We've documented this in the wiki. Comments (to the mailing list) are welcome!

As usual, Jussi Kivilinna contributed a number of improvements to libgcrypt. Alon Bar-Lev, a GnuPG maintainer for Gentoo, submitted a number of patches. Mike Blumenkrantz contributed a new [EFL-based pinentry]. And, Tobias Mueller provided a number of improvements to the Python bindings.

After a [long discussion], we decided to change the Python GPGME bindings to use the [`gpg'] namespace instead of the `pyme3' namespace. This should make finding the bindings easier. There was also a discussion about [the right way to deal with any missing dependencies (in particular, a sufficiently new GPGME) for the Python bindings] when they are installed from pip. Unfortunately, we don't have sufficient resources to properly package them so any users will need to make sure they have a recent operating system or build GPGME themselves.
[libdns] http://25thandclement.com/~william/projects/dns.c.html

[we decided to change to a different DNS resolver] https://lists.gnupg.org/pipermail/gnupg-devel/2016-December/032350.html

[reference implementation for starting GnuPG's daemons from systemd] https://git.gnupg.org/cgi-bin/gitweb.cgi?p%3Dgnupg.git%3Ba%3Dtree%3Bf%3Ddoc/examples/systemd-user%3Bh%3D2d589564e565b0b886d8c8d9071ca52290fb87e3%3Bhb%3Drefs/heads/master

[TinyScheme] http://tinyscheme.sourceforge.net/

[default expiration time for new keys to 2 years] https://lists.gnupg.org/pipermail/gnupg-devel/2016-December/032298.html

[take the best match instead of the first match] https://lists.gnupg.org/pipermail/gnupg-devel/2016-October/031994.html

[OpenPGPcard] http://g10code.com/docs/openpgp-card-3.0.pdf

[multiple card readers] https://lists.gnupg.org/pipermail/gnupg-devel/2016-December/032403.html

[how the automatic encryption system should work] https://wiki.gnupg.org/EasyGpg2016/AutomatedEncryption

[EFL-based pinentry] https://lists.gnupg.org/pipermail/gnupg-devel/2016-October/031807.html

[long discussion] https://lists.gnupg.org/pipermail/gnupg-devel/2016-October/031810.html

[`gpg'] https://pypi.python.org/pypi/gpg

[the right way to deal with any missing dependencies (in particular, a sufficiently new GPGME) for the Python bindings] https://lists.gnupg.org/pipermail/gnupg-devel/2016-December/032366.html

1.2 Releases
────────────

We've released new versions of GPGME including [1.7.0] and [1.8.0]. 1.7.0 includes our new [Python bindings for GPGME], and 1.8.0 includes the renaming of the namespace from `pyme3' to `gpg'.

The GnuPG proper saw two releases: version [2.1.16] and version [2.1.17]. The latter was released exactly [19 years after Werner released version 0.0.0]!

We released version 1.7.5 of [Libgcrypt], which includes an important bug fix for a [secure memory exhaustion regression] ([see also this post]), which was introduced in 1.7.4.
[1.7.0] https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000397.html

[1.8.0] https://lists.gnupg.org/pipermail/gnupg-devel/2016-November/032182.html

[Python bindings for GPGME] https://gnupg.org/blog/20160921-python-bindings-for-gpgme.html

[2.1.16] https://lists.gnupg.org/pipermail/gnupg-announce/2016q4/000398.html

[2.1.17] https://lists.gnupg.org/pipermail/gnupg-announce/2016q4/000398.html

[19 years after Werner released version 0.0.0] https://www.gnupg.org/download/release_notes.html#sec-1-2-70

[Libgcrypt] https://lists.gnupg.org/pipermail/gnupg-announce/2016q4/000399.html

[secure memory exhaustion regression] https://bugs.gnupg.org/gnupg/issue2870

[see also this post] https://lists.gnupg.org/pipermail/gnupg-devel/2016-November/032157.html

1.3 Public Appearances
──────────────────────

In October and November, I traveled a fair amount. Before leaving, I contacted a few local groups about giving my "An Advanced Introduction to GnuPG" presentation. In the end, I held it in New York City at the [NYLUG meetup] ([recording]), in Baltimore at [JHU's ACM chapter], and in San Francisco at [OpenLate], at [NoiseBridge], ([recording]) and at the [Intercept]. The interest in GnuPG in New York is impressive: we filled the 150 person room and there was a waiting list. The audience was also very engaged and asked many questions. Joe Nelson's [recording at NoiseBridge] is probably the best recording so far (I had a lapel mic and the slides were recorded separately). If you are interested in seeing the presentation, that is the recording that I currently recommend.

While traveling, I also interviewed a number of GnuPG users (journalists, lawyers, activists, and companies) for our upcoming donation campaign. If you or your company/organization are willing to talk about how you use GnuPG on camera, [please get in touch with me].

At the end of December, I attended the [CCC's annual congress].
I participated in a [panel discussion] with Volker Birk from [pEp] and Holger Krekel from [Autocrypt]. Unfortunately, we only had half an hour, which made the discussion rather superficial. Other talks more or less related to GnuPG were presented in the [#wefixthenet session]. A few GnuPG team members will be present at this year?s [FOSDEM]. And, I, Daniel, and some of the Autocrypt people attend the Internet Freedom Festival in March in Valencia, Spain. [NYLUG meetup] https://www.meetup.com/nylug-meetings/events/234083247/ [recording] https://www.youtube.com/watch?v%3DfX0pgV8hPq8 [JHU?s ACM chapter] https://www.acm.jhu.edu/ [OpenLate] https://www.meetup.com/de-DE/OpenLate/events/234006159/ [NoiseBridge] https://noisebridge.net/wiki/Advanced_Introduction_to_GnuPG [recording] https://begriffs.com/posts/2016-11-05-advanced-intro-gnupg.html [Intercept] https://theintercept.com/ [recording at NoiseBridge] https://begriffs.com/posts/2016-11-05-advanced-intro-gnupg.html [please get in touch with me] http://k.gnupg.net/8F17777118A33DDA9BA48E62AACB3243630052D9 [CCC?s annual congress] https://events.ccc.de/tag/33c3/ [panel discussion] https://fossil.net2o.de/33c3/doc/trunk/wiki/panel.md [pEp] https://pep.foundation/ [Autocrypt] https://github.com/autocrypt/autocrypt [#wefixthenet session] https://fossil.net2o.de/33c3/doc/trunk/wiki/33c3.md [FOSDEM] https://fosdem.org/2017/ 1.4 Ecosystem ????????????? [K9] had a major release (5.2) with significantly better OpenPGP support. Of particular note is support for PGP/MIME. Congratulations! The developers of GPGTools have released a [beta version of GPGTools for macOSX Sierra]. [Autocrypt] is a new, loose knit group working on a new key discovery protocol for opportunistic encryption. Autocrypt is different from WKD in that it transmits keys via email, and, as such, doesn?t require any new third-party infrastructure, but is more susceptible to attacks than WKD. 
This approach is complementary to WKD, and similar to what pEp is doing. pEp has also begun to [document their protocols]. Their intent appears to be to submit them as IETF internet drafts. [K9] https://www.openkeychain.org/k-9-5.200 [beta version of GPGTools for macOSX Sierra] https://gpgtools.tenderapp.com/discussions/problems/49449-will-not-work-on-macosx-sierra [Autocrypt] http://autocrypt.readthedocs.io/en/latest/ [document their protocols] https://letsencrypt.pep.foundation/dev/repos/internet-drafts/ 1.5 Press ????????? [The EFF expects surveillance and censorship to increase] under President Trump. And, the same appears to be inevitable in Great Britain with their recently introduced [Snoopers? Charter]. The EFF encourages technology companies to, among other things, improve their support for end-to-end encryption. We agree, and add that even individuals can help: start using encryption tools, and, if you know how, volunteer at a local [CryptoParty]. Filippo Valsorda wrote an article about [why he is giving up on PGP], which got picked up by Ars Technica, and endorsed by [Matthew Green] and [Bruce Schneier] ([again]). [I composed a response], which Ars Technica also carried. In short, one of the major reasons that Filippo is giving up on PGP in favor of Signal and WhatsApp is due to the lack of forward secrecy. It?s true that OpenPGP doesn?t support forward secrecy (although it can be approximated with a bit of work). But, it?s not clear to us whether that should be the most important consideration. We know from Snowden, that when properly implemented, "[encryption ? really is one of the few things that we can rely on]." In other words, when nation states crack encryption, they aren?t breaking the actual encryption, they are circumventing it. 
Thus, if you are like Filippo and are really worried about something like an [evil maid attack], then you are probably better off storing your encryption keys on a smart card, which is something that GnuPG supports, but Signal does not. Another major problem with Signal, which Filippo does not address, is its use of telephone numbers as identifiers. This seriously undermines anonymity, and makes harassment easier, which is a particular problem for women who post on the Internet. There are been other responses including those from [Bjarni R?nar] (Mailpile), [Perry Donham] (BU), and [Alexandre Dulaunoy] ([HN comments]). Tobias M?ller recently wrote a blog post about his [impressions of the OpenPGP conference]. [Micah Lee was interviewed about his project about GPG Sync] by the FSF. Heise published an article with [tips for encrypting emails] (in German). LinuxFR published a primer covering [key validity and trust models], including TOFU (in French). And, NextInpact published an article with [a brief history of PGP and GnuPG, a number of tips for using GnuPG, and some tradeoffs] (in French). [The EFF expects surveillance and censorship to increase] https://supporters.eff.org/donate/eff-wired%20 [Snoopers? Charter] http://www.theregister.co.uk/2016/11/30/investigatory_powers_act_backdoors/ [CryptoParty] https://www.cryptoparty.in/ [why he is giving up on PGP] http://arstechnica.com/security/2016/12/op-ed-im-giving-up-on-pgp/ [Matthew Green] https://twitter.com/matthew_d_green/status/806135647199252480 [Bruce Schneier] https://www.schneier.com/blog/archives/2016/12/giving_up_on_pg.html [again] https://www.schneier.com/blog/archives/2016/12/the_pro-pgp_pos.html [I composed a response] http://arstechnica.com/information-technology/2016/12/signal-does-not-replace-pgp/ [encryption ? 
really is one of the few things that we can rely on] https://www.seas.harvard.edu/news/2015/01/reengineering-privacy-post-snowden [evil maid attack] https://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html [Bjarni R?nar] https://www.mailpile.is/blog/2016-12-13_Too_Cool_for_PGP.html [Perry Donham] http://sites.bu.edu/perryd/2016/12/17/rethinking-pgp-encryption/ [Alexandre Dulaunoy] https://www.foo.be/2016/12/OpenPGP-really-works [HN comments] https://news.ycombinator.com/item?id%3D13301307 [impressions of the OpenPGP conference] https://blogs.gnome.org/muelli/2016/10/first-openpgp-conf-2016-in-cologne-germany/ [Micah Lee was interviewed about his project about GPG Sync] https://www.fsf.org/blogs/licensing/the-licensing-and-compliance-lab-interviews-micah-lee-of-gpg-sync [tips for encrypting emails] https://www.heise.de/download/specials/E-Mails-mit-PGP-verschluesseln-3342397 [key validity and trust models] http://linuxfr.org/users/gouttegd/journaux/de-la-confiance-dans-le-monde-openpgp [a brief history of PGP and GnuPG, a number of tips for using GnuPG, and some tradeoffs] https://www.nextinpact.com/news/98509-openpgp-et-gnupg-25-ans-chiffrement-pour-tous-ce-quil-faut-savoir-avant-sy-mettre.htm 1.6 Donations ????????????? We recently received [an account statement] from the Wau Holland foundation on the GnuPG account that they manage for us. [an account statement] https://lists.gnupg.org/pipermail/gnupg-devel/2016-November/032211.html -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From lewisurn at gmail.com Tue Jan 17 08:41:26 2017 From: lewisurn at gmail.com (Lou Wynn) Date: Mon, 16 Jan 2017 23:41:26 -0800 Subject: Trust signature domain In-Reply-To: <74b25291-4069-e089-7207-9309a533d451@jelmail.com> References: <74b25291-4069-e089-7207-9309a533d451@jelmail.com> Message-ID: <48a52de5-26a4-73c5-7e50-b0c37907c4e0@gmail.com> I also want to know if someone is actually using trust levels in practice. You're the first one whom I came across, so I obviously can't answer your question. Thanks, Lou On 01/16/2017 08:52 AM, John Lane wrote: > I'm trying to experiment with trust signatures but I can't work out how > the 'domain' question is used ? > > I think I understand what it is for, but I can't enter a value and get > it to work. > > I have a key A that has signed B at example.com and C at example.org > > If I tsign A at level 2 with the domain blank then B and C are fully valid. > > If I tsign A at level 2 with a domain of example.com then neither are > valid. I expected B to be valid. > > >From what I've read, I think this value might be a regular expression > and need to be entered in a certain way. > > Any pointers appreciated..... > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From peter at digitalbrains.com Tue Jan 17 12:10:53 2017 From: peter at digitalbrains.com (Peter Lebbing) Date: Tue, 17 Jan 2017 12:10:53 +0100 Subject: Primary and Signing Key on Different Smart Cards In-Reply-To: References: <543a356c-5014-94d0-c96b-b31c74e4c7a4@digitalbrains.com> <78ed0c7b-ac5e-cd02-95e8-27264ab638f8@digitalbrains.com> Message-ID: <560063b1-16a0-4ab7-4205-e02950888b82@digitalbrains.com> Hello Anton, > 1. I have gpg 2.1.11. What is your gpg2 --version ? 
I did that with Debian package 2.1.11-7. > 2. Since YubiKey is a usb token and my primary card is a plastic > smartcard from ZeithControl they are in fact located in two different > readers. Ah, that sounds like a likely culprit to me. I've thought more often that scdaemon would be improved if it handled missing and changed readers exactly the same as missing or changed smartcards. I can't think of a way to solve this right now. > I found that gpg is not able to locate card if more than one > reader is present and somehow always default to some first card it > sees. Yes, multiple reader support is a work in progress. > 3. Any other thoughts? Any debug logs I can enable? Something like: debug-level expert log-file /home//scdaemon.log added to $GNUPGHOME/scdaemon.conf could help. But note that it may contain the card PIN in the APDU dumps! The easiest way, IMHO, to prevent leaking private data is to use a PIN like 123456 for your tests, and only when you've got it working do it all for real with a real PIN and real OpenPGP keys and *no more logs*. This also prevents leaking your PIN to your storage or your backups for instance, which could be a problem depending on your threat model. I've never had any luck with anything other than a plain absolute path for the log-file directive, so I'm always just writing them out completely. (Similar debug log directives are available for other components) HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. 
My key is available at From peter at digitalbrains.com Tue Jan 17 12:23:09 2017 From: peter at digitalbrains.com (Peter Lebbing) Date: Tue, 17 Jan 2017 12:23:09 +0100 Subject: Feature request: treat missing smartcard reader as missing smartcard Message-ID: <8faa5a56-ba3e-eebd-1546-c091774c1a0f@digitalbrains.com> Hi devs, I think scdaemon would behave more predictably and more *correct* if it treated a missing or changed card reader as a missing or changed card. For instance, if I open an encrypted mail in Thunderbird/Enigmail, I see the following: - Card reader is plugged in but no card or different card present in reader: I am prompted to insert the correct OpenPGP card. Once I do this and okay the prompt, decryption is succesful. - Card reader not plugged in: Empty message window with Enigmail error on the lines of "Decryption failed. No secret key available." These days, it is quite common to see readers with either integrated smartcards or smartcards that can't be changed or removed easily. I think these devices should be treated as currently the smartcard is. I.e., if the reader is not plugged in, prompt the user to insert their smartcard just like scdaemon would if the reader were present but empty. I think this is also the reason why in this[1] mail to gnupg-users, Anton is not able to do the same procedure as I could. I used a desktop smartcard reader and two regular OpenPGP cards. Anton used one regular OpenPGP card and one Yubikey. Where I was prompted to change cards, his attempt likely failed because he had to swap *readers* as well as cards. Peter. [1] -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From wk at gnupg.org Tue Jan 17 13:50:05 2017 From: wk at gnupg.org (Werner Koch) Date: Tue, 17 Jan 2017 13:50:05 +0100 Subject: gpgme: error in OS X app bundle In-Reply-To: (Robert J. 
Hansen's message of "Mon, 16 Jan 2017 14:28:19 -0500")
References:
Message-ID: <877f5tetqa.fsf@wheatstone.g10code.de>

On Mon, 16 Jan 2017 20:28, rjh at sixdemonbag.org said:

> GPGME 2017-01-16 14:14:55 <0x0d3f> gpgme-walk_path: 'gpgconf' not found
> in '/usr/bin:/bin:/usr/sbin:/sbin'

Is there another directory which should be included into the default
PATH on macOS? We can't add private directories (that is for what PATH
is used for), but adding standard directories would be fine.

> I can think of a few ways to approach this, but they all seem inelegant.
> Looking for a .profile in $HOME, parsing it for PATH information, and
> looking for gpgconf in those dirs? Or should I just raise a, "Please

You could build gpgme with this option

  ./configure --enable-fixed-path=/foo:/foo/bar:/baz

so that PATH will be ignored and the given fixed PATH is used to locate
gpgconf.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL:

From rjh at sixdemonbag.org Tue Jan 17 14:52:00 2017
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 17 Jan 2017 08:52:00 -0500
Subject: gpgme: error in OS X app bundle
In-Reply-To: <877f5tetqa.fsf@wheatstone.g10code.de>
References: <877f5tetqa.fsf@wheatstone.g10code.de>
Message-ID:

> Is there another directory which should be included into the default
> PATH on macOS? We can't add private directories (that is for what PATH
> is used for), but adding standard directories would be fine.

Well, the problem we run into is there's so many different places people
install GnuPG on OS X.

Homebrew uses /usr/local, GPGTools uses /usr/local, GPGOSX uses
/usr/local/gnupg-2.1, hand-installed often goes to $HOME, some people
use /opt, and so on.

I have a hack around it, but it's kind of gross, and I'm really hoping
there's a better way.

From wk at gnupg.org Tue Jan 17 17:30:22 2017
From: wk at gnupg.org (Werner Koch)
Date: Tue, 17 Jan 2017 17:30:22 +0100
Subject: gpgme: error in OS X app bundle
In-Reply-To: (Robert J. Hansen's message of "Tue, 17 Jan 2017 08:52:00 -0500")
References: <877f5tetqa.fsf@wheatstone.g10code.de>
Message-ID: <87ziipd4yp.fsf@wheatstone.g10code.de>

On Tue, 17 Jan 2017 14:52, rjh at sixdemonbag.org said:

> Homebrew uses /usr/local, GPGTools uses /usr/local, GPGOSX uses
> /usr/local/gnupg-2.1, hand-installed often goes to $HOME, some people
> use /opt, and so on.

So, this is the standard Unix pattern. We should add /usr/local/bin to
the default PATH, though.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL:

From gnupg at jelmail.com Tue Jan 17 18:17:06 2017
From: gnupg at jelmail.com (John Lane)
Date: Tue, 17 Jan 2017 17:17:06 +0000
Subject: Trust signature domain
In-Reply-To: <48a52de5-26a4-73c5-7e50-b0c37907c4e0@gmail.com>
References: <74b25291-4069-e089-7207-9309a533d451@jelmail.com> <48a52de5-26a4-73c5-7e50-b0c37907c4e0@gmail.com>
Message-ID:

>> I'm trying to experiment with trust signatures but I can't work out how
>> the 'domain' question is used ?
>>

the only thing I've been able to find is this regular expression

|<[^>]+@example.net>$|

(http://linuxfr.org/users/gouttegd/journaux/de-la-confiance-dans-le-monde-openpgp#limitation-du-champ-des-trust-signatures)

I still can't make it work though!

FWIW gpg (GnuPG) 2.1.17
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From peter at digitalbrains.com Tue Jan 17 20:51:45 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 17 Jan 2017 20:51:45 +0100
Subject: Trust signature domain
In-Reply-To:
References: <74b25291-4069-e089-7207-9309a533d451@jelmail.com> <48a52de5-26a4-73c5-7e50-b0c37907c4e0@gmail.com>
Message-ID:

On 17/01/17 18:17, John Lane wrote:
> <[^>]+@example.net>$

Seems like an extended regexp with a mistake. The dot would actually match any
character, it needs to be quoted:

<[^>]+@example\.net>$

(and quoted even further if provided through a shell).

I hope I didn't miss any other mistakes. (I haven't actually tried to do
anything at all with trust signatures, I just noticed a mistake while reading
your message.)

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From gnupg at jelmail.com Tue Jan 17 21:32:19 2017
From: gnupg at jelmail.com (John Lane)
Date: Tue, 17 Jan 2017 20:32:19 +0000
Subject: Trust signature domain
In-Reply-To:
References: <74b25291-4069-e089-7207-9309a533d451@jelmail.com> <48a52de5-26a4-73c5-7e50-b0c37907c4e0@gmail.com>
Message-ID:

On 17/01/17 19:51, Peter Lebbing wrote:

> Seems like an extended regexp with a mistake. The dot would actually match any
> character, it needs to be quoted:
>

Quite right, but it would match a dot too!

I did try it with and without an escape without success.

There seems to be very little information available about this feature
beyond the high-level description in the prompt output from gpg.

From rsv869 at runbox.com Tue Jan 17 21:09:16 2017
From: rsv869 at runbox.com (Reid Vail)
Date: Tue, 17 Jan 2017 15:09:16 -0500
Subject: I'm confused about GPG, and it's confused about me
Message-ID: <20170117150916.5dc94f90@rsv2-Serval-Pro>

Hello GPG team -

I have tried to get GPG working but am stuck and need some help
isolating the issue, please.

I'm running GnuPG 1.4.20-1 on Linuxmint KDE 18.
My mail package is Claws-mail 1.13.2, but I don't think it's a mail issue. I can run GnuPG at the command line and can create a new key pair, and the output from the --fingerprint option is shown directly below, but encrypting through Claws fails with a error that simply says "encryption failed". Next I tried to get a basic signature to work, and that fails also, shown next. I'm not sure how to troubleshoot my issue. Pointers welcome. Reid ------------------------------------------------------ rsv2 at rsv2-Serval-Pro ~ $ gpg --fingerprint rsv869 at runbox.com pub 2048R/26F66FEB 2016-11-09 Key fingerprint = 3A74 A1DB 2C79 6657 D14B A6B8 3EDE 6A32 26F6 6FEB uid Reid Vail sub 2048R/14C2E935 2016-11-09 pub 2048R/A780EFF6 2017-01-17 Key fingerprint = 1F35 6DC3 3182 016A 8E59 E509 9A72 F153 A780 EFF6 uid Reid Vail (runbox) sub 2048R/1ED8FE07 2017-01-17 ------------------------------------------------------- rsv2 at rsv2-Serval-Pro ~ $ rsv2 at rsv2-Serval-Pro ~ $ rsv2 at rsv2-Serval-Pro ~ $ gpg --clearsign --local-user --default-key encryption\ test gpg: skipped "--default-key": secret key not available gpg: encryption test: clearsign failed: secret key not available rsv2 at rsv2-Serval-Pro ~ $ From alfortnertrucking at gmail.com Tue Jan 17 21:35:31 2017 From: alfortnertrucking at gmail.com (Loy Fortner) Date: Tue, 17 Jan 2017 15:35:31 -0500 Subject: Trust signature domain In-Reply-To: References: <74b25291-4069-e089-7207-9309a533d451@jelmail.com> <48a52de5-26a4-73c5-7e50-b0c37907c4e0@gmail.com> Message-ID: I don't know what you are talking about On Jan 17, 2017 3:33 PM, "John Lane" wrote: > On 17/01/17 19:51, Peter Lebbing wrote: > > > Seems like an extended regexp with a mistake. The dot would actually > match any > > character, it needs to be quoted: > > > > Quite right, but it would match a dot too! > > I did try it with and without an escape without success. 
>
> There seems to be very little information available about this feature
> beyond the high-level description in the prompt output from gpg.
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From juanmi.3000 at gmail.com Tue Jan 17 22:26:17 2017
From: juanmi.3000 at gmail.com (Juan Miguel Navarro Martínez)
Date: Tue, 17 Jan 2017 22:26:17 +0100
Subject: I'm confused about GPG, and it's confused about me
In-Reply-To: <20170117150916.5dc94f90@rsv2-Serval-Pro>
References: <20170117150916.5dc94f90@rsv2-Serval-Pro>
Message-ID:

On 2017-01-17 at 21:09, Reid Vail wrote:
> rsv2 at rsv2-Serval-Pro ~ $ gpg --clearsign --local-user --default-key encryption\ test
>

You are telling GnuPG to clear sign a file called "encryption test" with
a local key that has a User ID (UID) containing "--default-key".

Try using:

  gpg --clearsign --local-user 0x3A74A1DB2C796657D14BA6B83EDE6A3226F66FEB encryption\ test

or, this one if you use the other key:

  gpg --clearsign --local-user 0x1F356DC33182016A8E59E5099A72F153A780EFF6 encryption\ test

Same for encryption:

Key 1:

  gpg --armor --encrypt --recipient 0x3A74A1DB2C796657D14BA6B83EDE6A3226F66FEB encryption\ test

Key 2:

  gpg --armor --encrypt --recipient 0x1F356DC33182016A8E59E5099A72F153A780EFF6 encryption\ test

Normally, you use "default-key" as an option in gpg.conf (usually on
~/.gnupg/) like this:

  default-key 0xDEADBEEF

Where DEADBEEF is your master key keyID or, more secure yet, fingerprint
(like I did above).

--
Juan Miguel Navarro Martínez
GPG Keyfingerprint: 5A91 90D4 CF27 9D52 D62A BC58 88E2 947F 9BC6 B3CF
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From gniibe at fsij.org Wed Jan 18 00:21:18 2017 From: gniibe at fsij.org (NIIBE Yutaka) Date: Wed, 18 Jan 2017 08:21:18 +0900 Subject: Feature request: treat missing smartcard reader as missing smartcard In-Reply-To: <8faa5a56-ba3e-eebd-1546-c091774c1a0f@digitalbrains.com> References: <8faa5a56-ba3e-eebd-1546-c091774c1a0f@digitalbrains.com> Message-ID: <87pojli87l.fsf@iwagami.gniibe.org> Peter Lebbing wrote: > For instance, if I open an encrypted mail in Thunderbird/Enigmail, I see > the following: > > - Card reader is plugged in but no card or different card present in reader: > > I am prompted to insert the correct OpenPGP card. Once I do this and > okay the prompt, decryption is succesful. > > - Card reader not plugged in: > > Empty message window with Enigmail error on the lines of "Decryption > failed. No secret key available." Good point. In the development branch, I'm currently working for multiple card/token support (currently only with internal CCID driver). And I also happened to notice this difference this month. Now in the repo (master), signing and decryption work well with multiple card/token and a user is prompted when there is no relevant card/token. This is just a lucky coincidence, but I'm glad to see the development of GnuPG goes well. Thank you for your support of GnuPG. Your support encourages me (hopefully, all of us) fixing bugs and adding feature(s). 
-- From alfortnertrucking at gmail.com Wed Jan 18 00:58:56 2017 From: alfortnertrucking at gmail.com (Loy Fortner) Date: Tue, 17 Jan 2017 18:58:56 -0500 Subject: Feature request: treat missing smartcard reader as missing smartcard In-Reply-To: <87pojli87l.fsf@iwagami.gniibe.org> References: <8faa5a56-ba3e-eebd-1546-c091774c1a0f@digitalbrains.com> <87pojli87l.fsf@iwagami.gniibe.org> Message-ID: Please stop sending me this message I don't know what you are talking about so stop On Jan 17, 2017 6:54 PM, "NIIBE Yutaka" wrote: > Peter Lebbing wrote: > > For instance, if I open an encrypted mail in Thunderbird/Enigmail, I see > > the following: > > > > - Card reader is plugged in but no card or different card present in > reader: > > > > I am prompted to insert the correct OpenPGP card. Once I do this and > > okay the prompt, decryption is succesful. > > > > - Card reader not plugged in: > > > > Empty message window with Enigmail error on the lines of "Decryption > > failed. No secret key available." > > Good point. > > In the development branch, I'm currently working for multiple card/token > support (currently only with internal CCID driver). And I also happened > to notice this difference this month. > > Now in the repo (master), signing and decryption work well with multiple > card/token and a user is prompted when there is no relevant card/token. > > This is just a lucky coincidence, but I'm glad to see the development of > GnuPG goes well. > > Thank you for your support of GnuPG. Your support encourages me > (hopefully, all of us) fixing bugs and adding feature(s). > -- > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gnupg at raf.org Tue Jan 17 22:58:32 2017 From: gnupg at raf.org (gnupg at raf.org) Date: Wed, 18 Jan 2017 08:58:32 +1100 Subject: gpgme: error in OS X app bundle In-Reply-To: <87ziipd4yp.fsf@wheatstone.g10code.de> References: <877f5tetqa.fsf@wheatstone.g10code.de> <87ziipd4yp.fsf@wheatstone.g10code.de> Message-ID: <20170117215832.GB27480@raf.org> Werner Koch wrote: > On Tue, 17 Jan 2017 14:52, rjh at sixdemonbag.org said: > > > Homebrew uses /usr/local, GPGTools uses /usr/local, GPGOSX uses > > /usr/local/gnupg-2.1, hand-installed often goes to $HOME, some people > > use /opt, and so on. > > So, this is the standard Unix pattern. We should add /usr/local/bin to > the default PATH, though. > > Salam-Shalom, > > Werner and macports uses /opt/local/bin. From alfortnertrucking at gmail.com Wed Jan 18 02:20:27 2017 From: alfortnertrucking at gmail.com (Loy Fortner) Date: Tue, 17 Jan 2017 20:20:27 -0500 Subject: gpgme: error in OS X app bundle In-Reply-To: <20170117215832.GB27480@raf.org> References: <877f5tetqa.fsf@wheatstone.g10code.de> <87ziipd4yp.fsf@wheatstone.g10code.de> <20170117215832.GB27480@raf.org> Message-ID: Stop the bull shit now On Jan 17, 2017 8:12 PM, wrote: > Werner Koch wrote: > > > On Tue, 17 Jan 2017 14:52, rjh at sixdemonbag.org said: > > > > > Homebrew uses /usr/local, GPGTools uses /usr/local, GPGOSX uses > > > /usr/local/gnupg-2.1, hand-installed often goes to $HOME, some people > > > use /opt, and so on. > > > > So, this is the standard Unix pattern. We should add /usr/local/bin to > > the default PATH, though. > > > > Salam-Shalom, > > > > Werner > > and macports uses /opt/local/bin. > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From junkemail at paulapplegate.com Wed Jan 18 02:24:32 2017 From: junkemail at paulapplegate.com (Paul Applegate) Date: Tue, 17 Jan 2017 20:24:32 -0500 Subject: gpgme: error in OS X app bundle In-Reply-To: References: <877f5tetqa.fsf@wheatstone.g10code.de> <87ziipd4yp.fsf@wheatstone.g10code.de> <20170117215832.GB27480@raf.org> Message-ID: Here is what I sent you an hour and a half ago: You can use the website listed at the bottom of the email to unsubscribe. https://lists.gnupg.org/mailman/listinfo/gnupg-users You signed up for a mailing list, so you get every email until you unsubscribe. > On Jan 17, 2017, at 8:20 PM, Loy Fortner wrote: > > Stop the bull shit now > > On Jan 17, 2017 8:12 PM, > wrote: > Werner Koch wrote: > > > On Tue, 17 Jan 2017 14:52, rjh at sixdemonbag.org said: > > > > > Homebrew uses /usr/local, GPGTools uses /usr/local, GPGOSX uses > > > /usr/local/gnupg-2.1, hand-installed often goes to $HOME, some people > > > use /opt, and so on. > > > > So, this is the standard Unix pattern. We should add /usr/local/bin to > > the default PATH, though. > > > > Salam-Shalom, > > > > Werner > > and macports uses /opt/local/bin. > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -------------- next part -------------- An HTML attachment was scrubbed... 
URL:

From dshaw at jabberwocky.com Wed Jan 18 04:03:02 2017
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 17 Jan 2017 22:03:02 -0500
Subject: Trust signature domain
In-Reply-To: <74b25291-4069-e089-7207-9309a533d451@jelmail.com>
References: <74b25291-4069-e089-7207-9309a533d451@jelmail.com>
Message-ID: <00DF89EC-6D22-4197-9395-2D6F399B6D09@jabberwocky.com>

On Jan 16, 2017, at 11:52 AM, John Lane wrote:
>
> I'm trying to experiment with trust signatures but I can't work out how
> the 'domain' question is used ?
>
> I think I understand what it is for, but I can't enter a value and get
> it to work.
>
> I have a key A that has signed B at example.com and C at example.org
>
> If I tsign A at level 2 with the domain blank then B and C are fully valid.
>
> If I tsign A at level 2 with a domain of example.com then neither are
> valid. I expected B to be valid.
>
> From what I've read, I think this value might be a regular expression
> and need to be entered in a certain way.

The value is a regular expression internally, but you don't need to enter
it as one. GnuPG automatically takes what you enter into the domain field
and converts it to a regexp. For example:

  example.com

becomes:

  <[^>]+[@.]example\.com>$

Can you post the actual user IDs of the keys you are testing with (or a
similar example.com set) so I can try them as well?

David

From wk at gnupg.org Wed Jan 18 10:34:43 2017
From: wk at gnupg.org (Werner Koch)
Date: Wed, 18 Jan 2017 10:34:43 +0100
Subject: Renewing expired keys
In-Reply-To: <20170115210923.GA764@casa.casa> (Francesco Ariis's message of "Sun, 15 Jan 2017 22:09:23 +0100")
References: <20170115210923.GA764@casa.casa>
Message-ID: <87o9z4d83w.fsf@wheatstone.g10code.de>

On Sun, 15 Jan 2017 22:09, fa-ml at ariis.it said:

> gpg --edit-key

Since 2.1.17 you can also do this without using the menu:

  gpg --quick-set-expire YOUR_FINGERPRINT EXPIRE_DATE

EXPIRE_DATE can have the usual formats for example "2018-11-30"

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL:

From miro.rovis at croatiafidelis.hr Wed Jan 18 13:18:23 2017
From: miro.rovis at croatiafidelis.hr (Miroslav Rovis)
Date: Wed, 18 Jan 2017 13:18:23 +0100
Subject: Renewing expired keys
In-Reply-To: <0685060c-f366-1375-85dc-0f1a640246df@gmail.com>
References: <0685060c-f366-1375-85dc-0f1a640246df@gmail.com>
Message-ID: <20170118121823.GA5764@g0n.xdwgrp>

On 170115-22:17+0100, Juan Miguel Navarro Martínez wrote:
...
> Lastly, revoke the old one if you aren't going to use it publicly anymore.

Isn't it wrong to revoke a key which you don't consider was compromised?
If you don't want to use it, it suffices that it is expired, or?

--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
-------------- next part --------------
A non-text attachment was scrubbed...
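
David Shaw's reply in the "Trust signature domain" thread above says GnuPG turns the domain typed at the tsign prompt into a user-ID regexp. The following is an added example, not code from the list or from GnuPG: it rebuilds that pattern with Python's `re` module standing in for GnuPG's regexp engine, and compares it with the hand-written pattern Peter Lebbing corrected. The function names and all sample user IDs are assumptions constructed for illustration.

```python
import re


def domain_to_regexp(domain):
    # Same shape as the conversion quoted in the thread:
    #   example.com  ->  <[^>]+[@.]example\.com>$
    # re.escape() quotes the dots so they match only a literal dot.
    return r"<[^>]+[@.]" + re.escape(domain) + r">$"


def in_scope(user_id, pattern):
    # A trust signature's regexp is applied to the whole user ID string;
    # the pattern itself anchors on the closing '>' at the end.
    return re.search(pattern, user_id) is not None


def scope_report(pattern, user_ids):
    # Map each user ID to whether the pattern covers it.
    return {uid: in_scope(uid, pattern) for uid in user_ids}


# Constructed user IDs (not taken from anyone's keyring).
SAMPLE_USER_IDS = [
    "B <b@example.com>",                     # the case John Lane expected to work
    "C <c@example.org>",                     # different domain
    "Subdomain <d@mail.example.com>",        # accepted through the '.' in [@.]
    "Lookalike <e@notexample.com>",          # 'example' not preceded by @ or .
    "Suffix <f@example.com.other.test>",     # domain is not at the end
    "No brackets g@example.com",             # no <...> part at all
    "Trailing text <h@example.com> (work)",  # '>' is not the last character
]

# The hand-written pattern from the thread, before and after the dot is quoted.
LOOSE_HANDWRITTEN = r"<[^>]+@example.net>$"
STRICT_HANDWRITTEN = r"<[^>]+@example\.net>$"

# Constructed user IDs for the dot comparison.
NET_USER_IDS = [
    "N <n@example.net>",
    "Hyphen <t@example-net>",
    "Letter <o@exampleznet>",
    "Sub <s@mail.example.net>",
]


def dot_escape_difference(user_ids):
    # User IDs the unquoted-dot pattern accepts but the quoted one rejects.
    return [
        uid for uid in user_ids
        if in_scope(uid, LOOSE_HANDWRITTEN) and not in_scope(uid, STRICT_HANDWRITTEN)
    ]


if __name__ == "__main__":
    pattern = domain_to_regexp("example.com")
    print("pattern:", pattern)
    for uid, ok in scope_report(pattern, SAMPLE_USER_IDS).items():
        print(f"  {'in scope ' if ok else 'out      '} {uid}")
    print("accepted only because the dot is unquoted:")
    for uid in dot_escape_difference(NET_USER_IDS):
        print("  ", uid)
```

The thread does not establish why John Lane's tsign with example.com left B invalid; the example only shows which user IDs the quoted pattern covers.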
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Digital signature
URL:

From lachlan at twopif.net Wed Jan 18 13:29:33 2017
From: lachlan at twopif.net (Lachlan Gunn)
Date: Wed, 18 Jan 2017 22:59:33 +1030
Subject: Renewing expired keys
In-Reply-To: <20170118121823.GA5764@g0n.xdwgrp>
References: <0685060c-f366-1375-85dc-0f1a640246df@gmail.com> <20170118121823.GA5764@g0n.xdwgrp>
Message-ID:

On 2017-01-18 at 22:48, Miroslav Rovis wrote:
> On 170115-22:17+0100, Juan Miguel Navarro Martínez wrote:
> ...
>> Lastly, revoke the old one if you aren't going to use it publicly anymore.
> Isn't it wrong to revoke a key which you don't consider was compromised?
> If you don't want to use it, it suffices that it is expired, or?

No, compromise is only one reason---there are lots of reason-codes that
can go into the revocation packet, and compromise is only one.
Specifically, "superseded" is such a reason. Otherwise, if you switch
to a new key, people won't know that your old one is no longer in use.

Thanks,
Lachlan

From stefan.boehringer at posteo.de Wed Jan 18 13:06:10 2017
From: stefan.boehringer at posteo.de (Stefan Boehringer)
Date: Wed, 18 Jan 2017 13:06:10 +0100
Subject: Did I break my Ubuntu GPG installation?
Message-ID: <87k29sshcd.fsf@ubuntu.ubuntu>

Hello there.

I'm quite new to GnuPG. In November I played around with it and
generated my first key. In the meantime I started to read more about it
and decided to start anew, generating a masterkey under more secure
conditions (I used Tails), keeping it offline afterwards and generated
signing and encryption subkeys for daily use.

The problem now is as follows: on my Ubuntu machine I deleted my old key
and imported the new subkeys. But GPG wouldn't let me en- or decrypt
anything. So I thought, maybe it would be a good idea to uninstall GPG,
delete the .gnupg-folder and install it again. I did that and imported
the subkeys, but it still doesn't work.
The error is as follows:

>> gpg: Auf geht's - Botschaft eintippen ...
>> test
>> gpg: Keine gültigen OpenPGP-Daten gefunden.
>> gpg: processing message failed: Unbekannter Systemfehler

Could translate to: "no valid OpenPGP-Data" and "unknown system error"?

But gpg --edit-key stefan.boehringer at posteo.de shows me:

>> gpg (GnuPG) 2.1.15; Copyright (C) 2016 Free Software Foundation, Inc.
>> This is free software: you are free to change and redistribute it.
>> There is NO WARRANTY, to the extent permitted by law.
>>
>> Geheimer Schlüssel ist vorhanden.
>>
>> pub rsa4096/98723XXXXXXXXX
>> erzeugt: 2017-01-11 verfällt: niemals Aufruf: SC
>> Vertrauen: unbekannt Gültigkeit: unbekannt
>> ssb rsa4096/42B4XXXXXXXXXXX
>> erzeugt: 2017-01-11 verfällt: niemals Aufruf: E
>> ssb rsa2048/6E101XXXXXXXXXX
>> erzeugt: 2017-01-11 verfällt: 2019-01-11 Aufruf: S
>> ssb rsa2048/209F5XXXXXXXXX
>> erzeugt: 2017-01-11 verfällt: 2019-01-11 Aufruf: E
>> [ unbekannt ] (1). Stefan Böhringer (born Oct. 29. 1980, Regensburg, Germany)

I don't know why so much is stated as "unbekannt = unknown"...

On another Arch-Installation and on my Android-Phone using OpenKeyChain
it works just fine.

What could I do?

Best regards
Stefan

From dgouttegattat at incenp.org Wed Jan 18 15:24:11 2017
From: dgouttegattat at incenp.org (Damien Goutte-Gattat)
Date: Wed, 18 Jan 2017 15:24:11 +0100
Subject: Did I break my Ubuntu GPG installation?
In-Reply-To: <87k29sshcd.fsf@ubuntu.ubuntu>
References: <87k29sshcd.fsf@ubuntu.ubuntu>
Message-ID: <21993eb9-6f6c-65af-ca42-03019ba15699@incenp.org>

On 01/18/2017 01:06 PM, Stefan Boehringer wrote:
> I don't know why so much is stated as "unbekannt = unknown"...

It looks like you didn't save and restore your trust database when you
deleted your .gnupg folder (it's a file called trustdb.gpg). As a
result, GnuPG does not know what level of ownertrust should be assigned
to your key.
Your own key should normally be "ultimately trusted", and is the root
from which all key validity computations are done. Without an
ultimately trusted key, no key can be valid.

> What could I do?

Editing your key and manually setting its ownertrust to "ultimate"
(using the "trust" command in the key editor) should be enough.

Hope that helps,

Damien

From stefan.boehringer at posteo.de Wed Jan 18 15:41:31 2017
From: stefan.boehringer at posteo.de (Stefan Boehringer)
Date: Wed, 18 Jan 2017 15:41:31 +0100
Subject: Did I break my Ubuntu GPG installation?
In-Reply-To: <21993eb9-6f6c-65af-ca42-03019ba15699@incenp.org> (Damien Goutte-Gattat's message of "Wed, 18 Jan 2017 15:24:11 +0100")
References: <87k29sshcd.fsf@ubuntu.ubuntu> <21993eb9-6f6c-65af-ca42-03019ba15699@incenp.org>
Message-ID: <87fukgsa5g.fsf@ubuntu.ubuntu>

Damien Goutte-Gattat writes:

>> I don't know why so much is stated as "unbekannt = unknown"...
>
> It looks like you didn't save and restore your trust database when you
> deleted your .gnupg folder (it's a file called trustdb.gpg). As a
> result, GnuPG does not know what level of ownertrust should be
> assigned to your key.
>
> Your own key should normally be "ultimately trusted", and is the root
> from which all key validity computations are done. Without an
> ultimately trusted key, no key can be valid.
>
>> What could I do?
>
> Editing your key and manually setting its ownertrust to "ultimate"
> (using the "trust" command in the key editor) should be enough.
>
> Hope that helps,

Thank you Damien for your suggestion. I set trust to ultimate, but still
the "no valid OpenPGP-Data" error occurs.
>
> Damien

From miro.rovis at croatiafidelis.hr Wed Jan 18 15:49:03 2017
From: miro.rovis at croatiafidelis.hr (Miroslav Rovis)
Date: Wed, 18 Jan 2017 15:49:03 +0100
Subject: Renewing expired keys
In-Reply-To:
References: <0685060c-f366-1375-85dc-0f1a640246df@gmail.com> <20170118121823.GA5764@g0n.xdwgrp>
Message-ID: <20170118144903.GA7487@g0n.xdwgrp>

On 170118-22:59+1030, Lachlan Gunn wrote:
> On 2017-01-18 at 22:48, Miroslav Rovis wrote:
> > On 170115-22:17+0100, Juan Miguel Navarro Martínez wrote:
> > ...
> >> Lastly, revoke the old one if you aren't going to use it publicly anymore.
> > Isn't it wrong to revoke a key which you don't consider was compromised?
> > If you don't want to use it, it suffices that it is expired, or?
>
> No, compromise is only one reason---there are lots of reason-codes that
> can go into the revocation packet, and compromise is only one.
> Specifically, "superseded" is such a reason.
>
> Otherwise, if you switch to a new key, people won't know that your old
> one is no longer in use.
>
> Thanks,
> Lachlan
Thank *you*!
--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

From gnupg at jelmail.com Wed Jan 18 15:51:02 2017
From: gnupg at jelmail.com (John Lane)
Date: Wed, 18 Jan 2017 14:51:02 +0000
Subject: Trust signature domain
In-Reply-To: <00DF89EC-6D22-4197-9395-2D6F399B6D09@jabberwocky.com>
References: <74b25291-4069-e089-7207-9309a533d451@jelmail.com> <00DF89EC-6D22-4197-9395-2D6F399B6D09@jabberwocky.com>
Message-ID: <769078fd-fcf5-2cc3-7c22-eb2c8d57752c@jelmail.com>

On 18/01/17 03:03, David Shaw wrote:
>
> Can you post the actual user IDs of the keys you are testing with (or a similar example.com set) so I can try them as well?

Hi David, I have written a test shell script to experiment with trust
signatures.
The script is at https://git.io/vMXMQ

There are six participants: 'myself', who knows 'introducer' who knows
'alice' and 'blake'. 'blake' knows 'chloe' and 'david'

'introducer' signs 'alice' and trust-signs 'blake', who signs 'chloe'
and 'david'

'myself' trust-signs 'introducer'

I'm working on the belief that:

(a) by trust-signing introducer at level 1, any keys certified by
    introducer (i.e. alice and blake) become valid for me.

(b) by trust signing introducer at level 2 I extend (a) so that any keys
    certified by a key trust-certified by introducer (blake) also become
    valid for me (chloe and david).

(c) by trust signing with a domain restriction I limit the scope of (a)
    and (b) but it is not clear to me how this applies.

I think things look ok up to step 9 and point (a) and (b) appear to work
as I expect but (c) doesn't. I'd really appreciate some feedback about
what is happening in:

  step 10 (trust level 1 restricted to example.org)
  step 14 (trust level 2 restricted to example.org)
  step 16 (trust level 2 restricted to example.es)

It would appear that any domain restriction disables trust completely!

My test output is at https://git.io/vMXDa

Much appreciated.

From peter at digitalbrains.com Wed Jan 18 15:55:14 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Wed, 18 Jan 2017 15:55:14 +0100
Subject: Did I break my Ubuntu GPG installation?
In-Reply-To: <87k29sshcd.fsf@ubuntu.ubuntu>
References: <87k29sshcd.fsf@ubuntu.ubuntu>
Message-ID: <5c5ed0c1-c660-befd-8789-5bb2061a4cfd@digitalbrains.com>

On 18/01/17 13:06, Stefan Boehringer wrote:
> The error is as follows:
>
>>> gpg: Auf geht's - Botschaft eintippen ...
>>> test
>>> gpg: Keine gültigen OpenPGP-Daten gefunden.
>>> gpg: processing message failed: Unbekannter Systemfehler

What was the command line you used to invoke gpg? It looks like it is
expecting you to type in an OpenPGP message, i.e., one that begins with
"-----BEGIN PGP MESSAGE-----" for example. "test" is not valid OpenPGP
data.
I think you made a mistake in the invocation.

A test for encrypting and decrypting stuff from the command line looks
something like this:

$ echo Hello >test.txt
$ gpg -r stefan.boehringer at posteo.de -e test.txt
$ rm test.txt
$ gpg test.txt.gpg

And at the end, you'll have your test.txt back. If (like me) you think
pipes are cool, try this:

$ echo Hello | gpg -r stefan.boehringer at posteo.de -e | gpg

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From peter at digitalbrains.com Wed Jan 18 16:02:25 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Wed, 18 Jan 2017 16:02:25 +0100
Subject: Feature request: treat missing smartcard reader as missing smartcard
In-Reply-To: <87pojli87l.fsf@iwagami.gniibe.org>
References: <8faa5a56-ba3e-eebd-1546-c091774c1a0f@digitalbrains.com> <87pojli87l.fsf@iwagami.gniibe.org>
Message-ID: <63d77298-533f-6715-2d81-106318925137@digitalbrains.com>

On 18/01/17 00:21, NIIBE Yutaka wrote:
> This is just a lucky coincidence, but I'm glad to see the development of
> GnuPG goes well.

Ah, two birds with one stone! Thank you for working on multi-card-reader
setups!

> Thank you for your support of GnuPG. Your support encourages me
> (hopefully, all of us) fixing bugs and adding feature(s).

I'm real happy to hear that! Thank you! I love the improvements GnuPG 2.1
brings!

Cheers,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From dgouttegattat at incenp.org Wed Jan 18 16:39:27 2017
From: dgouttegattat at incenp.org (Damien Goutte-Gattat)
Date: Wed, 18 Jan 2017 16:39:27 +0100
Subject: Trust signature domain
In-Reply-To: <769078fd-fcf5-2cc3-7c22-eb2c8d57752c@jelmail.com>
References: <74b25291-4069-e089-7207-9309a533d451@jelmail.com> <00DF89EC-6D22-4197-9395-2D6F399B6D09@jabberwocky.com> <769078fd-fcf5-2cc3-7c22-eb2c8d57752c@jelmail.com>
Message-ID: <3f21747e-96ed-5e7c-b323-24c63c687825@incenp.org>

Hi,

On 01/18/2017 03:51 PM, John Lane wrote:
> I think things look ok up to step 9 and point (a) and (b) appear to work
> as I expect but (c) doesn't. I'd really appreciate some feedback about
> what is happening in:
>   step 10 (trust level 1 restricted to example.org)
>   step 14 (trust level 2 restricted to example.org)
>   step 16 (trust level 2 restricted to example.es)
>
> It would appear that any domain restriction disables trust completely!

I believe there's a bug in the handling of the regular expression
associated with a trust signature. I've just submitted a patch to fix it
[1]. With that patch applied, I get the expected result for step 10
(Blake's key is fully valid, not the others') and step 14 (Blake's key
is fully valid, and so are Chloe's and David's keys).

For step 16, none of the keys are valid, but I think that's the expected
behavior: you signed Introducer with a level 2 trust signature
restricted to example.es, so the signature of Blake's key (which has an
example.org UID) is rightly ignored. Blake's key is thus of unknown
validity and his signatures on Chloe's and David's keys are ignored as
well.

(Side note: you can use the '%transient-key' directive when
batch-generating keys for testing purposes. This instructs GnuPG to use
a less secure but faster random number generator, thus speeding up the
generation process.)
Damien

[1] https://lists.gnupg.org/pipermail/gnupg-devel/2017-January/032472.html

From gnupg at jelmail.com Wed Jan 18 17:34:13 2017
From: gnupg at jelmail.com (John Lane)
Date: Wed, 18 Jan 2017 16:34:13 +0000
Subject: Trust signature domain
In-Reply-To: <3f21747e-96ed-5e7c-b323-24c63c687825@incenp.org>
References: <74b25291-4069-e089-7207-9309a533d451@jelmail.com> <00DF89EC-6D22-4197-9395-2D6F399B6D09@jabberwocky.com> <769078fd-fcf5-2cc3-7c22-eb2c8d57752c@jelmail.com> <3f21747e-96ed-5e7c-b323-24c63c687825@incenp.org>
Message-ID:

On 18/01/17 15:39, Damien Goutte-Gattat wrote:
>
> I believe there's a bug in the handling of the regular expression
> associated with a trust signature. I've just submitted a patch to fix it
> [1]. With that patch applied, I get the expected result for step 10
> (Blake's key is fully valid, not the others') and step 14 (Blake's key
> is fully valid, and so are Chloe's and David's keys).

thanks for that. I thought I was going mad! I will look out for an
update that contains your patch...

>
> For step 16, none of the keys are valid, but I think that's the expected
> behavior: you signed Introducer with a level 2 trust signature
> restricted to example.es, so the signature of Blake's key (which has an
> example.org UID) is rightly ignored. Blake's key is thus of unknown
> validity and his signatures on Chloe's and David's keys are ignored as
> well.

I agree, I added that test because I wondered if I had misunderstood how
it ought to work.

>
> (Side note: you can use the '%transient-key' directive when
> batch-generating keys for testing purposes. This instructs GnuPG to use
> a less secure but faster random number generator, thus speeding up the
> generation process.)
>
I don't know how I missed that...
right below %no-protection which I did use :)

much appreciated your fast response to my query.

From stefan.boehringer at posteo.de Wed Jan 18 20:29:00 2017
From: stefan.boehringer at posteo.de (Stefan Boehringer)
Date: Wed, 18 Jan 2017 20:29:00 +0100
Subject: Did I break my Ubuntu GPG installation?
In-Reply-To: <5c5ed0c1-c660-befd-8789-5bb2061a4cfd@digitalbrains.com> (Peter Lebbing's message of "Wed, 18 Jan 2017 15:55:14 +0100")
References: <87k29sshcd.fsf@ubuntu.ubuntu> <5c5ed0c1-c660-befd-8789-5bb2061a4cfd@digitalbrains.com>
Message-ID: <874m0wjhfn.fsf@ubuntu.ubuntu>

Hello Peter and thank you very much!

> On 18/01/17 13:06, Stefan Boehringer wrote:
>> The error is as follows:
>>
>>>> gpg: Auf geht's - Botschaft eintippen ...
>>>> test
>>>> gpg: Keine gültigen OpenPGP-Daten gefunden.
>>>> gpg: processing message failed: Unbekannter Systemfehler
>
> What was the command line you used to invoke gpg? It looks like it is
> expecting you to type in an OpenPGP message, i.e., one that begins with
> "-----BEGIN PGP MESSAGE-----" for example. "test" is not valid OpenPGP
> data. I think you made a mistake in the invocation.
>
> A test for encrypting and decrypting stuff from the command line looks
> something like this:
>
> $ echo Hello >test.txt
> $ gpg -r stefan.boehringer at posteo.de -e test.txt
> $ rm test.txt
> $ gpg test.txt.gpg
>
> And at the end, you'll have your test.txt back. If (like me) you think
> pipes are cool, try this:
>
> $ echo Hello | gpg -r stefan.boehringer at posteo.de -e | gpg

That worked. I really misunderstood the gpg commandline. :-)

>
> HTH,
>
> Peter.

From stebe at mailbox.org Thu Jan 19 10:06:00 2017
From: stebe at mailbox.org (Stephan Beck)
Date: Thu, 19 Jan 2017 09:06:00 +0000
Subject: Counterarguments Supporting GnuPG over Off The Record (OTR)
In-Reply-To:
References:
Message-ID: <6760790b-9d89-b2b1-c50b-322afbaf9e43@mailbox.org>

15-20 years from now, OpenPGP will have expired and be a case of study
for computer historians.

Christian Heinrich:
> https://www.foo.be/2016/12/OpenPGP-really-works outlines a number of
> counter-arguments in support of GnuPG over OTR chat app and other
> alternatives.
>

From bernhard.kleine at gmx.net Thu Jan 19 10:56:58 2017
From: bernhard.kleine at gmx.net (Bernhard Kleine)
Date: Thu, 19 Jan 2017 10:56:58 +0100
Subject: Counterarguments Supporting GnuPG over Off The Record (OTR)
In-Reply-To: <6760790b-9d89-b2b1-c50b-322afbaf9e43@mailbox.org>
References: <6760790b-9d89-b2b1-c50b-322afbaf9e43@mailbox.org>
Message-ID: <719a75d9-ba7a-7620-a8a5-1151844687e1@gmx.net>

Nice to have a clairvoyant and soothsayer in this mailing list. Would
you dare to make a similar statement on the fate of windows or Linux? :)

Bernhard

On 19.01.2017 at 10:06, Stephan Beck wrote:
> 15-20 years from now, OpenPGP will have expired and be a case of study
> for computer historians.
>
> Christian Heinrich:
>> https://www.foo.be/2016/12/OpenPGP-really-works outlines a number of
>> counter-arguments in support of GnuPG over OTR chat app and other
>> alternatives.
>>

--
spitzhalde9
D-79853 lenzkirch
bernhard.kleine at gmx.net
www.b-kleine.com, www.urseetal.net
-
thunderbird with enigmail
GPG key: D5257409
fingerprint: 08 B7 F8 70 22 7A FC C1 15 49 CA A6 C7 6F A0 2E D5 25 74 09

From rjh at sixdemonbag.org Thu Jan 19 14:27:06 2017
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 19 Jan 2017 08:27:06 -0500
Subject: Counterarguments Supporting GnuPG over Off The Record (OTR)
In-Reply-To: <6760790b-9d89-b2b1-c50b-322afbaf9e43@mailbox.org>
References: <6760790b-9d89-b2b1-c50b-322afbaf9e43@mailbox.org>
Message-ID: <1a5e623d-f1d8-1c40-a0f2-83632a4832ec@sixdemonbag.org>

> 15-20 years from now, OpenPGP will have expired and be a case of study
> for computer historians.

Maybe. So what? 15-20 years from now many of us will have expired and
only be of interest to our families.

Everything dies. That doesn't make things less valuable.

From jeandavid8 at verizon.net Thu Jan 19 17:13:15 2017
From: jeandavid8 at verizon.net (Jean-David Beyer)
Date: Thu, 19 Jan 2017 11:13:15 -0500
Subject: Counterarguments Supporting GnuPG over Off The Record (OTR)
In-Reply-To: <6760790b-9d89-b2b1-c50b-322afbaf9e43@mailbox.org>
References: <6760790b-9d89-b2b1-c50b-322afbaf9e43@mailbox.org>
Message-ID:

On 01/19/2017 04:06 AM, Stephan Beck wrote:
> 15-20 years from now, OpenPGP will have expired and be a case of study
> for computer historians.
>

I agree. 20 years from now, we will all be using telepathy, and the
telephone and Internet will be redundant. Without electromagnetic
communication, and without paper communication, we will be unable to
encrypt anything. Will there be an equivalent to OpenPGP that works with
telepathy?

--
  .~.   Jean-David Beyer          Registered Linux User 85642.
  /V\   PGP-Key:166D840A 0C610C8B Registered Machine 1935521.
 /( )\  Shrewsbury, New Jersey    http://linuxcounter.net
 ^^-^^  11:10:01 up 8 days, 19:55, 3 users, load average: 5.18, 4.96, 4.87

From gnudevliz at gmail.com Thu Jan 19 15:09:20 2017
From: gnudevliz at gmail.com (Elizabeth Ferdman)
Date: Thu, 19 Jan 2017 06:09:20 -0800
Subject: spr332 vs spr532
Message-ID: <20170119140919.GB3026@localhost>

Hello,

I'm interning for the PGP Clean Room and am trying to get an OpenPGP
Card reader. Kernelconcepts is offering a SPR332 which is the successor
to the 532.
According to this page, though,

https://wiki.gnupg.org/CardReader/PinpadInput

the 532 seems to be recommended but the 332 is not. I'm wondering if
there's a specific reason why it was left out and if I should go for the
532 instead.

Thank you,
Elizabeth

From gniibe at fsij.org Fri Jan 20 00:17:02 2017
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Fri, 20 Jan 2017 08:17:02 +0900
Subject: spr332 vs spr532
In-Reply-To: <20170119140919.GB3026@localhost>
References: <20170119140919.GB3026@localhost>
Message-ID: <871svyej2p.fsf@iwagami.gniibe.org>

Hello,

Elizabeth Ferdman wrote:
> I'm interning for the PGP Clean Room and am trying to get an OpenPGP
> Card reader. Kernelconcepts is offering a SPR332 which is the successor
> to the 532. According to this page, though,
>
> https://wiki.gnupg.org/CardReader/PinpadInput

I wrote this page, when I added the support of pinpad input to scdaemon.

> the 532 seems to be recommended but the 332 is not. I'm wondering if
> there's a specific reason why it was left out and if I should go for the
> 532 instead.

Since Werner has SCM SPR 532, it was tested and listed.

Please note that the list is not for recommendation (as of today);
Vasco DigiPASS 920 (which I have) worked, but it only supports key
length <= 1024-bit of RSA. Gnuk Token is listed, but it has no hardware
pinpad, in fact. Some other readers were listed because they require
special handling to work around issues of their firmware.

I think that: if you need a tested reader, go for the 532. If you have
time and energy, go for the 332 and please let us know if it works or
not. I guess that it is likely to work well with PC/SC and we need a bit
of change for the internal CCID driver of GnuPG.

If it will work, I'll put it on the list. That will be a great
contribution to GnuPG community.
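
The scoping rules from the "Trust signature domain" thread earlier in this archive (steps 10, 14 and 16 of John Lane's test), as an added example that is not part of any message and is not GnuPG's code. It is a simplified model (no ownertrust, no marginal trust); the names `Cert`, `valid_keys` and `step`, the user IDs, and alice's example.com address are assumptions chosen so the outcomes agree with what Damien Goutte-Gattat reports.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cert:
    signer: str
    signee: str
    uid: str                      # user ID that was certified
    level: int = 0                # 0 = plain signature, >= 1 = trust signature depth
    regex: Optional[str] = None   # scope carried by a trust signature, if any


def domain_regex(domain: str) -> str:
    # Pattern shape gpg writes when a domain is entered at the tsign prompt.
    return r"<[^>]+[@.]" + re.escape(domain) + r">$"


def in_scope(uid: str, domain: str) -> bool:
    """True if a trust signature restricted to `domain` covers this user ID."""
    return re.search(domain_regex(domain), uid) is not None


def valid_keys(certs, root):
    """Propagate validity from `root` through trust signatures.

    A signer's certifications count only while it has remaining depth >= 1
    and the certified user ID matches the scope attached to that signer.
    """
    introducers = {root: (255, None)}      # key -> (remaining depth, scope regex)
    valid = {root}
    queue = [root]
    while queue:
        signer = queue.pop(0)
        depth, scope = introducers[signer]
        for c in certs:
            if c.signer != signer:
                continue
            if scope is not None and not re.search(scope, c.uid):
                continue                   # outside the restricted domain: ignored
            valid.add(c.signee)
            new_depth = min(c.level, depth - 1)
            if new_depth >= 1 and c.signee not in introducers:
                introducers[c.signee] = (new_depth, c.regex)
                queue.append(c.signee)
    return valid


def scenario(level: int, domain: str):
    """The thread's six participants; user IDs are constructed for illustration."""
    def uid(name, dom):
        return f"{name} <{name}@{dom}>"
    return [
        Cert("myself", "introducer", uid("introducer", "example.org"),
             level=level, regex=domain_regex(domain)),
        Cert("introducer", "alice", uid("alice", "example.com")),   # assumed domain
        Cert("introducer", "blake", uid("blake", "example.org"), level=1),
        Cert("blake", "chloe", uid("chloe", "example.org")),
        Cert("blake", "david", uid("david", "example.org")),
    ]


def step(level: int, domain: str):
    """Keys that become valid beyond 'myself' and 'introducer'."""
    return sorted(valid_keys(scenario(level, domain), "myself")
                  - {"myself", "introducer"})


if __name__ == "__main__":
    print("step 10:", step(1, "example.org"))
    print("step 14:", step(2, "example.org"))
    print("step 16:", step(2, "example.es"))
```

The `>$` anchor is what keeps a look-alike address such as `<m@example.org.evil.test>` out of scope, while the `[@.]` class admits subdomains of the restricted domain.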
--

From christian.heinrich at cmlh.id.au Thu Jan 19 22:46:37 2017
From: christian.heinrich at cmlh.id.au (Christian Heinrich)
Date: Fri, 20 Jan 2017 08:46:37 +1100
Subject: Counterarguments Supporting GnuPG over Off The Record (OTR)
In-Reply-To: <6760790b-9d89-b2b1-c50b-322afbaf9e43@mailbox.org>
References: <6760790b-9d89-b2b1-c50b-322afbaf9e43@mailbox.org>
Message-ID:

Stephan,

On Thu, Jan 19, 2017 at 8:06 PM, Stephan Beck wrote:
> 15-20 years from now, OpenPGP will have expired and be a case of study
> for computer historians.

I doubt this as PGP was published ~25 years ago (on 5 June 1991) and
has outlasted the modern operating system support to hardware
manufactured in the 1990s.

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

From miro.rovis at croatiafidelis.hr Fri Jan 20 07:10:37 2017
From: miro.rovis at croatiafidelis.hr (Miroslav Rovis)
Date: Fri, 20 Jan 2017 07:10:37 +0100
Subject: Counterarguments Supporting GnuPG over Off The Record (OTR)
In-Reply-To:
References: <6760790b-9d89-b2b1-c50b-322afbaf9e43@mailbox.org>
Message-ID: <20170120061037.GA22582@g0n.xdwgrp>

On 170119-11:13-0500, Jean-David Beyer wrote:
> On 01/19/2017 04:06 AM, Stephan Beck wrote:
> > 15-20 years from now, OpenPGP will have expired and be a case of study
> > for computer historians.
> >
>
> I agree. 20 years from now, we will all be using telepathy, and the
> telephone and Internet will be redundant. Without electromagnetic
> communication, and without paper communication, we will be unable to
> encrypt anything. Will there be an equivalent to OpenPGP that works with
> telepathy?

You probably meant:
> ...Without electromagnetic
> communication, without paper communication, we will be *able* to
> encrypt anything. Will there be an equivalent to OpenPGP that works with
> telepathy?

Oh, c'mon! "We will be gods!" is a really old argument! But it has never
made it, never will, nor it could.
There's a Perfection infinitely greater than us, and to that Living
Perfection we will never ever be equal to. Not even close to, not for
the most myopic of minds!

Pls. just first do make one single hair on your head turn another color
with your own mind! Then we might talk!

Besides, the argument in this thread misses on the evil of the
communication of today, and that evil is posed to only grow: the
wholesale spying, you know, like the Schmoog the Schmoogle does, like
the NSA and likely every single other, be it small, be it large, secret
state subject of the kind. The spying on all and everybody, or, if you
prefer euphemisms: mass surveillance, bulk data collection.

We're already half-slaves because you are not free if you are
controlled, and (since the huge spying is about acting, where needed, on
the information collected, spying is not just about some only and purely
insane curiosity)...

And we all are controlled, exception, to varying extent, being only the
very advanced among us that people like GnuPG developers empower, to
whom my thanks go!

But I agree that it's unpredictable where the road will take us...
Although some limits will always be there, and at the Will of the
Perfection that rules, unseen by the myopic views of the subjects that
do not want to admit they are not, and can't be, and never will be gods,
in the sense of complete control, say, of even their own lives, let
alone any wider reality around their lives.

Regards!
--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

From tokktokk at riseup.net Fri Jan 20 14:39:57 2017
From: tokktokk at riseup.net (unknown)
Date: Fri, 20 Jan 2017 14:39:57 +0100
Subject: Fresh OS installation
In-Reply-To:
References:
Message-ID:

Hi,

it worked fine, although I got this message on the terminal:

process at process ~ $ tar cf gnupg-backup.tar .gnupg/
tar: .gnupg/S.gpg-agent: socket ignored

Is this important?

Greetings!

On 11/18/2016 10:32 PM, gnupg-users-request at gnupg.org wrote:
> Message: 1
> Date: Thu, 17 Nov 2016 20:34:19 +0100
> From: unknown
> To: gnupg-users at gnupg.org
> Subject: Fresh OS installation
> Message-ID: <980b9088-96d4-627e-d065-c6b0494b5da6 at riseup.net>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> Hi,
>
> I'd like to make a fresh linux installation.
> What is the best way to use my keys and settings I've already configured
> on my old OS?
> Do I back things up, or make a copy from the config. file?
> I've just started using Gnupg (and Linux).
>
> Thank you.
>
> ------------------------------
>
> Message: 2
> Date: Thu, 17 Nov 2016 16:28:28 -0500
> From: "Robert J. Hansen"
> To:
> Subject: RE: Fresh OS installation
> Message-ID: <020001d24119$8a7d6ff0$9f784fd0$@sixdemonbag.org>
> Content-Type: text/plain; charset="us-ascii"
>
>> What is the best way to use my keys and settings I've already configured on
>> my old OS? Do I back things up, or make a copy from the config. file?
>
> Good question: there really isn't a good, standardized way to do this.
> There are three different branches of GnuPG that are in common use (1.4,
> 2.0, 2.1), and it's possible that your old keys were set up on 1.4, your new
> machine will be a 2.1 install, and so on.
>
> The easiest way will not necessarily be the best way. It will probably be
> good enough for your purposes.
>
> On your old machine:
>
> $ cd ~
> $ tar cf gnupg-backup.tar .gnupg/
>
> Copy the tarfile to your new installation. Place it in your home directory.
> Then, on your new machine:
>
> $ cd ~
> $ rm -rf .gnupg
> $ tar xf ./gnupg-backup.tar
> $ rm -f .gnupg/random_seed
> $ gpg --list-secret-keys
> $ gpg --list-keys
>
> If you can list your secret keys and public keys OK, then you're probably
> good to go. Let us know if you have any problems.
>
> ------------------------------
>
> Message: 3
> Date: Fri, 18 Nov 2016 08:22:09 +0100
> From: Werner Koch
> To: Lukas Tröbinger
> Cc: gnupg-users at gnupg.org
> Subject: Re: gpg4win HKPS in gpg.conf correct slash
> Message-ID: <87lgwhqmla.fsf at wheatstone.g10code.de>
> Content-Type: text/plain; charset="us-ascii"
>
> On Thu, 17 Nov 2016 20:25, lukas.troebinger at gmail.com said:
>
>> ca-cert-file=/path/to/CA/sks-keyservers.netCA.pem". In Windows, what is the
>> correct slash to use?
>> Is it / or \?
> Windows officially supports a forward slash in its core APIs but not in
> the shell.
> We do not use the shell and thus the use of a forward slash
> in GnuPG configuration files is okay.
>
>
> Shalom-Salam,
>
> Werner
>

From antony at blazrsoft.com Fri Jan 20 20:36:00 2017
From: antony at blazrsoft.com (Antony Prince)
Date: Fri, 20 Jan 2017 14:36:00 -0500
Subject: Fresh OS installation
In-Reply-To:
References:
Message-ID: <64abae3f-2f40-a17f-7430-259cdc0cc3ec@blazrsoft.com>

On 1/20/2017 8:39 AM, unknown wrote:
> Hi,
>
>
> it worked fine, although I got this message on the terminal:
>
> process at process ~ $ tar cf gnupg-backup.tar .gnupg/
> tar: .gnupg/S.gpg-agent: socket ignored
>
> Is this important?

No. It just means that tar skipped the socket file for gpg-agent.
gpg-agent will recreate this socket when it is started. So no worries.

From aranea at aixah.de Fri Jan 20 20:41:45 2017
From: aranea at aixah.de (Luis Ressel)
Date: Fri, 20 Jan 2017 20:41:45 +0100
Subject: Fresh OS installation
In-Reply-To:
References:
Message-ID: <20170120204145.55e7e0ce@gentp.lnet>

On Fri, 20 Jan 2017 14:39:57 +0100 unknown wrote:

> Hi,
>
>
> it worked fine, although I got this message on the terminal:
>
> process at process ~ $ tar cf gnupg-backup.tar .gnupg/
> tar: .gnupg/S.gpg-agent: socket ignored
>
> Is this important?
>

Nope. This filesystem entry just represents the socket that gnupg uses
to communicate with gpg-agent. It's not a file, and no data is stored in
it.

Regards,
Luis Ressel

From aranea at aixah.de Fri Jan 20 23:29:55 2017
From: aranea at aixah.de (Luis Ressel)
Date: Fri, 20 Jan 2017 23:29:55 +0100
Subject: Choosing between multiple signing keys
Message-ID: <20170120232943.3f2def2f@gentp.lnet>

Hello,

today I created a new key with two separate signing keys and moved those
to my two yubikeys.
But now, gpg insists on always using the second of those subkeys for
signing operations, even when the yubikey with the first subkey is
plugged in.

How can I explicitly specify which subkey should be used? I've tried
passing in the subkey ID via the '-u'-option, but this didn't work.

I'm using GnuPG 2.1.17.

Regards,
Luis Ressel

From aranea at aixah.de Sat Jan 21 01:26:14 2017
From: aranea at aixah.de (Luis Ressel)
Date: Sat, 21 Jan 2017 01:26:14 +0100
Subject: tofu: Missing entry in the bindings table for new key
Message-ID: <20170121012614.3c67ca2a@gentp.lnet>

Hello,

I created a new key today. When I tried to verify a signature made by
this key, I got the error message

gpg: Signature made Sat Jan 21 01:07:59 2017 CET
gpg: using RSA key DEADBEEF
gpg: Good signature from "foo " [ultimate]
gpg: aka "foo " [ultimate]
gpg: error updating TOFU database: NOT NULL constraint failed: signatures.binding
gpg: TOFU: error registering signature: General error

Apparently no entry for my key/userid had been recorded in the bindings
table. I was of course able to fix this by calling "gpg --tofu-policy
good DEADBEEF", but it still looks like a bug to me. Any ideas how this
could happen?

Potentially relevant facts:
* The new key's userid collides with that of my old key.
* I'm using the setting "tofu-default-policy unknown".

Regards,
Luis Ressel

From 2014-667rhzu3dc-lists-groups at riseup.net Sat Jan 21 11:45:05 2017
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA)
Date: Sat, 21 Jan 2017 10:45:05 +0000
Subject: Counterarguments Supporting GnuPG over Off The Record (OTR)
In-Reply-To: <20170120061037.GA22582@g0n.xdwgrp>
References: <6760790b-9d89-b2b1-c50b-322afbaf9e43@mailbox.org> <20170120061037.GA22582@g0n.xdwgrp>
Message-ID: <3110628794.20170121104505@riseup.net>

On Friday 20 January 2017 at 6:10:37 AM, in , Miroslav Rovis wrote:-

> And we all are controlled, exception, to varying
> extent,

We are all completely controlled in modern society: we are enslaved to
money and those who control it.

--
Best regards

MFPA

Zorba the Greek - before he zorbas you

From peter at digitalbrains.com Sat Jan 21 11:55:46 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Sat, 21 Jan 2017 11:55:46 +0100
Subject: Choosing between multiple signing keys
In-Reply-To: <20170120232943.3f2def2f@gentp.lnet>
References: <20170120232943.3f2def2f@gentp.lnet>
Message-ID:

On 2017-01-20 23:29, Luis Ressel wrote:
> How can I
> explicitly specify which subkey should be used? I've tried
> passing in the subkey ID via the '-u'-option, but this didn't work.

You should append a ! to the key ID. This specifies you want this specific key and not the keyset to which it belongs.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From aranea at aixah.de Sat Jan 21 18:11:11 2017
From: aranea at aixah.de (Luis Ressel)
Date: Sat, 21 Jan 2017 18:11:11 +0100
Subject: Choosing between multiple signing keys
In-Reply-To:
References: <20170120232943.3f2def2f@gentp.lnet>
Message-ID: <20170121181111.557910bc@gentp.lnet>

On Sat, 21 Jan 2017 11:55:46 +0100 Peter Lebbing wrote:

> You should append a ! to the key ID. This specifies you want this
> specific key and not the keyset to which it belongs.

Thanks for the hint! This did indeed fix my problem.

Regards,
Luis

From rsv869 at runbox.com Sat Jan 21 22:57:09 2017
From: rsv869 at runbox.com (Reid Vail)
Date: Sat, 21 Jan 2017 16:57:09 -0500
Subject: I'm confused about GPG, and it's confused about me
In-Reply-To: <20170117221832.BE46B200EC@smtp.hushmail.com>
References: <20170117150916.5dc94f90@rsv2-Serval-Pro> <20170117221832.BE46B200EC@smtp.hushmail.com>
Message-ID: <20170121165709.316f9aef@rsv2-Serval-Pro>

Hello Vedaal -

Thanks for your reply. I executed the steps you listed (see below) and they completed without any errors. However I am not yet successful at getting my GPG implementation to work.

Working in Claws-mail I try to send an encrypted test message to the address with the available public key (the one I exported and imported as you mentioned).
I would have expected the key just mentioned should appear as one I could select in Claws pop-up box but it doesn't and I have to search for it with the "Other" selection, and then it's found and I select it.

Next I get a message that the Key is "not fully trusted" and do I want to use it anyway? I do. I get another message saying the "signature failed. Unusable secret Key."

When I look in the Linux app called Seahorse I do see the key. When I look within the Trust tab I see that the Trust box is selected but when I try to sign it this fails, saying "no usable keys".

I'm confused on my next trouble-shooting steps. Any advice is appreciated.

TIA,
rsv869

On Tue, 17 Jan 2017 17:18:32 -0500 vedaal at nym.hush.com wrote:

>
>
> On 1/17/2017 at 4:14 PM, "Reid Vail" wrote: I can run GnuPG at the
> command line and can create a new key pair, and the output
> from the --fingerprint option is shown directly below, but encrypting
> through Claws
> fails with an error that simply says "encryption failed".
>
> Next I tried to get a basic signature to work, and that fails also,
> shown next.
> rsv2 at rsv2-Serval-Pro ~ $ gpg --clearsign --local-user --default-key
> encryption test
> gpg: skipped "--default-key": secret key not available
> gpg: encryption test: clearsign failed: secret key not available
>
> =====
>
> You have imported only your public key not your secret key
>
> Export your public and secret key as an .asc file, (let's say RV.asc)
>
> Then do gpg --import RV.asc
>
> Your secret key will be added to your keyring.
>

From adam at sherman.ca Sun Jan 22 19:47:37 2017
From: adam at sherman.ca (Adam Sherman)
Date: Sun, 22 Jan 2017 13:47:37 -0500
Subject: Full Workflow with Smart Card(s)
Message-ID: <80bd4afc-5232-75c7-9bcc-2686e052f779@sherman.ca>

Good Afternoon All,

I would like to put together a full workflow for creating and using GPG. Having read a few articles about using air-gapped systems and Smartcards, I'm almost there.
I currently have a setup where the master key is on a USB key, which is only inserted into an air-gapped system when required. Day-to-day subkeys are stored on a Yubikey for regular use. This works.

But, using an air-gapped system to sign keys that you trust seems rather unwieldy, particularly when you include in the process the need to copy the public keys to media accessible by the air-gapped system.

Could a second smartcard be used to generate and store the master key, instead?

What do others do?

Thanks for your input,

A.

From andrewg at andrewg.com Mon Jan 23 00:11:31 2017
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Sun, 22 Jan 2017 23:11:31 +0000
Subject: Full Workflow with Smart Card(s)
In-Reply-To: <80bd4afc-5232-75c7-9bcc-2686e052f779@sherman.ca>
References: <80bd4afc-5232-75c7-9bcc-2686e052f779@sherman.ca>
Message-ID: <4163A076-4833-4314-88CB-B7349F951F5F@andrewg.com>

On 22 Jan 2017, at 18:47, Adam Sherman wrote:
>
> But, using an air-gapped system to sign keys that you trust seems rather
> unwieldy, particularly when you include in the process the need to copy
> the public keys to media accessible by the air-gapped system.

Working out what to do with your primary key is the big conundrum. I don't think there is a perfect solution.

> Could a second smartcard be used to generate and store the master key,
> instead?

Yes, and there are some on this list (not me!) who have done so and can share their experiences.

> What do others do?

I keep my primary keys on a Tails persistent volume, and use a smartcard for the subkeys. I find Tails an acceptable compromise between completely airgapped keys and convenience. YMMV.
https://tails.boum.org

I've written utilities to simplify key management and persistent volume backups, but these should be considered experimental and beta (respectively). I've been meaning to polish them up but can't seem to find the time - they both need extensive refactoring. But if you feel like living on the bleeding edge, go for it. :-)

https://andrewg.com/frith.html

Andrew

From ankostis at gmail.com Mon Jan 23 01:06:38 2017
From: ankostis at gmail.com (ankostis)
Date: Mon, 23 Jan 2017 01:06:38 +0100
Subject: pyme3 for Windows
Message-ID:

Has anybody managed to compile pyme3 on Windows?

Thanks for all the Hard Work,
Kostis

From gnupg at jelmail.com Mon Jan 23 11:01:41 2017
From: gnupg at jelmail.com (John Lane)
Date: Mon, 23 Jan 2017 10:01:41 +0000
Subject: Changing passphrase parameters (s2k options)
Message-ID: <161314f8-d3cf-fe35-db68-8ef6e35024fd@jelmail.com>

I've been reading about symmetric encryption of the private key.

When I tried to experiment with the `--s2k` options, attempting to change the passphrase on my key, I found that they were ignored. A brief search identified issue 1800 [1] on the bug tracker which was last updated in 2015, some 20 months ago.

Is it possible with gpg2.x to re-encrypt a private key with new s2k options ?

I have gpg (GnuPG) 2.1.17 libgcrypt 1.7.5.

[1]: https://bugs.gnupg.org/gnupg/issue1800

From peter at digitalbrains.com Mon Jan 23 12:22:19 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Mon, 23 Jan 2017 12:22:19 +0100
Subject: Changing passphrase parameters (s2k options)
In-Reply-To: <161314f8-d3cf-fe35-db68-8ef6e35024fd@jelmail.com>
References: <161314f8-d3cf-fe35-db68-8ef6e35024fd@jelmail.com>
Message-ID: <0e4ff183-0a16-4729-66f1-160c4598d9e5@digitalbrains.com>

On 23/01/17 11:01, John Lane wrote:
> I've been reading about symmetric encryption of the private key.
>
> When I tried to experiment with the `--s2k` options, attempting to
> change the passphrase on my key, I found that they were ignored.

GnuPG 2.1 handles the private key in a completely different manner than earlier versions. I couldn't find any other configurable things than the s2k-count. Look at the difference between the man page for 2.1.16 and 1.4.18:

1.4.18:
> --s2k-cipher-algo name
> Use name as the cipher algorithm used to protect secret keys.
> The default cipher is CAST5. This cipher is also used for
> conventional encryption if --personal-cipher-preferences and
> --cipher-algo is not given.

2.1.16:
> --s2k-cipher-algo name
> Use name as the cipher algorithm for symmetric encryption with a
> passphrase if --personal-cipher-preferences and --cipher-algo are
> not given. The default is AES-128.

> A brief
> search identified issue 1800 [1] on the bug tracker which was last
> updated in 2015, some 20 months ago.

It's close to what you're talking about, but not exactly. That is specifically about *exporting* an OpenPGP secret key, not how it is *stored* in your keyring. The protection on private-keys-v1.d is implemented differently than the protection of the OpenPGP standard which is used for export.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From gnupg at jelmail.com Mon Jan 23 12:54:02 2017
From: gnupg at jelmail.com (John Lane)
Date: Mon, 23 Jan 2017 11:54:02 +0000
Subject: Changing passphrase parameters (s2k options)
In-Reply-To: <0e4ff183-0a16-4729-66f1-160c4598d9e5@digitalbrains.com>
References: <161314f8-d3cf-fe35-db68-8ef6e35024fd@jelmail.com> <0e4ff183-0a16-4729-66f1-160c4598d9e5@digitalbrains.com>
Message-ID:

On 23/01/17 11:22, Peter Lebbing wrote:

> It's close to what you're talking about, but not exactly. That is
> specifically about *exporting* an OpenPGP secret key, not how it is
> *stored* in your keyring.
> The protection on private-keys-v1.d is
> implemented differently than the protection of the OpenPGP standard
> which is used for export.

Ok, so - if I understand you correctly - when I *export* the secret key I can choose which algorithms are applied to the exported copy ?

So I tried:

$ gpg --export-secret-key my-key | gpg --list-packets | grep S2K
gnu-dummy S2K, algo: 0, simple checksum, hash: 0
iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: ...
iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: ...

(I presume the first line is like that because the primary secret isn't in my ring)

Then:

$ gpg --export-secret-key --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 my-key | gpg --list-packets | grep S2K
gnu-dummy S2K, algo: 0, simple checksum, hash: 0
iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: ...
iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: ...

Surely I would expect it to look like

iter+salt S2K, algo: 9, SHA512 protection, hash: 10, salt: ...

Thanks.

From peter at digitalbrains.com Mon Jan 23 13:34:46 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Mon, 23 Jan 2017 13:34:46 +0100
Subject: Changing passphrase parameters (s2k options)
In-Reply-To:
References: <161314f8-d3cf-fe35-db68-8ef6e35024fd@jelmail.com> <0e4ff183-0a16-4729-66f1-160c4598d9e5@digitalbrains.com>
Message-ID:

On 23/01/17 12:54, John Lane wrote:
> Ok, so - if I understand you correctly - when I *export* the secret key
> I can choose which algorithms are applied to the exported copy ?

No, I meant that the bug report (turned feature request) is about choosing the options for export. As long as the bug is open, it's not possible to change it for export either.

However, in your initial mail you said:
> When I tried to experiment with the `--s2k` options, attempting to
> change the passphrase on my key, I found that they were ignored.
From "chang[ing] the passphrase" I inferred you were talking about how the key is stored in the keyring, not about exporting the secret key.

What are you trying to do? Change the encryption on an exported private key or changing the encryption of the private key store of GnuPG?

(FWIW, I don't think you can currently do either. Possibly you can change the s2k-count via the agent protocol, but that might not pertain to the private key store, I just don't know).

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From gnupg at jelmail.com Mon Jan 23 14:08:19 2017
From: gnupg at jelmail.com (John Lane)
Date: Mon, 23 Jan 2017 13:08:19 +0000
Subject: Changing passphrase parameters (s2k options)
In-Reply-To:
References: <161314f8-d3cf-fe35-db68-8ef6e35024fd@jelmail.com> <0e4ff183-0a16-4729-66f1-160c4598d9e5@digitalbrains.com>
Message-ID: <34c6812f-a338-e802-b2c0-b110bebf6e90@jelmail.com>

On 23/01/17 12:34, Peter Lebbing wrote:
> On 23/01/17 12:54, John Lane wrote:
>> Ok, so - if I understand you correctly - when I *export* the secret key
>> I can choose which algorithms are applied to the exported copy ?
>
> No, I meant that the bug report (turned feature request) is about
> choosing the options for export. As long as the bug is open, it's not
> possible to change it for export either.
>

ah, ok.

> However, in your initial mail you said:
>> When I tried to experiment with the `--s2k` options, attempting to
>> change the passphrase on my key, I found that they were ignored.
>
> From "chang[ing] the passphrase" I inferred you were talking about how
> the key is stored in the keyring, not about exporting the secret key.
>
> What are you trying to do? Change the encryption on an exported private
> key or changing the encryption of the private key store of GnuPG?
>

I started out trying to change the encryption of the key in the keyring (because that is how I understood it to work) so that I could export a copy of the key protected with better encryption.

I did not appreciate the implications of the difference brought about by 2.x wrt private key storage (but was aware of it).

I then read your email and thought, "great! the options are applied during the export.", and went off to try that but discovered quickly (and as you have clarified) that it doesn't work that way.

I was going to pose a follow-up question, which is now moot, about controlling how the encryption within the agent keyring is done. But I was going to go away and do my own research first.

> (FWIW, I don't think you can currently do either. Possibly you can
> change the s2k-count via the agent protocol, but that might not pertain
> to the private key store, I just don't know).
>

So, I guess, to summarise... until issue 1800 is addressed there is no way to change the encryption of an existing secret key?

FWIW I started looking at this because I was researching keybase and its storage of private keys. Whilst I have not stored my private key on any host I don't control, I was curious to understand how it could be done securely by understanding how private keys are protected and how that can be enhanced should there be desire to externally them.

Thanks,
John

>

From jerry at seibercom.net Mon Jan 23 16:28:01 2017
From: jerry at seibercom.net (Jerry)
Date: Mon, 23 Jan 2017 10:28:01 -0500
Subject: pyme3 for Windows
In-Reply-To:
References:
Message-ID: <20170123102801.00001402@seibercom.net>

On Mon, 23 Jan 2017 01:06:38 +0100, ankostis stated:

>Has anybody managed to compile pyme3 on Windows?
>
>Thanks for all the Hard Work,
> Kostis
>

I don't know if this is what you are looking for.
https://sourceforge.net/projects/pyme/files/latest/download?source=files

-- 
Jerry

From ankostis at gmail.com Mon Jan 23 20:08:42 2017
From: ankostis at gmail.com (ankostis)
Date: Mon, 23 Jan 2017 20:08:42 +0100
Subject: pyme3 for Windows
In-Reply-To: <20170123102801.00001402@seibercom.net>
References: <20170123102801.00001402@seibercom.net>
Message-ID:

On 23 January 2017 at 16:28, Jerry wrote:

> On Mon, 23 Jan 2017 01:06:38 +0100, ankostis stated:
>
> >Has anybody managed to compile pyme3 on Windows?
> >
> >Thanks for all the Hard Work,
> > Kostis
> >
>
> I don't know if this is what you are looking for.
>
> https://sourceforge.net/projects/pyme/files/latest/download?source=files
>
>

Almost!
These are `pyme-0.8.1` win32-bindings for python-2.

The latest bindings have been ported to python-3 and renamed to `pyme3`, currently in version `1.7.1`,[1] and are now part of `libgpgme` project.[2]

I need them compiled for python 3.5 & 3.6 (due to differences in MSVCR I think).
- The easiest would be to be compatible with GPGvWin.[3]
- The optimal would be to include them in Gohlke's "Python Unofficial binaries" [4], or upload them as a 32bit-wheel in PyPi.

So far I downloaded from GnuPG-downloads [5] and managed to compile `Libgpg-error` and `Libassuan` dev-libraries using MinGW cross-compiler in Debian. But I do not know what to do next (or if this is the right path)?

Any more help appreciated, but thank you Jerry anyway,
Kostis

[1] https://pypi.python.org/pypi/pyme3
[2] https://www.gnupg.org/blog/20160921-python-bindings-for-gpgme.html
[3] http://gpg4win.org/download.html
[4] http://www.lfd.uci.edu/~gohlke/pythonlibs/
[5] https://www.gnupg.org/download/index.html

-- 
> Jerry
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
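Added example, not part of any message in this archive: a small parser for the `S2K` lines that `gpg --list-packets` printed in the "Changing passphrase parameters (s2k options)" thread above, decoding the numeric IDs with the RFC 4880 tables and listing the exported keys that do not use a requested cipher and digest. The function names are hypothetical and the sample is the output as posted in that thread; in this output "SHA1 protection" names the integrity check on the secret-key material, while the S2K digest is the separate `hash:` field.

```python
import re

# OpenPGP algorithm IDs: RFC 4880 sections 9.2 (ciphers) and 9.4 (hashes),
# plus the Camellia IDs from RFC 5581.
CIPHERS = {0: "plaintext", 1: "IDEA", 2: "3DES", 3: "CAST5", 4: "Blowfish",
           7: "AES128", 8: "AES192", 9: "AES256", 10: "Twofish",
           11: "CAMELLIA128", 12: "CAMELLIA192", 13: "CAMELLIA256"}
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384",
          10: "SHA512", 11: "SHA224"}

# GnuPG-specific S2K modes marking a key whose secret part is not in the
# export (stripped primary key, or a key that lives on a smartcard).
STUB_MODES = {"gnu-dummy", "gnu-divert-to-card"}

S2K_LINE = re.compile(
    r"(?P<mode>[\w+-]+) S2K, algo: (?P<algo>\d+), "
    r"(?P<check>SHA1 protection|simple checksum), hash: (?P<hash>\d+)")

# Output as posted in the thread (salts were elided there as "...").
SAMPLE = """\
gnu-dummy S2K, algo: 0, simple checksum, hash: 0
iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: ...
iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: ...
"""


def parse_s2k(listing):
    """Return one dict per S2K line found in `gpg --list-packets` output."""
    entries = []
    for m in S2K_LINE.finditer(listing):
        mode = m.group("mode")
        algo, digest = int(m.group("algo")), int(m.group("hash"))
        entries.append({
            "mode": mode,
            "stub": mode in STUB_MODES,
            "cipher": CIPHERS.get(algo, "unknown(%d)" % algo),
            "hash": HASHES.get(digest, "unknown(%d)" % digest),
            # S2K usage 254 (SHA-1 hash over the secret material) versus
            # usage 255 (two-octet checksum); unrelated to the S2K digest.
            "integrity": ("SHA-1 hash"
                          if m.group("check") == "SHA1 protection"
                          else "16-bit checksum"),
        })
    return entries


def mismatches(listing, want_cipher, want_hash):
    """List (index, cipher, hash) for protected keys that differ from the request."""
    found = []
    for index, entry in enumerate(parse_s2k(listing)):
        if entry["stub"]:
            continue  # no secret material in the export, nothing is encrypted
        if (entry["cipher"], entry["hash"]) != (want_cipher, want_hash):
            found.append((index, entry["cipher"], entry["hash"]))
    return found


if __name__ == "__main__":
    for entry in parse_s2k(SAMPLE):
        print(entry)
    # The export in the thread was requested with AES256 / SHA512.
    print(mismatches(SAMPLE, "AES256", "SHA512"))
```
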

From brian at minton.name Mon Jan 23 19:53:54 2017
From: brian at minton.name (Brian Minton)
Date: Mon, 23 Jan 2017 13:53:54 -0500
Subject: Test Mail
In-Reply-To: <20170105053534.GB15311@localhost4.local>
References: <20170105053534.GB15311@localhost4.local>
Message-ID:

On 01/05/2017 12:35 AM, Roger wrote:
> Test mail to mailing list testing GNUPG signing, appearance and hopefully
> conforming to mailing list standards.

I received your post to the list. I also verified a good signature.

From andrew.long at me.com Mon Jan 23 17:50:54 2017
From: andrew.long at me.com (Andrew Long)
Date: Mon, 23 Jan 2017 16:50:54 +0000
Subject: Getting at a PGPDisk's contents
Message-ID: <1A9C994E-5F68-4872-AF1F-6B2D6A7DCCE2@me.com>

Hi all.

Bit of an embarrassing question. I used to have PGP Desktop, with whole disk encryption, installed (although my disk wasn't encrypted). I had created a "PGPDisk" archive (and I still have the underlying file)

HOWEVER…

As part of the upgrade process to El Capitan, I had to completely uninstall PGP and I no longer have it installed so I can't directly access the contents of this encrypted archive.

Is there a way to square this circle? I imagine that it's something like an encrypted ZIP file.

Any help will be appreciated.

Thanks & Regards, Andy

-- 
Andrew Long
Andrew dot Long at Mac dot com

From wk at gnupg.org Mon Jan 23 22:46:23 2017
From: wk at gnupg.org (Werner Koch)
Date: Mon, 23 Jan 2017 22:46:23 +0100
Subject: [Announce] GnuPG 2.1.18 released
Message-ID: <87d1fd8n68.fsf@wheatstone.g10code.de>

Hello!

The GnuPG team is pleased to announce the availability of a new release of GnuPG: Version 2.1.18. See below for a list of new features and bug fixes.

About GnuPG
=============

The GNU Privacy Guard (GnuPG) is a complete and free implementation of the OpenPGP standard which is commonly abbreviated as PGP.

GnuPG allows to encrypt and sign data and communication, features a versatile key management system as well as access modules for public key directories. GnuPG itself is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries making use of GnuPG are available. Since version 2 GnuPG provides support for S/MIME and Secure Shell in addition to OpenPGP.

GnuPG is Free Software (meaning that it respects your freedom). It can be freely used, modified and distributed under the terms of the GNU General Public License.

Three different branches of GnuPG are actively maintained:

- GnuPG "modern" (2.1) comes with the latest features and is suggested for most users. This announcement is about this branch.

- GnuPG "stable" (2.0) is the currently mostly used branch which will be maintained until 2017-12-31.

- GnuPG "classic" (1.4) is a simplified version of GnuPG, required on very old platforms or to decrypt data created with PGP-2 keys.

You may not install "modern" (2.1) and "stable" (2.0) at the same time. However, it is possible to install "classic" (1.4) along with any of the other versions.

Noteworthy changes in version 2.1.18
====================================

* gpg: Remove bogus subkey signature while cleaning a key (with export-clean, import-clean, or --edit-key's sub-command clean)

* gpg: Allow freezing the clock with --faked-system-time.

* gpg: New --export-option flag "backup", new --import-option flag "restore".

* gpg-agent: Fixed long delay due to a regression in the progress callback code.

* scd: Lots of code cleanup and internal changes.

* scd: Improved the internal CCID driver.

* dirmngr: Fixed problem with the DNS glue code (removal of the trailing dot in domain names).

* dirmngr: Make sure that Tor is actually enabled after changing the conf file and sending SIGHUP or "gpgconf --reload dirmngr".

* dirmngr: Fixed Tor access to IPv6 addresses. Note that current versions of Tor may require that the flag "IPv6Traffic" is used with the option "SocksPort" in torrc to actually allow IPv6 traffic.

* dirmngr: Fixed HKP for literally given IPv6 addresses.

* dirmngr: Enabled reverse DNS lookups via Tor.

* dirmngr: Added experimental SRV record lookup for WKD. See commit 88dc3af3d4ae1afe1d5e136bc4c38bc4e7d4cd10 for details.

* dirmngr: For HKP use "pgpkey-hkps" and "pgpkey-hkp" in SRV record lookups. Avoid SRV record lookup when a port is explicitly specified. This fixes a regression from the 1.4 and 2.0 behavior.

* dirmngr: Gracefully handle a missing /etc/nsswitch.conf. Ignore negation terms (e.g. "[!UNAVAIL=return]" instead of bailing out.

* dirmngr: Better debug output for flags "dns" and "network".

* dirmngr: On reload mark all known HKP servers alive.

* gpgconf: Allow keyword "all" for --launch, --kill, and --reload.

* tools: gpg-wks-client now ignores a missing policy file on the server.

* Avoid unnecessary ambiguity error message in the option parsing.

* Further improvements of the regression test suite.

* Fixed building with --disable-libdns configure option.

* Fixed a crash running the tests on 32 bit architectures.

* Fixed spurious failures on BSD system in the spawn functions. This affected for example gpg-wks-client and gpgconf.

A detailed description of the changes found in this 2.1 branch can be found at .

Getting the Software
====================

Please follow the instructions found at or read on:

GnuPG 2.1.18 may be downloaded from one of the GnuPG mirror sites or direct from its primary FTP server. The list of mirrors can be found at . Note that GnuPG is not available at ftp.gnu.org.

The GnuPG source code compressed using BZIP2 and its OpenPGP signature are available here:

ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.18.tar.bz2 (6160k)
ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.18.tar.bz2.sig

or here:

https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.1.18.tar.bz2
https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.1.18.tar.bz2.sig

An installer for Windows without any graphical frontend except for a very minimal Pinentry tool is available here:

ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.18_20170123.exe (3670k)
ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.18_20170123.exe.sig

or here

https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.1.18_20170123.exe
https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.1.18_20170123.exe.sig

The source used to build the Windows installer can be found in the same directory with a ".tar.xz" suffix. This Windows installer comes with TOFU support, translations, and support for Tor; it is still missing HKPS and Web Key Directory support, though.

Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways:

* If you already have a version of GnuPG installed, you can simply verify the supplied signature. For example to verify the signature of the file gnupg-2.1.18.tar.bz2 you would use this command:

gpg --verify gnupg-2.1.18.tar.bz2.sig gnupg-2.1.18.tar.bz2

This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by one or more of the release signing keys. Make sure that this is a valid key, either by matching the shown fingerprint against a trustworthy list of valid release signing keys or by checking that the key has been signed by trustworthy other keys. See the end of this mail for information on the signing keys.

* If you are not able to use an existing version of GnuPG, you have to verify the SHA-1 checksum.
On Unix systems the command to do this is either "sha1sum" or "shasum". Assuming you downloaded the file gnupg-2.1.18.tar.bz2, you run the command like this:

sha1sum gnupg-2.1.18.tar.bz2

and check that the output matches the next line:

b698012cc2d77c2652afd168a15e679d1394fa89 gnupg-2.1.18.tar.bz2
8d068811acef74619ca435b8bb7e77135bc4277b gnupg-w32-2.1.18_20170123.exe
744ddb22719262006945bbe36229dedc5d6f94e1 gnupg-w32-2.1.18_20170123.tar.xz

Internationalization
====================

This version of GnuPG has support for 26 languages with Chinese, Czech, French, German, Japanese, Norwegian, Russian, and Ukrainian being almost completely translated. Due to expected changes in forthcoming releases some strings pertaining to the TOFU code are not yet translated.

Documentation
=============

If you used GnuPG in the past you should read the description of changes and new features at doc/whats-new-in-2.1.txt or online at

https://gnupg.org/faq/whats-new-in-2.1.html

The file gnupg.info has the complete user manual of the system. Separate man pages are included as well but they have not all the details available as are the manual. It is also possible to read the complete manual online in HTML format at

https://gnupg.org/documentation/manuals/gnupg/

or in Portable Document Format at

https://gnupg.org/documentation/manuals/gnupg.pdf .

The chapters on gpg-agent, gpg and gpgsm include information on how to set up the whole thing. You may also want search the GnuPG mailing list archives or ask on the gnupg-users mailing lists for advice on how to solve problems. Many of the new features are around for several years and thus enough public knowledge is already available.

You may also want to follow our postings at and .

Support
========

Please consult the archive of the gnupg-users mailing list before reporting a bug . We suggest to send bug reports for a new release to this list in favor of filing a bug at . If you need commercial support check out .

If you are a developer and you need a certain feature for your project, please do not hesitate to bring it to the gnupg-devel mailing list for discussion.

Maintenance and development of GnuPG is mostly financed by donations. The GnuPG project employs 3 full-time developers, one part-timer, and one contractor. They all work exclusively on GnuPG and closely related software like Libgcrypt, GPGME, and GPA. Please consider to donate via:

https://gnupg.org/donate/

Thanks
======

We have to thank all the people who helped with this release, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, answering questions on the mailing lists, and donating money.

The GnuPG hackers,

Andre, dkg, gniibe, Justus, Neal, and Werner

p.s.
This is an announcement only mailing list. Please send replies only to the gnupg-users'at'gnupg.org mailing list.

p.p.s
List of Release Signing Keys:

To guarantee that a downloaded GnuPG version has not been tampered by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners.
Current releases are signed by one or more of these four keys:

2048R/4F25E3B6 2011-01-12 [expires: 2019-12-31]
Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
Werner Koch (dist sig)

rsa2048/E0856959 2014-10-29 [expires: 2019-12-31]
Key fingerprint = 46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959
David Shaw (GnuPG Release Signing Key)

rsa2048/33BD3F06 2014-10-29 [expires: 2020-10-30]
Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06
NIIBE Yutaka (GnuPG Release Key)

rsa2048/7EFD60D9 2014-10-19 [expires: 2020-12-31]
Key fingerprint = D238 EA65 D64C 67ED 4C30 73F2 8A86 1B1C 7EFD 60D9
Werner Koch (Release Signing Key)

You may retrieve these keys from a keyserver using this command

gpg --keyserver hkp://keys.gnupg.net --recv-keys \
    249B39D24F25E3B6 04376F3EE0856959 \
    2071B08A33BD3F06 8A861B1C7EFD60D9

The keys are also available at https://gnupg.org/signature_key.html and in any recently released GnuPG tarball in the file g10/distsigkey.gpg . Note that this mail has been signed by a different key.

-- 
Thoughts are free. Exceptions are regulated by a federal law.
_______________________________________________
Gnupg-announce mailing list
Gnupg-announce at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From ankostis at gmail.com Tue Jan 24 12:14:33 2017
From: ankostis at gmail.com (ankostis)
Date: Tue, 24 Jan 2017 12:14:33 +0100
Subject: pyme3 for Windows
In-Reply-To: <87d1fczqfb.fsf@europa.jade-hamburg.de>
References: <20170123102801.00001402@seibercom.net> <87d1fczqfb.fsf@europa.jade-hamburg.de>
Message-ID:

On 24 January 2017 at 11:46, Justus Winter wrote:

> ankostis writes:
>
> > On 23 January 2017 at 16:28, Jerry wrote:
> >
> >> On Mon, 23 Jan 2017 01:06:38 +0100, ankostis stated:
> >>
> >> >Has anybody managed to compile pyme3 on Windows?
> >> >
> >> >Thanks for all the Hard Work,
> >> > Kostis
> >> >
> >>
> >> I don't know if this is what you are looking for.
> >>
> >> https://sourceforge.net/projects/pyme/files/latest/download?source=files
> >>
> >>
> > Almost!
> > These are `pyme-0.8.1` win32-bindings for python-2.
> >
> > The latest bindings have been ported to python-3 and renamed to `pyme3`,
> > currently in version `1.7.1`,[1] and are now part of `libgpgme`
> > project.[2]
>
> Actually, we renamed them to 'gpg', and the current version is 1.8.0.
>
> We cross-compile all our software for Windows using MinGW. We don't
> build the Python bindings though. If anyone manages to do that, please
> share your findings.
>
>

Ideally python bindings should be compiled and packaged as wheels for 3 different "platforms":
- MinGW
- Cygwin (when GnuPG there upgrades from the old 1.x)
- Gpg4Win (32bit & 64bit, don't know what are they using.

Do these 3 make sense? Are there more combinations?

Kostis

Justus
>

From aranea at aixah.de Tue Jan 24 12:36:44 2017
From: aranea at aixah.de (Luis Ressel)
Date: Tue, 24 Jan 2017 12:36:44 +0100
Subject: tofu: Missing entry in the bindings table for new key
In-Reply-To: <87a8agzq2k.fsf@europa.jade-hamburg.de>
References: <20170121012614.3c67ca2a@gentp.lnet> <87a8agzq2k.fsf@europa.jade-hamburg.de>
Message-ID: <20170124123631.0afa9b2c@gentp.lnet>

On Tue, 24 Jan 2017 11:53:55 +0100 Justus Winter wrote:

> Can you please describe in detail what you were doing so that we can
> recreate the problem? You can create a throwaway environment for
> experimentation by setting the environment variable GNUPGHOME to a
> temporary directory, like so (assuming a Bourne-like shell):

This was easier to reproduce than I expected. I've attached the transcript of a shell session demonstrating the problem. Manually calling "gpg --tofu-policy good $KEYID" fixes the issue.

I'm using gpg 2.1.17; I haven't checked yesterday's release yet.

HTH,
Luis

From justus at g10code.com Tue Jan 24 11:53:55 2017
From: justus at g10code.com (Justus Winter)
Date: Tue, 24 Jan 2017 11:53:55 +0100
Subject: tofu: Missing entry in the bindings table for new key
In-Reply-To: <20170121012614.3c67ca2a@gentp.lnet>
References: <20170121012614.3c67ca2a@gentp.lnet>
Message-ID: <87a8agzq2k.fsf@europa.jade-hamburg.de>

Hi,

Luis Ressel writes:

> Hello,
>
> I created a new key today.
When I tried to verify a signature made by > this key, I got the error message > > gpg: Signature made Sat Jan 21 01:07:59 2017 CET > gpg: using RSA key DEADBEEF > gpg: Good signature from "foo " [ultimate] > gpg: aka "foo " [ultimate] > gpg: error updating TOFU database: NOT NULL constraint failed: signatures.binding > gpg: TOFU: error registering signature: General error > > Apparently no entry for my key/userid had been recorded in the bindings > table. I was of course able to fix this by calling > "gpg --tofu-policy good DEADBEEF", but it still looks like a bug to me. > Any ideas how this could happen? > > Potentially relevant facts: > * The new key's userid collides with that of my old key. > * I'm using the setting "tofu-default-policy unknown". Can you please describe in detail what you were doing so that we can recreate the problem? You can create a throwaway environment for experimentation by setting the environment variable GNUPGHOME to a temporary directory, like so (assuming a Bourne-like shell): $ export GNUPGHOME=$(mktemp -d) $ gpg -k [nothing] Note that you need to copy your gnupg configuration over, or at least configure the trust model. Thanks, Justus -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 487 bytes Desc: not available URL: From justus at g10code.com Tue Jan 24 11:46:16 2017 From: justus at g10code.com (Justus Winter) Date: Tue, 24 Jan 2017 11:46:16 +0100 Subject: pyme3 for Windows In-Reply-To: References: <20170123102801.00001402@seibercom.net> Message-ID: <87d1fczqfb.fsf@europa.jade-hamburg.de> ankostis writes: > On 23 January 2017 at 16:28, Jerry wrote: > >> On Mon, 23 Jan 2017 01:06:38 +0100, ankostis stated: >> >> >Has anybody managed to compile pyme3 on Windows? >> > >> >Thanks for all the Hard Work, >> > Kostis >> > >> >> I don't know if this is what yo are looking for. 
>> >> https://sourceforge.net/projects/pyme/files/latest/download?source=files >> >> > Almost! > These are `pyme-0.8.1` win32-bindings for python-2. > > The latest bindings have been ported to python-3 and renamed to `pyme3`, > currently in version `1.7.1`,[1] and are now part of `libgpgme` > project.[2] Actually, we renamed them to 'gpg', and the current version is 1.8.0. We cross-compile all our software for Windows using MinGW. We don't build the Python bindings though. If anyone manages to do that, please share your findings. Justus -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 487 bytes Desc: not available URL: From justus at g10code.com Tue Jan 24 13:22:15 2017 From: justus at g10code.com (Justus Winter) Date: Tue, 24 Jan 2017 13:22:15 +0100 Subject: pyme3 for Windows In-Reply-To: References: <20170123102801.00001402@seibercom.net> <87d1fczqfb.fsf@europa.jade-hamburg.de> Message-ID: <874m0ozlzc.fsf@europa.jade-hamburg.de> ankostis writes: > On 24 January 2017 at 11:46, Justus Winter wrote: >> We cross-compile all our software for Windows using MinGW. We don't >> build the Python bindings though. If anyone manages to do that, please >> share your findings. >> >> > Ideally python bindings should be compiled and packaged as wheels > for 3 different "platforms": > - MinGW > - Cygwin (when GnuPG there upgrades from the old 1.x) > - Gpg4Win (32bit & 64bit, don't know what are they using. Gpg4Win uses MinGW, Cygwin is out of scope for us imho. However, I believe the question is whether or not we can load a shared library compiled with MinGW into the Python process (however that is built, I don't know). Justus -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 487 bytes Desc: not available URL: From justus at g10code.com Tue Jan 24 13:55:45 2017 From: justus at g10code.com (Justus Winter) Date: Tue, 24 Jan 2017 13:55:45 +0100 Subject: tofu: Missing entry in the bindings table for new key In-Reply-To: <20170124123631.0afa9b2c@gentp.lnet> References: <20170121012614.3c67ca2a@gentp.lnet> <87a8agzq2k.fsf@europa.jade-hamburg.de> <20170124123631.0afa9b2c@gentp.lnet> Message-ID: <871svszkfi.fsf@europa.jade-hamburg.de> Hi! Luis Ressel writes: > [ Unknown signature status ] > On Tue, 24 Jan 2017 11:53:55 +0100 > Justus Winter wrote: > >> Can you please describe in detail what you were doing so that we can >> recreate the problem? You can create a throwaway environment for >> experimentation by setting the environment variable GNUPGHOME to a >> temporary directory, like so (assuming a Bourne-like shell): > > This was easier to reproduce than I expected. I've attached the > transcript of a shell session demonstrating the problem. Manually > calling "gpg --tofu-policy good $KEYID" fixes the issue. Thanks for the nice report. I have been able to reproduce it and have created https://bugs.gnupg.org/gnupg/issue2929 for it. > I'm using gpg 2.1.17; I haven't checked yesterday's release yet. It is affecting master as well. (: Justus -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 487 bytes Desc: not available URL: From stebe at mailbox.org Tue Jan 24 15:52:00 2017 From: stebe at mailbox.org (Stephan Beck) Date: Tue, 24 Jan 2017 14:52:00 +0000 Subject: Counterarguments Supporting GnuPG over Off The Record (OTR) In-Reply-To: <3110628794.20170121104505@riseup.net> References: <6760790b-9d89-b2b1-c50b-322afbaf9e43@mailbox.org> <20170120061037.GA22582@g0n.xdwgrp> <3110628794.20170121104505@riseup.net> Message-ID: MFPA: > > > On Friday 20 January 2017 at 6:10:37 AM, in > , Miroslav Rovis wrote:- > > > >> And we all are controled, exception, to varying >> extent, > > We are all completely controlled in modern society: we are enslaved to > money and those who control it. And sometimes even organizations that in theory should help you against surveillance don't do it. When I discovered that my phone has been wiretapped by measuring with a dedicated bug detector (German make and model, and recording that measurement on video) I officially informed the police who didn't do anything except telling me I should hand in a proof/evidence. I did - the video of the measurement where you can clearly see and hear the sharp reaction of the bug detector. They didn't want to anything, not an on-site control measurement either, as another lawyer had told me they are obliged to. When, shortly after that, I told a lawyer to have insight into the records of the investigations, he did that, showed me the records, and didn't do anything, he told me for instance, that the police would only perform a control measurement if their own undercover agents are in danger! And that I'd need the expertise of a dedicated engineer doing an analysis for I don't know how many bucks! No, the bug detector doesn't lie and he does not measure cheese or ham but the signals of , for instance, radio emitting devices. 
He even silenced the fact (as I now was informed by the State Prosecutor, if I believe this information) that by the time I had the meeting with him for the insight into the records, the case had already been rejected for further investigation and dropped. Or that information is not true, because this lawyer actually told me in person he would inform me when he received any information. Strange. When I sent an encrypted email to Digitalcourage.de about nine months ago, telling them that I had evidence and asking for help in finding a good lawyer who would act (I have a specialized legal insurance), I got a "sorry, we can't help you but we wish you success". Thanks a lot. From that time on, I know that organizations like Digitalcourage are just interested in THEIR protagonism for THEIR topics like the mass storage of data. They couldn't or didn't want to help me as an individual who had found out (by measurement) that someone was/is wiretapping me, but they positively could have given me the contact data of a specialized lawyer they knew (with more than 30 years of existence). I also signed their petition against mass storage of communications data in Germany and saw that they must have contacts to lawyers, as I already had thought. I have held my deception about them deep in my heart, but now could not withstand to stand up and speak out. It was not my imagination, it was a MEASURING DEVICE that states that there has been wiretapping of my phone line. And there is this video file that leaves you with no doubt... Whenever I feel like repeating it, I'll do that and I'll inform once again the police (or the media) and so on... THAT is fighting against surveillance, not (only) signing petitions. Cheers Stephan Feel free to contact me if you'd like to have that video file ... -------------- next part -------------- A non-text attachment was scrubbed... 
From sivmu at web.de Wed Jan 25 01:05:15 2017 From: sivmu at web.de (sivmu) Date: Wed, 25 Jan 2017 01:05:15 +0100 Subject: gnupg website Message-ID: <9520907a-aae0-26bc-3224-0ef393cb58e0@web.de> Hi, not sure this is the perfect place, but I wanted to point out that the gnupg.org website still uses sha1 as a mac. If I am not mistaken, several common browsers have announced to display warnings for this kind of tls connection, so it might be a good idea to update the server at the next opportunity. Also, activating OCSP to increase privacy might be a good idea too. Thanks for your work on open source encryption. - Regards
From wk at gnupg.org Wed Jan 25 09:24:39 2017 From: wk at gnupg.org (Werner Koch) Date: Wed, 25 Jan 2017 09:24:39 +0100 Subject: Changing passphrase parameters (s2k options) In-Reply-To: (Peter Lebbing's message of "Mon, 23 Jan 2017 13:34:46 +0100") References: <161314f8-d3cf-fe35-db68-8ef6e35024fd@jelmail.com> <0e4ff183-0a16-4729-66f1-160c4598d9e5@digitalbrains.com> Message-ID: <87r33r5yyg.fsf@wheatstone.g10code.de> On Mon, 23 Jan 2017 13:34, peter at digitalbrains.com said: > (FWIW, I don't think you can currently do either. Possibly you can > change the s2k-count via the agent protocol, but that might not pertain No, that is not possible. Right now the agent always uses AES and S2K parameters which require on the running machine about 100ms for decryption. Salam-Shalom, Werner -- Thoughts are free. Exceptions are regulated by a federal law. -------------- next part -------------- A non-text attachment was scrubbed... 
From wk at gnupg.org Wed Jan 25 09:52:15 2017 From: wk at gnupg.org (Werner Koch) Date: Wed, 25 Jan 2017 09:52:15 +0100 Subject: gnupg website In-Reply-To: <9520907a-aae0-26bc-3224-0ef393cb58e0@web.de> (sivmu@web.de's message of "Wed, 25 Jan 2017 01:05:15 +0100") References: <9520907a-aae0-26bc-3224-0ef393cb58e0@web.de> Message-ID: <87mvef5xog.fsf@wheatstone.g10code.de> On Wed, 25 Jan 2017 01:05, sivmu at web.de said: > not sure this is the perfect place, but I wanted to point out that the > gnupg.org website still uses sha1 as a mac. Despite that SHA-1 is not yet broken they now even claim that HMAC-SHA1 is broken? I do not even know a theoretical attack on HMAC-MD5. This whole banning of SHA-1 and 3DES for public https servers and in particular ssllabs' new grades is mostly security theater. Sure, this helps to raise awareness that we always need to be prepared to replace algorithms and for that it is a Good Thing. However, for the Web threat model these algorithms are still fine: To attack Web sites there are _much_ easier ways than to break SHA-1 or to inject JS to generate incredibly large amounts of traffic to reach the limit of 64 bit block ciphers. Let alone the contradiction of sending Javascript to the client and claiming security of the user/client. This reminds me of the proverbial barbed wire equipped gate protected by a bunch of gunmen and 5 miles of a 2 feet high latticework fence. Guess where the thieves will enter the property. > Also, activating OCSP to increase privacy might be a good idea too. OCSP is used as an alternative to CRLs and not directly related to privacy. On a CA break the next update of your browser will put the CA onto its internal blacklist anyway. When the server key is compromised OCSP does not help at all. > Thanks for your work on open source encryption. :-) Shalom-Salam, Werner -- Thoughts are free.
Exceptions are regulated by a federal law.
From andrewg at andrewg.com Wed Jan 25 10:13:42 2017 From: andrewg at andrewg.com (Andrew Gallagher) Date: Wed, 25 Jan 2017 09:13:42 +0000 Subject: gnupg website In-Reply-To: <87mvef5xog.fsf@wheatstone.g10code.de> References: <9520907a-aae0-26bc-3224-0ef393cb58e0@web.de> <87mvef5xog.fsf@wheatstone.g10code.de> Message-ID: <1987CE2B-2762-4AF4-87A2-FEF2B303966A@andrewg.com> > On 25 Jan 2017, at 08:52, Werner Koch wrote: > > On Wed, 25 Jan 2017 01:05, sivmu at web.de said: > >> not sure this is the perfect place, but I wanted to point out that the >> gnupg.org website still uses sha1 as a mac. > > Despite that SHA-1 is not yet broken they now even claim that HMAC-SHA1 > is broken? I do not even know a theoretical attack on HMAC-MD5 Browsers are not deprecating HMAC-SHA-1, but the use of SHA-1 in certificate signature generation. These are not the same thing. gnupg.org's own cert uses SHA-256 and its intermediate uses SHA-364. Nothing to see here, move along. :-) Andrew.
From peter at digitalbrains.com Wed Jan 25 12:14:53 2017 From: peter at digitalbrains.com (Peter Lebbing) Date: Wed, 25 Jan 2017 12:14:53 +0100 Subject: gnupg website In-Reply-To: <87mvef5xog.fsf@wheatstone.g10code.de> References: <9520907a-aae0-26bc-3224-0ef393cb58e0@web.de> <87mvef5xog.fsf@wheatstone.g10code.de> Message-ID: <8beb8ed6-9582-8f34-7e24-9d200932d88d@digitalbrains.com> On 25/01/17 09:52, Werner Koch wrote: > OCSP is used as an alternative to CRLs and not directly related to > privacy. The OP might have meant "OCSP Stapling" which includes the OCSP data in the data sent by the webserver during TLS session setup. That way, the OCSP data doesn't need to be fetched from an OCSP server, which would leak the fact a certain website certificate is being verified to the OCSP server. 
OCSP (without stapling) is already possible for the gnupg.org website certificate: > Authority Information Access (not critical): > Access Method: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers) > Access Location URI: http://crt.usertrust.com/GandiStandardSSLCA2.crt > Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp) > Access Location URI: http://ocsp.usertrust.com HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From rjh at sixdemonbag.org Wed Jan 25 14:41:10 2017 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 25 Jan 2017 08:41:10 -0500 Subject: gnupg website In-Reply-To: <87mvef5xog.fsf@wheatstone.g10code.de> References: <9520907a-aae0-26bc-3224-0ef393cb58e0@web.de> <87mvef5xog.fsf@wheatstone.g10code.de> Message-ID: > This whole banning of SHA-1 and 3DES for public https servers and in > particular ssllabs' new grades is mostly security theater. For that matter, I'm still in the dark as to what the big problem with three-key 3DES is. The best attack against it requires more RAM than exists in the entire world and only reduces it to 112 bits. 3DES is slow, ungainly, and has been largely replaced by better ciphers... but *unsafe*? From felix.vanderjeugt at gmail.com Wed Jan 25 15:51:25 2017 From: felix.vanderjeugt at gmail.com (Felix Van der Jeugt) Date: Wed, 25 Jan 2017 15:51:25 +0100 Subject: Mail address to account conversion (keybase.io) Message-ID: <1485355460-sup-5400@abysm> Dear all, Recently, keybase.io stopped their email forwarding service. Now, my noctua at keybase.io uid can no longer receive email. I'd normally revoke the uid, but my account, keybase.io/noctua, can still receive messages through the website. I'm in a dilemma now: should I revoke the uid because the email address is invalid? It's nice to have a reference to the account in my key, though. Any advice on this would be welcome. 
Sincerely, Felix -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: From andrewg at andrewg.com Wed Jan 25 19:10:56 2017 From: andrewg at andrewg.com (Andrew Gallagher) Date: Wed, 25 Jan 2017 18:10:56 +0000 Subject: Mail address to account conversion (keybase.io) In-Reply-To: <1485355460-sup-5400@abysm> References: <1485355460-sup-5400@abysm> Message-ID: On 25/01/17 14:51, Felix Van der Jeugt wrote: > Dear all, > > Recently, keybase.io stopped their email forwarding service. Now, my > noctua at keybase.io uid can no longer receive email. I'd normally revoke > the uid, but my account, keybase.io/noctua, can still receive messages > through the website. > > I'm in a dilemma now: should I revoke the uid because the email address > is invalid? It's nice to have a reference to the account in my key, > though. If the ID still "belongs" to you (in some meaningful sense) then there's no need to revoke it just because it is unusable for the purposes of email. It is merely a convention that IDs correspond to email addresses. If your keybase account still exists, has a 1-to-1 mapping with that ID, and is still under your control, then IMO it's legitimate to keep the ID - particularly if it is used as a reference point for other things. The presence of an ID on a public key makes no claim as to whether the ID is usable for a particular purpose. True, people might try to email you on that ID, but the worst that will happen is they get a bounce (and you have other, usable IDs on the same pubkey I assume). Andrew. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: OpenPGP digital signature URL: From chris.p.16 at gmx.de Wed Jan 25 20:14:56 2017 From: chris.p.16 at gmx.de (chris.p.16 at gmx.de) Date: Wed, 25 Jan 2017 20:14:56 +0100 Subject: Smartcard working completely with GPG2 and incompletely with GPG1.4 Message-ID: <20170125201456.024b9218@Carbon> Hello all, after using GnuPG since 2014 I now purchased a Nitrokey USB smartcard. I set it up mainly* following the steps at https://wiki.fsfe.org/TechDocs/CardHowtos/CardWithSubkeysUsingBackups with GnuPG 2 and tried to configure GnuPG 1.4 to work likewise (on Linux Mint, it's installed as well). I'm now running into a strange problem which is a bit like https://lists.gnupg.org/pipermail/gnupg-users/2015-September/054345.html , but the other way around. With GnuPG 2, signing, encrypting and decrypting a file works without any problems. With 1.4, I can encrypt and sign a file, but I can't decrypt it. It's failing with the message: gpg: public key decryption failed: general error gpg: decryption failed: secret key not available The commands gpg --card-status and gpg2 --card-status seem to display mainly the same things, the only strange line is "Key Attributes" at GPG 1.4: $ gpg --card-status Application ID ...: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Version ..........: 2.1 Manufacturer .....: ZeitControl Serial number ....: XXXXXXXX Name of cardholder: Christoph Pxxx Language prefs ...: de Sex ..............: male URL of public key : [not set] Login data .......: [not set] Signature PIN ....: forced Key attributes ...: 0R 0R 0R Max. 
PIN lengths .: 32 32 32 PIN retry counter : 3 0 3 Signature counter : 10 Signature key ....: D2F4 E619 8D05 9E98 AD58 7E6E 9965 610B 43F2 7C98 created ....: 2017-01-24 17:52:18 Encryption key....: 4AD3 7EE7 6418 CABE 4026 923E D82A 7A84 3A07 266F created ....: 2014-04-12 10:52:41 Authentication key: [none] General key info..: pub 4096R/43F27C98 2017-01-24 Christoph Pxxx sec# 4096R/E728903D created: 2014-04-12 expires: never ssb> 4096R/3A07266F created: 2014-04-12 expires: never card-no: 0005 00005031 ssb> 4096R/43F27C98 created: 2017-01-24 expires: never card-no: 0005 00005031 $ gpg2 --card-status Reader ...........: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Application ID ...: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Version ..........: 2.1 Manufacturer .....: ZeitControl Serial number ....: XXXXXXXX Name of cardholder: Christoph Pxxx Language prefs ...: de Sex ..............: male URL of public key : [not set] Login data .......: [not set] Signature PIN ....: forced Key attributes ...: rsa4096 rsa4096 rsa2048 Max. PIN lengths .: 32 32 32 PIN retry counter : 3 0 3 Signature counter : 10 Signature key ....: D2F4 E619 8D05 9E98 AD58 7E6E 9965 610B 43F2 7C98 created ....: 2017-01-24 17:52:18 Encryption key....: 4AD3 7EE7 6418 CABE 4026 923E D82A 7A84 3A07 266F created ....: 2014-04-12 10:52:41 Authentication key: [none] General key info..: sub rsa4096/43F27C98 2017-01-24 Christoph Pxxx sec# rsa4096/E728903D created: 2014-04-12 expires: never ssb> rsa4096/3A07266F created: 2014-04-12 expires: never card-no: 0005 00005031 ssb> rsa4096/43F27C98 created: 2017-01-24 expires: never card-no: 0005 00005031 I also set up a logfile for scdaemon as in the mentioned thread ("verbose", "debug ipc, cardio" in ~/.gnupg/scdaemon.conf). At encryption, there doesn't seem to be much difference. 
At decryption however, when using GnuPG 1.4 the new lines in scdaemon are 2017-01-25 19:54:15 scdaemon[8806] DBG: chan_5 <- SERIALNO openpgp 2017-01-25 19:54:15 scdaemon[8806] DBG: chan_5 -> S SERIALNO XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 0 2017-01-25 19:54:15 scdaemon[8806] DBG: chan_5 -> OK 2017-01-25 19:54:15 scdaemon[8806] DBG: chan_5 <- RESTART 2017-01-25 19:54:15 scdaemon[8806] DBG: chan_5 -> OK while using GnuPG 2.1 leads to 26 lines consisting of the decryption information. Instead of "SERIALNO openpgp" it's just "SERIALNO" there. The output of 'gpg-connect-agent "KEYINFO --list" /bye' is S KEYINFO 4C4D4CBB69450D70DAECB0929B4E57E00D96A270 T XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX OPENPGP.2 - - - - - S KEYINFO 259BD34A8AFCFDE34C08C637086496C890AF3640 D - - - P - - - S KEYINFO 6BB6690E54C14D959135BBFEA6665F2E8A04231C T XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX OPENPGP.1 - - - - - OK ? I don't have an authentication subkey. I know this is much information, but as all of this was asked for in the thread mentioned above, I thought it'd be better providing you with all of these outputs now than sending them one at a time later. I hope you have an idea why this strange problem occurs. Regards, Chris P. S.: I'm sure you've noticed that, but anyway: Every "XXXX" sequence is not taken from the original output, but changed for anonymity reasons. *: I used my existing RSA keypair, generated a signing subkey and put this subkey and the already existing encryption subkey on the card. So, no DSA & Elgamal. I also didn't follow the steps after "Ready to go" as I don't have more than one encryption subkey. 
From sivmu at web.de Wed Jan 25 22:07:08 2017 From: sivmu at web.de (sivmu) Date: Wed, 25 Jan 2017 22:07:08 +0100 Subject: gnupg website In-Reply-To: <8beb8ed6-9582-8f34-7e24-9d200932d88d@digitalbrains.com> References: <9520907a-aae0-26bc-3224-0ef393cb58e0@web.de> <87mvef5xog.fsf@wheatstone.g10code.de> <8beb8ed6-9582-8f34-7e24-9d200932d88d@digitalbrains.com> Message-ID: <287c7c87-2391-8203-52cd-0a7a865c03db@web.de> On 25.01.2017 at 12:14, Peter Lebbing wrote: > On 25/01/17 09:52, Werner Koch wrote: >> OCSP is used as an alternative to CRLs and not directly related to >> privacy. > > The OP might have meant "OCSP Stapling" which includes the OCSP data in > the data sent by the webserver during TLS session setup. That way, the > OCSP data doesn't need to be fetched from an OCSP server, which would > leak the fact a certain website certificate is being verified to the > OCSP server. Yes that is what I meant, sorry for the confusion. I think this might be relevant for some people who would prefer not to trigger unnecessary queries for privacy reasons. Anyways ssllabs shows a warning that the website will be degraded from A to C in a month. Not sure that matters all that much, but if there is an opportunity to change the available ciphers at some point...
From dgouttegattat at incenp.org Wed Jan 25 22:25:45 2017 From: dgouttegattat at incenp.org (Damien Goutte-Gattat) Date: Wed, 25 Jan 2017 22:25:45 +0100 Subject: gnupg website In-Reply-To: References: <9520907a-aae0-26bc-3224-0ef393cb58e0@web.de> <87mvef5xog.fsf@wheatstone.g10code.de> Message-ID: <2cb24605-08f9-2212-6dfd-0f3894b8637b@incenp.org> On 01/25/2017 02:41 PM, Robert J. Hansen wrote: > For that matter, I'm still in the dark as to what the big problem with > three-key 3DES is. The best attack against it requires more RAM than > exists in the entire world and only reduces it to 112 bits. The main problem would be its 64-bit block size.
Apparently there's a "practical" attack against 64-bit ciphers as used in TLS [1]. That's probably reason enough to avoid 3DES whenever possible (when a 128-bit cipher is available). [1] https://eprint.iacr.org/2016/798
From sivmu at web.de Wed Jan 25 22:36:16 2017 From: sivmu at web.de (sivmu) Date: Wed, 25 Jan 2017 22:36:16 +0100 Subject: gnupg website In-Reply-To: <2cb24605-08f9-2212-6dfd-0f3894b8637b@incenp.org> References: <9520907a-aae0-26bc-3224-0ef393cb58e0@web.de> <87mvef5xog.fsf@wheatstone.g10code.de> <2cb24605-08f9-2212-6dfd-0f3894b8637b@incenp.org> Message-ID: <0d83ed0d-1dfe-dd88-3202-55af4868b22b@web.de> On 25.01.2017 at 22:25, Damien Goutte-Gattat wrote: > On 01/25/2017 02:41 PM, Robert J. Hansen wrote: >> For that matter, I'm still in the dark as to what the big problem with >> three-key 3DES is. The best attack against it requires more RAM than >> exists in the entire world and only reduces it to 112 bits. > > The main problem would be its 64-bit block size. Apparently there's a > "practical" attack against 64-bit ciphers as used in TLS [1]. > > That's probably reason enough to avoid 3DES whenever possible (when a > 128-bit cipher is available). > > [1] https://eprint.iacr.org/2016/798 > That would be the sweet32 attack https://sweet32.info/ Basically if you can collect a few hundred GB of data, it is trivial to calculate the key. There is a proof of concept for https connections, although I believe this is especially relevant for VPN connections (openvpn uses a 64 bit cipher (blowfish) by default)
From rjh at sixdemonbag.org Wed Jan 25 23:00:18 2017 From: rjh at sixdemonbag.org (Robert J.
Hansen) Date: Wed, 25 Jan 2017 17:00:18 -0500 Subject: gnupg website In-Reply-To: <2cb24605-08f9-2212-6dfd-0f3894b8637b@incenp.org> References: <9520907a-aae0-26bc-3224-0ef393cb58e0@web.de> <87mvef5xog.fsf@wheatstone.g10code.de> <2cb24605-08f9-2212-6dfd-0f3894b8637b@incenp.org> Message-ID: <002c01d27756$6b0cf5f0$4126e1d0$@sixdemonbag.org> > The main problem would be its 64-bit block size. Apparently there's a > "practical" attack against 64-bit ciphers as used in TLS [1]. Quoting from the abstract: "In our proof-of-concept demos, the attacker needs to capture about 785GB of data." I question the wisdom of any system which sends 785Gb of data without ever rekeying. This attack seems to fall into the realm of "stupid SSL mistakes lead to exploitation."
From sivmu at web.de Wed Jan 25 23:18:25 2017 From: sivmu at web.de (sivmu) Date: Wed, 25 Jan 2017 23:18:25 +0100 Subject: gnupg website In-Reply-To: <002c01d27756$6b0cf5f0$4126e1d0$@sixdemonbag.org> References: <9520907a-aae0-26bc-3224-0ef393cb58e0@web.de> <87mvef5xog.fsf@wheatstone.g10code.de> <2cb24605-08f9-2212-6dfd-0f3894b8637b@incenp.org> <002c01d27756$6b0cf5f0$4126e1d0$@sixdemonbag.org> Message-ID: On 25.01.2017 at 23:00, Robert J. Hansen wrote: >> The main problem would be its 64-bit block size. Apparently there's a >> "practical" attack against 64-bit ciphers as used in TLS [1]. > > Quoting from the abstract: "In our proof-of-concept demos, the attacker needs to capture about 785GB of data." I question the wisdom of any system which sends 785Gb of data without ever rekeying. > > This attack seems to fall into the realm of "stupid SSL mistakes lead to exploitation." > There are proofs of concept against TLS and openvpn https://sweet32.info/ It is not quite that simple I think.
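The birthday-bound arithmetic behind the 64-bit block size and rekeying points in the messages above, as an added example that is not part of any poster's message or of the Sweet32 authors' code. It assumes 785 GB means 785 x 10^9 bytes; the 16-bit toy Feistel cipher and all function names are constructed for the illustration, and the closed forms use the usual Poisson approximation for uniformly random blocks.

```python
"""Birthday bound on block collisions under one key, and what rekeying buys."""
import hashlib
import math
import random

TOY_BITS = 16  # constructed toy block size, small enough to simulate quickly


def expected_collisions(n_blocks: int, block_bits: int) -> float:
    """Expected number of equal pairs among n uniformly random blocks."""
    return n_blocks * (n_blocks - 1) / 2 ** (block_bits + 1)


def collision_probability(n_blocks: int, block_bits: int) -> float:
    """Poisson approximation of P(at least one repeated ciphertext block)."""
    return -math.expm1(-expected_collisions(n_blocks, block_bits))


def rekey_limit_bytes(block_bits: int, max_probability: float) -> int:
    """Largest volume under one key keeping P(collision) <= max_probability."""
    pairs = -math.log1p(-max_probability) * 2 ** (block_bits + 1)
    return math.isqrt(int(pairs)) * (block_bits // 8)


def toy_encrypt_block(key: bytes, block: int) -> int:
    """4-round Feistel network on 16 bits (a permutation for any key)."""
    left, right = block >> 8, block & 0xFF
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd, right])).digest()[0]
        left, right = right, left ^ f
    return (left << 8) | right


def cbc_repeated_blocks(n_blocks: int, rekey_every: int, seed: int = 1) -> int:
    """CBC-encrypt random plaintext with the toy cipher and count ciphertext
    blocks that repeat an earlier block produced under the same key."""
    rng = random.Random(seed)
    repeats = 0
    for start in range(0, n_blocks, rekey_every):
        key = rng.getrandbits(128).to_bytes(16, "big")  # fresh key per segment
        prev = rng.getrandbits(TOY_BITS)                # fresh IV per segment
        seen = set()
        for _ in range(min(rekey_every, n_blocks - start)):
            plain = rng.getrandbits(TOY_BITS)
            prev = toy_encrypt_block(key, plain ^ prev)  # CBC chaining
            if prev in seen:
                repeats += 1
            seen.add(prev)
    return repeats


if __name__ == "__main__":
    volume = 785 * 10**9  # bytes, the figure quoted from the abstract
    for bits in (64, 128):
        blocks = volume // (bits // 8)
        print(f"{bits}-bit blocks, 785 GB under one key: "
              f"expected collisions {expected_collisions(blocks, bits):.3g}, "
              f"P(collision) {collision_probability(blocks, bits):.3g}")
    limit = rekey_limit_bytes(64, 1e-6)
    print(f"64-bit blocks: rekey before {limit / 1e6:.1f} MB "
          f"to keep P(collision) <= 1e-6")
    print("toy 16-bit cipher, 4096 blocks, one key:",
          cbc_repeated_blocks(4096, 4096), "repeated blocks")
    print("toy 16-bit cipher, 4096 blocks, rekey every 16:",
          cbc_repeated_blocks(4096, 16), "repeated blocks")
```

The toy simulation shows the same effect at a scale that runs in a second: collisions only count within one key, so cutting the per-key volume well below 2^(n/2) blocks removes almost all of them.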
From christian.heinrich at cmlh.id.au Wed Jan 25 23:19:42 2017 From: christian.heinrich at cmlh.id.au (Christian Heinrich) Date: Thu, 26 Jan 2017 09:19:42 +1100 Subject: Mail address to account conversion (keybase.io) In-Reply-To: <1485355460-sup-5400@abysm> References: <1485355460-sup-5400@abysm> Message-ID: Felix, On Thu, Jan 26, 2017 at 1:51 AM, Felix Van der Jeugt wrote: > Recently, keybase.io stopped their email forwarding service. Now, my > noctua at keybase.io uid can no longer receive email. I'd normally revoke > the uid, but my account, keybase.io/noctua, can still receive messages > through the website. Is this for their private key that keybase.io generates on your behalf when you sign up? -- Regards, Christian Heinrich http://cmlh.id.au/contact From felix.vanderjeugt at gmail.com Wed Jan 25 23:32:03 2017 From: felix.vanderjeugt at gmail.com (Felix Van der Jeugt) Date: Wed, 25 Jan 2017 23:32:03 +0100 Subject: Mail address to account conversion (keybase.io) In-Reply-To: References: <1485355460-sup-5400@abysm> Message-ID: <1485383410-sup-3104@abysm> Excerpts from Christian Heinrich's message of 2017-01-26 09:19:42 +1100: > On Thu, Jan 26, 2017 at 1:51 AM, Felix Van der Jeugt > wrote: > > Recently, keybase.io stopped their email forwarding service. Now, my > > noctua at keybase.io uid can no longer receive email. I'd normally revoke > > the uid, but my account, keybase.io/noctua, can still receive messages > > through the website. > > Is this for their private key that keybase.io generates on your behalf > when you sign up? No, this is for my own PGP key of which I uploaded the public key to them. I just added a uid with the keybase email to my key. Sincerely, Felix -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: From rjh at sixdemonbag.org Wed Jan 25 23:33:01 2017 From: rjh at sixdemonbag.org (Robert J. 
Hansen) Date: Wed, 25 Jan 2017 17:33:01 -0500 Subject: gnupg website In-Reply-To: References: <9520907a-aae0-26bc-3224-0ef393cb58e0@web.de> <87mvef5xog.fsf@wheatstone.g10code.de> <2cb24605-08f9-2212-6dfd-0f3894b8637b@incenp.org> <002c01d27756$6b0cf5f0$4126e1d0$@sixdemonbag.org> Message-ID: <003a01d2775a$fd5b5970$f8120c50$@sixdemonbag.org> > There are proofs of concept against TLS and openvpn https://sweet32.info/ Sure, but those proofs-of-concept require *hundreds of GB of traffic*. That's the sort of thing that causes a lot of crypto nerds to twitch and mutter "rekey, rekey".
From felix.vanderjeugt at gmail.com Wed Jan 25 23:39:13 2017 From: felix.vanderjeugt at gmail.com (Felix Van der Jeugt) Date: Wed, 25 Jan 2017 23:39:13 +0100 Subject: Mail address to account conversion (keybase.io) In-Reply-To: References: <1485355460-sup-5400@abysm> Message-ID: <1485383552-sup-20@abysm> Excerpts from Andrew Gallagher's message of 2017-01-25 18:10:56 +0000: > True, people might try to email you on that ID, but the worst that > will happen is they get a bounce (and you have other, usable IDs on > the same pubkey I assume). I indeed do have those, but I'm not sure keybase will bounce. I tried mailing myself there earlier (with a third address) and all I got in return was silence. > If the ID still "belongs" to you (in some meaningful sense) then > there's no need to revoke it just because it is unusable for the > purposes of email. It is merely a convention that IDs correspond to > email addresses. If your keybase account still exists, has a 1-to-1 > mapping with that ID, and is still under your control, then IMO it's > legitimate to keep the ID - particularly if it is used as a reference > point for other things. The presence of an ID on a public key makes no > claim as to whether the ID is usable for a particular purpose. Thanks for the opinion, I find myself agreeing.
I should probably stop collecting signs on that uid on keysigning parties, though, I shouldn't bother people with sending signed keys an unconventional (and manual) method.

Sincerely,
Felix
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL:

From ankostis at gmail.com Thu Jan 26 00:29:33 2017
From: ankostis at gmail.com (ankostis)
Date: Thu, 26 Jan 2017 00:29:33 +0100
Subject: Mail address to account conversion (keybase.io)
In-Reply-To: <1485383552-sup-20@abysm>
References: <1485355460-sup-5400@abysm>
 <1485383552-sup-20@abysm>
Message-ID:

Maybe that's an opportunity to put to use "notations", and self-sign the keybase-uid using --cert-notation.

Of course, nobody would care to check that, but would there be any other issue down this road?

Kind Regards,
Kostis

On 25 January 2017 at 23:39, Felix Van der Jeugt <
felix.vanderjeugt at gmail.com> wrote:

> Excerpts from Andrew Gallagher's message of 2017-01-25 18:10:56 +0000:
> > True, people might try to email you on that ID, but the worst that
> > will happen is they get a bounce (and you have other, usable IDs on
> > the same pubkey I assume).
>
> I indeed do have those, but I'm not sure keybase will bounce. I tried
> mailing myself there earlier (with a third address) and all I got in
> return was silence.
>
> > If the ID still "belongs" to you (in some meaningful sense) then
> > there's no need to revoke it just because it is unusable for the
> > purposes of email. It is merely a convention that IDs correspond to
> > email addresses. If your keybase account still exists, has a 1-to-1
> > mapping with that ID, and is still under your control, then IMO it's
> > legitimate to keep the ID - particularly if it is used as a reference
> > point for other things. The presence of an ID on a public key makes no
> > claim as to whether the ID is usable for a particular purpose.
>
> Thanks for the opinion, I find myself agreeing. I should probably stop
> collecting signs on that uid on keysigning parties, though, I shouldn't
> bother people with sending signed keys an unconventional (and manual)
> method.
>
> Sincerely,
> Felix
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From sivmu at web.de Thu Jan 26 00:47:36 2017
From: sivmu at web.de (sivmu)
Date: Thu, 26 Jan 2017 00:47:36 +0100
Subject: sha1 pgp fingerprint
Message-ID: <56badd3b-9a3c-e3cb-a283-279540d24ebc@web.de>

I have been wondering for a while about the use of sha1 in pgp fingerprints.

Although sha1 may not be easily broken in practice, there are theoretical collision attacks that are feasible for well funded organisations. Cryptographers, like Bruce Schneier, have been recommending for years to migrate to a new hash algorithm for all sorts of reasons.

New versions of gpg do not use sha1 in any encryption operation if I am not mistaken. But we still use sha1 fingerprints to compare of our keys.

The question I have not yet found any clear answer for, is why is nobody talking about this and should pgp keys be identified by a stronger hash algorithm in the future?

From antony at blazrsoft.com Thu Jan 26 00:55:06 2017
From: antony at blazrsoft.com (Antony Prince)
Date: Wed, 25 Jan 2017 18:55:06 -0500
Subject: gnupg website
In-Reply-To: <0d83ed0d-1dfe-dd88-3202-55af4868b22b@web.de>
References: <9520907a-aae0-26bc-3224-0ef393cb58e0@web.de>
 <87mvef5xog.fsf@wheatstone.g10code.de>
 <2cb24605-08f9-2212-6dfd-0f3894b8637b@incenp.org>
 <0d83ed0d-1dfe-dd88-3202-55af4868b22b@web.de>
Message-ID: <88c008a8-2a7e-1f05-d5b5-15b9952b20be@blazrsoft.com>

On 1/25/2017 4:36 PM, sivmu wrote:
> Basically if you can collect a few hundred GB of data, it is trivial to
> calculate the key. There is a proof of concept for https connections,
> although I believe this is especially relevant for VPN connections
> (openvpn uses a 64 bit cipher (blowfish) by default)
>

Thanks for bringing up the point about OpenVPN. I use it myself. I already had it set to AES-128-CBC, but I upgraded to the git 2.5 master version and set it to AES-256-GCM. This is one of the settings they recommend in their response to the issue [0] since GCM support was added in 2.4.

[0] https://community.openvpn.net/openvpn/wiki/SWEET32

--
Antony
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 898 bytes
Desc: OpenPGP digital signature
URL:

From andrewg at andrewg.com Thu Jan 26 01:16:42 2017
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Thu, 26 Jan 2017 00:16:42 +0000
Subject: gnupg website
In-Reply-To: <287c7c87-2391-8203-52cd-0a7a865c03db@web.de>
References: <9520907a-aae0-26bc-3224-0ef393cb58e0@web.de>
 <87mvef5xog.fsf@wheatstone.g10code.de>
 <8beb8ed6-9582-8f34-7e24-9d200932d88d@digitalbrains.com>
 <287c7c87-2391-8203-52cd-0a7a865c03db@web.de>
Message-ID:

On 2017/01/25 21:07, sivmu wrote:
> Anyways ssllabs shows a warning that the website will be degraded
> from A to C in a month. Not sure that matters all that much, but if
> there is an opportunity to change the available ciphers at some
> point...

I've looked into this and I'm not sure why ssllabs is degrading from A- to C. There is a link to the blog post in the results page, but the post appears to say that the grade will *not* be reduced. I quote:

> we'll be modifying our grading criteria to penalise sites that
> negotiate 3DES with TLS 1.1 and newer protocols. Such sites will
> have their scores capped at C. Sites that continue to support 3DES
> and keep it at the end of their ordered list of suites will not be
> affected (for now).

gnupg.org *does* keep 3DES at the end of the supported suites, so surely it should not be affected.
I'm tempted to write this off as a mistake by ssllabs.

A
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL:

From glenn at rempe.us Thu Jan 26 02:16:36 2017
From: glenn at rempe.us (Glenn Rempe)
Date: Wed, 25 Jan 2017 17:16:36 -0800
Subject: gnupg website
In-Reply-To:
References: <9520907a-aae0-26bc-3224-0ef393cb58e0@web.de>
 <87mvef5xog.fsf@wheatstone.g10code.de>
 <8beb8ed6-9582-8f34-7e24-9d200932d88d@digitalbrains.com>
 <287c7c87-2391-8203-52cd-0a7a865c03db@web.de>
Message-ID: <96fee013-bd5d-cc5e-4be6-81892cf8ac34@rempe.us>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I would also like to note that gnupg.org does not appear to work on the latest versions of Apple iOS or macOS Safari due to TLS cert issues. It fails to load in Safari on either platform (but Chrome and Firefox do work on macOS, Safari is the only browser on iOS).

I believe this may be due to Apple's App Transport Security (ATS) rules. You can find an overview of those rules and a link to more details here:

http://stackoverflow.com/questions/31231696/ios-9-ats-ssl-error-with-supporting-server

It seems that iOS/macOS cannot negotiate a strong connection with TLS 1.2 and one of the allowed cipher suites using forward secrecy when talking to gnupg.org.
The accepted TLS 1.2 ciphers for Apple ATS are:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

And gnupg.org only provides:

TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 2048 bits FS 128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 2048 bits FS 256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112

As you can see, there appears to be no overlap with the suites that ATS expects for a strong connection and those that gnupg.org offers.

For comparison's sake, here are the cipher suites that cloudflare advertises with its CDN services:

Preferred TLSv1.2 128 bits ECDHE-ECDSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-SHA Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-ECDSA-AES256-GCM-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-ECDSA-AES256-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-ECDSA-AES256-SHA Curve P-256 DHE 256

Here is the full list of TLS suites that I used to compare:

https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4

SSLlabs tests for gnupg.org seem to show that it cannot negotiate a connection with forward security with gnupg.org which is a requirement for ATS.

https://www.ssllabs.com/ssltest/analyze.html?d=gnupg.org&s=217.69.76.60

Every load of gnupg.org in Safari results in a total failure to load anything. Running one of the suggested diagnostics shows the following error:

*********************

$ nscurl --ats-diagnostics https://gnupg.org
Starting ATS Diagnostics

...
Default ATS Secure Connection
- ---
ATS Default Connection
2017-01-25 16:13:17.674 nscurl[38742:199753] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
- ---

*********************

The error is also showing in the system console application with an entry such as:

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)

While I am not certain it would fix it, it seems that gnupg.org might be able to fix by changing its config to advertise a more extensive set of TLS 1.2 suites that support forward secrecy and that match the supported list provided by Apple over TLS 1.2 connections. I am happy to test this again after such a change.

For now, if my testing on my own devices is representative you may be shutting out all iOS users and Safari on macOS users as well from being able to load your site at all. If others don't see that same behavior I would be interested to hear that too.

Cheers,

Glenn

On 1/25/17 4:16 PM, Andrew Gallagher wrote:
> On 2017/01/25 21:07, sivmu wrote:
>> Anyways ssllabs shows a warning that the website will be degraded
>> from A to C in a month. Not sure that matters all that much, but
>> if there is an opportunity to change the available ciphers at
>> some point...
>
> I've looked into this and I'm not sure why ssllabs is degrading
> from A- to C. There is a link to the blog post in the results page,
> but the post appears to say that the grade will *not* be reduced. I
> quote:
>
>> we'll be modifying our grading criteria to penalise sites that
>> negotiate 3DES with TLS 1.1 and newer protocols. Such sites will
>> have their scores capped at C. Sites that continue to support
>> 3DES and keep it at the end of their ordered list of suites will
>> not be affected (for now).
>
> gnupg.org *does* keep 3DES at the end of the supported suites, so
> surely it should not be affected. I'm tempted to write this off as
> a mistake by ssllabs.
>
> A
>
>
>
> _______________________________________________ Gnupg-users mailing
> list Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

From gniibe at fsij.org Thu Jan 26 03:07:44 2017
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Thu, 26 Jan 2017 11:07:44 +0900
Subject: Smartcard working completely with GPG2 and incompletely with GPG1.4
In-Reply-To: <20170125201456.024b9218@Carbon>
References: <20170125201456.024b9218@Carbon>
Message-ID: <87lgtyzi8f.fsf@iwagami.gniibe.org>

Hello,

Thank you for your report in detail.

chris.p.16 at gmx.de wrote:
> The commands gpg --card-status and gpg2 --card-status seem to display
> mainly the same things, the only strange line is "Key Attributes" at
> GPG 1.4:

gpg 1.4 can use gpg-agent by the option use-agent. I think that you enable this option in .gnupg/gpg.conf.

Yes, gpg 1.4 can be used with the gpg-agent of GnuPG 2.0, this usage is supported well.

scdaemon in GnuPG 2.1 has been enhanced to support ECC, and the particular protocol of KEY-ATTR has been changed. This is the cause of the issue.
While I'm sure scdaemon 2.1 doesn't work well with gpg 1.4 by protocol incompatibility, I'm not sure how gpg 1.4 can be used with the gpg-agent of 2.1, in general. In my opinion, I don't think this usage is well supported in the current development of GnuPG.

Let us see. Is there any reason why the combination of gpg 1.4 and gpg-agent 2.1 is useful?
--

From peter at digitalbrains.com Thu Jan 26 10:56:18 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Thu, 26 Jan 2017 10:56:18 +0100
Subject: sha1 pgp fingerprint
In-Reply-To: <56badd3b-9a3c-e3cb-a283-279540d24ebc@web.de>
References: <56badd3b-9a3c-e3cb-a283-279540d24ebc@web.de>
Message-ID: <97898816-bac0-6e2c-940b-e0ade3161ff7@digitalbrains.com>

On 26/01/17 00:47, sivmu wrote:
> The question I have not yet found any clear answer for, is why is nobody
> talking about this and should pgp keys be identified by a stronger hash
> algorithm in the future?

Subverting SHA-1 as used for OpenPGP fingerprints requires a second-preimage attack. The problems with SHA-1 are with collision resistance, not preimage attacks.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From dgouttegattat at incenp.org Thu Jan 26 11:20:58 2017
From: dgouttegattat at incenp.org (Damien Goutte-Gattat)
Date: Thu, 26 Jan 2017 11:20:58 +0100
Subject: sha1 pgp fingerprint
In-Reply-To: <56badd3b-9a3c-e3cb-a283-279540d24ebc@web.de>
References: <56badd3b-9a3c-e3cb-a283-279540d24ebc@web.de>
Message-ID: <542d90cf-da25-c7c9-d2e2-efef01fe25f4@incenp.org>

On 01/26/2017 12:47 AM, sivmu wrote:
> The question I have not yet found any clear answer for, is why is nobody
> talking about this and should pgp keys be identified by a stronger hash
> algorithm in the future?

People *do* talk about this. But a change of the hash algorithm used for fingerprinting keys cannot be decided unilaterally by GnuPG developers.
All OpenPGP implementations have to agree on such a change, that's why the discussions occur on the IETF OpenPGP mailing list. See for example those threads:

https://www.ietf.org/mail-archive/web/openpgp/current/msg08265.html
https://www.ietf.org/mail-archive/web/openpgp/current/msg08693.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL:

From andrewg at andrewg.com Thu Jan 26 12:49:54 2017
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Thu, 26 Jan 2017 11:49:54 +0000
Subject: gnupg website
In-Reply-To:
References: <9520907a-aae0-26bc-3224-0ef393cb58e0@web.de>
 <87mvef5xog.fsf@wheatstone.g10code.de>
 <8beb8ed6-9582-8f34-7e24-9d200932d88d@digitalbrains.com>
 <287c7c87-2391-8203-52cd-0a7a865c03db@web.de>
Message-ID: <75760e50-f70b-586d-93fb-af86056a983e@andrewg.com>

On 26/01/17 00:16, Andrew Gallagher wrote:
>
> gnupg.org *does* keep 3DES at the end of the supported suites, so surely
> it should not be affected. I'm tempted to write this off as a
> mistake by ssllabs.

I've spoken to ssllabs and it appears that this was an ambiguity in the wording of their blog post. That means the downgrade to C next month is legit - not because 3DES is present, but because 3DES is present *and* GCM is absent.

What both this and Glenn's Apple issue have in common is the lack of ECDHE+GCM suites in the cipher list. I generally use the following config in Apache:

SSLCipherSuite \
"EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 \
EECDH EDH+AESGCM EDH+aRSA +3DES 3DES \
!aNULL !eNULL !LOW !EXP !MD5 !KRB5 !PSK !SRP !DSS !SEED !RC4"

This uses all HIGH suites in a sensible order but still falls back to 3DES for XP compatibility.
When retiring 3DES this simplifies to:

SSLCipherSuite \
"EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 \
EECDH EDH+AESGCM EDH+aRSA !MEDIUM !LOW !aNULL !eNULL !PSK"

Andrew.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL:

From fgunbin at fastmail.fm Thu Jan 26 14:13:18 2017
From: fgunbin at fastmail.fm (Filipp Gunbin)
Date: Thu, 26 Jan 2017 16:13:18 +0300
Subject: gnupg website
In-Reply-To: <96fee013-bd5d-cc5e-4be6-81892cf8ac34@rempe.us> (Glenn Rempe's message of "Wed, 25 Jan 2017 17:16:36 -0800")
References: <9520907a-aae0-26bc-3224-0ef393cb58e0@web.de>
 <87mvef5xog.fsf@wheatstone.g10code.de>
 <8beb8ed6-9582-8f34-7e24-9d200932d88d@digitalbrains.com>
 <287c7c87-2391-8203-52cd-0a7a865c03db@web.de>
 <96fee013-bd5d-cc5e-4be6-81892cf8ac34@rempe.us>
Message-ID:

On 25/01/2017 17:16 -0800, Glenn Rempe wrote:

> I would also like to note that gnupg.org does not appear to work on
> the latest versions of Apple iOS or macOS Safari due to TLS cert
> issues. It fails to load in Safari on either platform (but Chrome and
> Firefox do work on macOS, Safari is the only browser on iOS).

That's true on my macOS 10.12.2.

Filipp
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 487 bytes
Desc: not available
URL:

From wk at gnupg.org Thu Jan 26 18:05:05 2017
From: wk at gnupg.org (Werner Koch)
Date: Thu, 26 Jan 2017 18:05:05 +0100
Subject: gnupg website
In-Reply-To: <003a01d2775a$fd5b5970$f8120c50$@sixdemonbag.org> (Robert J. Hansen's message of "Wed, 25 Jan 2017 17:33:01 -0500")
References: <9520907a-aae0-26bc-3224-0ef393cb58e0@web.de>
 <87mvef5xog.fsf@wheatstone.g10code.de>
 <2cb24605-08f9-2212-6dfd-0f3894b8637b@incenp.org>
 <002c01d27756$6b0cf5f0$4126e1d0$@sixdemonbag.org>
 <003a01d2775a$fd5b5970$f8120c50$@sixdemonbag.org>
Message-ID: <878tpxda66.fsf@wheatstone.g10code.de>

On Wed, 25 Jan 2017 23:33, rjh at sixdemonbag.org said:

> That's the sort of thing that causes a lot of crypto nerds to twitch and
> mutter "rekey, rekey".

For example OpenSSH does a rekeying not later than 4 GiByte even for 128 bit block length ciphers.

The block length problem is known since we use block ciphers. Despite that there are practical solutions for most problem domains (i.e. rekeying) the new standard cipher contest (which led to AES) was started back in the last millennium. One explicit goal was to standardize on a 128 bit block length cipher to stop thinking about this problem.

I tried to explain in my first reply that there is no real problem in sweet32. The real problem is allowing to run arbitrary code on your machine - Javascript is the simple attack vector to exploit bugs in the client software. Why generating incredible huge amounts of traffic for each individual target when you can also write an exploit which works on a large percentage of all clients.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL:

From wk at gnupg.org Thu Jan 26 18:19:11 2017
From: wk at gnupg.org (Werner Koch)
Date: Thu, 26 Jan 2017 18:19:11 +0100
Subject: sha1 pgp fingerprint
In-Reply-To: <97898816-bac0-6e2c-940b-e0ade3161ff7@digitalbrains.com> (Peter Lebbing's message of "Thu, 26 Jan 2017 10:56:18 +0100")
References: <56badd3b-9a3c-e3cb-a283-279540d24ebc@web.de>
 <97898816-bac0-6e2c-940b-e0ade3161ff7@digitalbrains.com>
Message-ID: <874m0ld9io.fsf@wheatstone.g10code.de>

On Thu, 26 Jan 2017 10:56, peter at digitalbrains.com said:

> second-preimage attack. The problems with SHA-1 are with collision
> resistance, not preimage attacks.

Correct, but we should also mention that even collisions are not yet a current problem - but one we definitely want to be prepared for.

The whole fuss about replacing SHA-1 from https (I write https and not TLS for a reason) may help to learn about algorithm replacement procedures for the future. Replacing SHA-1 in X.509 certificates, as used for the Web, will not magically make the Web in any way more secure. The problems with the Web infrastructure are not due to SHA-1 or even RSA-1024; Shamir's old rule still holds: "Crypto will not be broken, it will be bypassed".

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL:

From rjh at sixdemonbag.org Thu Jan 26 19:48:34 2017
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 26 Jan 2017 13:48:34 -0500
Subject: gnupg website
In-Reply-To: <878tpxda66.fsf@wheatstone.g10code.de>
References: <9520907a-aae0-26bc-3224-0ef393cb58e0@web.de>
 <87mvef5xog.fsf@wheatstone.g10code.de>
 <2cb24605-08f9-2212-6dfd-0f3894b8637b@incenp.org>
 <002c01d27756$6b0cf5f0$4126e1d0$@sixdemonbag.org>
 <003a01d2775a$fd5b5970$f8120c50$@sixdemonbag.org>
 <878tpxda66.fsf@wheatstone.g10code.de>
Message-ID: <00e601d27804$ccd74cf0$6685e6d0$@sixdemonbag.org>

> For example OpenSSH does a rekeying not later than 4 GiByte even for 128
> bit block length ciphers.

The 256GiB limitation (2**32 blocks of 2**6 bytes = 2**38 bytes; 2**30 is a gibibyte, 2**8 is 256, hence, 256 GiB) is so well-known that it appears multiple times in the GnuPG FAQ, even. All the 64-bit-block ciphers have notations of "don't encrypt more than about 4GiB of data".

(If people are wondering why we advise 4GiB when the birthday bound is 256GiB, it's because we want a large safety margin.)

From glenn at rempe.us Thu Jan 26 19:48:28 2017
From: glenn at rempe.us (Glenn Rempe)
Date: Thu, 26 Jan 2017 10:48:28 -0800
Subject: gnupg website
In-Reply-To: <75760e50-f70b-586d-93fb-af86056a983e@andrewg.com>
References: <9520907a-aae0-26bc-3224-0ef393cb58e0@web.de>
 <87mvef5xog.fsf@wheatstone.g10code.de>
 <8beb8ed6-9582-8f34-7e24-9d200932d88d@digitalbrains.com>
 <287c7c87-2391-8203-52cd-0a7a865c03db@web.de>
 <75760e50-f70b-586d-93fb-af86056a983e@andrewg.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Werner, you (or anyone setting up a web server themselves really) might also find this config generator from Mozilla helpful as a shortcut in creating what is considered a modern web server config for TLS.

https://mozilla.github.io/server-side-tls/ssl-config-generator/

https://wiki.mozilla.org/Security/Server_Side_TLS

This config may not apply to gnupg.org directly since it's not clear what web server you are running.
In any case it will tell you which suites you are recommended to support for modern(ish) browsers.

I would also note that there is room for improvement regarding the security headers that gnupg.org sends with its content.

https://securityheaders.io/?q=gnupg.org&followRedirects=on

You are using HSTS, which is generally very good, but in this case it forcibly breaks users' experience since it requires me to connect with TLS but that is not possible since you are not advertising a TLS suite that shares common ground with my browser (or millions of other potential visitors).

Cheers.

On 1/26/17 3:49 AM, Andrew Gallagher wrote:
> On 26/01/17 00:16, Andrew Gallagher wrote:
>>
>> gnupg.org *does* keep 3DES at the end of the supported suites,
>> so surely it should not be affected. I'm tempted to write this
>> off as a mistake by ssllabs.
>
> I've spoken to ssllabs and it appears that this was an ambiguity
> in the wording of their blog post. That means the downgrade to C
> next month is legit - not because 3DES is present, but because 3DES
> is present *and* GCM is absent.
>
> What both this and Glenn's Apple issue have in common is the lack
> of ECDHE+GCM suites in the cipher list. I generally use the
> following config in Apache:
>
> SSLCipherSuite \ "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM
> EECDH+ECDSA+SHA384 \ EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384
> EECDH+aRSA+SHA256 \ EECDH EDH+AESGCM EDH+aRSA +3DES 3DES \ !aNULL
> !eNULL !LOW !EXP !MD5 !KRB5 !PSK !SRP !DSS !SEED !RC4"
>
> This uses all HIGH suites in a sensible order but still falls back
> to 3DES for XP compatibility. When retiring 3DES this simplifies
> to:
>
> SSLCipherSuite \ "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM
> EECDH+ECDSA+SHA384 \ EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384
> EECDH+aRSA+SHA256 \ EECDH EDH+AESGCM EDH+aRSA !MEDIUM !LOW !aNULL
> !eNULL !PSK"
>
> Andrew.
>
>
>
> _______________________________________________ Gnupg-users
> mailing list Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

From gniibe at fsij.org Fri Jan 27 01:58:57 2017
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Fri, 27 Jan 2017 09:58:57 +0900
Subject: Smartcard working completely with GPG2 and incompletely with GPG1.4
In-Reply-To: <20170125201456.024b9218@Carbon>
References: <20170125201456.024b9218@Carbon>
Message-ID: <87a8ad5ne6.fsf@iwagami.gniibe.org>

Hello,

chris.p.16 at gmx.de wrote:
> With GnuPG 2, signing, encrypting and decrypting a file works without
> any problems. With 1.4, I can encrypt and sign a file, but I can't
> decrypt it. It's failing with the message:
[...]
>
> gpg: public key decryption failed: general error
> gpg: decryption failed: secret key not available
[...]
> sec# rsa4096/E728903D created: 2014-04-12 expires: never
> ssb> rsa4096/3A07266F created: 2014-04-12 expires: never
> card-no: 0005 00005031
> ssb> rsa4096/43F27C98 created: 2017-01-24 expires: never
> card-no: 0005 00005031

I located the cause of this issue.
It is not the issue of scdaemon incompatibility of GnuPG 2.1, which I addressed yesterday.

With GnuPG 1.4 for smartcard can't work well for RSA 4096-bit keys. (I think that it can also occur with the combination of GnuPG 1.4 and GnuPG 2.0.)

In the code of g10/cardglue.c, the buffer length is 1002-byte by the definition of ASSUAN_LINELENGTH [0], but this length is not enough for the checking at [1]. (To represent encrypted value of 4096-bit itself, it requires 1024-byte by hex string.)

[0] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=include/assuan.h;h=1170f959df353f33373565c729981891dcd0100c;hb=refs/heads/STABLE-BRANCH-1-4#l91
[1] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=g10/cardglue.c;h=809b315e564831aac8727d3c905e53016749f76e;hb=refs/heads/STABLE-BRANCH-1-4#l1395
--

From rsv869 at runbox.com Fri Jan 27 03:25:32 2017
From: rsv869 at runbox.com (Reid Vail)
Date: Thu, 26 Jan 2017 21:25:32 -0500
Subject: I'm confused about GPG, and it's confused about me
In-Reply-To: <20170123203618.6E01EE04E5@smtp.hushmail.com>
References: <20170123164822.62EA3200CE@smtp.hushmail.com>
 <20170123203618.6E01EE04E5@smtp.hushmail.com>
Message-ID: <20170126212532.68033ed4@rsv2-Serval-Pro>

Hello Vedaal -

Sorry if top-posting is bad 'Net manners.

Thanks for your reply. Trying to follow your instructions, really. And not trying to be too slow to follow. Below are the steps I took, and the results.

Your suggestions were very straight forward but I couldn't get them to work. When I used Seahorse and tried to create a new keypair it never seemed to complete. I know it wants random input and keystrokes to help create the keys. Tried it several times but it never succeeded.

I also tried GPA and ran it with the same intent, executed all kinds of activity to generate random data.
The progress bar in the Generating Key box completed but I never saw a message that said it completed successfully, and the new key (if it ever did complete) never showed in the Key Manager screen.

Next I ran GnuPG manually at the command-line and that did succeed. I figured I could manually use that new key to sign the public key I was trying to send to, which is the goal.

I executed the following to show the public key I was trying to sign:

rsv2 at rsv2-Serval-Pro ~ $ gpg --with-fingerprint rsv869 at runbox.com_public.asc
pub 2048R/26F66FEB 2016-11-09 Reid Vail
Key fingerprint = 3A74 A1DB 2C79 6657 D14B A6B8 3EDE 6A32 26F6 6FEB
sub 2048R/14C2E935 2016-11-09
pub 2048R/A780EFF6 2017-01-17 Reid Vail (runbox)
Key fingerprint = 1F35 6DC3 3182 016A 8E59 E509 9A72 F153 A780 EFF6
sub 2048R/1ED8FE07 2017-01-17

The one I want to sign is A780EFF6.
--------------------------------------------------------------------------------------

rsv2 at rsv2-Serval-Pro ~ $ gpg --sign-key rsv869 at runbox.com

pub 2048R/A780EFF6 created: 2017-01-17 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048R/1ED8FE07 created: 2017-01-17 expires: never usage: E
[ultimate] (1). Reid Vail (runbox)

gpg: no default secret key: secret key not available

Key not changed so no update needed.
------------------------------------------------------------------------------------

Next I tried to define it the default key... not happening !!

rsv2 at rsv2-Serval-Pro ~ $ gpg --default-key A780EFF6 --clearsign REIDgpg

You need a passphrase to unlock the secret key for
user: "Reid Vail (runbox) "
2048-bit RSA key, ID A780EFF6, created 2017-01-17

gpg: can't open `REIDgpg': No such file or directory
---------------------------------------------------------------------------------

That last is obviously my misunderstanding the command structure, but the man pages are just a little too opaque for me....

Any suggestions are welcome.

RSV869

On Mon, 23 Jan 2017 15:36:18 -0500
vedaal at nym.hush.com wrote:

>
>
> On 1/23/2017 at 1:00 PM, "reid vail" wrote: Hi vedaal -
>
> thanks for your response. I'll follow those instructions.
>
> when you say that's the 'default' key I believe you mean it's the
> default key for that specific GnuPG correspondent, right? And
> by extension, when I import any other public keys I need to sign them
> as trusted (in this case, by Seahorse), as you instructed below.
> That's the process, I think :->
>
> =====
>
> yes.
>
> also, should you ever need to upgrade to a newer linux system, and
> want to import your keys,
>
> you would need to first make a keypair in the GnuPg Seahorse or GPA or
> whatever gui you use, in the new system, and then import your keys and
> sign them the the new key
> vedaal

From rsv869 at runbox.com Fri Jan 27 03:33:35 2017
From: rsv869 at runbox.com (Reid Vail)
Date: Thu, 26 Jan 2017 21:33:35 -0500
Subject: error in GPA
Message-ID: <20170126213335.1a811abe@rsv2-Serval-Pro>

Hello GnuPG team -

was trying to create a key pair in GPA and got the following error

"The GPGME library returned and unexpected error at gpagenkeyadvop.c199. The error was: General Error"

"This is either an installation problem or a bug in GPA. GPA will now try to recover from this error. "

Can you help?

Reid

From peter at digitalbrains.com Fri Jan 27 14:10:31 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Fri, 27 Jan 2017 14:10:31 +0100
Subject: I'm confused about GPG, and it's confused about me
In-Reply-To: <20170126212532.68033ed4@rsv2-Serval-Pro>
References: <20170123164822.62EA3200CE@smtp.hushmail.com> <20170123203618.6E01EE04E5@smtp.hushmail.com> <20170126212532.68033ed4@rsv2-Serval-Pro>
Message-ID:

On 27/01/17 03:25, Reid Vail wrote:
> rsv2 at rsv2-Serval-Pro ~ $ gpg --with-fingerprint rsv869 at runbox.com_public.asc
> pub 2048R/26F66FEB 2016-11-09 Reid Vail
> Key fingerprint = 3A74 A1DB 2C79 6657 D14B A6B8 3EDE 6A32 26F6 6FEB
> sub 2048R/14C2E935 2016-11-09
> pub 2048R/A780EFF6 2017-01-17 Reid Vail (runbox)
> Key fingerprint = 1F35 6DC3 3182 016A 8E59 E509 9A72 F153 A780 EFF6
> sub 2048R/1ED8FE07 2017-01-17

This merely shows the content of a file on your disk.

> The one I want to sign is A780EFF6.

To sign a key, you need to have it in your keyring. However, based on

> rsv2 at rsv2-Serval-Pro ~ $ gpg --default-key A780EFF6 --clearsign REIDgpg
>
> You need a passphrase to unlock the secret key for
> user: "Reid Vail (runbox) "
> 2048-bit RSA key, ID A780EFF6, created 2017-01-17

I'm thinking you're trying to sign your own key, which is not something that can be done. There is the so-called self-signature, but it is not done by --sign-key but rather by changing some aspect of your key with --edit-key.

It would appear (because it asks for a passphrase) that your system has this private key in its keyring.

> gpg: can't open `REIDgpg': No such file or directory

You are asking GnuPG to issue a detached signature on a file in your current directory called REIDgpg. This file appears not to exist.

> That last is obviously my misunderstanding the command structure, but the man pages
> are just a little too opaque for me....

The man pages are reference manuals, not introductory texts.
They are indeed opaque if you're trying to learn how to do stuff on the command line. [1] is better, but it is old. I must admit I'm not really well acquainted with introductory texts.

You can see which private keys your system has in its keyring by

$ gpg -K

And it would appear you have multiple since GnuPG complains "no default secret key".

What are you trying to do? Please try to indicate the end rather than the means. When you say "I want to sign key A780EFF6" it is not clear to me what you are trying to accomplish by that. Do you want to make that key valid? If it's your own key, that won't work. That's for making other people's keys valid. Your own key should have its trust level set to "ultimate" to make it valid. This is something that GnuPG does automatically when creating a key, but not when importing a secret key that was created with a different GnuPG installation.

Hope that helps a little bit,

Peter.

[1] https://www.gnupg.org/gph/en/manual.html

>
> Any suggestions are welcome.
>
> RSV869
>
>
> On Mon, 23 Jan 2017 15:36:18 -0500
> vedaal at nym.hush.com wrote:
>
>>
>>
>> On 1/23/2017 at 1:00 PM, "reid vail" wrote:Hi vedaal -
>>
>> thanks for your response. I'll follow those instructions.
>>
>> when you say that's the 'default' key I believe you mean it's the
>> default key for that specific GnuPG correspondent, right? And
>> by extension, when I import any other public keys I need to sign them
>> as trusted (in this case, by Seahorse), as you instructed below.
>> That's the process, I think :->
>>
>> =====
>>
>> yes.
>>
>> also, should you ever need to upgrade to a newer linux system, and
>> want to import your keys,
>>
>> you would need to first make a keypair in the GnuPg Seahorse or GPA or
>> whatever gui you use, in the new system, and then import your keys and
>> sign them the the new key
>> vedaal
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From julien at vehent.org Thu Jan 26 20:15:57 2017
From: julien at vehent.org (Julien Vehent)
Date: Thu, 26 Jan 2017 14:15:57 -0500
Subject: gnupg website
In-Reply-To:
References: <9520907a-aae0-26bc-3224-0ef393cb58e0@web.de> <87mvef5xog.fsf@wheatstone.g10code.de> <8beb8ed6-9582-8f34-7e24-9d200932d88d@digitalbrains.com> <287c7c87-2391-8203-52cd-0a7a865c03db@web.de> <75760e50-f70b-586d-93fb-af86056a983e@andrewg.com>
Message-ID: <20170126191557.GA1568@vehent.org>

Hello,

I'm the maintainer of the Server Side TLS guidelines at Mozilla. I'm happy to help with the HTTPS setup of gnupg.org in any way I can.

Here's the configuration currently measured by the TLS Observatory, along with some recommendations to reach Modern level.

--- Ciphers Evaluation ---
prio cipher             protocols             pfs         curves
1    DHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,2048bits
2    DHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 DH,2048bits
3    DES-CBC3-SHA       TLSv1,TLSv1.1,TLSv1.2 None
OCSP Stapling        false
Server Side Ordering true
Curves Fallback      false

--- Analyzers ---
* Mozilla evaluation: intermediate
  - for modern level: remove ciphersuites DHE-RSA-AES128-SHA, DHE-RSA-AES256-SHA, DES-CBC3-SHA
  - for modern level: consider adding ciphers ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES128-SHA256
  - for modern level: remove protocols TLSv1, TLSv1.1
  - for modern level: consider enabling OCSP stapling
  - for modern level: enable Perfect Forward Secrecy with a curve of at least 256bits, don't use DHE
  - for modern level: use a certificate of type ecdsa, not RSA

Hope this helps,
Julien

On Thu 26.Jan'17 at 10:48:28 -0800, Glenn Rempe wrote:
> Werner, you (or anyone setting up a web server themselves really)
> might also find this config generator from Mozilla helpful as a
> shortcut in creating what is considered a modern web server config for
> TLS.
>
> https://mozilla.github.io/server-side-tls/ssl-config-generator/
>
> https://wiki.mozilla.org/Security/Server_Side_TLS
>
> This config may not apply to gnupg.org directly since its not clear
> what web server you are running. In any case it will tell you which
> suites you are recommended to support for modern(ish) browsers.
>
> I would also note that there is room for improvement regarding the
> security headers the gnupg.org sends with its content.
>
> https://securityheaders.io/?q=gnupg.org&followRedirects=on
>
> You are using HSTS, which is generally very good, but in this case it
> forcibly breaks users experience since it requires me to connect with
> TLS but that is not possible since you are not advertising a TLS suite
> that shares common ground with my browser (or millions of other
> potential visitors).
>
> Cheers.
>
> On 1/26/17 3:49 AM, Andrew Gallagher wrote:
> > On 26/01/17 00:16, Andrew Gallagher wrote:
> >>
> >> gnupg.org *does* keep 3DES at the end of the supported suites,
> >> so surely it should not be affected. I'm tempted to write this
> >> off as a mistake by ssllabs.
> >
> > I've spoken to ssllabs and it appears that this was an ambiguity
> > in the wording of their blog post. That means the downgrade to C
> > next month is legit - not because 3DES is present, but because 3DES
> > is present *and* GCM is absent.
> >
> > What both this and Glenn's Apple issue have in common is the lack
> > of ECDHE+GCM suites in the cipher list. I generally use the
> > following config in Apache:
> >
> > SSLCipherSuite \
> >   "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
> >   EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 \
> >   EECDH EDH+AESGCM EDH+aRSA +3DES 3DES \
> >   !aNULL !eNULL !LOW !EXP !MD5 !KRB5 !PSK !SRP !DSS !SEED !RC4"
> >
> > This uses all HIGH suites in a sensible order but still falls back
> > to 3DES for XP compatibility. When retiring 3DES this simplifies
> > to:
> >
> > SSLCipherSuite \
> >   "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
> >   EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 \
> >   EECDH EDH+AESGCM EDH+aRSA !MEDIUM !LOW !aNULL !eNULL !PSK"
> >
> > Andrew.

From peter at digitalbrains.com Fri Jan 27 14:16:15 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Fri, 27 Jan 2017 14:16:15 +0100
Subject: I'm confused about GPG, and it's confused about me
In-Reply-To: <20170126212532.68033ed4@rsv2-Serval-Pro>
References: <20170123164822.62EA3200CE@smtp.hushmail.com> <20170123203618.6E01EE04E5@smtp.hushmail.com> <20170126212532.68033ed4@rsv2-Serval-Pro>
Message-ID:

Whoops, left out part of my answer.

On 27/01/17 03:25, Reid Vail wrote:
> When I
> used Seahorse and tried to create a new keypair it never seemed to complete. I know
> wants random input and keystrokes to help create the keys. Tried it several times
> but it never succeeded. I also tried GPA and ran it with the same intent, executed
> all kinds of activity to generate random data. The progress bar in the Generating
> Key box completed but I never saw a message that said it completed successfully, and
> the new key (if it ever did complete) never showed in the Key Manager screen.

I'm sorry to hear you are having such trouble getting it to work! That's
a pretty bad first user experience.

Are you doing this on a virtual machine? Certain virtual machine
deployments have trouble gathering randomness, which prevents generating
keys. Other than that, these programs should just have worked. Odd...

> I figured I
> could manually use that new key to sign the public key was trying send to, which is
> the goal.

I don't fully understand.
Are you trying to send someone else an
encrypted document, and are you encountering the situation that GnuPG is
warning you that there is no indication that the key belongs to the
recipient?

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From g1363333 at icloud.com Fri Jan 27 17:23:21 2017
From: g1363333 at icloud.com (=?GB2312?B?0KG3xiC5+SDKzw==?=)
Date: Fri, 27 Jan 2017 17:23:21 +0100
Subject: =?CP936?B?ufnQobfGLdb37n0=?=
Message-ID: <83C07839-8DC0-40AE-B5CC-08FDD9953858@icloud.com>

From jacob.lyles at gmail.com Fri Jan 27 21:56:24 2017
From: jacob.lyles at gmail.com (Jacob Lyles)
Date: Fri, 27 Jan 2017 20:56:24 +0000
Subject: Trojan detected in Windows 10 Simple Installer for GnuPG Modern
Message-ID:

Platform: VM "Microsoft Edge on Win 10 Stable (14.14393)" for Virtualbox (download link )

GnuPG download: gnupg-w32-2.1.18_20179123.exe (sha256 1FD01E24F65465DFD075B8AD55A58EAEE13E79C02C42096C325A7CCF5A1EB283) "Simple installer for GnuPG modern"

Problem: Windows Defender detects a trojan named "Trojan:Win32/Sprisky.C!cl" in the installer and deletes it.

This could be a false positive or a problem with the Windows 10 VM distributed by Microsoft. The sha256 checksum matches the checksum expected by the developer. It would be useful to know whether windows 10 users who run windows directly on their hardware experience the same problem. I am able to download other GPG distributions, such as Gpg4win, without issue.

Should I file a bug report with the maintainer?
Even if the problem is on Microsoft's end, this is a bad experience for GPG users.

- Jacob

From juanmi.3000 at gmail.com Sat Jan 28 22:37:15 2017
From: juanmi.3000 at gmail.com (Juan Miguel Navarro Martínez)
Date: Sat, 28 Jan 2017 22:37:15 +0100
Subject: Trojan detected in Windows 10 Simple Installer for GnuPG Modern
In-Reply-To:
References:
Message-ID: <4f820d04-b716-a14c-4373-eb875948be69@gmail.com>

I've just downloaded the same file:

C:\Users\MyUser\Downloads>..\Desktop\portable\sha256sum.exe gnupg-w32-2.1.18_20170123.exe
1fd01e24f65465dfd075b8ad55a58eaee13e79c02c42096c325a7ccf5a1eb283 *gnupg-w32-2.1.18_20170123.exe

... and Avast didn't detect it as malicious, also 0 / 56 detections from
VirusTotal.com[1]

I can't test it on Defender as it's disabled by Avast, but most likely
it is a false positive.

I'll try using a W10 machine.

[1]: https://www.virustotal.com/es/file/1fd01e24f65465dfd075b8ad55a58eaee13e79c02c42096c325a7ccf5a1eb283/analysis/1485639002/

--
Juan Miguel Navarro Martínez
GPG Keyfingerprint: 5A91 90D4 CF27 9D52 D62A BC58 88E2 947F 9BC6 B3CF

From peter at digitalbrains.com Sat Jan 28 22:37:22 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Sat, 28 Jan 2017 22:37:22 +0100
Subject: Trojan detected in Windows 10 Simple Installer for GnuPG Modern
In-Reply-To:
References:
Message-ID: <9444aa32-8917-827d-36d8-58da4779b9a4@digitalbrains.com>

On 27/01/17 21:56, Jacob Lyles wrote:
> GnuPG download: gnupg-w32-2.1.18_20179123.exe
> (sha256 1FD01E24F65465DFD075B8AD55A58EAEE13E79C02C42096C325A7CCF5A1EB283) "Simple
> installer for GnuPG modern"

This is indeed truly the file signed by Werner's dist sig key:

$ gpg2 --verify gnupg-w32-2.1.18_20170123.exe{.sig,}
gpg: Signature made Mon 23 Jan 2017 22:12:23 CET
gpg:                using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpg: Good signature from "Werner Koch (dist sig)" [full]
gpg: werner koch (dist sig): Verified 1 signature in the past 5 minutes, and encrypted 0 messages.
$ sha256sum gnupg-w32-2.1.18_20170123.exe
1fd01e24f65465dfd075b8ad55a58eaee13e79c02c42096c325a7ccf5a1eb283 gnupg-w32-2.1.18_20170123.exe

(albeit that you accidentally typed a 9 in the date in the filename)

I suspect it's a false positive, but somebody else will need to check.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
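
The two checks used in this thread (the SHA-256 comparison and `gpg2 --verify` against the dist sig key) combined into one script, as an added example that is not part of any message above and is not GnuPG project code. It goes one step beyond the thread by reading gpg's `--status-fd` output and pinning the fingerprint that the `gpg2 --verify` run above printed; the function names and the sample status lines are constructed for illustration.

```python
"""Release verification: SHA-256 digest plus a detached OpenPGP signature
made by one pinned key. Added example, not GnuPG project code."""
import hashlib
import subprocess

# Fingerprint gpg2 reported for the dist sig key in the message above.
PINNED_FPR = "D8692123C4065DEA5E0F3AB5249B39D24F25E3B6"

# --status-fd keywords that mean the signature must be rejected.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def normalize_hex(value):
    """Drop whitespace and case so the digests posted in the thread
    (upper case in one message, lower case in another) compare equal."""
    return "".join(value.split()).lower()


def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a large installer is never read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def digest_matches(path, expected_hex):
    return sha256_file(path) == normalize_hex(expected_hex)


def signature_ok(status_text, pinned_fpr=PINNED_FPR):
    """Accept only if every signature is a VALIDSIG from the pinned key.

    "Good signature" alone proves that some key in the keyring signed the
    file; comparing the VALIDSIG fingerprint proves which key did.
    """
    pinned = normalize_hex(pinned_fpr)
    signers = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in REJECT:
            return False
        if fields[1] == "VALIDSIG" and len(fields) > 2:
            # fields[2]: key that made the signature; fields[11]: its primary key.
            fprs = {normalize_hex(fields[2])}
            if len(fields) > 11:
                fprs.add(normalize_hex(fields[11]))
            signers.append(fprs)
    return bool(signers) and all(pinned in fprs for fprs in signers)


def verify_release(path, sig_path, expected_sha256, gpg="gpg2"):
    """Digest check first, then gpg --verify with machine-readable status."""
    if not digest_matches(path, expected_sha256):
        return False
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
        universal_newlines=True)
    return proc.returncode == 0 and signature_ok(proc.stdout)


# Constructed status output (not captured from a real run), laid out the way
# GnuPG's doc/DETAILS describes GOODSIG, VALIDSIG and BADSIG lines.
SAMPLE_PINNED = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 249B39D24F25E3B6 Werner Koch (dist sig)\n"
    "[GNUPG:] VALIDSIG D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 2017-01-23 "
    "1485205943 0 4 0 1 8 00 D8692123C4065DEA5E0F3AB5249B39D24F25E3B6\n"
)
SAMPLE_OTHER_KEY = (
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Other Signer\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2017-01-23 "
    "1485205943 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
)
SAMPLE_BAD = "[GNUPG:] BADSIG 249B39D24F25E3B6 Werner Koch (dist sig)\n"

if __name__ == "__main__":
    for name, text in [("pinned key", SAMPLE_PINNED),
                       ("other key", SAMPLE_OTHER_KEY),
                       ("bad signature", SAMPLE_BAD)]:
        print(name, "->", "accept" if signature_ok(text) else "reject")
```

A matching digest only shows that the download equals the file the digest was computed from; the signature check against the pinned fingerprint is what ties it to the release key. Neither result says anything about whether an antivirus detection is a false positive.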

From xinayder at airmail.cc Sat Jan 28 23:11:26 2017
From: xinayder at airmail.cc (Alexandre Oliveira)
Date: Sat, 28 Jan 2017 20:11:26 -0200
Subject: Trojan detected in Windows 10 Simple Installer for GnuPG Modern
In-Reply-To: <4f820d04-b716-a14c-4373-eb875948be69@gmail.com>
References: <4f820d04-b716-a14c-4373-eb875948be69@gmail.com>
Message-ID: <0922c479-e4a8-c5a4-a3b9-c2343be44896@airmail.cc>

On 28/01/2017 19:37, Juan Miguel Navarro Martínez wrote:
> I've just downloaded the same file:
>
> C:\Users\MyUser\Downloads>..\Desktop\portable\sha256sum.exe
> gnupg-w32-2.1.18_20170123.exe
> 1fd01e24f65465dfd075b8ad55a58eaee13e79c02c42096c325a7ccf5a1eb283
> *gnupg-w32-2.1.18_20170123.exe
>
> ... and Avast didn't detect it as malicious, also 0 / 56 detections from
> VirusTotal.com[1]
>
>
> I can't test it on Defender as it's disabled by Avast, but most likely
> it is a false positive.
>
> I'll try using a W10 machine.
>
>
> [1]:
> https://www.virustotal.com/es/file/1fd01e24f65465dfd075b8ad55a58eaee13e79c02c42096c325a7ccf5a1eb283/analysis/1485639002/
>

It must be a false positive. I just downloaded the same file, I'm running Windows 10 and my AV software (Malwarebytes) didn't complain about it.

--
Alexandre Oliveira
167F D82F 514A E8D1 2E9E C62D 1B63 9D4A 7E9D DA9D

From caro at nymph.paranoici.org Sun Jan 29 06:27:40 2017
From: caro at nymph.paranoici.org (Carola Grunwald)
Date: Sun, 29 Jan 2017 05:27:40 +0000 (UTC)
Subject: How to prevent passphrase caching in 2.1
References: <20161120211814.CDD7C100A216@remailer.paranoici.org> <87fumlnpro.fsf@wheatstone.g10code.de> <915f84a9-2b95-75eb-3ffa-d79f8ae5d000@digitalbrains.com> <20161123022836.845501032265@remailer.paranoici.org> <87d1hifark.fsf@wheatstone.g10code.de> <20161127171555.A1137100B022@remailer.paranoici.org> <947121270.20161229123703@riseup.net>
Message-ID: <20170129052740.CECA5103224A@remailer.paranoici.org>

On Thu, 29 Dec 2016 12:37:03 +0000, MFPA <2014-667rhzu3dc-lists-groups at riseup.net> wrote:

>On Sunday 27 November 2016 at 5:15:55 PM, in
>, Carola
>Grunwald wrote:-
>
>
>> But no, unfortunately it's a Windows server
>> application with GnuPG, Tor,
>> Mixmaster and Hamster embedded. And in a server
>> environment it's
>> problematic to switch system time back and forth,
>
>
>Have you tried RunAsDate?
>
>
> "RunAsDate intercepts the kernel API calls that returns the
> current date and time (GetSystemTime, GetLocalTime,
> GetSystemTimeAsFileTime), and replaces the current date/time with
> the date/time that you specify."
>
>
>(Note: I originally sent this reply a month ago, but I just noticed my
>email provider had refused it "due to content violation". It turns out
>they do not like the URL you will now get as the first search result
>on the search URL I have substituted above.)

Many thanks for the hint, but unfortunately it doesn't influence GnuPG's time retrieval.

| runasdate.exe /immediate 10\10\2016 00:00:00 gpg.exe ... --clearsign ...

still signs with the host system's timestamp.

Thanks anyway! And please excuse the late response, as I didn't have much time lately to care about that project.

Kind regards

Caro

From marko.bauhardt at mailbox.org Sun Jan 29 11:39:25 2017
From: marko.bauhardt at mailbox.org (Marko Bauhardt)
Date: Sun, 29 Jan 2017 11:39:25 +0100
Subject: Expired GPG key for ssh authentication
Message-ID: <970B17F7-B6C1-46F6-8233-61E370FB85E6@mailbox.org>

Hi,
I'm using gpg 2.0.30. I have a keyring which contains a subkey which is there for authentication only. I'm using `monkeysphere s` to add this key to my ssh-agent. Using `ssh-add -L` to get the public ssh key representation to be able to add the key to my `.ssh/authorized_keys` file on the server. Everything works.

But i configured my subkey to expire after one year.

Now one year later. My ssh subkey is expired. But i'm still able to login into my ssh-server.
My assumption was that i can use this subkey only if this key is valid. Is the expired key working because i'm using the ssh-agent instead of the gpg-agent?

Any idea or comment?

---
Marko Bauhardt
marko.bauhardt at mailbox.org
Key ID: 53192101
Fingerprint: DC0F E851 82A3 72E3 7FE1 ACDB 970C FD47 5319 2101

From andrewg at andrewg.com Sun Jan 29 15:18:08 2017
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Sun, 29 Jan 2017 14:18:08 +0000
Subject: Expired GPG key for ssh authentication
In-Reply-To: <970B17F7-B6C1-46F6-8233-61E370FB85E6@mailbox.org>
References: <970B17F7-B6C1-46F6-8233-61E370FB85E6@mailbox.org>
Message-ID: <8FBCEB00-6BE2-4213-96E3-AFDFF21B76A5@andrewg.com>

> On 29 Jan 2017, at 10:39, Marko Bauhardt wrote:
>
> Now one year later. My ssh subkey is expired. But i'm still able to login into my ssh-server.
> My assumption was that i can use this subkey only if this key is valid. Is the expired key working because i'm using the ssh-agent instead of the gpg-agent?

It is still working because the remote ssh server has no concept of key expiry. When you converted your auth subkey to ssh format you stripped all the expiry info from it. (There is the related problem of your client offering the expired key to the server, but this is relatively harmless).

If you want your ssh key to stop working when the auth subkey expires, you need to make sure to run monkeysphere on a regular basis (cron) on the remote server, to refresh the authorized_keys and thereby overwrite any ssh keys associated with expired pgp keys. Ssh keys themselves do not expire.

See: http://web.monkeysphere.info/doc/ssh-user-authentication/

Andrew.

From marko.bauhardt at mailbox.org Sun Jan 29 18:28:37 2017
From: marko.bauhardt at mailbox.org (Marko Bauhardt)
Date: Sun, 29 Jan 2017 18:28:37 +0100
Subject: Expired GPG key for ssh authentication
In-Reply-To: <8FBCEB00-6BE2-4213-96E3-AFDFF21B76A5@andrewg.com>
References: <970B17F7-B6C1-46F6-8233-61E370FB85E6@mailbox.org> <8FBCEB00-6BE2-4213-96E3-AFDFF21B76A5@andrewg.com>
Message-ID: <871A4711-A73D-4A5A-AE93-CB104473E41C@mailbox.org>

> On 29 Jan 2017, at 15:18, Andrew Gallagher wrote:
>
> > On 29 Jan 2017, at 10:39, Marko Bauhardt > wrote:
>
>> Now one year later. My ssh subkey is expired. But i'm still able to login into my ssh-server.
>> My assumption was that i can use this subkey only if this key is valid. Is the expired key working because i'm using the ssh-agent instead of the gpg-agent?
>
> It is still working because the remote ssh server has no concept of key expiry. When you converted your auth subkey to ssh format you stripped all the expiry info from it. (There is the related problem of your client offering the expired key to the server, but this is relatively harmless).
>
> If you want your ssh key to stop working when the auth subkey expires, you need to make sure to run monkeysphere on a regular basis (cron) on the remote server, to refresh the authorized_keys and thereby overwrite any ssh keys associated with expired pgp keys. Ssh keys themselves do not expire.
>
> See: http://web.monkeysphere.info/doc/ssh-user-authentication/

Thank you Andrew. Makes sense

Marko

From rsv869 at runbox.com Mon Jan 30 04:04:47 2017
From: rsv869 at runbox.com (Reid Vail)
Date: Sun, 29 Jan 2017 22:04:47 -0500
Subject: I'm confused about GPG, and it's confused about me
In-Reply-To:
References: <20170123164822.62EA3200CE@smtp.hushmail.com> <20170123203618.6E01EE04E5@smtp.hushmail.com> <20170126212532.68033ed4@rsv2-Serval-Pro>
Message-ID: <20170129220447.5bdf13f9@rsv2-Serval-Pro>

On Fri, 27 Jan 2017 14:16:15 +0100
Peter Lebbing wrote:

> Whoops, left out part of my answer.
>
> On 27/01/17 03:25, Reid Vail wrote:
> > When I
> > used Seahorse and tried to create a new keypair it never seemed to complete. I know
> > wants random input and keystrokes to help create the keys. Tried it several times
> > but it never succeeded. I also tried GPA and ran it with the same intent, executed
> > all kinds of activity to generate random data. The progress bar in the Generating
> > Key box completed but I never saw a message that said it completed successfully, and
> > the new key (if it ever did complete) never showed in the Key Manager screen.
>
> I'm sorry to hear you are having such trouble getting it to work! That's
> a pretty bad first user experience.
>
> Are you doing this on a virtual machine? Certain virtual machine
> deployments have trouble gathering randomness, which prevents generating
> keys. Other than that, these programs should just have worked. Odd...
>
> > I figured I
> > could manually use that new key to sign the public key was trying send to, which is
> > the goal.
>
> I don't fully understand. Are you trying to send someone else an
> encrypted document, and are you encountering the situation that GnuPG is
> warning you that there is no indication that the key belongs to the
> recipient?
>
> Peter.
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at
>

Thanks very much for your reply, and I completely agree it will be simpler to outline what I'm trying to do.

It's just this: I have two email addresses. I'm to send an encrypted message from my gmail address to my runbox address just to test and to make sure I understand the steps, and to be sure I have the right tools loaded.

I believe I got turned around because of my really flawed understanding of the exporting, importing and signing requirements (and because it gets convoluted when it's your own addresses you're working with), and because some of the GUI tools I have loaded on my Linuxmint 18 KDE implementation aren't working right.

Here's the output from gpg -K ... Since there are duplicates it might be best to delete them all and start again, with a closer read of the manual.

rsv2 at rsv2-Serval-Pro ~ $ gpg -K
/home/rsv2/.gnupg/secring.gpg
-----------------------------
sec   2048R/26F66FEB 2016-11-09
uid                  Reid Vail
ssb   2048R/14C2E935 2016-11-09

sec   3072R/709C5420 2016-11-10
uid                  Reid-Gmail
ssb   3072R/A284EB64 2016-11-10

sec   2048R/A780EFF6 2017-01-17
uid                  Reid Vail (runbox)
ssb   2048R/1ED8FE07 2017-01-17

sec   2048R/23FFE4EF 2015-10-04
uid                  Reid Vail
ssb   2048R/385F695B 2015-10-04

sec   2048R/044D3458 2017-01-24
uid                  reid s. vail (GMAIL 1-23)
ssb   2048R/6A4EDEAB 2017-01-24

Reid

From glenn at rempe.us Mon Jan 30 07:54:27 2017
From: glenn at rempe.us (Glenn Rempe)
Date: Sun, 29 Jan 2017 22:54:27 -0800
Subject: gnupg website
In-Reply-To: <20170126191557.GA1568@vehent.org>
References: <9520907a-aae0-26bc-3224-0ef393cb58e0@web.de> <87mvef5xog.fsf@wheatstone.g10code.de> <8beb8ed6-9582-8f34-7e24-9d200932d88d@digitalbrains.com> <287c7c87-2391-8203-52cd-0a7a865c03db@web.de> <75760e50-f70b-586d-93fb-af86056a983e@andrewg.com> <20170126191557.GA1568@vehent.org>
Message-ID: <40a5598f-cb21-678b-2ad1-c17dd9ce1325@rempe.us>

Werner,

Is there a plan to take action on this TLS issue that Julien and I have written about? I believe all Safari and iOS users are excluded from gnupg.org without action on the TLS setup.

Cheers

On 1/26/17 11:15 AM, Julien Vehent wrote:
> Hello,
>
> I'm the maintainer of the Server Side TLS guidelines at Mozilla.
> I'm happy to help with the HTTPS setup of gnupg.org in any way I
> can.
>
> Here's the configuration currently measured by the TLS
> Observatory, along with some recommendations to reach Modern
> level.
>
> --- Ciphers Evaluation ---
> prio cipher             protocols             pfs         curves
> 1    DHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,2048bits
> 2    DHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 DH,2048bits
> 3    DES-CBC3-SHA       TLSv1,TLSv1.1,TLSv1.2 None
> OCSP Stapling        false
> Server Side Ordering true
> Curves Fallback      false
>
> --- Analyzers ---
> * Mozilla evaluation: intermediate
>   - for modern level: remove ciphersuites DHE-RSA-AES128-SHA, DHE-RSA-AES256-SHA, DES-CBC3-SHA
>   - for modern level: consider adding ciphers ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES128-SHA256
>   - for modern level: remove protocols TLSv1, TLSv1.1
>   - for modern level: consider enabling OCSP stapling
>   - for modern level: enable Perfect Forward Secrecy with a curve of at least 256bits, don't use DHE
>   - for modern level: use a certificate of type ecdsa, not RSA
>
> Hope this helps, Julien
>
> On Thu 26.Jan'17 at 10:48:28 -0800, Glenn Rempe wrote:
>> Werner, you (or anyone setting up a web server themselves
>> really) might also find this config generator from Mozilla
>> helpful as a shortcut in creating what is considered a modern web
>> server config for TLS.
>>
>> https://mozilla.github.io/server-side-tls/ssl-config-generator/
>>
>> https://wiki.mozilla.org/Security/Server_Side_TLS
>>
>> This config may not apply to gnupg.org directly since its not
>> clear what web server you are running. In any case it will tell
>> you which suites you are recommended to support for modern(ish)
>> browsers.
>>
>> I would also note that there is room for improvement regarding
>> the security headers the gnupg.org sends with its content.
>>
>> https://securityheaders.io/?q=gnupg.org&followRedirects=on
>>
>> You are using HSTS, which is generally very good, but in this
>> case it forcibly breaks users experience since it requires me to
>> connect with TLS but that is not possible since you are not
>> advertising a TLS suite that shares common ground with my browser
>> (or millions of other potential visitors).
>>
>> Cheers.
>>
>> On 1/26/17 3:49 AM, Andrew Gallagher wrote:
>>> On 26/01/17 00:16, Andrew Gallagher wrote:
>>>>
>>>> gnupg.org *does* keep 3DES at the end of the supported
>>>> suites, so surely it should not be affected. I'm tempted to
>>>> write this off as a mistake by ssllabs.
>>>
>>> I've spoken to ssllabs and it appears that this was an
>>> ambiguity in the wording of their blog post. That means the
>>> downgrade to C next month is legit - not because 3DES is
>>> present, but because 3DES is present *and* GCM is absent.
>>>
>>> What both this and Glenn's Apple issue have in common is the
>>> lack of ECDHE+GCM suites in the cipher list. I generally use
>>> the following config in Apache:
>>>
>>> SSLCipherSuite \
>>>   "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
>>>   EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 \
>>>   EECDH EDH+AESGCM EDH+aRSA +3DES 3DES \
>>>   !aNULL !eNULL !LOW !EXP !MD5 !KRB5 !PSK !SRP !DSS !SEED !RC4"
>>>
>>> This uses all HIGH suites in a sensible order but still falls
>>> back to 3DES for XP compatibility. When retiring 3DES this
>>> simplifies to:
>>>
>>> SSLCipherSuite \
>>>   "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
>>>   EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 \
>>>   EECDH EDH+AESGCM EDH+aRSA !MEDIUM !LOW !aNULL !eNULL !PSK"
>>>
>>> Andrew.

From peter at digitalbrains.com Mon Jan 30 10:46:14 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Mon, 30 Jan 2017 10:46:14 +0100
Subject: gnupg website
In-Reply-To: <00e601d27804$ccd74cf0$6685e6d0$@sixdemonbag.org>
References: <9520907a-aae0-26bc-3224-0ef393cb58e0@web.de> <87mvef5xog.fsf@wheatstone.g10code.de> <2cb24605-08f9-2212-6dfd-0f3894b8637b@incenp.org> <002c01d27756$6b0cf5f0$4126e1d0$@sixdemonbag.org> <003a01d2775a$fd5b5970$f8120c50$@sixdemonbag.org> <878tpxda66.fsf@wheatstone.g10code.de> <00e601d27804$ccd74cf0$6685e6d0$@sixdemonbag.org>
Message-ID:

On 26/01/17 19:48, Robert J. Hansen wrote:
> The 256GiB limitation (2**32 blocks of 2**6 bytes = 2**38 bytes; 2**30 is a
> gibibyte, 2**8 is 256, hence, 256 GiB)

It just occurred to me that it seems you're conflating bits and bytes.
Doesn't a 64-bit-block cipher operate on 2**3 rather than 2**6 bytes? That
would make it 2**35 bytes or 32 GiB. It would be 256 gibibit rather than
gibibyte.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From richard.hoechenberger at gmail.com Mon Jan 30 09:43:50 2017
From: richard.hoechenberger at gmail.com (Richard Höchenberger)
Date: Mon, 30 Jan 2017 09:43:50 +0100
Subject: gnupg website
In-Reply-To: <40a5598f-cb21-678b-2ad1-c17dd9ce1325@rempe.us>
References: <9520907a-aae0-26bc-3224-0ef393cb58e0@web.de> <87mvef5xog.fsf@wheatstone.g10code.de> <8beb8ed6-9582-8f34-7e24-9d200932d88d@digitalbrains.com> <287c7c87-2391-8203-52cd-0a7a865c03db@web.de> <75760e50-f70b-586d-93fb-af86056a983e@andrewg.com> <20170126191557.GA1568@vehent.org> <40a5598f-cb21-678b-2ad1-c17dd9ce1325@rempe.us>
Message-ID:

Hi,

On Mon, Jan 30, 2017 at 7:54 AM, Glenn Rempe wrote:
> I believe all Safari and iOS users are excluded from
> gnupg.org without action on the TLS setup.
>

I can confirm that Safari won't open https://gnupg.org/ on macOS 10.12.3.
Very frustrating indeed!

Best,
Richard

From peter at digitalbrains.com Mon Jan 30 11:48:46 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Mon, 30 Jan 2017 11:48:46 +0100
Subject: I'm confused about GPG, and it's confused about me
In-Reply-To: <20170129220447.5bdf13f9@rsv2-Serval-Pro>
References: <20170123164822.62EA3200CE@smtp.hushmail.com> <20170123203618.6E01EE04E5@smtp.hushmail.com> <20170126212532.68033ed4@rsv2-Serval-Pro> <20170129220447.5bdf13f9@rsv2-Serval-Pro>
Message-ID:

First off, two questions:

Why are you using GnuPG 1.4 by the way? It's generally only recommended for
server deployments rather than end-users. For desktop use, 2.0 and 2.1 are
often a better choice.

And are you sure GnuPG 1.4 is the only GnuPG on your system?
1.4 and 2.0 will happily work together, but 2.1 doesn't combine well with 1.4.
If some of the tools you use actually use 2.1 and others use 1.4, confusion
may arise.

Often, GnuPG 1.4 will nonetheless be installed on your Linux system. For
instance, the package manager might use it to verify the signatures on the
package lists of your distribution. This is another use case for 1.4: not for
the people with user accounts but for the system itself.

On 30/01/17 04:04, Reid Vail wrote:
> I have two email addresses. I'm to send an encrypted message from my gmail
> address to my runbox address just to test and to make sure I understand the steps,
> and to be sure I have the right tools loaded.

If you don't have anything worthwhile in your GnuPG installation, you could
radically start anew by just

$ cd ~
$ rm -r .gnupg

From the command line, you would create a key with

$ gpg --gen-key

and follow the prompts. In your setup, you would do it twice, once for both
e-mail addresses. However, note that you could also create one key and
associate both e-mail addresses with that one key. Many people have one key to
rule them all, with as many associated identities as they like.

A lot can be said on key expiry and revocation certificates. I'm going to be
brief and without justification recommend a key expiry of 2 years and
generating and keeping safe a revocation certificate with for example:

$ gpg -o revoc.asc --gen-revoke [KEYID]

Give no reason and no comment, since you don't know right now why you might
use it in the future.

If you generated a key, it will just be available on your keyring and already
be valid. Trust needs to anchor somewhere, there has to be some initial step
where you simply state "this is trusted". For OpenPGP, that's on your own
keys. With GnuPG, this is done by assigning "ultimate" ownertrust to keys
(here, your own keys). So you don't need to sign your own keys if it is just
for your own consumption.
You could still sign your own keys with your other own keys to indicate to
other people that you are saying you are really you. (You have to love the
sentences you get when talking about your multiple disjoint identities! :-)

If however you need to spread your own keys to several of your own systems,
you'd use

$ gpg -o my_sec.gpg --export-secret-key [KEYID]

then transfer my_sec.gpg to the second system and there:

$ gpg --import my_sec.gpg

followed by (this is important):

$ gpg --edit-key [KEYID] trust

and assigning ultimate trust to the imported key. GnuPG does this
automatically for keys /created/, not for keys /imported/. In general, do this
just for your own keys.

If you will habitually use one key and only incidentally the other, you'd put
the following in your gpg.conf:

default-key [KEYID]

This will tell GnuPG that of the several private keys, it should use that one
to make signatures. If you have only one private key (even if it has multiple
associated identities, one for GMail, one for Runbox), you do not need this.

To encrypt to your GMail account from the command-line, do:

$ echo Hi to myself >test.txt
$ gpg -r rsv869 at gmail.com -e test.txt

You now have an encrypted file test.txt.gpg. You are not prompted for a
passphrase since this is a public-key-only operation: it just needs the public
key of rsv869 at gmail.com, which is not encrypted data. However, if you also
want to sign with rsv869 at runbox.com, you'd do:

$ gpg -u rsv869 at runbox.com -r rsv869 at gmail.com -se test.txt

Now it will ask for a passphrase since you are signing it with the Runbox key.
If you had the Runbox key as a default-key in gpg.conf, you could simply do:

$ gpg -r rsv869 at gmail.com -se test.txt

If there is a default-key in gpg.conf but you wish to sign using the other
this time, use the -u [KEYID] to choose which key to sign with.

To decrypt this file, you'd do:

$ gpg test.txt.gpg

which will prompt for the GMail key passphrase because that is the key it was
encrypted to.
It will deliver a file called test.txt, and if it was signed, it'll say so in
the output.

Hopefully this helps you get started a bit. Note that if you decide you want
one key with both e-mail accounts associated, you would add the second
identity with:

$ gpg --edit-key [KEYID] adduid

You can just encrypt to yourself even with just one key, but if you want, you
can also send me an encrypted mail off-list and I will tell you whether it
could be decrypted or not.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From wk at gnupg.org Mon Jan 30 11:56:01 2017
From: wk at gnupg.org (Werner Koch)
Date: Mon, 30 Jan 2017 11:56:01 +0100
Subject: gnupg website
In-Reply-To: <40a5598f-cb21-678b-2ad1-c17dd9ce1325@rempe.us> (Glenn Rempe's message of "Sun, 29 Jan 2017 22:54:27 -0800")
References: <9520907a-aae0-26bc-3224-0ef393cb58e0@web.de> <87mvef5xog.fsf@wheatstone.g10code.de> <8beb8ed6-9582-8f34-7e24-9d200932d88d@digitalbrains.com> <287c7c87-2391-8203-52cd-0a7a865c03db@web.de> <75760e50-f70b-586d-93fb-af86056a983e@andrewg.com> <20170126191557.GA1568@vehent.org> <40a5598f-cb21-678b-2ad1-c17dd9ce1325@rempe.us>
Message-ID: <87a8a86cla.fsf@wheatstone.g10code.de>

On Mon, 30 Jan 2017 07:54, glenn at rempe.us said:

> Is there a plan to take action on this TLS issue that Julien and I have
> written about? I believe all Safari and iOS users are excluded from

I am working on that. But please give me a few days. I want to align
the patched version of pound, which we are running as web frontend, to
be aligned with the next Debian version.

Thanks for all the hints.


Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
From rjh at sixdemonbag.org Mon Jan 30 14:36:47 2017
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 30 Jan 2017 08:36:47 -0500
Subject: gnupg website
In-Reply-To:
References: <9520907a-aae0-26bc-3224-0ef393cb58e0@web.de> <87mvef5xog.fsf@wheatstone.g10code.de> <2cb24605-08f9-2212-6dfd-0f3894b8637b@incenp.org> <002c01d27756$6b0cf5f0$4126e1d0$@sixdemonbag.org> <003a01d2775a$fd5b5970$f8120c50$@sixdemonbag.org> <878tpxda66.fsf@wheatstone.g10code.de> <00e601d27804$ccd74cf0$6685e6d0$@sixdemonbag.org>
Message-ID: <1122baf8-bcf6-860a-d6a5-5e51abe8c010@sixdemonbag.org>

> It just occurred to me that it seems you're conflating bits and bytes.
> Doesn't a 64-bit-block cipher operate on 2**3 rather than 2**6 bytes?

*coughs* Yes. My bad.

From wk at gnupg.org Mon Jan 30 18:22:46 2017
From: wk at gnupg.org (Werner Koch)
Date: Mon, 30 Jan 2017 18:22:46 +0100
Subject: gnupg website
In-Reply-To: <87a8a86cla.fsf@wheatstone.g10code.de> (Werner Koch's message of "Mon, 30 Jan 2017 11:56:01 +0100")
References: <9520907a-aae0-26bc-3224-0ef393cb58e0@web.de> <87mvef5xog.fsf@wheatstone.g10code.de> <8beb8ed6-9582-8f34-7e24-9d200932d88d@digitalbrains.com> <287c7c87-2391-8203-52cd-0a7a865c03db@web.de> <75760e50-f70b-586d-93fb-af86056a983e@andrewg.com> <20170126191557.GA1568@vehent.org> <40a5598f-cb21-678b-2ad1-c17dd9ce1325@rempe.us> <87a8a86cla.fsf@wheatstone.g10code.de>
Message-ID: <8737g05uop.fsf@wheatstone.g10code.de>

On Mon, 30 Jan 2017 11:56, wk at gnupg.org said:

> I am working on that. But please give me a few days. I want to align

Time warp: All servers updated. Ssllabs rating is now A+ (respective A
for those without HSTS). The used pound version can be found at
git.gnupg.org.

Hope that helps the Sierras


Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
From andrewg at andrewg.com Mon Jan 30 18:35:33 2017
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Mon, 30 Jan 2017 17:35:33 +0000
Subject: gnupg website
In-Reply-To: <8737g05uop.fsf@wheatstone.g10code.de>
References: <9520907a-aae0-26bc-3224-0ef393cb58e0@web.de> <87mvef5xog.fsf@wheatstone.g10code.de> <8beb8ed6-9582-8f34-7e24-9d200932d88d@digitalbrains.com> <287c7c87-2391-8203-52cd-0a7a865c03db@web.de> <75760e50-f70b-586d-93fb-af86056a983e@andrewg.com> <20170126191557.GA1568@vehent.org> <40a5598f-cb21-678b-2ad1-c17dd9ce1325@rempe.us> <87a8a86cla.fsf@wheatstone.g10code.de> <8737g05uop.fsf@wheatstone.g10code.de>
Message-ID: <1cbc244d-d09a-f264-b16a-3f04f0fb5819@andrewg.com>

On 30/01/17 17:22, Werner Koch wrote:
> Time warp: All servers updated.

I can confirm it works on the latest iOS.

Andrew.

From glenn at rempe.us Mon Jan 30 20:13:15 2017
From: glenn at rempe.us (Glenn Rempe)
Date: Mon, 30 Jan 2017 11:13:15 -0800
Subject: gnupg website
In-Reply-To: <8737g05uop.fsf@wheatstone.g10code.de>
References: <9520907a-aae0-26bc-3224-0ef393cb58e0@web.de> <87mvef5xog.fsf@wheatstone.g10code.de> <8beb8ed6-9582-8f34-7e24-9d200932d88d@digitalbrains.com> <287c7c87-2391-8203-52cd-0a7a865c03db@web.de> <75760e50-f70b-586d-93fb-af86056a983e@andrewg.com> <20170126191557.GA1568@vehent.org> <40a5598f-cb21-678b-2ad1-c17dd9ce1325@rempe.us> <87a8a86cla.fsf@wheatstone.g10code.de> <8737g05uop.fsf@wheatstone.g10code.de>
Message-ID: <1033fd1a-8b58-3298-a8f4-ac1e70f06790@rempe.us>

Awesome! Works perfectly now. Tested on macOS (Sierra) Safari and
current iOS Safari.
Congrats on your A+ at SSLlabs

https://www.ssllabs.com/ssltest/analyze.html?d=gnupg.org&s=217.69.76.60

I would suggest you also look at doing HSTS browser preload now that
you have long duration HSTS and a good modern TLS suite. It would
require being applied to sub-domains as well I think which you may or
may not be able to do.

You can test (and register for it) here:

https://hstspreload.org/?domain=gnupg.org

Thanks for fixing this issue. It's been bugging me for months. :-)

Glenn

On 1/30/17 9:22 AM, Werner Koch wrote:
> On Mon, 30 Jan 2017 11:56, wk at gnupg.org said:
>
>> I am working on that. But please give me a few days. I want to
>> align
>
> Time warp: All servers updated. Ssllabs rating is now A+
> (respective A for those without HSTS). The used pound version
> can be found at git.gnupg.org.
>
> Hope that helps the Sierras
>
>
> Salam-Shalom,
>
> Werner
>

From ludwig at enigmail.net Mon Jan 30 19:39:30 2017
From: ludwig at enigmail.net (Ludwig Hügelschäfer)
Date: Mon, 30 Jan 2017 19:39:30 +0100
Subject: gnupg website
In-Reply-To: <8737g05uop.fsf@wheatstone.g10code.de>
References:
 <9520907a-aae0-26bc-3224-0ef393cb58e0@web.de> <87mvef5xog.fsf@wheatstone.g10code.de> <8beb8ed6-9582-8f34-7e24-9d200932d88d@digitalbrains.com> <287c7c87-2391-8203-52cd-0a7a865c03db@web.de> <75760e50-f70b-586d-93fb-af86056a983e@andrewg.com> <20170126191557.GA1568@vehent.org> <40a5598f-cb21-678b-2ad1-c17dd9ce1325@rempe.us> <87a8a86cla.fsf@wheatstone.g10code.de> <8737g05uop.fsf@wheatstone.g10code.de>
Message-ID:

On 30.01.17 18:22, Werner Koch wrote:

> Hope that helps the Sierras

It does :-) Thanks!

Ludwig

From sivmu at web.de Mon Jan 30 21:07:04 2017
From: sivmu at web.de (sivmu)
Date: Mon, 30 Jan 2017 21:07:04 +0100
Subject: gnupg website
In-Reply-To: <8737g05uop.fsf@wheatstone.g10code.de>
References: <9520907a-aae0-26bc-3224-0ef393cb58e0@web.de> <87mvef5xog.fsf@wheatstone.g10code.de> <8beb8ed6-9582-8f34-7e24-9d200932d88d@digitalbrains.com> <287c7c87-2391-8203-52cd-0a7a865c03db@web.de> <75760e50-f70b-586d-93fb-af86056a983e@andrewg.com> <20170126191557.GA1568@vehent.org> <40a5598f-cb21-678b-2ad1-c17dd9ce1325@rempe.us> <87a8a86cla.fsf@wheatstone.g10code.de> <8737g05uop.fsf@wheatstone.g10code.de>
Message-ID:
 <33935a34-0724-73aa-e7f8-cbecfefb6068@web.de>

On 30.01.2017 at 18:22, Werner Koch wrote:
> On Mon, 30 Jan 2017 11:56, wk at gnupg.org said:
>
>> I am working on that. But please give me a few days. I want to align
>
> Time warp: All servers updated. Ssllabs rating is now A+ (respective A
> for those without HSTS). The used pound version can be found at
> git.gnupg.org.
>
> Hope that helps the Sierras
>
>
> Salam-Shalom,
>
> Werner
>

Wow that was fast, thanks.

OCSP stapling is still missing though and I'm not sure NIST curves for
ECDHE are the way to go (would prefer DHE) but that's not a primary
concern I guess :)

From miro.rovis at croatiafidelis.hr Tue Jan 31 00:42:22 2017
From: miro.rovis at croatiafidelis.hr (Miroslav Rovis)
Date: Tue, 31 Jan 2017 00:42:22 +0100
Subject: ? Comments re key servers? re gpg-encrypted mail? re key servers carry many phony keys?
In-Reply-To: <97d82431-f4a5-d815-3f93-df8078aa93e8@gmail.com>
References: <5itw9prsds.fsf@fencepost.gnu.org> <6ac3703c-151e-f413-00b7-1996269c29ed@gmail.com> <20161228104343.GA19104@g0n.xdwgrp> <20161228122815.GA19720@g0n.xdwgrp> <97d82431-f4a5-d815-3f93-df8078aa93e8@gmail.com>
Message-ID: <20170130234222.GA14408@g0n.xdwgrp>

I'm reviving this end-of-last-year thread, because...

On 161228-15:42+0100, NdK wrote:
> On 28/12/2016 13:28, Miroslav Rovis wrote:
>
> >> The fact that Github, since this outgoing year, accept gpg signing only
> >> if you post your public key to their servers.
> I can't say for sure, but maybe that's so they can have an
> "attestation key" to use for verifying signatures, without expensive WoT
> checks. By loading your key, you're certifying it's yours. But it won't
> actually give any more assurance than "you is you" than your credentials
> (against GitHub): if someone steals your credentials, he can replace
> your pub key and sign new commits in your name. They're using GPG just
> as a frontend for signatures using self-signed certificates.
>
Notice this line below:
> BTW nothing prevents you from uploading your key to the keyservers and
It may not have been used by a repo that I'm interested in on github,
read on...
> participate in the WoT -- that's the only thing that could assure who
> clones your repo that *you* signed those commits.
...
> > Just some quick links in connection, for the less familiar.
> > For users (like me):
> > https://help.github.com/categories/gpg/

It's this repo, where the latest two tags are PGP-signed:
https://github.com/Synzvato/decentraleyes/tags

They are signed with the key below, and no matter how I tried:

gpg --keyserver hkp://pgp.mit.edu --recv-key CECC45E1E979013C
gpg --keyserver hkp://pool.sks-keyservers.net --recv-key CECC45E1E979013C

it appears that key is not on the usual keyservers. (Because I can get
other keys, but not that one. Is it uploaded only to github? Wrong, IMO,
if that is the case, and I'll open an issue with the repo to tell them so.)

Can anybody check if maybe they can get that key from the keyservers?

--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

From miro.rovis at croatiafidelis.hr Tue Jan 31 00:57:34 2017
From: miro.rovis at croatiafidelis.hr (Miroslav Rovis)
Date: Tue, 31 Jan 2017 00:57:34 +0100
Subject: ? Comments re key servers? re gpg-encrypted mail? re key servers carry many phony keys?
In-Reply-To: <20170130234222.GA14408@g0n.xdwgrp>
References: <5itw9prsds.fsf@fencepost.gnu.org> <6ac3703c-151e-f413-00b7-1996269c29ed@gmail.com> <20161228104343.GA19104@g0n.xdwgrp> <20161228122815.GA19720@g0n.xdwgrp> <97d82431-f4a5-d815-3f93-df8078aa93e8@gmail.com> <20170130234222.GA14408@g0n.xdwgrp>
Message-ID: <20170130235734.GA30378@g0n.xdwgrp>

This mail is already at:
https://lists.gnupg.org/pipermail/gnupg-users/2017-January/057582.html
( and this is a reply to:
Message-ID: <20170130234222.GA14408 at g0n.xdwgrp>
)
but when you serve with Microsoft... well, it's not very reliable
( 80% of Croatia is occupied by one provider and they serve mail and all
with IIS. Heaven fall on us from shame! )

On 170131-00:42+0100, Miroslav Rovis wrote:
...
> It's this repo, where the latest two tags are PGP-signed:
> https://github.com/Synzvato/decentraleyes/tags
>
...
> gpg --keyserver hkp://pgp.mit.edu --recv-key CECC45E1E979013C
> gpg --keyserver hkp://pool.sks-keyservers.net --recv-key CECC45E1E979013C
>
...
> Can anybody check if maybe they can get that key from the keyservers?

Sorry for the digression...

--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

From antony at blazrsoft.com Tue Jan 31 00:59:00 2017
From: antony at blazrsoft.com (antony at blazrsoft.com)
Date: Mon, 30 Jan 2017 18:59:00 -0500
Subject: ? Comments re key servers? re gpg-encrypted mail? re key servers carry many phony keys?
In-Reply-To: <20170130234222.GA14408@g0n.xdwgrp>
References: <5itw9prsds.fsf@fencepost.gnu.org> <6ac3703c-151e-f413-00b7-1996269c29ed@gmail.com> <20161228104343.GA19104@g0n.xdwgrp> <20161228122815.GA19720@g0n.xdwgrp> <97d82431-f4a5-d815-3f93-df8078aa93e8@gmail.com> <20170130234222.GA14408@g0n.xdwgrp>
Message-ID:

On January 30, 2017 6:42:22 PM EST, Miroslav Rovis wrote:
>I'm reviving this end-of-last-year thread, because...
>
>It's this repo, where the latest two tags are PGP-signed:
>https://github.com/Synzvato/decentraleyes/tags
>
>Can anybody check if maybe they can get that key from the keyservers?

It may be that they haven't uploaded their public key to any public
keyserver. You could message the maintainer and ask them for their public key
if you are interested in verifying their commits.

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

From miro.rovis at croatiafidelis.hr Tue Jan 31 01:20:33 2017
From: miro.rovis at croatiafidelis.hr (Miroslav Rovis)
Date: Tue, 31 Jan 2017 01:20:33 +0100
Subject: ? Comments re key servers? re gpg-encrypted mail? re key servers carry many phony keys?
In-Reply-To: <20170130234222.GA14408@g0n.xdwgrp>
References: <5itw9prsds.fsf@fencepost.gnu.org> <6ac3703c-151e-f413-00b7-1996269c29ed@gmail.com> <20161228104343.GA19104@g0n.xdwgrp> <20161228122815.GA19720@g0n.xdwgrp> <97d82431-f4a5-d815-3f93-df8078aa93e8@gmail.com> <20170130234222.GA14408@g0n.xdwgrp>
Message-ID: <20170131002033.GA12861@g0n.xdwgrp>

I also see the kind reply by Anthony at:
https://lists.gnupg.org/pipermail/gnupg-users/2017-January/057584.html
but it's not yet in my mailbox...

I must go to sleep, so I opened this issue with the repo:

PGP key not on (usual) keyservers #143
https://github.com/Synzvato/decentraleyes/issues/143

( BTW, looks like a fine addon. For Palemoon, but of course for Firefox as
well, if people haven't yet switched. )

On 170131-00:42+0100, Miroslav Rovis wrote:
> I'm reviving this end-of-last-year thread, because...
> It's this repo, where the latest two tags are PGP-signed:
> https://github.com/Synzvato/decentraleyes/tags
>
> They are signed with the key below, and no matter how I tried:
>
> gpg --keyserver hkp://pgp.mit.edu --recv-key CECC45E1E979013C
> gpg --keyserver hkp://pool.sks-keyservers.net --recv-key CECC45E1E979013C
>

Good night!

--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

From wk at gnupg.org Tue Jan 31 08:54:08 2017
From: wk at gnupg.org (Werner Koch)
Date: Tue, 31 Jan 2017 08:54:08 +0100
Subject: gnupg website
In-Reply-To: <1033fd1a-8b58-3298-a8f4-ac1e70f06790@rempe.us> (Glenn Rempe's message of "Mon, 30 Jan 2017 11:13:15 -0800")
References: <9520907a-aae0-26bc-3224-0ef393cb58e0@web.de> <87mvef5xog.fsf@wheatstone.g10code.de> <8beb8ed6-9582-8f34-7e24-9d200932d88d@digitalbrains.com> <287c7c87-2391-8203-52cd-0a7a865c03db@web.de> <75760e50-f70b-586d-93fb-af86056a983e@andrewg.com> <20170126191557.GA1568@vehent.org> <40a5598f-cb21-678b-2ad1-c17dd9ce1325@rempe.us> <87a8a86cla.fsf@wheatstone.g10code.de> <8737g05uop.fsf@wheatstone.g10code.de> <1033fd1a-8b58-3298-a8f4-ac1e70f06790@rempe.us>
Message-ID: <874m0f4qcf.fsf@wheatstone.g10code.de>

On Mon, 30 Jan 2017 20:13, glenn at rempe.us said:

> I would suggest you also look at doing HSTS browser preload now that
> you have long duration HSTS and a good modern TLS suite. It would

I considered this ...

> require being applied to sub-domains as well I think which you may or

but can't do that for this reason.


Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
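The preload requirement discussed in the exchange above (HSTS applied to sub-domains as well) can be checked mechanically from the Strict-Transport-Security header. The following is an added example, not code from the thread or from gnupg.org: it parses the header following RFC 6797 and applies preload criteria that are assumed here to be those published on hstspreload.org (max-age of at least one year, includeSubDomains, preload); the function names and the sample header values are constructed for illustration.

```python
import re

# Assumption: minimum max-age for preload submission, taken to be one year
# as published on hstspreload.org.
PRELOAD_MIN_MAX_AGE = 31536000

# RFC 7230 "token" characters, used for directive names.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).

    Returns {lower-cased directive name: value or None}, or None when the
    header breaks the grammar and a conforming browser would ignore it.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:                       # empty directives are permitted
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()        # directive names are case-insensitive
        if not _TOKEN.fullmatch(name):
            return None
        if name in directives:             # each directive may appear only once
            return None
        if sep:
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]        # quoted-string form of the value
        else:
            value = None
        directives[name] = value
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return None                        # max-age is required and numeric
    return directives


def preload_problems(header_value):
    """Return the reasons a header value does not meet the preload criteria."""
    directives = parse_hsts(header_value)
    if directives is None:
        return ["header is malformed or has no max-age; browsers ignore it"]
    problems = []
    if int(directives["max-age"]) < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age below %d seconds" % PRELOAD_MIN_MAX_AGE)
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains missing: policy covers this host only")
    if "preload" not in directives:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    # Constructed sample header values, not captured from any real server.
    samples = [
        "max-age=63072000",                              # host-only HSTS
        "max-age=63072000; includeSubDomains; preload",  # meets all criteria
        'Max-Age="31536000"; INCLUDESUBDOMAINS; preload',
        "max-age=10886400; includeSubDomains; preload",  # lifetime too short
        "max-age=63072000; max-age=0; includeSubDomains",
    ]
    for value in samples:
        print(value, "->", preload_problems(value) or "eligible")
```

A host that sends only `max-age` keeps a valid HSTS policy for itself; the two missing directives are what would extend the policy to every sub-domain.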
From marko.bauhardt at mailbox.org Tue Jan 31 14:13:52 2017
From: marko.bauhardt at mailbox.org (Marko Bauhardt)
Date: Tue, 31 Jan 2017 14:13:52 +0100
Subject: effect of revuid
Message-ID:

Hi,
what is the effect when delete a UID via `revuid` from a given key. My key is
still valid right? The uid's are only bound to a given key and can be
exchanged as much i want. right? Or are there some more effects?

The only effect i see is
* someone can not send an encrypted email to this email with that specific key
* i can not send a signed messages with that email and specific key

Can i still decrypt emails with my key sent to this revoked email?

thx
marko

---
Marko Bauhardt
marko.bauhardt at mailbox.org
PGP Key ID: 53192101
PGP Fingerprint: DC0F E851 82A3 72E3 7FE1 ACDB 970C FD47 5319 2101

From AliAjmi at bankmuscat.com Tue Jan 31 13:05:45 2017
From: AliAjmi at bankmuscat.com (Ali Hassan Hamed Al Ajmi (eChannels))
Date: Tue, 31 Jan 2017 12:05:45 +0000
Subject: GnuPG to create CSR
In-Reply-To: <87ziiuocz0.fsf@alice.fifthhorseman.net>
References: <1E46221211FBA6429BADC35084A32174CB9891@HO-EXMBX-01.bmoman.bankmuscat.com> <87ziiuocz0.fsf@alice.fifthhorseman.net>
Message-ID: <1E46221211FBA6429BADC35084A32174CCE149@HO-EXMBX-01.bmoman.bankmuscat.com>

Hi,

Thanks for your response, I have successfully created the CSR and send it to
internal CA (Microsoft CA) team. They sent me the certificate. I have used
Kleopatra UI to import the created certificate after save it in a file
(attaching sample file).

Using same Kleopatra UI, I have also imported root & intermediate certificates
for the CA.
looks like attached img(kleopatra.png):

When I tried to encrypt or sign any file, it shows this error (attached
error.png)

Is there anything wrong I have done? Or it is just because Kleopatra does not
support X.509 certificate created by Microsoft CA?

-----Original Message-----
From: Daniel Kahn Gillmor [mailto:dkg at fifthhorseman.net]
Sent: Saturday, January 14, 2017 1:41 AM
To: Ali Hassan Hamed Al Ajmi (eChannels) ; gnupg-users at gnupg.org
Subject: Re: GnuPG to create CSR

On Thu 2017-01-12 06:14:06 -0500, Ali Hassan Hamed Al Ajmi (eChannels) wrote:
> Hi,
>
> We are using GPG4win as files encryption tool which utilize "GnuPG"
> crypto engine. One of our requirements is to have certificate signed
> by our internal CA. since we have Microsoft CA, we need to create
> certification request that is compatible with Microsoft CA . Via
> gpg4win GUI, we are able to generate a X.509 keys CR (p10) that does
> not seem compatible with Microsoft CA.

When you say "does not seem compatible with Microsoft CA", i don't know what
that means. Is there a specific Microsoft CA product that you're using? can
you provide pointers to it? can you provide error messages, warnings, or
behaviors that indicate that the CSR you generated is incompatible? What
specific steps did you take with the Gpg4win gui to generate the CSR?

> Does "GnuPG" support creating CR (CSR) that is compatible with Microsoft CA (from command line/ other tools with GUI)?
> If Yes, how to generate a certification request that is compatible with Microsoft CA (CSR)?
> Can you please guide us to a manual /documentation where we will find such information.

If you want to use a command-line part of the GnuPG suite to create an X.509
CSR, the tool "gpgsm" should be capable of doing it. Use:

 gpgsm --gen-key

and follow the prompts. If it asks you "Create self-signed certificate?
(y/N)", you want to answer "N" (no) because you want the csr instead.
For example (this is not on windows, this is on a GNU/Linux machine, but it
should look similar to what you see in the windows cmd.exe shell:

0 dkg at alice:~$ gpgsm --gen-key
gpgsm (GnuPG) 2.1.17; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA
   (2) Existing key
   (3) Existing key from card
Your selection? 1
What keysize do you want? (2048)
Requested keysize is 2048 bits
Possible actions for a RSA key:
   (1) sign, encrypt
   (2) sign
   (3) encrypt
Your selection? 1
Enter the X.509 subject name: CN=bananas.example
Enter email addresses (end with an empty line):
>
Enter DNS names (optional; end with an empty line):
> bananas.example
> www.bananas.example
>
Enter URIs (optional; end with an empty line):
>
Create self-signed certificate? (y/N)
These parameters are used:
    Key-Type: RSA
    Key-Length: 2048
    Key-Usage: sign, encrypt
    Name-DN: CN=bananas.example
    Name-DNS: bananas.example
    Name-DNS: www.bananas.example

Proceed with creation? (y/N) y
Now creating certificate request. This may take a while ...
gpgsm: about to sign the CSR for key: &C6962BE32BF3CA7C3207BCECC0FC1CD3C24CC2E7
gpgsm: certificate request created
Ready. You should now send this request to your CA.
0 dkg at alice:$

Then you'd copy/paste the stuff between the "-----BEGIN CERTIFICATE
REQUEST-----" and "-----END CERTIFICATE REQUEST-----" lines (including those
lines as well) into a file that you can import into your CA.

make sense?

 --dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: certnewali.cer
Type: application/pkix-cert
Size: 1962 bytes
Desc: certnewali.cer
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: kleopatra.png
Type: image/png
Size: 42001 bytes
Desc: kleopatra.png
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: error.png
Type: image/png
Size: 62557 bytes
Desc: error.png
URL: