<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Dear Forum,<br>
<br>
GNUPG Users Digest is nearly flooding my mailbox with exchanges
about the WoT and keyserver issues. <br>
<br>
A simple user (me) needs to know how one could make adaptations in
the settings of GPA or Kleopatra. I would expect instructions here:<br>
<a class="moz-txt-link-freetext" href="https://kde.org/applications/utilities/org.kde.kleopatra">https://kde.org/applications/utilities/org.kde.kleopatra</a><br>
<a class="moz-txt-link-abbreviated" href="http://www.gnupg.org/related_software/gpa/">www.gnupg.org/related_software/gpa/</a><br>
or perhaps here:<br>
<a class="moz-txt-link-abbreviated" href="http://www.gpg4win.org/index.html">www.gpg4win.org/index.html</a><br>
<a class="moz-txt-link-abbreviated" href="http://www.enigmail.net/index.php/en/">www.enigmail.net/index.php/en/</a><br>
*There are not.*<br>
<br>
Hansen's and DKG's blog are only partly helpful. For example my
Linux system seems to *not* have a ~/.gnupg/dirmngr.conf file at
all (one of those files recommended for editing). I.e. Nautilus
cannot find it.<br>
So, I did adapt gpg.conf by outcommenting (#) any line starting with
keyserver, but was not able to adapt the dirmngr.conf.<br>
Upon inspection, thereafter, my GPA and Kleopatra were NOT correctly
configured. <br>
<br>
Trying to figure out how GPA and Kleopatra could be adapted, I
found, for GPA: Menu > Edit > Backend preferences > Network
> Configuration for Keyservers > Use custom value > adapt
to hkps://keys.openpgp.org<br>
For Kleopatra: Menu > Settings > Configure Kleopatra >
Directory Services > Open PGP Keyserver > adapt to
hkps://keys.openpgp.org<br>
(I would have included an inline screenshot, but this list is
allergic to html)<br>
<br>
GPG4Win and Enigmail need further research. (This is a suggestion. I
cannot do it).<br>
<br>
And further, I would have expected a program update that sets the
defaults to the ones suggested by Hansen and DKG. Or is the matter
still under consideration, or is it not that important? (I
personally cannot judge it). <br>
<br>
The only hint that I can give: The WoT nor keyservers are not very
important in my case. I use GnuPG inside a small group of people who
(for identity verification) can talk to each other, at least by
telephone. I do not use Enigmail (since limited to few mail clients
and not accepted by sufficient of my recipients), but just send
encrypted messages as attachments. <br>
<br>
Best regards<br>
<br>
Roland<br>
<br>
<br>
<div class="moz-cite-prefix">On 02/07/2019 05:48,
<a class="moz-txt-link-abbreviated" href="mailto:gnupg-users-request@gnupg.org">gnupg-users-request@gnupg.org</a> wrote:<br>
</div>
<blockquote type="cite"
cite="mid:mailman.15907.1562039285.30381.gnupg-users@gnupg.org">
<pre class="moz-quote-pre" wrap="">Send Gnupg-users mailing list submissions to
<a class="moz-txt-link-abbreviated" href="mailto:gnupg-users@gnupg.org">gnupg-users@gnupg.org</a>
To subscribe or unsubscribe via the World Wide Web, visit
<a class="moz-txt-link-freetext" href="http://lists.gnupg.org/mailman/listinfo/gnupg-users">http://lists.gnupg.org/mailman/listinfo/gnupg-users</a>
or, via email, send a message with subject or body 'help' to
<a class="moz-txt-link-abbreviated" href="mailto:gnupg-users-request@gnupg.org">gnupg-users-request@gnupg.org</a>
You can reach the person managing the list at
<a class="moz-txt-link-abbreviated" href="mailto:gnupg-users-owner@gnupg.org">gnupg-users-owner@gnupg.org</a>
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Gnupg-users digest..."
Today's Topics:
1. Re: Your Thoughts (Stefan Claas)
2. Re: SKS Keyserver Network Under Attack (Alyssa Ross)
3. Re: Your Thoughts (Alyssa Ross)
4. Re: New keyserver at keys.openpgp.org - what's your take?
(Mirimir)
5. Re: Your Thoughts (Robert J. Hansen)
----------------------------------------------------------------------
Message: 1
Date: Tue, 2 Jul 2019 00:09:47 +0200
From: Stefan Claas <a class="moz-txt-link-rfc2396E" href="mailto:sac@300baud.de"><sac@300baud.de></a>
To: <a class="moz-txt-link-abbreviated" href="mailto:gnupg-users@gnupg.org">gnupg-users@gnupg.org</a>
Subject: Re: Your Thoughts
Message-ID: <a class="moz-txt-link-rfc2396E" href="mailto:mailman.15908.1562039285.30381.gnupg-users@gnupg.org"><mailman.15908.1562039285.30381.gnupg-users@gnupg.org></a>
Content-Type: text/plain; charset=utf-8
Ryan McGinnis via Gnupg-users wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">
Null modem transfer of your messages? Yikes. To me that?s the issue with
PGP in general as it relates to secure communications - the nerds and the
criminals and the spies know how to work it, but your average end user
doesn?t need their step one to be ?go to a Goodwill in a city you don?t live
in wearing a disguise and buy a laptop with cash?, they need PGP to almost be
automatic. Think of how easy it is to bootstrap Signal and how hard you?d
have to try to accidentally send something cleartext over that application.
Linking your key to a new device is as easy as scanning QR code. Perfect
forward secrecy, rich media, voice and video synchronous communications
upgrades, you name it. And my grandma could probably set it up without
help. I guarantee most big data scooping intelligence services are a lot
more worried about OpenWhisper protocol than PGP because *people actually use
it*. Just being caught with WhatApp in China can get you sent to a camp,
depending on your ethnicity.
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
Not to be off-topic, but you gave me the keyword "China" ...
I just recently found this and was wondering what purpose it
serves? Are people in China also allowed to use GnuPG?
pgp.ustc.edu.cn/
Regards
Stefan
------------------------------
Message: 2
Date: Mon, 1 Jul 2019 22:43:18 +0000
From: Alyssa Ross <a class="moz-txt-link-rfc2396E" href="mailto:hi@alyssa.is"><hi@alyssa.is></a>
To: Mirimir <a class="moz-txt-link-rfc2396E" href="mailto:mirimir@riseup.net"><mirimir@riseup.net></a>
Cc: <a class="moz-txt-link-abbreviated" href="mailto:gnupg-users@gnupg.org">gnupg-users@gnupg.org</a>
Subject: Re: SKS Keyserver Network Under Attack
Message-ID: <a class="moz-txt-link-rfc2396E" href="mailto:20190701224317.x3mffnm63klnxcyg@x220.qyliss.net"><20190701224317.x3mffnm63klnxcyg@x220.qyliss.net></a>
Content-Type: text/plain; charset="us-ascii"
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">And yes, hkps://keys.openpgp.org would fall over and die if too many
users started using it. So cert poisoning will be an issue until there's
a secure alternative.
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
Just as a point of interest, I've talked to the people running
keys.openpgp.org about their capacity in #hagrid, when we were exploring
whether to change the default keyserver in Nixpkgs' GnuPG[1] (which we
ended up doing).
The impression I got was that they're very optimistic about their
ability to handle traffic to their server -- they were happy to have a
distro make the switch, and will be changing the defaults in Enigmail
and OpenKeychain very soon, as I understand it.
It is a real shame that a decentralized Hagrid isn't really possible,
though, at least to my understanding. It's quite the limitation for
GnuPG.
[1]: <a class="moz-txt-link-freetext" href="https://github.com/NixOS/nixpkgs/pull/63952">https://github.com/NixOS/nixpkgs/pull/63952</a>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <a class="moz-txt-link-rfc2396E" href="https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190701/4589554b/attachment-0001.sig"><https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190701/4589554b/attachment-0001.sig></a>
------------------------------
Message: 3
Date: Mon, 1 Jul 2019 22:58:32 +0000
From: Alyssa Ross <a class="moz-txt-link-rfc2396E" href="mailto:hi@alyssa.is"><hi@alyssa.is></a>
To: Stefan Claas <a class="moz-txt-link-rfc2396E" href="mailto:sac@300baud.de"><sac@300baud.de></a>
Cc: <a class="moz-txt-link-abbreviated" href="mailto:gnupg-users@gnupg.org">gnupg-users@gnupg.org</a>
Subject: Re: Your Thoughts
Message-ID: <a class="moz-txt-link-rfc2396E" href="mailto:20190701225832.6oldo4pexgjuy6yy@x220.qyliss.net"><20190701225832.6oldo4pexgjuy6yy@x220.qyliss.net></a>
Content-Type: text/plain; charset="us-ascii"
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">I think also (sorry to say this Werner!) the problem is that
GnuPG is Linux cli based and not like MacPGP from Mr. Zimmermann,
back in the 90's was GUI based with much lesser commands and
easier to learn. There was back then no Enigmail or other
MUA plug-ins and you could simply copy and paste your messages.
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
GnuPG is cross-platform and in no way tied to Linux, but I think you
have a point about the CLI-focused design of it. The problem isn't that
it's CLI-based per se, but that this design has made it far too easy for
it to accumulate features without much consideration for how the whole
thing works together.
For example, why isn't ask-cert-level a default? I'm guessing it's just
because at some point it didn't exist, and the developers didn't want to
make a backwards incompatible change. But it means that, out of the box,
signatures on other keys are next to useless, because it's not possible
to specify how carefully you've checked a key. This leads to people only
signing keys that they've very carefully checked, and makes it so that
marginal signatures see almost no use, which I think has likely been a
major contributor to the failure of the web of trust.
A large part of what makes alternative encryption software like Signal
successful is its simplicity. I don't have to worry about the 3000
different setting combinations available to me, because there's design
work been put into it to set me up for success out of the box. I've
spent hours of my life learning about how to use GnuPG, and have ended
up with a way of using it that seems completely different to anybody
else's, but I still don't think I'm doing it right. It's not possible to
figure out how to use it as intended, because there's no intended way to
use it. There's no high level design for how people are supposed to use
the software. And without that, it's never going to be possible to use
GnuPG properly no matter how much time one is willing to invest.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <a class="moz-txt-link-rfc2396E" href="https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190701/ed0d6216/attachment-0001.sig"><https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190701/ed0d6216/attachment-0001.sig></a>
------------------------------
Message: 4
Date: Mon, 1 Jul 2019 19:44:04 -0700
From: Mirimir <a class="moz-txt-link-rfc2396E" href="mailto:mirimir@riseup.net"><mirimir@riseup.net></a>
To: <a class="moz-txt-link-abbreviated" href="mailto:gnupg-users@gnupg.org">gnupg-users@gnupg.org</a>
Subject: Re: New keyserver at keys.openpgp.org - what's your take?
Message-ID: <a class="moz-txt-link-rfc2396E" href="mailto:4c4a0cab-5fae-5351-6b88-6f363032f290@riseup.net"><4c4a0cab-5fae-5351-6b88-6f363032f290@riseup.net></a>
Content-Type: text/plain; charset=utf-8
On 07/01/2019 07:29 AM, David wrote:
<SNIP>
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">My take on all this is that I have had to disable Enigmail because it's
screwed - I was not able to send mail and all the settings in enigmail
were lots of ???????????? so I have been infected :(
David
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
Damn. But all is likely not lost.
If you can open Enigmail Preferences, go to the Keyserver tab, and
specify only keys.openpgp.org as the keyserver. That way, if you manage
to fix gpg, Enigmail won't break it again. Also see "100% CPU usage
endles loop of gpg --list-keys" <a class="moz-txt-link-rfc2396E" href="https://dev.gnupg.org/T3972"><https://dev.gnupg.org/T3972></a> for
background.
About hardening and fixing gpg, see
<a class="moz-txt-link-rfc2396E" href="https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f"><https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f></a> at
Mitigations and Repairs. Also see
<a class="moz-txt-link-rfc2396E" href="https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html"><https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html></a>.
You'll very likely need to use gpg in terminal. I suspect that GPA may
be just as wedged as Enigmail.
Maybe someone could post a step-by-step guide for fixing gpg. For people
who don't commonly use it in terminal. I suppose that I could import one
of the poisoned keys in a fresh VM, and explore how to fix it. But I'm
sure that someone reading this could just dash it out.
------------------------------
Message: 5
Date: Mon, 1 Jul 2019 23:47:56 -0400
From: "Robert J. Hansen" <a class="moz-txt-link-rfc2396E" href="mailto:rjh@sixdemonbag.org"><rjh@sixdemonbag.org></a>
To: <a class="moz-txt-link-abbreviated" href="mailto:gnupg-users@gnupg.org">gnupg-users@gnupg.org</a>
Subject: Re: Your Thoughts
Message-ID: <a class="moz-txt-link-rfc2396E" href="mailto:30ca199b-1087-4439-2dc8-b46401179380@sixdemonbag.org"><30ca199b-1087-4439-2dc8-b46401179380@sixdemonbag.org></a>
Content-Type: text/plain; charset=windows-1252
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">GnuPG is cross-platform and in no way tied to Linux, but I think you
have a point about the CLI-focused design of it. The problem isn't that
it's CLI-based per se, but that this design has made it far too easy for
it to accumulate features without much consideration for how the whole
thing works together.
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
Eh. Yes, no. I agree with the claim that GnuPG's "we-do-it-all"
approach is overall a net negative for security: but there's a strong
argument to be made that if GnuPG didn't do it all, it wouldn't get done
at all.
Remember that for about fifteen years GnuPG received basically nil for
funding. For a long while each Christmas I'd run a fundraiser match for
GnuPG, where I'd match dollar-for-dollar every dollar donated to GnuPG
for development. My donation capped at $500. For several of those
years, I was one of the largest individual contributors to GnuPG.
During that long period when GnuPG was short of funds and developers, it
could have focused on just one part of the crypto puzzle. "This will
verify operating system packages with OpenPGP" or "this will verify
emails with OpenPGP", to use one simple distinction. But doing that
would've left the other, just as important, need unaddressed: so the
developers did their best to make one package be useful to as many
OpenPGP users as possible.
This approach created some problems. Some of the Efail bugs were
created when GnuPG generates output data even though the file fails
integrity checks. This is not behavior you want in an email crypto
engine: if the email fails, you want to just bomb out and create no
data. But this *is* behavior you want in a bulk crypto engine, where
there is no reasonable way to store petabytes of encrypted data in RAM
to check for consistency before writing to disk.
------------------------------
Subject: Digest Footer
_______________________________________________
Gnupg-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Gnupg-users@gnupg.org">Gnupg-users@gnupg.org</a>
<a class="moz-txt-link-freetext" href="http://lists.gnupg.org/mailman/listinfo/gnupg-users">http://lists.gnupg.org/mailman/listinfo/gnupg-users</a>
------------------------------
End of Gnupg-users Digest, Vol 190, Issue 11
********************************************
</pre>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<img src="http://cleanfuels.nl/Sitepics/00LogoCleanFuelsText.png"
height="73" width="350"><br>
<br>
<font font="" face="trebuchet ms" color="000000" size="3">
Mail to: c/o University of Twente<br>
PO Box 217<br>
7500 AE Enschede<br>
The Netherlands<br>
<br>
Visiting address:<br>
Marconistraat 33A<br>
7575 AR Oldenzaal<br>
The Netherlands<br>
<br>
T: +31 (0)53 4892909<br>
M: +31 (0)64561 6734<br>
<a class="moz-txt-link-abbreviated" href="mailto:Siemons@CleanFuels.nl">Siemons@CleanFuels.nl</a><br>
<a class="moz-txt-link-abbreviated" href="http://www.cleanfuels.nl">www.cleanfuels.nl</a>
</font></div>
</body>
</html>