Re: New GUI frontend for windows
On Wed, 25 Dec 2013 12:50:50 -0500, Robert J. Hansen stated: On 12/25/2013 7:49 AM, Alice Bob wrote: It is closed source, unlimited trialware. (a) If you're asking people to provide feedback and bug reports for closed-source software, you're asking people to help you make a buck without giving them much of anything in return. I find that unethical. I don't find closed-source software unethical, mind you, but if you're going to write closed-source software then, IMO, you need to take responsibility for doing SQA without community assistance. (b) Without source, there's no way I will trust it. (c) The web page asks, Can I trust you?, and you answer it with YES!. Sorry, but no. The only correct answer to Can I trust you? is, You need to figure that out for yourself. In my experience, people who answer that question yes are usually deeply untrustworthy. (d) As a closed-source product, this should not be advocated on GnuPG-Users. GnuPG is a GNU project, and they have some quite serious philosophical beliefs about the moral evils of closed-source software. Let's respect the GNU position by not advocating closed-source software on this list. I certainly don't want to start a flame war here; however, if you are so unequivocally anti proprietary software, then why do you even allow a version of your product to be created that will run on it. That is certainly not a consistent approach. -- Jerry ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: New GUI frontend for windows
On Wed, 25 Dec 2013 19:04:22 -0500, Ryan Sawhill stated: I wanted to create an easy to use gui for GnuPG. Without installing, choosing options, and just working from the get-go. I appreciate your sentiment but I absolutely agree with what everyone else has said. Expecting people to use closed-source crypto software in 2013 would be a little like expecting people to only buy their music (contained in a limited-life wasteful physical container like a CD) in-person at a big chain store.. or to only rent movies in-person at Blockbuster -- namely, unrealistic at best. And as you might have guessed after the first few comments: I can tell you right now you're not going to get anyone subscribed to this list to try it. Ryan Sawhill, lets get something straight. I don't speak for you and you do not speak for me. You are most certainly free to express your own sentiments; however, they are only yours, not mine nor anyone else's. -- Jerry ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: New GUI frontend for windows
On 26-12-2013 13:00, Jerry wrote: I certainly don't want to start a flame war here; however, if you are so unequivocally anti proprietary software, then why do you even allow a version of your product to be created that will run on it. That is certainly not a consistent approach. Most people in the free software world believe in freedom - the freedom to use software as we see fit and to adapt it to our requirements. Not in taking someone else's freedoms away. If someone wants to run GnuPG on windows - that's what you're asking - why should one remove the freedom to do so? As a practical matter, not distributing windows binaries would get Werner many questions for it and for help from people who tried to port / compile it on windows because the demand is there. To prevent such a non-productive situation windows binaries could be distributed as only to prevent all this trouble. Werner has also only 24hours in one day. I'm not saying this is the reason to distribute windows binaries but it would certainly be a practical reason to do so, if no other reasons (like increased security for everyone if the large number of windows users would also be able to use GnuPG). -- Met vriendelijke groet / With kind regards, Johan Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: The Presidential Commission
On 21-12-2013 2:43, Robert J. Hansen wrote: The President's commission on the NSA was expected to give a whitewash of the program. They definitely didn't. When the recently-retired #2 at the CIA tells the President, you're screwing up and reforms need to be made immediately over at NSA, that's pretty big news. OK, and are changes made? Or is this just another promise like the one to close the torture prison at Guantanamo Bay? -- Met vriendelijke groet / With kind regards, Johan Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: The Presidential Commission
On 12/26/2013 7:23 AM, Johan Wevers wrote: OK, and are changes made? Or is this just another promise like the one to close the torture prison at Guantanamo Bay? I'm not going to dignify that last one with an answer. As to your first question, no changes have been made yet. It's only been a couple of days. Give it time: let's see what shakes out of this. The committee just released its report a little bit ago, and between that and the Christmas holidays it's unsurprising there's been no further development on it. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: New GUI frontend for windows
I really wish people would read my emails before responding to them. I certainly don't want to start a flame war here; however, if you are so unequivocally anti proprietary software... I'm not, as I said in that message -- a part which you quoted, even: I don't find closed-source software unethical, mind you... I also (correctly) attributed the anti-proprietary mindset to GNU, not to me: GnuPG is a GNU project, and they have some quite serious philosophical beliefs about the moral evils of closed-source software. Let's respect the GNU position by not advocating closed-source software on this list. Finally, why do you even allow a version of your product to be created that will run on [proprietary OSes]. GnuPG is not my product. I am not a GnuPG developer. I am not a GnuPG maintainer. I have never contributed one line of code to GnuPG. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Fwd: Rosetta CryptoPad released
Hi Peter and Robert, Ist not ab I really wouldn't mind never reading about this CryptoPad thingy in this mailing list. I can't shake the feeling it's only discussed to give it a podium in the mailing list of a reputable cryptography tool. Peter. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Fwd: Rosetta CryptoPad released
Hi Peter and Robert, it is not about the tool, it is about the method, if you look at session based D/H key Exchange.. , with the Exchange of the public key in the past you easily can copy paste the ciphertext to any chat and such a crypt tool is a universal thing to use in any chat or email program. That means, the grab of a public key is not possible while you Exchange chiphertext (except you assume everything is recorded). I tested it the last days a little bit and it is better than any scramber software you download from softpedia.comwhich is older than 10 years. Anyway, it is not about the function to be integrated in a jabber Client or email app. it is a tool, as is, and I appreciate the funktion, good that it is one alternative to OTR or Enigmail and all the others. Maybe RSA keys can be extended to ElGamal here too. Regards I really wouldn't mind never reading about this CryptoPad thingy in this mailing list. I can't shake the feeling it's only discussed to give it a podium in the mailing list of a reputable cryptography tool. Peter. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Rosetta CryptoPad released
it is not about the tool, it is about the method, if you look at session based D/H key Exchange... So what? How is GoldBug relevant to GnuPG? As near as I can tell it has no relevance, which causes me to wonder why the author(s) of it keep on introducing messages that refer to it. It has about as much relevance to GnuPG as does my bizarre obsession with prehistoric fish. (Speaking of which, http://www.moreintelligentlife.com/content/features/anonymous/fish-our-time?page=full has a great article on coelacanths. If you get the dead-tree edition of _The Economist_ from late November it has the first photograph on that webpage in full 16x11 glory. Breathtaking.) And if you're talking about Rosetta CryptoPad... the list moderators have *specifically* *asked* that non-Free Software not be advocated on this list. The big exception to that rule is in the context of discussing whether GnuPG can/should support features found in non-Free Software. Given the list moderators have asked that non-Free Software not be advocated on this list, that's all the reason I need to not talk about the Rosetta CryptoPad. Between the closed source and the complete lack of trust, let's consign discussion about it to the dustbin and move on. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Rosetta CryptoPad released
Hi Rob, okay, one short reply: - if I understood it right, both use the same lib? and similar principle - communities appreciates to learn for and from each other, exchange and dialogue is the goal of a mailinglist - as far as I see the Rosetta CryptoPad tool is open source, why do you spread wrong info. - I can see, it is not gnupg for you and so apologies for posting it to you. However, Regards 2013/12/26 Robert J. Hansen r...@sixdemonbag.org it is not about the tool, it is about the method, if you look at session based D/H key Exchange... So what? ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Printing PGP Businesscard
On 12/24/2013 01:02 PM, Johan Wevers wrote: You think someone will type it over? KeyID plus a URL would be more usefull IMO (perhaps a QR code with the URL?) Please use a QR code that contains the full fingerprint (no spaces) prefixed with OPENPGP4FPR: -- this is the mechanism used by the monkeysign project and other mechanisms: http://web.monkeysphere.info/monkeysign/ Most humans don't really cope well with long strings of hexadecimal or any other high-entropy arbitrary data. Using machine-readable QR codes makes it easy for humans to feed the data directly into their trusted machines. --dkg signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Rosetta CryptoPad released
- as far as I see the Rosetta CryptoPad tool is open source, why do you spread wrong info. Because I had it conflated with Encreep, a similar tool that was also recently posted here. That's the closed-source one. My apologies to those who feel I've misled them. - if I understood it right, both use the same lib? and similar principle Again: so what? - communities appreciates to learn for and from each other, exchange and dialogue is the goal of a mailinglist The GnuPG-Users community has always been structured around GnuPG, OpenPGP, how to keep endpoints secure, and (to a lesser extent) privacy rights. GoldBug does not touch on any of those except insofar as it borrows some code from GnuPG. I have no personal animosity with GoldBug, except insofar as people associated with it continue to post identical (or near-identical) messages to many different mailing lists in an apparent marketing attempt. For instance, what possible relevance could it have to OpenSSL? Yet a very familiar-looking message was posted to OpenSSL-Users: http://openssl.6102.n7.nabble.com/Fwd-Rosetta-CryptoPad-released-td47822.html Given that these messages appear to be a marketing attempt, *and* given that they're off-topic, I personally would appreciate it if they could be taken somewhere else. Others may disagree with me, of course. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Printing PGP Businesscard
Would having the e-mail address and name in the QR code adversely affect compatibility with monkeysign? For example, see the attached code which is similar to what I was playing with for key-signing purposes, although I was going to print them on mailing labels. [image: Inline image 2] Avi User:Avraham pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key) avi.w...@gmail.com Primary key fingerprint: 167C 063F 7981 A1F6 71EC ABAA 0D62 B019 F80E 29F9 On Thu, Dec 26, 2013 at 2:24 PM, Daniel Kahn Gillmor d...@fifthhorseman.netwrote: On 12/24/2013 01:02 PM, Johan Wevers wrote: You think someone will type it over? KeyID plus a URL would be more usefull IMO (perhaps a QR code with the URL?) Please use a QR code that contains the full fingerprint (no spaces) prefixed with OPENPGP4FPR: -- this is the mechanism used by the monkeysign project and other mechanisms: http://web.monkeysphere.info/monkeysign/ Most humans don't really cope well with long strings of hexadecimal or any other high-entropy arbitrary data. Using machine-readable QR codes makes it easy for humans to feed the data directly into their trusted machines. --dkg ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users AviWiki_F80E29F9_L.png___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Trustworthy encryption - step one...
It has taken 6 months to get here, but now it is happening! Please propagate: http://www.greens-efa.eu/software-procurement-11372.html Anyone at CCC interested in this, please ping me. God Jul! :-) //Erik Erik Josefsson BE GSM: +32484082063 SE GSM: +46707696567 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Printing PGP Businesscard
On 12/26/2013 03:01 PM, Avi wrote: Would having the e-mail address and name in the QR code adversely affect compatibility with monkeysign? For example, see the attached code which is similar to what I was playing with for key-signing purposes, although I was going to print them on mailing labels. As long as you have a separate line for the fingerprint, and that line is prefixed with OPENPGP4FPR:, then monkeysign should be work fine with your QR code. --dkg signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Possible to combine smartcard PIN with key password?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi On Tuesday 24 December 2013 at 10:23:14 AM, in mid:52b96092.1070...@digitalbrains.com, Peter Lebbing wrote: Even if you keep a tiny computer on your lanyard (easy to realise these days), that still leaves the keyboard. Some of the laser projection virtual keyboard units are a cube of just a couple of inches and weigh less than the average smartphone. You just type on an image of a keyboard projected onto an opaque flat surface, and it senses which keys you hit. - -- Best regards MFPAmailto:expires2...@ymail.com The secret to creativity is knowing how to hide your sources. -BEGIN PGP SIGNATURE- iPQEAQEKAF4FAlK8vb9XFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5pRqAEAK+6AkDpM1Ug+BzUvUf1yJ9yMTe5Bym10v9l wSfa6jCYvAnUvG+XIzJsu+WKT5v45rmRLtfTXO4d8YHCLrtWi40P4lvAeCfYKYZB /Dy2oLkOpOk11aRMc37m28qwQ367geUXtp4E0tlZhRWnkHgsf/b0L1MLowmsvRt3 1WshZRK2 =JgW6 -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: New GUI frontend for windows
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi On Wednesday 25 December 2013 at 10:05:43 PM, in mid:52bb56b7.2090...@dougbarton.us, Doug Barton wrote: Not to mention it's dramatically more difficult (some would argue impossible) to develop trust in a pseudonym. I say it makes no difference whether somebody goes by the name their government recognises, or by a pseudonym chosen by themself (or their friend/colleague/enemy). Unless I am entering into a contract and may be unable to hold them to account without using (or at least knowing) their legal name. - -- Best regards MFPAmailto:expires2...@ymail.com Never trust a dog with orange eyebrows -BEGIN PGP SIGNATURE- iPQEAQEKAF4FAlK8yVRXFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5pBoQD/05UMhuu662VX3agFLR+k4a0kKH9HCA0AK0X 4cOq2hXiCODZ33jPunDvxNZdfHEHSRaQ6zz4rmtVXyKUJp2Wfzxi8CHoSQmXSrN4 u+5Ni7xMRruuz62ewnmMoBlgWtblU/hvDNPKHPQVCwoKzh8c8xRdlzGJvSL4I419 G0taPvVh =IRah -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Possible to combine smartcard PIN with key password?
NdK: Il 24/12/2013 02:41, adrelanos ha scritto: Adversary capabilities: - Can physically steal the smartcard. - Capable of dismantling a smartcard to extract the key its holing. [Maybe not now, but maybe in a few years the tool required to so so will be available. Only making up the scenario here.] - Not capable of breaking gpg's key encryption/password protection. - Not capable of rubber-hose cryptanalysis. - Not capable of installing a miniature camera and/or hardware keylogger. You're saying that he can lockpick your security door but can't break the glass of the window nearby... Well, let's go through it. - Can physically steal the smartcard. A one time robbery or thief doesn't require that much skill. A hacker conference where one steals a smartcard from a cardrader shouldn't be that unrealistic? - Capable of dismantling a smartcard to extract the key its holing. [Maybe not now, but maybe in a few years the tool required to so so will be available. Only making up the scenario here.] This is the only thing I am asking to grant me here for the sake of discussion. - Not capable of breaking gpg's key encryption/password protection. Being capable of that would be kinda big news? Either a huge breakthrough in cracking cryptography or weakness in gpg. So not assuming it isn't that much of a failure? - Not capable of rubber-hose cryptanalysis. That kind of capability in my opinion requires much more criminal energy and logistics than a robbery. - Not capable of installing a miniature camera and/or hardware keylogger. That kind of capability in my opinion requires much more criminal energy and logistics than a robbery. You're saying that he can lockpick your security door but can't break the glass of the window nearby... I don't understand how you get to that conclusion. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Possible to combine smartcard PIN with key password?
Peter Lebbing: The result is that the on-disk key again adds nothing, because an adversary that can physically access the smartcard can also physically access the computer. The latter often requires breaking into a flat or an office. While smartcards are carried around. Breaking into a a flat/office and installing a hardware keylogger and/or miniature camera requires much more criminal energy than theft/robbery of a smartcard. That is also my point. If you enough capabilities to the adversary, anything can be broken. I only believe, the combination of unique security advantages, which both hardware protections by smartcards and key encryption have, leads to a combination of these advantages and thus defeats more adversaries than not having a combination of these security features. Only if you can make it more difficult to access the computer than to access the smartcard, will the on-disk key add anything, I think. Indeed. That's a necessary assumption I didn't write down. Scenario #2 ### This scenario doesn't involve additional security gained through two keys; it is simply the advantage of a smartcard over an on-disk key. I believe I said that already. The Scenario #2 was only in the show that it's worthwhile having the extra security features by smartcards. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: New GUI frontend for windows
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi On Wednesday 25 December 2013 at 12:49:47 PM, in mid:snt148-w26880c9e58512b4c8b9112bf...@phx.gbl, Alice Bob wrote: I wanted something to quickly load the key, encrypt the message, and send it away. It is closed source, unlimited trialware. Ty. Maybe you have written this for a newer Windows version than my XP. The only thing I could get Encreep to do was create a new key. The result was a 2048-bit RSA key with a 2048-bit RSA subkey. The subkey is flagged to encrypt, sign, and authenticate, the main key can encrypt, sign, authenticate and certify. Why have you chosen not to go with the GnuPG default capabilities: encrypt only for the subkey and sign+certify for the master. The interface says entering a name, an email address, and a password are optional - I chose not to exercise that option, and got (as expected) a key with an empty passphrase. But the key has the unexpected UID of Alice Bob 4234 m...@example.com. - -- Best regards MFPAmailto:expires2...@ymail.com A closed mouth gathers no foot -BEGIN PGP SIGNATURE- iPQEAQEKAF4FAlK82sRXFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5peU4D/RMj5fQU95Ll2kUOjQajB0ycPSV9mLTImlJ1 hc009maZ55tDMohK1pAPc0QoUh7sRSNg0l81hdrr3TyoBuZZe5rfrTIpJH1ragla 4LqeY1CqCciyuRQUbCMgixQQfqww1JJklwxjRlZ9Qu6mcNYgK4AScMrE4+px9WS7 dhAA2X9y =T+L6 -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
RE: New GUI frontend for windows
Maybe you have written this for a newer Windows version than my XP.I did try it on XP without noticeable problems. Besides the 'unexpected' behavior, did you have any other issues? But the key has the unexpected UID Yes, if you don't specify a name a 'random' one will be chosen for you,this is to ease on two new users that exchange keys and will expect a change in the ui when importing a key. Why have you chosen not to go with the GnuPG default capabilities: encrypt only for the subkey and sign+certify for the master. Those are the defaults for unattended key generation. Thanks. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users