Re: MIME or inline signature ?
On Fri, 13 Feb 2015 04:18, r...@sixdemonbag.org said:

> And the MIME attachment being mangled by the mailing list, yes, I agree.
> It's almost a bizarre endorsement of the attachment fragility idea...

Which is a long standing problem of the Python mail library. Mailpile also had its trouble with that standard library. This needs to be fixed and we would get rid of a lot of problems.

> There are probably other ML managers which get it right.

Switching to another ML software is not an option. Mailman simply is the standard for mailing lists and people are used to it.

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are governed by a federal law.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: MIME or inline signature ?
On 13-02-2015 1:44, Jerry wrote:

> Inline totally destroys a sig delimiter

It is supposed to sign and/or encrypt the sig too.

> and adds a lot of useless garbage to the message body. You need a mailclient to interpret that.

Mail clients interpret MIME attachments too (or not).

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
Re: emulating smartcard with Nexus 5
Hello,

You need to emulate an OpenPGP via Host Card Emulation. You can get necessary parts from here:

1. OpenPGP applet. Try this: https://github.com/Yubico/ykneo-openpgp or this: https://github.com/martinpaljak/AppletPlayground
2. Emulator for running the applet code in Android: https://github.com/martinpaljak/vJCRE

I have some code that did exactly that but was not published because of some technical limitation not related to possible software only OpenPGP: https://github.com/martinpaljak/mobiil-idkaart

If you are capable of creating Android software with a GUI, I could help with the non-Android-GUI issues.

Martin

-- 
Martin
+372 515 6495

On Fri, Feb 13, 2015 at 1:55 AM, NIIBE Yutaka gni...@fsij.org wrote:

> Hello,
>
> Let me record a bit of history.
>
> On 02/13/2015 01:19 AM, Brian Minton wrote:
>> I recently got a new Nexus 5, with NFC. Supposedly it supports ISO 7816-4. Is there any possibility of, for instance, porting gnuk to android? I'd love to use my smartphone as a smartcard. Of course, the smartphone wouldn't have as many anti-tampering features as a typical smart card, so this would be mainly for educational purposes rather than true security.
>
> In fact, Ueno (cc-ed) did something like that around 2007-2008. It was the precursor of Gnuk. IIRC, he wrote a paper describing his work. If he still has the code, it would help you.
>
> Since I didn't like smartphones (which are smart enough to cheat their users, by my interpretation), I wrote the code for ATmega 20MHz to implement OpenPGPcard functionality, inspired by his work. It took five seconds to sign RSA-1024. I demonstrated this work at FSFS 2008 in India, then, I demonstrated gpg --card-status worked with ATmega implementation in Japan Linux Symposium 2009, in Akihabara, Tokyo.
>
> After that, around 2010, experts claimed that we should not use RSA-1024 any more. So, I gave up my ATmega work, and sought another MCU candidate. That's the start of Gnuk with STM32F103.
>
> P.S.
> The ATmega implementation of RSA was done when I was an employee of National Institute of AIST, Japan, and it was registered as the work under AIST (perhaps, copyrighted by AIST). I left the code there when I left AIST in September, 2010. If interested, please contact AIST (not me).
Re: MIME or inline signature ?
Hi Xavier,

On 12.02.2015 at 23:46, Xavier Maillard wrote:
> Hello,

sorry, just to inform you that I cannot verify your signature: While trying to verify it, Enigmail (German localization) reports the following:

Enigmail-Sicherheitsinfo: Fehler - Überprüfung der Unterschrift fehlgeschlagen
Öffentlicher Schlüssel DE2FFC869AFA5165 zur Überprüfung der Unterschrift benötigt
FALSCHE Unterschrift von Xavier Maillard xav...@maillard.im

in English: (translated on-the-fly by myself)

Enigmail security info: Error - Failed to verify signature
Public key xx required for signature verification
BAD signature from xx

You might have signed your message with a key different from the one I can download from the keyserver. As a security measure I have assigned your key a non-trust attribute.

Best regards

Stephan Beck
Re: MIME or inline signature ?
On Fri, 13 Feb 2015 12:22:23 +, MFPA stated:

> My preference is Inline: I want everything right there in the message body where I can see it.

Exactly what is it you feel the overpowering urge to see?

-- 
Jerry
Re: MIME or inline signature ?
My personal preference is inline, but I do have a request: if you have a 4096 bit RSA key, please don't sign inline. The signature block is ridiculously long. That's why I use DSA and especially ed25519 for signing.

My main email access is on my phone, with copy/paste from Open Keychain. I've used K-9 mail, and it is okay but I prefer Google Inbox. I also have used mailvelope, but it didn't work very well IMHO.

I do have enigmail available on my desktop, so I have no problem with PGP/MIME (or for that matter S/MIME) messages.
Re: MIME or inline signature ?
On 2015-02-13 15:07, Brian Minton wrote:
> if you have a 4096 bit RSA key, please don't sign inline. The signature block is ridiculously long.

You'll find it is actually even an 8192 bit RSA key.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://digitalbrains.com/2012/openpgp-key-peter
Re: [Announce] GnuPG 2.1.2 released
Werner,

congratulations on getting 2.1.2 released! Also congratulations to all people in the GnuPG-Initiative for the funding success that we all had in the last weeks. Yes, Werner gets the funding, but I consider it a success of all people that actively contribute to GnuPG!

On Wednesday 11 February 2015 at 20:40:39, Werner Koch wrote:
> What's New in GnuPG-2.1

This was meant to read GnuPG-2.1.2 I guess, because of

> A detailed description of the changes found in 2.1 can be found at https://gnupg.org/faq/whats-new-in-2.1.html .

I wasn't sure if this were actually the 2.1.2 diff or something else. A look at http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=NEWS;hb=HEAD clarified it. Again I think you or we as an initiative should write a description that fits the differences for the users.

Best,
Bernhard

-- 
www.intevation.de/~bernhard (CEO)    www.fsfe.org (Founding GA Member)
Intevation GmbH, Osnabrück, Germany; Amtsgericht Osnabrück, HRB 18998
Owned and run by Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: MIME or inline signature ?
On 13 Feb 2015, at 08:25, Christopher W. Richardson c...@cwrichardson.com wrote:

> FWIW, Mac Mail marked this message as spam. Not sure if it universally does that for all inline sigs, but ... FYI.
>
> Chris

Fortunately it certainly does not.

-- 
Ville
Re: MIME or inline signature ?
On 2/12/2015 at 5:42 PM, Xavier Maillard xav...@maillard.im wrote:

> Hello,
>
> in my quest of the perfect setup, I am asking myself what is the preferred way to sign a message: inline (like this one) or using a MIME header ?

=====

If, by 'perfect', you mean that it's as close to possible to not be mangled, and/or tampered with, then there is a simple but often overlooked way to do this, while including any meta-data you wish to add:

Armor Sign it ;-)

Assuming everyone you correspond with, who is interested in your signature, is using GnuPG, then they can easily verify it.

Assuming you just want to do this for the mailing list, where most people don't sign their messages anyway, then just send the plaintext without worrying about the signature.

vedaal
Re: Key keeps showing unknown trust
On Fri 2015-02-13 07:38:09 -0500, MFPA wrote:
> Thanks for the correction. I was confusing secret and public keyring files.

I don't think gpg 2.1 will use any pubring.gpg if pubring.kbx exists, though. gpg2 --list-keys for me looks at /home/dkg/.gnupg/pubring.kbx even though /home/dkg/.gnupg/pubring.gpg exists.

--dkg
Re: MIME or inline signature ?
On 13-02-2015 16:44, Mark H. Wood wrote:

> Some people will complain if you use one format, and others will complain if you use the other, so unless there's someone you especially want to favor (or annoy) you may as well send what you would most like to receive. (Isn't there some sort of Golden Rule about that?)

Be liberal in what you accept, and conservative in what you send: https://en.wikipedia.org/wiki/Robustness_principle

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
Re: [Announce] GnuPG 2.1.2 released
On Fri, 13 Feb 2015 16:26, bernh...@intevation.de said:

>> What's New in GnuPG-2.1
>
> This was meant to read GnuPG-2.1.2 I guess, because of

No, this describes what is new in the 2.1 branch. 2.1.2 is basically a bug fix release.

> clarified it. Again I think you or we as an initiative should write a description that fits the differences for the users.

It is a bug fix and the NEWS file shows what has been fixed (or added). I may eventually update the whats-new-in-2.1.

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are governed by a federal law.
Re: MIME or inline signature ?
> Be liberal in what you accept, and conservative in what you send: https://en.wikipedia.org/wiki/Robustness_principle

It's worth noting that Postel (the guy who first formulated it) was very dissatisfied with how people tended to interpret Postel's Law. Per him, he felt most people who quoted Postel's Law were confused on the difference between 'liberal' and 'foolish', and tried to justify foolish engineering decisions on the basis of a liberal acceptance policy.

Postel's sentiments were more, "Reject traffic that does not conform to the spec, even if it's in common use; accept traffic that conforms to the protocol spec, even if it's exotic; and only generate traffic that conforms to both spec and common use." Unfortunately, that loses much of the poetry of the original phrasing.

This has long been one of my complaints about the way GnuPG gets used. GnuPG will accept and generate some pretty darn exotic traffic (let's use SHA-224 with ECDSA and Camellia-256!), which is good: that's exactly what you want in a toolkit. But just because we can do things like this doesn't mean we actually should...
Re: MIME or inline signature ?
On 2/13/15 4:01 AM, MFPA wrote:
> In an OpenPGP-aware mail client, that is the decision of the developer. For example, is there any huge reason why it would be a bad idea to treat dashspacedashdashnewline the same as they treat dashdashspacenewline?

And Enigmail, for example, can do exactly that. :)

Doug
Re: moving up from 2.0.26 to 2.1.1
On Wed 2015-02-11 16:35:27 -0500, Philip Jackson wrote:
> If I do gpg2 --version, it comes back clearly with 2.0.26. and enigmail clearly indicates that it has found the gpg2 that I built. So, moving on, if I do :
>
> apt-get -t experimental install gnupg2
>
> will I get 2.1.1 installed together with its dependencies ?

you should, as long as all of those dependencies are satisfiable in either debian experimental or ubuntu trusty. debian experimental is not guaranteed to have dependencies satisfied internally (debian unstable users should be able to install experimental packages without trouble though). apt will refuse to start the install if it can't satisfy the dependencies though, so you can try it out without worrying that it'll leave you in a half-broken state.

> And returning to my original questions, since it is written that 2.0* and 2.1 cannot co-exist, I suppose that I shall have to remove manually everything connected with my 2.0.26 ?

I suppose so, but i don't know how you installed 2.0.26 either, so i don't know how to remove it, sorry!

--dkg
Re: MIME or inline signature ?
On 13-02-2015 20:41, Robert J. Hansen wrote:

> It's worth noting that Postel (the guy who first formulated it) was very dissatisfied with how people tended to interpret Postel's Law.

I think Godwin is even more dissatisfied. :-)

> This has long been one of my complaints about the way GnuPG gets used. GnuPG will accept and generate some pretty darn exotic traffic (let's use SHA-224 with ECDSA and Camellia-256!), which is good: that's exactly what you want in a toolkit. But just because we can do things like this doesn't mean we actually should...

Hmmm. Some exotic uses with ElGamal keys were removed after a bug was discovered AFAIK. And thinking on some discussions about pgp 2 compatibility I still have some complaints about that. But let's not reopen that discussion again.

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
Re: MIME or inline signature ?
Peter Lebbing pe...@digitalbrains.com writes:

> On 2015-02-13 15:07, Brian Minton wrote:
>> if you have a 4096 bit RSA key, please don't sign inline. The signature block is ridiculously long.
>
> You'll find it is actually even an 8192 bit RSA key.

Yes sorry. I should add a smaller key for that purpose ...

Regards

-- 
Sent with my mu4e
Re: MIME or inline signature ?
Hi

On Friday 13 February 2015 at 10:19:06 AM, in mid:54ddcf9a.5070...@vulcan.xs4all.nl, Johan Wevers wrote:

> On 13-02-2015 1:44, Jerry wrote:
>> Inline totally destroys a sig delimiter

In an OpenPGP-aware mail client, that is the decision of the developer. For example, is there any huge reason why it would be a bad idea to treat dashspacedashdashnewline the same as they treat dashdashspacenewline?

> It is supposed to sign and/or encrypt the sig too.

>> and adds a lot of useless garbage to the message body. You need a mailclient to interpret that.
>
> Mail clients interpret MIME attachments too (or not).

In my opinion, one of the strengths of Inline is that you _don't_ need a mail client to interpret it: the message can be pasted into a text file or a command window.

-- 
Best regards

MFPA                    mailto:2014-667rhzu3dc-lists-gro...@riseup.net

Maybe YOU have nothing to hide; that still leaves plenty you want to hide from!
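The "dashspacedashdashnewline" versus "dashdashspacenewline" point above is the dash-escaping rule of OpenPGP cleartext signatures (RFC 4880 section 7.1): every body line that starts with a dash gets a "- " prefix before signing, so the conventional "-- " mail signature delimiter arrives as "- -- " inside an inline-signed message, and a verifier strips the prefix again. The following is an added example, not code from the thread or from GnuPG or Enigmail; the message text and the helper names are constructed for illustration.

```python
# Added example (not from the thread): how OpenPGP cleartext signing
# dash-escapes a message body, and why the "-- " signature delimiter
# that Jerry mentions shows up as "- -- " in an inline-signed mail.
# Follows RFC 4880 section 7.1: any line starting with "-" is prefixed
# with "- " before signing; the verifier strips that prefix again.
from typing import Optional

SIG_DELIMITER = "-- "          # the conventional mail signature delimiter
ESCAPED_DELIMITER = "- -- "    # what it looks like inside a cleartext-signed body


def dash_escape(body: str) -> str:
    """Prefix every line that starts with '-' with '- ' (RFC 4880 7.1).

    Escaping *every* dash-initial line (not only '-- ') is what makes the
    reverse operation unambiguous for the verifier.
    """
    out = []
    for line in body.split("\n"):
        out.append("- " + line if line.startswith("-") else line)
    return "\n".join(out)


def dash_unescape(signed_body: str) -> str:
    """Reverse dash_escape: strip a leading '- ' from each line that has one."""
    out = []
    for line in signed_body.split("\n"):
        out.append(line[2:] if line.startswith("- ") else line)
    return "\n".join(out)


def find_signature_delimiter(text: str, accept_escaped: bool = True) -> Optional[int]:
    """Return the index of the first line that is the mail signature delimiter.

    A plain mail client only recognizes "-- ".  An OpenPGP-aware client can,
    as MFPA suggests, also recognize the dash-escaped form "- -- " while it
    is looking at a still-armored inline-signed body.
    """
    for i, line in enumerate(text.split("\n")):
        if line == SIG_DELIMITER or (accept_escaped and line == ESCAPED_DELIMITER):
            return i
    return None


# Constructed sample message: two body lines, the delimiter, a signature line.
SAMPLE = "Hello list,\n\n-- \nJ. Random Hacker\n"

if __name__ == "__main__":
    escaped = dash_escape(SAMPLE)
    print(escaped)
    print("delimiter seen by a plain client:",
          find_signature_delimiter(escaped, accept_escaped=False))   # None
    print("delimiter seen by an OpenPGP-aware client:",
          find_signature_delimiter(escaped))                         # 2
    assert dash_unescape(escaped) == SAMPLE
```

Run as a script it prints the escaped body and shows that a client which only knows "-- " loses the delimiter on the signed form, while one that also accepts "- -- " finds it at the same line; round-tripping through dash_unescape restores the original text exactly.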
Re: MIME or inline signature ?
des-apare.cido...@autistici.org writes:

> Maybe I cannot offer a big rule for THE preferred way. Jerry is right, but maybe we HAVE to deal with recipients who have no influence to take a mail client which is capable to handle PGP/MIME signatures properly. Then it is also MY problem.

I agree.

> With my PGP contacts I learned, that some can't handle PGP/MIME mails. The experience is, that the Addon Mailvelope (Firefox, Chrome) can't handle at all mails with attachment in PGP/MIME format. Also the Client K9 for smartphones.
>
> A compromise would be to set up per-recipient-rules in Enigmail to send inline mails to these contacts.

This is getting over complicated just to the purpose it deserves. Sadly.

-- 
Sent with my mu4e
Re: MIME or inline signature ?
On Thursday 12 February 2015 at 10:46:33 PM, in mid:m0vbj6n3xy@kcals.intra.maillard.im, Xavier Maillard wrote:

> in my quest of the perfect setup, I am asking myself what is the preferred way to sign a message: inline (like this one) or using a MIME header ?

My preference is Inline: I want everything right there in the message body where I can see it. Some people advocate PGP/MIME, which hides signatures and encrypted messages in attachments. Both standards are valid, neither is deprecated.

I have seen it advised to use Inline for initial contact, and switch to MIME only after establishing the recipient can cope with it. But I can't find the reference at the moment, and I think it may be outdated advice.

-- 
Best regards

MFPA                    mailto:2014-667rhzu3dc-lists-gro...@riseup.net

It is not necessary to have enemies if you go out of your way to make friends hate you.
Re: Key keeps showing unknown trust
On Thursday 12 February 2015 at 12:26:57 PM, in mid:87d25fz566@vigenere.g10code.de, Werner Koch wrote:

> Nope. You will never find a secring.kbc. 2.1 uses secring.gpg only in this way: If secring.gpg exists and the file .gpg-v21-migrated does not exist, the secret keys from secring.gpg are imported to private-keys-v1.d/ and .gpg-v21-migrated is created. The migrated keys are stored in a special intermediate format below private-keys-v1.d/ and converted to the final format as soon as you use that key and thus have to enter the passphrase (which is needed for re-encryption).

Thanks for the correction. I was confusing secret and public keyring files.

-- 
Best regards

MFPA                    mailto:2014-667rhzu3dc-lists-gro...@riseup.net

The problem is not that we're paranoid; it's that we're not paranoid enough.
Re: Tilde (~) in valid email address
On Fri 2015-02-13 19:54:44 -0500, bm-2ctjsegdfzqngqwuqjswro6jrwlc9b3...@bitmessage.ch wrote:
> When generating a uid for a key using gpg2 (2.0.25), and attempting to input an email address containing a tilde (~), I receive an invalid email error. There seems to be no way I can find to bypass this restriction, and use my invalid email.

have you tried adding the --expert flag when doing --gen-key?

if that doesn't work, have you looked into doing batch key creation? see the unattended key generation section of the manual for explanation of how to do that:

https://gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html

hth,

--dkg
Tilde (~) in valid email address
When generating a uid for a key using gpg2 (2.0.25), and attempting to input an email address containing a tilde (~), I receive an invalid email error. There seems to be no way I can find to bypass this restriction, and use my invalid email.

Such characters can be used in i2bote addresses, and when managing this i2p-based messaging service through a mail client like Thunderbird or Claws-mail, it would be nice to be able to auto-select recipients and keys via email address, and to be able to distribute my key with an accurate email bound to it.

I realize this situation is currently limited to a rather small set of users, though was wondering whether anyone knew how to force the use of such an invalid email, or whether it is worth eliminating this particular constraint on email formatting.

Cheers and thanks,
Re: Sign key with externalized master key
On Wed 2015-02-11 17:31:42 -0500, Xavier Maillard wrote:
> Daniel Kahn Gillmor d...@fifthhorseman.net writes:
>> The fact that you're using a FAT volume is the root cause here; FAT filesystems do not have ownership or permissions, so when a modern OS mounts them, it has to fake permissions for these files.
>
> Thank you for this precision. Are you aware of some portable and well supported by the 3-major OSes filesystem type ?

FAT, alas, is the portable filesystem that you're looking for. UDF, mentioned elsewhere in this thread, is a read-only filesystem, and i think it doesn't have ownership or permissions either.

I see two approaches:

 a) figure out how to get each operating system to mount the volume with tighter permissions

 b) convince gpg that looser permissions on fat32 filesystems are acceptable

I think (b) is the wrong way to go -- gpg is pointing out, rightly, that your sensitive data is exposed.

So that leaves (a), which probably needs to be fixed anyway. Your operating system is exposing sensitive data from your USB stick (which is supposed to be only yours, since you plugged it in while you were in control of the machine) to any other user account on the computer. Reporting this bug to your OS vendor would be a good thing, because it would help other users of the same OS.

--dkg
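To make the "your sensitive data is exposed" point concrete, here is an added example (not from the thread and not GnuPG's own permission-check code) that applies the same kind of test gpg's "unsafe permissions" warning is based on, ownership by another user or any group/other access bits on the home directory and the files in it, to two constructed directory trees: one shaped like a default world-readable vfat mount and one with tight permissions. It also builds the Linux vfat mount options (uid=, gid=, umask=) that implement approach (a) above; the directory layout, file names and the helper names are assumptions made for the demo.

```python
# Added example (not from the thread or from GnuPG's sources): a
# simplified version of the check behind gpg's "unsafe permissions"
# warning, plus the Linux vfat mount options for dkg's approach (a).
# Assumes POSIX stat() mode bits; everything else is constructed.
import os
import stat
import tempfile
from typing import Dict, List


def unsafe_permission_findings(homedir: str) -> List[str]:
    """Report what gpg would object to: ownership by another user, or any
    group/other access bits on the directory or the files inside it."""
    findings = []
    me = os.getuid()
    paths = [homedir] + [os.path.join(homedir, n) for n in sorted(os.listdir(homedir))]
    for path in paths:
        st = os.lstat(path)
        if st.st_uid != me:
            findings.append(f"unsafe ownership on {path}: uid {st.st_uid} != {me}")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"unsafe permissions on {path}: mode {stat.S_IMODE(st.st_mode):04o}")
    return findings


def vfat_mount_options(uid: int, gid: int) -> str:
    """Linux vfat mount options that hand the whole volume to one user:
    with umask=077 directories appear as 0700 and files as 0600, which is
    what approach (a) in the thread asks the OS to do."""
    return f"uid={uid},gid={gid},umask=077"


def demo() -> Dict[str, List[str]]:
    """Build two throwaway 'GNUPGHOME' trees: 'exposed' mimics a default
    vfat mount (0755 dirs, 0644 files); 'tight' is 0700/0600."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for name, dir_mode, file_mode in (("exposed", 0o755, 0o644), ("tight", 0o700, 0o600)):
            home = os.path.join(root, name)
            os.mkdir(home)
            keyfile = os.path.join(home, "secring.gpg")   # constructed file name
            with open(keyfile, "w") as fh:
                fh.write("not a real keyring\n")           # constructed content
            os.chmod(home, dir_mode)      # explicit chmod: mkdir is subject to umask
            os.chmod(keyfile, file_mode)
            results[name] = unsafe_permission_findings(home)
    return results


if __name__ == "__main__":
    for tree, findings in demo().items():
        print(f"{tree}: {findings or 'no findings'}")
    print("mount -t vfat -o", vfat_mount_options(os.getuid(), os.getgid()),
          "/dev/sdX1 /mnt/usb   # device and mount point are placeholders")
```

The "exposed" tree yields two findings (directory and keyring file), the "tight" tree none. The mount line is the Linux side of approach (a); the thread does not say what the equivalent is on the other operating systems, and the device path is a placeholder.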
Re: SSH generic socket forwarding for gpg-agent
On Thu 2014-12-04 03:23:52 -0500, Werner Koch wrote:
> On Tue, 11 Nov 2014 18:35, m...@monaco.cx said:
>> Does anyone have gpg-agent forwarding working with SSH's recent generic socket forwarding? Does it still require socat on one end, because I've only been able to specify a socket path on the left-hand side of the forwarding specification
>
> Yes, it works for me. However, I tested it with the current development version of 2.1 which adds an extra feature:
>
>   --extra-socket NAME
>     Also listen on native gpg-agent connections on the given socket. The intended use for this extra socket is to setup a Unix domain socket forwarding from a remote machine to this socket on the local machine. A gpg running on the remote machine may then connect to the local gpg-agent and use its private keys. This allows to decrypt or sign data on a remote machine without exposing the private keys to the remote machine.
>
> The documentation on how to use Unix domain sockets with ssh is a bit sparse. You probably want to use -o StreamLocalBindUnlink=yes when connecting to the remote host and you have to enable the forwarding features (look for Stream* options).

Encouraging this kind of use seems risky. I certainly wouldn't want to do it without being able to have gpg-agent prompt me on my local machine for each use of the key. Its current silent operation once the passphrase is cached seems ripe for abuse by anyone in control of the remote account.

Could gpg-agent have a setting (per-key? per-agent?) that would have it use pinentry for prompting?

The traditional argument against this sort of feature is that someone with control over your local socket would most likely have control over your graphical environment, and therefore could dismiss or hide any prompt that comes up (so the prompting is a false sense of security).

I'm not sure i buy this argument in general (i see it as defense-in-depth rather than a false sense of security, since it's one more hurdle the attacker needs to clear), but it certainly doesn't hold when there is a clear security boundary like gpg-agent forwarded over a network socket.

--dkg
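Putting Werner's description and dkg's concern side by side, the following configuration fragments are an added illustration (not from the thread, nor GnuPG's or OpenSSH's documentation) of the setup discussed: the local gpg-agent listens on the extra socket, ssh forwards that socket (not the main agent socket) to the remote host, and StreamLocalBindUnlink is set on both sides so a stale socket file does not block the bind. The user name, host name and socket paths are assumptions; the remote socket path assumes a 2.1 gpg that looks for S.gpg-agent in its home directory. The cache-ttl lines are the one mitigation available for the silent-use problem dkg raises: they bound how long a cached passphrase keeps the key usable from the remote side without a prompt.

```text
# --- local machine: ~/.gnupg/gpg-agent.conf (2.1 development version with --extra-socket) ---
extra-socket /home/alice/.gnupg/S.gpg-agent.extra
# Bound the window in which the remote side can use the key without a prompt
# (dkg's "silent operation once the passphrase is cached" concern):
default-cache-ttl 60
max-cache-ttl 600

# --- local machine: ~/.ssh/config ---
Host remote-box
    HostName remote.example.org
    # forward the restricted extra socket, never the main agent socket
    RemoteForward /home/alice/.gnupg/S.gpg-agent /home/alice/.gnupg/S.gpg-agent.extra
    # unlink a stale socket file on the remote side before binding (Werner's hint)
    StreamLocalBindUnlink yes

# --- remote machine: /etc/ssh/sshd_config (sshd must be restarted) ---
StreamLocalBindUnlink yes
```

With this in place, a gpg on remote-box talks to the local agent through the forwarded socket, and the private keys never leave the local machine; what does cross the boundary is the ability to sign or decrypt while the passphrase is cached, which is exactly why the TTLs are kept short and why a per-use confirmation, as dkg asks for, would be the stronger control.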
Re: Sign key with externalized master key
> FAT, alas, is the portable filesystem that you're looking for.

NTFS also works. Linux can read/write NTFS through NTFS-3G and FUSE, and a port exists for OS X as well. And yes, the stack is 100% libre. :)
Re: Sign key with externalized master key
The wikipedia article on UDF mentions write support in all major OSes. It also supports POSIX permissions.

On Fri, Feb 13, 2015 at 9:49 PM, Robert J. Hansen r...@sixdemonbag.org wrote:
>> FAT, alas, is the portable filesystem that you're looking for.
>
> NTFS also works. Linux can read/write NTFS through NTFS-3G and FUSE, and a port exists for OS X as well. And yes, the stack is 100% libre. :)