Re: Problems with cert validation via CRL

2017-02-20 Thread NIIBE Yutaka
Hello,

David Gray wrote:
> At the same time, I'm curious as to why the Ubuntu installation is
> validating the certificate as 'good' while the Windows installation is not -
> is this just because the Ubuntu installation was able to successfully
> validate the certificate in the past (presumably when a previous and
> non-problematic CRL was published)?  If the CA publishes an updated CRL that
> doesn't have issues, will my Windows installation be able to validate the
> certificate at that point?

Please note that my knowledge of gpgsm and X.509 is pretty much limited.

Do you have .gnupg/trustlist.txt on the Ubuntu machine?  It can be created
when you answer the dialog of gpgsm by pinentry interaction.
-- 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: GPG, subkeys smartcard and computer

2017-02-20 Thread Kristian Fiskerstrand
On 02/20/2017 05:49 PM, Peter Lebbing wrote:
> So perhaps one key per device is superior, also for detecting which client
> system was compromised by looking at the SSH auth logs on the server (supposing
> the attacker didn't gain root privileges and wiped his traces immediately). But
> I think it's not a very significant difference, or did I miss a scenario?

Revocation of the specific subkey is automatically picked up by all
systems due to automatic refresh of the public key on regular intervals,
without losing access to the system from non-compromised devices.

-- 

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Qui audet vincit
Who dares wins





Problems with cert validation via CRL

2017-02-20 Thread David Gray
Hello - new user here; this may be an obvious question but I haven't been
able to find the answer.  Ultimately, this may just highlight some of the
problems inherent in a hierarchical trust model.

I've got a free x.509 email certificate generated by Comodo.

I've got Ubuntu 16.04 LTS running a clean install, with gpg and gpgsm 2.1.11
installed.  I imported my certificate into my keychain using gpgsm a day or
two ago, and everything is working as expected - the certificate is
successfully validated, and I'm able to encrypt files using the public key
of this certificate, and decrypt them using the private key.

I've also got a Windows 10 machine - this computer had GPG4Win installed for
some time, but I've since uninstalled that, and removed all configuration
directories/files I could find.  I've installed GnuPG binary version 2.1.11,
and I've been able to successfully import my certificate into my keychain
this morning, and everything seems to work as expected - but the certificate
is not successfully validated under Windows.  As a result, I'm not able to
encrypt anything using the public key of this certificate.

I'm trying to figure out what is going on - it appears that there is a problem
validating the CRL available at the DP listed in my certificate regardless
of whether I run the fetch-url from Ubuntu or Windows - both output files
are attached.  Does this suggest a problem with the CRL that the CA has
published, or do I have something I need to adjust in my configs somewhere?

At the same time, I'm curious as to why the Ubuntu installation is
validating the certificate as 'good' while the Windows installation is not -
is this just because the Ubuntu installation was able to successfully
validate the certificate in the past (presumably when a previous and
non-problematic CRL was published)?  If the CA publishes an updated CRL that
doesn't have issues, will my Windows installation be able to validate the
certificate at that point?

I've replaced all the email addresses in the attached files with
'u...@domain.com'.

I appreciate any assistance you might be able to provide.  Thank you,

Dave

dave@dave-VirtualBox:~/.gnupg/crls.d$ dirmngr --debug-all --fetch-crl http://crl.comodoca.com/COMODOSHA256ClientAuthenticationandSecureEmailCA.crl
dirmngr[3184.0]: Note: no default option file '/home/dave/.gnupg/dirmngr.conf'
dirmngr[3184.0]: enabled debug flags: x509 crypto memory cache memstat hashing ipc lookup
dirmngr[3184.0]: permanently loaded certificates: 0
dirmngr[3184.0]: runtime cached certificates: 0
dirmngr[3184.0]: RESP: 'HTTP/1.1 200 OK'
dirmngr[3184.0]: RESP: 'Date: Mon, 20 Feb 2017 13:32:34 GMT'
dirmngr[3184.0]: RESP: 'Content-Type: application/x-pkcs7-crl'
dirmngr[3184.0]: RESP: 'Connection: close'
dirmngr[3184.0]: RESP: 'Set-Cookie: __cfduid=dba16ddf7e3474878a3bb0d6b4d273e9f1487597554; expires=Tue, 20-Feb-18 13:32:34 GMT; path=/; domain=.comodoca.com; HttpOnly'
dirmngr[3184.0]: RESP: 'Last-Modified: Sun, 19 Feb 2017 16:58:28 GMT'
dirmngr[3184.0]: RESP: 'ETag: W/"58a9ceb4-efab2"'
dirmngr[3184.0]: RESP: 'X-CCACDN-Mirror-ID: dwdccacrl10'
dirmngr[3184.0]: RESP: 'Cache-Control: public, max-age=14400'
dirmngr[3184.0]: RESP: 'CF-Cache-Status: HIT'
dirmngr[3184.0]: RESP: 'Expires: Mon, 20 Feb 2017 17:32:34 GMT'
dirmngr[3184.0]: RESP: 'Server: cloudflare-nginx'
dirmngr[3184.0]: RESP: 'CF-RAY: 334253495461246e-IAD'
dirmngr[3184.0]: RESP: ''
dirmngr[3184.0]: update times of this CRL: this=20170219T165828 next=20170223T165828
dirmngr[3184.0]: locating CRL issuer certificate by authorityKeyIdentifier
dirmngr[3184.0]: DBG: find_cert_bysubject: certificate not in cache
dirmngr[3184.0]: DBG: get_cert_local_ski called w/o context
dirmngr[3184.0]: DBG: find_cert_bysubject: certificate not returned by caller - doing lookup
dirmngr[3184.0]: error fetching certificate by subject: Configuration error
dirmngr[3184.0]: CRL issuer certificate {92616B82E1A2A0AA4FEC67F1C2A3F7B48000C1EC} not found
dirmngr[3184.0]: crl_parse_insert failed: Missing certificate
dirmngr[3184.0]: processing CRL from 'http://crl.comodoca.com/COMODOSHA256ClientAuthenticationandSecureEmailCA.crl' failed: Missing certificate

dave@dave-VirtualBox:~/.gnupg/crls.d$ gpgsm --debug-all --list-keys --with-validation
gpgsm: reading options from '/home/dave/.gnupg/gpgsm.conf'
gpgsm: enabled debug flags: x509 mpi crypto memory cache memstat hashing ipc
gpgsm: failed to open '/home/dave/.gnupg/policies.txt': No such file or directory
gpgsm: DBG: looking for parent certificate
gpgsm: DBG:   found via authid and keyid
gpgsm: DBG: got issuer's certificate:
gpgsm: DBG: BEGIN Certificate 'issuer':
gpgsm: DBG:      serial: 01
gpgsm: DBG:   notBefore: 2000-05-30 10:48:38
gpgsm: DBG:    notAfter: 2020-05-30 10:48:38
gpgsm: DBG:      issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
gpgsm: DBG:     subject: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust 

Re: GPG, subkeys smartcard and computer

2017-02-20 Thread Peter Lebbing
On 20/02/17 16:25, Kristian Fiskerstrand wrote:
> Wouldn't consider this accurate, the typical use case for multiple A
> subkeys is per-device usage, explicitly to avoid having to revoke all if
> one is compromised.

Well, if you use only one, "revoke all" is still "revoke one" ;). It's not the
revocation step that gets any bigger, it's just that you need to roll out the
new key to all your client systems instead of just the server systems.
Personally, the number of server systems I use is way larger than the number of
client systems. Overall, I don't think it's that much more work, given it's a
rare occurrence anyway (I hope).

With A per system:

1) Create new key on compromised system
2) Roll out new key to all server systems
3) Revoke old key on all server systems

With just one A:

1) Create new key
2) Roll out new key to all client systems
3) Roll out new key to all server systems
4) Revoke old key on all server systems

Steps 3 and 4 are more work than step 2. I have login credentials for at least
11 systems off the top of my head, yet only 3 client devices I regularly use [1].

When all your server systems automatically pick up on OpenPGP auth subkeys from
a keyserver, or when you use OpenSSH's CA mechanism, steps 3) and 4) are pretty
much automatic, in which case indeed step 2) would dominate and one key per
device once again wins.

So perhaps one key per device is superior, also for detecting which client
system was compromised by looking at the SSH auth logs on the server (supposing
the attacker didn't gain root privileges and wiped his traces immediately). But
I think it's not a very significant difference, or did I miss a scenario?

My 2 cents,

Peter.

[1] However, I have four different auth keys on those clients, three on-disk,
one per system and one smartcard I only use on a single one of those systems. I
actually use one key per client, but note that I don't have multiple A-capable
OpenPGP subkeys. All my on-disk keys are just regular ol' OpenSSH keys, and I
think then one key per device is a much cleaner setup indeed.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 
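
Added example (not part of the message above, and not GnuPG or OpenSSH code): one way to do the attribution discussed in this thread, matching the key fingerprint in sshd's "Accepted publickey" log lines against per-device keys in authorized_keys. The key blobs, device labels, addresses and log lines are constructed for illustration, and the sketch assumes authorized_keys entries without an options prefix.

```python
import base64
import hashlib
import re
from collections import defaultdict

def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of SHA-256(key blob)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def load_devices(authorized_keys):
    """Map fingerprint -> device label (comment field of 'type blob comment')."""
    devices = {}
    for line in authorized_keys.splitlines():
        parts = line.split()
        if len(parts) >= 3 and not parts[0].startswith("#"):
            devices[fingerprint(parts[1])] = parts[2]
    return devices

ACCEPTED = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2: "
    r"\S+ (?P<fp>SHA256:\S+)")

def sources_by_device(log_text, devices):
    """For each device key, collect the source addresses it logged in from."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            seen[devices.get(m["fp"], "unknown-key")].add(m["ip"])
    return dict(seen)

def devices_seen_from(log_text, devices, ip):
    """Which device keys were used from a given (suspicious) address."""
    return {dev for dev, ips in sources_by_device(log_text, devices).items()
            if ip in ips}

# Constructed sample data: the blobs are placeholder bytes, not real keys.
def _blob(tag):
    return base64.b64encode(b"constructed-key-blob-" + tag).decode()

AUTHORIZED_KEYS = ("ssh-ed25519 " + _blob(b"laptop") + " laptop\n"
                   "ssh-ed25519 " + _blob(b"desktop") + " desktop\n")
DEVICES = load_devices(AUTHORIZED_KEYS)
FP = {label: fp for fp, label in DEVICES.items()}

AUTH_LOG = "\n".join([
    "Feb 20 09:01:12 srv sshd[811]: Accepted publickey for peter from "
    "192.0.2.10 port 50122 ssh2: ED25519 " + FP["laptop"],
    "Feb 20 09:05:40 srv sshd[845]: Accepted publickey for peter from "
    "192.0.2.11 port 50410 ssh2: ED25519 " + FP["desktop"],
    "Feb 20 23:14:07 srv sshd[902]: Accepted publickey for peter from "
    "198.51.100.77 port 40022 ssh2: ED25519 " + FP["laptop"],
    "Feb 20 23:15:00 srv sshd[903]: Failed password for root from "
    "198.51.100.77 port 40030 ssh2",
])

if __name__ == "__main__":
    print(sources_by_device(AUTH_LOG, DEVICES))
    print(devices_seen_from(AUTH_LOG, DEVICES, "198.51.100.77"))
```

For real keys, `ssh-keygen -lf ~/.ssh/authorized_keys` prints the same SHA256 fingerprints that sshd writes to its log.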





Re: GPG, subkeys smartcard and computer

2017-02-20 Thread Personal (open)
 

On 20.02.2017 15:25, Kristian Fiskerstrand wrote: 

> On 02/19/2017 01:45 PM, Andrew Gallagher wrote:
> 
>> And in the case of A and S, there's next to no benefit - if one of your
>> subkeys is lost you should revoke it immediately anyway
> 
> Wouldn't consider this accurate, the typical use case for multiple A
> subkeys is per-device usage, explicitly to avoid having to revoke all if
> one is compromised.

Another use-case would be using rsa and ecc (ecc on the laptop/desktop
and rsa subs on the smartcard).

Sent via webmail, pardon lack of a gpg signature.
-- 

Corey W Sheldon
ph: +1 (310).909.7672
0x8B4E89435A88E539 0x59276298D2264944

Freelance IT Consultant, Multi-Discipline Tutor
Fedora AmbaNA (linuxmodder)
Ameridea LLC Founder, President

Find me elsewhere:
https://gist.github.com/linux-modder/ac5dc6fa211315c633c9

"One must never underestimate the power of boredom...from which
creativity and laziness are borne, which can spark great works of chaos
and genius." --Anonymous

"Any man willing to retreat freedom for security is deserving of
neither." (Pp) -- Benjamin Franklin. 



Re: Hybrid keysigning party, your opinion?

2017-02-20 Thread Peter Lebbing
On 19/02/17 21:16, Nils Vogels wrote:
> I'll read up on this thread from the archives, but I'm exploring possibilities
> to enhance the FOSDEM format with the use of QR for on-the-spot signing for
> those who want to and don't mind having signatures submitted by signers to
> keyservers.

Thank you for organizing a party! I'm definitely up for assisting with the
organization.

I'd first have to look up on the FOSDEM format. The QR codes are indeed a nice
addition, however, it is inherently restricted to just a part of the attendees.
I don't trust my phone with my certifications, and holding a laptop with webcam
is really awkward and I might even drop it.

Normally I'd leave my certification-capable smartcard at home as well.

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: GPG, subkeys smartcard and computer

2017-02-20 Thread Kristian Fiskerstrand
On 02/19/2017 01:45 PM, Andrew Gallagher wrote:
> And in the case of A and S, there's next to no benefit - if one of your
> subkeys is lost you should revoke it immediately anyway

Wouldn't consider this accurate, the typical use case for multiple A
subkeys is per-device usage, explicitly to avoid having to revoke all if
one is compromised.

-- 

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Qui audet vincit
Who dares wins





Re: powertop(8) Points at gpg-agent.

2017-02-20 Thread Ralph Corderoy
Hi Werner,

> > the forking of two siblings to have a `GETINFO pid' chat every
> > minute.
>
> What you see are not new processes but merely two threads every
> minute.

Yes, sorry, I saw the clone(2) and translated to fork.

> --disable-check-own-socket can be used to disable this feature.

Thanks.  In Arch's 2.1.18-1's agent/gpg-agent.c's handle_connections(),
I see

if (disable_check_own_socket)
  my_inotify_fd = -1;
else if ((err = gnupg_inotify_watch_socket (&my_inotify_fd, socket_name)))

and my_inotify_fd is used with select(2).  Does the per minute sibling
thread chat still need to occur in that case?

> > # define TIMERTICK_INTERVAL  (2)
>
> I have not changed that interval because it is useful when you are
> using smartcards.  What it does is to check the aliveness of scdaemon
> by doing a waitpid (pid, NULL, WNOHANG).

I don't see a system call with strace for that waitpid though?

$ strace -tt -f gpg-agent --daemon
...
13:29:23.845564 inotify_init()  = 7
13:29:23.845704 inotify_add_watch(7, "/run/user/1000/gnupg", IN_DELETE|IN_DELETE_SELF|IN_EXCL_UNLINK) = 1
13:29:23.845955 pselect6(8, [3 4 5 6 7], NULL, NULL, {tv_sec=1, tv_nsec=98782}, {[], 8}) = 0 (Timeout)
13:29:25.848353 pselect6(8, [3 4 5 6 7], NULL, NULL, {tv_sec=2, tv_nsec=30747}, {[], 8}) = 0 (Timeout)
13:29:27.850760 pselect6(8, [3 4 5 6 7], NULL, NULL, {tv_sec=2, tv_nsec=1343}, {[], 8}) = 0 (Timeout)
13:29:29.853172 pselect6(8, [3 4 5 6 7], NULL, NULL, {tv_sec=2, tv_nsec=1218}, {[], 8}) = 0 (Timeout)
13:29:31.855622 pselect6(8, [3 4 5 6 7], NULL, NULL, {tv_sec=2, tv_nsec=1263}, {[], 8}) = 0 (Timeout)
13:29:33.858052 pselect6(8, [3 4 5 6 7], NULL, NULL, {tv_sec=2, tv_nsec=1409}, {[], 8}) = 0 (Timeout)

Does --disable-scdaemon mean the check isn't needed and select(2) can
stretch to the next longer timeout?

Either way, if the waitpid(WNOHANG) really is happening and strace isn't
showing it, then could a thread not be dedicated to a hanging waitpid(),
with it sending a message on a file descriptor back to the main thread's
select()?

> Not really resource intensive.

No, I agree the work done isn't heavy;  it's the regular periodic
short-term wake-up that's a bit of a pain.

> Note that gpg-agent makes sure that the tick happens on the full
> second

Noted.  Though those `-tt' times from strace above have it creeping
forward, off the second?

-- 
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy



Re: GPG, subkeys smartcard and computer

2017-02-20 Thread Stefano Tranquillini
Hi,
Things are getting clearer now, the fact is: subkeys are not related and
basically only the last generated is used. I misunderstood this step.
I need an Auth subkey on the smartcard because I've set up the server to
access ssh only via a key. If I'm not at my pc I can't access the server,
and this may be a problem. However, with a smartcard I may overcome the
problem by using any pc.
It is probably the same as having an ssh key stored on a usb and using it when
I'm not on my laptop (and throwing it away afterward, just in case). But this
is outside the gpg list ;)

On Mon, Feb 20, 2017 at 1:14 AM, MFPA <2014-667rhzu3dc-lists-groups@riseup.net> wrote:

> Hi
>
>
> On Sunday 19 February 2017 at 2:58:56 PM, in
> , Damien
> Goutte-Gattat wrote:-
>
>
> > Disclaimer: I am not advocating such a setup, that I
> > don't even actually use.
>
> I use that setup. Last I heard, message recipients who use
> Enigmail/Thunderbird only see the verification result of one of the
> signatures. Which one they see depends on the order of the two
> local-user lines in my gpg.conf file, so if I have them in the "wrong"
> order an Enigmail/Thunderbird user whose GnuPG is not version 2.1.x
> will not see report of a valid signature.
>
>
> - --
> Best regards
>
> MFPA  
>
> The trouble with words is that you never know whose mouths they've been in.



-- 
Stefano


Re: powertop(8) Points at gpg-agent.

2017-02-20 Thread Werner Koch
On Fri, 17 Feb 2017 14:59, ra...@inputplus.co.uk said:

> gnupg 2.1.18-1 on Arch Linux.  I noticed powertop ranking the
> gpg-agents, one per user, quite highly, and their impact is multiplied
> by their number.  strace(1) showed the two-second select(2) timing out
> with no syscalls in between, and the forking of two siblings to have a
> `GETINFO pid' chat every minute.

What you see are not new processes but merely two threads every minute.
One for doing the client part and one for the server part.  Thus resource
usage is minimal.  --disable-check-own-socket can be used to disable
this feature.

> # define TIMERTICK_INTERVAL  (2)

I have not changed that interval because it is useful when you are using
smartcards.  What it does is to check the aliveness of scdaemon by doing
a waitpid (pid, NULL, WNOHANG).  Not really resource intensive.  Going
down to 5 seconds would be okay but more will lead to problems with
other applications which want to use a card reader.

> Are there any plans to make gpg-agent consume less background resources?
> It remains running here when a user logs out.  Is that common?  A
> variety of users logging in over time divides TIMERTICK_INTERVAL quite a

Note that gpg-agent makes sure that the tick happens on the full second
so that gpg-agent will wake up at the same time as other background
processes wake up.

I doubt that gpg-agent is in any way a resource hog even on a real
multi-user system.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.

