Re: Houston, we have a problem

2017-09-22 Thread Guilhem Moulin
On Fri, 22 Sep 2017 at 22:32:37 +0200, Kristian Fiskerstrand wrote:
> And what happens if you do gpg --import-options import-clean --recv-key
> ? is the bad MPI value sigs removed or still there in that case?

Should be `gpg --keyserver-options import-clean --recv-key $keyid`; or
alternatively, `gpg --edit-key $keyid clean save` if you want to do it
offline.  Both commands remove these “Bad MPI value” sigs here (2.2.1),
and `--check-sigs` reports that all remaining signatures are indeed
valid.

-- 
Guilhem.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
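
The check-then-clean procedure from this thread, as an added example (not code from any poster): it classifies the certification records in `gpg --check-sigs --with-colons` output by the validity flag in field 2 (`!` good, `-` bad, `?` no public key, `%` other error, as documented in GnuPG's doc/DETAILS). The listing and key IDs are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Real use:
#   gpg --check-sigs --with-colons "$keyid" | report "$keyid"

# Constructed sample listing (not real keys): three good certifications and
# two that could not be checked, mirroring the "3 correct, 2 not checked"
# report in the thread. The 18x subkey binding is not a certification.
sample_listing() {
cat <<'EOF'
pub:-:2048:1:AAAAAAAAAAAAAAAA:1506000000:::-:::scESC::::::23::0:
uid:-::::1506000000::0123456789ABCDEF0123456789ABCDEF01234567::Erika Mustermann <erika@example.org>::::::::::0:
sig:!::1:AAAAAAAAAAAAAAAA:1506000000::::Erika Mustermann <erika@example.org>:13x:::::8:
sig:!::1:BBBBBBBBBBBBBBBB:1506000100::::Constructed Signer B <b@example.org>:10x:::::8:
sig:!::1:CCCCCCCCCCCCCCCC:1506000200::::Constructed Signer C <c@example.org>:10x:::::8:
sig:%::1:DDDDDDDDDDDDDDDD:1506000300::::[User ID not found]:13x:::::8:
sig:%::1:EEEEEEEEEEEEEEEE:1506000400::::[User ID not found]:13x:::::8:
sub:-:2048:1:FFFFFFFFFFFFFFFF:1506000000::::::e::::::23:
sig:!::1:AAAAAAAAAAAAAAAA:1506000000::::Erika Mustermann <erika@example.org>:18x:::::8:
EOF
}

# Count certifications (signature classes 10x-13x, field 11) per validity flag.
sig_summary() {
    awk -F: '
        $1 == "sig" && $11 ~ /^1[0-3]/ {
            if      ($2 == "!") good++
            else if ($2 == "-") bad++
            else if ($2 == "?") nokey++
            else if ($2 == "%") error++
        }
        END { printf "good=%d bad=%d nokey=%d error=%d\n", good, bad, nokey, error }
    '
}

# Print the issuer key ID (field 5) of every certification that failed
# verification, either as a bad signature or with another error.
suspect_signers() {
    awk -F: '$1 == "sig" && $11 ~ /^1[0-3]/ && ($2 == "-" || $2 == "%") { print $5 }'
}

# Exit status 0 when at least one certification is bad or erroneous.
needs_clean() {
    [ -n "$(suspect_signers)" ]
}

# Summarise a listing read from stdin; $1 is the key ID used in the advice.
report() {
    listing=$(cat)
    printf '%s\n' "$listing" | sig_summary
    if printf '%s\n' "$listing" | needs_clean; then
        echo "unverifiable certifications claim issuer(s):" \
             "$(printf '%s\n' "$listing" | suspect_signers | tr '\n' ' ')"
        echo "offline fix:  gpg --edit-key $1 clean save"
        echo "on refresh:   gpg --keyserver-options import-clean --recv-key $1"
    fi
}

sample_listing | report AAAAAAAAAAAAAAAA
```

`clean` and `import-clean` also drop certifications issued by keys that are not on the local keyring, so the count of remaining signatures can fall for reasons other than forgery.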


Re: Houston, we have a problem

2017-09-22 Thread Stefan Claas
On Fri, 22 Sep 2017 23:16:55 +0200, Guilhem Moulin wrote:
> On Fri, 22 Sep 2017 at 22:32:37 +0200, Kristian Fiskerstrand wrote:
> > And what happens if you do gpg --import-options import-clean
> > --recv-key ? is the bad MPI value sigs removed or still there in
> > that case?  
> 
> Should be `gpg --keyserver-options import-clean --recv-key $keyid`; or
> alternatively, `gpg --edit-key $keyid clean save` if you want to do it
> offline.  Both commands remove these “Bad MPI value” sigs here
> (2.2.1), and `--check-sigs` reports that all remaining signatures are
> indeed valid.

That did the trick. Thanks a lot! :-)

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas



Re: Houston, we have a problem

2017-09-22 Thread Stefan Claas
On Fri, 22 Sep 2017 22:52:13 +0200, Kristian Fiskerstrand wrote:
> On 09/22/2017 10:48 PM, Stefan Claas wrote:
> > On Fri, 22 Sep 2017 22:32:37 +0200, Kristian Fiskerstrand wrote:  
> 
> 
> >>> And in place of the fake sigs it says erroneous MPI value. :-)
> >>
> >> And what happens if you do gpg --import-options import-clean
> >> --recv-key ? is the bad MPI value sigs removed or still there in
> >> that case?  
> > 
> > Unfortunately still there.  
> 
> Well, it doesn't really do anything, as the signature will be checked
> when calculating the trust database for the web of trust, but indeed,
> need to use --check-sigs explicitly in your use case then.

O.k. and thanks a lot for your help!

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas



Re: Houston, we have a problem

2017-09-22 Thread Kristian Fiskerstrand
On 09/22/2017 10:48 PM, Stefan Claas wrote:
> On Fri, 22 Sep 2017 22:32:37 +0200, Kristian Fiskerstrand wrote:


>>> And in place of the fake sigs it says erroneous MPI value. :-)  
>>
>> And what happens if you do gpg --import-options import-clean
>> --recv-key ? is the bad MPI value sigs removed or still there in that
>> case?
> 
> Unfortunately still there.

Well, it doesn't really do anything, as the signature will be checked
when calculating the trust database for the web of trust, but indeed,
need to use --check-sigs explicitly in your use case then.

-- 

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Potius sero quam numquam
Better late than never





Re: Houston, we have a problem

2017-09-22 Thread Stefan Claas
On Fri, 22 Sep 2017 22:32:37 +0200, Kristian Fiskerstrand wrote:
> On 09/22/2017 10:29 PM, Stefan Claas wrote:
> > On Fri, 22 Sep 2017 22:17:17 +0200, Kristian Fiskerstrand wrote:  
> >> On 09/22/2017 10:08 PM, Stefan Claas wrote:
> >>> Thanks for the information! Can you tell me please how to import
> >>> a pub key with a local client, so that invalid data gets removed
> >>> automatically? When doing a gpg --receive-key key-id the fake data
> >>> is not removed.  
> >>
> >> What does gpg --check-sigs  report?
> > 
> > Ah... it reports (in german) 3 correct sigs and 2 not checked
> > because of errors.
> > 
> > And in place of the fake sigs it says erroneous MPI value. :-)  
> 
> And what happens if you do gpg --import-options import-clean
> --recv-key ? is the bad MPI value sigs removed or still there in that
> case?

Unfortunately still there.

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas



gpg-agent UI when waiting for smart card touch?

2017-09-22 Thread David Mandelberg

Hi,

I'm using gpg-agent with Yubikeys configured to require a physical touch 
before performing operations. Is there any way to get gpg-agent to 
display something on screen when it's waiting for me to touch the 
Yubikey? (Otherwise, I sometimes don't realize it's waiting for 
anything, and the operation times out.)


--
Freelance cyber security consultant, software developer, and more
https://david.mandelberg.org/



Re: Houston, we have a problem

2017-09-22 Thread Kristian Fiskerstrand
On 09/22/2017 10:29 PM, Stefan Claas wrote:
> On Fri, 22 Sep 2017 22:17:17 +0200, Kristian Fiskerstrand wrote:
>> On 09/22/2017 10:08 PM, Stefan Claas wrote:  
>>> Thanks for the information! Can you tell me please how to import
>>> a pub key with a local client, so that invalid data gets removed
>>> automatically? When doing a gpg --receive-key key-id the fake data
>>> is not removed.
>>
>> What does gpg --check-sigs  report?  
> 
> Ah... it reports (in german) 3 correct sigs and 2 not checked because of
> errors.
> 
> And in place of the fake sigs it says erroneous MPI value. :-)

And what happens if you do gpg --import-options import-clean --recv-key
? is the bad MPI value sigs removed or still there in that case?


-- 

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Veni, vidi, vacatum
I came, I saw, I left





Houston, we have a problem

2017-09-22 Thread Stefan Claas
On Fri, 22 Sep 2017 22:17:17 +0200, Kristian Fiskerstrand wrote:
> On 09/22/2017 10:08 PM, Stefan Claas wrote:  
> > Thanks for the information! Can you tell me please how to import
> > a pub key with a local client, so that invalid data gets removed
> > automatically? When doing a gpg --receive-key key-id the fake data
> > is not removed.
> 
> What does gpg --check-sigs  report?  

Ah... it reports (in german) 3 correct sigs and 2 not checked because of
errors.

And in place of the fake sigs it says erroneous MPI value. :-)

Regards
Stefan 

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas



Re: gpg 2.1.19 fails to generate key pair

2017-09-22 Thread Matthias Apitz

it works with:

phablet@ubuntu-phablet-bq:~$ ./gpg2.sh --version
gpg-agent[28499]: enabled debug flags: mpi crypto memory cache memstat hashing ipc
gpg-agent: a gpg-agent is already running - not starting a new one
gpg-agent: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
  outmix=0 getlvl1=0/0 getlvl2=0/0
gpg-agent: secmem usage: 0/32768 bytes in 0 blocks
gpg (GnuPG) 2.2.1
libgcrypt 1.8.1
...


phablet@ubuntu-phablet-bq:~$ ~/gpg2.sh --full-generate-key
...
  ┌──┐
  │ Please re-enter this passphrase  │
  │  │
  │ Passphrase: ***_ │
  │  │
  │  │
  └──┘

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /home/phablet/.gnupg/trustdb.gpg: trustdb created
gpg: key 3FECB79DDDA409E4 marked as ultimately trusted
gpg: directory '/home/phablet/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/phablet/.gnupg/openpgp-revocs.d/41E0B3688FDD76C9337ECD873FECB79DDDA409E4.rev'
public and secret key created and signed.

pub   rsa2048 2017-09-22 [SC]
  41E0B3688FDD76C9337ECD873FECB79DDDA409E4
uid  Matthias Apitz (test) 
sub   rsa2048 2017-09-22 [E]

-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/  ☎ 
+49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub



Re: Houston, we have a problem

2017-09-22 Thread Kristian Fiskerstrand
On 09/22/2017 10:08 PM, Stefan Claas wrote:
> Thanks for the information! Can you tell me please how to import
> a pub key with a local client, so that invalid data gets removed
> automatically? When doing a gpg --receive-key key-id the fake data
> is not removed.

What does gpg --check-sigs  report?

-- 

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Primum ego, tum ego, deinde ego
First I, then I, thereafter I.





Re: automatic conversion from keyring to keybox files?

2017-09-22 Thread Daniel Kahn Gillmor
On Thu 2017-09-21 23:47:14 +0100, MFPA wrote:
> Now that the upgrade path for GnuPG 2.0.x users is to 2.2.x versions,
> will be there any automatic conversion from keyring to keybox files,
> either offered by the installer or available as a command?

On debian systems, you can run:

 migrate-pubring-from-classic-gpg

And it should handle things sanely.

--dkg




Re: Houston, we have a problem

2017-09-22 Thread Stefan Claas
On Fri, 22 Sep 2017 21:40:41 +0200, Kristian Fiskerstrand wrote:
> On 09/22/2017 09:34 PM, Stefan Claas wrote:
> >>> O.k. i just tested a bit and this is a bug in the Web Interface
> >>> and in GnuPG's CLI Interface. 
> >> I don't see a bug here.  
> > Now i am a bit confused... Then maybe a "funny" design flaw? I mean
> > what should users unfamiliar with the whole WoT procedure may
> > think when seeing a fake "sig3" (which they may not spot) and then
> > clicking on the key-id in question, which then links to the original
> > key?
> >   
> 
> No, it's not a design flaw, it is valid design. OpenPGP keyblock
> information is based on an object based security model where packets
> are added, but don't carry any meaning until the signature has been
> verified. The public keyserver network is by design not a trusted
> third party, and can not be, so keyblock needs to be imported using a
> local client at which point invalid data, including invalid
> signatures, results in discarding of the data, which would filter out
> the signature in this case.
> 
> So all is as it is supposed to be

Thanks for the information! Can you tell me please how to import
a pub key with a local client, so that invalid data gets removed
automatically? When doing a gpg --receive-key key-id the fake data
is not removed.

Regards
Stefan


-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas



Re: Houston, we have a problem

2017-09-22 Thread Kristian Fiskerstrand
On 09/22/2017 09:40 PM, Kristian Fiskerstrand wrote:
> So all is as it is supposed to be

Just to add, the alternative if not considering WoT is a direct
validation structure, a user in this case should only (locally) sign
keyblock information of communication peers after a direct fingerprint
exchange in person, that removes any need for adding ownertrust to keys
not your own and simplifies the model.

-- 

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Nunc aut numquam
Now or never





Re: Houston, we have a problem

2017-09-22 Thread Kristian Fiskerstrand
On 09/22/2017 09:34 PM, Stefan Claas wrote:
>>> O.k. i just tested a bit and this is a bug in the Web Interface
>>> and in GnuPG's CLI Interface.   
>> I don't see a bug here.
> Now i am a bit confused... Then maybe a "funny" design flaw? I mean
> what should users unfamiliar with the whole WoT procedure may
> think when seeing a fake "sig3" (which they may not spot) and then
> clicking on the key-id in question, which then links to the original
> key?
> 

No, it's not a design flaw, it is valid design. OpenPGP keyblock
information is based on an object based security model where packets are
added, but don't carry any meaning until the signature has been
verified. The public keyserver network is by design not a trusted third
party, and can not be, so keyblock needs to be imported using a local
client at which point invalid data, including invalid signatures,
results in discarding of the data, which would filter out the signature
in this case.

So all is as it is supposed to be

-- 

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

"By three methods we may learn wisdom: First, by reflection, which is
noblest; Second, by imitation, which is easiest; and third by
experience, which is the bitterest."
(Confucius)





Re: Houston, we have a problem

2017-09-22 Thread Stefan Claas
On Fri, 22 Sep 2017 20:29:07 +0200, Werner Koch wrote:
> On Fri, 22 Sep 2017 19:23, stefan.cl...@posteo.de said:
> 
> > O.k. i just tested a bit and this is a bug in the Web Interface
> > and in GnuPG's CLI Interface.   
> 
> I don't see a bug here.

Now i am a bit confused... Then maybe a "funny" design flaw? I mean
what should users unfamiliar with the whole WoT procedure may
think when seeing a fake "sig3" (which they may not spot) and then
clicking on the key-id in question, which then links to the original
key?

> However, given that you use Posteo, you are in the good position to
> use the Web Key Directory feature.  This requires 2.2.1 because we
> had to add some workaround for key upload due to changes at Posteo
> which we didn't catch earlier.  So people sending mail to you using
> a GnuPG 2.2 would find your key instantly.  It is not there right now:
> 
>   /usr/local/libexec/gpg-wks-client -v --check stefan.claas at posteo
> de gpg-wks-client: public key for 'stefan.cl...@posteo.de' NOT found
> via WKD

Well, as i mentioned previously i no longer have access to my key,
due to my stupidness. I may consider to create a new one for posteo
usage, but this may take a while.
 
> You may use the latest Enigmail or Kmail to automate the upload but
> you can also use Posteo's Web interface to upload the key.  But take
> care: Posteo does not allow a Name in the user id, only the mail
> address (addr-spec) is allowed.  Thus you need to add a second user
> id with just your mailaddress and use gpg's filter stuff to export
> only that UID. GnuPG 2.2.1 automates that task and creates another
> user if needed.
> 
> If you want to test this feature you may send a mail to clara.chefin
> at posteo de, which is a test account of us.  (You can also write to
> the owner of Posteo to ask him why they still have an invalid
> certificate for posteo.net addresses ;-).

O.k thanks for the info. When time permits i will check this out.

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas



Re: Houston, we have a problem

2017-09-22 Thread Werner Koch
On Fri, 22 Sep 2017 19:23, stefan.cl...@posteo.de said:

> O.k. i just tested a bit and this is a bug in the Web Interface and in
> GnuPG's CLI Interface. 

I don't see a bug here.

However, given that you use Posteo, you are in the good position to use
the Web Key Directory feature.  This requires 2.2.1 because we had to
add some workaround for key upload due to changes at Posteo which we
didn't catch earlier.  So people sending mail to you using a GnuPG 2.2
would find your key instantly.  It is not there right now:

  /usr/local/libexec/gpg-wks-client -v --check stefan.claas at posteo de
  gpg-wks-client: public key for 'stefan.cl...@posteo.de' NOT found via WKD

You may use the latest Enigmail or Kmail to automate the upload but you
can also use Posteo's Web interface to upload the key.  But take care:
Posteo does not allow a Name in the user id, only the mail address
(addr-spec) is allowed.  Thus you need to add a second user id with just
your mailaddress and use gpg's filter stuff to export only that UID.
GnuPG 2.2.1 automates that task and creates another user if needed.

If you want to test this feature you may send a mail to clara.chefin at
posteo de, which is a test account of us.  (You can also write to the
owner of Posteo to ask him why they still have an invalid certificate
for posteo.net addresses ;-).

>
> Regards
> Stefan

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: gpg 2.1.19 fails to generate key pair

2017-09-22 Thread Werner Koch
On Fri, 22 Sep 2017 17:24, g...@unixarea.de said:

> I instructed via gpg-agent.conf the gpg-agent to do a debug log which
> follows. The proc gpg-agent crashes with SIG_BUS.

That is why you see an EOF error from gpg.

We did a few more releases after 2.1.19, which was released on March 1.
Not all fixed bugs are noted in the NEWS and it is also possible that
the SIGBUS comes from Libgcrypt.  (run gpg-agent --version to see the
version of Libgcrypt).

Please first try to build with a recent version (2.2.1 is current but
2.1.23 should be okay) and the latest version of the respective
Libgcrypt branch.  That would be easier for us than to try to figure out
a bug we might have already fixed.

What OS and which platform are you using?  I assume it is a BSD (or
Plan-9 ;-).


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: Houston, we have a problem

2017-09-22 Thread Stefan Claas
On Thu, 21 Sep 2017 16:44:57 +0200, Stefan Claas wrote:
> Hi all,
> 
> http://pgp.zdv.uni-mainz.de:11371/pks/lookup?op=vindex=Erika+Mustermann
> 
> Question for the experts, how can a casual or new GnuPG user, like
> Alice and Bob, detect a Signature forgery on a pub key, when using
> Web based key servers?
> 
> Note for native English speakers, Erika Mustermann is well known among
> german users, same as Jon Doe.

O.k. i just tested a bit and this is a bug in the Web Interface and in
GnuPG's CLI Interface. 

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas



Use of Passphrase Callback

2017-09-22 Thread SHARMA Sandhya (MORPHO)
Hello,

I am using GnuPG on Windows and want to use the "Passphrase Callback"
functionality to input the password for a private key.
My current lines of code are:
error = gpgme_set_pinentry_mode(context,GPGME_PINENTRY_MODE_LOOPBACK);
gpgme_passphrase_cb_t func = _callback;
gpgme_pinentry_mode_t pinMode =  gpgme_get_pinentry_mode(context);
void *pp = 0;
gpgme_set_passphrase_cb(context,func,pp);

and the declaration of gpgme_passphrase_cb_t is
gpgme_error_t passphrase_callback(void *opaque, const char *uid_hint, const char *desc,int prev_was_bad, int fd)

but the breakpoint on this function never hits.
Kindly provide help on this or any example used to implement the Passphrase
Callback.



Thanks & Regards,
Sandhya Sharma



Re: Prince Jones v US

2017-09-22 Thread Kristian Fiskerstrand
On 09/22/2017 11:55 AM, Jerry wrote:
> Can you cite the case #. All I could find is an old "local appeals court in
> Washington, D.C." ruling. I found nothing under the US Supreme Court.

See https://www.dccourts.gov/sites/default/files/2017-09/15-CF-322.pdf

DISTRICT OF COLUMBIA COURT OF APPEALS
No. 15-CF-322
09/21/2017
PRINCE JONES, APPELLANT,
V.
UNITED STATES, APPELLEE.
Appeal from the Superior Court
of the District of Columbia
(CF1-18140-13)

-- 

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

"Great things are not accomplished by those who yield to trends and fads
and popular opinion."
(Jack Kerouac)





Re: OT: Which smartphone would you use

2017-09-22 Thread Franck Routier
Hi, Jolla did an official port of SailfishOS to Sony Xperia X hardware. 
It's about one year old, but you still can get one in Europe for around 
300€.


Then you'll have to buy (49€) a Sailfish for Xperia license, and install 
it. The only point is the image is not yet available for purchase,
but it should be a matter of days...


See https://blog.jolla.com/sailfishx/


Regards,

Franck


On 21/09/2017 at 19:33, Thomas Hejze wrote:
> On Tuesday, 19 September 2017, 13:44:53 CEST, Andreas Ronnquist wrote:
>
> > If I had the money, I would pledge for one of these:
> >
> > https://puri.sm/shop/librem-5/
>
> That project looks promising, however, I fear I am not able to spend $924.000
> for my smartphone ;-)
>
> Anyway that is what I am looking for, I hope they will make it. Nevertheless,
> even then it will take at least one year for them to bring their product to
> the market.
>
> Looking at Tizen, Jolla, Firefox OS and Ubuntu Touch, I start to worry for the
> future of Open Source. Isn't there a business case for a FOSS smartphone?
>
> Best regards
> Thomas



Re: Houston, we have a problem

2017-09-22 Thread Stefan Claas



On 22.09.2017 at 02:37, Ángel wrote:
> On 2017-09-21 at 23:37 +0200, Stefan Claas wrote:
> > Long ago when we had a discussion here on the Mailing List on
> > how to prevent unwanted signatures i made a proposal that
> > signing someone's public key should work similar to revocation
> > certificates. If you would like to sign my pub key you had to
> > send me a, let's call it, Signature Request Certificate, if i accept
> > it i enter my passphrase and then the Software would extract
> > the needed signature bits from the request cert and add those
> > bits to my pub key. Like i said i'm no programmer and can't
> > therefore test if such a feature proposal would work.
> >
> > Regards
> > Stefan
>
> Nope. This would solve the case of «Key of legitimate user signed by
> fake user»¹ but not «Fake user signed by another fake user», which is
> the problem.
>
> ¹ Assuming the legitimate one would notice and not allow his key to be
> signed by the evil one, which is no problem, actually.
>
> The proposal would be technically feasible (invalidating all existing
> signatures, and probably conflicting with local sigs, but feasible).
> However, it wouldn't solve the underlying problem.

Thanks for your insights, much appreciated!

Regards
Stefan

