Re: Smart cards

2018-12-12 Thread Werner Koch
On Tue, 11 Dec 2018 19:27, art...@ulfeldt.com said:
> using openkeychain with a yubikey nfc is totally solid, and convenient.
> I've been using them for years. they also plug into the bottom of the
> phones which some people prefer.

You should keep in mind that you can eavesdrop on NFC communication
within several meters.  Right, it is required that the card is not more
than about 10cm away from the reader but that is only to convey the
power to the card, the HF is readable from several meters as soon as the
card is powered up.

If you care about side channel attacks, NFC communication is a bad idea
because the decrypted session key can easily be picked up.  To avoid
this, /secure communication/ needs to be used but that is cumbersome
because this requires a shared secret between host and card.  But well,
smartphones are not a safe device anyway.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
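To make the point above concrete, here is an added model of the exchange (this is not code from the post, nor the OpenPGP card specification): the host sends the encrypted session key to the card, the card returns the decrypted key, and every frame that crosses the RF link is recorded by a passive listener. It uses a toy RSA key (tiny primes, illustration only), a hypothetical command byte 0x2A, and secure messaging modelled as encrypt-then-MAC with a send sequence counter under keys derived from a pre-shared host/card secret; the HMAC-SHA256 keystream is a standard-library stand-in for the card's real secure-messaging cipher.

```python
"""Eavesdropping on a contactless card link, with and without secure messaging.

Added model, not code from the post and not the OpenPGP card specification.
The card holds a toy RSA key (tiny primes, illustration only); every frame
crosses an "air" list that a sniffer can read.  Secure messaging (SM) is
encrypt-then-MAC under keys derived from a pre-shared host/card secret with a
send sequence counter as IV; HMAC-SHA256 stands in for the card's SM cipher.
"""
import hashlib
import hmac
from typing import List, Optional, Tuple

TOY_N, TOY_E, TOY_D = 3233, 17, 2753   # p = 61, q = 53; 17 * 2753 = 1 mod 3120
CMD_DECIPHER = b"\x2a"                 # hypothetical command byte
SW_OK = b"\x90\x00"                    # ISO 7816 "success" status word
Air = List[Tuple[str, bytes]]          # (direction, frame): what a sniffer records


class SecureMessaging:
    """Encrypt-then-MAC; both ends keep the same send sequence counter (ssc)."""

    def __init__(self, shared_secret: bytes) -> None:
        self.enc_key = hmac.new(shared_secret, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(shared_secret, b"mac", hashlib.sha256).digest()
        self.ssc = 0

    def _prf(self, key: bytes, msg: bytes) -> bytes:
        return hmac.new(key, self.ssc.to_bytes(8, "big") + msg, hashlib.sha256).digest()

    def _xor_stream(self, data: bytes) -> bytes:
        stream = b"".join(self._prf(self.enc_key, i.to_bytes(4, "big"))
                          for i in range(len(data) // 32 + 1))
        return bytes(a ^ b for a, b in zip(data, stream))

    def wrap(self, plaintext: bytes) -> bytes:
        self.ssc += 1
        ct = self._xor_stream(plaintext)
        return ct + self._prf(self.mac_key, ct)

    def unwrap(self, frame: bytes) -> bytes:
        self.ssc += 1
        ct, tag = frame[:-32], frame[-32:]
        if not hmac.compare_digest(tag, self._prf(self.mac_key, ct)):
            raise ValueError("secure messaging MAC check failed")
        return self._xor_stream(ct)


def card_process(air: Air, sm: Optional[SecureMessaging], apdu: bytes) -> None:
    """The card: unwrap the session key with its private key and answer."""
    if sm:
        apdu = sm.unwrap(apdu)
    if apdu[:1] != CMD_DECIPHER:
        raise ValueError("unsupported command")
    session_key = pow(int.from_bytes(apdu[1:], "big"), TOY_D, TOY_N).to_bytes(2, "big")
    response = session_key + SW_OK          # the plaintext key leaves the card here
    air.append(("card->host", sm.wrap(response) if sm else response))


def host_decipher(air: Air, host_sm: Optional[SecureMessaging],
                  card_sm: Optional[SecureMessaging], wrapped_key: int) -> bytes:
    """The host: send DECIPHER over the air and read the card's answer."""
    apdu = CMD_DECIPHER + wrapped_key.to_bytes(2, "big")
    air.append(("host->card", host_sm.wrap(apdu) if host_sm else apdu))
    card_process(air, card_sm, air[-1][1])  # the card only ever sees the air
    response = host_sm.unwrap(air[-1][1]) if host_sm else air[-1][1]
    assert response.endswith(SW_OK), "card returned an error"
    return response[:-2]


def run_exchange(session_key: int, shared_secret: Optional[bytes] = None) -> Tuple[bytes, Air]:
    """Encrypt a session key to the toy public key and let the card unwrap it."""
    air: Air = []
    host_sm = SecureMessaging(shared_secret) if shared_secret else None
    card_sm = SecureMessaging(shared_secret) if shared_secret else None   # same pairing secret
    wrapped = pow(session_key, TOY_E, TOY_N)   # what the OpenPGP message carries
    return host_decipher(air, host_sm, card_sm, wrapped), air


def sniff_session_key(air: Air) -> Optional[bytes]:
    """What a passive listener learns: the data field of a plaintext response."""
    for direction, frame in air:
        if direction == "card->host" and frame.endswith(SW_OK):
            return frame[:-2]
    return None


def tamper_detected(shared_secret: bytes, plaintext: bytes) -> bool:
    """Flipping one bit of an SM frame is caught by the receiver's MAC."""
    sender, receiver = SecureMessaging(shared_secret), SecureMessaging(shared_secret)
    frame = bytearray(sender.wrap(plaintext))
    frame[0] ^= 0x01
    try:
        receiver.unwrap(bytes(frame))
    except ValueError:
        return True
    return False
```

Calling run_exchange(0x0ABC) and then sniff_session_key on the recorded air shows the listener reading the session key straight out of the card's response; with run_exchange(0x0ABC, b"pairing-secret") the same listener sees only ciphertext and a MAC, and a frame altered in transit is rejected. The pairing secret is exactly the shared secret the post calls cumbersome: it has to be provisioned on both the phone and the card before the first use, and a phone that is already compromised can leak it.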


Re: Keyserver access changes in GnuPG

2018-12-12 Thread Werner Koch
On Thu, 13 Dec 2018 00:00, t...@pobox.com said:

> /usr/bin/gpg1 for users who want to keep using it.  Dropping
> the keyserver and photoviewer helpers is part of the next
> planned release from the 1.4.x branch, which is being
> tracked in https://dev.gnupg.org/T3443.

Right.  Given that gpg1 is a fallback solution to work with archived
encrypted mails it does not make much sense to keep on maintaining the
keyserver helpers and extras like photo id viewers.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: GnuPG, (neo)mutt and S/MIME

2018-12-12 Thread Werner Koch
On Tue, 11 Dec 2018 22:24, p...@sys4.de said:

> Is there any other infrastructure/tool I need to setup and configure to sign
> and encrypt messages in mutt?

set crypt_use_gpgme

and then use the S/MIME options in Mutt's menu: hit 'p', 'b' and 'm' to
encrypt and sign with S/MIME.  ('m' switches to S/MIME mode).


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: Keyserver access changes in GnuPG

2018-12-12 Thread justina colmena via Gnupg-users
On December 12, 2018 2:00:18 PM AKST, Todd Zullinger  wrote:
>
> the keyserver and photoviewer helpers
>

A permanent record and a mug shot for the cops and every thief, hooker, and 
pickpocket on the block, respectively. And they all just help themselves to the 
secret key.

Someone puts out a little bit of money for secret keys and passphrases, they 
know your real name and where you live, and it just all goes to hell in a 
handbasket.


-- 
A well regulated Militia, being necessary to the security of a free State, the 
right of the people to keep and bear Arms, shall not be infringed.

https://www.colmena.biz/~justina/justina.colmena.asc



Re: Keyserver access changes in GnuPG

2018-12-12 Thread Todd Zullinger
Wiktor Kwapisiewicz via Gnupg-users wrote:
> Hello all,
> 
> I recently saw a message from one of Fedora's maintainers:
> 
>> Coming soon to Fedora30 (rawhide), gnupg v1.4.x renamed to gnupg1. Also 
>> dropping keyserver support at Werner's suggestion since upstream plans to 
>> disable that soon.
> 
> Source: https://infosec.exchange/@bcl/101195051788828345
> 
> Does anyone know anything about dropping keyserver support in GnuPG? That seems
> a little bit radical but maybe I've missed something...

This only applies to the gnupg-1.4.x packages in Fedora.

Fedora 30 will ship with gnupg-2.x as /usr/bin/gpg (with
keyserver support intact).

The packages from the 1.4.x branch will be installed as
/usr/bin/gpg1 for users who want to keep using it.  Dropping
the keyserver and photoviewer helpers is part of the next
planned release from the 1.4.x branch, which is being
tracked in https://dev.gnupg.org/T3443.

Hopefully that helps clarify things a bit and removes any
worries that Fedora is stripping keyserver support from the
default /usr/bin/gpg.

-- 
Todd
~~
You know an odd feeling?  Sitting on the toilet eating a chocolate
candy bar.
-- George Carlin, Napalm & Silly Putty





Re: Keyserver access changes in GnuPG

2018-12-12 Thread Andrew Luke Nesbit
On 12/12/2018 21:43, Wiktor Kwapisiewicz wrote:
>> Should I issue and publish a revocation certificate?  Will this cause
>> problems considering that I'm still using the same master key?
> 
> I don't think revocation is necessary if the private subkeys are still safe.

Yes, they are still safe.  On thinking about it, issuing a revocation
certificate could be overkill.  It might even cause more confusion than
it is meant to solve.

> It may be just inconvenient for people that want to contact you / verify your
> signatures to see your subkeys expired and when they "gpg --refresh-keys" (as
> they always do) your key would still be expired with no apparent way of
> proceeding. If I saw something like that I'd think the key is abandoned.

Indeed, so would I.  But then there's also a pretty good chance that the
same person might write to me and ask, "Hey, what's up with your OpenPGP
keys?"  Then I could explain and point them to the right place.  Or, by
then, my website or my email signature might have enough information to
point them in the right direction before it even becomes an issue.

> If you had HTTPS on your site I'd recommend Web Key Directory as this downloads
> keys from your site *and* refreshes expired keys from your site too automatically.

I am coincidentally currently in the process of provisioning an Apache
server with HTTPS/443 enabled.  Not even HTTP/80 will be open, so HTTP
to HTTPS redirection won't be implemented either.

I've looked up Web Key Directory and had a quick browse, and this is
exactly the kind of thing I need.  Thank you!!

Kind regards,

Andrew
-- 
EB28 0338 28B7 19DA DAB0  B193 D21D 996E 883B E5B9





Re: Keyserver access changes in GnuPG

2018-12-12 Thread Wiktor Kwapisiewicz via Gnupg-users
On 12.12.2018 22:35, Andrew Luke Nesbit wrote:
> My subkeys expired on Monday, 10/12/2018.  I've updated my subkeys with
> a new expiration date (in one year).  I'm considering NOT uploading the
> new public keys to the keyservers.  Rather, I will distribute them using
> other channels, such as downloading from my personal website or sneakernet.
> 
> Should I issue and publish a revocation certificate?  Will this cause
> problems considering that I'm still using the same master key?

I don't think revocation is necessary if the private subkeys are still safe.

It may be just inconvenient for people that want to contact you / verify your
signatures to see your subkeys expired and when they "gpg --refresh-keys" (as
they always do) your key would still be expired with no apparent way of
proceeding. If I saw something like that I'd think the key is abandoned.

If you had HTTPS on your site I'd recommend Web Key Directory as this downloads
keys from your site *and* refreshes expired keys from your site too 
automatically.

Kind regards,
Wiktor

-- 
https://metacode.biz/@wiktor

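As an added example for the Web Key Directory setup recommended above (not from the thread and not GnuPG's own code), the following computes the paths a WKD client fetches for a mail address, following the draft-koch-openpgp-webkey-service scheme: SHA-1 of the lowercased local part, z-base-32 encoded, served under /.well-known/openpgpkey/ on the mail domain (direct method) or on the openpgpkey subdomain (advanced method). The web server document root in wkd_server_paths is an assumption.

```python
"""Web Key Directory (WKD) lookup paths for a mail address.

Added example, not part of this thread and not GnuPG's own code.  Follows
draft-koch-openpgp-webkey-service: SHA-1 of the lowercased local part,
z-base-32 encoded, served under /.well-known/openpgpkey/.
"""
import hashlib
from typing import Dict, Tuple
from urllib.parse import quote

ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """z-base-32: RFC 4648 style 5-bit groups, Zooko's alphabet, no padding."""
    nbits = len(data) * 8
    pad = (-nbits) % 5                       # right-pad the bit string to 5-bit groups
    value = int.from_bytes(data, "big") << pad
    return "".join(ZBASE32_ALPHABET[(value >> shift) & 31]
                   for shift in range(nbits + pad - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """32-character name of the key file for one user ID's local part."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def split_address(address: str) -> Tuple[str, str]:
    """Local part as written, domain lowercased."""
    local_part, sep, domain = address.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError(f"not a mail address: {address!r}")
    return local_part, domain.lower()


def wkd_urls(address: str) -> Dict[str, str]:
    """URLs a client tries: advanced method first, then direct method."""
    local_part, domain = split_address(address)
    digest = wkd_hash(local_part)
    query = "?l=" + quote(local_part, safe="")   # original, un-lowercased local part
    adv = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    direct = f"https://{domain}/.well-known/openpgpkey"
    return {
        "advanced_policy": f"{adv}/policy",
        "advanced": f"{adv}/hu/{digest}{query}",
        "direct_policy": f"{direct}/policy",
        "direct": f"{direct}/hu/{digest}{query}",
    }


def wkd_server_paths(address: str, docroot: str = "/var/www/html") -> Dict[str, str]:
    """Files to publish for the direct method (docroot is an assumption)."""
    local_part, _ = split_address(address)
    base = f"{docroot}/.well-known/openpgpkey"
    return {"policy": f"{base}/policy", "key": f"{base}/hu/{wkd_hash(local_part)}"}


if __name__ == "__main__":
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name:16} {url}")
```

The draft's own example address, Joe.Doe@Example.ORG, hashes to iy9q119eutrkn8s1mk4r39qejnbu3n5q; on a system with GnuPG installed, gpg --with-wkd-hash --fingerprint user@example.org prints the same value next to each user ID, which is the check to run before publishing. The file under hu/ must be the binary (unarmored) public key, the policy file must exist (it may be empty), and the site needs HTTPS, which is why the recommendation above hinges on it. A client then fetches the key with gpg --auto-key-locate clear,wkd --locate-keys user@example.org.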


Re: Keyserver access changes in GnuPG

2018-12-12 Thread Andrew Luke Nesbit
On 12/12/2018 09:15, Wiktor Kwapisiewicz via Gnupg-users wrote:

>> Coming soon to Fedora30 (rawhide), gnupg v1.4.x renamed to gnupg1. Also 
>> dropping keyserver support at Werner's suggestion since upstream plans to 
>> disable that soon.
> 
> Source: https://infosec.exchange/@bcl/101195051788828345
> 
> Does anyone know anything about dropping keyserver support in GnuPG? That seems
> a little bit radical but maybe I've missed something...

I feel that I've missed a memo too.

I've never liked public keyservers either.  Or, rather, the way they are
normally used.

I especially dislike how beginners' tutorials encourage their users to
upload just-made keys to public keyservers before they (the users) have
even learned how to use GPG with any degree of fluency... or even
confirmed that their new keys are appropriately made or configured.

Can somebody please point me to a more authoritative source of this
keyserver news?  Did Werner himself write anything about this?  If it's
true, then I welcome it too.

On a highly related topic...

My subkeys expired on Monday, 10/12/2018.  I've updated my subkeys with
a new expiration date (in one year).  I'm considering NOT uploading the
new public keys to the keyservers.  Rather, I will distribute them using
other channels, such as downloading from my personal website or sneakernet.

Should I issue and publish a revocation certificate?  Will this cause
problems considering that I'm still using the same master key?

Kind regards,

Andrew
-- 
EB28 0338 28B7 19DA DAB0  B193 D21D 996E 883B E5B9





Re: Setup encrypted email

2018-12-12 Thread Wiktor Kwapisiewicz via Gnupg-users
On 12.12.2018 13:29, Nikos - FlexIT wrote:
> Hello
> 
>  
> 
> Can I setup encrypted emails completely free with gpg? I am using Microsoft
> outlook 2016.
> 
> Can you please inform me how I can do it?

Hi Nicos,

Check out Gpg4Win and one of its components: GpgOL - an add-in for Outlook:
https://www.gpg4win.org/screenshots.html

Kind regards,
Wiktor

-- 
https://metacode.biz/@wiktor



Re: GnuPG, (neo)mutt and S/MIME

2018-12-12 Thread Stefan Claas
On Tue, 11 Dec 2018 22:24:00 +0100, Patrick Ben Koetter wrote:

Hi Patrick,

> I was told GnuPG has this wonderful tool gpgsm, which helps to handle S/MIME
> keys/certs and also to sign and encrypt messages. Is this true or am I mixing
> things?

Yes, that is true. However, if I remember correctly gpgsm by itself does not
produce a message body format for an email which looks like those created by
other S/MIME capable email clients.
 
> I played a little with the gpgsm and was able to add my S/MIME keys/certs. Now
> I wonder how I would make use of them with in neomutt.
> 
> Is there any other infrastructure/tool I need to setup and configure to sign
> and encrypt messages in mutt?

While I also played with S/MIME and PGP setups in Mutt a long time ago, I am
now using Thunderbird for regular S/MIME email communications. I also remember
vaguely that for those (Neo)Mutt S/MIME set-ups gpgsm was not required.

I would suggest that you simply google for "Mutt S/MIME" to see a lot of
tutorials on how to do that. Once you have a correct neomutt set-up
you can send me an S/MIME signed email so that we can see if your
set-up works properly. I have a D-Trust certificate. The D-Trust
root certificates should be already installed in most systems.

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas




Re: Setup encrypted email

2018-12-12 Thread Arthur Ulfeldt
Yes! All the encryption happens on your computer (and/or your phone) and
you have complete control of the process. The flip side of this is that you
are responsible for the whole process. There are *many* ways to go about this
for different people in different situations. Here is just one option.

* make yourself a key using gpg
* put that key on the devices you want to use (I use a yubikey for this,
and that costs $ which is totally optional)
* setup your email, gpg4win is one popular option:
https://www.gpg4win.org/about.html
* set it up on your phone. openkeychain is popular on android and has been
solid for me for years.
* setup facebook to send you encrypted notifications (optional and purely
for fun)
* get comfortable with this process for a while then explore more complex
and/or customized options.



Setup encrypted email

2018-12-12 Thread Nikos - FlexIT
Hello

Can I setup encrypted emails completely free with gpg? I am using Microsoft 
outlook 2016.
Can you please inform me how I can do it?

Best Regards,

Νικος Ζησης
System Administrator
FlexIT Information Technology Outsourcing PC




Re: Keyserver access changes in GnuPG

2018-12-12 Thread Stefan Claas
On Wed, 12 Dec 2018 08:05:58 -0900, justina colmena via Gnupg-users wrote:

> One disadvantage of "keyservers" in general is that the automated queries to
> them leak "too much information" on the parties with whom one is communicating
> - even the fact that one is using PGP at all.

This can be simply avoided by using a mixnym address and using the Usenet group
alt.anonymous.messages. It requires of course that people get familiar with
Mixmaster, which is as old as PGP. Or simply use Bitmessage.

> One of the original goals of PGP, and later on, GnuPG, was to avoid the
> reliance on a central point of failure such as a "server." It was to be a most
> explicitly *decentralized* system.

Nobody is against a decentralized system.

> *Probably nothing wrong* with a keyserver if the key is tied to one's everyday
> real-life identity, but that is not always the use case of public key
> cryptography. Not everyone wants his or her phone number, email address, and
> residence address published in a database accessible to the public.

And probably nobody wants third parties to be able to upload your key with funny
or not so funny signatures, or knock out your key so that friends can no longer
download it from key servers.

> The big advantage, of course, to the keyservers is that they make it
> convenient for people to use PGP and GnuPG who might not otherwise bother with
> encryption at all.

The latest user guide from EFF shows key server usage as *last* option in their
document and also tells people to think about it before uploading a key to a
key server.

> This whole debate, I seem to recall, took place many, many years ago, and of
> course different groups have different goals and find different technical
> solutions for their respective situations.

True, but have you ever seen replies from (a) key server software developer(s)
saying we are aware of all those problems and we are working on a solution? I
don't refer here to the pgp.com key server, WKD, Autocrypt or keybase, I mean
the widely used SKS key server network.

Regards
Stefan


-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas




Re: Keyserver access changes in GnuPG

2018-12-12 Thread justina colmena via Gnupg-users
On December 12, 2018 2:35:43 AM AKST, Stefan Claas  
wrote:
>On Wed, 12 Dec 2018 10:15:33 +0100, Wiktor Kwapisiewicz via Gnupg-users wrote:
>> Hello all,
>> 
>> I recently saw a message from one of Fedora's maintainers:
>> 
>> > Coming soon to Fedora30 (rawhide), gnupg v1.4.x renamed to gnupg1. Also
>> > dropping keyserver support at Werner's suggestion since upstream plans to
>> > disable that soon.
>> 
>> Source: https://infosec.exchange/@bcl/101195051788828345
>> 
>> Does anyone know anything about dropping keyserver support in GnuPG? That seems
>> a little bit radical but maybe I've missed something...
>
>If so, I see it as a consistent move from past discussions on ML's and that
>Werner shows responsibility, while everybody else defended the old system or
>put their head in the sand.
>
>Bravo!
>
>Regards
>Stefan
>
>-- 
>https://www.behance.net/futagoza
>https://keybase.io/stefan_claas


One disadvantage of "keyservers" in general is that the automated queries to 
them leak "too much information" on the parties with whom one is communicating 
- even the fact that one is using PGP at all.

One of the original goals of PGP, and later on, GnuPG, was to avoid the 
reliance on a central point of failure such as a "server." It was to be a most 
explicitly *decentralized* system.

*Probably nothing wrong* with a keyserver if the key is tied to one's everyday 
real-life identity, but that is not always the use case of public key 
cryptography. Not everyone wants his or her phone number, email address, and 
residence address published in a database accessible to the public.

The big advantage, of course, to the keyservers is that they make it convenient 
for people to use PGP and GnuPG who might not otherwise bother with encryption 
at all.

In any case, I am sure that the keyserver support functionality could easily be 
split off into a separate program if it is being dropped from GnuPG, which to 
be honest is getting rather bloated and could do well to focus on its core 
competencies.

Right now the OpenKeychain app on my phone is configured to search OpenPGP 
keyservers:

hkps://keyserver.ubuntu.com
hkps://hkps.pool.sks-keyservers.net (hkp://jirk5u4osbsr34t5.onion)
hkps://pgp.mit.edu
hkps://keys.fedoraproject.org (which I added because I use Fedora.)

There is also a "keybase.io" and a "Web Key Directory" search. It might seem a 
bit much, but the general goal here is not "absolute privacy" but to enable the 
dumb user of a smart phone to make use of PGP encryption.

This whole debate, I seem to recall, took place many, many years ago, and of 
course different groups have different goals and find different technical 
solutions for their respective situations.

-- 
A well regulated Militia, being necessary to the security of a free State, the 
right of the people to keep and bear Arms, shall not be infringed.

https://www.colmena.biz/~justina/justina.colmena.asc



Re: Keyserver access changes in GnuPG

2018-12-12 Thread Stefan Claas
On Wed, 12 Dec 2018 10:15:33 +0100, Wiktor Kwapisiewicz via Gnupg-users wrote:
> Hello all,
> 
> I recently saw a message from one of Fedora's maintainers:
> 
> > Coming soon to Fedora30 (rawhide), gnupg v1.4.x renamed to gnupg1. Also
> > dropping keyserver support at Werner's suggestion since upstream plans to
> > disable that soon.
> 
> Source: https://infosec.exchange/@bcl/101195051788828345
> 
> Does anyone know anything about dropping keyserver support in GnuPG? That seems
> a little bit radical but maybe I've missed something...

If so, I see it as a consistent move from past discussions on ML's and that
Werner shows responsibility, while everybody else defended the old system or
put their head in the sand.

Bravo!

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas




GnuPG, (neo)mutt and S/MIME

2018-12-12 Thread Patrick Ben Koetter
Greetings,

I was told GnuPG has this wonderful tool gpgsm, which helps to handle S/MIME
keys/certs and also to sign and encrypt messages. Is this true or am I mixing
things?

I played a little with the gpgsm and was able to add my S/MIME keys/certs. Now
I wonder how I would make use of them with in neomutt.

Is there any other infrastructure/tool I need to setup and configure to sign
and encrypt messages in mutt?

TIA

p@rick

-- 
[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein
 



Keyserver access changes in GnuPG

2018-12-12 Thread Wiktor Kwapisiewicz via Gnupg-users
Hello all,

I recently saw a message from one of Fedora's maintainers:

> Coming soon to Fedora30 (rawhide), gnupg v1.4.x renamed to gnupg1. Also 
> dropping keyserver support at Werner's suggestion since upstream plans to 
> disable that soon.

Source: https://infosec.exchange/@bcl/101195051788828345

Does anyone know anything about dropping keyserver support in GnuPG? That seems
a little bit radical but maybe I've missed something...

Thanks in advance!

Kind regards,
Wiktor

-- 
https://metacode.biz/@wiktor
