date:20190722

Re: revoke last valid user ID

2019-07-22 Thread Teemu Likonen via Gnupg-users

i...@zeromail.org [2019-07-22T23:40:42+02] wrote:

> Thanks, that sounds possible. But I wonder, if there is a reason GnuPG
> won't let me revoke it directly - and if so, if that reasoning is
> strong enough to not even have a way to override it. Since I have keys
> with all user IDs revoked and I only ever used GnuPG, it seems I was
> able to do that once.

Maybe you have previously revoked the whole key. Such key is shown with
all its user IDs revoked.

-- 
///  OpenPGP key: 4E1055DC84E9DFF613D78557719D69D324539450
//  https://keys.openpgp.org/search?q=tliko...@iki.fi
/  https://keybase.io/tlikonen  https://github.com/tlikonen


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Essay on PGP as it is used today

2019-07-22 Thread Robert J. Hansen

> I think that’s the point security researchers like Schneier have been
> trying to make: it is easy for all people — from grandparents who
> still think they need AOL to chipheads who can install Arch without
> watching a YouTube tutorial — to screw up encrypted email in a way
> that exposes the cleartext.

This is true, but it's not because OpenPGP is uniquely difficult.  It's
because it's uniquely flexible.  Signal is intimately tied to the cell
platform and cell signaling.  Even when using the desktop client, it's
using your cell phone as a proxy.  The more choices you take away from
the user, the easier the remaining experience tends to become.

(Which is not the same as saying the remaining experience is a *good*
one, just an *easy* one.  Go ahead, try using Signal to do a third party
noninteractive introduction.  Can't do it!  That choice is taken away
from you.  Which means if you don't need third party introductions, the
experience is good and easy... and if you do, it's bad and easy: bad, in
that you can't do what you need, but easy, in that at least it's very
honest about not being able to do what you need.)

> Encrypted email is fundamentally unsafe as it currently exists.

Given the government uses email to transfer national security secrets, I
question this assumption.  Email can definitely be made safe enough: the
question is whether individual users can be expected to have the
training and experience and resources to do so on their own.  (I
personally think the answer is 'no'.)

> But if you’re trying to securely communicate like a normal person who
> is not pretending to be Mister Robot, then PGP for email is one of
> the least adopted, least safe ways to do so and 
> Signal/iMessage/WhatsApp are decent solutions.

I generally agree.  I recommend WhatsApp as a communications client of
first recourse for people in non-permissive environments.

Number one, it's easy to convince other people you meet to use it.  "You
can reach me on WhatsApp at..." tends to get reactions of, "oh, yeah, I
have it installed" or "I guess I should install that".  You don't need
to talk about security or code audits or E2E or anything else: just show
them it's fun.

Number two, switching from SMS to WhatsApp is a *huge* increase in
security for the average smartphone user.

Number three, the cops don't look at you funny if you've got it on your
phone.  Especially if you've got some nieces and nephews you can trade
funny memes with.  Purge the important stuff before you go through a
border crossing and if you're asked about WhatsApp just say "my nieces
and nephews made me install it so they could share funny stuff with me".

Signal fails on #1 ("This is supposed to be a ... a secure
communications tool?  Why do I need that?  I don't want to get in
trouble with the cops.") and on #3 ("Why do you need this, citizen?").

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Essay on PGP as it is used today

2019-07-22 Thread Ryan McGinnis via Gnupg-users

  I’m not so sure that it does.  I think that’s the point security researchers like Schneier have been trying to make: it is easy for all people — from grandparents who still think they need AOL to chipheads who can install Arch without watching a YouTube tutorial — to screw up encrypted email in a way that exposes the cleartext.   Encrypted email is fundamentally unsafe as it currently exists.  It’s really hard to screw up some of the new E2E encrypted messengers.  Sure, if your method for secure communications is dropping stego’d memes with encrypted payloads on imgur, then simple tools like Signal and WhatsApp won’t do.  But if you’re trying to securely communicate like a normal person who is not pretending to be Mister Robot, then PGP for email is one of the least adopted, least safe ways to do so and Signal/iMessage/WhatsApp are decent solutions.  -Ryan McGinnis https://bigstormpicture.com PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7ADSent with ProtonMail Sent from ProtonMail Mobile On Mon, Jul 22, 2019 at 15:00, Mark H. Wood via Gnupg-users  wrote:  On Mon, Jul 22, 2019 at 03:46:18PM +, Ryan McGinnis via Gnupg-users wrote:>[1]https://www.schneier.com/blog/archives/2018/05/details_on_a_ne.html>> 3. Why is anyone using encrypted e-mail anymore, anyway? Reliably and>easily encrypting e-mail is an insurmountably hard problem for reasons>having nothing to do with today's announcement. If you need to>communicate securely, use Signal. If having Signal on your phone will>arouse suspicion, use WhatsApp.Depends on your threat model.  For mine, reliably and easilyencrypting email is almost absurdly simple:1) Use PGP2) Don't send secrets to people I don't trust to keep them.Anyway, 99% of my PGP use is for the opposite of secrecy: I sign myemails so that (if you care enough to install PGP) you can be highlyassured that they're from me.--Mark H. WoodLead Technology AnalystUniversity LibraryIndiana University - Purdue University Indianapolis755 W. Michigan StreetIndianapolis, IN 46202317-274-0749www.ulib.iupui.edu___Gnupg-users mailing listGnupg-users@gnupg.orghttp://lists.gnupg.org/mailman/listinfo/gnupg-users


c"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="publicKey - r...@digicana.com - 
5c738727ee58786a777c4f1db5aa3fa3486ed7ad.as=
c"

LS0tLS1CRUdJTiBQR1AgUFVCTElDIEtFWSBCTE9DSy0tLS0tClZlcnNpb246IFBt
Y3J5cHRvIEdvbGFuZyAwLjAuMSAoZGRhY2ViZTApCkNvbW1lbnQ6IGh0dHBzOi8v
cHJvdG9ubWFpbC5jb20KCnhzRk5CRm95d3BvQkVBQ0dsQ0x6dUl4UHR1VDYwQld3
K1luQ0V3NS9HbFhJeDVYNmwzTkpnRGlUL1FydjZtM0MKWDROSkVIY21VT3J1SWhS
L2JJMFdrdnVXVjRSZnh2MEJLUWpwN0puTVdSRE9ZNU54SWNrdk1KR3BsTFRoY3lS
agpLcUF2aXhTcnVrc3h0M3YzQTViNzdLeXcxZXlCMytlQzNZbzBnMjh5aGhmbG4x
Z2V4enNVc3V6U1crRml4eGd6ClMyS2RKMjZhWjhTYjNnanZmSEx2L01LaFhsdVN3
WWdYSURLTWlVT2liMGlEVmRXUGZGWENwVmJIM28xOFZueFQKZEMzVUkzdlZtbEph
clI0TzV4SXA2RndkbVFWdGo3M1pNSGRnWW5RY2VHWWN3b2I4dGFPMGRLZlUrMzEv
Ymp1dQpNYU9qeTJ1S25DeDlsZWVLNEgxM0pjYkl5R1NLN2pyQWVRUk53RTU4VXpC
SlpVQnMxSURjZFlZN1l2MW9iOWlNClljZmtaaHF6enREaksxUVAzSWJlM0FHMDJY
K3JVWExjdmxoOEVjY0RiL1c1MElBK2VqRHk3eUZRYjZTSys0U3AKSXJaSEdQamYx
eUQ0eGtraHpORlBKMm1ZR040aENDcm5XckRnL2hDM3J4U3dDcEkzUEV4bFo4T0Y5
ank5alR0cQpJUngvelhTUUtnSmNBRHM0dHNOSGZ6UHJuRXk0MWJzbWNkSTBOcm5j
UGNmMjVqRnZhUFR3QkhBQ3lIbG1GWDJ6Ci9HdUNoZW9wYXhtaVZKRnVWbGVxcnR4
ZVRCTjR2NzlMaHhCR3RDVWRZSDlHcmVuRnZ6QTl2OFZNQTZyOWQ3YVcKQ2I3bDBK
SEw4d3pEQk9sRENiSk1adlQ3dER4eWwyTUl2MTFMUWVJSW5SbEk2SkJ4TENGWnVo
WVB6d0FSQVFBQgp6U1Z5ZVdGdVFHUnBaMmxqWVc1aExtTnZiU0E4Y25saGJrQmth
V2RwWTJGdVlTNWpiMjArd3NGMUJCQUJDQUFwCkJRSmFNc0tnQmdzSkJ3Z0RBZ2tR
dGFvL28waHUxNjBFRlFnS0FnTVdBZ0VDR1FFQ0d3TUNIZ0VBQUp5TEQvMFQKZUdG
YmJ1TnlQZmxUb3NkbW1LQUM2Wnl1RHdKeExqdkwzWW5IQVVQa1RPL2E2eFR0RVoy
QjQxL21PeDJPVGN5aApKaGh3dEIwL2xzU043cjVyWEh6VVc0VmU2R1NTOFBFSTNq
MUl5TS93ZWN2MytnYjM4ZmZkRkVKQTFiVW45K2YvCnV5aFFJRmFMd0ZwcThVUUd4
RFJKOTFRWGNYRnJQemFsc3Y5S0tOY3QxdFJDbGZWblFSNzdCemtoZklKczJnUWkK
eVQxbCtWRnF6WEFoVmlpdXpSZGxKTWFUTGIyMzZVa2VPeC9leU5WRWNpdlZZb3V5
MkJ6TC9kVzI4V0RQUHRkVgpIT2NWbVY0S2ZhWUpwSDRtQkhCL0tQK0pOUXk1c3BW
Zk1MTWZDMDhyNWEwRUZFM0J5ZWJsdDNPTlBtKzJ5bXpDClJvdEl0ejhUN3Njd3U0
eFRtSXc1V1dSY0lpM21iRFcvbWVmbzd3aGJYM283TmlkUEJDK1pxSnNxTG9Obm8v
YUQKUFlYbnBUekFiczRVVFNxcDZQNDlNSFZXTkY0L24vYVhVM1ZoQnZaeDBoMU5O
TmJPMVB6Ui84U3I3ZmVkRDlVQwpuaUpOSmdmYUtodDFpMTlQYytCRjUrc2duYlJa
ZUlmU3hIV2ZYRCtrcklXR1ptUkJhQnBHelIzSnIzQUF3Q2NECnVKVmVDWHhJZTE3
WlRIeXdxVlpsb1hGWEVSSkJUZm1KK0FEbjIrc0ZNanBkV0Jhd3NsNXhYLzlmZmlP
WWY4aTAKbEdoNnZraWtCbkdaem5YSVp4Y3YvSVZpSHVnYlY3M3FwdktUaVpiME5o
WDlhd3kybGJqcWRxZzR4UHhuMlJJbwpwaEY5VTNpYmxhcDRqSnJZMFo2NmdNUEhB
b2VVWlVJa1crWjYzT1BJbE03QlRRUmFNc0thQVJBQWlSblptNHVjClBLc0ZEUG5N
SjVWcUVkeE9LcVRhbGsxRDM3NzEyemovWjcwNjlaRkV6QnY5UkVUcU9qdmFCQ1ZU
dExrWmpVS3UKQXQ5QVF3S0prcUhNbXpHVGdsVGt5cThEM0Z3cDExeVVoQm12M3lP
ciswVjVNZUU2OUhNdXFpdHBPNWdYbW9NMQoyQ1VBUERzcWV0OEY4THN0RUpNYlJo
cHh2T3NnbU1SV2dGbTVMNzRjeXFPVDQ0K01vOCt1THdldlBIMXBDN2JFCi9rTEVQ

Re: revoke last valid user ID

2019-07-22 Thread ilf


Wiktor Kwapisiewicz:
I'd try adding one dummy User ID, revoke the rest, then delete that 
dummy User ID before it gets sent to the keyserver.


Thanks, that sounds possible. But I wonder, if there is a reason GnuPG 
won't let me revoke it directly - and if so, if that reasoning is strong 
enough to not even have a way to override it. Since I have keys with all 
user IDs revoked and I only ever used GnuPG, it seems I was able to do 
that once.



I guess you don't want to revoke the entire key...


The keys I am trying to do that for *are* revoked or expired. That's why 
I want to remove the (immediate visibility of the) user IDs, even from 
the classic SKS keyserver network.


--
ilf

If you upload your address book to "the cloud", I don't want to be in it.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Essay on PGP as it is used today

2019-07-22 Thread Mark H. Wood via Gnupg-users

On Mon, Jul 22, 2019 at 03:46:18PM +, Ryan McGinnis via Gnupg-users wrote:
>[1]https://www.schneier.com/blog/archives/2018/05/details_on_a_ne.html
> 
>� 3. Why is anyone using encrypted e-mail anymore, anyway? Reliably and
>easily encrypting e-mail is an insurmountably hard problem for reasons
>having nothing to do with today's announcement. If you need to
>communicate securely, use Signal. If having Signal on your phone will
>arouse suspicion, use WhatsApp.�

Depends on your threat model.  For mine, reliably and easily
encrypting email is almost absurdly simple:

1) Use PGP
2) Don't send secrets to people I don't trust to keep them.

Anyway, 99% of my PGP use is for the opposite of secrecy: I sign my
emails so that (if you care enough to install PGP) you can be highly
assured that they're from me.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu

signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

security of local keyring

2019-07-22 Thread metalevel

Hello,

I want to use GPG for rather simple authentication of downloaded files. I made 
a test installation on a Windows box, then imported and validated (via 
fingerprint) the public keys of some sources.

Now I have the following question. Is there some means of access control for 
the public keyring?
It seems, there is no privilege distinction between managing the local keyring 
and using it. When the user is able to freely import and delete public keys, 
there's no prevention of some malware tampering with the keyring either.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: revoke last valid user ID

2019-07-22 Thread Wiktor Kwapisiewicz via Gnupg-users


On 22.07.2019 19:28, ilf wrote:

Is there a way to override this limitation?


I'd try adding one dummy User ID, revoke the rest, then delete that 
dummy User ID before it gets sent to the keyserver.


I guess you don't want to revoke the entire key...

Kind regards,
Wiktor

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

revoke last valid user ID

2019-07-22 Thread ilf

Doing more keyring housekeeping, I would like to all revoke user IDs of 
keypairs with revoked/expired certificates. However, I am getting this 
error:



gpg: Cannot revoke the last valid user ID.


This is also in the documentation:


--quick-revoke-uid user-id user-id-to-revoke
This command revokes a user ID on an existing key. It cannot be used 
to revoke the last user ID on key (some non-revoked user ID must 
remain) […]


https://www.gnupg.org/documentation/manuals/gnupg/OpenPGP-Key-Management.html

Why it this?

I have keypairs with revoked/expired certificates keys in my keyring 
which have *all* user IDs revoked. And I am sure I want to do this. Is 
there a way to override this limitation?


--
ilf

If you upload your address book to "the cloud", I don't want to be in it.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Essay on PGP as it is used today

2019-07-22 Thread Ryan McGinnis via Gnupg-users

  https://www.schneier.com/blog/archives/2018/05/details_on_a_ne.html“ 3. Why is anyone using encrypted e-mail anymore, anyway? Reliably and easily encrypting e-mail is an insurmountably hard problem for reasons having nothing to do with today's announcement. If you need to communicate securely, use Signal. If having Signal on your phone will arouse suspicion, use WhatsApp.”-Ryan McGinnis https://bigstormpicture.com PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7ADSent with ProtonMail Sent from ProtonMail Mobile On Mon, Jul 22, 2019 at 03:28, Craig T via Gnupg-users  wrote:







Hey Ryan thanks for posting... and this response is not a poke at you, so dont take it personally!



but ... groan... honestly who the fck are "latacora", and all the others who sprout shite they read somewhere and regurgitate elsewhere...

Yeah I have been seeing posts like this pop up and with variations of content. Today everyone is cool kid security consultant, it's a badge of upper crust 007 techno ability.

Show me actual facts and figures, opinions are not fact.

Like anything worthwhile, sometimes you need to study and actually apply a bit of effort to do something properly.

GPG is no different...  The "instant gratification" and simple systems don't enforce good security workflows. Just because Uncle Bob likes and says you should use signal/whatsapp etc etc and shouldn't use whatever, doesn't mean you should follow.


If folks like Bruce Schneier suddenly popped up and said "we have a problem" and dumped his PK, I may take notice... Then again that's my opinion, why should you believe me :)

Cheers

Craig







From: Gnupg-users  on behalf of Ryan McGinnis via Gnupg-users 
Sent: 17 July 2019 15:28
To: Konstantin Boyandin via Gnupg-users 
Subject: Essay on PGP as it is used today
 


More than a bit critical, but a good read all the same.  Found on HN. 


https://latacora.micro.blog/2019/07/16/the-pgp-problem.html



HN comment thread here:  https://news.ycombinator.com/item?id=20455780







-Ryan McGinnis 

https://bigstormpicture.com 

PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

Sent with ProtonMail















c"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="publicKey - r...@digicana.com - 
5c738727ee58786a777c4f1db5aa3fa3486ed7ad.as=
c"

LS0tLS1CRUdJTiBQR1AgUFVCTElDIEtFWSBCTE9DSy0tLS0tClZlcnNpb246IFBt
Y3J5cHRvIEdvbGFuZyAwLjAuMSAoZGRhY2ViZTApCkNvbW1lbnQ6IGh0dHBzOi8v
cHJvdG9ubWFpbC5jb20KCnhzRk5CRm95d3BvQkVBQ0dsQ0x6dUl4UHR1VDYwQld3
K1luQ0V3NS9HbFhJeDVYNmwzTkpnRGlUL1FydjZtM0MKWDROSkVIY21VT3J1SWhS
L2JJMFdrdnVXVjRSZnh2MEJLUWpwN0puTVdSRE9ZNU54SWNrdk1KR3BsTFRoY3lS
agpLcUF2aXhTcnVrc3h0M3YzQTViNzdLeXcxZXlCMytlQzNZbzBnMjh5aGhmbG4x
Z2V4enNVc3V6U1crRml4eGd6ClMyS2RKMjZhWjhTYjNnanZmSEx2L01LaFhsdVN3
WWdYSURLTWlVT2liMGlEVmRXUGZGWENwVmJIM28xOFZueFQKZEMzVUkzdlZtbEph
clI0TzV4SXA2RndkbVFWdGo3M1pNSGRnWW5RY2VHWWN3b2I4dGFPMGRLZlUrMzEv
Ymp1dQpNYU9qeTJ1S25DeDlsZWVLNEgxM0pjYkl5R1NLN2pyQWVRUk53RTU4VXpC
SlpVQnMxSURjZFlZN1l2MW9iOWlNClljZmtaaHF6enREaksxUVAzSWJlM0FHMDJY
K3JVWExjdmxoOEVjY0RiL1c1MElBK2VqRHk3eUZRYjZTSys0U3AKSXJaSEdQamYx
eUQ0eGtraHpORlBKMm1ZR040aENDcm5XckRnL2hDM3J4U3dDcEkzUEV4bFo4T0Y5
ank5alR0cQpJUngvelhTUUtnSmNBRHM0dHNOSGZ6UHJuRXk0MWJzbWNkSTBOcm5j
UGNmMjVqRnZhUFR3QkhBQ3lIbG1GWDJ6Ci9HdUNoZW9wYXhtaVZKRnVWbGVxcnR4
ZVRCTjR2NzlMaHhCR3RDVWRZSDlHcmVuRnZ6QTl2OFZNQTZyOWQ3YVcKQ2I3bDBK
SEw4d3pEQk9sRENiSk1adlQ3dER4eWwyTUl2MTFMUWVJSW5SbEk2SkJ4TENGWnVo
WVB6d0FSQVFBQgp6U1Z5ZVdGdVFHUnBaMmxqWVc1aExtTnZiU0E4Y25saGJrQmth
V2RwWTJGdVlTNWpiMjArd3NGMUJCQUJDQUFwCkJRSmFNc0tnQmdzSkJ3Z0RBZ2tR
dGFvL28waHUxNjBFRlFnS0FnTVdBZ0VDR1FFQ0d3TUNIZ0VBQUp5TEQvMFQKZUdG
YmJ1TnlQZmxUb3NkbW1LQUM2Wnl1RHdKeExqdkwzWW5IQVVQa1RPL2E2eFR0RVoy
QjQxL21PeDJPVGN5aApKaGh3dEIwL2xzU043cjVyWEh6VVc0VmU2R1NTOFBFSTNq
MUl5TS93ZWN2MytnYjM4ZmZkRkVKQTFiVW45K2YvCnV5aFFJRmFMd0ZwcThVUUd4
RFJKOTFRWGNYRnJQemFsc3Y5S0tOY3QxdFJDbGZWblFSNzdCemtoZklKczJnUWkK
eVQxbCtWRnF6WEFoVmlpdXpSZGxKTWFUTGIyMzZVa2VPeC9leU5WRWNpdlZZb3V5
MkJ6TC9kVzI4V0RQUHRkVgpIT2NWbVY0S2ZhWUpwSDRtQkhCL0tQK0pOUXk1c3BW
Zk1MTWZDMDhyNWEwRUZFM0J5ZWJsdDNPTlBtKzJ5bXpDClJvdEl0ejhUN3Njd3U0
eFRtSXc1V1dSY0lpM21iRFcvbWVmbzd3aGJYM283TmlkUEJDK1pxSnNxTG9Obm8v
YUQKUFlYbnBUekFiczRVVFNxcDZQNDlNSFZXTkY0L24vYVhVM1ZoQnZaeDBoMU5O
TmJPMVB6Ui84U3I3ZmVkRDlVQwpuaUpOSmdmYUtodDFpMTlQYytCRjUrc2duYlJa
ZUlmU3hIV2ZYRCtrcklXR1ptUkJhQnBHelIzSnIzQUF3Q2NECnVKVmVDWHhJZTE3
WlRIeXdxVlpsb1hGWEVSSkJUZm1KK0FEbjIrc0ZNanBkV0Jhd3NsNXhYLzlmZmlP
WWY4aTAKbEdoNnZraWtCbkdaem5YSVp4Y3YvSVZpSHVnYlY3M3FwdktUaVpiME5o
WDlhd3kybGJqcWRxZzR4UHhuMlJJbwpwaEY5VTNpYmxhcDRqSnJZMFo2NmdNUEhB
b2VVWlVJa1crWjYzT1BJbE03QlRRUmFNc0thQVJBQWlSblptNHVjClBLc0ZEUG5N
SjVWcUVkeE9LcVRhbGsxRDM3NzEyemovWjcwNjlaRkV6QnY5UkVUcU9qdmFCQ1ZU
dExrWmpVS3UKQXQ5QVF3S0prcUhNbXpHVGdsVGt5cThEM0Z3cDExeVVoQm12M3lP
ciswVjVNZUU2OUhNdXFpdHBPNWdYbW9NMQoyQ1VBUERzcWV0OEY4THN0RUpNYlJo
cHh2T3NnbU1SV2dGbTVMNzRjeXFPVDQ0K01vOCt1THdldlBIMXBDN2JFCi9rTEVQ
ZXdjQUUvNjBwUTBZZ1ZQMkxlNngyaHQ4Q3pEWjdwOGNTSGtYbEJhOXlIa1haUkV0

Re: Essay on PGP as it is used today

2019-07-22 Thread Stefan Claas via Gnupg-users

Jerry wrote:

> On Mon, 22 Jul 2019 07:07:32 -0400, Robert J. Hansen stated:
> >> I went to an EFF (Electronic Frontier Foundation) meeting  and a big
> >> and tall guy came to me and told me that he had a way of Breaking PGP
> >> and told me he had been working on a database program that made this
> >> possible and spouted off terms I had never heard before.  
> >
> >Yeah, these conspiracy theorists always show up.
> >
> >> I went back inside, and I couldn't find him. I had questions.  
> >
> >You're in the right place.
> >
> >Mathematicians have come up with different ways to estimate how many
> >primes there were under a certain value -- what we call the prime
> >counting function, or "π(x)" in mathematicalese.  There are lots of
> >ways to do it, but they all give answers very close to each other:
> >these are estimates, not precise numbers.
> >
> >The first estimate for π(x) was "x divided by the natural logarithm of
> >x".
> >
> >Let x be 100.  The natural log of 100 is about 4.6.  100 divided by 4.6
> >is about 22.  Thus, we expect there to be about 22 primes under 100.
> >There are in fact 25 -- so while this method isn't perfect it's
> >definitely enough to get us in the neighborhood.
> >
> >If we do that same equation for a 2048-bit key, it turns out there are
> >10 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
> >000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
> >000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
> >000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
> >000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
> >000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
> >000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
> >000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
> >000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
> >000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
> >000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
> >000 000 000 000 000 000 000 different prime numbers that could go into
> >it.
> >
> >Google's total data storage is about 10 exabytes.  In 10 exabytes you
> >could store about 40 000 000 000 000 000 prime numbers.
> >
> >There's just no way anyone on earth has a list of prime numbers that
> >they're trying one after another.  Not only isn't there enough hard
> >drive space, but the hard drives required would literally be bigger
> >than the entire Milky Way galaxy!
> 
> I am not sure about that. If a good data compression algorithm was
> employed, they might be able to save the space of a solar system or two.
> 



Regards
Stefan

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Essay on PGP as it is used today

2019-07-22 Thread Jerry

On Mon, 22 Jul 2019 07:07:32 -0400, Robert J. Hansen stated:
>> I went to an EFF (Electronic Frontier Foundation) meeting  and a big
>> and tall guy came to me and told me that he had a way of Breaking PGP
>> and told me he had been working on a database program that made this
>> possible and spouted off terms I had never heard before.  
>
>Yeah, these conspiracy theorists always show up.
>
>> I went back inside, and I couldn't find him. I had questions.  
>
>You're in the right place.
>
>Mathematicians have come up with different ways to estimate how many
>primes there were under a certain value -- what we call the prime
>counting function, or "π(x)" in mathematicalese.  There are lots of
>ways to do it, but they all give answers very close to each other:
>these are estimates, not precise numbers.
>
>The first estimate for π(x) was "x divided by the natural logarithm of
>x".
>
>Let x be 100.  The natural log of 100 is about 4.6.  100 divided by 4.6
>is about 22.  Thus, we expect there to be about 22 primes under 100.
>There are in fact 25 -- so while this method isn't perfect it's
>definitely enough to get us in the neighborhood.
>
>If we do that same equation for a 2048-bit key, it turns out there are
>10 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
>000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
>000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
>000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
>000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
>000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
>000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
>000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
>000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
>000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
>000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
>000 000 000 000 000 000 000 different prime numbers that could go into
>it.
>
>Google's total data storage is about 10 exabytes.  In 10 exabytes you
>could store about 40 000 000 000 000 000 prime numbers.
>
>There's just no way anyone on earth has a list of prime numbers that
>they're trying one after another.  Not only isn't there enough hard
>drive space, but the hard drives required would literally be bigger
>than the entire Milky Way galaxy!

I am not sure about that. If a good data compression algorithm was
employed, they might be able to save the space of a solar system or two.

-- 
Jerry



pgp_kqZgIjIlX.pgp
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Essay on PGP as it is used today

2019-07-22 Thread Robert J. Hansen

> I went to an EFF (Electronic Frontier Foundation) meeting  and a big
> and tall guy came to me and told me that he had a way of Breaking PGP
> and told me he had been working on a database program that made this
> possible and spouted off terms I had never heard before.

Yeah, these conspiracy theorists always show up.

> I went back inside, and I couldn't find him. I had questions.

You're in the right place.

Mathematicians have come up with different ways to estimate how many
primes there were under a certain value -- what we call the prime
counting function, or "π(x)" in mathematicalese.  There are lots of ways
to do it, but they all give answers very close to each other: these are
estimates, not precise numbers.

The first estimate for π(x) was "x divided by the natural logarithm of x".

Let x be 100.  The natural log of 100 is about 4.6.  100 divided by 4.6
is about 22.  Thus, we expect there to be about 22 primes under 100.
There are in fact 25 -- so while this method isn't perfect it's
definitely enough to get us in the neighborhood.

If we do that same equation for a 2048-bit key, it turns out there are
10 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
000 000 000 000 000 000 000 different prime numbers that could go into it.

Google's total data storage is about 10 exabytes.  In 10 exabytes you
could store about 40 000 000 000 000 000 prime numbers.

There's just no way anyone on earth has a list of prime numbers that
they're trying one after another.  Not only isn't there enough hard
drive space, but the hard drives required would literally be bigger than
the entire Milky Way galaxy!

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Essay on PGP as it is used today

2019-07-22 Thread Wiktor Kwapisiewicz via Gnupg-users


On 22.07.2019 11:26, Procopius via Gnupg-users wrote:


I searched and determined the author is unknown from from what I could see.


The author is Thomas H. Ptacek, here's contact info:

https://news.ycombinator.com/user?id=tptacek

FWIW he's known for criticizing crypto that he thinks is unnecessarily 
complex, such as PGP and DNSSEC. If you want you can browse through his 
comments to see that the article is mostly a comprehensive collection of 
his thoughts.


Kind regards,
Wiktor

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Essay on PGP as it is used today

2019-07-22 Thread Craig T via Gnupg-users

Hey Ryan thanks for posting... and this response is not a poke at you, so dont 
take it personally!

but ... groan... honestly who the fck are "latacora", and all the others who 
sprout shite they read somewhere and regurgitate elsewhere...
Yeah I have been seeing posts like this pop up and with variations of content. 
Today everyone is cool kid security consultant, it's a badge of upper crust 007 
techno ability.
Show me actual facts and figures, opinions are not fact.
Like anything worthwhile, sometimes you need to study and actually apply a bit 
of effort to do something properly.
GPG is no different...  The "instant gratification" and simple systems don't 
enforce good security workflows. Just because Uncle Bob likes and says you 
should use signal/whatsapp etc etc and shouldn't use whatever, doesn't mean you 
should follow.
If folks like Bruce Schneier suddenly popped up and said "we have a problem" 
and dumped his PK, I may take notice... Then again that's my opinion, why 
should you believe me :)
Cheers
Craig


From: Gnupg-users  on behalf of Ryan McGinnis 
via Gnupg-users 
Sent: 17 July 2019 15:28
To: Konstantin Boyandin via Gnupg-users 
Subject: Essay on PGP as it is used today

More than a bit critical, but a good read all the same.  Found on HN.

https://latacora.micro.blog/2019/07/16/the-pgp-problem.html

HN comment thread here:  https://news.ycombinator.com/item?id=20455780


-Ryan McGinnis
https://bigstormpicture.com
PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
Sent with ProtonMail


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Essay on PGP as it is used today

2019-07-22 Thread Procopius via Gnupg-users

From Elwin in Lloydminster, Alberta, Canada (visiting family)
July 22, 2019
Ryan & gnupg-users,
Concerning "Essay on PGP as it is used today"

When I went to the link it said it said,
"The PGP Problem"
I searched and determined the author is unknown from from what I could
see.
The Essay suggested a number of alternatives for private messaging.
The firstwas Signal. I downloaded it to my phone. Then the thought
came to me, "howsecure is signal? I looked for a short time and found
this:
Signal Desktop Leaves Message Decryption Key in Plain Sight
https://www.bleepingcomputer.com/news/security/signal-desktop-leaves-message-decryption-key-in-plain-sight/

Why would the nameless author of this essay suggest people use Signal
when anyone given access to a computer be able to just go into
unprotected directories
and get the key to signal and open all past messages sent. Governments
must
love this feature.
The fact that the author can not be questioned because there is no way
to contact him/her
is the first big clue someone is trying to crash the faith people have
in PGP or GnuPG. This
has happened before to me.

I went to an EFF (Electronic Frontier Foundation) meeting and a big
and tall guy came to
me and told me that he had a way of Breaking PGP and told me he had
been working on a
database program that made this possible and spouted off terms I had
never heard before.
I turned around for a second or few and turned back and he was gone. I
searched the room
with my eyes and couldn't find him. I went to the outside door and
looked up and down the
street to no avail. I went to the Intersection and looked around -
nothing. I went back inside,
and I couldn't find him. I had questions.
Doubts flooded my mind. I went and looked at the fundamentals. The PGP
I am interested in
is the PGP based on RSA because it cannot be broken using a very large
Prime number
set that are multiplied together and assuming these numbers are in a
supply in the quadrillions
times quadrillions. I have had a hobby of codes and ciphers and have
around 200 books on what
most common people would consider the ways to write things they cannot
understand or even
see. I was a subway train operator and Railroad brakeman for over 41
years then retired but
am not a math wiz. If you had a multi processor computer like at
Laurence Livermore National
Labs that can independently parallel process millions of possibilities
a second how long would
it take to break one PGP RSA encoded/enciphered message. So if there
are certain prime
numbers that do not qualify to be used, how many numbers are left? So
you have one qualifying
very large prime.

You go to a list of other very large prime numbers and separately use
each number with your
first chosen very large prime number to make a key and test that key
against the message with
the unknown key. If nothing on the List pans out you choose the next
very large prime number
and reuse the very large prime number list. How many numbers make up
the very large prime
number list?
Elwin

Sent using Hushmail

On 7/16/2019 at 9:31 PM, "Ryan McGinnis via Gnupg-users" wrote:More
than a bit critical, but a good read all the same. Found on HN.
https://latacora.micro.blog/2019/07/16/the-pgp-problem.html

HN comment thread here: https://news.ycombinator.com/item?id=20455780
-Ryan McGinnis
https://bigstormpicture.com
PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
Sent with ProtonMail
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: revoke last valid user ID

Re: Essay on PGP as it is used today

Re: Essay on PGP as it is used today

Re: revoke last valid user ID

Re: Essay on PGP as it is used today

security of local keyring

Re: revoke last valid user ID

revoke last valid user ID

Re: Essay on PGP as it is used today

Re: Essay on PGP as it is used today

Re: Essay on PGP as it is used today

Re: Essay on PGP as it is used today

Re: Essay on PGP as it is used today

Re: Essay on PGP as it is used today

Re: Essay on PGP as it is used today

15 matches

Site Navigation

Mail list logo

Footer information