Re: v2.1 openpgp smartcard -- packing in after a `key to card'
Dirk-Willem van Gulik wrote: > During a pretty standard create key; key to card cycle (scripted) - I got an > error > > gpg: OpenPGP card not available: Card removed > > just after the ‘save’ in the —edit-key. A subsequent status check gives me: > > gpg2 --card-status > gpg: OpenPGP card not available: Card removed > > with below scdaemon log information. Unfortunately, your log only includes information _after_ the failure. So, I could only guess about failure. I guess that "key to card" was failed for some reason. > 2019-12-09 18:15:06 scdaemon[47159] detected reader 'SCM Microsystems Inc. > SPR 532' > 2019-12-09 18:15:06 scdaemon[47159] detected reader 'ACS ACR122U PICC > Interface' > 2019-12-09 18:15:06 scdaemon[47159] detected reader 'OMNIKEY AG CardMan 3121' While you have three card readers... > 2019-12-09 18:15:07 scdaemon[47159] DBG: chan_7 -> S READER OMNIKEY AG > CardMan 3121 What you were using was "OMNIKEY AG CardMan 3121", which only supports short APDU level exchange. It is listed in this list: https://ccid.apdu.fr/ccid/supported.html It should work for 1024-bit key. However, I'm afraid that probably, it doesn't work well with recent PC/SC lite, because readers with short APDU level exchange only are getting uncommon. SCM SPR 532 works better, because it supports TPDU level exchance (lower level). -- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gmail smime, sends two messages one is not encrypted. Experience?
Stefan Claas via Gnupg-users wrote: > Mark H. Wood via Gnupg-users wrote: > > > On Sat, Dec 07, 2019 at 09:51:34PM +0100, Stefan Claas via Gnupg-users > > wrote: > > > Juergen BRUCKNER wrote: > > > > > > > Hi Stefan > > > > > > > > Thats not the approach PGP pursues. > > > > PGP was, is and should continue to be decentralized in the future. It > > > > was never really intended to validate identities in a wide circle, but > > > > to secure communication, and - im parts - to ensure the integrity of > > > > software. > > > > > > Well, the integrity of software can also be shown with a simple hash > > > value posted, because I can not verify if the sig belongs to person > > > xyz, even when he / she has a lot of fan sigs from people unknown to > > > me. > > > > Yes, if you trust that the page with the hash on it has not been > > compromised. Once the bad guy is inside the site, changing the hash > > is just as easy as replacing the software. Signatures depend on > > material that is *not* in the same place with the signed object (if > > we're doing it right) and thus can be verified from independent > > sources. > > > > Simple hashes can only detect simple failures. They have no value > > against a careful adversary. > > The software author(s) can simply provide a, via blockchain, timestamped > record[1] of the original hash value. Additionally, from time to time, a > timestamped warrant canary would be welcome addition too. P.S. And regarding PGP signatures, for security software releases; a *super nice* gesture, which would IMHO have a major impact in the OpenPGP ecosystem, would be if authors of security software which are German nationals would have *certified* their software signing keys by the German CA Governikus[2]. [2] https://pgp.governikus.de/pgp/ Regards Stefan -- box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56 certified OpenPGP key blocks available on keybase.io/stefan_claas ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gmail smime, sends two messages one is not encrypted. Experience?
Mark H. Wood via Gnupg-users wrote: > On Sat, Dec 07, 2019 at 09:51:34PM +0100, Stefan Claas via Gnupg-users wrote: > > Juergen BRUCKNER wrote: > > > > > Hi Stefan > > > > > > Thats not the approach PGP pursues. > > > PGP was, is and should continue to be decentralized in the future. It > > > was never really intended to validate identities in a wide circle, but > > > to secure communication, and - im parts - to ensure the integrity of > > > software. > > > > Well, the integrity of software can also be shown with a simple hash > > value posted, because I can not verify if the sig belongs to person > > xyz, even when he / she has a lot of fan sigs from people unknown to > > me. > > Yes, if you trust that the page with the hash on it has not been > compromised. Once the bad guy is inside the site, changing the hash > is just as easy as replacing the software. Signatures depend on > material that is *not* in the same place with the signed object (if > we're doing it right) and thus can be verified from independent > sources. > > Simple hashes can only detect simple failures. They have no value > against a careful adversary. The software author(s) can simply provide a, via blockchain, timestamped record[1] of the original hash value. Additionally, from time to time, a timestamped warrant canary would be welcome addition too. P.S. I have read recently that one can only trust software he / she has written themselves ... ;-D [1] https://opentimestamps.org/ Regards Stefan -- box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56 certified OpenPGP key blocks available on keybase.io/stefan_claas ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gmail smime, sends two messages one is not encrypted. Experience?
>>> "MHWvG" == Mark H Wood via Gnupg-users writes: > On Sun, Dec 08, 2019 at 10:38:43AM +0100, Uwe Brauer via Gnupg-users wrote: >> Now to the question s/mime versus gnupg. >> >> There are the following points which make s/mime easier. >> >> 1. Key generation. In s/mime you apply for a certificate and don't >> have to generate the key by yourself. > Oh, I hope not. The point of asymmetric crypto is that you never, > ever, give your private key to anyone, even, *especially*, the CA. > The proper way to get an X.509 certificate is to generate a keypair, > keep the private key private, and send a CSR containing the public key > to the entity which will issue the certificate. Ah, sorry for the sloppy formulation. You are completely right. The process is, usually[1], as follows 1. For example using Comodo, you apply for a certificate. 2. Your keypair is generated by your own crypt module of the browser (quite some time ago I had a look at the corresponding javascript and it did not look suspicious). 3. You receive a link via email, which you have to open with the same browser and the same computer and your keys get signed. However the user usually does not notice all these steps, and this is what I meant. In the case for pgp the user has to generate a keypair him/herself and believe me, for most users this is much more complicated than 'applying for a certicate in comodo'. Footnotes: [1] there is one exception https://www.actalis.it/products/certificates-for-secure-electronic-mail.aspx they really generate a keypair and send it to you, no kidding. That seems to me a mayor security breach, to say the least smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gmail smime, sends two messages one is not encrypted. Experience?
Sadly i know many CA's who don't give the user any choice about this. They say as a 'user friendly service' they generate also the key for the user and send him a .p12-file. Am 10.12.19 um 17:01 schrieb Mark H. Wood via Gnupg-users: > > Oh, I hope not. The point of asymmetric crypto is that you never, > ever, give your private key to anyone, even, *especially*, the CA. > The proper way to get an X.509 certificate is to generate a keypair, > keep the private key private, and send a CSR containing the public key > to the entity which will issue the certificate. > > > ___ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -- Juergen M. Bruckner juer...@bruckner.tk smime.p7s Description: S/MIME Cryptographic Signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gmail smime, sends two messages one is not encrypted. Experience?
On Sun, Dec 08, 2019 at 10:38:43AM +0100, Uwe Brauer via Gnupg-users wrote: > Now to the question s/mime versus gnupg. > > There are the following points which make s/mime easier. > > 1. Key generation. In s/mime you apply for a certificate and don't >have to generate the key by yourself. Oh, I hope not. The point of asymmetric crypto is that you never, ever, give your private key to anyone, even, *especially*, the CA. The proper way to get an X.509 certificate is to generate a keypair, keep the private key private, and send a CSR containing the public key to the entity which will issue the certificate. -- Mark H. Wood Lead Technology Analyst University Library Indiana University - Purdue University Indianapolis 755 W. Michigan Street Indianapolis, IN 46202 317-274-0749 www.ulib.iupui.edu signature.asc Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gmail smime, sends two messages one is not encrypted. Experience?
On Sat, Dec 07, 2019 at 09:51:34PM +0100, Stefan Claas via Gnupg-users wrote: > Juergen BRUCKNER wrote: > > > Hi Stefan > > > > Thats not the approach PGP pursues. > > PGP was, is and should continue to be decentralized in the future. It > > was never really intended to validate identities in a wide circle, but > > to secure communication, and - im parts - to ensure the integrity of > > software. > > Well, the integrity of software can also be shown with a simple hash > value posted, because I can not verify if the sig belongs to person > xyz, even when he / she has a lot of fan sigs from people unknown to > me. Yes, if you trust that the page with the hash on it has not been compromised. Once the bad guy is inside the site, changing the hash is just as easy as replacing the software. Signatures depend on material that is *not* in the same place with the signed object (if we're doing it right) and thus can be verified from independent sources. Simple hashes can only detect simple failures. They have no value against a careful adversary. PKC, used properly, can raise the cost of compromise, by increasing the number of places that the bad guy must break into and get out of undetected. This is the electronic analog of a principle in physical security: require the bad guy to spend time, make noise, and create a visible mess, to increase his fear of being discovered to the point that the expectation of winning is not worth the expectation of losing. -- Mark H. Wood Lead Technology Analyst University Library Indiana University - Purdue University Indianapolis 755 W. Michigan Street Indianapolis, IN 46202 317-274-0749 www.ulib.iupui.edu signature.asc Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gmail smime, sends two messages one is not encrypted. Experience?
On Sat, Dec 07, 2019 at 08:59:16PM +0100, Stefan Claas via Gnupg-users wrote: > Juergen Bruckner via Gnupg-users wrote: > > Hi Juergen, > > > This question is very easy to answer. > > > > S/MIME has some advantages over (Open)PGP. > > One of them - the most important for the usual S/MIME users - is, that > > S/MIME allows the uniquely identification of a communication partner, > > which is only limitedly possible with PGP. > > > > In addition, educational institutions, such as universities, schools, > > research networks etc., have their own internal CA, which keeps the > > costs very manageable. > > Ah, o.k. with an own CA that make sense. However, I was also assuming > that students may use their certs also for 'outside' comms, which then > would require then that the other parties have always to import non- > trusted root certs, which is not the case with commercial ones, obtained > from globally trusted CAs. Here, the University has a deal with an academic consortium to provide cert.s chained back, ultimately, to a well-known commercial provider. I just submit a CSR to a website, a globally-valid cert. is issued to me in a few hours, and my department is not billed for anything. It's probably cheaper than all the paperwork required to process a requisition and chargeback. We use this, not only for email, but for websites and other network services, where there is no viable OpenPGP-based alternative. The ability to issue email certificates was actually added later, when the Powers That Be became increasingly concerned about phishing. > > Am 05.12.19 um 23:39 schrieb Stefan Claas via Gnupg-users: > > > Sorry, I can't help you but I do have a question, if you don't mind ... > > > > > > Why are the Students at the University don't use OpenPGP with Gmail > > > via the free Mailvelope add-on for Firefox, Chrome? Wouldn't that be > > > not cheaper instead of purchasing a whole lot of S/MIME certificates? -- Mark H. Wood Lead Technology Analyst University Library Indiana University - Purdue University Indianapolis 755 W. Michigan Street Indianapolis, IN 46202 317-274-0749 www.ulib.iupui.edu signature.asc Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
[RESOLVED?] (was: [gmx+gmail])
>>> "JBvG" == Juergen Bruckner via Gnupg-users writes: Hell Juergen > Hello Uwe, > i use Gmail for business for a very long time and never had any issue > like that. You are not going to belive that. I deactivated the s/mime support of gmail's webinterface and even deleted the certificate. Then everything worked as expected. I suspect that this internal s/mime support decrypts the message and copies it in my folder, which is really bad. Unfortunately I cannot investigate this issue, since my university lacks experts in that matter. Regards Uwe smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users