Re: Second OpenPGP-card
Matthias Apitz wrote: El día miércoles, febrero 28, 2024 a las 10:32:43 +0100, Werner Koch via Gnupg-users escribió: On Tue, 27 Feb 2024 20:52, Jacob Bachmeyer said: Therefore, pass(1) almost certainly has its own list of keys stored pass stores the fingerprints of the keys in a .gpg-id file and allows to set different ones per directories. Werner, I have only one .gpg-id file on my L5 mobile in my password-store: purism@pureos:~$ find .password-store/ -name .gpg-id .password-store/.gpg-id purism@pureos:~$ cat .password-store/.gpg-id CCID L5 That .gpg-id file would be the list I was talking about. It seems that pass(1) stores the actual keys on your main GPG keyring, but keeps a list of /which/ keys should be able to decrypt passwords separately. (Also ensure that there is never a rogue PASSWORD_STORE_KEY variable in your environment: if set, it overrides the search for a .gpg-id file.) There is also a facility for maintaining GPG signatures on those .gpg-id files, which would make sneaking in Mallory's key far more difficult if you were to use it. I suspect that the pass(1) manpage has more information and may be interesting reading. Overall, this seems to be a good design. I would also suggest using the key fingerprints instead of names when you reencrypt your password store, as I suspect that your new and old smartcard keys may have similar names. As Werner mentioned, you can also have different .gpg-id files for different parts of your password store, if you wanted some passwords to only be available with certain smartcards. -- Jacob ___ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Second OpenPGP-card
Werner Koch wrote: On Tue, 27 Feb 2024 20:52, Jacob Bachmeyer said: [...] logarithm problem and /vice versa/. Accordingly, RSA1024 is now considered sufficiently dubious that some implementations no longer support it, such as the go-crypto/openpgp library used by the newer Which is a Bad Idea because it is up to the user or their implementation to decide which keys are trustworthy. Being able to revoke rsa1024 keys is a useful feature. Although MD5 (PGP2) can be considered as fully broken, rsa1024 is not in general broken. Agreed; I was not endorsing that position, but I see that I should have said "apparently considered" to make that a bit more clear. I trust that GPG will continue to support the shorter RSA keys for the foreseeable future. But ist is pretty fashionable to use an easy to exploit OS (e.g. not using the latest Linux kernel) and musing about RSA key strength. Keep Shamir's law in mind. Or even Windows, which remains disturbingly common in applications that probably need far less attack surface, like industrial control systems... (Is the stupidity of management a main driver of Shamir's law?) -- Jacob ___ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Second OpenPGP-card
On Wed, 28 Feb 2024 10:55, Matthias Apitz said:
> purism@pureos:~$ cat .password-store/.gpg-id
> CCID L5
Which means that it encrypts to "CCID L5". pass parses this using
while read -r gpg_id; do
gpg_id="${gpg_id%%#*}" # strip comment
[[ -n $gpg_id ]] || continue
GPG_RECIPIENT_ARGS+=( "-r" "$gpg_id" )
GPG_RECIPIENTS+=( "$gpg_id" )
done
The good thing with pass is that it is easy to read.
Shalom-Salam,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
openpgp-digital-signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Second OpenPGP-card
El día miércoles, febrero 28, 2024 a las 10:32:43 +0100, Werner Koch via Gnupg-users escribió: > On Tue, 27 Feb 2024 20:52, Jacob Bachmeyer said: > > > Therefore, pass(1) almost certainly has its own list of keys stored > > pass stores the fingerprints of the keys in a .gpg-id file and allows to > set different ones per directories. Werner, I have only one .gpg-id file on my L5 mobile in my password-store: purism@pureos:~$ find .password-store/ -name .gpg-id .password-store/.gpg-id purism@pureos:~$ cat .password-store/.gpg-id CCID L5 matthias -- Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045 Public GnuPG key: http://www.unixarea.de/key.pub I am not at war with Russia. Я не воюю с Россией. Ich bin nicht im Krieg mit Russland. ___ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Second OpenPGP-card
On Tue, 27 Feb 2024 20:52, Jacob Bachmeyer said: > Therefore, pass(1) almost certainly has its own list of keys stored pass stores the fingerprints of the keys in a .gpg-id file and allows to set different ones per directories. > logarithm problem and /vice versa/. Accordingly, RSA1024 is now > considered sufficiently dubious that some implementations no longer > support it, such as the go-crypto/openpgp library used by the newer Which is a Bad Idea because it is up to the user or their implementation to decide which keys are trustworthy. Being able to revoke rsa1024 keys is a useful feature. Although MD5 (PGP2) can be considered as fully broken, rsa1024 is not in general broken. But ist is pretty fashionable to use an easy to exploit OS (e.g. not using the latest Linux kernel) and musing about RSA key strength. Keep Shamir's law in mind. Salam-Shalom, Werner -- The pioneers of a warless world are the youth that refuse military service. - A. Einstein openpgp-digital-signature.asc Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
