Re: some beginner questions

2017-04-04 Thread Faramir

On 03-04-2017 at 20:04, Will Senn wrote:
...
> Actually, I appreciate all of the detail. I will start off with a
> simple keypair that I am careful with. Based on my current
> understanding, if my passphrase is known only to me, is
> sufficiently long and unique, if I keep my secret key reasonably
> secure, and keep it local to my own devices, I should be reasonably
> safe from exploit against all but the most determined folks.

  You may also want to set an expiration date for your keys (in case
you lose the private keys and revocation certs... let's say they were
on the same hdd and it crashed), which can be edited later (only
problem is your correspondents will need to get an updated copy of
your public key to still be able to use your key). You can also export
your keys using paperkey utility, that way you can print them in an
easy to type (maybe even easy to OCR) way and store the printed
version in a safe place. I don't really care that much about my
signing key, but if my hdd crashes and I need to use my remotely
stored backups... I'll need my encryption key to open them.

 Best Regards

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: some beginner questions

2017-04-04 Thread Faramir

On 02-04-2017 at 20:23, Will Senn wrote:
...
>> In short, the main key acts as a level of indirection, which
>> separates your identity from your encryption/signing keys.
> Sounds like what I was led to believe to be the case, but at the
> end of the day, I don't seem to be able to sign anything with the
> signing subkey if the master key is not present (with sec instead
> of sec#). Do you know how I get it to use the subkey (the manual
> says it will default to a signing subkey, but that's not my
> experience).

  I keep my whole key (main and subkeys) in an encrypted container,
and use only the subkeys on a daily basis (one signing and one for
encryption). The idea was that I could carry gpg on a pendrive and if
the pendrive is lost, I could revoke the subkeys, and don't lose the
signatures on the main key. It worked on gpg 1.4.x and it works for me
on GPG4Win, the only things I can't sign are other keys (unless I
mount my whole key).

  Now, if my computer gets infected by a key-stealing virus and I
don't notice it before mounting my whole key, I'm toasted anyway. But
at least I have a chance to get a warning, and I also can read my
encrypted emails on my laptop without worrying about the keys in case
I lose the laptop.

   Best Regards

P.S: about orphan keys, I've set my keys to expire in 2 years, so if I
lose the private keys, they won't haunt me forever. I just need to
remember to change the expiration date from time to time.



Re: Separate Session Key and Encrypted Data

2015-10-02 Thread Faramir

On 01-10-2015 at 7:26, Christian Loehle wrote:
> I want to use gpg to encrypt a potentially large file to some 
> (cloud-like) storage provider, the recipients are not known at the
> time of uploading. What I want to do is to send the encrypted
> session key of the file to a recipient, when I 'add' them, without
> reuploading or even touching the original file. This should be
> possible, does anyone know how to? I'm also open to other 
> suggestions

  It seems to me it would be easier to use symmetrical encryption. I
always do it using a GUI, but I found these instructions to do it. I
guess gpg will ask for the password:

gpg --symmetric filename

yields filename.gpg

gpg --symmetric -a filename

yields filename.asc


Decryption is performed using the usual "-d" switch:

gpg -d filename

---

  Otherwise, you would have to encrypt the file to your own key, and
then extract the session key. I've never done that, but I found these
directions:


gpg --show-session-key [file_name]

To decrypt:

gpg --override-session-key [session key] [file_name]

---

  I hope it works, I wrote those directions "just in case", but never
tried them, so I may have made mistakes.

   Best Regards


Re: How to get your first key signed

2015-10-02 Thread Faramir

On 01-10-2015 at 5:33, Bob Henson wrote:
...
> Authority key, say. But a signature of any person's key that you
> have not met and positively verified is worse than useless as it
> degrades the whole trust process. Someone who I had never
> previously even heard of once signed my old, now revoked key - were
> that person someone "known" to be nasty, it would have degraded my
> key's value. The best it could have been is totally meaningless.

  I think it is a mistake to consider a signature can degrade a key's
value. After all, we CAN'T prevent people from signing our keys,
unless we try to keep them off the keyservers. But keys tend to end in
keyservers (probably they feel lonely and want to gather with their
peers). And bogus signatures from bogus keys don't weaken the WoT,
since a bogus key is not signed, so the signatures are meaningless. Of
course these signatures increase the public key size, but you can
distribute a clean copy of your key to your peers.

  Best Regards



Re: How to get your first key signed

2015-10-02 Thread Faramir

On 01-10-2015 at 8:08, Bob Henson wrote:
...
>> It /is/ totally meaningless. And we should educate users that it
>> is meaningless.
> 
> Agreed. But a new user who has yet to be educated would baulk at 
> trusting a key signed by Genghis Khan or Attila the Hun - however
> they perceived it, they might well refuse to acknowledge the
> signature as valid and would certainly not sign it or assign it
> user trust - that's human nature. Human beings are essentially
> illogical. :-)

  Indeed. But at first sight, the signature would come from "unknown
key", not from Attila the Hun ;)

  Best Regards



Re: FAQ: drop mention of 1.4?

2015-09-03 Thread Faramir

On 28-08-2015 at 4:37, Werner Koch wrote:
...
> Some of these old time users may not follow the news thus may be 
> baffled when they figure that gpg is not able to decrypt their old 
> data.  Thus a short note that a GPG 1 version is maintained to 
> allow decryption of PGP-2 data or to be used on ancient 
> platforms[1] should be helpful.

  IMHO, it would be desirable that the current version can still open
old data, even if it refuses to encrypt that way. But maybe keeping
the decrypt old data capability has some inconveniences.

  Best Regards



Re: FAQ: drop mention of 1.4?

2015-09-03 Thread Faramir

On 03-09-2015 at 19:46, Robert J. Hansen wrote:
>> IMHO, it would be desirable that the current version can still
>> open old data, even if it refuses to encrypt that way. But maybe
>> keeping the decrypt old data capability has some inconveniences.
> 
> Here's the question I really want people to answer: "At what point
> do we tell people, 'no, that data format has been obsolete for
> twenty years, we're not going to support it any more, it's not even
> close to conforming to the RFCs we implement'?"

  Yes, people should stop using things that are seriously outdated and
proven unsafe.


> If you say "for as long as people have that traffic," then you've
> just given GnuPG an open-ended commitment to supporting PGP 2.6
> *forever*.

  I was thinking about being able to access old data that was
encrypted with PGP 2.6 standard, not about creating new data using that
standard, so, *if possible*, it would be nice to have read-only
backward compatibility.

> There are still people using Apple IIes and Appleworks to manage
> their business spreadsheets.

  And some time ago, I found an old QPro spreadsheet that had survived
somehow in a backup CD. I don't remember if I could open it. But I do
remember once I had to find a way to open an old ms-writer file I
needed to read.

  Best Regards


Re: Teaching GnuPG to noobs

2015-06-18 Thread Faramir

On 17-06-2015 at 11:15, Robert J. Hansen wrote:
...
> The most common one I've found is not understanding the material as
> well as they think.  This tends to come through most in the
> metaphors an instructor uses.  For instance, I frequently encounter
> instructors who tell the class to imagine a lock with two keys, one
> that locks it and one that unlocks it, and they proceed to use that
> lock metaphor to explain crypto.
>
> It's absurd.  Who in the class has ever seen a lock with two keys,
> one that locks it and one that unlocks?  The metaphor's ridiculous:
> the locks the students are familiar with require *no* keys to lock
> and only one key to unlock.

  I remember a tutorial that compared it to a lock and 1 key. I keep
the key, and send the lock to the person that will send messages to
me. The person writes the message, puts it in a box, and locks the box
with the lock.
  I think that is very accurate, because I can encrypt messages to
your public key, even if I don't have a key of my own (of course, in
that case I can't sign the message, but that is a different operation).

  Maybe the magical wax could be useful to explain signatures? Or... I
can send you a sample of my DNA. Then I write a message, and sign it
using my blood as ink (ouch!), you get the message, run a DNA test...
The only way somebody can fake my signature would involve stealing a
sample of my blood, but then, it would be like stealing my private key.

  Best Regards



Re: Talking about Cryptodevices... which one?

2015-02-05 Thread Faramir

On 05-02-2015 at 16:00, MFPA wrote:
> Hi
>
> On Thursday 5 February 2015 at 9:38:29 AM, in
> mid:54d33a15.5050...@digitalbrains.com, Peter Lebbing wrote:
>
> Oh, by the way:
>
> But will a smartcard solve the problem that the host computer
> might be infected with malware?
>
> I'm absolutely sure nobody made that claim.
>
> I've seen the question several times before, usually answered in
> the negative.

  Well... I remember usually the answer is you shouldn't try to keep
using a compromised computer, and that instead of trying to find a way
to keep using a compromised computer, you should fix it. But I still
have the impression that smartcards are supposed to prevent an
attacker from stealing the private keys from the cards, right?

  Best Regards


Talking about Cryptodevices... which one?

2015-01-22 Thread Faramir

Hello,
  Well, some months ago I wanted to take a look at existing
smartcards and/or readers that hopefully support both OpenPGP and X.509
certificates, but my Google-Fu failed me, I couldn't figure out where
to buy something that works on Windows and can be shipped to Chile.
Any advice? I'm not planning to buy right now, but the first step is
to know what to buy, where to buy, and how much it costs.

  Best Regards


Re: Crypto device where I need to confirm every operation?

2015-01-22 Thread Faramir

On 23-01-2015 at 0:29, Robert J. Hansen wrote:
> Smartcards exist to keep private keys safe(r) from being
> stolen. They do a pretty good job of that.  But when we expect
> smartcards to be able to somehow make a compromised environment
> safe to
...
>
> Yes, but maybe you are missing an interesting point...
>
> You're changing the subject slightly.  :)  The thread is about
> letting a legitimate user continue to safely use the system; you're
> talking about limiting the damage an attacker can do.  The two are
> related but different.

  Oh, yes, you are right. After all, if the attacker can steal a
signature, then each time we try to sign something legitimate, the
attacker may be able to hijack it and sign something we don't want to
sign, and the thing we want to sign will remain unsigned. And even if
the attacker can't hijack the signature, malware may very well hijack
the email account, etc.

> The idea might be good for damage mitigation; but for permitting
> continued normal operation, it's IMO a non-starter on every level.

  Yes, compromised machine must be cleaned ASAP. BTW, if somebody is
willing to develop such safety device, I hope it is designed to have
a go ahead button to press, but not to require entering a pin-code
each time. If entering the password to unlock GPG key too often is
unpleasant, doing that in a tiny pin-pad that maybe is not in a
comfortable place would be unusable.

  Best Regards


Re: Keysigning

2014-12-03 Thread Faramir

On 02-12-2014 at 7:53, Robin Mathew Rajan wrote:
> Hello David, :)
>
> I already uploaded my public key to a public key server some months
> ago. But there's no local Linux users group where I live! I sent
> emails to some people listed at biglumber.com with my Government
> issued ID card attached. But no reply came from them. :( Some of
> them are CACert Assurers!

  CAcert requires face to face meetings, since we (yes, I'm an
assurer) must check the government issued ID and try to figure out if
it has been tampered. Then we must compare the picture with your face,
to make sure you are you, and not someone else with your ID.

  But the purpose of getting a signature in your key is to:
1.- allow the person that issues the signature to trust your key validity.
2.- allow people trusting the signature issuer's judgement to trust
your key validity.

   So, if you get CAcert's signature, it allows people trusting CAcert
procedures to consider your key as valid, but it won't have any
meaning for people that don't trust CAcert. Several persons in this
list fall in that category. A signature from a local linux users
group would mean nothing to me, since I don't know any of them, and I
don't know what kind of validation they do before signing a key.

   In other words, you want signatures, but not just any signature,
you want signatures that have some meaning for the people that will be
exchanging messages with you. I know when I first made my key, I
wanted it signed, as if it was some kind of autograph book, but after
a while you realize it just increases the key's weight. Nothing to
worry too much about, since while you can't remove signatures from
keyservers (and you can't prevent somebody from fetching your key from
a keyserver, signing it with 200 bogus keys, and uploading it again),
you can still clear your local copy of your key, and send it by email
to one of your friends. And your friends can also fetch your key and
clean it from all the meaningless signatures it may have (meaningless
to them, as I said, it depends on each person).

   For some uses, I could use a key carrying only a nickname, and
exchange signatures with my gaming alliance, and that would be OK,
since I won't be exchanging any world domination plan with them. If I
were working with a customer that is a representative of a bank, and I
had to email him the user and password for the server I just setup for
them, I'd require a face to face meeting to sign his key (and I
wouldn't mind too much about what name is on the key, I'd care about
the person that uses the key. If the key says Barack Obama, I'd
issue a local signature, so I can still use the signature to verify
the key's validity, and I would not be vouching to the world the key
belongs to Barack Obama). Or I could trust the signature already
issued by my boss.
   By the way, that was just an example, probably any customer
requesting me to give them the server login info would accept it in
plain text over email, or maybe using whatsapp. If paranoid, they
may request the user name being sent by mail and the password by SMS.
Yes, it's frustrating.

  Best Regards


Re: howto revoke a key that has no secret key

2014-07-15 Thread Faramir

On 02-07-2014 0:45, eMyListsDDg wrote:
...
> well i managed to create a pub key without a priv key. that is, it
> only has a pub part. thats what gpa key manager is telling me.

  That's not possible, since the public key is based on the secret
key. Maybe it got deleted somehow, but at some point of the key
generation it was there, and I'd bet if you didn't delete it by
mistake, it should still be there, somewhere. I'm not good at
troubleshooting, but maybe you should post the version of GnuPG you
are using, and the operating system too, so other people can tell you
where to look for the missing secret key.

  As a general advice, always add an expiration date to the key, that
way if you ever lose the private key and revocation certificates, at
least it will die a natural death and stop haunting you. As long as
you have the private key, you can modify the expiration date and
increase the key life span.

   Best Regards


Re: howto revoke a key that has no secret key

2014-07-15 Thread Faramir

On 06-07-2014 19:25, eMyListsDDg wrote:
> i found my error and the priv key. i had created this pair on a
> linux vm some time ago and had forgotten that. back then when i
> exported it and imported into a win machine something didn't quite
> take. i'm in the process of updating the db, and getting things in
> sync.

   Nice. Just in case, I'd suggest you to set an expiration date and
to generate a rev cert (but don't import it!) and store it in a safe
place.

   Best Regards



Re: Google releases beta OpenPGP code

2014-06-07 Thread Faramir

On 04-06-2014 4:32, Werner Koch wrote:
> On Wed,  4 Jun 2014 04:43, ds...@jabberwocky.com said:
>
> I haven't looked at the fine details yet, but on the surface it
> seems like they're aiming at Gmail (mainly, but not solely).
>
> Interesting.  This is in contrast to a recent online article in
> the German c't magazine [1] where the author claims that Google
> would cannibalize their own business model if they offer
> end-to-end encryption.  Apple on the other hand can afford the
> luxury of encrypted chats because their revenue stream is not alone
> based on advertising.

  I have the feeling that Google doesn't care if a small percentage
of users avoid the business model. As an example, since I made my
first gmail account (at that time you needed an invitation to make an
account, and people only had 6 invitations to send), I've been using
my account through POP3/SMTP, so I never see the advertisement. Of
course, when I got my 6 invitations, I sent them to other friends, and
none of them use Thunderbird or equivalent, so google lost the
advertisement I don't see, but got other 6 people that see it... I
guess they bet it will be the same with OpenPGP. Most people value the
ability to access their messages from anywhere, using webmail, and
won't want to have to carry their private keys with them.


   Best Regards


Re: fulldisc encryption

2014-05-31 Thread Faramir

On 30-05-2014 20:21, Mark Rousell wrote:
...
> Note that there is also DiskCryptor for open source full disk
> encryption on Windows. See http://diskcryptor.com. I've not tested
> it but it does seem to work, although it suffers from the same
> drawbacks that TC does (e.g. lack of GPT support).

  I get error 404 on that link (not sure why I'm being forwarded to
www.diskcryptor.com ).

   FreeOTFE seems to be available for windows, and it is compatible
with LUKS and dm-crypt, but it is only available at sourceforge, since
the website seems to only show advertisement. Sigh, I'm glad I don't
need a bullet-proof disk encryption tool right now, so I can wait
until things become more clear.

  Best Regards



Re: Best practices for securely creating master RSA key

2014-05-11 Thread Faramir

On 10-05-2014 4:23, Tomer Altman wrote:
> To whom it may concern,
>
> I recall reading somewhere some best practices for creating one's
> initial RSA key pair that they intend for building their Web of
> Trust. I think the recommended steps were:
>
> 1. Find a computer that you think is relatively free of malware
> 2. Download a Live Linux distro CD/DVD/USB, and verify its signatures
>    to make sure you are not installing a tainted version
> 3. Launch the verified Linux distro.
> 4. Use GnuPG to create private RSA key, and two subkeys (signing &
>    encrypting)
> 5. Strip the master private key from the keychain, saving on an
>    encrypted medium (e.g., encrypted USB stick)
> 6. Create necessary revocation certificates, also save on encrypted
>    USB stick
> 7. Copy over GnuPG keychain without master private key to work
>    computer, personal laptop, etc.
> 8. Store encrypted USB stick somewhere safe

  You need to create the revocation certificates before removing the
primary key, since it is needed to create them.

   Also, I'd use paperkey to print my secret keys, I'd have them
protected by an easy to remember passphrase, since by the time you
need the paper backup, you may have changed your passphrase several
times, so... also, malware can't steal the printed key, so the
passphrase doesn't necessarily need to be bruteforce-proof (now, if
you think somebody may want your secret key so bad to do burglary...
then it must be a strong passphrase).

   To remove the primary key, what you do is to export the secret
subkeys, then backup your keys (and store them somewhere safe), delete
the key, and import the subkeys.

   If you are working on a live CD, the only malware that may
interfere is a tainted bios, something most people don't have to
worry about (but again, some people DO need to worry about it, I've
heard a hint about a non profit CA got a donated computer, and when
they checked it before using it, they found something nasty in the bios).

  I've been thinking maybe I should designate a revocation key
(somebody I can trust), but so far, I don't know anyone I know to
1.- Be willing to be my designated revoker.
2.- Know how to keep his key safe until I need him to revoke my key.
3.- Be careful enough not to revoke my key by mistake.


   Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

-END PGP SIGNATURE-
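
The order of operations discussed in this message (revocation certificate first, then export the secret subkeys, back up, delete the key, import the subkeys), as an added example that is not part of the original posts. It assumes GnuPG 2.1 or later; the user ID, passphrase, file names and both function names are made up for the demo, and the backup directory stands in for the encrypted USB stick.

```shell
#!/bin/sh
# Added example, not code from the thread. Needs GnuPG 2.1 or later.
# User ID, passphrase and file names are constructed for the demo.

# Summarise `gpg --list-secret-keys --with-colons` output read from stdin.
# Field 15 of a sec/ssb record is "#" when only a stub is left, i.e. the
# secret part of that key is not present in this keyring.
summarize_secret_keys() {
    awk -F: '
        $1 == "sec" { primary = ($15 == "#") ? "offline" : "present" }
        $1 == "ssb" && $15 != "#" { usable++ }
        END { printf "primary=%s usable_subkeys=%d\n", primary, usable }
    '
}

offline_primary_demo() (
    set -e
    GNUPGHOME=$(mktemp -d); export GNUPGHOME   # throwaway keyring
    backup=$(mktemp -d)                        # stands in for the encrypted USB stick
    uid='Demo User <demo@example.org>'
    pass='constructed demo passphrase'
    g() { gpg --batch --quiet --pinentry-mode loopback --passphrase "$pass" "$@"; }

    # Certify-only primary key plus one signing and one encryption subkey.
    g --quick-generate-key "$uid" rsa3072 cert never
    fpr=$(g --with-colons --list-keys "$uid" |
          awk -F: '$1 == "fpr" { print $10; exit }')
    g --quick-add-key "$fpr" rsa3072 sign 1y
    g --quick-add-key "$fpr" rsa3072 encr 1y

    # Revocation certificate first, while the primary secret key still exists.
    # GnuPG 2.1+ writes one at key generation; copy it to the backup medium.
    cp "$GNUPGHOME/openpgp-revocs.d/$fpr.rev" "$backup/revoke.rev"

    # Full backup (primary + subkeys), then an export of the subkeys only.
    g --armor --output "$backup/secret-full.asc" --export-secret-keys "$fpr"
    g --armor --output "$backup/secret-subkeys.asc" --export-secret-subkeys "$fpr"

    # Optional paper backup, only if paperkey is installed.
    if command -v paperkey >/dev/null 2>&1; then
        g --export-secret-keys "$fpr" | paperkey --output "$backup/paperkey.txt"
    fi

    # Delete every secret part from the working keyring, then bring back
    # only the subkeys. The public key stays in place.
    g --yes --delete-secret-keys "$fpr"
    g --import "$backup/secret-subkeys.asc"

    state=$(g --with-colons --list-secret-keys "$fpr" | summarize_secret_keys)

    gpgconf --kill gpg-agent
    rm -rf "$GNUPGHOME" "$backup"
    printf '%s\n' "$state"
)

# Run the demo when executed with RUN_DEMO=1.
if [ "${RUN_DEMO:-0}" = 1 ]; then offline_primary_demo; fi
```

In the plain `gpg --list-secret-keys` listing the same state shows up as `sec#` in front of the primary key.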



Re: a bit OT: pgpdump binaries?

2014-05-11 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 09-05-2014 4:34, Josef Schneider wrote:
...
> Hi,
>
> compilation is straightforward, if msys and mingw is installed!
> pgpdump.c is missing a #include <getopt.h>, after adding that
> just a ./configure and make to compile it! I compiled a 64 and a
> 32 bit version for you! The files are digitally signed using the
> Microsoft Authenticode stuff.

  Hello Josef,
  Thank you, as Ben said, I appreciate your effort and
already downloaded the binary files. I tried to verify the digital
signature, but something failed, however, the hash values match the
ones you provided, plus virustotal battery of 52 antivirus agree the
file is safe, so I'm puzzled but not worried about the signature.

  Thanks again


Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

-END PGP SIGNATURE-


a bit OT: pgpdump binaries?

2014-05-08 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hello,
  I hope this is not much off-topic. I was looking for pgpdump
binaries, and the one I have is for version 0.20, I downloaded it in
September 2011. But on the website, the current version is 0.28, from
June 2013. Does somebody know where I can get a binary file for
Windows? Maybe one day I'll learn to compile stuff, but for now I'd
rather use a binary.

   Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

-END PGP SIGNATURE-


Re: Managing Subkeys for Professional and Personal UIDs

2014-05-02 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 28-04-2014 14:35, Daniel Kahn Gillmor wrote:
...
> But I also want to point out that some employers may have a
> legitimate need (even a legal compulsion) to be able to decrypt
> communications coming to your work-related e-mail.  One reasonable
> solution to this is to provide them an escrowed copy of your
> encryption-capable subkey, perhaps locked in a way that you would
> need to be informed (or perhaps deceased?) that they were making
> use of the escrow.
>
> However, i see *no* legitimate need for any employer to be able to
> forge data signatures or identity certifications from your
> work-related key. escrow only makes sense for encryption-capable
> keys in limited contexts.

  What about adding the boss key to the keys the message is
encrypted to?

  Best Regards

-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

-END PGP SIGNATURE-


Re: Managing Subkeys for Professional and Personal UIDs

2014-05-02 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 02-05-2014 18:18, Daniel Kahn Gillmor wrote:
> On 05/02/2014 06:03 PM, Faramir wrote:
>> On 28-04-2014 14:35, Daniel Kahn Gillmor wrote: ...
>>> But I also want to point out that some employers may have a
>>> legitimate need (even a legal compulsion) to be able to
>>> decrypt communications coming to your work-related e-mail.  One
>>> reasonable solution to this is to provide them an escrowed copy
>>> of your
...

>> What about adding the boss key to the keys the message is
>> encrypted to?
>
> You're saying instead of doing escrow of encryption keys?

  Yes, but now I realize it would only solve the problem of accessing
files encrypted by you (and just because I always add my own key to
the encryption recipients, it doesn't mean other people even want to
be able to decrypt messages sent by them).

> The only problem with that approach is that you have no control
> over the people who are encrypting messages and sending them to
> you.  So you're bound to get some messages that the Boss wouldn't
> be able to decrypt later.

  Yes, you are right... then, a new keypair for work related stuff,
and handing over the encryption subkey. And maybe a big disclaimer
saying if you send personal stuff to me, send it to my personal
email, encrypted to my personal key. Maybe it would be nice to be
able to bind specific encryption keys to specific UIDs, but the
simplest thing is to keep things apart.

...
> I'm not saying that all employers *should* do escrow of all their
> employees' encryption-capable keys.  In fact, i think the majority
> of employer/employee relationships should probably never require
> any kind of key escrow.  But there are some relationships where key
> escrow makes sense, and i wanted to clarify that it *only* makes
> sense for encryption-capable keys, not personal signing or
> authentication keys.

  I agree. A few weeks ago I started working for a company that makes
websites (usually, WordPress or Joomla), and the passwords to access
the sites obviously belong to the company. For now the solution was to
say the login details are in an Excel file in my desktop, in case you
need them. Of course I keep a copy with me in case the desktop dies
or is stolen. A work mate left the login details of the site he was
working on, written in a piece of paper on his desk (I hope he
finishes it before somebody discards the paper while cleaning). And
yes, I'm very uncomfortable with that, I'd rather have some way to
have a thief proof passwords repository, but so far I don't know how
to do it, and I'd also have to convince my boss and work mates to use it.

   Best Regards

-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

-END PGP SIGNATURE-


Re: signatures for other people's emails

2014-05-02 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 16-04-2014 11:14, Hauke Laging wrote:
> Hello,
...

  Hello Hauke,

> I was told that this effect was less about the offer itself but
> more about the point that this was one more email from a stranger
> to a group of people. I.e. probably not even read by many of
> them.

   Well, my university handles it like this: the person sends the
important message to the authority backing up the announcement
(usually the secretary of studies, a.k.a. the man you need to talk
to when there are troubles), and he sends it to the students. Students
see a message from him and say "OMG, I hope I'm not in trouble, I
need to read this".

   On Thunderbird there is an add-on that allows to re-expedite a
message without modifying it, so I suppose it would not break an
inline PGP signature, but probably S/MIME would break.

   Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

-END PGP SIGNATURE-


Re: signatures for other people's emails

2014-05-02 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 16-04-2014 13:37, Hauke Laging wrote:
> On Wed 16.04.2014, 18:21:16 Peter Lebbing wrote:
>> The usual way it works here would be, in your example, for the
>> dean to send the recipients a message with "Please consider the
>> request in the attached message", and your message would be
>> attached. That way, it is the dean who requests something, and
>> the PhD would be inclined to read it.
>
> That is indeed possible but has disadvantages:
>
> a) It does not work with more than one supporter.

 You only need 1, but he must be well known.


> b) The supporter becomes more involved in the communication than he
> wants to: He appears as the sender and may receive answers (even
> bounces and autoresponders).

Well, then the sender must be somebody that usually sends
important messages to students. One more message won't trouble him.


> c) The real sender does not have the mail in his sent mail archive
> thus breaking the usual communication structure. In case of doubt
> he does not even know whether the mail has already been sent by the
> supporter.

   Mmmm... you would have the message sent to the supporter, and if he
forwards it with copy to you, maybe... or maybe not, not sure about
what is the problem.


> d) The same for the recipients: They cannot simply search for a
> mail from the real sender.

  But the message should include your email address... again, I don't
get what is the problem.


> e) The supporter must handle the recipients in that case. That may
> be a complicated procedure; he may not even have all the addresses
> yet.

  Well, then he should involve the person that has the addresses,
probably the person that uses to send important messages to students.

   Remember, no matter how many signatures the message has, if it
doesn't come from a known source, they may consider it as spam and
delete it without even opening it. You need the sender to be well known
and respected.

   Yes, it would be nice to have a tool that allows you to attach a
signal from other people to make the message more appealing, but then
the email clients would have to support it, and now more and more
people move to webmail, that is becoming harder.

   Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

-END PGP SIGNATURE-


Re: Access to www.gnupg.org only via TLS

2014-05-01 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 01-05-2014 5:57, Peter Lebbing wrote:
> On 30/04/14 23:48, Daniel Kahn Gillmor wrote:
>> So a CA who learns that a statement that it has made is untrue
>> *should* revoke that statement as soon as it finds out
>
> However, how many of the free StartSSL certs that the owners now
> wish to revoke have actually been compromised by Heartbleed? Peter
> Eckersley of the EFF raised
...

   IMHO, Heartbleed is not the point, any certificate suspected (or
even worse, known) to have been compromised should be revoked. I
wonder what would happen if a stolen certificate is used to do a
fraud, and the affected customers can prove the CA was aware of the
compromise and refused to revoke it because they didn't get money.

   I'm glad StartSSL provide certificates for free, but I'd rather
have them asking a nominal fee to issue the certificate rather than
asking it to revoke it in case of disaster. In my case, I don't own a
credit card, and I can't send money to paypal, so eventually I might
be tempted to get a free certificate, but would be unable to pay a
nominal fee to revoke it, not because I don't have money, but because
I don't have any way to deliver it to the CA.

I also agree that using CAcert certificates may be very
uncomfortable, since the root certificate must be manually added to
the browser, and we (yes, I'm part of CAcert community, and used to
collaborate in policy group) have been unable to produce a license
that both covers CAcert (you know, the as is, we don't claim this is
reliable stuff), and also can be interpreted as compatible with free
software philosophy.

   Best Regards

-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

-END PGP SIGNATURE-


Re: Access to www.gnupg.org only via TLS

2014-05-01 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 01-05-2014 8:55, Werner Koch wrote:
> On Wed, 30 Apr 2014 21:36, faramir...@gmail.com said:
>
>> I'm thinking, now you are using CAcert certificates, would it be
>> possible to get a CAcert signature on the gpg signing key for
>> GnuPG releases? I know the signing key has been said to be well
>
> If they wish to do that they can certainly do so.  I have been
> a CAcert assurer for many years.

  Oh, great, I'm an assurer too... a very bored one, since nobody
seems to care for assurances in this zone of the globe :P
   But CAcert won't sign any key unless the key owner requests it. It
is an automated process, but must be started by the key owner. The key
must carry the name you used when you got assured, and the email
address must have been verified (but freeform UIDs are accepted, if
they have not changed it recently).

> Regarding the release signing key:
>
> pub   rsa2048/4F25E3B6 2011-01-12 [expires: 2019-12-31]
> uid   Werner Koch (dist sig)
...

  I had to issue a local signature to it ;)

> Now check my primary key:
>
> $ gpg2 --check-sigs --with-colons 1E42B367 \
...
> I see more than 70 unique signers since 2008.  Of course it is
> also signed by my old key which has 308 still valid signers.  That
> key used to be on rank 2 of that key signing fun list - up until
> the KDE and Debian guys entered the game ;-)

  Indeed, very impressive, but unfortunately, I still get Marginal
calculated trust, not unexpected, since I only have exchanged
signatures with the very few Chilean assurers available. Of course,
I'm not saying you should get a CAcert signature just to please me ;)

  Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

-END PGP SIGNATURE-
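
Counting "unique signers since 2008" from a `--check-sigs --with-colons` listing, as an added example that is not part of the original posts. The listing below is constructed (all key IDs and names are made up), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: count distinct third-party signers
# in `gpg --check-sigs --with-colons KEYID` output.
#
# Colon format used here (sig records):
#   field 1  record type        field 5  signer key ID
#   field 2  check result       field 6  signature creation time (epoch)
# With --check-sigs, field 2 is "!" (good), "-" (bad), "?" (signer's public
# key not in the local keyring) or "%" (error). Only "!" is counted, so a
# signer whose key you do not hold cannot contribute to the total.

count_unique_signers() {
    # $1 = cutoff in seconds since the epoch; listing is read from stdin
    awk -F: -v cutoff="$1" '
        $1 == "pub" { self = $5 }                  # remember the key itself
        $1 == "sig" && $2 == "!" && $5 != self && ($6 + 0) >= (cutoff + 0) {
            seen[$5] = 1                           # one entry per signer key ID
        }
        END { n = 0; for (k in seen) n++; print n }
    '
}

# Constructed sample listing; every key ID and name is made up.
sample_listing() {
    cat <<'EOF'
pub:u:2048:1:AAAAAAAA00000001:1294790400:1577750400::u:::scESC:
uid:u::::1294790400::0000000000000000000000000000000000000000::Example Key Owner:
sig:!::1:AAAAAAAA00000001:1294790400::::Example Key Owner:13x:
sig:!::1:BBBBBBBB00000002:1199232000::::Signer Two:10x:
sig:!::1:BBBBBBBB00000002:1325376000::::Signer Two:10x:
sig:!::1:CCCCCCCC00000003:1180656000::::Signer Three:10x:
sig:?::1:DDDDDDDD00000004:1262304000::::[User ID not found]:10x:
sig:-::1:EEEEEEEE00000005:1262304000::::Signer Five:10x:
sig:!::1:FFFFFFFF00000006:1356998400::::Signer Six:12x:
sub:u:2048:1:AAAAAAAA000000AA:1294790400:1577750400:::::e:
sig:!::1:AAAAAAAA00000001:1294790400::::Example Key Owner:18x:
EOF
}

# 1199145600 is 2008-01-01 00:00:00 UTC.
# Against a real keyring:
#   gpg --check-sigs --with-colons KEYID | count_unique_signers 1199145600
if [ "${RUN_DEMO:-0}" = 1 ]; then
    sample_listing | count_unique_signers 1199145600
fi
```

Self-signatures, duplicate signatures from the same signer, bad signatures and signatures that could not be checked are all left out of the count.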



Re: Access to www.gnupg.org only via TLS

2014-04-30 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 30-04-2014 3:41, Werner Koch wrote:
...
> Note that https is not enforced for lists.gnupg.org and the other
> services because over there we use CAcert certificates which do not
> work widely enough.  If there is an interest to have lists at https
> as well, I consider to purchase a certificate for it.

  Hello Werner,
   I'm thinking, now you are using CAcert certificates,
would it be possible to get a CAcert signature on the gpg signing key
for GnuPG releases? I know the signing key has been said to be well
known, but I don't know any of the signatures on it. However, I know
CAcert's key, and an extra signature would not do any harm.

   Best Regards

-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

-END PGP SIGNATURE-


Re: Access to www.gnupg.org only via TLS

2014-04-30 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 30-04-2014 15:23, Doug Barton wrote:
> On 04/30/2014 01:25 AM, Martin Gollowitzer wrote:
...
> Yeah, I don't quite see your point. They are providing a very
> valuable service for free, and charge a nominal fee for revoking a
> cert. If you
...
> Meanwhile, if your response is going to be in the nature of,
> "Everything I want should be given to me free just because I want
> it" please don't bother.

  IMHO, to be able to revoke a compromised certificate should be free,
since when you get a certificate, you have time to think about if you
really need it, and to consider if you can afford it. But if the
certificate is compromised, then you really need it revoked ASAP. It
is like providing free airplane tickets, and then charging for the
parachute.

  Best Regards

-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

-END PGP SIGNATURE-


Re: cryptanalysis question: Does knowing some of the content of the message make the full message vulnerable to decryption?

2014-01-30 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 30-01-2014 18:15, Donald Morgan Jr. wrote:
> If you know a user has a signature that they use to always end a
> message with, does that data aid in the decryption of the file?
> Would this exploit be applicable to symmetric encryption methods as
> well?

  I think padding helps to avoid that, but I'm not sure if gpg uses
padding at the symmetric encryption step.

  Best Regards

-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

-END PGP SIGNATURE-


Re: Customizing GPG Tools Keychain

2013-10-27 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 03-10-2013 17:48, Alejandro Szita wrote:
> Dear All,
>
> I am a new member to this list, so first of all thank you so much
> for your time and consideration in helping me out, I hope I can
> return the favour in the near future.
>
> My system runs MAC OS 10.7.5, I have the GPG Tools Package
> installed and I am able to sign & encrypt e-mails.
>
> My question is about how to customize this package. I read
> somewhere else that you can remove your Private Master Key
> altogether from your system and use only the subkeys. Moreover, you
> can specialize each subkey for a particular use, such as for
> example: only encrypt an e-mail, only validate a code, etc...
>
> Could you please point me to a resource or article that explains in
> detail how to do that?

  Yes, there is a tutorial here
http://tjl73.altervista.org/HTML_sign_tutorial/tutorial_en.html

  Hu... I think this is not the first time I read your name, could
it have been at fidonet, many years ago?

  Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.15 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

-END PGP SIGNATURE-


Re: [Gpg4win-announce] Gpg4win 2.2.0 released

2013-08-26 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 21-08-2013 8:53, Emanuel Schütze wrote:
> Hello,
>
> we are pleased to announce the availability of the new stable
> Gpg4win version 2.2.0.

  Nice! But... is the stable version different than Gpg4win
2.2.0-beta56 ? Sometimes the final version of a product is the same as
the last beta.

  Best Regards

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

-END PGP SIGNATURE-


Re: Serpent?

2013-08-23 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 22-08-2013 9:56, Robert J. Hansen wrote:
...
> GnuPG extends this with support for Camellia-128, Camellia-192 and
> Camellia-256.  I don't know the reasoning for introducing Camellia,
> but I'm sure there's a solid basis for it.

  IIRC, somebody said, a long long time ago, that Japan had some
requirements for using Camellia, so I guess if GnuPG doesn't have it,
Japanese people can't use it without some "you are using an
unapproved cipher" or something like that. But I can't even remember
who said Japan likes Camellia, so maybe that's not the reason.


  Best Regards

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

-END PGP SIGNATURE-


Re: Any value to duplicate signatures?

2013-03-02 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 02-03-2013 5:14, Doug Barton wrote:
...
> The signatures are from the same keys, same certification level,
> everything. The only thing different is the date of the signature
> (obviously).
>
> So the question is, what value, if any, would there be to
> importing those signatures, and sending them out to the key
> servers? I know that the various -clean options will strip that
> down to the most recent, I'm just curious. :)

  Sometimes signatures include expiration dates, so you need to renew
them from time to time to avoid losing them. Other than that...

  Best Regards

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.13 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

-END PGP SIGNATURE-


Re: Questions about OpenPGP best practices

2013-03-01 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 25-02-2013 19:54, Peter Loshin wrote:
...

> 2. On keeping an encrypted backup of my secret key material, what
> method is recommended for doing that? (Presumably something like
> gpg --export-secret-keys | gpg --output secretkeymatter.gpg
> --symmetric?)

  You can use Paperkey utility to print your secret key (still
protected by its passphrase). Paperkey removes the public key
information from the secret key and prints it in a way that makes it
very easy to OCR it or manually type it in case you need the backup. You
will need your public key to restore the private key, but if you
uploaded it to key servers, it is very likely you won't have troubles
to find a copy of it.

  Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.13 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

-END PGP SIGNATURE-


Re: More secure than smartcard or cryptostick against remote attacks?

2013-02-08 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 08-02-2013 6:48, Peter Lebbing wrote:
> On 08/02/13 03:12, Josef Schneider wrote:
>> With GnuPG on the other hand someone who has access to my PC can
>> sign whatever he likes and sign as much as he likes, as long as
>> my card reader is attached
>
> Just so you know, the OpenPGP card has a "forcesig", "force
> signature PIN", flag which you can set so you have to enter the PIN
> for every individual signature. Unfortunately (IMHO), there's no
> such flag for decryption and authentication, which can be done
> multiple times with one PIN entry.

  Maybe it would be interesting to add a big sign button to the pad.
Probably you would not like to enter a PIN for each signature, but
maybe 1 button to press for each signature (after the PIN has been
entered for the first one) would be interesting. Of course, probably
that would require to modify readers and cards, and maybe very few
people would want it.

  Best Regards

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.13 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

-END PGP SIGNATURE-


Re: More secure than smartcard or cryptostick against remote attacks?

2013-02-07 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 06-02-2013 19:51, Robert J. Hansen wrote:
> On 2/6/13 4:28 AM, Peter Lebbing wrote:
>> Can you explain (broadly) how one would compromise the
>> signature/the device that you sign with?
>
> Happily!
>
> I have an OpenPGP smartcard and an SCM card reader.  I installed
> it under Fedora 16 and it worked beautifully.  Under Fedora 17 it's
> broken. After a few rounds of unfruitful debugging I gave Werner an
> account on an F17 box with this hardware plugged in, and even then
> we were unable to figure out what was wrong.  So, since this device
> clearly doesn't work under F17 (or F18, now, for that matter), I've
> elected to stop using it in favor of using my desktop PC.  Just
> makes sense.  Damned thing doesn't work.
>
> -- And that is _exactly_ the attack I would use against any dongle
> you plug into a compromised PC in order to make signatures safely.
> If I've compromised the system, all I need to do is make the dongle
> not work properly.  After a few rounds of frustrating debugging and
> discovering the thing just doesn't work, you'll revert back to
> using your compromised PC.  You'll do it for the exact same reason
> that I stopped using my smartcard reader: damned thing doesn't
> work.

  Ah, but there are situations in which that would not work... if the
secret key is ONLY present in the smartcard, and you are required by
law to only use a secret key from a smartcard, that attack would make
you unable to use digital signatures, but would not allow you to
obtain documents signed by the victim. Now, why did I come with that
case where law forces the use of smartcards? Easy, because that is
what Chilean law says about digital signatures. Of course, it focuses on
X.509 standard, and only if the certificate was issued by one of the
CAs in the short list of government approved CAs. You can use other
kind of digital signatures, but they won't be considered as legal as
the smartcard ones, the judge would have to decide how much prove
value to assign to those signatures... and that would be a bit scary ;)

  Best Regards



Re: Seperate Master Key and signing/encrypting subkeys method

2012-12-04 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 04-12-2012 18:18, Allen Schultz wrote:
 GnuPG-Users:
 
 I was wondering where that article was about separating the master
 key from daily subkeys (both signing and encrypting). I can't seem
 to find it. Are there other articles on the similar methodologies
 that are still

  I can't find it now, but found this:

http://www.mentby.com/Group/gnupg-users/offline-primary-key.html

  It lacks the screen captures, but has the juicy information required
to do it.

 secure. And is it still recommended that I sign another's keys
 with the master signing key?

  The master key is the only key that can sign other keys, and yes,
your sub-keys must be signed by your master key (it is done
automatically), if not, somebody can add rogue keys.

  Best Regards



Re: OT: USB key with hardware encryption?

2012-12-02 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 02-12-2012 18:31, Doug Barton wrote:
...
 It's OT for this mailing list, but you could use TrueCrypt in
 portable mode in this situation with a file volume.


   I think he can't, TrueCrypt in portable mode still requires admin
rights to run, and Richard mentioned access restrictions.

   Another option is to use 7zip in portable mode, it allows you to
encrypt the compressed volume using AES, unless the restrictions
affect it too (AFAIK, it doesn't require admin rights, but maybe there
are ways to restrict it too).

  Best Regards


Re: OT: USB key with hardware encryption?

2012-12-02 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 02-12-2012 16:38, Richard Höchenberger wrote:
 Apparently I just now figured out how to use Google ;) Found two
 flash drives with built-in encryption  pinpad:
 
 http://www.lok-it.net/ 
 http://www.corsair.com/usb-drive/flash-padlock-2-usb-drive.html

  I've read a review about the corsair usb drive, and the writer said
it was easy to crack, but then I read another review, saying it is a
lot less flawed than the other review said, so I'd trust it to keep my
data safe from casual attackers (seriously, how many of us need
NSA-proof devices? I know I don't). But don't put it on a washing
machine, it seems to be less water-proof than it is supposed to be.

  Best Regards



Re: OT: USB key with hardware encryption?

2012-12-02 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 02-12-2012 16:38, Richard Höchenberger wrote:

...
 http://www.corsair.com/usb-drive/flash-padlock-2-usb-drive.html
 
 Do you guys have any experience with one of these?

   I found the favorable review:
http://www.everythingusb.com/corsair-flash-padlock-2-flash-drive-18671.html

   And I think at Corsair's site there is more info. IIRC, even if you
can retrieve the encrypted files, you have to defeat a full 256 bit
key, not a 10 digits PIN, so, the PIN is intended to be used together
with the time bruteforce protection, and would be used to unlock the
AES key.

  Best Regards


Re: new release of GPA

2012-11-06 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 06-11-2012 11:30, Werner Koch wrote:
 On Tue,  6 Nov 2012 07:56, faramir...@gmail.com said:
 
 My fault, I was trying with www.gpg4win.org
 
 Your problem might be that you still filter out the 5.0.0.0/8 net
 which has been allocated 2 years ago.  I check with Intevation that
 both will

  Probably it has something to do with a VPN software I have installed
(hamachi), I'll uninstall and try, just for curiosity.

  Best Regards


Re: new release of GPA

2012-11-06 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 06-11-2012 11:30, Werner Koch wrote:
 On Tue,  6 Nov 2012 07:56, faramir...@gmail.com said:
 
 My fault, I was trying with www.gpg4win.org
 
 Your problem might be that you still filter out the 5.0.0.0/8 net
 which has been allocated 2 years ago.  I check with Intevation that
 both will point to the same box.

  Yes, uninstalling hamachi and comodo vpn solved the problem, they
were old versions that used that range of addresses.

  Back to the subject, does GpgEx require Kleopatra to run? Any other
dependencies?

  Best Regards



Re: new release of GPA

2012-11-05 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 30-10-2012 9:31, Werner Koch wrote:
 On Mon, 29 Oct 2012 21:41, r...@sixdemonbag.org said:
 
 Could you perhaps make a list of, say, the top five features
 GPGshell supports that GPA doesn't?  Things that you, yourself,
 use regularly,
 
 That is a good idea.  At least it might help us to stop responding
 to recommendation of GPGshell.  BTW, why did the OP not also
 recommended PGP Desktop?

  I have 2 questions:

1.- Is it me, or is the gpg4win site down?

2.- Can I install gpg4win in parallel to GPG 1.4.12? I don't know if it
would modify my keyrings or something like that.

  Best Regards



Re: new release of GPA

2012-10-31 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 29-10-2012 15:34, Robert J. Hansen wrote:
 On 10/29/2012 2:05 PM, User wrote:
 You may want to take a look at GPGshell for an alternative.
 
 GPGshell is not Free Software, and for that reason it's not
 exactly appropriate to recommend it on this list.  Whether we agree
 or disagree

  Well, that is true, and still, a lot of people love GPGShell
functionalities. It is sad to think that, not being free software, if
the developer stops supporting it, nobody can pick it and keep it updated.

 What about GPGshell do you find to be a clear win over GPA?  How
 can the GPA maintainers make GPA competitive with GPGshell?

  I don't remember GPA features, can it be installed without having to
upgrade to GPG 2.x branch? I'd like to give it a look again.

   Best Regards



Re: what is killing PKI?

2012-08-30 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 28-08-2012 20:01, MFPA wrote:

Hello,

 IMHO, the main trouble probably is people don't feel the need to
 protect their privacy.
 
 So why do they use envelopes rather than postcards, and keep
 secret the PIN for their cashpoint cards?

  There may be several reasons for that, and I'd like to ask about
them to the friends that, being capable of using GPG, have said "no, I
don't want to bother with installing it" to me. But a priori, probably
they use envelopes to keep all the paper sheets together. And I don't
think they would send a PIN in a letter. But if they do, probably they
would say "but the mail-man can't know there is a PIN inside my
letter, why would he open the envelope?".

  Ok, maybe they trust mail office doesn't open envelopes. They have
too many letters and too little time, and no interest in reading
letters. But email messages don't go straight from your hand to
mail-man's hand, they have to travel a bit before reaching the mail
server, and if you are using Wi-Fi, anyone in router's range can take
a look at it. If we add the fact Eve doesn't even have to re-seal the
envelope, then we may have a problem.

   Best Regards


Re: What is stopping PKI from growing was: Re: what is killing PKI?

2012-08-30 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 29-08-2012 5:28, antispa...@sent.at wrote:
 Hello List!
 
 I'm (for some of you) your worst nightmare. Somebody who does not
 master the fine arts of cryptography, yet has an opinion about
 cryptography. I might say I enjoy reading the thread on PKI, but I
 wasn't able to read it all.

  I don't think that is anybody's nightmare. After all, many of us are
not masters of cryptography.

 Please understand this is not a flame against Landon, but rather at
 the whole culture of having a debate that puts people into two
 groups: a small one formed by initiated and a huge one with lay
 people. I am using

  Right, but it doesn't require high technological skills or a degree
in computer science to become an initiated. It can be explained in 20
minutes, while you drink a coffee. Manuals are long and sometimes hard
to understand, because they must cover a lot of information, and list
all these options we will never use (but are still there, because what
I don't use is a must-have for other people). Just stay with us a bit,
and soon you'll find yourself transformed into a GPG initiated.

...
 I think the argument with the envelope instead of a postcard is
 dated before considering encryption as an electronic envelope.
 Anyway, while

  Well, but it is. It is an almost impossible to open envelope, but
encrypted email still has the recipient's address, and the info of
the sender, at plain sight.

...
 stereotypical nerd living in a basement. The real postman has way
 too much on his hands to waste time with every private message.
 Yet, the message might be delivered into the hands of a servant or
 family member. It's them, the people around, who are the most
 interested to find out the juicy story.

  That is also very true, Eve is probably very close to either the
sender or the recipient. Unless we are talking about NSA, CIA, or Men
in Black, but if that is the case, then using cryptography is only a
small part of the protection measures.

 I see webmail as far from a barrier. Get one plain text editor
 with encrypt / decrypt abilities. Then just copy and paste the
 armored text.

  Or even better, attach the armored file to the message, and then you
don't even have to worry about html stuff messing it.

 What can be simpler? Why do I have to handle a buggy slow beast
 like thunderbird or evolution when I can do it with the ballast
 provided by a

  As a thunderbird user, I don't find it buggy or slow. At least, it
didn't use to be slow.

...
 everything on a 386. So, instead of having a complicated system
 with problems, just use a web interface and do all the mails
 offline in a folder. Faster, more portable.

  Not sure about the faster part, you have more steps to follow to
send a message. But it still can be done. And as you need to carry
your encryption tools with you, you can also carry a portable install
of Thunderbird+GPG+Enigmail. Well, not sure if GPG2 will run in
portable mode, but for a while we can still use 1.4.x branch

...
 Why look down at people? Lay people? A concept invented by the
 religious / initiated caste to separate themselves from the
 disgusting masses.

  Lol, it is not like that. It is we are talking about encryption and
why except us -the paranoid guys- the other people don't use it. It is
not about education level, intelligence, or anything like that, in
fact, if we were looking down at people, we would be saying "they
aren't capable of using this stuff", instead of that, we are talking
about "why don't they use it? How can we make them use it?".

...
 It's cute to develop bondage though some sort of initiation, say 
 Dungeons and Dragons if you like a cliché, but it's still jacking
 off. The world is the thing out, at large, and not some meetings in
 a basement.

  Initiation? I'm lost now... I came here, joined the list, read a
bit, asked some questions, tried GPG, left an orphan key... and somehow,
now I'm a GPG user. And to think it all started when a teacher said
"well, this is my public key, your assignment is to send an encrypted
message to me, that is the link to PGP's site". And of course, I
thought "isn't there a free version?"

  By the way, some years ago I went to a CAcert assurer's meeting. It
was at a coffee shop, no basements involved.

...
 Even if gpg is easily obtainable, that is, still, almost nothing.
 Gpg is not a portable app. One must read a few cryptic pages. Even
 if clear,

  It used to be. You can still get the portable version.

 they are boring. Generate a key. What size? The answers are quite 
 liberal: it depends on what you need. It should be *2048 or read
 some

  Unfortunately, it really depends on your needs. But there is hope:
the standard answer here is "most people should stick to the
defaults". There are even some straightforward wizards to set it up
and generate your key (like enigmail's wizard).
  Options are more complex, but people with unusual needs should know
they have to devote more time 

Re: what is killing PKI?

2012-08-29 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 28-08-2012 18:27, Stan Tobias wrote:
...
 What would happen if you start reading your daughter's diary 
 everyday, but never let anybody catch you reading it? And you
 are
...

 I would be violating her privacy.

  Right, that was my point. From your previous message, I got the idea
you suggested "if we want to use buses, we must use them, if we want
privacy, we must send clear text messages and claim 'don't read
them!'". But it can only work if we become aware of people violating
our rights. With email messages that is not the case (unless people
disclose things they saw on the messages).

 
 What happens with her right to privacy?
 
 Nothing, she still has that right.

  Ok, my fault, I was talking about privacy and not about her rights.

  Well, what should she do to ensure her privacy is respected and not
violated, if she can't know if somebody is reading her diary?

  I can leave my passwords on a piece of paper next to my screen, I
know my mother won't read them, and certainly she won't use them. I
know her and I trust her. But I don't know the guy sitting with a
laptop on the next cafeteria table, I don't know the administrators in
my ISP, and I don't know the path my email messages will follow to
reach the recipient's email box, so I don't have any reason to trust
those people. And since the email can be read at several points, by
several people, even if I see the content posted somewhere, unless I
can track the person that posted it, there are many possible Eves, I
can't know which one intercepted it, so I can't sue anybody. So my
options are to encrypt my messages, or to assume they can be read and
I must not send passwords or other sensitive data.

...
 obvious.  Note it's usually alright to read diaries of
 long-deceased persons.  For another example, suppose she was
 kidnapped - it would be alright to view her diary in order to help
 her.

  I agree. Maybe I made a mistake comparing her diary with email
messages, since her diary is at her home (no strangers should be able
to enter the house), while emails are out there, you don't even know
who can have access to them.

...
 So, in order to enforce our right to privacy, we use a tool to
 make it really hard to break our right to privacy (a subpoena is
 very
 
 I think we talk different languages here.  You have a right to
 privacy whether it's breached or not (I think it's kind of a human
 right,

  Yes, my fault, I was talking about privacy.


  Best Regards


Re: on running C-Z/SUV without a group manager

2012-08-28 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 24-08-2012 8:42, peter.segm...@wronghead.com wrote:
...
 Yes and no. If the group manager configures the software,...
 
 This group's view is now that a single point of failure (such as a 
 group manager - who probably either does (or easily can, if she 
 so desires) know (or guess) the identity of ~all~ of the group
 members is to be avoided if at all possible. I'm suggesting (to
 them and to you) that it is indeed possible to construct both a
 piece of software - which is what we are discussing here - and the
 security protocols that would enable 100% peer-to-peer MO.

  Uh... well, that brings in another problem: how does Alice get
Bob's key or symmetrical password to encrypt the messages?

  Currently I don't even imagine what are the expected use cases
software must allow.

 Since she is already going to use security software on unsecured 
 computers, I don't know how much confidence she should have on
 it,
...

 Please allow me to make this important point (again!): *these are
 not unsecured computers*. These are, without a trace of doubt,
 more secure computers than a typical Internet-connected MS Windows
 computer, and (oddly!) I don't ever remember on gpg user list any
 warning about using gpg on those. These are simply computers on
 which, for various reasons, no permanently installed software
 exists.

  Maybe I misunderstood the description of those "on the road"
computers. It may have been my fault, but I got the idea they would be
computers like you can find on coffees, or maybe libraries. If they
don't have permanently installed software (not even operating system),
then it is very likely they won't have malware on them. Unless Mallory
suspects Alice might use one of these computers, it is unlikely she
would install malware on the BIOS, or use hardware devices to
tamper with the computer.


 ...Nobody can prove there is a hidden partition, but you can't
 prove you don't have one, so beware of bamboo needles.
 
 Just for the record: nobody in this group is in any danger of
 being tortured (or worse). Nobody is likely to be even mistreated
 for the mere possession of some USB stick with unreadable content -
 as long as

  Then, Truecrypt, if Alice can get admin rights on the computers she
uses. But only IF she is sure not to be mistreated for the possession
of an unreadable USB stick.

...
 other hand, when her connection to the C-Z/SUV is established (or
 possibly just suspected) by her employer, Alice will very likely 
 end up unloading grocery trucks at her local supermarket for the
 next

  Then Alice must evaluate if the possession of an encrypted USB
stick can make her employer suspect she is involved with something
he doesn't approve.

  Remember:

- Encryption: Eve knows you have something there, but can't read it.

- Steganography: Eve doesn't know you have something there, but she
might be able to find it if she looks very carefully. And if she finds
it, she can read it (unless you combine steganography with encryption.
But then you lose the benefits of steganography and you not only have
encrypted messages, you are also trying to hide the fact you have
encrypted messages...).

  Best Regards


Re: what is killing PKI?

2012-08-27 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 26-08-2012 17:37, Stan Tobias wrote:
...
 If you want to preserve the Privacy (like I described above), you
 have to exercise it.  You have to take a risk that someone will
 open and read your letter/email, and if they do, you demand them
 and everybody else to leave you alone, that is to say, to respect
 your privacy.  If you encrypted your letter, you wouldn't be able
 to exercise your right to Privacy by demanding others not to read
 it.

  What would happen if you start reading your daughter's diary
everyday, but never let anybody catch you reading it? And you are
careful not to talk about what you've read, or take actions that
could hint you have read the diary. Your daughter will never know you
read it. What happens with her right to privacy? She is still
exercising it, she writes on her diary everyday.

  The same thing applies to email messages, we expect only the
intended recipient will read it, we send them everyday. And yet, we
don't know if we have privacy or not, until something we sent is
published somewhere AND goes viral. But since we are not celebrities,
it is unlikely what we write will go viral, even if we send nude
pictures, it is unlikely we will ever know someone already saw them.
And by sending more and more email messages, we won't make that change.

  So, in order to enforce our right to privacy, we use a tool to make
it really hard to break our right to privacy (a subpoena is very
likely to make us disclose our messages, if we don't have anything
to hide). That tool is encryption, and it doesn't only enforce our
privacy right, it also makes us aware about people trying to take away
that right from us, because the one trying to take away that right,
first would have to take away our right to use encryption, or force us
to install some backdoor on it.

  Best Regards


Re: what is killing PKI?

2012-08-25 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 25-08-2012 1:35, Laurent Jumet wrote:

 Hello Faramir !

  Hello Laurent,


 On your message below, my GPG gives this warning:
 
 === Begin Windows Clipboard ===
 gpg: armor: BEGIN PGP SIGNED MESSAGE
 gpg: armor header: Hash: SHA256
 :packet 63: length 11 - gpg control packet
 gpg: armor: BEGIN PGP SIGNATURE
 gpg: armor header: Version: GnuPG v1.4.12 (MingW32)
 gpg: armor header: Comment:
 gpg: invalid armor header: Using GnuPG with Mozilla - http://enigmail.mozdev.org/\r\n
 === End Windows Clipboard ===
 
 It's the first time I get such a message; what does it mean?

  Not sure, I checked the message on my sent folder, and signature
validates without issues, so maybe 'something happened on the way to
heaven'... maybe some mailserver was hungry and ate one byte or two?

  I've not changed any setting, so if this message's signature is
right, probably it was one of these strange errors we will never be
able to reproduce on purpose.

  Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-
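
The output quoted in this message shows an empty `Comment:` header followed by a line that is rejected as an armor header. As an added example (not part of the thread and not GnuPG's code), this Python check applies the `Key: Value` rule for armor headers from RFC 4880 section 6.2 and flags that pattern; the sample message, the function names and the assumption that the Comment value was folded onto its own line in transit are constructed for illustration.

```python
import re

# "-----BEGIN PGP ...-----" opens an armor block; header lines follow until
# the first blank line (RFC 4880, section 6.2).
BEGIN_RE = re.compile(r"^-----BEGIN PGP [A-Z0-9 ,/]+-----$")
# Well-formed header: key, colon, then either a space and a value or nothing.
HEADER_RE = re.compile(r"^([^:\s][^:]*):(?: (.*))?$")

# Constructed sample: a clearsigned message whose Comment value was folded
# onto the next line, as the quoted gpg output suggests (assumption).
SAMPLE = "\r\n".join([
    "-----BEGIN PGP SIGNED MESSAGE-----",
    "Hash: SHA256",
    "",
    "Hello Laurent,",
    "-----BEGIN PGP SIGNATURE-----",
    "Version: GnuPG v1.4.12 (MingW32)",
    "Comment:",
    "Using GnuPG with Mozilla - http://enigmail.mozdev.org/",
    "",
    "(signature data omitted)",
    "-----END PGP SIGNATURE-----",
    "",
])


def scan_armor_headers(text):
    """Return one finding per line that sits in an armor header section."""
    findings = []
    in_headers = False
    prev = None  # the header on the immediately preceding line, if valid
    for lineno, raw in enumerate(text.split("\n"), 1):
        line = raw.rstrip("\r")
        if BEGIN_RE.match(line):
            in_headers, prev = True, None
            continue
        if not in_headers:
            continue
        if not line.strip():
            in_headers = False  # a blank line ends the header section
            continue
        m = HEADER_RE.match(line)
        if m:
            prev = (m.group(1), m.group(2) or "")
            findings.append({"line": lineno, "ok": True,
                             "key": prev[0], "value": prev[1]})
        else:
            hint = None
            if prev is not None and prev[1] == "":
                hint = "probably the folded value of '%s'" % prev[0]
            findings.append({"line": lineno, "ok": False,
                             "text": line, "hint": hint})
            prev = None  # only the first stray line can be a folded value
    return findings


def invalid_headers(text):
    """Only the lines that break the Key: Value form."""
    return [f for f in scan_armor_headers(text) if not f["ok"]]


def unfold_headers(text):
    """Rejoin a value that was folded onto the line after an empty 'Key:'.

    Armor headers are not part of the signed data, so this does not touch
    anything the signature covers.
    """
    lines = text.split("\n")
    drop = set()
    for f in invalid_headers(text):
        if f["hint"]:
            i = f["line"] - 1  # index of the stray line; header is at i - 1
            eol = "\r" if lines[i - 1].endswith("\r") else ""
            lines[i - 1] = lines[i - 1].rstrip("\r").rstrip() + " " + f["text"] + eol
            drop.add(i)
    return "\n".join(l for n, l in enumerate(lines) if n not in drop)


if __name__ == "__main__":
    for f in scan_armor_headers(SAMPLE):
        print(f)
    print(invalid_headers(unfold_headers(SAMPLE)))
```
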



Re: gpg simplified?

2012-08-24 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 22-08-2012 14:59, peter.segm...@wronghead.com wrote:
 Thank you for your comprehensive comments,

  You are welcome, let's add more comments.

 On 22/08/12 03:16, Faramir - faramir...@gmail.com wrote:
 I think you are wrong about that. All the user needs is a
 properly configured portable install of GnuPG (and very likely,
 an easy to use GUI, because if Alice can't understand WOT,
 probably using CLI won't make her happy at all).
 
 FWIW, this is not our assumption. Alice is far from a computer 
 illiterate and such simple CLI interaction is for her a trivial 
 exercise.

  Clicking a couple of buttons on a GUI usually is easier than
remembering a command with 1 or 2 options plus 2 or 3 parameters.
Selecting a recipient from a list is easier than remembering and typing
the ID of the recipient. I'm not computer illiterate either, but a lack of
GUI would make gpg usage very uncomfortable for me.

 GPG is on the other hand so tightly integrated with WOT that no
 matter what, it is unavoidable that any user will sooner or later
 stumble upon some of WOT anatomy or physiology minutia, and that
 will have at least one of two rather detrimental consequences:
 
 a) with insufficient knowledge of the WOT model, Alice will take a
 wrong turn and therefore impact the overall security of the
 group;

  Yes and no. If the group manager configures the software, and Alice
doesn't modify config files, GPG should prevent her from taking wrong
turns. Getting people's public keys is easy, but making GPG accept
them as valid keys is not that easy. You need to either sign them, or
to modify config file to skip GPG's decision. There are several WoT
models available, and if the Group Manager chose a strict one, and
Alice doesn't sign keys or modify the config file. It is possible to
remove Alice's primary key from her keyring, so she can't sign other
people's keys, even if she wants to.
  In other words, if the software is properly configured, taking a wrong
turn would require parking the car and using a wrench to remove the
guard rail. So Alice would not take a wrong turn by mistake.


 b) Forced to deal with things she doesn't fully understand, Alice
 will lose the confidence in the security the system provides.

  Since she is already going to use security software on unsecured
computers, I don't know how much confidence she should have on it, but
that is another matter.


> The second point is worth elaborating upon. Somewhere else you
> say:
>
>> Alice doesn't need to know what it does...
>
> and:
>
>> Then the end user will never have to bother about what is a WoT.
>> GPG and the group manager will handle that part. End user just
>> needs an updated public keyring.
>
> This thinking pretty well follows the contemporary computer
> security dogma: the user need not understand any of the underlying
> concepts, the user just has to trust whoever has designed and
> implemented the system.

  Well, you were the one who said Alice doesn't have the time to
learn about WoT and other stuff. I tried to say GPG can be configured
not to let her make wrong decisions (she can't take wrong turns). But
that requires that Alice won't attempt to disable safety measures, because if
she does so, then she will be on a road with a lot of possible turns
with banners she doesn't know how to read.


> In our case, that is simply wrong. Alice is no fool, Alice is
> (probably) a medical or technical professional, Alice is reading the
> papers, Alice knows that computer security is full of holes, and
> unless she, herself, has a reasonable knowledge of the system upon
> which ~her~ security depends, if in doubt, she will respectfully
> decline to participate in the activities of the group this system
> is supposed to serve. What she doesn't understand *is a liability*.
> Not all liabilities can be avoided, but they certainly must be
> minimized. It's not to say that Alice must be proficient in the
> design of crypto algorithms, but she ~must~ understand and have the
> confidence in data formats and the protocols.

  Well, considering she will be using insecure computers which no amount
of encryption can make safe, maybe she should respectfully decline to
participate in the activities of the group.
  The configuration Robert suggested to you means the WoT is reduced to
keys approved and provided by the Group Manager. Any other key Alice
might find would be considered as invalid and the software would
refuse to encrypt messages to those keys. In other words, there is no
WoT, there is a vertical single-link chain of trust, because the only
person that can add keys to the allowed recipients list is the group
manager.


> Alice (in the most common usage scenario) carries with her a USB
> stick that has no file on it that, unless it is broken
> cryptographically, is anything other than a stream of random bytes.
> The three (or a single)

  In other words, her USB stick must look like an unformatted storage
unit? If that is the case

Re: what is killing PKI?

2012-08-24 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 24-08-2012 19:33, Robert J. Hansen wrote:
...
> Thank you, John.  Simson Garfinkel has another one worth adding to
> the list, but I'm blanking on it for the life of me right now --
> give me a

   Maybe "Bridge over troubled waters"? (I'm joking)

   IMHO, the main trouble probably is people don't feel the need to
protect their privacy. If they don't feel that need, why should they
bother learning, or even asking about privacy software?

   My opinion is NOT based on studies, but on the answers my techno
savvy friends and relatives gave me when I told them about GPG and x509.

   Maybe we should dress in transparent clothes, and say "we don't
have anything to hide" if people ask us why we are using those clothes. It
might be complemented by a banner saying "I'm NOT SHOWING my body,
it's just I'm NOT HIDING it".

But first we need to save money to pay the fines.

   Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: gpg simplified?

2012-08-21 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 31-07-2012 8:17, peter.segm...@wronghead.com wrote:
...
> Correct me if I'm wrong, but it is unreasonable to expect anybody
> to successfully and safely use gpg without understanding the
> concepts and mastering the skills essential to the WOT:

  I think you are wrong about that. All the user needs is a properly
configured portable install of GnuPG (and very likely, an easy to use
GUI, because if Alice can't understand WOT, probably using CLI won't
make her happy at all).

  The group manager (from now on, the administrator) has a key, used
to sign the member's key (as Robert explained in the message from July
31, about using Thunderbird+Enigmail). Gpg is configured to trust
Administrator signature, probably her own signatures, and nothing else
(so, it will be a very short WoT). If she encrypts a file to a public
key, either:

a) Gpg sees the key is signed by the administrator, and allows the
encryption. Alice doesn't have to know about the internal magic in
this process.

b) Gpg doesn't find the administrator signature, and rejects the
recipient's key as not valid. Alice doesn't need to know what it
means, she just needs to know "if GPG doesn't let me do this, I must not
do this". Of course, if all the keys she has available came from the
software provided by the administrator, this will never happen.

...
> group manager in the widest possible sense). He can easily do
> all the necessary key management (distribution, verification,
> revocation...) functions in the course of his other (quite
> extensive, actually) group management tasks and activities.

  Then the end user will never have to bother about what is a WoT. GPG
and the group manager will handle that part. End user just needs an
updated public keyring.


> Most users in this group have no single computer they operate on.
> Occasionally they must be able to create cipher-text on drive-by
> computers, not connected to the public network or where any
> network access is raising undesired attention. It is essential
> that the software requires no installation on the computer it is
> to be used on. (i.e., it must be statically linked, with no
> external dependencies).

  I have GPG with GPGShell on my USB flash drive, and I can encrypt,
decrypt, and generate keys quite easily. Of course I can do a lot more
things, but I'm not forced to do any other thing. And since GPGShell
is JUST a GUI, that means GPG can do the same things from command
line, and unlike GPGShell GUI, it is available for Windows, Linux, etc.

  Now that I already said that, I must also say I don't enter my private
key passphrase in a computer I don't trust. In fact, I don't remember
if I ever used my portable gpg, other than to test if it works. I
carry it with me just in case I go to visit my father, and for any
strange reason, I want to decrypt a file I have at my 4shared account.
I know his computer is probably safer than mine, since he uses it just
for work, he doesn't install stuff on it, and so on.

  Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-
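
The administrator-only trust arrangement described in this message and in the 22-08-2012 reply further up, as an added example that is not part of the original posts. It assumes GnuPG 2.1 or later, uses throwaway keys under constructed example.org addresses, and picks ultimate ownertrust on the administrator key as one way to make gpg accept only administrator-certified recipients.

```shell
#!/bin/sh
# Added example: administrator-only trust, shown with throwaway keys.
# Assumes GnuPG 2.1 or later; every name and address below is constructed.

# Run gpg non-interactively against one home directory ($1).
g() {
    g_home=$1; shift
    gpg --homedir "$g_home" --batch --no-tty --quiet "$@"
}

# Print the fingerprint of the first key matching $2 in home $1.
fpr_of() {
    g "$1" --with-colons --list-keys "$2" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Print the calculated validity letter of key $2 in home $1
# (f = full, u = ultimate, - = unknown).
validity_of() {
    g "$1" --with-colons --list-keys "$2" |
        awk -F: '$1 == "pub" { print $2; exit }'
}

# Succeeds only if gpg agrees to encrypt to $2 using the keyring in $1.
# With --batch, gpg refuses a recipient key that is not valid instead of asking.
can_encrypt_to() {
    printf 'constructed test message\n' |
        g "$1" --armor --encrypt --recipient "$2" >/dev/null 2>&1
}

# Build two home directories:
#   GEN_HOME   stands in for the administrator's machine (secret keys live here)
#   ALICE_HOME is what the administrator hands to Alice (public keys only)
setup_group() {
    GEN_HOME=$(mktemp -d)
    ALICE_HOME=$(mktemp -d)

    for who in admin bob outsider; do
        g "$GEN_HOME" --pinentry-mode loopback --passphrase '' \
            --quick-generate-key "$who (constructed) <$who@example.org>" \
            future-default default never
    done
    admin_fpr=$(fpr_of "$GEN_HOME" admin@example.org)
    bob_fpr=$(fpr_of "$GEN_HOME" bob@example.org)

    # The administrator certifies the member key; the outsider key gets nothing.
    g "$GEN_HOME" --local-user "$admin_fpr" --quick-sign-key "$bob_fpr"

    # Alice receives all three public keys but no secret key, so she has
    # nothing to certify keys with.
    g "$GEN_HOME" --export | g "$ALICE_HOME" --import

    # Ownertrust 6 (ultimate) on the administrator key makes its
    # certifications sufficient on their own; no other key is trusted.
    printf '%s:6:\n' "$admin_fpr" | g "$ALICE_HOME" --import-ownertrust
    g "$ALICE_HOME" --check-trustdb
}

# Stop any daemons gpg started for the given home directories and delete them.
teardown() {
    for t_home in "$@"; do
        gpgconf --homedir "$t_home" --kill all >/dev/null 2>&1 || true
        rm -rf "$t_home"
    done
}

# Print, for each recipient, the validity gpg calculated and its decision.
demo() {
    setup_group
    for rcpt in bob@example.org outsider@example.org; do
        if can_encrypt_to "$ALICE_HOME" "$rcpt"; then
            verdict=allowed
        else
            verdict=refused
        fi
        printf '%-22s validity=%s encryption=%s\n' \
            "$rcpt" "$(validity_of "$ALICE_HOME" "$rcpt")" "$verdict"
    done
    teardown "$GEN_HOME" "$ALICE_HOME"
}

# Run the demonstration when called as: sh this-script demo
if [ "${1:-}" = demo ]; then demo; fi
```

The outsider key is present in Alice's keyring the whole time; it is the missing administrator certification, not a missing key, that makes gpg refuse it.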



check-passphrase-pattern

2012-08-18 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hello,
  I saw a message at the Spanish help list, asking where to find
an example pattern file to use with the check-passphrase-pattern option.
Since this list is a lot more populated than the Spanish list, I thought I
should forward the question here.

 Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-


Re: AES vs. Serpent vs. Twofish (was Re: KeePass or any other password wallet to store and transport keys)

2012-07-27 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 26-07-2012 5:56, Ben McGinnes wrote:
> On 26/07/12 6:40 PM, Robert J. Hansen wrote:
...
>> For instance, I don't like Serpent very much on account of how
>> complex it is.  My rule of thumb is, if I don't believe an
>> undergraduate in computer science can understand this algorithm,
>> how can I expect people to implement this algorithm correctly?

   Let's hope the people developing TrueCrypt have a computer science
graduate among them ;)

...
> Interesting.  Most of the things I've read on Serpent, which
> admittedly isn't much, is about how it was not accepted for AES
> because of the speed aspects rather than other aspects and that it
> may be more secure.

  I *think* I remember B. Schneier said Serpent is the most secure
from the AES contest. Current AES is recommended because it is the
standard, so, "no one gets fired for using AES" (like IBM), and for
his money, he would use TwoFish (if we consider Schneier was
uncomfortable with some things about AES that now are known to be not
as strong as they were supposed to be, maybe TwoFish lacks those
vulnerabilities... but might have other undiscovered issues. Good
thing is, *if* they remain undiscovered, they won't be exploited).

  Anyway, one reason to cascade the 3 algorithms might be: Serpent,
because it is the most secure. TwoFish, because it might lack the
vulnerabilities AES has, and because we might be afraid Serpent was
not implemented right. And AES, because it is the standard, and no one
gets fired for choosing AES. Now, if we consider Serpent was rejected
because of its lack of speed, the 3 algos together must be like an
arthritic snail...

  Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-


Re: KeePass or any other password wallet to store and transport keys

2012-07-27 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 26-07-2012 8:43, Heinz Diehl wrote:
> On 26.07.2012, Faramir wrote:
>
>>> That's security through obscurity assuming the other one won't
>>> know where to search for the key, which is not stored with
...
>> Not right, if your secret key is protected by a passphrase (or
>> strong password), it doesn't matter if the attacker knows where to
>> find it.
>
> It does matter. Because the software which has generated the key
> can be flawed, and thus can have generated a flawed key. Nobody has
> to know about such flaws, it's quite likely that an attacker
> chooses not to publish information about that, with the effect
> that he/she can use the security hole longer (maybe forever). If
> it's reported, it will be fixed immediately.

  Wait, now I'm lost here... we were talking about how to prevent an
attacker from getting a usable private key, so I don't see how the
quality of the key has anything to do with it.

>> Actually, the attacker is very likely to know where it is, since
>> probably it will be at the default folder.
>
> This is why smartcards exist.

   Well, yes, but we were talking about keys not stored on smartcards,
but on normal storage devices (like hdd or USB flash memory).

  Best Regards

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-


Re: KeePass or any other password wallet to store and transport keys

2012-07-25 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 25-07-2012 1:12, Robert J. Hansen wrote:
> On 7/24/2012 10:21 PM, Faramir wrote:
>> Clearly I'm out of my league there. I had heard about that, but
>> later I also heard about stacking different algos (with different
>> keys of course) to increase security.
>
> I'm unaware of any reputable reference that recommends this
> practice. That's not to say no such reference exists, only that if
> one exists I'm unaware of it.

  If I ever saw a reputable reference, I forgot it. I know TrueCrypt
can stack up to 3 different encryption algorithms, but that is not the
same as if Schneier, Shamir or that kind of professionals say it is a
good measure. I know Schneier advised to be careful, because you don't
know if you will improve security or decrease it, but that was a long
time ago, maybe now they know a bit more, but if they do, I could not
find a reference.

  Now I found this article, with some references to papers:
http://blog.cryptographyengineering.com/2012/02/multiple-encryption.html


>> Anyway, do you know about any list of compatible encryption
>> algorithms? I mean, pairs that work well together.
>
> The better question, to me at least, is why would I want to do
> this?

  Probably because some software offers the option to do it, it would
be good to know what to avoid, other than avoid everything.

> Cryptosystems tend to fail predominantly due to human error, then
> to software bugs.  Consider that since PGP 2.6 was released in ...
> what was it, '91? ... not one single encryption algorithm used by
> PGP has ever been broken.  Although IDEA is not well-regarded by
> modern standards it's still a safe cipher; and RSA is still, well,
> RSA.

  In that case, it might make sense to, let's say, compress and
encrypt a file using winzip, and then compress and encrypt it using
7zip, in case one implementation fails, the other might hold. Or in
the case of the original question, storing the private keyring inside
a keepass database. If there is a bug in GnuPG, maybe keepass will
hold. If there is not a bug in gpg, then it doesn't matter if keepass
is bug-free or not.

  It might make sense using cascade encryption in truecrypt, just in
case there is a bug in the implementation of one of the encryption
algorithms. But if the bug is elsewhere, since it is the same program,
the bug would affect both ciphers, and there is no gain in using cascade.


> If the algorithms are unlikely to be broken but the likelihood of
> security-impacting software bugs is essentially certain, then
> stacking algorithms would seem to be ill-advised.  Stacking
> algorithms increases the complexity of the code, increases the
> number of keys which must be

  True. Combining 2 different systems (let's say, winrar and
keepass) would avoid the danger of more bugs, but of course, won't
help with the increase of keys.

  Best Regards

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-


Re: KeePass or any other password wallet to store and transport keys

2012-07-25 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 25-07-2012 2:50, Heinz Diehl wrote:
> On 25.07.2012, Faramir wrote:
>
>> Clearly I'm out of my league there. I had heard about that, but
>> later I also heard about stacking different algos (with different
>> keys of course) to increase security.
>
> What's the model of threat in your case, actually? Usually, the
> crypto algorithm isn't the weakest part in the whole scenario, and
> stacking different algorithms will therefore not make any sense at
> all.

  I'm just talking (and thinking) about the question from the thread
starter, so this discussion doesn't apply directly to my threat model.
I find the question interesting, because maybe, some day, I might
think about storing one encrypted thing inside another encrypted thing.

  Best Regards

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-


Re: KeePass or any other password wallet to store and transport keys

2012-07-25 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 25-07-2012 8:29, antispa...@sent.at wrote:
>
> On Wed, Jul 25, 2012, at 03:23, Faramir wrote:
...
>>> Yes, security through obscurity. A possible attacker won't know
>>> for
...
>> I don't know why you say security through obscurity. Private
>> keys can be stored encrypted, so even if somebody steals them, the
>> thief
...
> I keep the key on the same physical drive as the encrypted
> document. That's security through obscurity assuming the other one
> won't know where to search for the key, which is not stored with
> the right extension or in the most common place.

  Not right, if your secret key is protected by a passphrase (or
strong password), it doesn't matter if the attacker knows where to find
it. Actually, the attacker is very likely to know where it is, since
probably it will be at the default folder. But finding it doesn't mean
he can USE it, without the passphrase, it is just a soup of bits.

>> A hacker will know what key he needs to open a file, because the
>> encrypted file say it, unless the sender selects hide recipient's
>> key
...

> So he or she will have to locate the right key. Reasonable would be
> to keep the key away, at least on some removable media.

  Most of us want to keep our keys away from other people, and also
keep them protected by a passphrase, in case the key falls in the
wrong hands. The attacker needs 2 things: the key and the passphrase.
It is a matter of making things harder for the attacker.


>>> It employs far less characters. Yet it can be looong. How
>>> about that? Is that any better? 45 ASCII lowercase with an
>>> uppercase ASCII and a couple of signs is better than 16 random
>>> alphanumerics and signs?
>>
>> I bet it is, as long as that 45 characters passphrase is not
>> something that could be found on dictionaries, or combining
>> dictionary words. But probably it is an overkill. Anyway, Keepass
>> has a built in
...
> If only dictionary attacks would be the problem then any
> longish verse from a popular band could do it. Just add a comma in
> some weird place and you have broken even the lyrics hacker.

  Don't forget there can be attacks with dictionary and mutators. Of
course, you can increase mutators until the attack becomes infeasible
too (what is the point when a dictionary attack with mutators becomes a
bruteforce attack?).
  Anyway, a good password should include uppercase and lowercase,
numbers and special characters. One of each of these forces the
attacker to increase the key space (even 1 special character forces
the attacker to include them in the attack). Of course, there may be a
sub-set of special characters known as most used special characters.
And of course, make it long enough that a bruteforce attack is infeasible
for your adversary. And what is infeasible for your adversary? Depends
on your threat model.

   Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-


Re: KeePass or any other password wallet to store and transport keys

2012-07-24 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 22-07-2012 16:52, Robert J. Hansen wrote:
> On 7/22/2012 12:12 PM, Faramir wrote:
>> If your secret key is password protected, placing it inside a
>> keepass file would add a second (maybe unneeded) layer of
>> protection, and you can choose a different encryption algorithm
>> than GnuPG uses, so if one algo gets broken, the other would
>> hold.
>
> Not necessarily.  This idea of 'stacking algorithms improves
> strength' is tempting, but it can just as easily reduce strength or
> do nothing.

  Clearly I'm out of my league there. I had heard about that, but
later I also heard about stacking different algos (with different keys
of course) to increase security.

> Cryptography is a subtle art, and algorithms interact with each
> other in deeply surprising and counterintuitive ways.  Before
> advocating that algorithms be composed together to achieve certain
> results, it's good to make sure that these compositions are
> cryptanalytically sound.  :)

  Indeed. But, AFAIK (and I can be wrong), private keys are stored
individually encrypted (let's assume the user encrypts them all) inside
the private keyring. Each one can have a different passphrase. Then
you take that keyring and encrypt it using... let's say, Twofish algo,
with a different passphrase. In that case, you would be encrypting a
different file, not the individual private key, so it might be at
least equivalent to using salt to make the file change.

  Anyway, do you know about any list of compatible encryption
algorithms? I mean, pairs that work well together.

  Best Regards

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-


Re: KeePass or any other password wallet to store and transport keys

2012-07-22 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 20-07-2012 11:51, antispa...@sent.at wrote:
> I don't know much about security and cryptography. So what do you
> think about this combination? Is it any safer or is just a waste of
> time with the conversion to ASCII and back?

  If your secret key is password protected, placing it inside a
keepass file would add a second (maybe unneeded) layer of protection,
and you can choose a different encryption algorithm than GnuPG uses, so
if one algo gets broken, the other would hold. But it seems unlikely
encryption algos get broken anytime soon, so weak link probably is the
password chosen. Of course, I'm not an expert, so I may be totally wrong.


  Best Regards

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-


Re: Some people say longer keys are silly. I think they should be supported by gpg.

2012-05-22 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 22-05-2012 12:33, Jerry wrote:
...
> that sort of logic. What really amazed me though was that the OP
> wants security and yet he uses GMail. GMail and security are
> diametrically opposed concepts.

  Why? If I send an encrypted message, it doesn't matter if I use
gmail, ISP-expensive-crap-mail or any other provider, the message
would still be encrypted end-to-end. Of course I'm not talking about
composing a message in the webmail editor and then encrypting it, but
about using a MUA, like Thunderbird, or maybe composing the message on
a text editor, encrypting it and pasting it on the message body (or
attaching the encrypted text file).

  Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-


Re: Some people say longer keys are silly. I think they should be supported by gpg.

2012-05-22 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 22-05-2012 8:34, da...@gbenet.com wrote:
...
> Some say that all the power of the universe - and all the time it's
> been in existence will not crack a 2048 bit key with a secure
> passphrase. So by the time the universe is well and

  That is about if your secret key falls in the hands of somebody
wanting to use it. But factoring your public key to obtain a working
copy of your secret key is certainly something that may be done before
the end of time, and won't require Dyson spheres to power the machine.
We know one day RSA 2048 will be broken... BUT, the question is: will
it matter to us when it happens? Maybe I will say "Finally! I will
be able to revoke that orphan key I uploaded to keyservers when I was
learning how to use GPG"... if I could remember the UID it had.

  We can use RSA 2048 and wait until something stronger is available,
or we can go RSA 3072 and be even safer. Or we can even go RSA 4096,
and people will say "that's an overkill!!!", all that without
modifying GnuPG.

  Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-


Re: Some people say longer keys are silly. I think they should be supported by gpg.

2012-05-22 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 22-05-2012 4:58, tim.kac...@gmail.com wrote:
...
> There are also estimates made that in the US 1 in 6 protestors is
> actually a government agent of one sort or another, dept of
> defense, homeland security, fbi what have you.  And that excludes
> any thugs the bankers put in the crowd as privately hired types.

  If that's the case, it is very likely you will send your messages
encrypted to the Super-Secure 32.768 bits RSA key belonging to
an infiltrated agent... which of course won't have to break the key to
read it, because he already has the key.

  Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-


Re: SSH Agent keys 4096 bit?

2012-05-05 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 04-05-2012 10:17, Milo wrote:
> Hello Robert, Hello all.
...
>> How many petabytes are sent across the wire each day?  Do you
>> really think people will be storing all of today's traffic for
>> twenty years, just so some analyst not even born yet will someday
>> be able to say, wow, I really want to see what's in this random
>> guy's porn stash!?
>
> Yeah, then leave your home open because Wow, who wants to check
> every door in the world. So many of them.

  The difference is you don't need to store doors before checking them.

  Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-


Re: SSH Agent keys 4096 bit?

2012-05-05 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 05-05-2012 7:46, Milo wrote:
...
>> You also indicate yourself where this goes askew: RSA 8k is
>> immensely more CPU intensive than AES256 v AES128.
>
> If you can't afford this immense expense - don't use 8k RSA.

   But if you send a signed message, using RSA 8k, then you force your
recipient to use it. GPG chooses the symmetric algo and hash algo based
on the recipient's preferences, but it can't choose the asymmetric algo.

Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-


Re: Current key servers

2012-04-20 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 12-04-2012 20:29, John Clizbe wrote:
...

>> pool.sks-keyservers.net adds them to its own list.  So really,
>> that's the only address you need.  :)
>
> It's best to stick with the pool address, otherwise if you select a
> single server, you'll run into trouble if it's offline or there is
> a connectivity

  I'd also keep 1 or 2 addresses to keyservers, just in case one day
the pool has troubles.

  Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-


Re: comments on uid

2012-03-18 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 18-03-2012 5:13, freej...@is-not-my.name wrote:
...
> Alright that's a good answer but aren't people just confirming the
> email address belongs to a known signer when they sign a key? Does
> it really matter what the UID comment is? I think it may be going a
> bit too far to say the UID is guaranteed.

  You define your policy about what you check when you sign a key
(or a UID; after all, you sign UIDs on a key, not the key itself). So
somebody might check the email address and name of the key owner, and
ignore the comment, unless it is false (like the comment saying USA
President). Others might not care about the comments at all.

> Do I have to do anything with the keys when adding a UID and
> deleting the old one? I don't remember.

  I think you must make the new UID the primary UID before being able
to delete the old one, but I'm not sure about it. The worst thing that
could happen is to get a message saying you can't delete your primary
UID or something like that.

> My question is on a situation I didn't add the comment by mistake
> when I created the key and now I'd like to be able to add a
> comment. The key isn't signed etc. Thanks.

  If the key is not signed and it is not on keyservers, just make the
new UID, set it as primary, and delete the old one. If the key is
available at keyservers, then revoke the old one instead of deleting it.

   Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-


Re: comments on uid

2012-03-18 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 18-03-2012 15:13, freej...@is-not-my.name wrote:
>> I should note that many people actually *don't* check if the
>> e-mail address belongs to the person whose UID they sign. If this
>> were as
...
> That doesn't sound right. If you can't verify the email shown on
> the key belongs to the user what have you accomplished? All you did
> was tie a key id to a person (maybe, not sure if you provably
> accomplished that) but not the email address. If the purpose of key
> signing is ultimately to relate something useful to a person then I
> think it's more useful to know a certain person owns a certain
> email address and what his key id is. YMMV.

  Well, I can carry my photo-Id stuff with me to a keysigning party,
but I don't have any document to show I own my email address. Some
people solve that by sending the signed key, encrypted to the
recipient's key, to the email address. If the person doesn't control
the email address, the person won't get the signature. If the email
owner doesn't have the key, then he can't open the signature.

  Some people even add what is called a Freeform UID, which
carries Name, Comment, but no email address, that way, if they change
their email provider, signatures collected on that UID won't be lost
(you should revoke the UIDs that include an email address you no
longer can use).

> Passports and other documents are easily forged, just take 100
> bucks and sit

  Well, that depends on the technology used to make the passports.

...
> you along with his passport? I'm sure somebody has thought it all
> through but it seems to me the purpose of trusting a key is to bind
> somebody to an email address, not just a key ID...sort of like
> S/MIME that contains the email address, but without relying on a
> trusted third party.

  That depends on what you want to achieve. Some people want to
know which is the real key of a person (binding the key to a name),
some others want to make sure they are sending stuff to the right
person, but don't care about who that person is (they bind the key to
an email address, or to a nickname). That is the good (and for some
people, the bad) thing about OpenPGP, your signatures have the meaning
you want them to have...

   Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-


Re: invalid gpg key revocation

2012-03-07 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 07-03-2012 18:24, MFPA wrote:
...
>> Only your private key can generate the revocation certificate,
>
> Can't you add another key as a designated revoker, and then
> generate the revocation certificate with that other private key?

  You are right, I forgot that because I don't really know how to do
that (and I don't know who I would make my designated revoker). Let's
ask if there was a designated revoker, that would explain it all.

Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-


Re: invalid gpg key revocation

2012-03-06 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 06-03-2012 15:59, auto15963...@hushmail.com wrote:
...

> I do in fact use gpg-agent and a cache 0, but this machine is not
> in a workplace or public location. It is in my home, in a place
> where visitors have no access, and my family would not have been
> able to do this.  My machine has considerable security. I am not
> saying it would be 100% impossible to get access, but I am saying
> that if there is a possibility, I am not aware of it and I need to
> be so that I can prevent its recurrence.  I do believe that there
> is another more plausible explanation.

  Same here, any attack (other than theft) on my machine would come
from the Internet.

> For instance, what procedure occurs at the server itself that
> allows the revocation to occur?  Is it a fully automated event? Is
> there a way for a person without a key to issue a command to the
> server in any way to make this happen?

  Only your private key can generate the revocation certificate.
Keyservers don't have your private key. After the revocation
certificate is generated, anybody can import it to your public key and
upload it to keyservers... remember rev certs must be capable of
revoking a key in case the private key is no longer available. So we
think probably somebody had access to your key, or to a backed up rev
cert. You say there was not an already generated rev cert, so it is
very likely your computer has a trojan on it.

  By the way, how long was your private key? 1024 bits? Or less?
Because if it was a 512 bits key, it MIGHT have been factorized.

  Just in case, I keep my master keys off-line, only the subkeys are
at my computer.

   Best regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-


Re: invalid gpg key revocation

2012-03-06 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 06-03-2012 16:58, Peter Lebbing wrote:
...
> The keyservers don't do any validation on revocation certificates;
> anyone who feels like it can add /invalid/ revocation certificates
> to your key to annoy you. But as soon as OpenPGP software imports
> the key from the keyserver, it will simply discard /invalid/
> revocation certificates as noise.

  Ah... I was not aware of that... interesting...

  Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-


Re: invalid gpg key revocation

2012-03-04 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 04-03-2012 19:29, Hauke Laging wrote:
...
> The interesting question about that is not about you publishing the
> public key but about how the person could get access to your
> private key. It is not possible to revoke a key without the private
> key. That answers your question

  Or they need to have a revocation certificate previously
generated... maybe a rev cert was stored in an insecure place?

  Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-


Re: Revoke a key 0E84608B

2012-01-31 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 31-01-2012 9:12, Marko Randjelovic wrote:
> I tried to revoke this key since after changing a passphrase on
> 2012-01-28 and using it with new passphrase immediately after,
> after a few hours I could not again be successful (bad
> passphrase).

  Since you know the old and new passphrase, maybe you can bruteforce
it, using passphrases as a guide and looking for characters that could
have been mistyped. I don't know about tools to do it, but there
should be some.

> But revkey also asks for a passphrase.

   To generate a revocation certificate you need the private key, so
you need the passphrase. If you have an already generated revocation
certificate, importing it doesn't require a passphrase.

> Is there any way to revoke this key?

   No. If you uploaded your key to keyservers, the only thing you can
do is to ask people that signed that key to revoke the signatures on
it, that way, it would be easier to choose the right key in the future
(I mean, once you get a new key, and it gets signed, people will find 2
keys, one signed, and new, and another with revoked signatures, and
older).


   Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-


Re: Revoke a key 0E84608B

2012-01-31 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 31-01-2012 9:12, Marko Randjelovic wrote:
> I tried to revoke this key since after changing a passphrase on
> 2012-01-28 and using it with new passphrase immediately after,
> after a few hours I could not again be successful (bad
> passphrase).

  I searched your key, and it will expire in about one and a half
years, so, if everything fails, at least it won't haunt you until the
end of time.

   Best Regards, and good luck with the attempt to recover it.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-


GnuPG distribution signature

2012-01-30 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hello,
  Is key D869 2123 C406 5DEA 5E0F  3AB5 249B 39D2 4F25 E3B6 (
0x4F25E3B6 ) the current key used for signing files? I suppose it is,
but I'd like to ask before issuing a local signature.

  Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-


Re: Using root CAs as a trusted 3rd party

2012-01-24 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 21-01-2012 18:50, Gregor Zattler wrote:
> Hi Aaron, gnupg users,
> * Aaron Toponce aaron.topo...@gmail.com [21. Jan. 2012]:
>> I just signed an OpenPGP key with cert level 0x12 (casual
>> checking) given the following scenario:
>>
>> * A PGP key was signed by an SSL certificate that was signed by a
>>   root CA
>> * I verified that the signature was indeed from that root CA.
>> * I stripped the signature, and imported the PGP key.
>> * I then signed the key, exported, and sent back.
>>
>> What are your thoughts on using root CAs as a trusted 3rd party
>> for trusting that a key is owned by whom it claims? Of course,
>> this is merely for casual checking, but it seems to be good
>> enough.
>
> IMHO by signing a key you make a statement about the connection
> between a person or owner and the user id you sign, saying I
> somehow convinced myself that user owns this key.  This only makes
> sense if you have some insight into the matter that a person which
> is confronted with the key only cannot have.  Your signature should
> add some information.  Merely saying I'm convinced that the user is
> the owner/originator of the key because someone else already signed
> this key, does not make much sense to me.  I think you should have
> added a notation explaining your reasoning.

  Well, if Trent signs Alice's key, Bob, who trusts Trent, might sign
her key too. Charly doesn't know Trent, but he trusts Bob's judgement,
so he might accept Alice's key as valid, not because of Trent's
signature, but because of Bob's signature. Also, maybe Trent only
signs keys if 2 persons have checked it, but he just signs it once,
that signature doesn't reflect the amount of people having checked it.

  Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-


Re: Using root CAs as a trusted 3rd party

2012-01-24 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 24-01-2012 16:26, brian m. carlson wrote:
> On Tue, Jan 24, 2012 at 03:13:46PM -0300, Faramir wrote:
>> Well, if Trent signs Alice's key, Bob, who trusts Trent, might sign
>> her key too. Charly doesn't know Trent, but he trusts Bob's
>> judgement, so he might accept Alice's key as valid, not because
>> of Trent's
...

> This is why OpenPGP implementations have trust settings.  If Bob
> trusts Trent's assertions, then he can give Trent full trust and
> Bob's implementation will believe that Alice's key belongs to
> Alice.  There's no need to sign the key.

  But Charly doesn't have Trent's key in his keyring, he doesn't even
know about Trent. So if Bob doesn't sign Alice's key, Charly won't
consider it valid. He will see the signature issued by an unknown key
(Trent's), and that is all.

  Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-
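The Trent/Alice/Bob/Charly scenario from the two messages above, as an added example that is not part of the original thread. It is a simplified model of the classic web-of-trust validity calculation, not GnuPG's code; the function and variable names are hypothetical, and the thresholds (1 fully trusted or 3 marginally trusted signers, depth 5) follow GnuPG's documented defaults for `--completes-needed`, `--marginals-needed` and `--max-cert-depth`.

```python
# Added illustration: simplified classic web-of-trust validity calculation.
ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"


def valid_keys(me, keyring, certs, ownertrust,
               completes_needed=1, marginals_needed=3, max_depth=5):
    """Return {key: depth} for every key that `me` would treat as valid.

    keyring    -- set of keys present in the local keyring
    certs      -- {key: set of keys that certified (signed) it}
    ownertrust -- {key: FULL or MARGINAL}, assigned locally by `me`
    """
    valid = {me: 0}  # your own key is ultimately trusted
    for depth in range(1, max_depth + 1):
        newly_valid = {}
        for key in keyring - set(valid):
            full = marginal = 0
            for signer in certs.get(key, ()):
                # A certification counts only if the signer's key is in the
                # keyring (otherwise it cannot be checked) and already valid.
                if signer not in keyring or signer not in valid:
                    continue
                trust = ULTIMATE if signer == me else ownertrust.get(signer, UNKNOWN)
                if trust in (ULTIMATE, FULL):
                    full += 1
                elif trust == MARGINAL:
                    marginal += 1
            if full >= completes_needed or marginal >= marginals_needed:
                newly_valid[key] = depth
        if not newly_valid:
            break
        valid.update(newly_valid)
    return valid


# Constructed data. Charly's keyring has no copy of Trent's key.
CHARLY_RING = {"Charly", "Bob", "Alice"}
CHARLY_TRUST = {"Bob": FULL}
CERTS_TRENT_ONLY = {"Bob": {"Charly"}, "Alice": {"Trent"}}
CERTS_TRENT_AND_BOB = {"Bob": {"Charly"}, "Alice": {"Trent", "Bob"}}

# Bob holds Trent's key, has signed it, and gives Trent full ownertrust.
BOB_RING = {"Bob", "Trent", "Alice"}
BOB_TRUST = {"Trent": FULL}
BOB_CERTS = {"Trent": {"Bob"}, "Alice": {"Trent"}}

if __name__ == "__main__":
    # Bob needs no signature of his own: Trent's certification is enough.
    print("Bob:", valid_keys("Bob", BOB_RING, BOB_CERTS, BOB_TRUST))
    # Charly sees only a signature from an unknown key, so Alice stays invalid.
    print("Charly, Trent only:",
          valid_keys("Charly", CHARLY_RING, CERTS_TRENT_ONLY, CHARLY_TRUST))
    # Once Bob certifies Alice's key, it becomes valid for Charly as well.
    print("Charly, Trent + Bob:",
          valid_keys("Charly", CHARLY_RING, CERTS_TRENT_AND_BOB, CHARLY_TRUST))
```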


Re: private key protection

2011-10-19 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 18-10-2011 10:07, Peter Lebbing wrote:
...
> A capable enough hacker might infect the USB pendrive while it is
> in your internet-connected PC and that way still gain access to the
> non-connected system.

  Ok, but if the online computer uses Windows, and the offline one
uses Linux, then it would be a multiplatform trojan horse... that is
not likely to be a common case.

  Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-


Re: private key protection

2011-10-19 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 19-10-2011 17:54, Peter Lebbing wrote:
> On 19/10/11 22:43, Faramir wrote:
>> Ok, but if the online computer uses Windows, and the offline one
>> uses Linux, then it would be a multiplatform trojan horse...
>> that is not likely to be a common case.
>
> Define your threat model... are we talking random trojan infection
> or a focused attacker trying to gain your key? Because in the
> latter case, I hardly think commonality matters.

  You are right, I was thinking about random trojan infection (maybe
not 100% random, since a private key stealing trojan would be focused
on OpenPGP users, rather than on average users). But if somebody wants
MY private key, then probably there would be an attack involving
picking my lock, infecting my BIOS, or some other 007-like activity.
But in that case, the victim might be involved in some organization
that should develop policies to deal with that risk.

  Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-


Re: restoring SmartCard key with off-card copy

2011-10-06 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 05-10-2011 6:21, Peter Lebbing wrote:
> On 05/10/11 08:15, Faramir wrote:
>> Would Paperkey be useful to do that? I guess no, since it
>> encodes the private key somehow... but maybe tweaking it?
>
> IMHO, if you want to have a backup that also allows you to use the
> key without the card, the following procedure is by far the
> easiest:
>
> - Create a normal RSA key (gpg --gen-key)
> - Back it up in a safe place, run it through paperkey, all the
>   usual steps
> - From gpg --edit-key, use the keytocard command.

   Ok, but I was thinking that the already existing card backup is
the secret key without the information already available from the
public key. And Paperkey removes that redundant information when it
creates the backup, and restores it when using the backup. So maybe it
could be adapted to combine the card backup too. Just a thought.

   Best Regards

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-


Re: restoring SmartCard key with off-card copy

2011-10-05 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

> On 28/09/11 15:50, Werner Koch wrote:
>> There is no feature for it.  You may use gpgsplit to manually
>> construct a key from such a backup.  You need to take the
>> keybinding signature etc from the matching public key.  I have
>> not tried it, though.

   Would Paperkey be useful to do that? I guess no, since it encodes
the private key somehow... but maybe tweaking it?

   Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-


Easiest way to migrate from GPG 1.4.11 to 2.x?

2011-09-18 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hello,
  I've been a very happy user of 1.4.x branch for some years. Now
I'm thinking about moving to 2.x, which would mean GPG4Win. How do I
migrate my keyrings to 2.x? Simple copy/paste?

  Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-


Re: Which release should we be using?

2011-08-26 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 26-08-2011 12:35, Aaron Toponce wrote:
...
> Also, 62-character passphrase might be a bit extreme, giving you a
> false-sense of security. Using a truly random sequence of characters
> from the 94-printable ASCII pool of characters, a 12-character
> passphrase provides you with about 78-bits of entropy. If you think

  According to the KeePass strength measurer, you can get more than 128
bits with just 30 characters (including some symbols of course).

  Usually we want strong passphrases to keep things safe while stored on
not-so-safe places, like attached to an email message on a mail server.

  Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-


Re: Which release should we be using?

2011-08-26 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 26-08-2011 15:08, David Tomaschik wrote:
> On Fri, Aug 26, 2011 at 12:31 PM, Faramir faramir...@gmail.com
> wrote:
>
>> According to the KeePass strength measurer, you can get more than 128
>> bits with just 30 characters (including some symbols of course).
...
> I really like KeePass, but the strength measure it provides is
> nearly meaningless.  It assumes 8 bits of entropy per symbol, which
> is, as Aaron pointed out, wrong.  Suggested readings:

  Maybe in the past it did that, but version  it assigns different
values to different symbols. I just tried it, and from "a" to "z", it
gives 5 bits each symbol, but "ñ" gives 7 bits. "/" gives 4, "=" gives
5, "!" gives 4 bits.

  But, while "a" = 5 bits, and "!" = 4 bits, "a!" = 11 bits. I don't
know how it does the calculations, but clearly it has become a lot more
complex (which doesn't mean it has become more accurate). Another
check: "qwerty" = 4 bits, but "qytrwe" = 29 bits. Unfortunately, I
couldn't find any detail about the algorithm used to measure the
password quality. Anyway, probably some quality checking is better than
not checking at all, even if the calculated bits are wrong.

  Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-


Re: Extract numbers from a key // wrong pgpdump link :-(

2011-08-23 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 03-08-2011 9:40, ved...@nym.hush.com wrote:
> Sorry, wrong link extension,
>
> here is the correct one: http://www.pgpdump.net/

  By the way, what would be required to run pgpdump locally? I guess
there is no compiled version for Windows...

  Best Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-END PGP SIGNATURE-


Re: Why sign as well as encrypt files stored on untrusted drives?

2011-07-15 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 13-07-2011 7:28, Chris Poole wrote:
...
> Is there some feasible attack that could change the encrypted data
> in such a way that I won't notice it when I decrypt the file, but
> somehow the file will still decrypt?

  Anyone that has a copy of your public key -and by definition, it is
public, and you included the KeyID on your message- can encrypt a file
to you. So, somebody could encrypt a different file to your public key,
and replace the encrypted file in the untrusted drive. You would be able
to decrypt it, and depending on the content of the file, maybe you would
not notice it is not the original file (imagine it is a list of email
addresses, with dozens of addresses, you would not notice if one is
missing, or if there is one extra address).

   A signature would let you know easily if the file has changed.

   But I'm not saying you should sign it, it is up to you. Princess Leia
would sign the message she loaded into R2D2, to prevent things like
"This is Red 5, I'm ready to fire my torpedoes, but... I don't see the
target, are you sure you have the right blueprints of Death Star?".

  Best Regards
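The point made in this message, that a file which decrypts correctly is not necessarily the file that was stored, can be enforced by a check on the machine-readable status lines that `gpg --status-fd` emits. The following is an added Python example, not code from the thread; the fingerprints and status lines are constructed samples, and the function names are hypothetical.

```python
# Constructed fingerprints, for illustration only.
OWNER_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"

# Status keywords that mean a signature is present but must not be trusted.
BAD_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def sample_status(signer_fpr=None):
    """Build constructed `gpg --status-fd` output for a decryption run.

    signer_fpr=None models a file that was only encrypted to the owner's
    public key, which is what a replaced file would look like.
    """
    lines = [
        f"[GNUPG:] ENC_TO {OWNER_FPR[-16:]} 1 0",
        "[GNUPG:] BEGIN_DECRYPTION",
        "[GNUPG:] DECRYPTION_OKAY",
    ]
    if signer_fpr:
        lines.append(f"[GNUPG:] GOODSIG {signer_fpr[-16:]} Constructed User <user@example.org>")
        # VALIDSIG fields: fingerprint, date, timestamp, expiry, version,
        # reserved, pubkey algo, hash algo, sig class, primary key fingerprint.
        lines.append(f"[GNUPG:] VALIDSIG {signer_fpr} 2011-07-13 1310544000 "
                     f"0 4 0 1 8 00 {signer_fpr}")
    lines.append("[GNUPG:] END_DECRYPTION")
    return "\n".join(lines)


def check_decryption(status_text, trusted_fpr):
    """Accept the plaintext only if it decrypted AND was signed by trusted_fpr.

    Returns (accepted, reason).
    """
    decrypted = False
    signers = set()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]          # drop the "[GNUPG:]" prefix
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "DECRYPTION_OKAY":
            decrypted = True
        elif keyword in BAD_KEYWORDS:
            return False, f"signature problem: {keyword}"
        elif keyword == "VALIDSIG" and args:
            # Prefer the primary key fingerprint (10th field) when present.
            fpr = args[9] if len(args) >= 10 else args[0]
            signers.add(fpr.upper())
    if not decrypted:
        return False, "not decrypted"
    if not signers:
        return False, "no valid signature"
    if trusted_fpr.upper() not in signers:
        return False, "signed by unexpected key"
    return True, "ok"


if __name__ == "__main__":
    for label, signer in [("signed by owner", OWNER_FPR),
                          ("encrypted only", None),
                          ("signed by someone else", OTHER_FPR)]:
        print(label, "->", check_decryption(sample_status(signer), OWNER_FPR))
```

All three sample runs report `DECRYPTION_OKAY`; only the one carrying a valid signature from the expected key is accepted.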


Re: formatting of gpg blocks

2011-06-19 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 19-06-2011 4:20, 0 wrote:

> I see. I read that it is a good practice to sign one's public key before
> giving it to other people. I thought they meant signing the key as a
> message. Now that you clarified this, I went to seahorse, Names and
> Signatures, sign key. It gives me a choice to let others see this
> signature. Should I allow that? I would also appreciate it, if you could
> explain how key certification is useful.

  AFAIK, but I might be wrong, public keys are self-signed by default.
Maybe there was a time when that was not the rule, but now it is.

  Best Regards


Re: Problem with faked-system-time option

2011-06-13 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 07-06-2011 4:18, Werner Koch wrote:
...
>> Those are a lot of questions, but I'm still highly sceptical towards
>> that GPG2 monster and would prefer to stay with my more manageable
>
> It is not a monster; the installer is only that larger because it
> includes the GTK+ libraries a full mail client and GPA.

  After reading lots of messages with things like agent, I'm a bit
sceptical toward GPG2 too, and since I don't use outlook, I'm very happy
with GPG1. But if the installer allows me to choose what to install (as I
think it does), it is not a problem to me to download 25 or 50 Mb.

  Best Regards


Re: Generate digest and signature seperately

2011-06-13 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 13-06-2011 11:39, Hauke Laging wrote:
...
> I would like to have the possibility to pass the hash to be signed.

  I suppose if the hash is sent using a secure connection, it should
be safe enough. But that option, no doubt, would be an expert option.
It sounds interesting to me, but of course, I'm not the one writing the
patch.

  Best Regards


Re: GPG Problem - invalid radix64 character

2011-05-16 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 16-05-2011 12:35, Jerome Baum wrote:
...
> In the worst case, you may be looking at losing everything from the
> corruption point onwards, assuming some kind of stream compression. This
> is IIRC the default for GnuPG when it encrypts. Otherwise you may be
...

> For the future, look at alternative ways to run this backup. Why
> ascii-armor? Why gpg? Encrypting w/ gpg has a huge potential for data
> loss in case of corruption -- of even a single bit. This isn't really an
> issue with gpg, it simply doesn't _by default_ operate in a manner
> designed for this. You may be able to tweak it, but how about this instead:

  I don't have any knowledge about compression algos, so I assume you are
right. However, we can disable GPG's compression to avoid that problem.
What is the advantage of encrypting data with OpenSSL over GPG?

  Best Regards


Re: A better way to think about passwords

2011-04-26 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 24-04-2011 13:47, Ingo Klöcker wrote:
> On Sunday 24 April 2011, Faramir wrote:
...
>>   You can store them in a password manager, it's more secure than a
>> txt file or a post-it on the screen.
>
> That's not true. A Post-It is much more secure if you do not have to
> keep the password secret from people who have physical access to your
> computer. For most home users this should be the case.

  Indeed. In fact, I keep some passwords on paper, just in case I can't
use my password manager (like the password to access the site where I
stored the password manager database backup. It doesn't include the
passphrase to open the backup, just in case).

   By the way, I just found something interesting: an extension for
Firefox, to make different passwords for each site, but all of them
based on a single master password, so people just need to remember 1
password, and yet knowing the password for 1 site won't grant the
attacker access to the other sites.

  Here is the link:
http://trac.arantius.com/wiki/Extensions/MagicPasswordGenerator

  I'm not saying that addon or that practice is safe, I'm just saying
the concept is interesting. I'm not saying it is unsafe, either.

  Best Regards


Re: A better way to think about passwords

2011-04-26 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 24-04-2011 6:49, Mike Acker wrote:
> On 14:59, Faramir wrote:
>> You can store them in a password manager, it's more secure than a txt
...

> how long have we been asking the industry  for Single Logon?  a password
> manager could help to finally get that...
>
> and at least now we have a valid purpose for a web cam: when you move
> away from your workstation that is when it locks none of this half hour
> time out stuff

  That would be interesting... but also annoying, if you are working at
your home, alone.

> your password manager should of course execute before your keyboard
> logger starts and take care to remove its tracks

  If there are key loggers involved, then you are toasted, even if the
passwords are kept inside your mind instead of a password database. At
the moment you type them, they would be captured. Of course, we might
say it is better to lose one password at a time, and not the whole
database, but... well, I guess it's a personal decision (unless you have
to follow some policy).

  Best Regards


Re: A better way to think about passwords

2011-04-23 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 21-04-2011 10:20, Jean-David Beyer wrote:
...
> to remember them all in any case. Even if I could remember them, I could
> not even remember what login to use on each machine, and which password
> went with which login so I did write them down and to hell with the
> management rules.

  You can store them in a password manager, it's more secure than a txt
file or a post-it on the screen. The only problem is you need a working
computer in order to be able to open the passwords database, so you still
need to remember your login for the computer...

  Best Regards


Re: A better way to think about passwords

2011-04-19 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 18-04-2011 8:21, Hauke Laging wrote:
> On Monday 18 April 2011 12:53:12, Faramir wrote:
>
>>   Maybe we should just pick a good password, hash it a couple of
>> times, and use that hash as the real password... we could carry the
>> hashing tool in a flash drive.
>
> That does not make sense to me because you do not increase the key space by
> that. If you try to defend against somebody who knows what you do then it is
> no protection.

  Well, true, if the attacker knows I do that. But as the password is
supposed to be secret, the password generation procedure could be
considered secret too. So, let's say, I think about a password easy to
remember to me, then I apply SHA-256 to it a secret amount of times
(let's say, I hash the hash 5 times). And I would use that final hash as
a password. It would defeat any dictionary attack, since the 4th hash
wouldn't be in any common words dictionary. It would still be
vulnerable to a complete rainbow table for SHA-256, but if such rainbow
table exists at all, then we are all toasted, no matter what password we
use, it would still be found.

  I don't know the storage space needed for the whole key space of
SHA-256, but I guess it would be huge (maybe not feasible).

  Best Regards
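The disagreement in this exchange, whether a secret number of SHA-256 rounds adds strength once the method is known, can be measured. The following is an added Python example, not code from any list participant; re-hashing the hex digest, the 8-word list and the cap of 20 rounds are assumptions made for the illustration.

```python
import hashlib
import math

# Constructed sample data: a tiny stand-in for a common-words dictionary.
WORDLIST = ["password", "letmein", "qwerty", "dragon",
            "sunshine", "monkey", "trustno1", "iloveyou"]
MAX_ROUNDS = 20  # assumed upper bound on a plausible "secret" round count


def iterated_sha256(password, rounds):
    """Hash the password, then re-hash the hex digest, `rounds` times in total."""
    value = password.encode("utf-8")
    for _ in range(rounds):
        value = hashlib.sha256(value).hexdigest().encode("ascii")
    return value.decode("ascii")


def audit_scheme(derived, wordlist, max_rounds):
    """Model a guesser who knows the method but not the word or round count.

    Returns (word, rounds, hashes_computed); word is None if nothing matched.
    """
    computed = 0
    for word in wordlist:
        value = word.encode("utf-8")
        for rounds in range(1, max_rounds + 1):
            # Each extra round reuses the previous digest, so covering every
            # round count up to max_rounds costs max_rounds hashes per word.
            value = hashlib.sha256(value).hexdigest().encode("ascii")
            computed += 1
            if value.decode("ascii") == derived:
                return word, rounds, computed
    return None, None, computed


def effective_bits(wordlist_size, max_rounds):
    """Search space in bits: log2(words) + log2(possible round counts)."""
    return math.log2(wordlist_size * max_rounds)


# The password as it would actually be typed: 64 hex characters.
DERIVED = iterated_sha256("dragon", 5)

if __name__ == "__main__":
    word, rounds, cost = audit_scheme(DERIVED, WORDLIST, MAX_ROUNDS)
    print(f"derived password: {DERIVED}")
    print(f"recovered base word {word!r} at round {rounds} after {cost} hashes")
    print(f"bits from the word list alone: {math.log2(len(WORDLIST)):.2f}")
    print(f"bits with the secret round count: "
          f"{effective_bits(len(WORDLIST), MAX_ROUNDS):.2f}")
```

The derived string has the length of a 256-bit value, but the space to search is the word list multiplied by the number of plausible round counts, so the secret round count contributes only log2(20), about 4.3 bits, here.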


Re: Preventing Brute Force Attacks

2011-04-19 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 19-04-2011 6:35, Mike Acker wrote:
> On 04/19/2011 04:13, gnupg-users-requ...@gnupg.org wrote:
>> GnuPG Users gnupg-users@gnupg.org
>
> (1) apply the Strike 3, you're out rule.  any password gate should apply
> this rule: if the requester does not know the password and submits
> repeated bad answers DISABLE ACCESS. Game over.
...
> why is it we are always fussing over theoretical stuff instead of doing
> basic stuff that would help us?

  Maybe because, since this is the support list for GnuPG, we are all
thinking more about how to protect an encrypted file than about how to
protect a server account.

  Best Regards


Re: A better way to think about passwords

2011-04-18 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 17-04-2011 20:39, Grant Olson wrote:
...
> I think it's worth noting that the low entropy of English (you quoted
> 2.5 bits per char in another thread) isn't just an academic issue.  Real
> password crackers actually do employ multiple strategies and passes in
> order of complexity.  For example, starting with dictionary, then
> dictionary w/leetspeak, eventually brute force, etc.

  Probably the idea is to avoid bruteforce at all costs, because if you
have to do that, you might be bruteforcing an 8-character password for
more than 50 years (if mixed lowercase, uppercase, numbers and symbols,
and you just have 1 home computer dedicated to the task).

  Maybe we should just pick a good password, hash it a couple of
times, and use that hash as the real password... we could carry the
hashing tool in a flash drive.

> My other big gripe with this article is that it completely ignores the
> possibility of an offline attack against the hashes.  It's assuming that
> the limiting factor is the number of times you can access a webpage.

  Right, limiting the attacks make even 4 pins codes secure, if the
account becomes blocked after 3 wrong attempts. But that won't protect
your password database if it falls in the wrong hands, or your GPG
private keys. And to say "that's a server problem, fix the server" is
wrong, because it will quickly become a user's problem if the password
is cracked, and the user uses the same password for different things (as
a lot of people do).

> I've been goofing around with BitCoin this weekend, and my MacBook Pro
> is generating about 2 Million SHA256 hashes a second.

  I was checking how much time would it take to bruteforce a SHA-1
8-character password (upper/lowercase characters, plus numbers, plus
symbols), and my machine did 2,5 millions of tries a second.

  Best Regards


Re: A better way to think about passwords

2011-04-18 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 17-04-2011 20:27, Andre Amorim wrote:
> On 17 April 2011 23:58, Robert J. Hansen r...@sixdemonbag.org wrote:
>>> Summary: A 3-word password (e.g., quick brown fox) is secure against
>>> cracking attempts for 2,537 years.
>>
>> I am giving a great big yuk to his methodology.  There's no reference to the
>> entropy of text, for instance.  His example of a three common word password,
>> this is fun, amounts to a total of 11 letters
>
> I was thinking about that, between words, there is only a BLANK
> SYMBOL, same value of any other given symbol. Well, from point of view
> of math, nothing changes, all data, but from knowledge point of
> view about human behaviour it is possible that it has some kind of
> relevance.

  And I was thinking that before attempting to bruteforce something, we
should try using symbols as separators between words, it is easier to
type wordnumbersymbolword than to put numbers and symbols between words...

  Fortunately, I have not found a password cracking tool, for free,
capable of doing that.

  Best Regards


Re: windows front end to GnuPG

2011-04-17 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 17-04-2011 21:45, Felipe Alvarez wrote:
> I've currently begun getting everyone in the office using GnuPG on
> windows. We're using WinPT as the front end. However there are several
> deficiencies with this program that we have encountered. Further, it
> is no longer being developed (last version 1.4.3 release sept 2009).
> Are there any other windows front ends that are easy to use, WRT
> single file en/de/cryption? The main requirements would possibly
> include:
> - sits on the task tray
> - low mem footprint
> - still in development

  My favorite is GPGShell, but it is not open source, and it has some
problems with Windows 7 (tools for the context menu are not shown). I
wish there was something with the same capabilities and multiplatform.

  GPGShell includes several tools, GPGTray, which sits in the systray,
and can perform several tasks with things you have in the clipboard, or
with right-click allows you to launch other tools from GPGShell, or to
choose between pre-stored configurations for GPG (you can save several
versions of gpg.conf, and you can choose which one to use). GPGKeys is
the key management interface, very good (but for some things you need to
know a few command line commands). GPGTools is the tool to work with
files, I never use it because of contextual menu (which works fine for
me, since I'm still using XP).

  Best Regards


Re: windows front end to GnuPG

2011-04-17 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 17-04-2011 22:18, Jonathan Ely wrote:
> So there is an installer for Windows for version 2.x? I never found one
> except for that of GPG4WIN.

  AFAIK, GPG4win is the only package for GPG 2.x for windows. But you
can choose which apps to install. However, there are a few that are
required to run GPG 2.x. I don't remember which ones, since I'm still a
happy user of GPG 1.x

  Best Regards


Re: Creating signatures with expiration time

2011-04-14 Thread Faramir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 14-04-2011 10:24, David Shaw wrote:
> On Apr 14, 2011, at 5:45 AM, Jesus Cea wrote:
...
>> Thanks, Daniel. Looking at the manual, I see --default-sig-expire and
>> --ask-sig-expire too. What is the difference with cert?.
>
> cert is short for certification.  sig is short for signature.  Basically,
> cert applies when signing keys, and sig applies when signing data (i.e.
> anything that isn't a key).

  So, it is possible to set expiration for signatures on documents?
Interesting...