Re: Keyserver access changes in GnuPG

2018-12-12 Thread Werner Koch
On Thu, 13 Dec 2018 00:00, t...@pobox.com said:

> /usr/bin/gpg1 for users who want to keep using it.  Dropping
> the keyserver and photoviewer helpers is part of the next
> planned release from the 1.4.x branch, which is being
> tracked in https://dev.gnupg.org/T3443.

Right.  Given that gpg1 is a fallback solution to work with archived
encrypted mails, it does not make much sense to keep on maintaining the
keyserver helpers and extras like photo ID viewers.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Keyserver access changes in GnuPG

2018-12-12 Thread justina colmena via Gnupg-users
On December 12, 2018 2:00:18 PM AKST, Todd Zullinger  wrote:
>
> the keyserver and photoviewer helpers
>

A permanent record and a mug shot for the cops and every thief, hooker, and 
pickpocket on the block, respectively. And they all just help themselves to the 
secret key.

Someone puts out a little bit of money for secret keys and passphrases, they 
know your real name and where you live, and it just all goes to hell in a 
handbasket.


-- 
A well regulated Militia, being necessary to the security of a free State, the 
right of the people to keep and bear Arms, shall not be infringed.

https://www.colmena.biz/~justina/justina.colmena.asc



Re: Keyserver access changes in GnuPG

2018-12-12 Thread Todd Zullinger
Wiktor Kwapisiewicz via Gnupg-users wrote:
> Hello all,
> 
> I recently saw a message from one of Fedora's maintainers:
> 
>> Coming soon to Fedora30 (rawhide), gnupg v1.4.x renamed to gnupg1. Also 
>> dropping keyserver support at Werner's suggestion since upstream plans to 
>> disable that soon.
> 
> Source: https://infosec.exchange/@bcl/101195051788828345
> 
> Does anyone know anything about dropping keyserver support in GnuPG? That
> seems a little bit radical but maybe I've missed something...

This only applies to the gnupg-1.4.x packages in Fedora.

Fedora 30 will ship with gnupg-2.x as /usr/bin/gpg (with
keyserver support intact).

The packages from the 1.4.x branch will be installed as
/usr/bin/gpg1 for users who want to keep using it.  Dropping
the keyserver and photoviewer helpers is part of the next
planned release from the 1.4.x branch, which is being
tracked in https://dev.gnupg.org/T3443.

Hopefully that helps clarify things a bit and removes any
worries that Fedora is stripping keyserver support from the
default /usr/bin/gpg.

-- 
Todd
~~
You know an odd feeling?  Sitting on the toilet eating a chocolate
candy bar.
-- George Carlin, Napalm & Silly Putty





Re: Keyserver access changes in GnuPG

2018-12-12 Thread Andrew Luke Nesbit
On 12/12/2018 21:43, Wiktor Kwapisiewicz wrote:
>> Should I issue and publish a revocation certificate?  Will this cause
>> problems considering that I'm still using the same master key?
> 
> I don't think revocation is necessary if the private subkeys are still safe.

Yes, they are still safe.  On thinking about it, issuing a revocation
certificate could be overkill.  It might even cause more confusion than
it is meant to solve.

> It may be just inconvenient for people that want to contact you / verify your
> signatures to see your subkeys expired and when they "gpg --refresh-keys" (as
> they always do) your key would still be expired with no apparent way of
> proceeding. If I saw something like that I'd think the key is abandoned.

Indeed, so would I.  But then there's also a pretty good chance that the
same person might write to me and ask, "Hey, what's up with your OpenPGP
keys?"  Then I could explain and point them to the right place.  Or, by
then, my website or my email signature might have enough information to
point them in the right direction before it even becomes an issue.

> If you had HTTPS on your site I'd recommend Web Key Directory as this
> downloads keys from your site *and* refreshes expired keys from your site
> too automatically.

I am coincidentally currently in the process of provisioning an Apache
server with HTTPS/443 enabled.  Not even HTTP/80 will be open, so HTTP
to HTTPS redirection won't be implemented either.

I've looked up Web Key Directory and had a quick browse, and this is
exactly the kind of thing I need.  Thank you!!

Kind regards,

Andrew
-- 
EB28 0338 28B7 19DA DAB0  B193 D21D 996E 883B E5B9



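For anyone setting up the Web Key Directory Andrew mentions, the following is an added worked example (not code from this thread, nor GnuPG's own implementation) of the discovery rule in the WKD draft (draft-koch-openpgp-webkey-service): the local part of the address is lowercased, hashed with SHA-1, z-base-32 encoded, and looked up under `/.well-known/openpgpkey/`. It derives both lookup URLs (advanced and direct method) and the path under a web root where the key file has to be placed for the direct method. The address `Joe.Doe@Example.ORG` and the web root `/srv/www` are constructed placeholders.

```python
"""Web Key Directory (WKD) lookup URLs and publishing path for a mail address.

Added example for this thread; it is not code from the list or from GnuPG.
It implements the discovery rule of the WKD draft
(draft-koch-openpgp-webkey-service): the local part is lowercased, hashed
with SHA-1 and z-base-32 encoded, then looked up under /.well-known/openpgpkey/.
The web root and address used at the bottom are constructed placeholders.
"""
import hashlib
import posixpath
from urllib.parse import quote

# z-base-32 alphabet, the encoding the WKD draft mandates for the hashed local part
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 (5 bits per character, most significant bits first).

    A 20-byte SHA-1 digest is 160 bits, i.e. exactly 32 characters, so the WKD
    case never needs padding; shorter inputs are zero-padded on the right.
    """
    value = int.from_bytes(data, "big")
    nbits = len(data) * 8
    pad = (-nbits) % 5
    value <<= pad
    nbits += pad
    return "".join(ZBASE32_ALPHABET[(value >> shift) & 0x1F]
                   for shift in range(nbits - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """Hashed local part: z-base-32(SHA-1(lowercase(local_part)))."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def split_address(address: str):
    """Split user@domain; the domain is lowercased, the local part kept as written."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a user@domain address: {address!r}")
    return local, domain.lower()


def wkd_urls(address: str) -> dict:
    """The two lookup methods a WKD client tries: advanced (openpgpkey subdomain)
    first, then direct; plus the policy file location for each.

    The hash is computed from the lowercased local part, but the l= query
    parameter carries the local part as written, so a server can still serve
    case-sensitive mailboxes.
    """
    local, domain = split_address(address)
    h = wkd_hash(local)
    l = quote(local, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={l}",
        "advanced_policy": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/policy",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l}",
        "direct_policy": f"https://{domain}/.well-known/openpgpkey/policy",
    }


def publish_path(address: str, webroot: str, method: str = "direct") -> str:
    """Filesystem path where the *binary* public key (gpg --export without
    --armor) must be placed so that the matching lookup URL resolves to it."""
    local, domain = split_address(address)
    if method == "direct":
        return posixpath.join(webroot, ".well-known", "openpgpkey", "hu", wkd_hash(local))
    if method == "advanced":
        return posixpath.join(webroot, ".well-known", "openpgpkey", domain, "hu", wkd_hash(local))
    raise ValueError("method must be 'direct' or 'advanced'")


if __name__ == "__main__":
    # Constructed address; nothing is fetched, the URLs are only printed.
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name:16} {url}")
    print("publish at:", publish_path("Joe.Doe@Example.ORG", "/srv/www"))
```

Two things the path alone does not tell you: the file must be the binary key, not an ASCII-armored one, and the draft also defines a `policy` file next to `hu/` (the `gpg-wks-client --install-key` tool creates an empty one, which is enough for discovery). With `auto-key-locate` including `wkd`, `gpg --locate-keys user@domain` performs exactly this lookup, which is why a refreshed key on your own HTTPS host reaches correspondents without any keyserver upload.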


Re: Keyserver access changes in GnuPG

2018-12-12 Thread Wiktor Kwapisiewicz via Gnupg-users
On 12.12.2018 22:35, Andrew Luke Nesbit wrote:
> My subkeys expired on Monday, 10/12/2018.  I've updated my subkeys with
> a new expiration date (in one year).  I'm considering NOT uploading the
> new public keys to the keyservers.  Rather, I will distribute them using
> other channels, such as downloading from my personal website or sneakernet.
> 
> Should I issue and publish a revocation certificate?  Will this cause
> problems considering that I'm still using the same master key?

I don't think revocation is necessary if the private subkeys are still safe.

It may be just inconvenient for people that want to contact you / verify your
signatures to see your subkeys expired and when they "gpg --refresh-keys" (as
they always do) your key would still be expired with no apparent way of
proceeding. If I saw something like that I'd think the key is abandoned.

If you had HTTPS on your site I'd recommend Web Key Directory as this downloads
keys from your site *and* refreshes expired keys from your site too
automatically.

Kind regards,
Wiktor

-- 
https://metacode.biz/@wiktor

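The situation Wiktor describes (subkeys extended locally, nothing republished, correspondents running `gpg --refresh-keys` still see an expired key) can be made concrete by reading the colon-separated listing format of `gpg --with-colons --list-keys`, documented in GnuPG's doc/DETAILS. The block below is an added example, not code from this thread or from GnuPG; it parses such a listing, reports expired and soon-to-expire keys, and checks which capability (sign, encrypt, auth, certify) still has an unexpired key, which is effectively what a sender's client decides on. The listing, key IDs, fingerprints and the reference time are constructed placeholders (the expiry date matches the 10 December 2018 mentioned in the thread).

```python
"""Report expired and soon-to-expire OpenPGP (sub)keys from
`gpg --with-colons --list-keys` output.

Added example for this thread, not code from the list or from GnuPG. It reads
the colon-separated listing format documented in GnuPG's doc/DETAILS and shows
what a correspondent's client sees after `gpg --refresh-keys` when the owner
extended the subkeys' expiry but never republished the key: the subkeys are
still expired and there is no usable encryption subkey. All key IDs,
fingerprints and timestamps in SAMPLE_LISTING are constructed placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed listing. Fields used: 1 record type, 5 key ID, 6 creation time,
# 7 expiry (seconds since epoch, empty = never), 12 capabilities; an fpr record
# directly follows each pub/sub record and carries its fingerprint in field 10.
# The primary key is certify-only (lowercase c); the subkeys carry s, e and a.
SAMPLE_LISTING = """\
tru::1:1544572800:0:3:1:5
pub:u:4096:1:0000000000000001:1489000000:::u:::cESCA::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:u::::1489000000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:
sub:e:4096:1:0000000000000002:1489000000:1544400000:::::s::::::23:
fpr:::::::::0000000000000000000000000000000000000002:
sub:e:4096:1:0000000000000003:1489000000:1544400000:::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000003:
sub:u:4096:1:0000000000000004:1489000000:1545436800:::::a::::::23:
fpr:::::::::0000000000000000000000000000000000000004:
"""

# Constructed reference time: 2018-12-12 00:00 UTC, the day of the thread.
# 1544400000 above is 2018-12-10, 1545436800 is ten days after NOW.
NOW = 1544572800


@dataclass
class KeyRecord:
    kind: str               # "pub" (primary key) or "sub" (subkey)
    keyid: str
    created: int
    expires: Optional[int]  # seconds since epoch; None means never
    caps: str               # own capabilities: e=encrypt s=sign c=certify a=auth
    fingerprint: str = ""


def parse_colon_listing(text: str) -> List[KeyRecord]:
    records: List[KeyRecord] = []
    current: Optional[KeyRecord] = None
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            current = KeyRecord(
                kind=fields[0],
                keyid=fields[4],
                created=int(fields[5]),
                expires=int(fields[6]) if fields[6] else None,
                # uppercase letters on a pub record summarise the whole key;
                # keep only the lowercase ones, this key's own capabilities
                caps="".join(c for c in fields[11] if c.islower()),
            )
            records.append(current)
        elif fields[0] == "fpr" and current is not None:
            current.fingerprint = fields[9]
    return records


def expiry_report(records: List[KeyRecord], now: int,
                  warn_days: int = 30) -> Tuple[List[str], List[str]]:
    """Fingerprints already expired at `now`, and fingerprints expiring within warn_days."""
    expired, expiring = [], []
    for rec in records:
        if rec.expires is None:
            continue
        if rec.expires <= now:
            expired.append(rec.fingerprint)
        elif rec.expires - now <= warn_days * 86400:
            expiring.append(rec.fingerprint)
    return expired, expiring


def usable_for(records: List[KeyRecord], cap: str, now: int) -> List[str]:
    """Fingerprints of unexpired keys carrying capability `cap`.

    With no unexpired 'e' subkey a sender cannot encrypt to the key, whatever
    the owner changed locally, until the updated key reaches the sender.
    """
    return [rec.fingerprint for rec in records
            if cap in rec.caps and (rec.expires is None or rec.expires > now)]


if __name__ == "__main__":
    recs = parse_colon_listing(SAMPLE_LISTING)
    expired, expiring = expiry_report(recs, NOW)
    print("expired:       ", expired)
    print("expiring soon: ", expiring)
    print("can encrypt to:", usable_for(recs, "e", NOW) or "nothing: owner must republish")
```

Run against the real output of `gpg --with-colons --list-keys <fingerprint>` on the sender's side, the same report tells you whether the copy the world holds is still usable; if the owner only fixed the expiry locally and distributes through a keyserver nobody uploaded to, the "expired" list does not change no matter how often `--refresh-keys` runs.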


Re: Keyserver access changes in GnuPG

2018-12-12 Thread Andrew Luke Nesbit
On 12/12/2018 09:15, Wiktor Kwapisiewicz via Gnupg-users wrote:

>> Coming soon to Fedora30 (rawhide), gnupg v1.4.x renamed to gnupg1. Also 
>> dropping keyserver support at Werner's suggestion since upstream plans to 
>> disable that soon.
> 
> Source: https://infosec.exchange/@bcl/101195051788828345
> 
> Does anyone know anything about dropping keyserver support in GnuPG? That
> seems a little bit radical but maybe I've missed something...

I feel that I've missed a memo too.

I've never liked public keyservers either.  Or, rather, the way they are
normally used.

I especially dislike how beginners' tutorials encourage their users to
upload just-made keys to public keyservers before they (the users) have
even learned how to use GPG with any degree of fluency... or even
confirmed that their new keys are appropriately made or configured.

Can somebody please point me to a more authoritative source of this
keyserver news?  Did Werner himself write anything about this?  If it's
true, then I welcome it too.

On a highly related topic...

My subkeys expired on Monday, 10/12/2018.  I've updated my subkeys with
a new expiration date (in one year).  I'm considering NOT uploading the
new public keys to the keyservers.  Rather, I will distribute them using
other channels, such as downloading from my personal website or sneakernet.

Should I issue and publish a revocation certificate?  Will this cause
problems considering that I'm still using the same master key?

Kind regards,

Andrew
-- 
EB28 0338 28B7 19DA DAB0  B193 D21D 996E 883B E5B9





Re: Keyserver access changes in GnuPG

2018-12-12 Thread Stefan Claas
On Wed, 12 Dec 2018 08:05:58 -0900, justina colmena via Gnupg-users wrote:

> One disadvantage of "keyservers" in general is that the automated queries to
> them leak "too much information" on the parties with whom one is
> communicating - even the fact that one is using PGP at all.

This can be simply avoided by using a mixnym address and using the Usenet group
alt.anonymous.messages. It requires of course that people get familiar with
Mixmaster, which is as old as PGP. Or simply use Bitmessage.
 
> One of the original goals of PGP, and later on, GnuPG, was to avoid the
> reliance on a central point of failure such as a "server." It was to be a
> most explicitly *decentralized* system.

Nobody is against a decentralized system. 
 
> *Probably nothing wrong* with a keyserver if the key is tied to one's
> everyday real-life identity, but that is not always the use case of public
> key cryptography. Not everyone wants his or her phone number, email address,
> and residence address published in a database accessible to the public.

And probably nobody wants third parties to be able to upload your key with
funny or not so funny signatures, or knock out your key so that friends can no
longer download it from key servers.
 
> The big advantage, of course, to the keyservers is that they make it
> convenient for people to use PGP and GnuPG who might not otherwise bother
> with encryption at all.

The latest user guide from EFF shows key server usage as the *last* option in
their document and also tells people to think about it before uploading a key
to a key server.



> This whole debate, I seem to recall, took place many, many years ago, and of
> course different groups have different goals and find different technical
> solutions for their respective situations.

True, but have you ever seen replies from (a) key server software developer(s)
saying "we are aware of all those problems and we are working on a solution"?
I don't refer here to the pgp.com key server, WKD, Autocrypt or keybase; I
mean the widely used SKS key server network.

Regards
Stefan


-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas




Re: Keyserver access changes in GnuPG

2018-12-12 Thread justina colmena via Gnupg-users
On December 12, 2018 2:35:43 AM AKST, Stefan Claas wrote:
>On Wed, 12 Dec 2018 10:15:33 +0100, Wiktor Kwapisiewicz via Gnupg-users wrote:
>> Hello all,
>> 
>> I recently saw a message from one of Fedora's maintainers:
>> 
>> > Coming soon to Fedora30 (rawhide), gnupg v1.4.x renamed to gnupg1. Also
>> > dropping keyserver support at Werner's suggestion since upstream plans to
>> > disable that soon.
>> 
>> Source: https://infosec.exchange/@bcl/101195051788828345
>> 
>> Does anyone know anything about dropping keyserver support in GnuPG? That
>> seems a little bit radical but maybe I've missed something...
>
>If so, I see it as a consequent move from past discussions on ML's and
>that Werner shows responsibility, while everybody else defended the old
>system or put their head in the sand.
>
>Bravo!
>
>Regards
>Stefan
>
>-- 
>https://www.behance.net/futagoza
>https://keybase.io/stefan_claas


One disadvantage of "keyservers" in general is that the automated queries to 
them leak "too much information" on the parties with whom one is communicating 
- even the fact that one is using PGP at all.

One of the original goals of PGP, and later on, GnuPG, was to avoid the 
reliance on a central point of failure such as a "server." It was to be a most 
explicitly *decentralized* system.

*Probably nothing wrong* with a keyserver if the key is tied to one's everyday 
real-life identity, but that is not always the use case of public key 
cryptography. Not everyone wants his or her phone number, email address, and 
residence address published in a database accessible to the public.

The big advantage, of course, to the keyservers is that they make it convenient 
for people to use PGP and GnuPG who might not otherwise bother with encryption 
at all.

In any case, I am sure that the keyserver support functionality could easily be 
split off into a separate program if it is being dropped from GnuPG, which to 
be honest is getting rather bloated and could do well to focus on its core 
competencies.

Right now the OpenKeychain app on my phone is configured to search OpenPGP 
keyservers:

hkps://keyserver.ubuntu.com
hkps://hkps.pool.sks-keyservers.net (hkp://jirk5u4osbsr34t5.onion)
hkps://pgp.mit.edu
hkps://keys.fedoraproject.org (which I added because I use Fedora.)

There is also a "keybase.io" and a "Web Key Directory" search. It might seem a 
bit much, but the general goal here is not "absolute privacy" but to enable the 
dumb user of a smart phone to make use of PGP encryption.

This whole debate, I seem to recall, took place many, many years ago, and of 
course different groups have different goals and find different technical 
solutions for their respective situations.

-- 
A well regulated Militia, being necessary to the security of a free State, the 
right of the people to keep and bear Arms, shall not be infringed.

https://www.colmena.biz/~justina/justina.colmena.asc



Re: Keyserver access changes in GnuPG

2018-12-12 Thread Stefan Claas
On Wed, 12 Dec 2018 10:15:33 +0100, Wiktor Kwapisiewicz via Gnupg-users wrote:
> Hello all,
> 
> I recently saw a message from one of Fedora's maintainers:
> 
> > Coming soon to Fedora30 (rawhide), gnupg v1.4.x renamed to gnupg1. Also 
> > dropping keyserver support at Werner's
> > suggestion since upstream plans to disable that soon.  
> 
> Source: https://infosec.exchange/@bcl/101195051788828345
> 
> Does anyone know anything about dropping keyserver support in GnuPG? That
> seems a little bit radical but maybe I've missed something...

If so, I see it as a consequent move from past discussions on ML's and that
Werner shows responsibility, while everybody else defended the old system or
put their head in the sand.

Bravo!

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas




Keyserver access changes in GnuPG

2018-12-12 Thread Wiktor Kwapisiewicz via Gnupg-users
Hello all,

I recently saw a message from one of Fedora's maintainers:

> Coming soon to Fedora30 (rawhide), gnupg v1.4.x renamed to gnupg1. Also 
> dropping keyserver support at Werner's suggestion since upstream plans to 
> disable that soon.

Source: https://infosec.exchange/@bcl/101195051788828345

Does anyone know anything about dropping keyserver support in GnuPG? That seems
a little bit radical but maybe I've missed something...

Thanks in advance!

Kind regards,
Wiktor

-- 
https://metacode.biz/@wiktor
