Re: WoT question - policy

[Stefan Claas]

On Fri, 16 Nov 2018 10:32:36 +0100, Wiktor Kwapisiewicz wrote:

Hi Wiktor,

> As for the sigs, sig1 are ignored in GnuPG by default, everything
> else has the same value. So if Stefan's friends trust his key fully,
> all keys he's signed will be equally valid.

I like again to make it clear that people don't have to be my
friends, or that third parties would know that they are my
(real) friends. ;-)

Also regarding privacy. I fully understand that people may think
that I am crazy, demanding a postal address. I see this currently
(because of lack for better suggestions) as the only valid method
for me, to do a proper verification.

Hi hope  i make now people at EFF not angry!!! 

The community could also run a petition, asking EFF
if they could do this as a paid service, in case they
would like to do so and have the resources...

I trust EFF 100% and they already have my postal address
because i did a small donation recently. ;-)

Best regards
Stefan


-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas


pgp7fK0Qt81ZI.pgp
Description: Digitale Signatur von OpenPGP
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WoT question - policy

[Antony Prince]

On 2018-11-17 06:16 AM, Kiran Shetty wrote:

On Sat, Nov 17, 2018 at 3:32 PM Robert J. Hansen 
wrote:


I am Using "*https://github.com/smartrevolution/gnupg-for-java*;
this repo. But now able to Run this.


That codebase is old and no longer maintained.  There are no
well-maintained Java bindings for GPGME.

You will almost certainly have an easier time using BouncyCastle,
which is a Java library implementing the OpenPGP protocol.


Can you please help me with source code or git repo for the same.



As Robert mentioned, that codebase is old. I used the Guardian
Project one [0] a couple years ago and was able to get some of
the basic functions working, but their last commit was in 2015,
so I'd definitely look for an alternate route or see if you can
update it well enough to get it going which is what I was doing
before I no longer had the need/desire. I've never tinkered
with it, but BouncyCastle can be found here [1].

[0] https://github.com/guardianproject/gnupg-for-java
[1] http://bouncycastle.org/java.html

--
--
Antony Prince

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WoT question - policy

[Antony Prince]

On 2018-11-17 07:21 AM, Kiran Shetty wrote:


Running  [0] https://github.com/guardianproject/gnupg-for-java project
give Error :
D:\AuxLedger\Java
PGP\GuardianProject\gnupg-for-java-master\build.xml:63: Execute
failed: java.io.IOException: Cannot run program "make" (in directory
"D:\AuxLedger\Java PGP\GuardianProject\gnupg-for-java-master\jni"):
CreateProcess error=2, The system cannot find the file specified


It seems it was intended to use ANT in a Linux environment as per the
README, but indicates that it is possible to use MinGW in a Windows
environment, also per the README. I would definitely try to look into
other bindings because as mentioned before the aforementioned sources
are old and not particularly geared for Windows environments it
would seem. Make is a utility for compiling programs in Linux/UNIX
environments which is why your system failed to find it unless you
use MinGW or something like it, but that will only further
complicate the process.

--
--
Antony Prince

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WoT question - policy

[Stefan Claas]

On Sat, 17 Nov 2018 17:51:02 +0530, Kiran Shetty wrote:
> Running  [0] https://github.com/guardianproject/gnupg-for-java
> project give Error :
> D:\AuxLedger\Java
> PGP\GuardianProject\gnupg-for-java-master\build.xml:63: Execute
> failed: java.io.IOException: Cannot run program "make" (in directory
> "D:\AuxLedger\Java PGP\GuardianProject\gnupg-for-java-master\jni"):
> CreateProcess error=2, The system cannot find the file specified

With all due respect, why not use the official GnuPG source from here,
or an official  binary, if your are not able yet, to run make in a Java
environment?

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WoT question - policy

[Kiran Shetty]

Running  [0] https://github.com/guardianproject/gnupg-for-java project give
Error :
D:\AuxLedger\Java PGP\GuardianProject\gnupg-for-java-master\build.xml:63:
Execute failed: java.io.IOException: Cannot run program "make" (in
directory "D:\AuxLedger\Java
PGP\GuardianProject\gnupg-for-java-master\jni"): CreateProcess error=2, The
system cannot find the file specified

On Sat, Nov 17, 2018 at 5:39 PM Antony Prince  wrote:

> On 2018-11-17 06:16 AM, Kiran Shetty wrote:
> >> On Sat, Nov 17, 2018 at 3:32 PM Robert J. Hansen 
> >> wrote:
> >>
> >>> I am Using "*https://github.com/smartrevolution/gnupg-for-java*;
> >>> this repo. But now able to Run this.
> >>
> >> That codebase is old and no longer maintained.  There are no
> >> well-maintained Java bindings for GPGME.
> >>
> >> You will almost certainly have an easier time using BouncyCastle,
> >> which is a Java library implementing the OpenPGP protocol.
> >>
> > Can you please help me with source code or git repo for the same.
> >
>
> As Robert mentioned, that codebase is old. I used the Guardian
> Project one [0] a couple years ago and was able to get some of
> the basic functions working, but their last commit was in 2015,
> so I'd definitely look for an alternate route or see if you can
> update it well enough to get it going which is what I was doing
> before I no longer had the need/desire. I've never tinkered
> with it, but BouncyCastle can be found here [1].
>
> [0] https://github.com/guardianproject/gnupg-for-java
> [1] http://bouncycastle.org/java.html
>
> --
> --
> Antony Prince
>
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WoT question - policy

[Kiran Shetty]

Can you please help me with source code or git repo for the same.

On Sat, Nov 17, 2018 at 3:32 PM Robert J. Hansen 
wrote:

> > I am Using "*https://github.com/smartrevolution/gnupg-for-java*; this
> > repo. But now able to Run this.
>
> That codebase is old and no longer maintained.  There are no
> well-maintained Java bindings for GPGME.
>
> You will almost certainly have an easier time using BouncyCastle, which
> is a Java library implementing the OpenPGP protocol.
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WoT question - policy

[Robert J. Hansen]

I am Using "*https://github.com/smartrevolution/gnupg-for-java*; this 
repo. But now able to Run this.


That codebase is old and no longer maintained.  There are no 
well-maintained Java bindings for GPGME.


You will almost certainly have an easier time using BouncyCastle, which 
is a Java library implementing the OpenPGP protocol.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WoT question - policy

[Kiran Shetty]

Hi Team,
Myself Kiran Shetty. I want to use GnuPG Java library for my Java
Application.
I am Using "*https://github.com/smartrevolution/gnupg-for-java
*" this repo. But now
able to Run this.
Can anyone please help me with GnuPG running source code for Java, in which
I can generate keys, encrypt, decrypt, etc.
Thanks in Advance.

Regards,
Kiran Shetty.


On Tue, Nov 13, 2018 at 10:25 PM Stefan Claas 
wrote:

> Hi all,
>
> i thought about creating a key certification policy, for my key,
> and like to know your opinions.
>
> 
>
> I have read in the past several policies, but i like to avoid
> id-card / online video/chat etc. because i am not able
> to distinguish between a real or a fake id, when doing so.
>
> Therefore i thought to use a postcard/letter method.
>
> Any critics are very welcome!
>
> Regards
> Stefan
>
> --
> https://www.behance.net/futagoza
> https://keybase.io/stefan_claas
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WoT question - policy

[Stefan Claas]

On Fri, 16 Nov 2018 18:47:05 +0100, Stefan Claas wrote:

> > But i fail to see what any of this has to do with minors
> > specifically (surely the good guidance applies after reaching the
> > age of majority as well), or how law enforcement happened to sneak
> > in at the end there.  I suspect you're imagining some specific
> > scenario that i don't know about, but i don't know what it is or
> > how it relates to OpenPGP certification.  
> 
> While minors are usually smarter (or they think their are) than their
> parents my thought is/ was to create a policy which shows clearly
> that i try to do a proper verification, give a sig level to do my
> best. In case something could happen i can show a postcard.
> 
> I mean why do we have the possibility for a WoT verification
> with it's sig levels? If i issue a sig0 that could mean i don't like
> to tell because if have something to hide to the public WoT public or
> i cheat. Sure if people use other policies or none they could do
> the same for level 2 and 3 :-(

Sorry for the late reply

I like to give a (fictitious) example.

A person with bad things in mind could theoretically use anonymous
email services via Tor or Remailer Services via Tor, with a proper
looking name used in his/her email/nym address. I believe that a lot
of people do not care to much from what domain an email arrives, as
long as the email is not spam.  With my approach there is a postcard.
With the currently used validation model people would have a hard time
to find the bad person, in case he / she would abuse the WoT.

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas


pgpgoHvKLfilo.pgp
Description: Digitale Signatur von OpenPGP
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WoT question - policy

[Stefan Claas]

On Fri, 16 Nov 2018 11:31:35 -0500, Daniel Kahn Gillmor wrote:
> On Fri 2018-11-16 17:00:33 +0100, Stefan Claas wrote:
> > I understand your points, but like to point out my view of sig0
> > and why i think it is not good and why i wrote a policy that way.  
> 
> I think you're talking about this:
> 
> > With the sig0 approach i have the following problem: I could
> > create a couple of fake keybase accounts, for example, give each
> > other a sig0 and then what is this good for if i follow the advise
> > from the blog and what trust should a third party gain from this
> > many sig0 on such a key?  
> 
> I confess i do not understand what this has to do with sig0.  Surely
> the same "attack" can be mounted via sig2?  I also don't know what
> "advise from the blog" means, and i don't think the word "trust" in
> the final question is well-defined -- what third party gains what
> kind of trust?. Sorry to be so dense!

O.k. before i try to explain what i mean i like to ask why do we have,
or need a Web of Trust and what is it good for?

You are a well respected community member, i assume. For me
it would be enough if your key bears no sigs. If i would like to
communicate with you i only need to be sure that the fingerprint
matches, when downloading your key from your web site. Same
imho applies if i would be an activist and would like to communicate
with EFF for example. I download the key from their site and encrypt
to them.

Now, since we have PGP and GnuPG with the Web of Trust and
its sig levels you make your points on your blog. I understand,
as non-native Englisch speaker that i or someone else should
think about to consider to use sig level 0.

With my humble approach i avoid sig level 0 and also try with
sig2 level and sig3 to do my best to avoid any surprises due
to the fact that i like to use a postcard / letter method for
verification, so that a third party or the requester know
there is some documentation (the postcard) available.

If we had certified CA's globally, like Governikus, and they
would do cross certifications, PGP or GnuPG would not need
all those sig levels, every user would be properly registered
if he / she likes to do so and there would be no need
for an extensive explanation in the manual nor a discussion
about sig levels, policies and what not. Everybody is still
free, in case of not trusting Governmental institutions and
use PGP / GnuPG the classic way.

> In response to the situation i *think* you're describing, i'd say:
> 
>If you rely on mere quantity of any type of certification from
>parties you cannot identify and have no clear reason to trust, then
>you are open to a trivial Sybil attack. 
>[https://en.wikipedia.org/wiki/Sybil_attack]

Yes.

> >> Keep it simple.  (or, don't bother)  
> >
> > Agreed, use X.509... ;-)  
> 
> eh?  I have never said (and would never say) that X.509 is "simple".
> it's grossly overcomplicated for what it's typically used for, even
> worse than OpenPGP.

This was more a joke, but i must admit (i own a classII and classIII
X.509 certificate) and in combination with Thunderbird there is
no learning phase and it's quite simple to use and you have the
assurance that the name and email belongs to that person you
are communicating with, without consulting a manual etc.

> >  (disagree, see my point when it comes to Protection of Minors)  
> 
> I think you're referring to this part of
> https://stefan_claas.keybase.pub/policy.txt:
> 
> > ***Protection of minors***
> > 
> > While there is no law, as far as i know, which says you are only
> > allowed to use strong encryption tools if you are an adult i like
> > to point out one thing which parents or young teenagers, brand new
> > to PGP / GnuPG and the Web of Trust, must understand.
> > 
> > The word trust does *not* mean: Hey, this is a cool girl or guy, i
> > can trust, because he/she uses PGP/GnuPG and has signatures on
> > his/her public key. It simply means that it publicity states that
> > "someone" has somehow attested that the public key belongs to that
> > "person".
> > 
> > Therefore i strongly advise parents and young teenagers to backup
> > the secret key, *including the passphrase* written on a piece of
> > paper. Deposit them in a safe place. Backup your communications and
> > encrypt to yourself. Should something happen law enforcement is
> > then able to read the messages.  
> 
> The middle paragraph is exactly the point i was making in my earlier
> mail -- definitely agree. :)

:-) 
 
> But i fail to see what any of this has to do with minors specifically
> (surely the good guidance applies after reaching the age of majority
> as well), or how law enforcement happened to sneak in at the end
> there.  I suspect you're imagining some specific scenario that i
> don't know about, but i don't know what it is or how it relates to
> OpenPGP certification.

While minors are usually smarter (or they think their are) than their
parents my thought is/ was to create a policy 

Re: WoT question - policy

[Daniel Kahn Gillmor]

On Fri 2018-11-16 17:00:33 +0100, Stefan Claas wrote:
> I understand your points, but like to point out my view of sig0
> and why i think it is not good and why i wrote a policy that way.

I think you're talking about this:

> With the sig0 approach i have the following problem: I could create
> a couple of fake keybase accounts, for example, give each other a
> sig0 and then what is this good for if i follow the advise from the
> blog and what trust should a third party gain from this many sig0 on
> such a key?

I confess i do not understand what this has to do with sig0.  Surely the
same "attack" can be mounted via sig2?  I also don't know what "advise
from the blog" means, and i don't think the word "trust" in the final
question is well-defined -- what third party gains what kind of trust?.
Sorry to be so dense!

In response to the situation i *think* you're describing, i'd say:

   If you rely on mere quantity of any type of certification from
   parties you cannot identify and have no clear reason to trust, then
   you are open to a trivial Sybil attack. 
   [https://en.wikipedia.org/wiki/Sybil_attack]

>> Keep it simple.  (or, don't bother)
>
> Agreed, use X.509... ;-)

eh?  I have never said (and would never say) that X.509 is "simple".
it's grossly overcomplicated for what it's typically used for, even
worse than OpenPGP.

>  (disagree, see my point when it comes to Protection of Minors)

I think you're referring to this part of
https://stefan_claas.keybase.pub/policy.txt:

> ***Protection of minors***
> 
> While there is no law, as far as i know, which says you are only allowed
> to use strong encryption tools if you are an adult i like to point out
> one thing which parents or young teenagers, brand new to PGP / GnuPG and
> the Web of Trust, must understand.
> 
> The word trust does *not* mean: Hey, this is a cool girl or guy, i can trust,
> because he/she uses PGP/GnuPG and has signatures on his/her public key. It 
> simply
> means that it publicity states that "someone" has somehow attested that the 
> public
> key belongs to that "person".
> 
> Therefore i strongly advise parents and young teenagers to backup the secret
> key, *including the passphrase* written on a piece of paper. Deposit them in 
> a 
> safe place. Backup your communications and encrypt to yourself. Should 
> something
> happen law enforcement is then able to read the messages.

The middle paragraph is exactly the point i was making in my earlier
mail -- definitely agree. :)

But i fail to see what any of this has to do with minors specifically
(surely the good guidance applies after reaching the age of majority as
well), or how law enforcement happened to sneak in at the end there.  I
suspect you're imagining some specific scenario that i don't know about,
but i don't know what it is or how it relates to OpenPGP certification.

Regards,

--dkg


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WoT question - policy

[Stefan Claas]

On Fri, 16 Nov 2018 08:03:09 -0500, Daniel Kahn Gillmor wrote:
> On Thu 2018-11-15 23:41:32 +0100, Stefan Claas wrote:
> > or if i sign with sig0 a key on a key signing party, where i also
> > don't know that the person who attended is a good or bad person  
> 
> OpenPGP identity certifications ("keysignings") make no claims one way
> or the other about a person's moral character.
> 
> Such a certification is simply an assertion that the person holding
> the indicated identity also controls the corresponding cryptographic
> key material.
> 
> This kind of confusion is exactly why i think cert-levels are a
> "solution" in search of a problem.  People already find it hard enough
> to reason about a distributed network of identity assertions (the "web
> of trust") *without* having to factor in certification levels.

I understand your points, but like to point out my view of sig0
and why i think it is not good and why i wrote a policy that way.

> Keep it simple.  (or, don't bother)

Agreed, use X.509... ;-) (disagree, see my point when it comes
to Protection of Minors)

Regards
Stefan


-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas


pgpoc8V0bkknI.pgp
Description: Digitale Signatur von OpenPGP
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WoT question - policy

[Daniel Kahn Gillmor]

On Thu 2018-11-15 23:41:32 +0100, Stefan Claas wrote:
> or if i sign with sig0 a key on a key signing party, where i also don't
> know that the person who attended is a good or bad person

OpenPGP identity certifications ("keysignings") make no claims one way
or the other about a person's moral character.

Such a certification is simply an assertion that the person holding the
indicated identity also controls the corresponding cryptographic key
material.

This kind of confusion is exactly why i think cert-levels are a
"solution" in search of a problem.  People already find it hard enough
to reason about a distributed network of identity assertions (the "web
of trust") *without* having to factor in certification levels.

Keep it simple.  (or, don't bother)

   --dkg


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WoT question - policy

[Wiktor Kwapisiewicz via Gnupg-users]

On 16.11.2018 00:40, Dirk Gottschalk via Gnupg-users wrote:
> There's documentation about the trustdb. I read it a while ago, but not
> entirely. You can also set the amount of needed signatures for the
> trust calculations and so on. Then comes the trust deepness into play.
> I also have to read further because I want to "abuse" GnuPG for an
> email controlled bot system inside a bigger company as part of the
> security concept. The commands shall be encrypted and signed and some
> function should be usable by "unknown" users with the needed trust
> level and so on.

For people interested these two articles by Konstantin Ryabitsev go into details
of how things are calculated:

https://www.linux.com/learn/pgp-web-trust-core-concepts-behind-trusted-communication

https://www.linuxfoundation.org/blog/2014/02/pgp-web-of-trust-delegated-trust-and-keyservers/

In may be initially hard to digest but the amount of knowledge these articles
are packed is unparalleled, and, actually there are no other resources on this
subject I could find (GnuPG manual has a description but IMHO Konstantin's more
clear).

As for the sigs, sig1 are ignored in GnuPG by default, everything else has the
same value. So if Stefan's friends trust his key fully, all keys he's signed
will be equally valid.

On the other matter I doubt anyone would have a serious problem by signing
someone else's key regardless of circumstances. Signing documents, maybe, as
that would qualify as an Advanced Electronic Signature but signing (certifying)
keys? They are technically similar but that's all.

Kind regards,
Wiktor

-- 
https://metacode.biz/@wiktor

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WoT question - policy

[Stefan Claas]

On Fri, 16 Nov 2018 00:40:11 +0100, Dirk Gottschalk wrote:

Hi Dirk,
 
> Am Donnerstag, den 15.11.2018, 23:41 +0100 schrieb Stefan Claas:

> > You make a very important point, which i thought also about and
> > that is my little approach for covering my a*#. I would strongly
> > assume that law enforcement would also check a sig0 user,
> > regardless of policy or not, if something happens to a key owner,
> > or if i sign with sig0 a key on a key signing party, where i also
> > don't know that the person who attended is a good or bad person with
> > a real or fake id. I am totally unable to distinguish  between a
> > real or fake id nor do i know if a person is good or bad if i would
> > attend such a key signing party.  
> 
> That was a bad example. But you see what I meant. Signature levels
> imply in some cases the assumption that it is related to the relation
> of people whether it's right or wrong.

No, no... this absolutely no bad example, regardless of sig level!

I wish that more users on the Mailing List would participate in this
discussion and critic or comment my policy. I would also very much
appreciate a proper formulated policy of mine, from a native English
speaker. Regardless whether he / she likes my policy, or not!

> There's documentation about the trustdb. I read it a while ago, but
> not entirely. You can also set the amount of needed signatures for the
> trust calculations and so on. Then comes the trust deepness into play.
> I also have to read further because I want to "abuse" GnuPG for an
> email controlled bot system inside a bigger company as part of the
> security concept. The commands shall be encrypted and signed and some
> function should be usable by "unknown" users with the needed trust
> level and so on.

Sounds interesting! I will check the docs, thanks!

I must say good night now because it is already late! ;-)

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas


pgpUlG4zYlT6G.pgp
Description: Digitale Signatur von OpenPGP
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WoT question - policy

[Dirk Gottschalk via Gnupg-users]

Hi.

Am Donnerstag, den 15.11.2018, 23:41 +0100 schrieb Stefan Claas:
> On Thu, 15 Nov 2018 22:54:01 +0100, Dirk Gottschalk wrote:

> Hi Dirk,
 
> > Am Donnerstag, den 15.11.2018, 21:05 +0100 schrieb Stefan Claas:
> > > I disagree, with my humble approach imho third parties do not
> > > know
> > > that people are my real friends, colleagues, or that i belong to
> > > a
> > > certain group.  
> > 
> > The implication matters. For example: If you sign a three keys of,
> > let's assume kidnappers, with level 3. I guess, police won't read
> > and
> > understand your policy first, you'll get a little trouble for sure.
> > Okay, that is a bad example. But, the diagram will result in level
> > 3
> > Relations, what can lead to assumptions somebody does not want or
> > intent.
> 
> You make a very important point, which i thought also about and
> that is my little approach for covering my a*#. I would strongly
> assume that law enforcement would also check a sig0 user,
> regardless of policy or not, if something happens to a key owner,
> or if i sign with sig0 a key on a key signing party, where i also
> don't know that the person who attended is a good or bad person with
> a real or fake id. I am totally unable to distinguish  between a real
> or fake id nor do i know if a person is good or bad if i would attend
> such a key signing party.

That was a bad example. But you see what I meant. Signature levels
imply in some cases the assumption that it is related to the relation
of people whether it's right or wrong.


> > > I am no expert, but i like to know from my example (because i
> > > don't
> > > understand this) how could i trust this internal computation,
> > > when
> > > it is only visible to me and not to third parties?  

> > It is based on your trust into the signers. There is a chain in
> > trust dependencies for the trustdb. The levels full, marginal and
> > so on lead to basical calculations in how reliable a key is, which
> > is indirectly signed by trusted keys. I did not dig deeper into the
> > GPG internals for this system, but I've already seen it works well,
> > at least for me.

> Like i said in my previous reply i have to study this in more depth.

There's documentation about the trustdb. I read it a while ago, but not
entirely. You can also set the amount of needed signatures for the
trust calculations and so on. Then comes the trust deepness into play.
I also have to read further because I want to "abuse" GnuPG for an
email controlled bot system inside a bigger company as part of the
security concept. The commands shall be encrypted and signed and some
function should be usable by "unknown" users with the needed trust
level and so on.


Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WoT question - policy

[Stefan Claas]

On Thu, 15 Nov 2018 22:54:01 +0100, Dirk Gottschalk wrote:

Hi Dirk,
 
> Am Donnerstag, den 15.11.2018, 21:05 +0100 schrieb Stefan Claas:

> > I disagree, with my humble approach imho third parties do not know
> > that people are my real friends, colleagues, or that i belong to a
> > certain group.  
> 
> The implication matters. For example: If you sign a three keys of,
> let's assume kidnappers, with level 3. I guess, police won't read and
> understand your policy first, you'll get a little trouble for sure.
> Okay, that is a bad example. But, the diagram will result in level 3
> Relations, what can lead to assumptions somebody does not want or
> intent.

You make a very important point, which i thought also about and
that is my little approach for covering my a*#. I would strongly
assume that law enforcement would also check a sig0 user,
regardless of policy or not, if something happens to a key owner,
or if i sign with sig0 a key on a key signing party, where i also don't
know that the person who attended is a good or bad person with a real
or fake id. I am totally unable to distinguish  between a real or fake
id nor do i know if a person is good or bad if i would attend such a
key signing party.

> > I am no expert, but i like to know from my example (because i don't
> > understand this) how could i trust this internal computation, when
> > it is only visible to me and not to third parties?  
> 
> It is based on your trust into the signers. There is a chain in trust
> dependencies for the trustdb. The levels full, marginal and so on lead
> to basical calculations in how reliable a key is, which is indirectly
> signed by trusted keys. I did not dig deeper into the GPG internals
> for this system, but I've already seen it works well, at least for me.

Like i said in my previous reply i have to study this in more depth.
 
Regards
Stefan


-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas


pgpWRNnJODuF3.pgp
Description: Digitale Signatur von OpenPGP
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WoT question - policy

[Stefan Claas]

On Thu, 15 Nov 2018 21:35:47 +, MFPA wrote:

> On Thursday 15 November 2018 at 8:05:05 PM, in
> , Stefan Claas wrote:-
> 
> 
> > I am no expert, but i like to know from my example
> > (because i don't
> > understand this) how could i trust this internal
> > computation, when it
> > is only visible to me and not to third parties?  
> 
> If third parties could see your trust calculations, that would be a
> potential attack vector. They could maybe find a way to manipulate
> your calculations to trust their key.

Thanks. O.k. i must admit that i am only an occasional user and no
expert. I think i must read more about this topic.

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas


pgp4opR5oGWYD.pgp
Description: Digitale Signatur von OpenPGP
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WoT question - policy

[Dirk Gottschalk via Gnupg-users]

Hello Stefan.

Am Donnerstag, den 15.11.2018, 21:05 +0100 schrieb Stefan Claas:
> On Thu, 15 Nov 2018 20:15:21 +0100, Dirk Gottschalk via Gnupg-users
> wrote:
> 
> > > When i first learned about PGP in 94/95 i also thought why should
> > > people sign each other's key for a WoT and why do we need a
> > > global WoT and what is it good for.  
> > 
> > This should be obvious.
> 
> Please elborate a little bit more, because new user or old farts like
> me maybe do not understand what's it's purpose, i.e to publicity
> state to the whole world (thanks to key servers) that people use PGP
> or GnuPG?

The intention of the WOT is to create trust chains. This implies a
chain of signatures, quantity of signatures is not really important,
IMHO.


> > > With my humble approach i like to be honest, in that form, that i
> > > did my best for certifying someones key which might be useful for
> > > someone else, entering the WoT, without letting third parties
> > > know   that i know a person personally, or have a longtime online
> > > friendship etc. or that i belong to a certain group of people.  

> > With differing signature levels you surely do let people know that
> > kind of data. There are even small tools available, which produces
> > a diagram of relations between people/keys from their signatures,
> > including the signature level data. This can be done via
> > recursively fetching the keys from a key server.

> I disagree, with my humble approach imho third parties do not know
> that people are my real friends, colleagues, or that i belong to a
> certain group.

The implication matters. For example: If you sign a three keys of,
let's assume kidnappers, with level 3. I guess, police won't read and
understand your policy first, you'll get a little trouble for sure.
Okay, that is a bad example. But, the diagram will result in level 3
Relations, what can lead to assumptions somebody does not want or
intent.


> > > With the sig0 approach i have the following problem: I could
> > > create a couple of fake keybase accounts, for example, give each
> > > other a sig0 and then what is this good for if i follow the
> > > advise from the blog and what trust should a third party gain
> > > from this many sig0 on such a key?   

> > You can sign sig0 without havin any trouble of this kind. That's
> > the
> > reason why we have the trustdb since GnuPG 2.?. It depends on the
> > internal set trust and gpg computes the calculated trust level for
> > the
> > key in question.

> I am no expert, but i like to know from my example (because i don't
> understand this) how could i trust this internal computation, when it
> is only visible to me and not to third parties?

It is based on your trust into the signers. There is a chain in trust
dependencies for the trustdb. The levels full, marginal and so on lead
to basical calculations in how reliable a key is, which is indirectly
signed by trusted keys. I did not dig deeper into the GPG internals for
this system, but I've already seen it works well, at least for me.


> > I do use singanture levels as well, but I am thinking about this
> > practice for a while now. Even giving a sig3 changes nothing, if I
> > assigned just a marginal in the trustdb. The Chain is relevant, not
> > the level you assigned.

> If people read between the lines, so to speak, when reading my
> policy they would hopefully help to strengthen the WoT in that
> they could adopt it or improve it and sign each others key that
> way to build a stronger chain. Or i am to naive and blue eyed?

I see what you are trying to approach.


> I mean, what would have people to loose or give up when using my
> approach? Combining a classical verification method with modern
> technology is for me a good thing and i believe for honest people
> too.

I don't say your approach is bad.

> I bet if Werner, for example, would do the same, his letterbox would
> be filled imeadetily... :-)

> O.k the one thing that may be a bit difficult today is to actually
> write a postcard and go to the post office, in surveilled Internet
> age, where Facebook and WhatsApp etc. rules. :-)

Indeed. ^^

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WoT question - policy

[MFPA]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi


On Thursday 15 November 2018 at 8:05:05 PM, in
, Stefan Claas wrote:-


> I am no expert, but i like to know from my example
> (because i don't
> understand this) how could i trust this internal
> computation, when it
> is only visible to me and not to third parties?

If third parties could see your trust calculations, that would be a
potential attack vector. They could maybe find a way to manipulate
your calculations to trust their key.



> O.k the one thing that may be a bit difficult today
> is to actually write
> a postcard and go to the post office, in surveilled
> Internet age, where
> Facebook and WhatsApp etc. rules. :-)

Probably easier the last few years, since most places that sell
postcards also sell stamps.


- --
Best regards

MFPA  

The voices in my head may not be real, but they have some good  ideas!
-BEGIN PGP SIGNATURE-

iNUEARYKAH0WIQSWDIYo1ZL/jN6LsL/g4t7h1sju+gUCW+3mvV8UgAAuAChp
c3N1ZXItZnByQG5vdGF0aW9ucy5vcGVucGdwLmZpZnRoaG9yc2VtYW4ubmV0OTYw
Qzg2MjhENTkyRkY4Q0RFOEJCMEJGRTBFMkRFRTFENkM4RUVGQQAKCRDg4t7h1sju
+vdqAQCMJoKc33WGqvQYQ1FtR2yGrdwHUI9zc5zb1HPod0L1pgD/WpZJHWzgcze2
vzDWbpJQVUIkVV3YXS4xZRC2bw1ktAiJApMEAQEKAH0WIQRSX6konxd5jbM7JygT
DfUWES/A/wUCW+3mvl8UgAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0NTI1RkE5Mjg5RjE3Nzk4REIzM0IyNzI4MTMw
REY1MTYxMTJGQzBGRgAKCRATDfUWES/A/xMnEACMqQZ+8+pu2cToSVauaZZYD/mj
CV6jxZItzP0Zn2ENn1XD+J/GNf7JICWHb/CYG4EbJ3XzuWrc/AroqUsGCBeUKCYm
wvbDXNdz7a1c1XRTfBSdzKif1BhtMNAOe5HWr3Vjj5lJ1k2hZrvRLLLzNRNcxlzo
HWjaszMYrGNvV/MGcQMYwPjdlm8fxibyq0Vw11p1/nWboNZgHuoO8yQQotHBVlC9
CRgrr0UvEE+7RyiOwc/6EsZBzDUIQJqQbbkqC1gxVfUeI+iiBi+6iq6QSOAvkhJ1
zqu3p9MiPEaj0lz8EsX4p3S8OMW88ljOma25bsAWd8G4MUrsGr9OIjronWmtPGZS
BlfwVcZhur78yWKFN21ws5/w9eU3Xah74XAdbZKxaRe40N5d87nc+AXR5aZyYfLs
Kii87CriKZnG7liLGbM3+aygRvCOkX5N+cCVRuOTfuC1pamvOkqEF8Lc5VUvb8HD
u/uSN0Azo4k9P98+lb4oGm7thHx4plfYTDthikn9sTjwjAkOnjaWAZPEbHoQuqzu
gzp70bjgwjbbDgAt5shneJWE+9xAa51pP2cirzS0kk2YibNgQ++0VSFFCYjKFp/T
CUCTu6rwNBCuUWtgYPnNPZrebfJbG7/lPo0iOhWdwrP4JdsLiUMGheqUiEXeZfjG
5giH/v9pzDnpxFyt3A==
=qSUJ
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WoT question - policy

[Stefan Claas]

On Thu, 15 Nov 2018 20:15:21 +0100, Dirk Gottschalk via Gnupg-users
wrote:

Hi,


> > When i first learned about PGP in 94/95 i also thought why should
> > people sign each other's key for a WoT and why do we need a global
> > WoT and what is it good for.  
> 
> This should be obvious.

Please elborate a little bit more, because new user or old farts like me
maybe do not understand what's it's purpose, i.e to publicity state
to the whole world (thanks to key servers) that people use PGP or
GnuPG?

> > With my humble approach i like to be honest, in that form, that i
> > did my best for certifying someones key which might be useful for
> > someone else, entering the WoT, without letting third parties
> > know   that i know a person personally, or have a longtime online
> > friendship etc. or that i belong to a certain group of people.  
> 
> With differing signature levels you surely do let people know that
> kind of data. There are even small tools available, which produces a
> diagram of relations between people/keys from their signatures,
> including the signature level data. This can be done via recursively
> fetching the keys from a key server.

I disagree, with my humble approach imho third parties do not know
that people are my real friends, colleagues, or that i belong to a
certain group.

> > With the sig0 approach i have the following problem: I could create
> > a couple of fake keybase accounts, for example, give each other
> > a sig0 and then what is this good for if i follow the advise from
> > the blog and what trust should a third party gain from this many
> > sig0 on such a key?   
> 
> You can sign sig0 without havin any trouble of this kind. That's the
> reason why we have the trustdb since GnuPG 2.?. It depends on the
> internal set trust and gpg computes the calculated trust level for the
> key in question.

I am no expert, but i like to know from my example (because i don't
understand this) how could i trust this internal computation, when it
is only visible to me and not to third parties?

> I do use singanture levels as well, but I am thinking about this
> practice for a while now. Even giving a sig3 changes nothing, if I
> assigned just a marginal in the trustdb. The Chain is relevant, not
> the level you assigned.

If people read between the lines, so to speak, when reading my
policy they would hopefully help to strengthen the WoT in that
they could adopt it or improve it and sign each others key that
way to build a stronger chain. Or i am to naive and blue eyed?

I mean, what would have people to loose or give up when using my
approach? Combining a classical verification method with modern
technology is for me a good thing and i believe for honest people too.

I bet if Werner, for example, would do the same, his letterbox would
be filled imeadetily... :-)

O.k the one thing that may be a bit difficult today is to actually write
a postcard and go to the post office, in surveilled Internet age, where
Facebook and WhatsApp etc. rules. :-)

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas


pgpg5aR8YDCdc.pgp
Description: Digitale Signatur von OpenPGP
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WoT question - policy

[Dirk Gottschalk via Gnupg-users]

Hi.

Am Dienstag, den 13.11.2018, 22:36 +0100 schrieb Stefan Claas:
> On Tue, 13 Nov 2018 21:39:18 +0100, Wiktor Kwapisiewicz wrote:
> > On 13.11.2018 17:54, Stefan Claas wrote:
> > > Hi all,

> > > i thought about creating a key certification policy, for my key,
> > > and like to know your opinions. 

> > > 

> > > I have read in the past several policies, but i like to avoid
> > > id-card / online video/chat etc. because i am not able
> > > to distinguish between a real or a fake id, when doing so.

> > > Therefore i thought to use a postcard/letter method.

> > > Any critics are very welcome!  
> > 
> > Sounds interesting, would the post office check the ID of the
> > person
> > claiming the letter?

> Well, i assume that the good old postman, delivering mail to your
> house, is still around... :-) If i would send as some form of a
> registered letter than i would say yes.

Oh yes, wait a minite, mistper postman. *sing*
 

> > It reminds me of someone's method that utilized small bank
> > transfers (I can't find the source though :( ).

> I also thought about PayPal etc., but decided against it after
> receiving an advice.
 
> > Why not issue generic certifications instead of sig2 and sig3?
> > There
> > are some arguments against them:
> > https://debian-administration.org/users/dkg/weblog/98

> Yes, i remember this blog post and thought about this as well.

> I like to point out that i remember RSA encryption, before PGP was
> available and there was no WoT, so only people who knew each other
> communicated that way.

RSA is not restricted to communication. It's primary intention was, and
is, encryption of any type of data.


> When i first learned about PGP in 94/95 i also thought why should
> people sign each other's key for a WoT and why do we need a global
> WoT and what is it good for.

This should be obvious.


> With my humble approach i like to be honest, in that form, that i did
> my best for certifying someones key which might be useful for someone
> else, entering the WoT, without letting third parties know   that i
> know a person personally, or have a longtime online friendship etc.
> or that i belong to a certain group of people.

With differing signature levels you surely do let people know that kind
of data. There are even small tools available, which produces a diagram
of relations between people/keys from their signatures, including the
signature level data. This can be done via recursively fetching the
keys from a key server.

Using just sig0 reduces the usability of the data because you can not
differ the strength of the relation, at least.


> With the postal approach the requester does not need to send his
> address in encrypted form in case my computer would be compromised.
> When someone request a signature i don't keep records on my computer
> later. I only keep the postcard as souvenir.

A compromised computer is not the real deal at all in this question.

> With the sig0 approach i have the following problem: I could create
> a couple of fake keybase accounts, for example, give each other
> a sig0 and then what is this good for if i follow the advise from
> the blog and what trust should a third party gain from this many sig0
> on such a key? 

You can sign sig0 without havin any trouble of this kind. That's the
reason why we have the trustdb since GnuPG 2.?. It depends on the
internal set trust and gpg computes the calculated trust level for the
key in question.

I do use singanture levels as well, but I am thinking about this
practice for a while now. Even giving a sig3 changes nothing, if I
assigned just a marginal in the trustdb. The Chain is relevant, not the
level you assigned.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WoT question - policy

[Stefan Claas]

On Wed, 14 Nov 2018 11:05:06 +0100, Stefan Claas wrote:
> On Tue, 13 Nov 2018 17:54:08 +0100, Stefan Claas wrote:
> > Hi all,
> > 
> > i thought about creating a key certification policy, for my key,
> > and like to know your opinions. 
> > 
> > 
> > 
> > I have read in the past several policies, but i like to avoid
> > id-card / online video/chat etc. because i am not able
> > to distinguish between a real or a fake id, when doing so.
> > 
> > Therefore i thought to use a postcard/letter method.
> > 
> > Any critics are very welcome!  
> 
> I like to point out that my procedure, described in my policy,
> would also allow Usenet users, for example, working
> with a Raspberry Pi in Terminal mode could participate.
> So no need for video conferencing for them and me.

Policy slightly updated, critics are welcome!

Regards
Stefan
-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas


pgpXwcJr2y4EX.pgp
Description: Digitale Signatur von OpenPGP
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WoT question - policy

[Stefan Claas]

On Tue, 13 Nov 2018 17:54:08 +0100, Stefan Claas wrote:
> Hi all,
> 
> i thought about creating a key certification policy, for my key,
> and like to know your opinions. 
> 
> 
> 
> I have read in the past several policies, but i like to avoid
> id-card / online video/chat etc. because i am not able
> to distinguish between a real or a fake id, when doing so.
> 
> Therefore i thought to use a postcard/letter method.
> 
> Any critics are very welcome!

I like to point out that my procedure, described in my policy,
would also allow Usenet users, for example, working
with a Raspberry Pi in Terminal mode could participate.
So no need for video conferencing for them and me.

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas


pgpBG2WAcJWat.pgp
Description: Digitale Signatur von OpenPGP
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WoT question - policy

[Stefan Claas]

On Tue, 13 Nov 2018 21:39:18 +0100, Wiktor Kwapisiewicz wrote:
> On 13.11.2018 17:54, Stefan Claas wrote:
> > Hi all,
> > 
> > i thought about creating a key certification policy, for my key,
> > and like to know your opinions. 
> > 
> > 
> > 
> > I have read in the past several policies, but i like to avoid
> > id-card / online video/chat etc. because i am not able
> > to distinguish between a real or a fake id, when doing so.
> > 
> > Therefore i thought to use a postcard/letter method.
> > 
> > Any critics are very welcome!  
> 
> Sounds interesting, would the post office check the ID of the person
> claiming the letter?

Well, i assume that the good old postman, delivering mail to your house,
is still around... :-) If i would send as some form of a registered
letter than i would say yes.
 
> It reminds me of someone's method that utilized small bank transfers
> (I can't find the source though :( ).

I also thought about PayPal etc., but decided against it after receiving
an advice.
 
> Why not issue generic certifications instead of sig2 and sig3? There
> are some arguments against them:
> https://debian-administration.org/users/dkg/weblog/98

Yes, i remember this blog post and thought about this as well.

I like to point out that i remember RSA encryption, before PGP was
available and there was no WoT, so only people who knew each other
communicated that way.

When i first learned about PGP in 94/95 i also thought why should
people sign each other's key for a WoT and why do we need a global WoT
and what is it good for.

With my humble approach i like to be honest, in that form, that i did
my best for certifying someones key which might be useful for someone
else, entering the WoT, without letting third parties know   that i know
a person personally, or have a longtime online friendship etc. or that i
belong to a certain group of people.

With the postal approach the requester does not need to send his
address in encrypted form in case my computer would be compromised.
When someone request a signature i don't keep records on my computer
later. I only keep the postcard as souvenir.

With the sig0 approach i have the following problem: I could create
a couple of fake keybase accounts, for example, give each other
a sig0 and then what is this good for if i follow the advise from
the blog and what trust should a third party gain from this many sig0
on such a key? 

Regards
Stefan


-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas


pgpQw5yQxsRDu.pgp
Description: Digitale Signatur von OpenPGP
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WoT question - policy

[Wiktor Kwapisiewicz via Gnupg-users]

On 13.11.2018 17:54, Stefan Claas wrote:
> Hi all,
> 
> i thought about creating a key certification policy, for my key,
> and like to know your opinions. 
> 
> 
> 
> I have read in the past several policies, but i like to avoid
> id-card / online video/chat etc. because i am not able
> to distinguish between a real or a fake id, when doing so.
> 
> Therefore i thought to use a postcard/letter method.
> 
> Any critics are very welcome!

Sounds interesting, would the post office check the ID of the person claiming
the letter?

It reminds me of someone's method that utilized small bank transfers (I can't
find the source though :( ).

Why not issue generic certifications instead of sig2 and sig3? There are some
arguments against them: https://debian-administration.org/users/dkg/weblog/98

Kind regards,
Wiktor

-- 
https://metacode.biz/@wiktor

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

WoT question - policy

[Stefan Claas]

Hi all,

i thought about creating a key certification policy, for my key,
and like to know your opinions. 



I have read in the past several policies, but i like to avoid
id-card / online video/chat etc. because i am not able
to distinguish between a real or a fake id, when doing so.

Therefore i thought to use a postcard/letter method.

Any critics are very welcome!

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas


pgp9mMtlINpAG.pgp
Description: Digitale Signatur von OpenPGP
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users