Smartcard With Pin Pad Better Security?

2012-10-14 Thread Jonathan
I understand that a smartcard is more secure to keep my key from ever
coming off the card itself. I like the idea of getting one with a pin
pad to lower my attack surface, since as long as my pin pad is not
compromised I should be golden, right?

All the pin pads I've seen don't have many possible buttons; it looks like
all numbers. Even with a strong password, it seems it would be easy if
I could only use a PIN of 0-9, right? Couldn't that be brute forced quickly,
assuming they could get my smartcard? Or am I missing something and
there's a mode that lets it do alphabets and such?

Some I saw were pc, some were class 1, class 2, class 3. Which of these
is the most secure?

http://www.cryptoshop.com/index.php

Should I get one from here or another shop? I want one that will work in
Windows and Ubuntu and will work with OpenPGP smartcards.

Any recommendations on this?

Also do OpenPGP smartcards support the new ECC key systems in beta?

Sorry for wall of text, thank you.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Help with error please

2017-11-15 Thread Jonathan

Just installed GPA/Kleopatra. Whenever I start up GPA I get 3 windows
pop up:
1. "GnuPG is rebuilding the trust database.  This might take a few seconds."
2. "The GPGME library returned an unexpected error at keytable.c:150.  The error was:
Provided object is too short
This is either an installation problem or a bug in GPA.  GPA will now try to recover from this error."
3. A dialog box saying I don't have a private key yet and giving me the option to generate one now.

I've re-installed and tried creating keys but nothing seems to work.
Any help would be greatly appreciated!

  





For Windows

2011-03-11 Thread Jonathan Ely
Hello. I use Enigmail, so of course I have GnuPG installed. I use 1.4.9
because [1] I can not find an executable for 2.0.17 for Windows, and [2]
I do not know how to configure the GPG-agent. Can somebody please assist
me with upgrading to 2.0.17 and configuring the agent? For about a week
I have been searching everywhere but found nothing. I did install
GPG4WIN then uninstalled it because I could not figure out how to use
the agent and the GPA utility is not screen reader accessible. Thanks in
advance for your help.

PS. I am blind and use a screen reader. Everything must be 100% keyboard
accessible.
-- 
CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents,
files or previous e-mail messages attached to it may contain
confidential information that is legally privileged. If you are not the
intended recipient, or a person responsible for delivering it to the
intended recipient, you are hereby notified that any disclosure,
copying, distribution or use of any of the information contained in or
attached to this transmission is STRICTLY PROHIBITED. If you have
received this transmission in error, please immediately notify the
sender, and please destroy the original transmission and its attachments
without reading or saving in any manner. Thank you.




RSA Versus DSA and EL GAMAL

2011-03-13 Thread Jonathan Ely
I apologise in advance if this is a stupid question to ask now or if
people already asked it before I stepped on the scene, but which
algorithm is more secure: DSA and EL GAMAL or RSA? I know the latter has
undergone a ridiculous amount of scrutiny and is immensely popular. I
also know it generates longer keys.

I have a 4096 RSA key but really never found the answer whilst searching
beforehand which one to choose. I know 4096 is much better than 2048, so
I can not figure out why Enigmail defaults to a 2048 instead of 4096 but
whatever. I am not concerned about speed; I will gladly sacrifice speed
for security any day. As always, thanks for the future lessons.


Re: For Windows

2011-03-14 Thread Jonathan Ely
I use a screen reader called JAWS For Windows. The GUI is not screen
reader accessible, meaning I can not use the Arrow keys, Tab, Shift+Tab
and any other navigational keys to use the GPA utility like you can with
the mouse. I really hate that; people have no idea how much it annoys
me. I might write to the GPG4WIN developers if I can track down their
information. The command-line utility of GnuPG is more verbose than that.

On 14/03/2011 03:56 AM, Werner Koch wrote:
 On Sat, 12 Mar 2011 01:40, k...@grant-olson.net said:
 
 - GPG4WIN is the right package to install gpg2 on windows, so you've got
 the right installer.  It's a shame GPA doesn't work with a screen reader.
 
 What is the problem with GPA?  It is a plain gtk+ application and thus
 should have the same features and problems as other gtk+ applications.
 
 
 Salam-Shalom,
 
Werner
 




Re: For Windows

2011-03-14 Thread Jonathan Ely
I think I made the mistake of using HTML format the first time then
learnt my signature failed to validate. I realised it was because of the
HTML check box being checked; thus, I have disabled that. I have also
disabled the text signature for replies.

On 14/03/2011 02:24 AM, Remco Rijnders wrote:
 On Mon, Mar 14, 2011 at 09:06:20AM +1100, Ben McGinnes wrote:

 Although I've received other email from the OP that did not include
 the footer, so now I'm curious to know where it came from, especially
 since he is using the GMail MX servers.

 
 Hi Ben,
 
 I exchanged a few emails off list with the OP as well, and that led us
 to conclude that most likely the original mail also included a HTML-part
 (scrubbed off by the mailing list?) which caused the signature to fail.
 The legal mumbo jumbo disclaimer was added by the MUA and not the MTA,
 so I imagine enigmail properly signed the footer and my original
 assumption that the MTA was to blame was incorrect.
 
 Cheers,
 
 Remco
 
 
 


Re: Keyservers

2011-03-20 Thread Jonathan Ely
The attached .asc file causes problems? I have disabled that but still
enabled the header. Why would the .asc attachment option be there if it
causes problems?

On 20/03/2011 01:28 PM, Ingo Klöcker wrote:
 On Sunday 20 March 2011, Charly Avital wrote:
 Ingo Klöcker wrote the following on 3/20/11 11:43 AM:
 I doubt this very much because the encoding surely happens before
 the signing.


 Regards,
 Ingo

 In my post, I also indicated that there was a string --=20 between
 the actual text and the signature disclaimer CONFIDENTIALITY
 NOTICE: This e-mail
 
 Well, that's the standard signature separator: 2 dashes followed by a 
 space. To preserve this trailing space Thunderbird/enigmail does the 
 right thing and encodes it.
 
 
 After Jonathan disabled that signature add-on, his signed messages
 verified.
 
 Yeah, well. Even though Jonathan disabled the signature his message is 
 still quoted-printable encoded. As are my messages. So, quoted-printable 
 encoding does not seem to be the problem.
 
 Also, Jonathan's message Re: what are the sub keys does not have a 
 signature. Still the signature is broken. What the two messages with 
 broken signatures seem to have in common is the attached key. Maybe 
 that's what is causing the problems.
 
 
 Regards,
 Ingo
 
 
 
 


Re: Keyservers

2011-03-20 Thread Jonathan Ely
Firstly, what is MUA? I hear that but am not sure what that means.
Secondly, I have disabled that in Thunderbird. I had no idea it modified
anything; I thought it was simply a text signature that did not
interfere with Enigmail and GnuPG. Thanks for enabling me to understand
the complication there.

On 20/03/2011 02:38 PM, Ben McGinnes wrote:
 On 21/03/11 5:11 AM, Jonathan Ely wrote:

 The attached .asc file causes problems? I have disabled that but
 still enabled the header. Why would the .asc attachment option be
 there if it causes problems?
 
 The .asc file is the GPG signature and does not cause problems.  The
 signature that is referred to is the confidentiality notice that is
 appended to your email.  Presumably it is appended by your MUA or
 GMail *after* the rest of your message is signed and thus the bad
 signature message indicates your email has been modified (which it
 has, by a disclaimer which everyone will ignore and not feel bound
 by).
 
 
 Regards,
 Ben
 
 
 
 


Re: Keyservers

2011-03-20 Thread Jonathan Ely
I do not use the Gmail interface any more; I only use the Thunderbird
client and typed the signature in the edit field found in the Tools |
Account options | General dialogue. It always appears in the body, right
under the point where I type. If this is the case it should not
interfere with Enigmail or GnuPG, correct?

PS. I learnt my lesson about including any signature for a mailing list.

On 20/03/2011 03:35 PM, Ben McGinnes wrote:
 On 21/03/11 6:11 AM, Jonathan Ely wrote:
 Firstly, what is MUA? I hear that but am not sure what that means.
 
 MUA = Mail User Agent, e.g. Thunderbird, Outlook, Apple Mail, etc.
 MTA = Mail Transfer Agent, e.g. Sendmail, Postfix, Exchange, etc.
 
 Secondly, I have disabled that in Thunderbird. I had no idea it
 modified anything; I thought it was simply a text signature that did
 not interfere with Enigmail and GnuPG. Thanks for enabling me to
 understand the complication there.
 
 If a signature is inserted before the message is signed then it will
 be included as part of the message body and will be part of the signed
 content.  This means it won't break the signature.  If it is inserted
 as the message is being sent, but after the message is signed then it
 will generate the error seen on the list.
 
 To be sure that a text signature is appended without interfering with
 the digital signature, it should appear in the body of the message
 when you edit it.  Thunderbird is quite capable of doing this (I have
 one, but don't normally include it when posting to lists).
 
 
 Regards,
 Ben
 
 
 
 

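The two points made in this thread (a text footer breaks verification only when it is added after signing, and quoted-printable encoding protects the trailing space of the "-- " separator), as an added example that is not part of the original posts. A keyed SHA-256 MAC stands in for the OpenPGP signature, and the key, message text and whitespace-trimming relay are constructed assumptions.

```python
import hashlib
import hmac
import quopri

# Constructed sample values. The MAC key is a stand-in for the signer's
# private key; a real OpenPGP signature covers the same bytes.
DEMO_KEY = b"constructed-demo-key"
TEXT = b"Thanks for the explanation.\n"
SEPARATOR = b"-- \n"  # signature separator: two dashes plus a trailing space
NOTICE = b"CONFIDENTIALITY NOTICE: constructed sample footer\n"


def encode_part(body: bytes) -> bytes:
    """Quoted-printable encode the body; encoding happens before signing."""
    return quopri.encodestring(body)


def sign(data: bytes) -> str:
    """Stand-in signature: HMAC-SHA256 over the exact bytes given."""
    return hmac.new(DEMO_KEY, data, hashlib.sha256).hexdigest()


def verify(data: bytes, signature: str) -> bool:
    """True only if the bytes are identical to the ones that were signed."""
    return hmac.compare_digest(sign(data), signature)


def strip_trailing_whitespace(data: bytes) -> bytes:
    """Hypothetical relay that trims spaces and tabs at the end of lines."""
    return b"\n".join(line.rstrip(b" \t") for line in data.split(b"\n"))


def run_scenarios() -> dict:
    results = {}

    # 1. Footer is already in the body when the message is signed:
    #    it is part of the signed content, so verification succeeds.
    part = encode_part(TEXT + SEPARATOR + NOTICE)
    results["footer_before_signing"] = verify(part, sign(part))

    # 2. Footer is appended at send time, after signing: the recipient
    #    checks bytes the signer never saw, so verification fails.
    part = encode_part(TEXT)
    signature = sign(part)
    results["footer_after_signing"] = verify(part + SEPARATOR + NOTICE, signature)

    # 3. Separator signed as raw text, then a relay trims the trailing
    #    space of "-- ": the signed bytes change and verification fails.
    raw = TEXT + SEPARATOR + NOTICE
    signature = sign(raw)
    results["raw_then_trimmed"] = verify(strip_trailing_whitespace(raw), signature)

    # 4. Same body, quoted-printable encoded first: the space travels as
    #    "=20", there is nothing to trim, and verification succeeds.
    part = encode_part(raw)
    signature = sign(part)
    received = strip_trailing_whitespace(part)
    results["qp_then_trimmed"] = verify(received, signature)
    results["qp_round_trip"] = quopri.decodestring(received) == raw
    return results


if __name__ == "__main__":
    print(encode_part(SEPARATOR))  # shows the encoded separator line
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```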

Re: Keyservers

2011-03-20 Thread Jonathan Ely
Really? For me, it is much easier to access the newest reply instead of
using the Down Arrow key to find it. Gmail always worked the same way
for me.

On 20/03/2011 04:44 PM, Ingo Klöcker wrote:
 On Sunday 20 March 2011, Jonathan Ely wrote:
 On 20/03/2011 03:35 PM, Ben McGinnes wrote:
 To be sure that a text signature is appended without interfering
 with the digital signature, it should appear in the body of the
 message when you edit it.  Thunderbird is quite capable of doing
 this (I have one, but don't normally include it when posting to
 lists).

 I do not use the Gmail interface any more; I only use the Thunderbird
 client and typed the signature in the edit field found in the Tools |
 Account options | General dialogue. It always appears in the body,
 right under the point where I type. If this is the case it should
 not interfere with Enigmail or GnuPG, correct?

 PS. I learnt my lesson about including any signature for a mailing
 list.
 
 The next thing you might want to learn is not to top-post (i.e. write 
 the reply above the full quote of the message one replies to). Top-
 posting is very common in corporate email exchange but it is uncommon on 
 many mailing lists (including this one).
 
 
 Regards,
 Ingo
 
 
 


Re: Keyservers

2011-03-20 Thread Jonathan Ely
Something to think about that one. I guess I will experiment in the
future, but I understand what you mean and you do have a point with the
question  answer order rather than the reverse. Now I understand why
Thunderbird has that option.

On 20/03/2011 05:35 PM, Grant Olson wrote:
 On 03/20/2011 05:16 PM, Jonathan Ely wrote:
 Really? For me, it is much easier to access the newest reply instead of
 using the Down Arrow key to find it. Gmail always worked the same way
 for me.

 
 Ingo's talking about the body of the message.  On most mailing lists people
 reply after the question, so it's in context when you find a thread
 later, instead of before, at the top of the message.
 
 Arguably, when reading a message out of context, it's easier when most
 people see:
 
 QUESTION: What is the secret to life, the universe and everything?
 ANSWER: 42
 
 Rather than:
 
 ANSWER: 42
 QUESTION: What is the secret to life, the universe and everything?
 
 Which is what happens when you 'top-post' your answer at the top of the
 message.
 
 If it's hard to compose an interleaved reply with your screen-reader,
 that's fine, but you will get people complaining about it every now and
 then.  If it's easy, you probably want to reply after people's
 comments, in context, instead of before, when you're on mailing lists.
 
 
 
 


Re: what are the sub keys

2011-03-22 Thread Jonathan Ely
Exactly. Computation time is nothing nowadays. If that was the case,
those who use 1024 bit keys I would think still use the SHA1 hash
algorithm. But now people such as myself use SHA512 and 4096 bit RSA
keys, and if I could use a 8192 bit RSA key and the new SHA512/256
algorithm that I think was published just this past 02 February I would.

On 22/03/2011 10:19 AM, lists.gn...@mephisto.fastmail.net wrote:
 On Sat, Mar 19, 2011 at 11:36:57PM -0400 Also sprach Robert J. Hansen:
 On 3/19/11 10:34 PM, Jonathan Ely wrote:

 but be sure to set your preferences and choose a 4096 over 2048.

 Why?  This is like saying, I like the bank vault on my front door, but
 I wish it was thicker: I want the extra security.  Key length is only a
 small part (arguably the smallest part) of communications security.

 
 I agree that 4096 may seem like overkill, but I think the recommendation
 to max out one's RSA key size is defensible. Here's why:
 
 1. Modern computers are fast; it costs us almost nothing in terms of
    computation time to use a 4096-bit key.
 
 2. Modern computers are fast, and getting faster all the time; remember
    that your security margin may need to be good not just today, but
    against all the attacks that are possible in the future, for as long
    as your data needs to remain secure (decades, for some people). Once
    upon a time, 1024-bit keys were considered perfectly adequate; most
    experts urge against generating keys today with that strength.
 
 I agree that an awful lot of fuss is made over key length, sometimes to
 the exclusion of other, much more likely attack vectors. However, until
 someone describes for me a compelling reason NOT to bump key length up
 to 4096, my view remains: Why not?
 
 Special case, relating to this thread's original question:
 
 Some software which is designed to interface with GnuPG, or otherwise
 implement PGP keys, may not support arbitrary key lengths.
 E.g. Evolution used to have a 160-bit hash hard-coded into its gnupg
 integration (it may still--I haven't used Evolution in a while), which
 meant that to remain DSS-compliant, you could only sign email with a
 1024-bit DSA key. DSA-2 keys could not be supported directly by
 Evolution. You could circumvent the key-strength limit by using an RSA
 key as long as you liked. However, in cases when a particular piece of
 software may require use of a key which does not meet your general-use
 criteria, for whatever reason, generating a sub-key which meets the
 requirements can allow you to use the specific feature you need, while
 still enabling you to use other sub-keys for less restrictive
 applications.
 
 
 


Re: what are the sub keys

2011-03-22 Thread Jonathan Ely
Would not it be 4096 with RSA, or is DSA in conjunction with a 4096 bit
key still popular? I have never used DSA so does what Robert said
pertaining to my used combination apply here?

On 22/03/2011 12:13 PM, Jerome Baum wrote:
 Robert J. Hansen r...@sixdemonbag.org writes:
 
 And this is where I part ways with you.  There is no reason not to bump
 key length up to 4096.  There is also no reason not to use SHA512 with a
 DSA-1k key, for instance.  Sure, only 160 bits of SHA512 will be used, but
 that's not a reason not to use it.  It's not as if you're making the system
 weaker.
 
 Correct me if I'm wrong on this one, but it does make your key weaker,
 right?
 
 
 
 


Re: what are the sub keys

2011-03-22 Thread Jonathan Ely
Enigmail allows only 1024, 2048 and 4096. I have never heard of that,
but even still I would personally choose the largest key for the time
being till RSA becomes obsolete. Is there anything larger than 4096
since you mentioned values unknown to me?

On 22/03/2011 05:17 PM, MFPA wrote:
 Hi
 
 
 On Tuesday 22 March 2011 at 7:43:23 PM, in
 mid:20110322194323.ga1...@imac-6g2p.mgh.harvard.edu,
 lists.gn...@mephisto.fastmail.net wrote:
 
 
 There is a greater margin of security in a 4096-bit key
 over a 2048-bit key (all other factors being equal)
 
 Is there any particular reason to jump from 2048 to 4096 rather than
 use an intermediate value? 3072 maybe?
 
 



Re: 4096 bit keys

2011-03-22 Thread Jonathan Ely
I really wish 8192 would become available. Not that it would be the end
all/be all of key security but according to your theory it sounds much
more difficult to crack.

On 22/03/2011 05:14 PM, Mike Acker wrote:
 with chip makers playing with chips having 64 cores printed in silicon...
 
 someplace i read the ratios on this,-- if you make the key a little
 longer the key gets much harder to break.  in public key encryption
 though you have to factor the product of the two large prime numbers --
 which i'm told is no easy task.  i've often wondered about this as lists
 of large prime numbers are not hard to come by... so-- start someplace
 and start running divides... trouble is though you can't use the
 hardware instruction set: the numbers are way too large
 
 what does an x64 chip do? divide a 64 bit integer into a 128 bit
 dividend to yield a 64 bit quotient and a 64 bit remainder? dunno but
 you have to do the same thing but using what? a 2048 or 4096 bit dividend?
 
 (I'm not a mathematician)
 
 what if they put 8192 cores on a chip? who would have such a machine?
 NSA.  the smart money would bet they would have it
 
 
 
 


Re: 4096 bit keys

2011-03-22 Thread Jonathan Ely
What is ECC? Now I want that haha.

On 22/03/2011 06:53 PM, Grant Olson wrote:
 On 03/22/2011 06:06 PM, Jonathan Ely wrote:
 I really wish 8192 would become available. Not that it would be the end
 all/be all of key security but according to your theory it sounds much
 more difficult to crack.

 
 The actual cutting edge solution is to move from RSA to ECC.  Even a
 8192 bit or 16k bit RSA key isn't approved by the NSA or NIST for TOP
 SECRET materials, but ECC-521 is.
 
 ECC actually is up-and-running in the beta for gpg 2.1, but
 realistically it'll be (at least) a few years before it gets mainstream
 adoption.
 
 
 
 


Re: what are the sub keys

2011-03-23 Thread Jonathan Ely
Well excuse me for not knowing it all. I only know what Enigmail allows
through its user interface, and bad judgement is sometimes a method of
learning for better decision making. I have only begun using both GnuPG
and Enigmail this month along with Thunderbird, and this list educated
me a lot since I have been subscribed. Anything else you would like to
point out? I apologise if I come off mean in any way.

On 23/03/2011 04:55 PM, Ingo Klöcker wrote:
 On Tuesday 22 March 2011, Jonathan Ely wrote:
 Enigmail allows only 1024, 2048 and 4096. I have never heard of that,
 but even still I would personally choose the largest key for the time
 being till RSA becomes obsolete. Is there anything larger than 4096
 since you mentioned values unknown to me?
 
 Let's see. There's 4097, 4098 and even 4099. And then there's 4100. ;-p
 
 IMHO all those discussions about key sizes are really pathetic. Stick 
 with the defaults or educate yourself by reading the appropriate 
 literature instead of starting one non-sensical discussion after the 
 other on this mailing list. It should be rather obvious by now that key 
 sizes above 2048 are mostly a matter of personal taste and bad 
 judgement.
 
 
 Regards,
 Ingo
 
 
 


Re: Hi

2011-03-31 Thread Jonathan Ely

The first spammer I have seen thus far. Did not know they existed here.
On 31/03/2011 10:27 AM, Lee Elcocks wrote:
 hi  it's in your best interests to start this right away http://bit.ly/gntBne
 


Re: Hi

2011-03-31 Thread Jonathan Ely
I did not understand what that meant anyway. I never click links that
seem anonymous so I am safe, but that was unusual.

On 31/03/2011 08:41 PM, Robert J. Hansen wrote:
 On 3/31/11 7:25 PM, Jerry wrote:
 Dumping [something] would have been my first choice.
 
 Let's be a little careful about our language.  Thanks.  :)
 


Re: windows front end to GnuPG

2011-04-17 Thread Jonathan Ely
Have you ever thought about GPG4WIN? It is not accessible for me since I
use a screen reader and because of that I think the graphical user
interface needs some serious work, but I hear it works well for others.

On 17/04/2011 08:45 PM, Felipe Alvarez wrote:
 I've currently begun getting everyone in the office using GnuPG on
 windows. We're using WinPT as the front end. However there are several
 deficiencies with this program that we have encountered. Further, it
 is no longer being developed (last version 1.4.3 release sept 2009).
 Are there any other windows front ends that are easy to use, WRT
 single file en/de/cryption? The main requirements would possibly
 include:
 - sits on the task tray
 - low mem footprint
 - still in development
 
 --
 Felipe
 


Re: windows front end to GnuPG

2011-04-17 Thread Jonathan Ely
The only thing I use is the Enigmail extension for Mozilla Thunderbird
which works well enough for me, but of course I must use the version 1
branch of GnuPG.

On 17/04/2011 08:57 PM, Felipe Alvarez wrote:
 Have you ever thought about GPG4WIN?
 Looks a bit 'heavy' (fancy GUI and a bunch of programs I know that I
 will not be using) but I'll give it a try.
 
 Felipe
 


Re: windows front end to GnuPG

2011-04-17 Thread Jonathan Ely
So there is an installer for Windows for version 2.x? I never found one
except for that of GPG4WIN.

On 17/04/2011 09:08 PM, Doug Barton wrote:
 On 04/17/2011 18:00, Jonathan Ely wrote:
 The only thing I use is the Enigmail extension for Mozilla Thunderbird
 which works well enough for me, but of course I must use the version 1
 branch of GnuPG.
 
 There is nothing about enigmail that requires gnupg 1. I use it with
 gnupg2 without any problems on windows and FreeBSD.
 
 
 Doug
 





Re: windows front end to GnuPG

2011-04-17 Thread Jonathan Ely
Version 1.4.11 is still the latest of that branch, right? That is what
the download page says but sometimes there are later versions than what
is reported. Media Player Classic is a good example of this.

On 17/04/2011 09:32 PM, Faramir wrote:
 On 17-04-2011 22:18, Jonathan Ely wrote:
 So there is an installer for Windows for version 2.x? I never found one
 except for that of GPG4WIN.
 
   AFAIK, GPG4win is the only package for GPG 2.x for windows. But you
 can choose which apps to install. However, there are a few that are
 required to run GPG 2.x. I don't remember which ones, since I'm still a
 happy user of GPG 1.x
 
   Best Regards



Re: It Is Gone

2011-07-19 Thread Jonathan Ely
Thanks. I should have known better to ask before I copied an FTP's link
location from the page. They made it a bit more difficult for me since
they no longer link it directly but as long as the FTP server is still
in existence I should be able to find it.

On 19/07/2011 07:37 PM, Robert J. Hansen wrote:
 On 7/19/11 5:24 PM, Jonathan Ely wrote:
 Can somebody please link to or refer me to the site that
 contains the latest version 1 of GnuPG? Thanks.
 
 ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.11.exe
 
 Enjoy!
 
 


Re: Open Password Protected ZIP File

2011-08-14 Thread Jonathan Ely
I strongly suggest Ultimate ZIP Cracker at vdgsoftware.com/uzc.html if I
recall correctly. It is undoubtedly the most complete and promising
software I have ever used and trust me when I say I have used many of
the kind. Beware that it is resource intensive if you configure it as such.

On 14/08/2011 01:19 AM, Jean-Philippe Charpentier wrote:
 Does anybody know how to open a ZIP file, password protected? I forgot the 
 password.
 
 Google brings me to various password attack tools - any recommendation?
 
 Thanx,
 JPC


Re: Location of GnuPG 1.4.11 Windows binary

2011-08-21 Thread Jonathan Ely
You must have missed my enquiry from some time in July. I was looking
for it as well only to copy the link location of one of the FTP links
and do some self-searching. It would be useful if they announce 1.x.x
upgrades so people will not have to randomly decide when to check the
directory for an upgrade. I installed GPG4WIN and uninstalled it because
it was just too much for me and the 1.x.x branch is more simple for me
anyway since I only need it for the Enigmail extension.

On 21/08/2011 10:54 PM, Mark Rousell wrote:
 I just thought the following might be helpful for Windows users of GnuPG
 1.x.
 
 I had been running 1.4.10 on Windows for some time and I thought it was
 time I checked for an upgrade so I visited
 http://www.gnupg.org/download/ to see if there was a new version. I
 found that 1.4.11 was available but that the binary download links had
 disappeared! The only reference to Windows binaries is now via Gpg4win
 but that project only provides Windows binaries of 2.x and not 1.x.
 
 Happily however I found that the traditional standalone Windows binary
 installer is still available via FTP. It's simply not linked from the
 GnuPG website as far as I can see. Here's the link:
 ftp://ftp.gnupg.org/gcrypt/binary/
 
 Thank goodness for that.
 
 If anyone from GnuPG is reading this, please don't stop building (and
 providing links to) Windows binaries for GnuPG 1.x. I'm sure I can't be
 the only user of it. :-)
 
 I'm sure it wouldn't be the end of the world for me to learn how to
 compile it for Windows but I know that the GnuPG developers will
 probably do a better job of it than me. ;-)
 
 
 
 
 


Re: supersede key on key-server

2011-08-22 Thread Jonathan Ely
I was wondering something similar. I have a few keys which I have
invalidated and disabled but there is no way to delete them. I am using
this new key which I have not uploaded because if something happens and
I must re-create the key that will too become just clutter on the server.

On 22/08/2011 10:39 AM, Mike Acker wrote:
 some of us use more than one email address. with GPG it is simple to add
 a secondary ID to a key and this seems to work quite well.
 
 when a change like this is made it is desirable to update the keyserver.
 what happens when you re-upload a key to the keyserver? I hate to think
 the keyserver gets loaded up with old junk keys no one want used anymore...
 




Re: windows binary for gnupg 1.4.11 // link no longer on gnupg site?

2011-09-13 Thread Jonathan Ely
It is no longer shown but it is available at
ftp.gnupg.org/gnupg/binaries or something of the sort. Copy one of the
link locations that link to the source code and modify that path in the
location bar. It is inconvenient no doubt but it works.

I hope there will be updates to the 1.x branch because I use it with
Enigmail and have no use for the PGP agent that I read is mandatory in
the 2.x branch.

On 13/09/2011 10:41 AM, ved...@nym.hush.com wrote:
 On the gnupg download site,
 http://gnupg.org/download/
 
 There is no link for a windows binary for 1.4.11, only a link to 
 the gpg4win site (a GREAT site and program, btw, but only for gnupg 
 2.x).
 
 Is there going to be a windows binary for future builds of the 
 gnupg 1.x branch?
 
 (I'm interested primarily in order to update Maxine Brandt's 
 Torduninja site that I recreated, as no one had access to her old 
 site after she passed on)
 
 http://www.angelfire.com/mb2/mbgpg2go/tp.html
 
 Thanks,
 
 vedaal 
 
 

-- 
Brotha J.




Re: Looking for 3G smartphone partner and cooperator

2011-09-28 Thread Jonathan Ely
On 28/09/2011 07:46 AM, Bolin qu wrote:
 Hello,my friend:
 
 How are you recently? i hope everything is very well with you now.
 This is your friend_bolin worked in 3G T-smart communications factory as a 
 sales man and tooling manager, Our company has many years experience in 
 providing the brand owners and wholesalers all over the world with 
 professional products and OEM, ODM services.and we're the strategic partner 
 with China Mobile.
 Attached is our newest product presentation for you reference. if any style 
 meets your interest,please don't hesitate to contact me!
 
 BRS!
 --
 Bolin qu,Oversea sales and tooling manager
 T-smart communications equipment Co.,LTD.(China mobile Partner)
 Add:B-D,8 Floor,Hanjing International building,Nanshan District,Shenzhen 
 City,PRC
 MP:+86 13602649836   skype:bolin.qu 
 Email: slsimon...@gmail.com or bolinqud...@live.cn
 TEL:0755-83534040/25315393 FAX:0755-83584225 

Nothing but a spammer. Get off the list or whoever controls the list
should ban this fool for good.

-- 
Brotha J.




Re: Shouldn't keyservers store and provide subkeys?

2005-03-29 Thread Jonathan McDowell
[I'm guessing the original mail was on gnupg-users; I'm not on that list
though I do read pgp-keyserver-folk.]

On Thu, Mar 24, 2005 at 04:44:49PM -0500, Jason Harris wrote:
 On Thu, Mar 24, 2005 at 04:20:02PM -0500, David Shaw wrote:
  I'm all for it.  It would be nice to point people to a keyserver set
  that works properly with everything: multiple subkeys, photo IDs, and
  MR output.  At the moment, this is just SKS servers.

onak should handle all of these; if anyone has examples of keys that it
doesn't deal with then please do let me know the details.

I appreciate that the.earth.li [wwwkeys.uk.pgp.net] is probably the
only public keyserver running the code, but I do try to react to any
bug reports I receive.

It can be found at:

http://www.earth.li/projectpurple/progs/onak.html

which also has details of the arch repository.

J.

-- 
101 things you can't have too much of : 41 - Tea.
This .sig brought to you by the letter E and the number  3
Product of the Republic of HuggieTag




preferred compression types with multiple recipients

2006-05-24 Thread Jonathan Wellons

Good day everyone,

How does gpg reconcile conflicting preferred compression types?  I've 
switched mine to bzip2 to save space, but it occurs to me that it may 
not be of much effect until a significant number of other people I 
communicate with also switch from zlib.


My understanding of encrypted mail to multiple recipients is that
* a session key is generated
* the message is encrypted symmetrically with the session key
* the session key is encrypted asymmetrically with each recipient's public key.


It seems that a message is only compressed once.

Thanks,
Jonathan




Re: SHA2 compatibility

2006-06-07 Thread Jonathan Rockway



This is a true statement, but not relevant to your question.  I was
discussing DSA keys, and you're asking about RSA.  You can use any
hash with RSA that you like.  There are no restrictions in size or
otherwise.  The only thing you have to worry about is whether your
recipient can handle that hash or not.


Interestingly, my OpenPGP smartcard (1024-bit RSA key) refuses to sign 
anything that's not 160 bits (i.e. SHA1 and RIPEMD-160 only).  Is there 
any reason for this, or is this a bug?


Regards,
Jonathan Rockway





Re: How to verify the file was successfully encrypted...

2006-07-12 Thread Jonathan Rockway



There is no way to design such a self-check.  This isn't a lack in
GnuPG, but a design impossibility for any program.  Think about it: a
check mode would try and account for a bug in GnuPG and warn you
that the file was not encrypted properly.  However, if you're
presuming a bug, then who says you should trust the check mode?

If GnuPG completes successfully, that means it succeeded.  If you want
more assurance than that, the only way to do it is to decrypt the file
and compare.
  


If you wanted to be really sure that GPG didn't mess something else, try 
decrypting it with some other OpenPGP implementation.  If you're using 
perl, use Crypt::OpenPGP.  (And Text::Diff to do your diff, and 
File::Slurp to read in the files for Text::Diff :)


BTW, why are you encrypting these files anyway?  If someone broke into 
your computer they could just steal the crypto key too.


Regards,
Jonathan Rockway



Re: [Fwd: perl EUID change causing failure]

2006-07-31 Thread Jonathan Rockway
Might I suggest using a pre-implemented perl solution?

Crypt::OpenPGP:
http://search.cpan.org/~btrott/Crypt-OpenPGP-1.03/lib/Crypt/OpenPGP.pm
GnuPG::Interface: http://search.cpan.org/~ftobin/GnuPG-Interface-0.33/

And also, GPG, Mail::GPG, Crypt::GPG, or Mail::GnuPG.

http://search.cpan.org/search?query=gpg&mode=all

In other words, other people have already worked out the details, so why
not try one of those modules before fighting with something that's not
really worth your time?

Regards,
Jonathan Rockway


Marcel Chastain - Security Administration wrote:
 I have a perl wrapper around gpg for use within a web app. It changes
 its 'EUID' (Effective UserID) early in the script.
 From there, it attempts to run
 /usr/local/bin/gpg --list-public-keys

 My test script:
 #!/usr/bin/perl
 $ENV{'GNUPGHOME'} = '/home/username/.gnupg';
 my $uid = getpwnam('username');
 $> = $uid;    # $> is the effective UID (EUID)
 print `/usr/local/bin/gpg --list-public-keys`;

 The output:
 gpg: O j: ... this is a bug (gpg.c:1880:main)
 secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768

 (replace the word 'username' with a user on your system for testing
 purposes)
 Now, this *only* happens when setting the EUID. I can set the
 RealUID ($<) and things work perfectly.

 Does this have something to do with the code updates mentioned in the
 What's New section..? (
 http://lists.gnupg.org/pipermail/gnupg-announce/2006q2/000226.html )

 User IDs are now capped at 2048 bytes.  This avoids a memory
 allocation attack (see CVE-2006-3082).

 Running gnupg 1.4.4 compiled from ports, freebsd 4.11-STABLE .



 

 Subject: perl EUID change causing failure
 From: Marcel Chastain - Security Administration [EMAIL PROTECTED]
 Date: Wed, 26 Jul 2006 16:26:48 -0700
 To: [EMAIL PROTECTED]


 I have a perl wrapper around gpg for use within our company's internal
 control panel. It changes its 'EUID' (Effective UserID) early in the
 script.
 From there, it attempts to run
 /usr/local/bin/gpg --list-public-keys

 My test script:
 #!/usr/bin/perl
 $ENV{'GNUPGHOME'} = '/home/username/.gnupg';
 my $uid = getpwnam('username');
 $> = $uid;    # $> is the effective UID (EUID)
 print `/usr/local/bin/gpg --list-public-keys`;

 The output:
 gpg: O j: ... this is a bug (gpg.c:1880:main)
 secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768

 (replace the word 'username' with a user on your system for testing
 purposes)
 Now, this *only* happens when setting the EUID. I can set the RealUID
 and things work perfectly.

 Running gnupg 1.4.4 compiled from ports, freebsd 4.11-STABLE .

 



Re: AES 256 bit key generation

2006-08-11 Thread Jonathan Rockway
AES is a symmetric cypher, so you can use anything you want as the key,
although I'm pretty sure that you must never use the same key to encrypt
two different messages.  (See Initialization Vector.  I know this is
required for stream cyphers like RC4, but I'm not sure about block
cyphers like AES.)  If anything, using a different key every time
ensures that two identical messages encrypt to different cyphertexts,
which is a good thing.  Also be sure to read up on ECB / CBC.

You should probably look this up in the AES section of Applied
Cryptography before you deploy any code, though.

Regards,
Jonathan Rockway
 I want to create an AES key of size 256 bits. Is there any function in
 libgcrypt to generate an AES key?
 Now I am using libgcrypt random number generation to create an AES key.
 Is this correct?




Don't store your key on a flash drive! [was Re: GnuPG (GPG) Problem]

2006-08-19 Thread Jonathan Rockway
I would recommend that you don't do that.  What if you lose the drive? 
Then your private key is compromised.  Do you have a revocation
certificate in a safe location?  If not, you can't even tell anyone that
your private key has been compromised!  Not good!

The OpenPGP smartcard is a much safer option, since it will not give up
the private key (even if you have the password), and will lock itself
after 3 incorrect password attempts.  (And after 3 incorrect Admin PIN
attempts, it will destroy itself, which is pretty inconvenient for
someone trying to steal your key.)  Compare this to a pen drive that
will let anyone copy off the secret key and guess the passphrase on
their friendly local supercomputer cluster.

The other advantage is that if your card gets stolen, you *know* that
it's been stolen.  If you have your key lying around in your homedir
somewhere, someone could just make a copy of it, and you'd never know. 
With the OpenPGP card, if it's not in your hand, you can consider it stolen.

For $20, you can't go wrong.  Get an OpenPGP card and be happy :)

http://www.kernelconcepts.de/products/security-en.shtml

Regards,
Jonathan Rockway

Ismael Valladolid Torres wrote:
 John Clizbe writes:
   
 Just copy the keyring files.
 

 I store my private keyring and a public keyring containing only my
 public key on a pendrive, then in your gpg.conf:

 keyring /path/to/pendrive/pubring.gpg
 secret-keyring /path/to/pendrive/secring.gpg

 Using several different computers it works like a charm.

 Cordially, Ismael
   






Re: Don't store your key on a flash drive! [was Re: GnuPG (GPG) Problem]

2006-08-22 Thread Jonathan Rockway

 I am a smartcard programmer. Sure an OpenPGP card is just a standard
 smartcard with special elementary files in its filesystem. Could I
 make my own OpenPGP card from a common smartcard given I know its
 administrative codes?

Yup, that's what the Open in OpenPGP Smartcard means :) I'm not a
smartcard programmer, so I bought one instead.  If you'd like to make
OpenPGP smartcards and sell them, that would be great!

Regards,
Jonathan Rockway



Crypto Stick vs Smart Card Reader /w Pin Pad

2014-08-30 Thread Jonathan Brown
Is the crypto stick which is fully open source and open hardware more
secure than a Gemalto smart card reader with pin pad built in? Which of
these would make you more of a hard target and increase security.


Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-18 Thread Jonathan Schleifer
On 17.02.2015 at 17:00, Ville Määttä mailing-li...@asatiifm.net wrote:

 Upstream still does have the issue which now seems to have been fixed in the 
 fork but in a binary removed from upstream…

I really can not confirm this. I am running vanilla GnuPG 2.1.2 (built from 
source) on Yosemite (10.10.2 to be exact) with a Gnuk without any problems.

In any case, I agree about the part that such fixes should be developed in the 
GnuPG repo and not in basically a fork that receives less reviewing.

 I think the GUI tooling of not only Mac but other *NIX systems to be quite an 
 important factor in getting wider use for encryption. Such tools must be from 
 a respectable source and properly implemented just as much as the underlying 
 engine. I would argue GnuPG should take the responsibility of such tooling 
 where there isn’t a good option. Other *NIX systems are doing fairly well 
 already so I suppose a Mac GUI would really be the urgent one.

I suppose it might be a good idea to have a Qt GUI. That looks native enough on 
Mac so that most users won't complain, works good on X11 or Wayland based 
systems and also works well on Windows. Ideally, this would be a project under 
the GnuPG umbrella, but ideally not taking away time from core developers and 
thus be done by others. It also is not that security critical if it's just a 
GUI using the command line tool.

--
Jonathan




Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-18 Thread Jonathan Schleifer
On 17.02.2015 at 14:31, Werner Koch w...@gnupg.org wrote:

 GnuPG's speedo build system also downloads stuff via the Makefile but it
 verifies the checksums before proceeding. The checksums are taken from a
 public file which has a detached signature and the public key for that
 is one of the GnuPG release signing keys.

While this is much better from a security point of view, it still means that 
building needs an internet connection. It would be nice to be able to build it 
on an air-gapped machine, which I guess is quite a common use case for GnuPG.

To be fair, though, I never noticed that until you mentioned it :).

--
Jonathan
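
The verify-before-run step from the quoted message, as an added example (not GnuPG's speedo code and not from either poster), working from a checksum list that is already on disk so it needs no network. The list format, file names and exit codes are assumptions, and the list's detached signature is assumed to have been checked with gpg --verify beforehand.

```shell
#!/bin/sh
# Added example: run a pre-fetched build helper only if its SHA-256 matches a
# pinned list. File names, list format and exit codes are assumptions.

# Print the SHA-256 of a file as lowercase hex (sha256sum, or shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# lookup_pinned SUMS NAME: print the digest pinned for NAME in a text-mode
# "<hex digest>  <file name>" list; fail if NAME is absent or listed twice.
lookup_pinned() {
    awk -v want="$2" '$2 == want { print $1; n++ } END { exit (n == 1 ? 0 : 1) }' "$1"
}

# verify_file SUMS FILE
#   0 = digest matches, 1 = mismatch, 2 = unreadable input, 3 = not pinned
verify_file() {
    sums=$1 file=$2
    [ -r "$sums" ] && [ -r "$file" ] || return 2
    expected=$(lookup_pinned "$sums" "$(basename "$file")") || return 3
    actual=$(sha256_of "$file") || return 2
    [ "$expected" = "$actual" ] || return 1
    return 0
}

# run_verified SUMS SCRIPT [ARGS...]: execute SCRIPT only after it verifies.
run_verified() {
    sums=$1 script=$2
    shift 2
    verify_file "$sums" "$script" || {
        rc=$?
        echo "refusing to run $script: verification failed (code $rc)" >&2
        return "$rc"
    }
    sh "$script" "$@"
}

# Constructed demo: pin a helper script, run it, then modify it and try again.
work=$(mktemp -d)
printf 'echo "helper ran"\n' > "$work/prepare-core.sh"
printf '%s  %s\n' "$(sha256_of "$work/prepare-core.sh")" prepare-core.sh > "$work/SHA256SUMS"
run_verified "$work/SHA256SUMS" "$work/prepare-core.sh"
printf 'echo "injected"\n' >> "$work/prepare-core.sh"
run_verified "$work/SHA256SUMS" "$work/prepare-core.sh" || echo "blocked as expected"
rm -rf "$work"
```

The check is only as trustworthy as the checksum list, which is why the list itself has to come from a signed source.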


Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-18 Thread Jonathan Schleifer
On 17.02.2015 at 14:22, Werner Koch w...@gnupg.org wrote:

 I do not think that it matters whether you pull using the git or the ssh
 protocol.  In both cases an active attacker can intercept the traffic
 easily.  Virtually nobody checks ssh host keys and how should they do it
 given that I can't find its fingerprint easily on github.  Thus you would only
 see the host key changed warning in case this is not the first time
 you connected to this github project (I assume they use different host
 keys per project). 

I do verify the fingerprint, and they are quite easy to find actually:

https://help.github.com/articles/what-are-github-s-ssh-key-fingerprints/

First Google match for GitHub SSH fingerprint.

 After all it is not different from downloading tarballs - only 10 to 20%
 of all downloads also download the signature file and for most projects
 there is no signature file.

Well, I guess you have to take into account that a lot of downloads are from 
packaging software like pkgsrc, FreeBSD ports, Gentoo portage, ArchLinux's 
makepkg, etc. Usually, these do download the signature and tarball once, verify 
it and then write a checksum to the Makefile / PKGBUILD / however it is called 
that is then verified. So I guess you can't easily map that to Only x% of 
users check the downloaded tarball. I guess it's a lot more, it's just not all 
check it using the .sig.

 For gnupg.org we assume that users of the repos closely watch out for
 conflicts and verify the latest release tag.  If there is a problem that
 should be reported to a mailing-list (after verification that it is
 really a conflict).
 
 git meanwhile allows to sign commits.  If anyone knows a method to set a
 different key for tagging and commits, I would soon start to sign each
 commit.  I use a smartcard based key for tagging but won't use that for
 regular commits.

git commit -S<keyID>

You can just create an alias for that, I for example use git ci.

--
Jonathan




Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-18 Thread Jonathan Schleifer
On 17.02.2015 at 14:58, Sandeep Murthy s.mur...@mykolab.com wrote:

 FYI I think you haven’t really looked at the support forum.  This page
 
 http://support.gpgtools.org/kb/faq/found-an-issue
 
 clearly lists instructions for submitting a bug.  They are always interested
 in reproducible issues, and every week in the discussions such issues
 are reported.
 
 Therefore it is not true that this support forum does not allow people to
 report bugs.

I looked for this a month ago and couldn't find anything besides a support 
forum (didn't sound right to me) and a Twitter handle, thus I decided to try 
Twitter.

--
Jonathan




Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-18 Thread Jonathan Schleifer
On 17.02.2015 at 20:16, Juergen Fenn schneeschme...@googlemail.com wrote:

 Enigmail has discussed recently to drop support for GnuPG1, making
 gpg-agent/pinentry a crucial issue on the Mac. The standard version of
 pinentry from MacPorts does not work properly out of the box.

For homebrew, there's a pinentry-mac formula, which unfortunately also does the 
remote code execution. I raised the issue with homebrew, however, most posts in 
that ticket were deleted because some people started questioning the review 
process of new formula and asked how this could even have gotten into homebrew.

The solution I chose is an ugly, but more secure one: I use pinentry-gtk with 
XDarwin. Sure it's ugly, even more so since it is upscaled on a retina display. 
But it's only for entering the PIN / passphrase, so I'd rather use that than 
pinentry-mac. I did not choose pinentry-curses because that didn't work well 
with signing Git commits.

 Anyway, alternatives should be mentioned on the GnuPG pages because—I
 agree to the OP—this is too important an issue, GnuPG also being used
 by  many people who seriously depend on its security.

I totally agree. There should at least be a big fat warning, saying to not use 
it if you really depend on security.

 The question is, can we use GnuPG on the Mac and rely on it?

I'd say yes. I'm using GnuPG 2.1.2 vanilla with a Gnuk token and don't see why 
it should be any less reliable than on Linux.

--
Jonathan


Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-18 Thread Jonathan Schleifer
On 17.02.2015 at 22:32, Lukas Pitschl luk...@gpgtools.org wrote:

 The best way to reach us is either our support platform at 
 https://gpgtools.tenderapp.com or t...@gpgtools.org.

When I tried contacting you guys a little more than a month ago, there was no 
e-mail to be found on the website. Only a support forum that sounded like 
Users helping users (so I didn't want to report the bug there) and a Twitter, 
which I then used. Can you please make sure it's easy to find that mail address?

 The code that checks out our GPGTools_Core repository is pretty old already 
 and it’s certainly a stupid way to do it.

It's not so much about age, but about what thought process came to the 
conclusion that this might be a good idea. This is a security project, so every 
change done should be done with thoroughly thinking about the security 
implications that change might have. This was clearly not done here, and IMHO 
downloading and executing remote code without any verification is unforgivable 
for a security project.

 At  the time we assumed that it was safe to check it out via ssl from github, 
 since curl would refuse to do so if there was a certificate error.

This entirely depends on the certification store curl has and the 
configuration. Granted, the defaults on OS X are sane. But still, this relies 
completely on GitHub not being compromised. And it was only quite recently that 
someone managed to get write access to repos due to a bug in GitHub. How can 
someone blindly trust and rely on a service they can neither control nor audit 
for the security of their users in a security project? This is just extremely 
irresponsible.

And even worse: Why did you decide to hide what is going on by prefixing it 
with a @? This really feels like you are trying to deceive users, hiding from 
them that they execute remote code that you could change at any moment. Worse 
yet, you could later on switch it back and nobody would notice. This feels a 
lot like a hidden backdoor to me.

 we will only charge a fee for GPGMail, the rest of GPG Suite will remain free.

Actually, I'm all for you charging a fee. That will create enough pressure for 
a fork that will then hopefully have better security practices.

--
Jonathan


Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-16 Thread Jonathan Schleifer
Hi!

I hereby request that MacGPG gets removed from gnupg.org due to serious 
security concerns. Basically, the first thing the Makefile in all their repos / 
tarballs does is this:

@bash -c "$$(curl -fsSL https://raw.github.com/GPGTools/GPGTools_Core/master/newBuildSystem/prepare-core.sh)"

So you type make not expecting anything bad (you verified the checksum and 
everything), but you just executed remote code. Great. And they even hide it 
from you by prefixing it with @, which is downright evil. So you never notice 
unless you look at the Makefile. Currently, that script clones another common 
repo using the unverified git:// protocol (because, why use submodules if you 
can do it in an insecure way?), but obviously, that can change any minute and 
could change just for certain IPs etc.

The developer(s) don't allow any issues on GitHub, so I tried contacting them 
by other means (e.g. Twitter), only to get ignored. They clearly don't care 
about security.

In any case, somebody who does something like this clearly doesn't care about 
security the least. The potential for backdoors is extremely high and I think 
nobody should be using any software written by this developer / these 
developer(s), as they clearly demonstrated that they couldn't care less about 
your security.

I don't feel comfortable that the majority of Mac users are using this software 
which doesn't care for security at all, but is used for extremely security 
sensitive tasks. I guess this is because gnupg.org recommends it and therefore 
people think it's safe. I think gnupg.org should do the contrary instead and 
strongly discourage using it.

--
Jonathan
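
A way to catch this kind of recipe before typing make, as an added example (not from the post and not from either project): it scans a Makefile for recipe lines that hand a download straight to a shell and reports whether the leading @ would have kept make from echoing them. The two patterns are a heuristic, and the sample Makefile and its example.invalid URLs are constructed.

```shell
#!/bin/sh
# Added example: flag Makefile recipe lines that feed a download to a shell,
# and say whether make would echo them. The patterns are a heuristic.

# audit_makefile FILE
#   Prints one "LINE:visible|silenced:COMMAND" record per finding.
#   Returns 1 if anything was flagged, 0 if the file is clean.
audit_makefile() {
    awk '
    function flush(   body, echoed) {
        if (buf == "") return
        body = buf; buf = ""; echoed = "visible"
        sub(/^[ \t]+/, "", body)
        # Recipe prefixes: "@" stops make from echoing the command,
        # "-" ignores errors, "+" runs even under "make -n".
        while (body ~ /^[-+@]/) {
            if (body ~ /^@/) echoed = "silenced"
            body = substr(body, 2)
            sub(/^[ \t]+/, "", body)
        }
        # Form 1: curl/wget ... | sh      Form 2: sh -c "$(curl ...)"
        if (body ~ /(curl|wget)[^|;]*\|[ \t]*(sudo[ \t]+)?(ba|z|k)?sh([ \t]|$)/ ||
            body ~ /(^|[^a-z])(ba|z|k)?sh[ \t]+-c[ \t]+.?\$+\((curl|wget)[ \t]/) {
            printf "%d:%s:%s\n", start, echoed, body
            hits++
        }
    }
    {
        if (cont && active) {
            buf = buf " " $0                 # continuation of a recipe line
        } else if (!cont) {
            flush()
            active = ($0 ~ /^\t/)            # recipe lines start with a TAB
            if (active) { buf = $0; start = NR }
        }
        cont = ($0 ~ /\\$/)
        if (active) sub(/[ \t]*\\$/, "", buf)
    }
    END { flush(); exit (hits > 0 ? 1 : 0) }
    ' "$1"
}

# write_sample PATH: constructed Makefile with three risky recipes (lines 3, 4
# and 8) and two harmless ones (an echo and a plain download to disk).
write_sample() {
    printf 'all: prepare build\nprepare:\n' > "$1"
    printf '\t@bash -c "$$(curl -fsSL https://example.invalid/prepare-core.sh)"\n' >> "$1"
    printf '\tcurl -fsSL https://example.invalid/install.sh | sh\n' >> "$1"
    printf 'build:\n\t@echo building\n' >> "$1"
    printf '\tcurl -fsSLO https://example.invalid/src.tar.gz\n' >> "$1"
    printf '\t@wget -qO- https://example.invalid/setup.sh \\\n' >> "$1"
    printf '\t    | bash -s -- --prefix=/opt\n' >> "$1"
}

# Run the audit on the constructed sample.
sample=$(mktemp)
write_sample "$sample"
audit_makefile "$sample" || echo "findings above: read these recipes before running make" >&2
rm -f "$sample"
```

Running make -n beforehand also prints recipes that @ would hide, without executing them, except for lines marked with + or containing $(MAKE).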




Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-17 Thread Jonathan Schleifer
On 17.02.2015 at 07:53, Sandeep Murthy s.mur...@mykolab.com wrote:

 I'm guessing because you need an SSH key at GitHub in order to pull via SSH. 
 Yet another problem solved by git modules.
 
 Still, they could have at least changed it to https.
 
 GitHub supports pull/push via SSH or HTTPS therefore you can do this too with 
 MacGPG (2)
 or any GitHub repo.

Well, for SSH, you need a key, but for HTTPS, you don't, so they could have 
used that. However, git submodules solve the problem completely, as you can use 
relative paths. So it uses whatever you used to check out the initial repo.

 There must be lots of MacGPG users and most of them probably use the GPG
 suite, because it is GUI based (also more user friendly, unlike GnuPG) and it
 would not be fair on them to unilaterally remove the link to GnuPG or to 
 receive
 some kind of security warning without raising the issues you mention with
 the people who are actively developing and maintaining the source.

I disagree. The developers are not capable of writing secure software, as 
demonstrated (several times even, it seems). It would be best to advise to 
never use that at all and then write new software, if there's demand for it. 
It's sometimes better to not use something than to use something untrustworthy. 
For security products, this is especially true.

--
Jonathan




Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-19 Thread Jonathan Schleifer
On 19.02.2015 at 20:08, Werner Koch w...@gnupg.org wrote:

 Because I have to enter the PIN every time (right, I do this on purpose),
 the RSA signatures are long, and I do not keep my signing key card
 inserted all the time.  In fact I have to walk out of the office to pick
 it up.

Another approach is to not sign them when working on it and only signing them 
before pushing using git rebase. I do agree that it's sometimes annoying to 
always plug it in and out again.

 ps. Here is the key I started to use for commits.
 
 pub   ed25519/E3FDFF218E45B72B 2015-02-18 [expires: 2025-02-15]
  Key fingerprint = C1D3 4B69 219E 4AEE C0BA  1C21 E3FD FF21 8E45 B72B
 uid   [ unknown] Werner Koch (wheatstone commit signing)

+1 for choosing Ed25519! (I did the same because I didn't want commits to be 
huge).

As most keyservers still don't support Ed25519 keys, I guess it's worth 
pointing out that you can get the key with --keyserver keyserver.mattrude.com.

Btw, does this mean that basically Ed25519 keys are stable enough now and won't 
change anymore?

--
Jonathan


Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-16 Thread Jonathan Schleifer
On 17.02.2015 at 00:53, Hugo Osvaldo Barrera h...@barrera.io wrote:

 It is true that there's a pretty big security hole there with git clone
 git://github.com..., since any malicious attacker can intercept that
 communication. There's no checksumming or anything to make this difficult *at
 all*.

Well, this is only checking out the code. While I agree that this is dangerous, 
the curl | sh paradigm is even more dangerous.

 What *does* surprise me is that there's a commit to specifically remove git+ssh
 in favour of insecure ssh. There's no comment on why that was done either:
 
 https://github.com/GPGTools/GPGTools_Core/commit/5186bade36acedfdc0b76f9f5ddfcfc004ec698b

I'm guessing because you need an SSH key at GitHub in order to pull via SSH. 
Yet another problem solved by git modules.

Still, they could have at least changed it to https. 

 However, I'd recommend that you go over the proper support channels first
 (rather than merely twitter) before asking that references to the project are
 deleted.
 
 As stated on https://gpgtools.org/:
 
   Please report any issues you find on our support platform.
 
 Which points to http://support.gpgtools.org/.

Well, I think there's enough evidence that they do not know how to do things 
securely. It has even been pointed out in this thread that this is not the 
first time there are serious security problems. It feels like they are actively 
trying to make it insecure, because they do things that normally nobody working 
on a security product would even consider.

Please consider this: GnuPG is a security product. People's lives might depend 
on it. They might have heard that GnuPG is secure and think they are safe since 
even Snowden uses it. They go to gnupg.org and then download MacGPG. That's 
dangerous and there's no way for them to know unless they go check the source.

As a matter of fact, I compromised one of my machines by checking out one of 
the MacGPG tools, checking the checksum of the downloaded tarball and then 
typing make. I did not realize it executed remote code (twice even, the curl 
and the git checkout, on which make is also run later on). They even actively 
hide the fact, which makes it even worse. Should gnupg.org really endorse that?

--
Jonathan




Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-16 Thread Jonathan Schleifer
On 17.02.2015 at 00:16, Sandeep Murthy s.mur...@mykolab.com wrote:

 I think this is an exaggeration.  I have been using MacGPG and the
 GPG Tools support forum for quite some time, and have brought a
 number of issues to their attention, including a couple of security
 related ones, like making their key fingerprints more visible.

On the one hand, you think it's an exaggeration, on the other, you can list 
even more examples. I mean, they don't even do the most basic security 
practices which are common in basically all projects these days, even 
non-security related projects. And we're talking about a security related 
project here! If someone clearly demonstrates even lack of the most basic 
security measures, why should that someone be trusted with way more complex 
stuff? You listing they had problems in the past basically only strengthens the 
argument that they are not to be trusted and should not be endorsed.

 They do care about security and are very responsive to posts on the
 GPG Tools support forum

Really? Somebody caring about security executing remote code? Rather than using 
git submodules (which exist for how many years?), they prefer executing remote 
code that then downloads more code using an unverified channel. This can't be 
just laziness (using git submodules is less work), but looks like somebody even 
put a lot of effort into failing at security. How can you call that caring 
about security? If you'd argue they care a lot about being insecure, I'd agree 
though, because they actually seem to put a lot of effort into that…

 http://support.gpgtools.org/

If you are a security project, you should be thankful for people reporting 
bugs, not trying to make it as hard as possible to report a serious bug. This 
looks like more of a users help users forum kind of thing, nothing where you 
would want to report a bug.

--
Jonathan


Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-20 Thread Jonathan Schleifer
Great to see that you are planning on trying to bring things into shape so they 
can get upstreamed.

Might I suggest that you start with pinentry? Currently, you import an old 
pinentry release and then build a lot of things around it. It would be really 
helpful if you could instead create a new subdirectory cocoa and do it like the 
other pinentries. That would allow to review it more easily (only the new 
directory needs to be reviewed) and would allow upstreaming it. I think that 
would be a lot more helpful than having a pinentry-mac fork.

--
Jonathan


Re: Whishlist for next-gen card

2015-02-20 Thread Jonathan Schleifer
On 20.02.2015 at 09:32, NdK ndk.cla...@gmail.com wrote:

 1 - support for more keys (expired ENC keys, multiple signature keys)

And maybe for storing a certification key with a different PIN.

 5 - possibility to export private keys to user-certified devices

That pretty much defeats the point of using a smart card in the first place.

 6 - like in Yubikey NEO, a physical button to authorize some operations
 can be useful (certification, signature, NFC PIN-less auth)

That would be a pretty useful thing, but require you to trust the card reader. 
This, however, would really make sense on the Gnuk and I guess you could even 
do that without changing the spec.

--
Jonathan




Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-18 Thread Jonathan Schleifer
On 17.02.2015 at 15:14, Hugo Osvaldo Barrera h...@barrera.io wrote:

 Actually, I've noticed that there was a very quick reply to this when it was
 brought to the dev's attention. I'll leave this here for anyone else 
 interested
 in following-up:
 
  
 https://github.com/GPGTools/GPGTools_Core/commit/5186bade36acedfdc0b76f9f5ddfcfc004ec698b
 
 I'm not aware of any track record of writing bad software in the past either -
 I believe they're just human.

A user complained, so we'd rather use something insecure.

This is not the correct mindset to develop security software!

Also, the new way they solve it ignores the proposal to use git submodules 
entirely, not even stating why they don't want to use git submodules. But that 
at least is not a security problem, so I don't have strong feeling about this 
:).

--
Jonathan




Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-19 Thread Jonathan Schleifer
On 18.02.2015 at 15:57, Werner Koch w...@gnupg.org wrote:

 git commit -S keyID
 
 You can just create an alias for that, I for example use git ci.
 
 I know that but I would like to have a different key for tag and commit.
 Requiring an option is just too cumbersome.

I don't really see how that is cumbersome if you have an alias for tag and for 
commit that each specify the key you want?

As an aside, what's the reason for not signing the commits with the key on the 
card? I sign all my commits with the key stored on my Gnuk. What is kinda 
annoying though is if you set commit.gpgsign = true, as it will then even sign 
git stash etc. and ask you to enter the PIN all the time. Which is why I have 
an alias git ci for git commit -S, as I only want to sign commits, not 
temporary state.

--
Jonathan




Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-19 Thread Jonathan Schleifer
On 18.02.2015 at 16:05, Werner Koch w...@gnupg.org wrote:

 I also do this often to avoid cluttering the screen.  No need to assume
 a backdoor.  It is for a Mac and Mac users want a clean tty ;-)

I also like @ to hide useless output, but is downloading *and executing* from a 
remote location really something you should hide? Especially if everything else 
isn't hidden?

--
Jonathan




Re: Trezor - Could this be the model for a PGP crypto device?

2015-03-10 Thread Jonathan Schleifer
On Tue, 10 Mar 2015 13:35:27 +0900, NIIBE Yutaka gni...@fsij.org wrote:

 Confirmation push button would be a good idea, and I have been
 considering how we can enhance the OpenPGPcard specification so that
 we could do something like that for future implementation(s).

Does this really need to be part of the specification? For example, the Gnuk 
could just delay signing / decryption / authentication until the button has 
been pressed and return an error if it doesn't get pressed within a certain 
amount of time.

-- 
Jonathan




Re: gpg in a cybercafé

2015-03-10 Thread Jonathan Schleifer
On Thu, 05 Mar 2015 22:27:36 +, flapflap flapf...@riseup.net wrote:

 The current version (1.3) of Tails comes with GnuPG 1.4.12.

That's just not true. Not only is the gpg2 command available, but the change 
log even explicitly states that GnuPG 2 was added to improve smartcard support.

--
Jonathan




Re: strength of voice authentication [was: Re: German ct magazine postulates death of pgp encryption]

2015-03-02 Thread Jonathan Schleifer
On Mon, 02 Mar 2015 22:24:45 +0100, Johan Wevers joh...@vulcan.xs4all.nl 
wrote:

 For once, I've never heard of the police
 trying something like this to obtain confessions or information: the
 chance of failure in an individual case are too big.

I'm guessing the reason is more that this would be a legal mine field and most 
likely completely useless in court.

-- 
Jonathan




Re: gpg in a cybercafé

2015-03-05 Thread Jonathan Schleifer
On Wed, 04 Mar 2015 14:29:47 +0300, Robert Deroy robert.de...@mail.ru wrote:

 How could i do for use gpg on a usb key, because i have no computer, i only 
 go in cybercafé.
 
 I want to use the last version, 2.1.1, with gpa.

I would recommend to boot off a Tails USB stick, as everything else would be 
way too risky in a public place. Don't even think about just running the 
executable on some system! Tails is - as far as I know - the only system 
designed to still provide security in the environment of a café. It goes so far 
as to try to wipe the memory when you shut down.

And here's the catch: It comes with GnuPG - but GnuPG 2.0.x AFAIK. Are you 
positive you absolutely need 2.1? The main reason to require 2.1 is to use ECC, 
I guess.

--
Jonathan




Re: German ct magazine postulates death of pgp encryption

2015-03-01 Thread Jonathan Schleifer
On Mon, 2 Mar 2015 00:13:07 +0100, Ingo Klöcker kloec...@kde.org wrote:

 On what kind of hardware? A high-end gamer PC? Or a low end mobile phone?

According to the paper, the goal is to take 4 minutes on an average PC and that 
it shall be adjusted according to hardware improvements.
 
 There are much larger bot nets, e.g the ramnit bot net apparently controlled 
 3.2 million (!) machines (see http://heise.de/-2559388, in German). And with 
 regard to providers not accepting those mails you seem to be missing that the 
 bots simply (ab)use the mail accounts of the bot owners.

Abusing mail accounts only works if they are mail accounts with crappy hosts. 
Sane providers will block your account if you start sending 100 mails in 1 
minute ;).

 Of course, 800,000 spam messages per minute is still many magnitudes less 
 than 
 now.

The question is if that would still be profitable for spammers. Currently, they 
just send their spam to millions of addresses hoping that one of them is stupid 
enough to fall for it. They can do that because it's cheap. But if sending 
isn't cheap, sending to millions to just get one idiot who falls for it isn't 
an option anymore.

 I don't see BitMessage killing spam. But it will surely kill mailing lists.

It would just need to be extended to groups. The protocol is not set in stone.

In any case, I'm not suggesting we all switch to BitMessage. I'm just saying 
this is going in the right direction.

-- 
Jonathan




Re: German ct magazine postulates death of pgp encryption

2015-03-01 Thread Jonathan Schleifer
On 01.03.2015 at 23:25, Ingo Klöcker kloec...@kde.org wrote:

 And most spam is sent by bots. The spammers don't really care how much
 energy the bots burn. Yes, the amount of spam might decrease because
 the bots cannot hammer out that many bitmessages as SMTP messages per
 second, but your hypothesis that BitMessage would get rid of spam is
 unrealistic.

I don't really agree with that. The goal is that the proof of work for a
single message takes 4 minutes. At that rate, sending spam really is not
profitable. In 4 minutes, spammers can currently send hundreds of
thousands of mails. At that rate, they can afford to send it to every
address they can find. With only one mail per machine every 4 minutes,
they really need to be careful where to send it. Let's assume they have
1 machines (which is unrealistic - most machines are behind a dialup
connection from which no provider will accept mail). That's only 2500
mails a minute. If global spam were just 2500 spam messages a minute,
spam would hardly be a problem.

--
Jonathan


Re: German ct magazine postulates death of pgp encryption

2015-03-01 Thread Jonathan Schleifer
On 28.02.2015 at 14:12, Peter Lebbing pe...@digitalbrains.com wrote:

 On 28/02/15 14:06, Ralph Seichter wrote:
 but PGP does not work for mass e-mail protection
 
 Let me stress again that the proper course might be to replace SMTP (e-mail) 
 and
 then work from that. If you have a sieve and wish for something to hold 
 liquids,
 you could plug up all the holes or say Blow this for a lark and get a pan.

You mean like BitMessage https://bitmessage.org/bitmessage.pdf?

I think it's the only replacement for mail with cryptography from the start. It 
gets rid of the whole public / private key problem and also gets rid of spam by 
requiring a proof of work to send something.

--
Jonathan




Re: trust paths

2015-03-01 Thread Jonathan Schleifer
On 28.02.2015 at 19:15, Johan Wevers joh...@vulcan.xs4all.nl wrote:

 I'm not talking about mathematically proving something. After all, a
 government agency could make a false key with Werner Koch's name on it
 and send someone who looks like him with real ID documents to a
 keysigning party. Government-issued ID's are no mathematical proof either.

FWIW, you don't even need to be a government for that. And you don't need to 
look like Werner. Some document looking like a government issued ID showing a 
picture of you with Werner's name will most likely be enough to fool everyone 
who doesn't know Werner personally to sign this fake key.

 If the key was only on the keyservers, sure, then even I could do that
 myself easily. But I'm talking about keys on places where it is unlikely
 anyone has write access to, like the gnupg website or as a signature in
 mailinglist messages. Sure, it could be spoofed - but only a short time
 before it get noticed.
 
 It would not be the first time I read about a spoofed gpg key on a Linux
 distro server when the server was hacked. The attack works - but not for
 long.

You are assuming it will be spoofed for everyone. It could just be spoofed for 
you. Anybody who can MITM you and give you a fake SSL cert that you accept 
(i.e. every government on the planet, a lot of companies and even some 
individuals) can give you something spoofed and you would not notice. And there 
would be no outcry about spoofed keys, because it's just you being affected.

--
Jonathan


Re: German ct magazine postulates death of pgp encryption

2015-03-01 Thread Jonathan Schleifer
On 01.03.2015 at 17:45, MFPA 2014-667rhzu3dc-lists-gro...@riseup.net wrote:

 and also gets rid of spam
 by requiring a proof of work to send something.
 
 Surely, proof of work is evidence of performing some otherwise
 unnecessary CPU cycles. This wastes energy. In a system used by
 billions of people, lots of energy.

That wasted energy is a lot less than the energy we currently waste on spam, 
especially if you take into consideration the amount of human time wasted. The 
majority of the e-mail traffic is used up by spam.

--
Jonathan




Re: Integrate pinentry-mac into pinentry

2015-02-22 Thread Jonathan Schleifer
On 22.02.2015 at 13:17, Roman Zechmeister me...@gpgtools.org wrote:

 1. On Mac OS X it's standard to use Xcode for builds and we're using it for 
 pinentry-mac and all of our other tools.
 Is it okay for you, if we're using an Xcode-Project and Xcode, instead of 
 plain automake, to build pinentry for Mac OS X?

I've seen a lot of projects where the Mac-specific part is nicely integrated 
into automake. The huge disadvantage of Xcode project files is that they are 
huge, can't make much use of the results from configure which often results in 
basically needing a different .xcproj file per combination of OS version and 
architecture (or at least different targets) and do not support cross-compiling 
at all. automake OTOH has none of these problems and is hardly any more work. 
Plus it's possible to edit build rules with an editor instead of a GUI that is 
only available for OS X. Oh, and then of course there's the problem that it's 
not possible to do reproducible builds with .xcproj files!

I think Walter mentioned that he never touched OS X, so I'm guessing he'd 
prefer something that he can read and modify ;).

 4. pinentry-mac allows the calling app to define a custom message to show.
 This is implemented using PINENTRY_USER_DATA. We allow placeholders like 
 %KEYID and %USERID.
 To fill the placeholders, we parse the description from pinentry. This works 
 in the most cases.
 The reason for this feature is, to allow some more informative and readable 
 messages. e.g. We can tell the
 user for which email/file, he enters the passphrase.
 What do you think about that? Is this a desirable feature for pinentry?

Hm, this sounds good at first, but after some thought, there are several 
issues. This could be used to trick the user into thinking he's doing the right 
thing when in fact he's not. What if you just don't use %KEYID, but write 
another key ID there that the user expects, when in fact you sign for something 
else? I think it would be better to have a dialog that shows all these 
information and then maybe a free form text for the justification, where no 
replacing takes place?

 5. Using PINENTRY_USER_DATA we also allow to set a custom icon to be shown, 
 like the standard
 Mac OS X security dialog. Opinions?

I can't think of any problem with that and this sounds indeed like a good 
addition.

--
Jonathan




Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-21 Thread Jonathan Schleifer
On 20.02.2015 at 11:48, Lukas Pitschl luk...@dressyvagabonds.com wrote:

 Pinentry-mac is one project we’ve „revived“ and thus only added stuff on top 
 of the old code instead of refactoring it.
 We’ve been planning to do that for a long time now though, so we’ll 
 definitely look into that and check out how other UIs do it, like GTK.

It seems there's http://github.com/GPGTools/pinentry now, which is based on the 
original pinentry. Unfortunately, as of now, it's just one huge commit on top 
of it. Still, I did a *very* quick review (so don't blame me if I overlooked 
something :P) and left a few comments.

--
Jonathan




Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-08-23 Thread Jonathan Schleifer
Sorry for reviving this old thread. But since you guys still don't accept bug 
reports (why?!)…

I'm not sure whether this is better or worse than the old situation, but now 
you include an unsigned binary in your tree that is executed as part of the 
build process. Nowhere can be found what this binary does or from which sources 
it has been built. This is at least as bad as executing remote code. Can you 
please explain why you do this, or why you thought this would be a good idea 
after that long discussion on how important security is for a security product?

--
Jonathan


Re: GnuPG public key vulnerability?

2017-10-31 Thread Jonathan Millican
Hi Murphy,

This email refers to the ROCA vulnerability (https://crocs.fi.muni.cz/
public/papers/rsa_ccs17), which affects a number of hardware devices
including some versions of the Yubikey 4-nano (https://www.yubico.com/
keycheck/). I believe Yubico are offering to replace affected Yubikeys.

One aspect of this vulnerability is that RSA public keys can be very easily
checked to determine if they are vulnerable - so at Facebook, we checked
the public keys that have been uploaded to people's profiles, and notified
people whose keys are affected. Unfortunately it seems like you were one of
the unlucky ones! Details here: https://www.facebook.com/
protectthegraph/posts/1954548564785285.

Hope that helps,
Jon

On 1 November 2017 at 00:10, murphy  wrote:

> I got a signed notification from facebook (good signature, enigmail)
> that claims my GnuPG generated public key has a "recently disclosed
> vulnerability".  This is the full text:
>
> We have detected that the OpenPGP key on your Facebook profile may be
> susceptible to attacks due to a recently disclosed vulnerability.  We
> recommend that you revoke and replace your public key immediately to
> minimize the risk to your encrypted communications.  You can update your
> public key by visiting your Security and Login settings.  To help reduce
> the risk of your key being attacked, we have set the privacy of your
> potentially vulnerable public key on your profile to "Only Me" to limit
> further distribution.  We will continue to encrypt your notification
> emails using this OpenPGP public key.
>
> This is doubly weird since the private/public key was generated on a
> Yubikey-4 nano and it is safe at home.  Does anyone know what this may
> be about?
>
> Facebook public key (it is valid, see:
> https://www.facebook.com/notes/protect-the-graph/
> securing-email-communications-from-facebook/1611941762379302/):
>
> pub   rsa4096 2015-05-17 [SC] [expires: 2018-05-17]
>  31A70953D8D590BA1FAB37762F3898CEDEE958CF
> uid   [  full  ] Facebook, Inc.
> sub   rsa4096 2017-07-24 [S] [expires: 2018-02-19]
>
> My public key is uploaded to keyservers and is:
>
> pub   rsa4096 2016-10-17 [SC] [expires: 2018-10-17]
>  D89A29A3E1DA59DFBF516EA73E450D1BCF78C26B
> uid   [ultimate] orange
> uid   [ultimate] Murphy Chesney (facebook communication)
> 
> sub   rsa4096 2016-10-17 [A] [expires: 2018-10-17]
> sub   rsa2048 2016-10-17 [E] [expires: 2018-10-17]
>
> Murphy
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
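
The check that the reply above describes as easy to run on a public key, as an added example that is not part of the original message and is not Facebook's or Yubico's code: the ROCA fingerprint tests whether the RSA modulus, reduced modulo each of a set of small primes, lies in the subgroup generated by 65537. The generator and the prime list follow the public description of the fingerprint and are not taken from this thread; both sample moduli are constructed.

```python
from fractions import Fraction
from math import prod

GENERATOR = 65537
# Odd primes up to 167 (assumption: the set used by the public fingerprint test).
SMALL_PRIMES = [
    3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71,
    73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151,
    157, 163, 167,
]


def generated_residues(prime):
    """Set of residues {GENERATOR**k mod prime}: the subgroup generated by 65537."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * GENERATOR) % prime
    return seen


ALLOWED = {p: generated_residues(p) for p in SMALL_PRIMES}


def rejecting_primes(modulus):
    """Small primes whose residue test the modulus fails (empty = fingerprint present)."""
    return [p for p in SMALL_PRIMES if modulus % p not in ALLOWED[p]]


def has_roca_fingerprint(modulus):
    """True if the public modulus passes the residue test for every small prime."""
    return not rejecting_primes(modulus)


def chance_random_modulus_passes():
    """Probability that a modulus with uniformly random nonzero residues passes by chance."""
    return prod(
        (Fraction(len(ALLOWED[p]), p - 1) for p in SMALL_PRIMES),
        start=Fraction(1),
    )


# --- Constructed sample moduli (not real keys) ---------------------------
M = 2 * prod(SMALL_PRIMES)


def constructed_structured_factor(k, a):
    """A number of the affected form k*M + (65537**a mod M); k and a are arbitrary."""
    return k * M + pow(GENERATOR, a, M)


# The factors below are not prime: only the residues matter for the check.
STRUCTURED_MODULUS = (
    constructed_structured_factor(0x1F3A5C7E91, 1234567)
    * constructed_structured_factor(0x1B2D4F6A83, 7654321)
)
# Product of two Mersenne primes, standing in for an ordinary modulus.
ORDINARY_MODULUS = (2**61 - 1) * (2**89 - 1)

if __name__ == "__main__":
    for label, n in [("structured", STRUCTURED_MODULUS), ("ordinary", ORDINARY_MODULUS)]:
        failed = rejecting_primes(n)
        verdict = "fingerprint present" if not failed else f"ruled out by {failed[:3]}"
        print(f"{label}: {verdict}")
    print("chance pass rate:", float(chance_random_modulus_passes()))
```

Only the public modulus is needed, which is why a service holding uploaded public keys can screen them without any cooperation from the key owner.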


Re: How to use PKA

2006-05-23 Thread Jonathan T. Rockway
 Can someone provide a clear example of what I need to do to allow others
 to use pka-lookup to verify my email address?

My understanding of those instructions is as follows:

As the administrator of yourdomain.com, you can attest to the fact
that [EMAIL PROTECTED] has a certain public key.  To do this:

Create a TXT record in yourdomain.com for you._pka.yourdomain.com.
you is the part before the at sign, and yourdomain.com is your
domain.  the _pka part isn't really a host on your network, it's
simply the convention that was decided upon for this.

The value of that TXT record is a colon-separated list of key=value
pairs, where the keys and values are: (ignore everything after #,
obviously)

v=pkal; # meaning that this is a pkal record
fpr=the fingerprint of your key;
uri=url where your public key can be looked up;

When concatenated together, your TXT record should look something like:

v=pkal\;fpr=95FF88C5277C2282973FB90AD0197853DD25E42F\;uri=http://www.jrock.us/jon.key;

Which is incidentally what my PKA record looks like.

I actually just set this up and haven't tested it yet, though.  If it
doesn't work, I'll post a correction :)

 I've tried invoking variations of what I interpret to be instructions
 from
 http://lists.gnupg.org/pipermail/gnupg-devel/2005-August/022254.html but
 I can't seem to get my GnuPG to use pka-lookup even though it is in my
 verify-options.

What version of gpg are you using?  The instructions indicate that you
need to check out the subversion (CVS) tree.  It's experimental in
nature, so it hasn't trickled down to stable versions yet.

I need to try a newer version today anyway, so I'll try this out and
let you know what version works.

Regards,
Jonathan Rockway


Re: Cipher v public key.

2006-05-30 Thread Jonathan T. Rockway



Sorry I may be missing the point but why does it now show AES or AES256 as a
pukey? 
  
I think you're misunderstanding how PGP public-key encryption works.  
When you send an encrypted message, the first thing that happens is a 
random number called a session key is generated.  This session key is 
then used to encrypt the (compressed, possibly) original message with a 
symmetric cypher like AES256.  Then, this session key is encrypted with 
the recipient's public key (RSA or ElGamal).


When the message is received by the recipient, he uses his private key 
to decrypt the session key.  Then he uses the session key to decrypt the 
original message. 

If you're just using symmetric keys, you use AES256 directly.  The 
passphrase you type in is used as the session key, in this case 
(actually, there's a random number called salt appended to the 
passphrase to prevent certain attacks, but the idea is the same).  With 
public key cryptography, the software (via the public key algorithms) 
handles the (difficult) task of giving the recipient the decryption 
key.  With symmetric encryption, it's your responsibility to get the 
passphrase to the recipient.


If you're still not clear on this, you should definitely read something 
like Applied Cryptography, so that you can talk intelligently to your 
client about cryptography.  The biggest security problem with crypto is 
when it's misapplied (people think they're safe, but the crypto is 
merely obfuscating the message, not securing it).


Another good way to learn about symmetric encryption is to write your 
own simple encryption program.  http://ciphersaber.gurus.com/ will guide 
you through this.


Feel free to ask us any questions, though :)

Regards,
Jonathan Rockway








Bypass PIN entry

2015-11-27 Thread Harbord Jonathan-EURITEC
I am using GPG on windows.

Is there a way to pass the user PIN of a smartcard in a gpg-agent batch file or 
script?

I am using a nitrokey as a private key store for an unattended SFTP system.
It simply runs a WinSCP script to pickup and send files via SFTP.

Before the script runs I run a batch file to invoke the gpg-agent:
gpg-connect-agent.exe" /bye

WinSCP is then able to use the private key on the smartcard. However, the first 
time I connect the pinentry program appears and requires me to enter the user 
PIN.

Is there a way for a script to pass this PIN and unlock the nitrokey when 
gpg-agent launches?




RE: Provide user PIN to gpg-agent?

2015-12-02 Thread Harbord Jonathan-EURITEC
Niibe-san

Thank you so much for your help! It worked.

I was using gpg4win, which of course does not include v2.1. I need to download 
the windows version from gnupg.org.

I had some difficulty with the syntax of a windows batch file but eventually 
succeeded with

gpg-connect-agent.exe --run 

Where  contained:

OPTION pinentry-mode=loopback
/definqfile PASSPHRASE 
SCD CHECKPIN 
/bye


And where  was the ID of the card from gpg --card-status as you 
suggested,
and  was a file containing the PIN.

Thank you again for your kind advice.



-Original Message-
From: Gnupg-users [mailto:gnupg-users-boun...@gnupg.org] On Behalf Of NIIBE 
Yutaka
Sent: 02 December 2015 03:07
To: gnupg-users@gnupg.org
Subject: Re: Provide user PIN to gpg-agent?

On 12/01/2015 10:50 PM, Harbord Jonathan-EURITEC wrote:
> Is it possible to pass the user PIN of a smartcard to gpg-agent in a command?
> 
> I'd like to stop the pinentry program appearing for an automated system.

Please note that I don't have any experience like that, and I don't generally 
recommend such a usage.

In general, we can provide a special application specific pinentry program for 
such a special purpose.

In GnuPG 2.1.x, there is the allow-loopback-pinentry option.  When it is enabled in 
.gnupg/gpg-agent.conf or as an argument when invoking gpg-agent, we can do something 
like:

gpg-connect-agent \
"OPTION pinentry-mode=loopback" \
'/definqfile PASSPHRASE /tmp/passphrase-for-smartcard' \
"SCD CHECKPIN " /bye


having a file /tmp/passphrase-for-smartcard, where  is the one in the 
output of 'gpg --card-status' like:

Application ID ...: D276000124010200F5170001

Substitute  by D276000124010200F5170001.

Please try.
-- 



Provide user PIN to gpg-agent?

2015-12-01 Thread Harbord Jonathan-EURITEC
Is it possible to pass the user PIN of a smartcard to gpg-agent in a command?

I'd like to stop the pinentry program appearing for an automated system.




gpg --import-options import-drop-uids not available?

2020-03-03 Thread Jonathan Cross via Gnupg-users

Hello,

I see this option being added here:

http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=8e83493dae426fe36a0e0081198b10db1e103ff1

However it doesn't seem to have been released as of 2.2.19.

Is there a reason this still hasn't been released?

Thanks,  Jonathan





Batch generate keys without revocation cert?

2020-01-23 Thread Jonathan Cross via Gnupg-users
Hello,
I would like to batch generate keys, but *not* have a revocation cert
generated.
I do not see an option for this, how can it be done?

Thanks,  Jonathan

Re: Batch generate keys without revocation cert?

2020-02-04 Thread Jonathan Cross via Gnupg-users
>
> On 2020-01-23 at 17:32 +0100, Jonathan Cross via Gnupg-users wrote:
>
> Hello,
> I would like to batch generate keys, but *not* have a revocation cert
> generated.
> I do not see an option for this, how can it be done?
> Thanks,  Jonathan
>
> From: Ángel
> To: gnupg-users@gnupg.org
> Subject: Re: Batch generate keys without revocation cert?
> Hello Jonathan
> See if this helps
>
> https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html
> Anyway, you could always generate a revocation certificate and then
> discard it.
> Kind regards


Thank you Angel,
I am already making extensive use of  batching, but (as you can see on the
linked page), there is no option to remove revocation certificates from
being generated.
Was there something specific there that I overlooked?
As you mentioned, I am deleting the revocation cert, but this is suboptimal.

A bit of background...
I was trying to use this for generating "vanity" keys (while using all of
the gpg mechanics, entropy, etc) -- so I need it as fast as possible.
I have come to see that this is far too slow to get an interesting key ID
of my choosing, so I will continue looking into other options like this:
https://github.com/osresearch/pgp-vanity-keygen (with modifications for
Curve25519 added)

If there was an option to provide my own fixed entropy, that would also be
helpful as I'd like to create that using Diceware.

If you have any suggestions, please let me know.

Thanks!  Jonathan

Re: ed448 support in gpg?

2020-03-11 Thread Jonathan Cross via Gnupg-users

>> Is ed448 available / in development?
> 
> Will be part of 2.3.

Great news!

> However, even then I do not suggest to create such
> a key because the majority of deployed software won't be able to use
> it.

How will older clients deal with a certification signature from this 
unrecognized algorithm?

> If you care about the security of your key use a smartcard.

Yes, I intend to do this with the subkeys (Curve25519)
Only the primary (certification key) would use ed448 which would rarely be used 
and only offline.

> Think of your threat model and, as usual, see https://www.xkcd.com/538/

Agreed  :-)
In this situation, I just want to avoid creating a new key-pair as long as 
possible and ed448 is likely to survive just a bit longer from what I 
understand.
Performance is irrelevant.

Jonathan



Re: ed448 support in gpg?

2020-03-13 Thread Jonathan Cross via Gnupg-users


> On Mar 11, 2020, at 3:58 PM, Andrew Gallagher  wrote:
> 
> Signed PGP part
> On 11/03/2020 12:30, Jonathan Cross via Gnupg-users wrote:
>> ed448 is likely to survive just a bit longer from what I understand.
> 
> It depends on how soon you think general-purpose quantum computers will
> be available. Elliptic-curve keys are *less* resistant to quantum
> algorithms than classically-equivalent RSA, due to their smaller size.

Ah, I was not aware of that.
Seems I should stick with RSA-4096 primary key for now.
I can add a Cv25519 subkey (and even an ed448 subkey later)




ed448 support in gpg?

2020-03-10 Thread Jonathan Cross via Gnupg-users
Hello,

I am looking into making a new key that is as "future-proof" as possible.
Offline master key that is ed448 would be ideal if possible with Curve25519 
subkeys for daily use on a smartcard.

Is ed448 available / in development?
Or a similar 256bit "safe-curves" option?

Thank you,  Jonathan



Re: MacOSX help - beginner installation, first time

2020-05-25 Thread Jonathan Cross via Gnupg-users
Hi Cyrus,

1. This is the SHA256 checksum I get for GnuPG-2.2.20.dmg:

39970099819616d4b66a4e471ce26db97384948d0f375e02aae9d9de1d69baa5

2. The signature (GnuPG-2.2.20.dmg.sig) checked out for me:

gpg: Signature made Sat Mar 21 12:42:46 2020 CET
gpg:using RSA key 4F9F89F5505AC1D1A260631CDB1187B9DD5F693B
gpg: Good signature from "Patrick Brunschwig " [full]
gpg:   aka "Patrick Brunschwig " [full]
gpg:   aka "[jpeg image of size 13251]" [full]
Primary key fingerprint: 4F9F 89F5 505A C1D1 A260  631C DB11 87B9 DD5F 693B

Furthermore...

1. I have met Patrick Brunschwig in person, checked his government ID.
   He also checked mine.
2. We both cross-signed each other's keys.
3. You can verify this by getting our pubkeys from pgpkeys.urown.net
4. You can check the OpenPGP signature on this email to verify my key is:
   9386 A2FB 2DA9 D0D3 1FAF  0818 C0C0 7613 2FFA 7695


Now, of course you don't know me, but you now have a bit more info to go on.

Maybe there's someone in this list below that you know / trust to check ID
and / or verify key fingerprints?  My key:

https://pgpkeys.urown.net/pks/lookup?op=vindex&search=0xC0C076132FFA7695

Meeting people in person and verifying key fingerprints is of course best,
but not always a realistic option for every piece of software :-)

Good luck!

Jonathan



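Added example, not part of the message above and not GnuPG's own code: the two checks it describes (SHA-256 digest, then signature) done programmatically, pinning the signer by full primary key fingerprint read from gpg's machine-readable VALIDSIG status line instead of the human-readable "Good signature" text. The function names and the sample status output are constructed for this example; the digest and fingerprint are the ones quoted in the message.

```python
import hashlib
import hmac

# Values quoted in the message above.
EXPECTED_SHA256 = "39970099819616d4b66a4e471ce26db97384948d0f375e02aae9d9de1d69baa5"
PINNED_FPR = "4F9F 89F5 505A C1D1 A260  631C DB11 87B9 DD5F 693B"

# Constructed sample of `gpg --status-fd 1 --verify FILE.sig FILE` output.
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DB1187B9DD5F693B Patrick Brunschwig
[GNUPG:] VALIDSIG 4F9F89F5505AC1D1A260631CDB1187B9DD5F693B 2020-03-21 1584790966 0 4 0 1 8 00 4F9F89F5505AC1D1A260631CDB1187B9DD5F693B
"""
# Constructed sample: a bad signature yields BADSIG and no VALIDSIG line.
BAD_STATUS = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG DB1187B9DD5F693B Patrick Brunschwig\n"


def sha256_matches(data: bytes, expected_hex: str) -> bool:
    """Compare the SHA-256 of data with a published hex digest."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def signer_fingerprints(status_text: str) -> list:
    """Return (signing key fpr, primary key fpr) for each VALIDSIG line."""
    found = []
    for line in status_text.splitlines():
        fields = line.split()
        if fields[:2] != ["[GNUPG:]", "VALIDSIG"] or len(fields) < 3:
            continue
        signing = fields[2].upper()
        # The primary key fingerprint is the last field when gpg reports it
        # (12 fields in total); otherwise fall back to the signing key.
        primary = fields[-1].upper() if len(fields) >= 12 else signing
        found.append((signing, primary))
    return found


def signature_from_pinned_key(status_text: str, pinned_fpr: str) -> bool:
    """True only if every valid signature comes from the pinned primary key."""
    pinned = pinned_fpr.replace(" ", "").upper()
    sigs = signer_fingerprints(status_text)
    return bool(sigs) and all(primary == pinned for _, primary in sigs)
```

A pinned fingerprint only helps if it was obtained out of band, which is what the in-person ID check and cross-signing described in the message provide.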

gpg: used key is not marked for encryption use.

2021-07-23 Thread Jonathan Kaczynski via Gnupg-users
Hi,

I'm trying to understand the scenario in which we see the log message,
"gpg: used key is not marked for encryption use." I haven't been able to
find any mentions of the phrase on the web, so I turned to the source code.

Looking at
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=g10/pubkey-enc.c;h=6e1b0898e4b3687ef4d57ae1a6270782723b01e3;hb=refs/heads/master#l146
it is a little difficult to tease out.

The context is I'm trying to debug why another party's encrypted file is
producing this extra log message by gpg-2.3.1, and if it matters. They used
a tool which uses the BouncyCastle java library.

Would someone be able to help me with this?

Thank you,
Jonathan Kaczynski

Re: Backing up your PGP key by hand

2022-05-02 Thread Jonathan Cross via Gnupg-users
Thank you for sharing this Francesco.

Yes, having a secure, durable offline backup is important.

Coming from the Bitcoin space, we've already explored many options in an
effort to allow users easily to back up private keys.

I have to say the effort involved in your method seems unrealistic for most
users:

> Considering a paperkey is less than 150 lines, that means it should take
> 50 sessions, or a little less than 2½ months to get it on paper. The whole
> effort costs 50×10m ≃ 8 hours of your time.

In Bitcoin, we can use the BIP39 standard to back up a nearly infinite number
of keys (trees of derived keys) with just 12 simple English words. It even
has a checksum! Only the first four letters of each word are even
necessary, as those are always distinct, making input very quick and easy.

GPG would benefit from something similar.

Only 1% of the 1% of users will put in the effort that you did, meaning
that most users are not properly backing up their PGP keys and/or are
trusting computer hardware/printers.

I see there are efforts like paperkey word list:
https://github.com/vonshednob/paperkeywords

But ideally such a system should be standardized and built into gpg so that
users can be sure they will be able to restore keys.

One can actually use the most popular Bitcoin hardware wallet as a PGP
signing device. Since the device is backed up with a BIP39 "seed phrase",
you can effectively say that it's a way to back up GPG keys with 12 or 24
words:

https://support.ledger.com/hc/en-us/articles/115005200649-OpenPGP?docs=true

The fact that it has a screen and you can input the words directly into the
signing device means that you don't need an air gap computer as well.

That might be a good option for some people.

Jonathan