On 17 October 2011 20:11, Werner Koch w...@gnupg.org wrote:
Hi!
Over the last year Marcus and me discussed ideas on how to make
encryption easier for non-crypto geeks. We explained our plans to
several people and finally decided to start a project to develop such a
system. Obviously it is
I'm going to lean very far out the window and assume he meant the actual
private key, not the private key-ring/-file/...
I'm not sure I understand the distinction you're making there.
One is protected with a passphrase (i.e. it's encrypted), the other is
in the clear.
If I manage to steal
On 10/18/2011 8:10 AM, Jerome Baum wrote:
If I manage to steal your private keyring, then yes the very strong
passphrase should grind my attempts to steal your key to a halt. If I
manage to steal your private _key_ OTOH, I don't need to get past your
passphrase as that doesn't come into play.
On 18/10/11 14:36, Jerome Baum wrote:
* I'm going to take the word to mean what it says: key, not what I can
flexibly interpret it as: encrypted key.
One of those metal things in my pocket? What good are they for encryption? Even
if you manage to read it in, it still has way too little
Monday, October 17, 2011, 11:30:48 PM, Robert wrote:
Smartcard and a good PIN. That's pretty much the gold standard. It's
not the best way (there is no 'best way'), but it's generally an
excellent place to start from.
I read a smartcard is simply a chip card. Why is it save, what's a
PIN?
On 10/18/2011 8:36 AM, Jerome Baum wrote:
Have you looked at my original statement?
Yes.
I recall making the distinction between a key* and a key-ring/-file,
not between a key-ring and a key-file.
A distinction that has been lost on apparently everyone here. Please
use accepted terminology.
On 18/10/11 14:53, takethe...@gmx.de wrote:
I read a smartcard is simply a chip card. Why is it save, what's a
PIN? Say I'm using it on a PC with a trojan in the background
that logs my keystrokes (my password) and can send data (my key)
via internet to an attacker. How is access
On 2011-10-18 14:48, Peter Lebbing wrote:
On 18/10/11 14:36, Jerome Baum wrote:
* I'm going to take the word to mean what it says: key, not what I can
flexibly interpret it as: encrypted key.
One of those metal things in my pocket? What good are they for encryption?
Even
if you manage to
On 10/18/2011 9:08 AM, Jerome Baum wrote:
Makes sense if there's no context. But there's context here --
cryptography. In that context, key means something specific.
This ain't EUROCRYPT or FINANCIAL CRYPTOGRAPHY. If you're reading
professional journals that are talking about crypto in purely
On 2011-10-18 15:05, Robert J. Hansen wrote:
On 10/18/2011 8:36 AM, Jerome Baum wrote:
I recall making the distinction between a key* and a key-ring/-file,
not between a key-ring and a key-file.
A distinction that has been lost on apparently everyone here. Please
use accepted terminology.
On 18/10/11 15:05, Robert J. Hansen wrote:
On 10/18/2011 8:36 AM, Jerome Baum wrote:
Have you looked at my original statement?
Yes.
Oddly, I don't recall Jerome ever making a statement remotely like If I steal
your decrypted key, I only remember him stating that he thought, as did I,
If someone sniffs your PIN, and has trojaned or rooted your computer, he could
use your smartcard while it is still plugged in to your computer, just like
you
are using your smartcard.
If you're worried about this you should be able to find a smartcard
reader with PIN entry that GnuPG
On 18/10/11 15:05, Robert J. Hansen wrote:
IIRC nowadays is store a separate file per key?
No, it's still a single file (pubring.gpg, for instance, is the public
keyring). I just can't promise that it's still a raw stream of RFC4880
octets.
ls ~/.gnupg/private-keys-v1.d/
Peter.
PS:
On 18/10/11 15:08, Jerome Baum wrote:
It's one thing to be picky when it adds to the discussion proper. That
would be the case when we're distinguishing between the key as it is
stored on disk (encrypted, inside a key-file/-ring/...) and the key as
it is stored in memory (unencrypted). That
Skimmed over this. You say that you need ISP support to get the
system adopted (for the DNS-based distribution). Wouldn't that
hinder adoption?
Please look at how most people use mail: They get a mail address from
their ISP, a preinstalled MUA and so on. Mail works for them
instantly;
On 18/10/11 15:23, Jerome Baum wrote:
It doesn't prevent a trojan from signing something other than what you
intended (if it's your master key on card, even another key or a new
sub-key) but whether this is a problem depends on your threat model.
The signature problem can still be solved by
It doesn't prevent a trojan from signing something other than what you
intended (if it's your master key on card, even another key or a new
sub-key) but whether this is a problem depends on your threat model.
I should mention that the current OpenPGP card spec doesn't let the card
know whether
I'm going to keep this as short as possible, because we've already hit
the point at which we're casting far more heat than light.
Oddly, I don't recall Jerome ever making a statement remotely like
If I steal your decrypted key, I only remember him stating
that he thought, as did I, that
I don't see why the ISP has to be the entity providing DNS lookup.
The one I use won't even allocate me a static address, let alone
accept RRs from me to serve out to others. I'm not sure I'd trust
them to get it right and *keep* it right anyway.
If the ISPs won't cooperate, maybe the antivirus
Thanks to everyone for the helpful answers. Maybe I'll buy a smartcard, it
seems more convinient than rebooting for every email.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
On Mon, Oct 17, 2011 at 05:50:42PM -0600, Aaron Toponce wrote:
[snip]
At any rate, I would love to see more client-to-client encryption in email.
I've always wondered if there could be an OTR approach to mail, somehow,
so people don't need to generate and manage their own sets of keys, as that
Well, not quite. Eventually you would get it. The task of security
systems is to make eventually be longer than:
o the payoff is worth; or
o the time it takes to be discovered; or
o the time it takes for the secured object to lose its value.
Statistically, that is. You could get it
Right, that's a good point I think we all considered trivial when
maybe we shouldn't have. In your threat model you should determine for
how long your data should be safe (per attacker type) before you go
ahead and make decisions about key protection.
To clarify, this is what we should tell
On 10/18/2011 8:53 AM, takethe...@gmx.de wrote:
I read a smartcard is simply a chip card. Why is it save, what's a
PIN?
PIN: Personal Identification Number.
The idea is the secret key material is stored on the card, not on the
PC. The secret key material is located in write-only memory:
Just wondering if anyone knows of any scripts for collecting keys into
a keyring prior to a key signing party (i.e., for people who intend to
participate to submit their keys)?
Can't give software names but look at what the open-source conferences
use. Debian should have some tools to show as
On Tue, 18 Oct 2011 15:05, r...@sixdemonbag.org said:
No, it's still a single file (pubring.gpg, for instance, is the public
keyring). I just can't promise that it's still a raw stream of RFC4880
octets.
It still is for the public keys.
2.1 changes the format of the secring (well, dropped
On 18/10/11 16:00, Mark H. Wood wrote:
I don't see why the ISP has to be the entity providing DNS lookup.
Because it is the e-mail address of the recipient you look up; that's all the
data you have in this scenario. Thus, for me you would look up a key
corresponding to user peter at the domain
In fact to my knowledge outside of webmail and inside private email
(so drop companies, universities, schools) it's usual to configure your
own MUA, with the help of instructions from your ISP.
Well, so we need to convince them to change those instructions.
Yes and this is what I said: It's
On Tue, 18 Oct 2011 15:30, jer...@jeromebaum.com said:
In fact to my knowledge outside of webmail and inside private email
(so drop companies, universities, schools) it's usual to configure your
own MUA, with the help of instructions from your ISP.
Well, so we need to convince them to change
... We can remove *needless* complexity, but security could be said
to be the art of *introducing* specific complexity that's a lot worse
for the attacker than it is for you. It can't be automagical.
Anyway, key generation is already automated. All you have to do is
(1) choose to employ
I don't see why the ISP has to be the entity providing DNS lookup.
The one I use won't even allocate me a static address, let alone
accept RRs from me to serve out to others. I'm not sure I'd trust
them to get it right and *keep* it right anyway.
I should clarify. An email provider is also
On Tue, Oct 18, 2011 at 04:23:42PM +0200, Jerome Baum wrote:
[snip]
While we're discussing the STEED proposal in the other thread, do you
think it's better to educate your users and risk loosing them or do you
think it's better to provide sensible defaults for the average
threat model and
On Tue, 18 Oct 2011 15:19, r...@sixdemonbag.org said:
Arguably we should be using 'certificate' to describe keys, but
We tried that in the Gpg4win manuals. However it turned out that this
term as other problems when used with OpenPGP keys (ah well, keyblocks).
honestly, that's a losing
I was pleased to see room for different classes of users in the STEED
paper. When I encounter software that tries to be helpful, my own
first thought is: how do I turn that off? But I recognized long ago
that I was never a typical user and my own inclinations are no guide
to popularity.
On Tue, 18 Oct 2011 16:30, pe...@digitalbrains.com said:
Because it is the e-mail address of the recipient you look up; that's all the
data you have in this scenario. Thus, for me you would look up a key
corresponding to user peter at the domain digitalbrains.com. The only logical
Right.
On Tue, 18 Oct 2011 15:42, mw...@iupui.edu said:
To be secure without being involved in the process is an unreasonable
expectation which can never be met. We need to teach our kids to
expect to protect themselves online the same way we teach them to look
We did this for about 15 years -
Even webmail. It is easy to write a browser extension to do the crypto
stuff. Installing browser extensions is even easier than installing
most other software.
I'd make it a point of discussion whether it's still webmail proper then.
But you could also use Javascript, Java or Flash, so yes
On 10/18/2011 11:58 AM, Werner Koch wrote:
We did this for about 15 years - without any success. If you look
at some of the studies you will see that you can't teach that stuff
to non-techies - sometimes not even to engineers.
As a data point from 2005:
I was teaching computer literacy at
On Tue, 18 Oct 2011 16:35, jer...@jeromebaum.com said:
operations will be the most important part to making that work, and the
ISPs don't have to help out there (modulo webmail which isn't even
end-point).
Even webmail. It is easy to write a browser extension to do the crypto
stuff.
On 10/17/11 5:18 PM, takethe...@gmx.de wrote:
Hi everybody,
what is the best way to protect
your private key from getting stolen?
Page 29 (http://www.gnupg.org/gph/en/manual.html#AEN513) of the Gnu
Privacy Handbook (http://www.gnupg.org/gph/en/manual.html)recommends a
strong passphrase to
This works, thank you :)
On 10/17/2011 4:09 PM, Hauke Laging wrote:
Am Montag, 17. Oktober 2011, 13:51:03 schrieb sweepslate:
The end goal is to encrypt a volume of around 100GB of personal files
that I'll be carrying arround with me in a portable drive.
The key point is doing the
On 10/17/2011 4:49 PM, David Tomaschik wrote:
I like GnuPG as much as the next guy around here, but is there a
reason you want to use GPG instead of a tool designed for disk
encryption? TrueCrypt is cross-platform and works well... if you're
Windows-only, there's BitLocker, and for Linux
On Mon, Oct 17, 2011 at 05:50:42PM -0600, Aaron Toponce wrote:
.snip..
At any rate, I would love to see more client-to-client encryption in email.
I've always wondered if there could be an OTR approach to mail, somehow,
so people don't need to generate and manage
* Robert Holtzman hol...@cox.net [111018 21:43,
mID 20111018185035.gb4...@cox.net]:
The greatest hindrance to widespread adoption is the phrase I often
hear...I've got nothing to hide It drives me up a wall.
+1
Martin
smime.p7s
Description: S/MIME cryptographic signature
44 matches
Mail list logo