Re: TOFU

2017-06-22 Thread MFPA
On Wednesday 21 June 2017 at 7:49:42 PM, in , Peter Lebbing wrote:- > I think it's a bad UX choice to > name an invalid > signature "UNTRUSTED Good" and a valid signature > "Good". I

Re: Key corruption: duplicate signatures and usage flags

2017-06-22 Thread MFPA
On Thursday 22 June 2017 at 12:22:46 PM, in , martin f krafft wrote:- > There were [SC] when I created it, but I've recently > changed to > a signing subkey and removed the flag

Re: Are TOFU statistics used for validity or conflict resolution?

2017-06-22 Thread Neal H. Walfield
At Thu, 22 Jun 2017 09:42:50 +0300, Teemu Likonen wrote: > It _seems_ to me that > > - Field 3 :: validity - A number with validity code. > > is the same thing as SUMMARY in TOFU_STATS. Am I right? > > And here's my question again: Does the SUMMARY field's value (0-4) have > effect on how

Re: Are TOFU statistics used for validity or conflict resolution?

2017-06-22 Thread Teemu Likonen
Teemu Likonen [2017-06-22 09:42:50+03] wrote: > Does the SUMMARY field's value (0-4) have effect on how key's validity > is calculated or how TOFU conflicts are resolved or presented to a > user? I didn't get answers yet but I'll speculate a bit on the subject. This is all about "trust-model

Re: Managing the WoT with GPG

2017-06-22 Thread Werner Koch
On Thu, 22 Jun 2017 16:29, madd...@madduck.net said: > updating the trustdb on update of key material, wouldn't it make > much more sense to compute the information just-in-time? Provided For a key listing this means computing it for every listed key. And the majority of frontends first do a

Re: Key corruption: duplicate signatures and usage flags

2017-06-22 Thread Justus Winter
martin f krafft writes: > [ Unknown signature status ] > Hey Justus, thanks for writing in. Here are the answers you wanted: > >> gpg --version please? > > 2.1.18 > >> > So far, so good. Do note the [SC] usage flags. >> >> What are the capabilities of your primary key

Re: Managing the WoT with GPG

2017-06-22 Thread Neal H. Walfield
Hi, I didn't say that it is not possible to have a better algorithm. It is possible. But, it is not as easy as you suggest (and what you suggest doesn't sound trivial). For instance, adding or updating a key doesn't necessarily result in equal or more trust. An update could cause a key to be

Re: Managing the WoT with GPG

2017-06-22 Thread martin f krafft
thus spoke Peter Lebbing [2017-06-22 15:46 +0200]: > > As far as I understand, the parameters --marginals-needed and > > --completes-needed can be used to define a maximum search depth D, > > so when I ask GPG to update the trustdb WRT key 0xdeadbeef, then I'd > >

Re: Managing the WoT with GPG

2017-06-22 Thread Peter Lebbing
On 22/06/17 15:00, martin f krafft wrote: > As far as I understand, the parameters --marginals-needed and > --completes-needed can be used to define a maximum search depth D, > so when I ask GPG to update the trustdb WRT key 0xdeadbeef, then I'd > envision it to Don't you mean >

Re: Managing the WoT with GPG

2017-06-22 Thread martin f krafft
thus spoke Andrew Gallagher [2017-06-21 15:57 +0200]: > I have a quick and dirty tool here: > https://github.com/andrewgdotcom/synctrust Yeah, that'll do the job, except it blindly overwrites changes made locally. It's unlikely this happens, but say I declared your key

Re: Key corruption: duplicate signatures and usage flags

2017-06-22 Thread Teemu Likonen
Justus Winter [2017-06-21 15:10:52+02] wrote: > martin f krafft writes: >> x-hkp://pool.sks-keyservers.net > > Here ^ is the keyserver url. >> gpg> save >> Preferred keyserver: Preferred keyserver: Preferred keyserver: Preferred >> keyserver: Preferred keyserver:

Re: Managing the WoT with GPG

2017-06-22 Thread martin f krafft
thus spoke Neal H. Walfield [2017-06-21 14:00 +0200]: > It starts with the set of ultimately trusted keys. But let's say > that you start with key X, which is not ultimately trusted. What > should GnuPG do with the result? Or, let's say that X is > ultimately trusted and it

Re: Key corruption: duplicate signatures and usage flags

2017-06-22 Thread martin f krafft
Hey Justus, thanks for writing in. Here are the answers you wanted: > gpg --version please? 2.1.18 > > So far, so good. Do note the [SC] usage flags. > > What are the capabilities of your primary key supposed to be? There were [SC] when I created it, but I've recently changed to a signing

Are TOFU statistics used for validity or conflict resolution?

2017-06-22 Thread Teemu Likonen
Are TOFU statistics used for key's validity calculations or TOFU conflict resolution? Some background: The TOFU system keeps statistics about key's use. I'll quote some lines from the DETAILS document. About --with-colons --with-tofu-info --list-keys: *** TFS - TOFU statistics

about CCID USB readers (Re: setting GnuPG card to 'not forces' does not let sign)

2017-06-22 Thread Matthias Apitz
On Monday, June 12, 2017 at 12:58:23 p.m. +0200, Werner Koch wrote: > On Mon, 12 Jun 2017 12:38, g...@unixarea.de said: > > > Do you know of any other CCID reader for ID-000 size cards? > > I have a sample of the Gemalto Shell Token here. It has been around for > quite some time and