Re: GPG, subkeys smartcard and computer

2017-02-21 Thread Andrew Gallagher
On 21/02/17 15:23, Peter Lebbing wrote: > On 21/02/17 16:19, Andrew Gallagher wrote: >> And this is the main reason I started running my own keyserver - by >> refreshing your monkeysphere-host keyring, you are leaking to the >> keyserver which user credentials have login access to your system. :-)

Re: GPG, subkeys smartcard and computer

2017-02-21 Thread Peter Lebbing
On 21/02/17 16:19, Andrew Gallagher wrote: > And this is the main reason I started running my own keyserver - by > refreshing your monkeysphere-host keyring, you are leaking to the > keyserver which user credentials have login access to your system. :-) But if an attacker can cut off your SSH

Re: GPG, subkeys smartcard and computer

2017-02-21 Thread Peter Lebbing
On 21/02/17 15:58, Kristian Fiskerstrand wrote: > Keep in mind, the keyring in the scope of monkeysphere is normally one > keyblock :) But yeah, the crontab frequency will depend a bit on system. Not for multi-user systems with many accounts; it would only be the case for personal servers. Is a

Re: GPG, subkeys smartcard and computer

2017-02-21 Thread Andrew Gallagher
On 21/02/17 15:17, Peter Lebbing wrote: > On 21/02/17 15:58, Kristian Fiskerstrand wrote: >> Keep in mind, the keyring in the scope of monkeysphere is normally one >> keyblock :) But yeah, the crontab frequency will depend a bit on system. > > Not for multi-user systems with many accounts; it

Re: GPG, subkeys smartcard and computer

2017-02-21 Thread Kristian Fiskerstrand
On 02/21/2017 03:15 PM, Peter Lebbing wrote: > If Kristian Fiskerstrand says it's okay for SSH servers to refresh their > keyring every 20 or 30 minutes from the public keyserver network, then I > guess it really is :-). I had estimated it as inappropriate. Keep in mind, the keyring in the scope

Re: GPG, subkeys smartcard and computer

2017-02-21 Thread Andrew Gallagher
On 21 Feb 2017, at 13:37, Kristian Fiskerstrand wrote: >> On 02/21/2017 02:21 PM, Peter Lebbing wrote: >> Revoking the old A key and creating a new one needs to happen on the >> system you have the primary key on, so you need to subsequently roll out

Re: GPG, subkeys smartcard and computer

2017-02-21 Thread Peter Lebbing
On 21/02/17 14:37, Kristian Fiskerstrand wrote: > Who said anything about creating a new one in this part of the process? Since I assumed you were sitting behind a trusted machine with your primary key installed when you revoke, it made no sense to me to just revoke the key and not create a new

Re: GPG, subkeys smartcard and computer

2017-02-21 Thread Kristian Fiskerstrand
On 02/21/2017 02:21 PM, Peter Lebbing wrote: > Revoking the old A key and creating a new one needs to happen on the > system you have the primary key on, so you need to subsequently roll out Who said anything about creating a new one in this part of the process? each device has separate A subkeys

Re: GPG, subkeys smartcard and computer

2017-02-21 Thread Peter Lebbing
On 20/02/17 22:51, Kristian Fiskerstrand wrote: > Revocation of the specific subkey is automatically picked up by all > systems due to automatic refresh of the public key on regular intervals, > without losing access to the system from non-compromised devices. Revoking the old A key and creating

Re: GPG, subkeys smartcard and computer

2017-02-20 Thread Kristian Fiskerstrand
On 02/20/2017 05:49 PM, Peter Lebbing wrote: > So perhaps one key per device is superior, also for detecting which client > system was compromised by looking at the SSH auth logs on the server > (supposing > the attacker didn't gain root privileges and wiped his traces immediately). > But > I

Re: GPG, subkeys smartcard and computer

2017-02-20 Thread Peter Lebbing
On 20/02/17 16:25, Kristian Fiskerstrand wrote: > Wouldn't consider this accurate, the typical use case for multiple A > subkeys is per-device usage, explicitly to avoid having to revoke all if > one is compromised. Well, if you use only one, "revoke all" is still "revoke one" ;). It's not the

Re: GPG, subkeys smartcard and computer

2017-02-20 Thread Personal (open)
On 20.02.2017 15:25, Kristian Fiskerstrand wrote: > On 02/19/2017 01:45 PM, Andrew Gallagher wrote: > >> And in the case of A and S, there's next to no benefit - if one of your >> subkeys is lost you should revoke it immediately anyway > > Wouldn't consider this accurate, the typical use

Re: GPG, subkeys smartcard and computer

2017-02-20 Thread Kristian Fiskerstrand
On 02/19/2017 01:45 PM, Andrew Gallagher wrote: > And in the case of A and S, there's next to no benefit - if one of your > subkeys is lost you should revoke it immediately anyway Wouldn't consider this accurate, the typical use case for multiple A subkeys is per-device usage, explicitly to avoid

Re: GPG, subkeys smartcard and computer

2017-02-20 Thread Stefano Tranquillini
Hi, Things are getting clearer now, the fact is: subkeys are not related and basically only the last generated is used. I misunderstood this step. I need an Auth subkey on the smartcard because I've set up the server to access ssh only via a key. If I'm not at my pc I can't access the server, and

Re: GPG, subkeys smartcard and computer

2017-02-19 Thread MFPA
Hi On Sunday 19 February 2017 at 2:58:56 PM, in , Damien Goutte-Gattat wrote:- > Disclaimer: I am not advocating such a setup, that I > don't even actually use. I use that setup. Last I

Re: GPG, subkeys smartcard and computer

2017-02-19 Thread Damien Goutte-Gattat
On 02/19/2017 03:11 PM, Peter Lebbing wrote: However, maybe someone has come across a reason to do it where it would be worth the hassle. There certainly are people using multiple S subkeys. Some time ago, I did some experiments with a RSA master key with two sets of subkeys: RSA subkeys and

Re: GPG, subkeys smartcard and computer

2017-02-19 Thread Peter Lebbing
On 19/02/17 13:45, Andrew Gallagher wrote: > In my personal experience, monkeysphere has correctly added all > valid A subkeys. Thanks for the clarification. > But I have a niggling doubt that I once read complaints from somebody > somewhere (not helpful, I know) that whatever system they were

Re: GPG, subkeys smartcard and computer

2017-02-19 Thread Andrew Gallagher
> On 19 Feb 2017, at 11:19, Peter Lebbing wrote: > >> On 17/02/17 15:11, Andrew Gallagher wrote: >> Some systems will only authenticate against the most recently created >> A subkey. > > I have no personal experience, but I think it's possible this relates to >

Re: GPG, subkeys smartcard and computer

2017-02-19 Thread Peter Lebbing
Hi Stefano, On 19/02/17 09:41, Stefano Tranquillini wrote: > I think I can have multiple A subkeys, not like E keys that only the > last is used, and use them to ssh servers if all these subkeys are > added to the server It depends on how the authorized authentication keys are added to the

Re: GPG, subkeys smartcard and computer

2017-02-19 Thread Andrew Gallagher
> On 19 Feb 2017, at 08:41, Stefano Tranquillini > wrote: > > wait, If i've a subkey E (called E1) and I lose it (e.g. it was on the > smartcard). > Can't I create a new E (called E2) from my master and decrypt the data? Or > the data encrypted are

Re: GPG, subkeys smartcard and computer

2017-02-19 Thread Stefano Tranquillini
thanks, Sorry for the double messages, I sent the first before subscribing to the list and I thought it was not forwarded to the mailing list. Briefly: - use tails to generate master (default settings) and subkeys - export the public key and fingerprints - backup master to a cold storage -

Re: GPG, subkeys smartcard and computer

2017-02-17 Thread Andrew Gallagher
Stefano, I meant to reply last night, but didn't fancy writing this out on a phone keyboard. No need to resend questions - this tends to be a high-latency list for people in odd time zones, working from home, on the move etc. NB all the below is IMHO, YMMV etc. :-D On 16/02/17 15:04, Stefano

GPG, subkeys smartcard and computer

2017-02-17 Thread Stefano Tranquillini
Hi all, I'm sort of new to GPG/PGP, I'm not new to the encryption/crypto world and to computers, however, some concepts are not yet clear to me. I can't get my head around how to use GPG in the "correct" way to guarantee the maximum result. That is: protect, at the best, my privacy and also

GPG, subkeys smartcard and computer

2017-02-16 Thread Stefano Tranquillini
Hi all, I'm sort of new to GPG/PGP, I'm not new to the encryption/crypto world and to computers, however, some concepts are not yet clear to me. I can't get my head around how to use GPG in the "correct" way to guarantee the maximum result. That is: protect, at the best, my privacy and also