On Thu, 28 Sep 2017 14:58:05 +0100, Andrew Gallagher wrote:
> On 28/09/17 14:18, Peter Lebbing wrote:
> > Are you sure you had the Governikus key in your keyring? I am
> > seeing the same as Stefan: the signature is bad. It says sig-3, the
> > dash indicates failure. It should have been sig!3 for
On 28/09/17 14:18, Peter Lebbing wrote:
> Are you sure you had the Governikus key in your keyring? I am seeing the
> same as Stefan: the signature is bad. It says sig-3, the dash indicates
> failure. It should have been sig!3 for a good signature.
Apologies, you are right. Importing the
On 28/09/17 12:59, Stefan Claas wrote:
> When long time ago Facebook's pub key received it's vanity sigs i was
> upset and decided
> to no longer support traditional key servers and added this text to my key.
As I argued above, vanity signatures *shouldn't* be an issue - the
problem comes when
Okay, I made a boo boo regarding text wrapping. Let me repaste the debug
output:
--8<---cut here---start->8---
gpg: DBG: rsa_verify
data:+01ff \
gpg: DBG:
On 28/09/17 13:30, Andrew Gallagher wrote:
> What specific error are you getting? I don't see any errors using
> --check-sigs on that key, but then I don't trust Governikus so I'm not
> performing the same test that you are.
Are you sure you had the Governikus key in your keyring? I am seeing the
Am 28.09.2017 um 13:30 schrieb Andrew Gallagher:
On 2017/09/28 10:57, Stefan Claas wrote:
Now i have a problem lol... with my new pub key and --check-sigs.
My new pub key 3BB27531899F06EA4582B2E9D68B6EAC6ECF3AB6 was signed
by Governikus 864E8B951ECFC04AF2BB233E5E5CCCB4A4BF43D7 and when doing
On 2017/09/28 10:57, Stefan Claas wrote:
>
> Now i have a problem lol... with my new pub key and --check-sigs.
>
> My new pub key 3BB27531899F06EA4582B2E9D68B6EAC6ECF3AB6 was signed
> by Governikus 864E8B951ECFC04AF2BB233E5E5CCCB4A4BF43D7 and when doing
> a --check-sigs i get an error...under
Am 27.09.2017 um 20:24 schrieb Daniel Kahn Gillmor:
On Wed 2017-09-27 10:10:54 +0100, Andrew Gallagher wrote:
On 26/09/17 20:39, Werner Koch wrote:
Unfortunately the man pages describes --list-sigs in detail and only in
the next paragraph --check-sigs is explained in terms of --list-sigs.
it
On Wed 2017-09-27 10:10:54 +0100, Andrew Gallagher wrote:
> On 26/09/17 20:39, Werner Koch wrote:
>> Unfortunately the man pages describes --list-sigs in detail and only in
>> the next paragraph --check-sigs is explained in terms of --list-sigs.
>> it might be better to merge them into one
On Tue, 26 Sep 2017 13:07, andr...@andrewg.com said:
> The gpg command itself should cryptographically verify signatures when
> performing --list-sigs, so that at least it can throw a warning when an
Actually --list-sigs is more of a debug command than a command users
should use to verify a key.
On Tue, 26 Sep 2017 15:14:38 +0200, Kristian Fiskerstrand wrote:
> On 09/26/2017 03:05 PM, Stefan Claas wrote:
> > I'm no expert like all you guys, but my dream would be if Werner
> > and his team could
> > work together with the keybase team, so that we could have WKD
> > support for keybase.
>
On 09/26/2017 03:51 PM, Andrew Gallagher wrote:
> Not getting into an OS flame war here, but not everyone uses Android.
That doesn't mean it doesn't exist, it just means different user
preferences as represented by the weigths in the decision matrix when
purchasing a new device.
--
On 26/09/17 14:39, Kristian Fiskerstrand wrote:
> On 09/26/2017 03:38 PM, Andrew Gallagher wrote:
>> Yes. Unfortunately it's tricky to implement that on a smartphone. We
>> don't have card+phone working in gnupg yet either. We *barely* have
>> gnupg working on phones at all. But that's for another
On 09/26/2017 03:38 PM, Andrew Gallagher wrote:
> Yes. Unfortunately it's tricky to implement that on a smartphone. We
> don't have card+phone working in gnupg yet either. We *barely* have
> gnupg working on phones at all. But that's for another day.
Sure we do, youbikey 3 neo on NFC works quite
On 26/09/17 13:49, Kristian Fiskerstrand wrote:
>
> The users shoudn't browse keyservers at all, so it shouldn't really be
> an issue. Linking to get operation to get the public keyblock is just a
> convenience.
Users shouldn't do it. And yet they still do it, precisely because it is
a
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
On 17-09-26 09:15 AM, Andrew Gallagher wrote:
> On 26/09/17 12:30, Kristian Fiskerstrand wrote:
>> On 09/26/2017 01:07 PM, Andrew Gallagher wrote:
>>> So SKS should just say "unverified signature from
>>> ". It should not repeat the purported
On 09/26/2017 02:15 PM, Andrew Gallagher wrote:
> Absolutely. None of this is an argument against users having to do
> things right. But the way to get users to do things right is to train
> them to do things right from the start - and you do that by railroading
> them down the straight and narrow
On 26/09/17 12:30, Kristian Fiskerstrand wrote:
> On 09/26/2017 01:07 PM, Andrew Gallagher wrote:
>> So SKS should just say "unverified signature from ". It
>> should not repeat the purported user ID, nor provide a search link that
>> returns completely unrelated keys that happen to have the same
On 09/26/2017 01:07 PM, Andrew Gallagher wrote:
> So SKS should just say "unverified signature from ". It
> should not repeat the purported user ID, nor provide a search link that
> returns completely unrelated keys that happen to have the same purported ID.
No, that is also wrong, as it implies
On Fri, 22 Sep 2017 20:29:07 +0200, Werner Koch wrote:
> You may use the latest Enigmail or Kmail to automate the upload but
> you can also use Posteo's Web interface to upload the key. But take
> care: Posteo does not allow a Name in the user id, only the mail
> address (addr-spec) is allowed.
On Fri, 22 Sep 2017 at 22:32:37 +0200, Kristian Fiskerstrand wrote:
> And what happens if you do gpg --import-options import-clean --recv-key
> ? is the bad MPI value sigs removed or still there in that case?
Should be `gpg --keyserver-options import-clean --recv-key $keyid`; or
alternatively,
On Fri, 22 Sep 2017 23:16:55 +0200, Guilhem Moulin wrote:
> On Fri, 22 Sep 2017 at 22:32:37 +0200, Kristian Fiskerstrand wrote:
> > And what happens if you do gpg --import-options import-clean
> > --recv-key ? is the bad MPI value sigs removed or still there in
> > that case?
>
> Should be `gpg
On Fri, 22 Sep 2017 22:52:13 +0200, Kristian Fiskerstrand wrote:
> On 09/22/2017 10:48 PM, Stefan Claas wrote:
> > On Fri, 22 Sep 2017 22:32:37 +0200, Kristian Fiskerstrand wrote:
>
>
> >>> And in place of the fake sigs it says erroneous MPI value. :-)
> >>
> >> And what happens if you do
On 09/22/2017 10:48 PM, Stefan Claas wrote:
> On Fri, 22 Sep 2017 22:32:37 +0200, Kristian Fiskerstrand wrote:
>>> And in place of the fake sigs it says erroneous MPI value. :-)
>>
>> And what happens if you do gpg --import-options import-clean
>> --recv-key ? is the bad MPI value sigs removed
On Fri, 22 Sep 2017 22:32:37 +0200, Kristian Fiskerstrand wrote:
> On 09/22/2017 10:29 PM, Stefan Claas wrote:
> > On Fri, 22 Sep 2017 22:17:17 +0200, Kristian Fiskerstrand wrote:
> >> On 09/22/2017 10:08 PM, Stefan Claas wrote:
> >>> Thanks for the information! Can you tell me please how to
On 09/22/2017 10:29 PM, Stefan Claas wrote:
> On Fri, 22 Sep 2017 22:17:17 +0200, Kristian Fiskerstrand wrote:
>> On 09/22/2017 10:08 PM, Stefan Claas wrote:
>>> Thanks for the information! Can you tell me please how to import
>>> a pub key with a local client, so that invalid data get's removed
On Fri, 22 Sep 2017 22:17:17 +0200, Kristian Fiskerstrand wrote:
> On 09/22/2017 10:08 PM, Stefan Claas wrote:
> > Thanks for the information! Can you tell me please how to import
> > a pub key with a local client, so that invalid data get's removed
> > automatically? When doing a gpg
On 09/22/2017 10:08 PM, Stefan Claas wrote:
> Thanks for the information! Can you tell me please how to import
> a pub key with a local client, so that invalid data get's removed
> automatically? When doing a gpg --receive-key key-id the fake data
> is not removed.
What does gpg --check-sigs
On Fri, 22 Sep 2017 21:40:41 +0200, Kristian Fiskerstrand wrote:
> On 09/22/2017 09:34 PM, Stefan Claas wrote:
> >>> O.k. i just tested a bit and this is a bug int the Web Interface
> >>> and in GnuPG's CLI Interface.
> >> I don't see a bug here.
> > Now i am a bit confused... Then maybe a
On 09/22/2017 09:40 PM, Kristian Fiskerstrand wrote:
> So all is as it is supposed to be
Just to add, the alternative if not considering WoT is a direct
validation structure, a user in this case should only (locally) sign
keyblock information of communication peers after a direct fingerprint
On 09/22/2017 09:34 PM, Stefan Claas wrote:
>>> O.k. i just tested a bit and this is a bug int the Web Interface
>>> and in GnuPG's CLI Interface.
>> I don't see a bug here.
> Now i am a bit confused... Then maybe a "funny" design flaw? I mean
> what should users unfamiliar with the whole WoT
On Fri, 22 Sep 2017 20:29:07 +0200, Werner Koch wrote:
> On Fri, 22 Sep 2017 19:23, stefan.cl...@posteo.de said:
>
> > O.k. i just tested a bit and this is a bug int the Web Interface
> > and in GnuPG's CLI Interface.
>
> I don't see a bug here.
Now i am a bit confused... Then maybe a
On Fri, 22 Sep 2017 19:23, stefan.cl...@posteo.de said:
> O.k. i just tested a bit and this is a bug int the Web Interface and in
> GnuPG's CLI Interface.
I don't see a bug here.
However, given that you use Posteo, you are in the good position to use
the Web Key Directory feature. This
On Thu, 21 Sep 2017 16:44:57 +0200, Stefan Claas wrote:
> Hi all,
>
> http://pgp.zdv.uni-mainz.de:11371/pks/lookup?op=vindex=Erika+Mustermann
>
> Question for the experts, how can a casual or new GnuPG user, like
> Alice and Bob, detect a Signature forgery on a pub key, when using
> Web based
Am 22.09.2017 um 02:37 schrieb Ángel:
On 2017-09-21 at 23:37 +0200, Stefan Claas wrote:
Long ago when we had a discussion here on the Mailing List on
how to prevent unwanted signatures i made a proposal that
signing someone's public key should work similar to revocation
certificates. If you
On 2017-09-21 at 23:37 +0200, Stefan Claas wrote:
> Long ago when we had a discussion here on the Mailing List on
> how to prevent unwanted signatures i made a proposal that
> signing someone's public key should work similar to revocation
> certificates. If you would like to sign my pub key you
On Thu, 21 Sep 2017 17:05:35 -0400, Daniel Kahn Gillmor wrote:
> If by "key-id" you mean the 32-bit long thing like "D21739E9", then
> there's no way to cryptographically secure that -- it's just too
> low-entropy. I've written elsewhere about why key ids are bad:
>
>
On Thu, 21 Sep 2017 23:11:23 +0200, Ralph Seichter wrote:
> On 21.09.17 22:37, Stefan Claas wrote:
>
> > If i would be a programmer of software like GnuPG, my software would
> > not allow to receive unwanted signatures on my pub key, nor would it
> > allow that someone else can fake a sig on
On Thu, 21 Sep 2017 17:06:18 -0400, Robert J. Hansen wrote:
> > Do i understand you right, i validate Werner's pub key and when
> > i get a signed email from Erika Mustermann the sig should be then
> > o.k. from her, because i signed Werner's key?
>
> No. When you see something claiming to be
On Thu 2017-09-21 22:37:38 +0200, Stefan Claas wrote:
> I'm sorry! Let me say one last word. If i would be a programmer of
> software like GnuPG, my software would not allow to receive unwanted
> signatures on my pub key
The way the universe works is that once data is public, other data might
On 21.09.17 22:37, Stefan Claas wrote:
> If i would be a programmer of software like GnuPG, my software would
> not allow to receive unwanted signatures on my pub key, nor would it
> allow that someone else can fake a sig on someone else's pub key with
> my key-id.
If you can solve the design
> Do i understand you right, i validate Werner's pub key and when
> i get a signed email from Erika Mustermann the sig should be then
> o.k. from her, because i signed Werner's key?
No. When you see something claiming to be Werner's sig on Erika's
certificate, ask yourself:
* Is it
On 21.09.17 22:13, Robert J. Hansen wrote:
> About 25 years ago I first saw the suggestion that signatures from
> unvalidated certificates should simply not be visible to the end-user
> [...]
Yeah, that would be one way to make these sigs less obvious. Of course
it does not solve the underlying
On Thu, 21 Sep 2017 22:38:06 +0200, Ralph Seichter wrote:
> On 21.09.17 22:11, Stefan Claas wrote:
>
> > > You can only ever be certain of a signature if you have personally
> > > verified the signing key and the signer's identity.
> >
> > Well, call me a stupid Mac dummie, but how in the world
On 21.09.17 22:11, Stefan Claas wrote:
> > You can only ever be certain of a signature if you have personally
> > verified the signing key and the signer's identity.
>
> Well, call me a stupid Mac dummie, but how in the world could GnuPG
> users , living in different areas verify that?
They
On Thu, 21 Sep 2017 16:16:12 -0400, Robert J. Hansen wrote:
> > If someone would issue a fake sig3 from Governikus to someone
> > else how could you, for example, verify that the sig3 is from
> > Governikus?
>
> By validating Governikus's certificate.
Do i understand you right, i validate
> If someone would issue a fake sig3 from Governikus to someone
> else how could you, for example, verify that the sig3 is from
> Governikus?
By validating Governikus's certificate.
You seem to be asking the same question (and getting the same answer)
over and over again. Perhaps try a
> I'm not certain what problem you see that has not been around for as
> long as PGP/GPG exists? You can only ever be certain of a signature if
> you have personally verified the signing key and the signer's identity.
> That's why the default owner trust level is "unknown" (not trusted).
About 25
On Thu, 21 Sep 2017 21:59:26 +0200, Ralph Seichter wrote:
> On 21.09.17 21:38, Stefan Claas wrote:
>
> > The thing is someone could issue a fake sig3 from Heise's CA key to
> > someone else's pub key, without that that customers would detect it,
> > nor Heise would know it, until of course they
On Thu, 21 Sep 2017 21:11:17 +0200, Ralph Seichter wrote:
> On 21.09.17 20:49, Stefan Claas wrote:
>
> > How could customers, not pros like all you guys here on the list,
> > could verify that we both are the persons the keys/signatures are
> > claiming?
>
> Legal identification is required.
On 21.09.17 20:49, Stefan Claas wrote:
> How could customers, not pros like all you guys here on the list,
> could verify that we both are the persons the keys/signatures are
> claiming?
Legal identification is required. Since you are German, you can use
On Thu, 21 Sep 2017 10:55:26 -0400, Robert J. Hansen wrote:
> > Question for the experts, how can a casual or new GnuPG user, like
> > Alice and Bob, detect a Signature forgery on a pub key, when using
> > Web based key servers?
>
> By remembering that anyone can create a key claiming to be
> Question for the experts, how can a casual or new GnuPG user, like Alice
> and Bob, detect a Signature forgery on a pub key, when using Web based
> key servers?
By remembering that anyone can create a key claiming to be anyone, and
that seeing a signature allegedly from Werner (or anyone) means
Hi all,
http://pgp.zdv.uni-mainz.de:11371/pks/lookup?op=vindex=Erika+Mustermann
Question for the experts, how can a casual or new GnuPG user, like Alice
and Bob, detect a Signature forgery on a pub key, when using Web based
key servers?
Note for native English speakers, Erika Mustermann is
54 matches
Mail list logo
