Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-13 Thread Stefan Claas
On 13.06.17 14:16, Peter Lebbing wrote: > On 13/06/17 09:43, Stefan Claas wrote: >> Another thing I will do in the future, which I haven't read in popular >> tutorials, >> is that once checking the hash/sig of the provided package I will also hash >> the binaries after unpacking and print them out

Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-13 Thread Peter Lebbing
On 13/06/17 09:43, Stefan Claas wrote: > Another thing I will do in the future, which I haven't read in popular > tutorials, > is that once checking the hash/sig of the provided package I will also hash > the binaries after unpacking and print them out on a piece of paper, so > that I > can

Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-13 Thread Stefan Claas
On 12.06.2017 at 23:50, Duane Whitty wrote: Thanks for your input much appreciated! I would also add one word about USB sticks: It is very difficult to know if they've been compromised and there are no tell-tale signs when an attack is taking place. I never put a USB in my computer that has

Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Duane Whitty
On 17-06-12 05:45 PM, Stefan Claas wrote: > On 12.06.17 22:35, Robert J. Hansen wrote: >>> Is there something like a Standard Operating Procedure for GnuPG >>> available, which fulfills security experts' demands, and which can >>> easily be adapted by an average GnuPG user, regardless of platform

Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Stefan Claas
On 12.06.17 22:35, Robert J. Hansen wrote: >> Is there something like a Standard Operating Procedure for GnuPG >> available, which fulfills security experts' demands, and which can >> easily be adapted by an average GnuPG user, regardless of platform >> and client he/she uses? > No. More to the

Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Robert J. Hansen
> Is there something like a Standard Operating Procedure for GnuPG > available, which fulfills security experts' demands, and which can > easily be adapted by an average GnuPG user, regardless of platform > and client he/she uses? No. More to the point, there can't be. Each user faces threats

Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Stefan Claas
On 12.06.17 22:10, Robert J. Hansen wrote: >> and transfer signed/encrypted messages from my online usage >> computer with a USB stick to my offline computer and verify >> decrypt the messages there. :-) > If you think your online computer may be compromised, then you have no > business sharing

Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Robert J. Hansen
> and transfer signed/encrypted messages from my online usage > computer with a USB stick to my offline computer and verify > decrypt the messages there. :-) If you think your online computer may be compromised, then you have no business sharing USB devices between it and your believed-safe

Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Stefan Claas
On 12.06.17 21:15, Peter Lebbing wrote: >> (Remember there are two types of companies. Those who know they got >> hacked and those who don't know yet that they got hacked.) >> >> I should put that as a signature in my email and Usenet client! :-) Regards Stefan

Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Stefan Claas
On 12.06.17 21:21, Ludwig Hügelschäfer wrote: > What you can do: Learn, learn by playing, learn by trying to > understand what others write and by asking questions and become a > reasonable critical user. That's the hard way, but you learn best. > Second possibility would be to have a good

Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Stefan Claas
On 12.06.17 21:15, Peter Lebbing wrote: > On 12/06/17 20:51, Stefan Claas wrote: >> Maybe as an additional security feature Enigmail should give >> a key with a set trust level of "Ultimate" a different color than >> green. > No, that's beside the point. Once somebody gets your user privileges, >

Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Ludwig Hügelschäfer
On 12.06.17 20:51, Stefan Claas wrote: > On 12.06.17 20:18, Ludwig Hügelschäfer wrote: >> Hi, >> >> On 12.06.17 14:52, Stefan Claas wrote: >> >>> Hi Ludwig, >>> >>> I just checked again. On my Mac and on my Windows Notebook I >>> get a green bar

Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Peter Lebbing
On 12/06/17 20:51, Stefan Claas wrote: > Maybe as an additional security feature Enigmail should give > a key with a set trust level of "Ultimate" a different color than > green. No, that's beside the point. Once somebody gets your user privileges, there is no "additional security". It's game

Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Stefan Claas
On 12.06.17 20:18, Ludwig Hügelschäfer wrote: > Hi, > > On 12.06.17 14:52, Stefan Claas wrote: > >> Hi Ludwig, >> >> I just checked again. On my Mac and on my Windows Notebook I get a >> green bar, from a blue "Untrusted" key when I go into Enigmail's >> Key Management and set the trust of that

Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Ludwig Hügelschäfer
Hi, On 12.06.17 14:52, Stefan Claas wrote: > Hi Ludwig, > > I just checked again. On my Mac and on my Windows Notebook I get a > green bar, from a blue "Untrusted" key when I go into Enigmail's > Key Management and set the trust of that key to Ultimate... Well, ultimate ownertrust is the wrong

Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Stefan Claas
On 12.06.17 17:28, Robert J. Hansen wrote: >> I agree with you and it makes perfect sense, but then it would raise >> another question. How should an average user of GnuPG, like me, >> then handle this. > It cannot be the job of the GnuPG team to teach people how to safely > administer their

Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Robert J. Hansen
> I agree with you and it makes perfect sense, but then it would raise > another question. How should an average user of GnuPG, like me, > then handle this. It cannot be the job of the GnuPG team to teach people how to safely administer their operating system. There are too many operating

Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Robert J. Hansen
> If Mallory would get somehow access to my Computer and replace one > pub key from my communication partners with a fake one and sets the > trust level to Ultimate. How can I detect this, if I'm not always > looking at the complete Fingerprint and compare it with a separate > list? If Mallory

Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Stefan Claas
On 12.06.17 16:31, Peter Lebbing wrote: > I hadn't gotten round to answer your earlier questions yet, since I > noticed a point I should first spend some effort and thinking on. > > On 12/06/17 16:14, Stefan Claas wrote: >> And a question for this... If Mallory would get >> somehow access to my

Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Peter Lebbing
I hadn't gotten round to answer your earlier questions yet, since I noticed a point I should first spend some effort and thinking on. On 12/06/17 16:14, Stefan Claas wrote: > And a question for this... If Mallory would get > somehow access to my Computer and replace one pub key from my >

Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Stefan Claas
On 12.06.17 16:06, Peter Lebbing wrote: > On 12/06/17 14:52, Stefan Claas wrote: >> I just checked again. On my Mac and on my Windows Notebook >> I get a green bar, from a blue "Untrusted" key when I go into >> Enigmail's Key Management and set the trust of that key to >> Ultimate... > Don't do

Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Peter Lebbing
On 12/06/17 14:52, Stefan Claas wrote: > I just checked again. On my Mac and on my Windows Notebook > I get a green bar, from a blue "Untrusted" key when I go into > Enigmail's Key Management and set the trust of that key to > Ultimate... Don't do this! Or did you do it just for testing?

Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Stefan Claas
On 07.06.17 22:23, Ludwig Hügelschäfer wrote: > Hi Stefan, > > On 06.06.17 22:19, Stefan Claas wrote: >> On 06.06.17 20:46, Charlie Jonas wrote: >>> On 2017-06-06 19:12, Stefan Claas wrote: I tried also with Enigmail under OS X but when checking the signatures here from the list

Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-07 Thread Stefan Claas
On 07.06.17 22:23, Ludwig Hügelschäfer wrote: > Hi Stefan, > > On 06.06.17 22:19, Stefan Claas wrote: >> On 06.06.17 20:46, Charlie Jonas wrote: >>> On 2017-06-06 19:12, Stefan Claas wrote: I tried also with Enigmail under OS X but when checking the signatures here from the list members

Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-07 Thread Ludwig Hügelschäfer
BTW: Could you please stop forwarding your replies to the list? Now there are 6 threads titled "Question for app developers, like Enigmail etc. - Identicons" on the list. Just click on "Reply to list" when replying. Thanks.

TOFU (was: Question for app developers, like Enigmail etc. - Identicons)

2017-06-07 Thread Peter Lebbing
On 07/06/17 13:49, Stefan Claas wrote: > In Enigmail with the blue and green bar (without showing statistics) it > would simply mean > that it switches from green to blue, right? Not necessarily! I don't know if Enigmail checks whether the From: is equal to the key UID, but we're talking about

Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-07 Thread Stefan Claas
On 07.06.2017 at 13:21, Peter Lebbing wrote: On 07/06/17 11:04, Peter Lebbing wrote: On 06/06/17 20:12, Stefan Claas wrote: Is TOFU verifying the email address from the from: header of the message and then compares it with the email address in the UID? Yes. Actually, that's not really

Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-07 Thread Peter Lebbing
On 07/06/17 11:04, Peter Lebbing wrote: > On 06/06/17 20:12, Stefan Claas wrote: >> Is TOFU verifying the email address from the from: header of the message >> and then compares it with the email address in the UID? > > Yes. Actually, that's not really correct. It also works without a From:. I

Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-07 Thread Stefan Claas
On 07.06.2017 at 11:04, Peter Lebbing wrote: On 06/06/17 20:12, Stefan Claas wrote: Is TOFU verifying the email address from the from: header of the message and then compares it with the email address in the UID? Yes. I ask, because if I would use a free form UID with no email address

Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-07 Thread Stefan Claas
On 07.06.2017 at 10:57, Peter Lebbing wrote: On 07/06/17 07:55, Stefan Claas wrote: The procedure went like this: I inserted my id-card in a certified card reader, which I purchased, started the German certified id-card software "AusweisApp2" to connect to the CA Server and the server checked

Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-07 Thread Peter Lebbing
On 06/06/17 20:46, Charlie Jonas wrote: > On 2017-06-06 19:12, Stefan Claas wrote: >> I tried also with Enigmail under OS X but when checking the signatures here >> from the list members I always get the blue "Untrusted Good Signature". > > Yes I get this as well. Interestingly whatever trust

Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-07 Thread Peter Lebbing
On 06/06/17 20:12, Stefan Claas wrote: > Is TOFU verifying the email address from the from: header of the message > and then compares it with the email address in the UID? Yes. > I ask, because > if I would use a free form UID with no email address That would make it difficult. >, or I use an

Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-07 Thread Peter Lebbing
On 07/06/17 07:55, Stefan Claas wrote: > The procedure went like this: I inserted my id-card in a certified > card reader, which I purchased, started the German certified id-card > software "AusweisApp2" to connect to the CA Server and the server > checked my id-card online and after verification

Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-07 Thread Stefan Claas
On 07.06.2017 at 08:50, Andrew Gallagher wrote: On 7 Jun 2017, at 06:55, Stefan Claas wrote: The procedure went like this: I inserted my id-card in a certified card reader, which I purchased, started the German certified id-card software "AusweisApp2" to connect to

Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-07 Thread Andrew Gallagher
> On 7 Jun 2017, at 06:55, Stefan Claas wrote: > > The procedure went like this: I inserted my id-card in a certified > card reader, which I purchased, started the German certified id-card > software "AusweisApp2" to connect to the CA Server and the server > checked my

Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-06 Thread Stefan Claas
On 07.06.17 00:04, MFPA wrote: > > > On Tuesday 6 June 2017 at 5:07:18 PM, in > , Stefan Claas > wrote:- > > > > Therefore qualified CA's > > in my opinion are mandatory where each user in each > > country [may] register > > with his/her id-card

Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-06 Thread MFPA
On Tuesday 6 June 2017 at 5:07:18 PM, in , Stefan Claas wrote:- > Therefore qualified CA's > in my opinion are mandatory where each user in each > country [may] register > with his/her id-card

Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-06 Thread Stefan Claas
On 06.06.17 20:46, Charlie Jonas wrote: > On 2017-06-06 19:12, Stefan Claas wrote: >> I tried also with Enigmail under OS X but when checking the signatures here >> from the list members I always get the blue "Untrusted Good Signature". > Yes I get this as well. Interestingly whatever trust level

Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-06 Thread Charlie Jonas
On 2017-06-06 19:12, Stefan Claas wrote: > I tried also with Enigmail under OS X but when checking the signatures here > from the list members I always get the blue "Untrusted Good Signature". Yes I get this as well. Interestingly whatever trust level I give keys, Enigmail on OSX seems to want to

Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-06 Thread Stefan Claas
On 06.06.17 12:46, Peter Lebbing wrote: > On 06/06/17 05:30, Duane Whitty wrote: >> As I understand the concept of TOFU (Trust On First Use), when you >> receive a signed email gpg tests that signature against the key >> retrieved from the public key servers associated with the email. > TOFU is

Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-06 Thread Stefan Claas
On 06.06.17 18:07, Stefan Claas wrote: > On 06.06.17 04:11, Daniel Kahn Gillmor wrote: >> On Tue 2017-06-06 01:24:43 +0200, Stefan Claas wrote: >>> On 05.06.17 22:26, Daniel Kahn Gillmor wrote: what does "bullet-proof" mean, specifically? >>> For me it means that the identicons should be

Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-06 Thread Stefan Claas
On 06.06.17 04:11, Daniel Kahn Gillmor wrote: > On Tue 2017-06-06 01:24:43 +0200, Stefan Claas wrote: >> On 05.06.17 22:26, Daniel Kahn Gillmor wrote: >>> what does "bullet-proof" mean, specifically? >> For me it means that the identicons should be visually easy to read >> and cryptographically

Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-06 Thread Peter Lebbing
On 06/06/17 05:30, Duane Whitty wrote: > As I understand the concept of TOFU (Trust On First Use), when you > receive a signed email gpg tests that signature against the key > retrieved from the public key servers associated with the email. TOFU is about *consistency*. It says: this e-mail is

Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-05 Thread Duane Whitty
On 17-06-05 11:11 PM, Daniel Kahn Gillmor wrote: > On Tue 2017-06-06 01:24:43 +0200, Stefan Claas wrote: >> On 05.06.17 22:26, Daniel Kahn Gillmor wrote: >>> what does "bullet-proof" mean, specifically? >> >> For me it means that the identicons should be visually easy to read >> and

Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-05 Thread Daniel Kahn Gillmor
On Tue 2017-06-06 01:24:43 +0200, Stefan Claas wrote: > On 05.06.17 22:26, Daniel Kahn Gillmor wrote: >> what does "bullet-proof" mean, specifically? > > For me it means that the identicons should be visually easy to read > and cryptographically secure. Sorry that I have no better explanation.

Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-05 Thread Stefan Claas
On 05.06.17 22:26, Daniel Kahn Gillmor wrote: > On Mon 2017-06-05 16:22:26 +0200, Stefan Claas wrote: >>> * in the "distinguishing" model, it's not clear that any of the schemes >>> i've seen are actually better for most humans against a dedicated >>> attacker who crafts fingerprints to

Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-05 Thread Daniel Kahn Gillmor
On Mon 2017-06-05 16:22:26 +0200, Stefan Claas wrote: >> * in the "distinguishing" model, it's not clear that any of the schemes >> i've seen are actually better for most humans against a dedicated >> attacker who crafts fingerprints to make visual identities that look >> similar. do

Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-05 Thread Stefan Claas
On 05.06.17 17:40, Stefan Claas wrote: > And another thought, since this thread says "app developers". How would > services like StartMail, ProtonMail or gmx.de for example handle this...? > > If I remember correctly users have not the possibility to sign someone > else's pub-key when they both

Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-05 Thread Stefan Claas
On 05.06.17 16:22, Stefan Claas wrote: > On 04.06.17 22:20, Daniel Kahn Gillmor wrote: > >> I'd generally think that if you're looking for a tool to help people >> remember and recognize keys that they've seen before, then a mail user >> agent is in a great position to do exactly that: just tell

Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-05 Thread Stefan Claas
On 04.06.17 22:20, Daniel Kahn Gillmor wrote: > Hi Stefan-- > > I think you're asking about two sort of different things. > > on the one hand, you're asserting that the 32-bit keyid isn't sufficient > for any sort of cryptographic verification. that's absolutely correct, > and enigmail really

Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-05 Thread Daniel Kahn Gillmor
Hi Stefan-- I think you're asking about two sort of different things. on the one hand, you're asserting that the 32-bit keyid isn't sufficient for any sort of cryptographic verification. that's absolutely correct, and enigmail really shouldn't be exposing the 32-bit keyID to humans where it can

Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-04 Thread Stefan Claas
On 05.06.17 01:05, Ben McGinnes wrote: > On Sun, Jun 04, 2017 at 10:47:56PM +0200, Stefan Claas wrote: >> I'm not yet familiar with the TOFU model, but if it helps to spot a >> fake pub key immediately, in addition to the regular trust-model I >> see no reason why not. > That's pretty much exactly

Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-04 Thread Ben McGinnes
On Sun, Jun 04, 2017 at 10:47:56PM +0200, Stefan Claas wrote: > > I'm not yet familiar with the TOFU model, but if it helps to spot a > fake pub key immediately, in addition to the regular trust-model I > see no reason why not. That's pretty much exactly what it does. TOFU stands for Trust On

Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-04 Thread Ben McGinnes
On Sun, Jun 04, 2017 at 08:29:31PM +0200, Kristian Fiskerstrand wrote: > On 06/04/2017 11:21 AM, Stefan Claas wrote: > >> The reason why I ask, I started to use Thunderbird with Enigmail >> and Enigmail shows me always Untrusted Good Signature with a 32bit >> key ID, when I have not carefully

Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-04 Thread Stefan Claas
On 04.06.17 22:32, Kristian Fiskerstrand wrote: > On 06/04/2017 10:25 PM, Stefan Claas wrote: >> With Thunderbird/Enigmail (I can't speak for other apps) a user new to GnuPG >> and not savvy with checking email headers and not carefully checking the >> fingerprint (he must click additionally on

Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-04 Thread Kristian Fiskerstrand
On 06/04/2017 10:25 PM, Stefan Claas wrote: > With Thunderbird/Enigmail (I can't speak for other apps) a user new to GnuPG > and not savvy with checking email headers and not carefully checking the > fingerprint (he must click additionally on the Details button) and who has > never > signed a

Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-04 Thread Stefan Claas
On 04.06.17 20:29, Kristian Fiskerstrand wrote: > On 06/04/2017 11:21 AM, Stefan Claas wrote: >> The reason why I ask, I started to use Thunderbird with Enigmail and >> Enigmail shows me always Untrusted Good Signature with a 32bit key ID, >> when I have not carefully verified the person's pub key

Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-04 Thread Kristian Fiskerstrand
On 06/04/2017 11:21 AM, Stefan Claas wrote: > The reason why I ask, I started to use Thunderbird with Enigmail and > Enigmail shows me always Untrusted Good Signature with a 32bit key ID, > when I have not carefully verified the person's pub key and --lsign'ed > the pub-key. Showing only the long

Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-04 Thread Stefan Claas
On 04.06.17 13:19, Ludwig Hügelschäfer wrote: > On 04.06.17 12:39, Stefan Claas wrote: >> On 04.06.17 11:50, Ben McGinnes wrote: > (...) > >>> then add "keyid-format 0xLONG" to your gpg.conf file. >>> >> I did that, but Enigmail still shows me the short key-id. :-( > The next major version of

Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-04 Thread Ludwig Hügelschäfer
On 04.06.17 12:39, Stefan Claas wrote: > On 04.06.17 11:50, Ben McGinnes wrote: (...) >> then add "keyid-format 0xLONG" to your gpg.conf file. >> > I did that, but Enigmail still shows me the short key-id. :-( The next major version of Enigmail will show long keyIds everywhere. Ludwig

Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-04 Thread Stefan Claas
On 04.06.17 12:50, Robert J. Hansen wrote: >> P.S. With scallion it took me only seconds/or a minute to generate >> a fake pub-key with the same 32bit key id, on my old notebook. > The question then becomes how hard it would be to forge a qidenticon. > There's not a whole lot of entropy there. I'm

Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-04 Thread Robert J. Hansen
> P.S. With scallion it took me only seconds/or a minute to generate > a fake pub-key with the same 32bit key id, on my old notebook. The question then becomes how hard it would be to forge a qidenticon. There's not a whole lot of entropy there.

Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-04 Thread Stefan Claas
On 04.06.17 11:50, Ben McGinnes wrote: > On Sun, Jun 04, 2017 at 11:21:33AM +0200, Stefan Claas wrote: >> The reason why I ask, I started to use Thunderbird with Enigmail and >> Enigmail shows me always Untrusted Good Signature with a 32bit key ID, >> when I have not carefully verified the

Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-04 Thread Ben McGinnes
On Sun, Jun 04, 2017 at 11:21:33AM +0200, Stefan Claas wrote: > Hi, > > I like to ask application developers if it's possible to implement, > in the future, identicons like for example Bitmessage has? > > https://github.com/jakobvarmose/go-qidenticon It's possible, but it's highly unlikely that

Question for app developers, like Enigmail etc. - Identicons

2017-06-04 Thread Stefan Claas
Hi, I like to ask application developers if it's possible to implement, in the future, identicons like for example Bitmessage has? https://github.com/jakobvarmose/go-qidenticon The reason why I ask, I started to use Thunderbird with Enigmail and Enigmail shows me always Untrusted Good Signature