Re: Break backwards compatibility already: it’s time. Ignore the haters. I trust you.

2018-05-21 Thread vedaal
On 22/05/2018 02:16, Mauricio Tavares wrote: Stupid question: what is wrong with a "encrypt/decrypt old format" flag/config option? If I have the need to use old stuff, I can turn that on. All I see here is a "do not open old stuff" as a default setting which should solve most issues. ...

Re: Break backwards compatibility already: it’s time. Ignore the haters. I trust you.

2018-05-21 Thread Mirimir
On 05/21/2018 03:38 PM, Mark Rousell wrote: > On 22/05/2018 02:16, Mauricio Tavares wrote: >> Stupid question: what is wrong with a "encrypt/decrypt old >> format" flag/config option? If I have the need to use old stuff, I can >> turn that on. All I see here is a "do not open old stuff" as a

Re: Break backwards compatibility already: it’s time. Ignore the haters. I trust you.

2018-05-21 Thread Mark Rousell
On 22/05/2018 02:16, Mauricio Tavares wrote: > Stupid question: what is wrong with a "encrypt/decrypt old > format" flag/config option? If I have the need to use old stuff, I can > turn that on. All I see here is a "do not open old stuff" as a default > setting which should solve most

Re: Breaking changes

2018-05-21 Thread Mirimir
On 05/21/2018 02:57 PM, Mark Rousell wrote: > On 22/05/2018 02:39, Mark Rousell wrote: >> Get real. These people are long-time GnuPG users and now you want to >> throw them under the bus because... well, because you prefer it that >> way. No, that's not a fair, it's not reasonable, it's not

Re: Breaking changes

2018-05-21 Thread Mark Rousell
On 22/05/2018 02:39, Mark Rousell wrote: > Get real. These people are long-time GnuPG users and now you want to > throw them under the bus because... well, because you prefer it that > way. No, that's not a fair, it's not reasonable, it's not ethical, or > it's even professional. [etc etc] On

Re: Break backwards compatibility already: it’s time. Ignore the haters. I trust you.

2018-05-21 Thread Mark Rousell
On 22/05/2018 02:47, Mirimir wrote: > > But OK. The point here is not to expect that you can open such archives > in an email client with Internet access, which is also receiving new > email. Because that makes it vulnerable to Efail and follow-ons. I agree. > So put > the archives in an

Re: Breaking changes

2018-05-21 Thread Mark Rousell
On 21/05/2018 10:46, Ralph Seichter wrote: > On 21.05.18 07:20, Robert J. Hansen wrote: > >> We should keep the 1.4 source code available, but wash our hands of it >> and say it will receive *no* future fixes, not even for security >> issues -- and we need to stand on that when people start

Re: Breaking changes

2018-05-21 Thread Mark Rousell
On 21/05/2018 06:20, Robert J. Hansen wrote: > Here's my own set of suggestions for breaking changes to GnuPG: > > 1. End-of-life 1.4 already. > > Yes, it's the only option for PGP 2.6. Yes, it's the only option for > old and out-of-date stuff. Yes, there will be people who need to > decrypt

Re: Break backwards compatibility already: it’s time. Ignore the haters. I trust you.

2018-05-21 Thread Mirimir
On 05/21/2018 02:41 PM, Mirimir wrote: > Yes, "accepting new emails with old crypto" is the problem. But Efail > relies on cyphertext embedded in URLs, which won't unauthenticate. Damn copypasta :( Please make that: > Yes, "accepting new emails with old crypto" is the problem. But Efail >

Re: Break backwards compatibility already: it’s time. Ignore the haters. I trust you.

2018-05-21 Thread Mirimir
On 05/21/2018 02:06 PM, Mark Rousell wrote: > On 21/05/2018 23:17, Mirimir wrote: >> On 05/21/2018 02:06 AM, Ed Kellett wrote: >> >> >> >>> Maybe they just want to be able to read emails that they received a long >>> time ago? >> So decrypt them all into a ramdisk, tar, and encrypt with GnuPG. Or

Re: Break backwards compatibility

2018-05-21 Thread Mark Rousell
On 21/05/2018 08:53, Michael Kesper wrote: > I think it might be best to put that functionality into a separate > GnuPG version called gpg-legacy. > Make it clear in all man pages of this tool, the --version and --help > options that this only exists to decrypt existing but now obsolete >

Re: Break backwards compatibility

2018-05-21 Thread Mark Rousell
On 21/05/2018 04:56, Jochen Schüttler wrote: > Some people have the necessity to decrypt old data, so there should be a > separate tool for them to do exactly that. It's the only way to start > off fresh. Agreed. And I think that GnuPG 1.x provides this tool, doesn't it. -- Mark Rousell

Re: Break backwards compatibility already: it’s time. Ignore the haters. I trust you.

2018-05-21 Thread Mark Rousell
On 21/05/2018 04:14, Jean-David Beyer wrote: > On 05/20/2018 08:51 PM, Jeremy Davis wrote: >> I just read the awesome article "Efail: A Postmortem" by Robert Hansen. >> >> Thanks for this Robert. Great work! >> >> As suggested by Robert, I've signed up to say: >> >> Break backwards compatibility

Re: Break backwards compatibility already: it’s time. Ignore the haters. I trust you.

2018-05-21 Thread Mirimir
On 05/21/2018 02:06 AM, Ed Kellett wrote: > On 2018-05-21 09:56, Andrew Skretvedt wrote: >> It seems to me that if the pearl-clutchers who would howl too loudly >> about breaking backwards compatibility were as concerned as they claim, >> they would realize that software evolves. But this

Re: A postmortem on Efail

2018-05-21 Thread Mark Rousell
On 21/05/2018 13:34, Ben McGinnes wrote: > I agree with most of the article and largely with the need to break > compatibility to an ancient flawed design. Particularly since we > still have a means of accessing those ancient formats if we have to in > the form of the GPG 1.4 branch. The

Re: Break backwards compatibility already: it’s time. Ignore the haters. I trust you.

2018-05-21 Thread Mark Rousell
On 21/05/2018 23:17, Mirimir wrote: > On 05/21/2018 02:06 AM, Ed Kellett wrote: > > > >> Maybe they just want to be able to read emails that they received a long >> time ago? > So decrypt them all into a ramdisk, tar, and encrypt with GnuPG. Or put > it on a backup box with LUKS. Or both. You

Re: Break backwards compatibility already: it’s time. Ignore the haters. I trust you.

2018-05-21 Thread Mark Rousell
On 21/05/2018 09:56, Andrew Skretvedt wrote: > I think Efail has shown now that OpenPGP/GnuPG retains the flexibility > to continue to adapt and maintain a well used and trusted standard for > private and authenticated data and communications, but it won't > achieve this if its evolution is

Re: Break backwards compatibility already: it’s time. Ignore the haters. I trust you.

2018-05-21 Thread Mark Rousell
On 21/05/2018 14:06, Ed Kellett wrote: > I think it's > a bit unfair to call this "exposing yourself to creeping insecurity". It > shouldn't ever be dangerous to *read an email* with an up-to-date email > client, no matter what, because emails shouldn't be able to phone home. > And the emails

Re: A postmortem on Efail

2018-05-21 Thread Mark Rousell
On 21/05/2018 15:17, Mark H. Wood wrote: >> Break backwards compatibility already: it’s time. Ignore the haters. I >> trust you. > (I understand that that's a quote of a discussion-opener from the write-up.) > > I'd like to first see how many haters can be won over by selling the > necessary

Re: A postmortem on Efail

2018-05-21 Thread Mark Rousell
On 21/05/2018 14:31, Ben McGinnes wrote: > I could have given them that benefit of the doubt on the initial > article too, but the FAQ they now have on the Surveillance > Self-Defense website does rather eviscerate any hope of that: > >

Re: A postmortem on Efail

2018-05-21 Thread Mark Rousell
On 21/05/2018 09:54, Damien Goutte-Gattat via Gnupg-users wrote: > On 05/21/2018 04:07 AM, Mark Rousell wrote: >> I think you mean that support for 2.0.y has been dropped, surely? > No, I do mean that support for all PGP 2-related stuff has been dropped > from the current stable branch. Modern

Re: Duplicate personal key in keyring

2018-05-21 Thread Dirk Gottschalk via Gnupg-users
Hello Justin. On Monday, 21.05.2018, at 11:25 -0500, Justin Hibbits wrote: > Through some unknown series of events, I now have two copies of my > personal gpg key in my keyring. I double-checked to see if GPG is > seeing the same key in two keyrings (maybe reading a backup), but > both > keys

Re: A postmortem on Efail

2018-05-21 Thread Mirimir
On 05/21/2018 02:31 AM, Ben McGinnes wrote: > On Sun, May 20, 2018 at 01:43:07PM -1100, Mirimir wrote: >> On 05/19/2018 11:44 PM, Aleksandar Lazic wrote: >>> >>> I do not want to create a conspiracy theory but it's wiggy that >>> EFF favors *NO* security ,pgp or s/mime, instead to fix the current

Re: Break backwards compatibility already: it’s time. Ignore the haters. I trust you.

2018-05-21 Thread Mirimir
On 05/21/2018 02:06 AM, Ed Kellett wrote: > Maybe they just want to be able to read emails that they received a long > time ago? So decrypt them all into a ramdisk, tar, and encrypt with GnuPG. Or put it on a backup box with LUKS. Or both.

Duplicate personal key in keyring

2018-05-21 Thread Justin Hibbits
Through some unknown series of events, I now have two copies of my personal gpg key in my keyring. I double-checked to see if GPG is seeing the same key in two keyrings (maybe reading a backup), but both keys are being read from the same keyring. This leads me to two questions: 1) How could

Re: efail is imho only a html rendering bug

2018-05-21 Thread Robert J. Hansen
(Only to point the finger at the real bug) Efail is not just an HTML rendering bug. It includes very real attacks against S/MIME as it's used by thousands of corporations. It's true that the cryptanalytic attack on OpenPGP is pretty much nothing. But even then, there's room to argue

Re: A postmortem on Efail

2018-05-21 Thread Ben McGinnes
On Mon, May 21, 2018 at 08:51:17AM -0400, Robert J. Hansen wrote: >> That being the *incredibly* unhelpful and likely actively harmful >> recommendation to remove encryption and decryption functionality from >> vulnerable MUAs. > > I blame the EFF for that more than I blame the Efail developers.

efail is imho only a html rendering bug

2018-05-21 Thread Klaus Römer
Internet works because we have standards. RFC 3986 states that URLs have to be encoded. Rendering engines which send unencoded content including whitespaces and newlines to an external Server are seriously broken. (Only to point the finger at the real bug) Kind Regards, Klaus

Re: A postmortem on Efail

2018-05-21 Thread Mark H. Wood
On Sun, May 20, 2018 at 07:23:17AM +, Dmitry Gudkov wrote: > I want to get involved and give a damn! [applause] > Break backwards compatibility already: it’s time. Ignore the haters. I > trust you. (I understand that that's a quote of a discussion-opener from the write-up.) I'd like to

Re: A postmortem on Efail

2018-05-21 Thread Ben McGinnes
On Sun, May 20, 2018 at 01:43:07PM -1100, Mirimir wrote: > On 05/19/2018 11:44 PM, Aleksandar Lazic wrote: >> >> I do not want to create a conspiracy theory but it's wiggy that >> EFF favors *NO* security ,pgp or s/mime, instead to fix the current >> possibilities and promote signal. > > I read

Break backwards compatibility already: it’s time. Ignore the haters. I trust you.

2018-05-21 Thread Ed Kellett
On 2018-05-21 09:56, Andrew Skretvedt wrote: > It seems to me that if the pearl-clutchers who would howl too loudly > about breaking backwards compatibility were as concerned as they claim, > they would realize that software evolves. But this evolution doesn't > eradicate its past. GnuPG is open

Re: A postmortem on Efail

2018-05-21 Thread Robert J. Hansen
> That being the *incredibly* unhelpful and likely actively harmful > recommendation to remove encryption and decryption functionality from > vulnerable MUAs. I blame the EFF for that more than I blame the Efail developers. I expect the people who develop new attacks to overstate their

Re: A postmortem on Efail

2018-05-21 Thread Ben McGinnes
On Sun, May 20, 2018 at 02:26:47AM -0400, Robert J. Hansen wrote: > Writing just for myself -- not for GnuPG and not for Enigmail and > definitely not for my employer -- I put together a postmortem on Efail. > You may find it worth reading. You may also not. Your mileage will > probably vary.

Break backwards compatibility already: it’s time. Ignore the haters. I trust you.

2018-05-21 Thread Andrew Skretvedt
“Break backwards compatibility already: it’s time. Ignore the haters. I trust you.” +1 Efail caused me to run across the criticism that Moxie Marlinspike wrote about GnuPG/OpenPGP in early 2015. https://moxie.org/blog/gpg-and-me/ It felt to me that without naming it, he'd focused on the

Re: Breaking changes

2018-05-21 Thread Ralph Seichter
On 21.05.18 07:20, Robert J. Hansen wrote: > We should keep the 1.4 source code available, but wash our hands of it > and say it will receive *no* future fixes, not even for security > issues -- and we need to stand on that when people start screaming. I agree. In my experience, this

Re: Break backwards compatibility

2018-05-21 Thread Michael Kesper
Hi all, On Monday, 21.05.2018, at 04:19 +0100, Mark Rousell wrote: > On 21/05/2018 02:12, Jochen Schüttler wrote: > > I'm all for breaking backwards compatibility. > > > > What's the worst the haters can do? Turn their back on GnuPG? Shout > > out > > really loud once more? I think they should

A postmortem on Efail

2018-05-21 Thread Damien Goutte-Gattat via Gnupg-users
On 05/21/2018 04:07 AM, Mark Rousell wrote: > I think you mean that support for 2.0.y has been dropped, surely? No, I do mean that support for all PGP 2-related stuff has been dropped from the current stable branch. Modern GnuPG (≥ 2.1) can neither read nor write anything that has been generated

Breaking changes

2018-05-21 Thread Damien Goutte-Gattat via Gnupg-users
On 05/21/2018 06:20 AM, Robert J. Hansen wrote: > 2. End-of-life 2.0. That one at least is already done. The 2.0 branch reached EOL with the 2.0.31 release on December 29, 2017. I believe Werner stated clearly enough that there will be *no* further point release on that branch, not even for