Re: One Key, multiple Smartcards not working anymore
Hello,

Thank you for the fast reply and the solution. I can confirm that this works. Also I switched to GPG 2.1 on my notebook (also Windows) and the bug doesn't exist in that version.

Best regards,
Josef

On 29.07.2015, 06:02 NIIBE Yutaka wrote:
> Hello,
>
> I forgot to address some way to recover.
>
> On 07/28/2015 04:09 AM, Josef Schneider wrote:
>> I insert the other card and do a card-status:
>> [...]
>> General key info..: pub  2048R/988E7DDD 2015-07-07 Josef Schneider <jo...@schneider.wf>
>> sec   4096R/9BE45ED0  created: 2012-12-10  expires: 2017-04-13  card no.: 0005
>> ssb   4096R/B641DD11  created: 2012-12-10  expires: never       card no.: 0005
>> ssb   4096R/CA02F8EA  created: 2012-12-10  expires: never       card no.: 0005
>> ssb#  2048R/988E7DDD  created: 2015-07-07  expires: 2017-07-06
>> ssb#  2048R/03E021FE  created: 2015-07-07  expires: 2017-07-06
>> ssb#  2048R/8B406748  created: 2015-07-07  expires: 2017-10-24
>
> In this situation, you have a stub for RSA 4096-bit keys.
>
>     4096R/9BE45ED0 - card no.: 0005
>     4096R/B641DD11 - card no.: 0005
>     4096R/CA02F8EA - card no.: 0005
>
> With GnuPG 2.0, you can export stub (it's not possible for GnuPG 2.1).
>
>     $ gpg -a -o 9BE45ED0-stub.asc --export-secret-keys 9BE45ED0
>     $ gpg -a -o B641DD11-stub.asc --export-secret-subkeys B641DD11
>     $ gpg -a -o CA02F8EA-stub.asc --export-secret-subkeys CA02F8EA
>
> Then,
>
>     General key info..: pub  2048R/988E7DDD 2015-07-07 Josef Schneider <jo...@schneider.wf>
>     sec#  4096R/9BE45ED0  created: 2012-12-10  expires: 2017-04-13
>     ssb#  4096R/B641DD11  created: 2012-12-10  expires: never
>     ssb#  4096R/CA02F8EA  created: 2012-12-10  expires: never
>     ssb   2048R/988E7DDD  created: 2015-07-07  expires: 2017-07-06  card no.: 0006
>     ssb   2048R/03E021FE  created: 2015-07-07  expires: 2017-07-06  card no.: 0006
>     ssb   2048R/8B406748  created: 2015-07-07  expires: 2017-10-24  card no.: 0006
>
> When you have this configuration ('#' means no secret key), import *-stub.asc by gpg --import.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
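The listings in the exchange above mark a subkey whose secret part is a stub pointing at no card with `#`. As an added example (not part of the original message and not GnuPG's own code), the following Python script classifies the machine-readable form of the same information, `gpg --list-secret-keys --with-colons`, into on-disk, on-card and stub-without-card entries, so a two-card setup can be checked before and after the stubs are re-imported. The sample listing is constructed: the key IDs, fingerprint, user ID and card serial are invented. It assumes, per GnuPG's DETAILS file ("S/N of a token"), that field 15 of a `sec`/`ssb` record carries the card's application identifier for an on-card key and `#` for a stub; the AID decoding follows the OpenPGP card specification's layout.

```python
"""Classify secret-key records from `gpg --list-secret-keys --with-colons`.

Added example, not GnuPG code. Field 15 (index 14) of a sec/ssb record is
assumed to carry the card AID for keys that live on a card and '#' for a
stub that points at no card (GnuPG DETAILS, "S/N of a token").
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample listing: invented key IDs, fingerprint, UID and card AID.
SAMPLE_LISTING = """\
sec:u:4096:1:AAAAAAAA9BE45ED0:1355097600:1492041600::u:::cSC:::D27600012401020000050000ABCD0000::::
fpr:::::::::0123456789ABCDEF0123456789ABCDEF9BE45ED0:
uid:u::::1436227200::0000000000000000000000000000000000000000::Josef Schneider <josef@example.invalid>::::::::::0:
ssb:u:4096:1:AAAAAAAAB641DD11:1355097600::::::e:::D27600012401020000050000ABCD0000::::
ssb:u:4096:1:AAAAAAAACA02F8EA:1355097600::::::a:::D27600012401020000050000ABCD0000::::
ssb:u:2048:1:AAAAAAAA988E7DDD:1436227200:1499299200:::::e:::#::::
ssb:u:2048:1:AAAAAAAA03E021FE:1436227200:1499299200:::::s:::#::::
ssb:u:2048:1:AAAAAAAA8B406748:1436227200:1508803200:::::a:::#::::
"""


@dataclass
class SecretKeyRecord:
    kind: str               # "sec" (primary) or "ssb" (subkey)
    keyid: str
    location: str           # "disk", "card" or "stub"
    serial: Optional[str]   # card AID when location == "card"


def parse_secret_records(listing: str):
    """Parse sec/ssb lines of a --with-colons listing; other record types are skipped."""
    records = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("sec", "ssb"):
            continue
        token = fields[14] if len(fields) > 14 else ""
        if token == "#":
            location, serial = "stub", None       # secret part is a stub, no card known
        elif token and token != "+":
            location, serial = "card", token      # secret part lives on this card
        else:
            location, serial = "disk", None       # ('+' is the --with-secret marker)
        records.append(SecretKeyRecord(fields[0], fields[4], location, serial))
    return records


def stubs_without_card(records):
    """Key IDs whose secret part is a stub that GnuPG cannot map to any card."""
    return [r.keyid for r in records if r.location == "stub"]


def cards_needed(records):
    """Distinct card AIDs that must be inserted to use every on-card key."""
    return sorted({r.serial for r in records if r.location == "card"})


def decode_openpgp_aid(aid: str):
    """Split a 16-byte OpenPGP card AID (hex) into (manufacturer, serial).

    Layout per the OpenPGP card specification: RID D2 76 00 01 24,
    application 01, version (2 bytes), manufacturer (2 bytes),
    serial (4 bytes), RFU (2 bytes).
    """
    if len(aid) != 32 or not aid.upper().startswith("D27600012401"):
        raise ValueError("not an OpenPGP card AID")
    return aid[16:20], aid[20:28]


if __name__ == "__main__":
    recs = parse_secret_records(SAMPLE_LISTING)
    for r in recs:
        mark = "#" if r.location == "stub" else " "
        print(f"{r.kind}{mark} {r.keyid} {r.location} {r.serial or ''}")
    for aid in cards_needed(recs):
        mfr, sn = decode_openpgp_aid(aid)
        keys = [r.keyid for r in recs if r.serial == aid]
        print(f"insert card {mfr} {sn} for: {keys}")
    print("stubs with no card:", stubs_without_card(recs))
```

Run against a real listing (`gpg --list-secret-keys --with-colons | python3 script.py` with the sample replaced by `sys.stdin.read()`), the "stubs with no card" list is exactly the set of subkeys that will fail with the second card inserted; after importing the exported `*-stub.asc` files as described above, every entry should report a card AID and the list should be empty.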
Re: Proposal of OpenPGP Email Validation
Indeed, as written in the proposal, key 8B5A ABB1 A033 21CE C2FF C35F 3BA0 E844 EDEB DFE9
https://hkps.pool.sks-keyservers.net/pks/lookup?op=vindex&search=0x3BA0E844EDEBDFE9
is a faked key which is signed by a faked CA.

THAT's exactly the problem I want to fix!
And note that for ordinary users it is not that easy to find out.

Yes, people could in this case double check with the web site of the magazine.
But they simply don't do that (including me and a couple of other people here in this forum!).
As a result Jürgen again and again gets emails with the wrong key.
And I didn't get an answer from Jürgen ...
And ... I want to avoid this unnecessary burden.

BTW, as another example, several keys of t...@gpgtools.org are faked
(search for these keys and see the interesting result).

On 30.07.2015 at 12:23, MFPA wrote:
> Hi
>
> On Thursday 30 July 2015 at 9:27:37 AM, in mid:55b9dff9.6080...@gmail.com, Viktor Dick wrote:
>
>> On 2015-07-30 10:17, Ingo Klöcker wrote:
>>> I'm sorry to tell you that you have fallen into the trap. There is only one genuine pg...@ct.heise.de key, the fingerprint of which is printed in each issue of the c't magazine. The other one is a fake. And the fact that the fake key with the author's email address is signed by different keys only means that a lot of people have signed this fake key without following the proper procedure of key validation (or that the trolls created even more fake keys to sign the author's fake key to make it look more credible).
>>
>> Not according to http://www.heise.de/security/dienste/PGP-Schluessel-der-c-t-CA-473386.html where three different keys are listed (two DSS and one RSA).
>
> I concur that the keys 38EA4970 and E1374764 both look likely to be genuine. One has signatures from B3B2A12C, the other from DAFFB000. The link above lists as "ct magazine CERTIFICATE <pg...@ct.heise.de>" keys B3B2A12C and DAFFB000, as well as a third key BB1D9F6D.
>
> As for the other non-revoked keys I found by searching for "schmidt juergen heise de":
>
> - all four are signed by a "ct magazine CERTIFICATE <pg...@ct.heise.de>" key F6ADD6C2 that is not listed on the magazine's page.
> - all four are also signed by a "ct magazine CERTIFICATE ct magazine CERTIFICATE" key FB4DFDC6.
> - one of the four has a UID claiming itself to be another "ct magazine CERTIFICATE <pg...@ct.heise.de>" as well as being Juergen Schmidt's key.
> - Also all four have the same creation date.
>
> I guess anybody being fooled didn't look at the page linked above, or they would have used key 2C26A309 "ct magazine pgpCA CommunicationKey 2015 <pg...@ct.heise.de>" when contacting the magazine. (-;

-- 
Nicolai M. Josuttis
www.josuttis.de
mailto:n...@enigmail.net
PGP fingerprint: CFEA 3B9F 9D8E B52D BD3F 7AF6 1C16 A70A F92D 28F5
Re: Proposal of OpenPGP Email Validation
Hi

On Thursday 30 July 2015 at 7:04:28 AM, in mid:55b9be6c.1050...@gmail.com, Viktor Dick wrote:

> On 2015-07-29 18:24, n...@enigmail.net wrote:
>> So, could somebody explain in a bit more detail how a PoW approach works?
>
> As far as I understand it, for any key that you have - regardless whether you have access to the mail address in the uid - you can add some signature where anyone with the public key can quickly check that the person that possesses the private key has spent a specific amount of computing power (e.g., 1 week with an average PC) to create this signature. It is hard to create the signature (impossible without the private key, a lot of computing power with it) but easy to check.

That's my understanding, too.

> Essentially, you create the possibility to make a key 'premium' by spending this time and hope that trolls who flood the keyservers with fake keys will be deterred by the costs.

You can hope so, but is it reasonable to expect?

> Anyone who does not have any problem with trolls can of course still upload a non-premium key.

And anybody who doesn't trust Proof of Work as a validation could trust only encrypted-mail validations. It would be simple, as PoW validation signatures would be self-certs whereas enc-mail validation certs would come from a validation server's key.

> I myself find the idea not so appealing. I would not like it if after creating a key my machine had high CPU load for a couple of weeks. And I doubt that many trolls will be deterred by it - the number of fake keys per time interval will go down, but since they are anyhow going out of their way to create problems for others without any gain for themselves, I think a significant portion will still do it even if it costs more.

I think a week of computing for the PoW is excessive. But if the troll's CPU time is on a botnet, they won't care about the cost or about slowing down their machine for a week.

> I rather like the idea of servers that offer to sign your key (or rather a specific UID) and send it to your email, encrypted to you. For the user this just means that if he has the problem of trolls using his address he has to send his key to such a server or upload it in a webinterface, then receive the mail, decrypt it and import the contained signatures to his key, and optionally upload his new key to a keyserver - with enigmail, for example, everything done within a few clicks.

I prefer this method rather than clicking a link in an email. But people are used to that scenario from website registrations, as long as the email arrives within a couple of minutes of them registering on the website.

> Anyone who looks for a key to a specific mail address on a keyserver will probably, when faced with multiple results, take the one that has most signatures (and isn't expired) - especially if some of the signatures are from email-verification-sounding hostnames.

Surely, all signatures from keys that you do not already trust are just ambient noise.

> Therefore, there is no necessity to create a whitelist of servers (but it can be done, if a user decides to trust signatures of a specific server) and it is still decentralized - anyone can set up such a verification server.

If it can be done without Big Brother creating a whitelist, it should be.

> Of course with a lot of effort, a troll could still try to create a complete fake network and cross-sign different keys. But here the amount of work to be done for a troll is much bigger than that for a genuine user, so hopefully it will not be a problem.

I imagine it would not be much of a problem for a troll to automate most of the work. But unless they compromise some keys from genuine validators, it's all in vain if people bother to check signatures. Hold on, the magazine writer's problem is that people encrypt his emails to the wrong key because they do not bother to check signatures.

-- 
Best regards
MFPA                  mailto:2014-667rhzu3dc-lists-gro...@riseup.net

A closed mouth gathers no foot
Re: Proposal of OpenPGP Email Validation
On 2015-07-30 16:39, MFPA wrote:
> On Thursday 30 July 2015 at 1:43:35 PM, in mid:55ba1bf7.4090...@enigmail.net, n...@enigmail.net wrote
>> BTW, as another example, several keys of t...@gpgtools.org are faked (search for these keys and see the interesting result).
>
> Sorry, I don't see a result that leaps out at me as interesting. Are you willing to elaborate?

I'd say if one searches on a keyserver, it is pretty clear which key is real. I'm a bit worried because when I search with Enigmail it does not show the signatures, so from there they all seem equally valid.

Regards,
Viktor
Re: Proposal of OpenPGP Email Validation
On Thursday 30 July 2015 at 1:43:35 PM, in mid:55ba1bf7.4090...@enigmail.net, n...@enigmail.net wrote:
> BTW, as another example, several keys of t...@gpgtools.org are faked (search for these keys and see the interesting result).

Sorry, I don't see a result that leaps out at me as interesting. Are you willing to elaborate?

-- 
Best regards
MFPA                  mailto:2014-667rhzu3dc-lists-gro...@riseup.net

Teamwork is essential - it allows you to blame someone else
Re: Proposal of OpenPGP Email Validation
On 07/30/2015 05:12 PM, Viktor Dick wrote:
> On 2015-07-30 16:39, MFPA wrote:
>> On Thursday 30 July 2015 at 1:43:35 PM, in mid:55ba1bf7.4090...@enigmail.net, n...@enigmail.net wrote
>>> BTW, as another example, several keys of t...@gpgtools.org are faked (search for these keys and see the interesting result).
>>
>> Sorry, I don't see a result that leaps out at me as interesting. Are you willing to elaborate?
>
> I'd say if one searches on a keyserver, it is pretty clear which key is real. I'm a bit worried because when I search with Enigmail it does not show the signatures, so from there they all seem equally valid.

Instinctively this sounds flawed; the point is there is no way without downloading the key and verifying the validation path through other existing known good keys. If you rely solely on the number of signatures, that can easily be constructed, either through generating new keys or due to the keyservers not doing any cryptographic verification that the signatures themselves are correct.

... and that is intended behavior ...

-- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
Nil satis nisi optimum
Nothing but the best is good enough
Re: Proposal of OpenPGP Email Validation
On Friday 31 July 2015 at 12:11:35 AM, in mid:957598505.20150731001135@my_localhost, MFPA wrote:
> However, what would be different if one of the keys found happened to carry one of your proposed?

Sorry, that should have been:-

What would be different if one of the keys found in the search happened to carry one of the proposed email address validation signatures?

-- 
Best regards
MFPA                  mailto:2014-667rhzu3dc-lists-gro...@riseup.net

No matter what a man's past may have been, his future is spotless.
Re: Proposal of OpenPGP Email Validation
On 31.07.2015 01:11, MFPA wrote:
> Only if you download the key from the GPGTools website and find the key-id first. (If the GPGTools team shows their key ID or Fingerprint on their website, I failed to find it.)

On the front page they have 'to verify the signature, please download and import our updated key' right below the download button. There is no fingerprint, but the whole key is there.

But I was talking about the fact that of the six results, one has hundreds of signatures. Sure, in the web of trust concept this doesn't mean anything unless there is a (short) trust chain from me to one of these, but in practice this still significantly raises the chance that it is the correct key (and it is, I checked with the one on their homepage).

> My output from searching a keyserver for gpgtools.org:-

'gpg --search-keys' does not seem to give a list of signatures (which explains why enigmail also doesn't); I was searching using a web interface. I guess this is because it is assumed that signatures do not mean anything without a trust chain. But if I had to bet money on one of the keys, I would still take the one with hundreds of signatures.

> However, what would be different if one of the keys found happened to carry one of your proposed email address validation signatures?

If I could quickly check (or rather, my client could do that automatically) that the signature is also found on their web page, I can assume that either the web page is fake (which is unlikely for something known like ccc.de), it has been hacked (unlikely for a random troll) or someone intercepted either my HTTP request or the original verification e-mail (possible with a secret service, unlikely with a troll). Therefore, it will raise my estimated probability that the owner of the key also has access to the mailbox, which will pretty surely now be much higher than for any fake key.

The advantage with respect to the proof of work concept is that the procedure is asymmetric: it costs much more to troll than to verify a genuine key.

Best regards,
Viktor
Re: Proposal of OpenPGP Email Validation
On Thursday 30 July 2015 08:04:28 Viktor Dick wrote:
> Now that I think about it - if I search for the original author of the c't article (j...@ct.de), who complained about getting mails that were encrypted to some fake key, I would assume that the keys 38EA4970 and E1374764 are both genuine, because they both have not only selfsigs. BTW, they are both signed by different keys with the UID 'pg...@ct.heise.de', so they already have a similar service in place - of course I had to do a websearch to find if these keys are genuine, which should probably be easier. I guess ideally the UID would contain a weblink to a page that has the fingerprint and describes the service shortly.

I'm sorry to tell you that you have fallen into the trap. There is only one genuine pg...@ct.heise.de key, the fingerprint of which is printed in each issue of the c't magazine. The other one is a fake. And the fact that the fake key with the author's email address is signed by different keys only means that a lot of people have signed this fake key without following the proper procedure of key validation (or that the trolls created even more fake keys to sign the author's fake key to make it look more credible).

Regards,
Ingo
Re: Proposal of OpenPGP Email Validation
On 2015-07-30 10:17, Ingo Klöcker wrote:
> I'm sorry to tell you that you have fallen into the trap. There is only one genuine pg...@ct.heise.de key, the fingerprint of which is printed in each issue of the c't magazine. The other one is a fake. And the fact that the fake key with the author's email address is signed by different keys only means that a lot of people have signed this fake key without following the proper procedure of key validation (or that the trolls created even more fake keys to sign the author's fake key to make it look more credible).

Not according to http://www.heise.de/security/dienste/PGP-Schluessel-der-c-t-CA-473386.html where three different keys are listed (two DSS and one RSA).
Re: Proposal of OpenPGP Email Validation
On 2015-07-29 18:24, n...@enigmail.net wrote:
> So, could somebody explain in a bit more detail how a PoW approach works?

As far as I understand it, for any key that you have - regardless whether you have access to the mail address in the uid - you can add some signature where anyone with the public key can quickly check that the person that possesses the private key has spent a specific amount of computing power (e.g., 1 week with an average PC) to create this signature. It is hard to create the signature (impossible without the private key, a lot of computing power with it) but easy to check.

Essentially, you create the possibility to make a key 'premium' by spending this time and hope that trolls who flood the keyservers with fake keys will be deterred by the costs. Anyone who does not have any problem with trolls can of course still upload a non-premium key.

I myself find the idea not so appealing. I would not like it if after creating a key my machine had high CPU load for a couple of weeks. And I doubt that many trolls will be deterred by it - the number of fake keys per time interval will go down, but since they are anyhow going out of their way to create problems for others without any gain for themselves, I think a significant portion will still do it even if it costs more.

I rather like the idea of servers that offer to sign your key (or rather a specific UID) and send it to your email, encrypted to you. For the user this just means that if he has the problem of trolls using his address he has to send his key to such a server or upload it in a webinterface, then receive the mail, decrypt it and import the contained signatures to his key, and optionally upload his new key to a keyserver - with enigmail, for example, everything done within a few clicks.

Anyone who looks for a key to a specific mail address on a keyserver will probably, when faced with multiple results, take the one that has most signatures (and isn't expired) - especially if some of the signatures are from email-verification-sounding hostnames. Therefore, there is no necessity to create a whitelist of servers (but it can be done, if a user decides to trust signatures of a specific server) and it is still decentralized - anyone can set up such a verification server. Of course with a lot of effort, a troll could still try to create a complete fake network and cross-sign different keys. But here the amount of work to be done for a troll is much bigger than that for a genuine user, so hopefully it will not be a problem.

It would also be possible to check for known services if the signature is actually theirs (by checking the key with that on the homepage or something like that), but of course it should have been possible to do that with the original recipient already...

These signatures should expire after a year or so, so keys where the owner no longer has access to the private key will lose these signatures after a while. I myself have two older keys from early experiments (where I did not specify an expiry date) uploaded to the keyserver network, but I guess anyone who looks me up will take my current key, because it has much more subkeys (which I now change every year) and also some signatures.

Now that I think about it - if I search for the original author of the c't article (j...@ct.de), who complained about getting mails that were encrypted to some fake key, I would assume that the keys 38EA4970 and E1374764 are both genuine, because they both have not only selfsigs. BTW, they are both signed by different keys with the UID 'pg...@ct.heise.de', so they already have a similar service in place - of course I had to do a websearch to find if these keys are genuine, which should probably be easier. I guess ideally the UID would contain a weblink to a page that has the fingerprint and describes the service shortly.

Regards,
Viktor
Re: Proposal of OpenPGP Email Validation
On Thursday 30 July 2015 at 4:12:35 PM, in mid:55ba3ee3.7000...@gmail.com, Viktor Dick wrote:

> On 2015-07-30 16:39, MFPA wrote:
>> On Thursday 30 July 2015 at 1:43:35 PM, in mid:55ba1bf7.4090...@enigmail.net, n...@enigmail.net wrote
>>> BTW, as another example, several keys of t...@gpgtools.org are faked (search for these keys and see the interesting result).
>>
>> Sorry, I don't see a result that leaps out at me as interesting. Are you willing to elaborate?
>
> I'd say if one searches on a keyserver, it is pretty clear which key is real.

Only if you download the key from the GPGTools website and find the key-id first. (If the GPGTools team shows their key ID or Fingerprint on their website, I failed to find it.)

My output from searching a keyserver for gpgtools.org:-

---
C:\TDM-GCC-32>gpg --search-keys t...@gpgtools.org
gpg: using character set 'utf-8'
gpg: data source: http://kronecker.scientia.net:11371
(1)     GPGTools Team <t...@gpgtools.org>
          2048 bit RSA key 0xDE13CCD892EFC169, created: 2013-09-13, expires: 2017-09-13
(2)     GPGTools Team <t...@gpgtools.org>
          2048 bit RSA key 0x93F6E721F7D75F75, created: 2013-09-13, expires: 2017-09-13
(3)     GPGTools Team <t...@gpgtools.org>
          2048 bit RSA key 0x07F7603CC8F5BBF1, created: 2013-09-13, expires: 2017-09-13
(4)     *Key invalid; use 76D78F0500D026C4
        GPG Tools Team <t...@gpgtools.org>
          2048 bit RSA key 0x929D128A9EA002BA, created: 2013-09-13, expires: 2017-09-13
(5)     George Nigg <t...@gpgtools.org>
          2048 bit RSA key 0xD0863D5E46FA0F9F, created: 2013-07-12, expires: 2017-07-12
(6)     GPGTools Team <t...@gpgtools.org>
        GPGMail Project Team (Official OpenPGP Key) <gpgmail-devel@lists.gpgma
        GPGTools Project Team (Official OpenPGP Key) <gpgtools-org@lists.gpgto
          2048 bit DSA key 0x76D78F0500D026C4, created: 2010-08-19, expires: 2018-08-19
Keys 1-6 of 6 for "t...@gpgtools.org".  Enter number(s), N)ext, or Q)uit >
---

Number 6 has more UIDs but nothing in the search listing tells me any key is clearly the one I want.

When verifying a software download, the search would be the other way around. I would be checking a signature, so GnuPG would search the server for the key-id that made the signature, the signature would be good or bad, and the key would be the one their website says it should be or it wouldn't. (OK, there would quite probably be certifications vouching for the key as well, in case the site was hacked and now said a different key.)

> I'm a bit worried because when I search with Enigmail it does not show the signatures, so from there they all seem equally valid.

I do not use Enigmail, so couldn't comment. However, what would be different if one of the keys found happened to carry one of your proposed?

-- 
Best regards
MFPA                  mailto:2014-667rhzu3dc-lists-gro...@riseup.net

What's another word for synonym?
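The search listing above (six keys, one address, no way to tell them apart from the listing) and Kristian Fiskerstrand's point earlier in the thread (signature counts can be manufactured, and keyservers do not verify the signatures they serve) can be made concrete. As an added example, not from the original thread and not GnuPG's code, the following Python script runs two selection rules over a constructed certification graph: "take the key with the most signatures" versus "accept only keys certified by an introducer I verified out-of-band". The second rule is a much simplified stand-in for GnuPG's trust calculation (one fully trusted introducer suffices; no marginals, no depth). Every key ID, user ID and certification in it is invented, and the graph is treated the way a keyserver hands it out: as unverified claims.

```python
"""Popularity vs. validity when several keys claim the same e-mail address.

Added example, not thread or GnuPG code. Models what a keyserver returns:
a bag of (signer, target) certifications that nobody has checked. A real
client must first verify each certification signature cryptographically;
this model only asks which rule to use once the signatures are known good.
"""
from collections import defaultdict

ADDRESS = "editor@example.invalid"

# Constructed data: three keys carry the same UID; key IDs are invented.
KEYS = {
    "0xGENUINE0001": ADDRESS,
    "0xFAKE00000001": ADDRESS,
    "0xFAKE00000002": ADDRESS,
}

# The one introducer whose fingerprint the user checked out-of-band
# (the thread's analogue: the CA fingerprint printed in the magazine).
TRUSTED_INTRODUCERS = {"0xREALCA000001"}


def build_certs():
    """Constructed certification graph, as a list of (signer, target)."""
    certs = [(k, k) for k in KEYS]                      # self-signatures
    certs.append(("0xREALCA000001", "0xGENUINE0001"))   # one cert from the real CA
    # Troll: 100 throwaway keys certify fake key 1 ...
    certs += [(f"0xSOCK{i:08X}", "0xFAKE00000001") for i in range(100)]
    # ... and a fake "CA" cross-signs both fakes, and is signed back by one of them.
    certs += [
        ("0xFAKECA000001", "0xFAKE00000001"),
        ("0xFAKECA000001", "0xFAKE00000002"),
        ("0xFAKE00000002", "0xFAKECA000001"),
    ]
    return certs


def certifications_by_target(certs):
    """Map target key -> set of third-party signers (self-sigs say nothing about the address)."""
    by_target = defaultdict(set)
    for signer, target in certs:
        if signer != target:
            by_target[target].add(signer)
    return by_target


def candidates_for(address):
    return [k for k, uid in KEYS.items() if uid == address]


def pick_most_signed(certs, address):
    """Rule 1: the key with the most certifications wins."""
    by_target = certifications_by_target(certs)
    return max(candidates_for(address), key=lambda k: len(by_target[k]))


def valid_keys(certs, address, introducers):
    """Rule 2: only keys certified by a trusted introducer are valid (may be empty)."""
    by_target = certifications_by_target(certs)
    return sorted(k for k in candidates_for(address) if by_target[k] & introducers)


if __name__ == "__main__":
    certs = build_certs()
    counts = {k: len(v) for k, v in certifications_by_target(certs).items() if k in KEYS}
    print("certification counts:", counts)
    print("most signed:", pick_most_signed(certs, ADDRESS))
    print("valid via trusted introducer:", valid_keys(certs, ADDRESS, TRUSTED_INTRODUCERS))
    print("valid if the fake CA were trusted:", valid_keys(certs, ADDRESS, {"0xFAKECA000001"}))
```

The popularity rule picks the fake key with a hundred sock-puppet signatures; the introducer rule picks the genuine key on the strength of a single certification, and returns nothing at all when the user has verified no introducer, which is the honest answer. The last line of the demo shows the flip side: trusting the troll's "CA" makes the fakes valid, so what matters is how the introducer's fingerprint was verified, not how many signatures sit on the keyserver.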
Re: Is there a way to comment a key locally?
Hi

On Thursday 30 July 2015 at 2:02:17 AM, in mid:87h9ome9uu@alice.fifthhorseman.net, Daniel Kahn Gillmor wrote:
> Sure, that would work. But if you're going to do that, why not just keep the info in your associated addressbook or other handy database/textfile? the GnuPG keyring isn't the most efficient data store for arbitrary data.

Fair enough. But keeping it in the keyring is neat, and I'm sure I read somewhere that the .kbx format is more flexible than the old keyring format and stores meta-information about the keys. Local comments seem to me to be a reasonable type of metadata to want to store. They could usefully double as a locally-assigned UID or handle for the key, saying "red haired funny tall guy from XYZ meeting" or including an email address that is not in the key's actual UIDs.

-- 
Best regards
MFPA                  mailto:2014-667rhzu3dc-lists-gro...@riseup.net

Virtual workspace, Virtual Office, Virtual Job
Re: Is there a way to comment a key locally?
On Wed, 29 Jul 2015 18:34, d...@fifthhorseman.net said:
> note that this has the side effect of marking every lsigned key+user id as valid (since i'm certifying it with my own key).

It would be possible to add a notation in the unhashed area so that it can be added to the self-signature(s). We would of course not export such a notation.

Another option is to add a comment to the metadata which we store in a keybox.

An even better way will be to allow for a comment in the TOFU database we will eventually implement.

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are regulated by federal law.
Re: Proposal of OpenPGP Email Validation
On Wed, 29 Jul 2015 17:49, patr...@enigmail.net said:
> The whole point of this exercise is to verify that the key and the email address(es) belong _together_. I don't see how PoW could do this, or I didn't understand it well enough.

The idea with a regular PoW is that an attacker (well, script kiddie) would look for a lower hanging fruit than to create a faked key. The PoW is expensive and thus the expectation is that it would at best only be done for the first interval but not a second time.

My points against PoW are:

- PoW is not green computing so it should only be done in rare cases.
- Users with low end devices are discriminated.
- With all that surplus Bitcoin mining rig we would soon see a lot of faked keys just for the fun of it - or as a service.

Salam-Shalom,

   Werner

-- 
Thoughts are free. Exceptions are regulated by federal law.
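For readers who want to see what the "premium" proof-of-work signature discussed in this thread (Viktor's description earlier and Werner's objections above) would actually consist of, here is an added example in Python. It is not from the thread, from Enigmail or from GnuPG; it is a plain hash-based proof of work, with the search bound to a key fingerprint and user ID so the work cannot be transferred to another key or UID. The fingerprint and UID in the usage are invented. The example is meant to show the cost asymmetry, about 2**bits hash evaluations to produce versus one to check, and, as Patrick's quoted question points out, that the proof says nothing about whether the key holder controls the mailbox in the UID.

```python
"""Hash-based proof of work bound to a key fingerprint and user ID.

Added example, not thread/Enigmail/GnuPG code. Producing the proof costs about
2**bits SHA-256 evaluations on average; checking it costs one. The proof shows
that CPU time was spent on this (fingerprint, uid) pair and nothing else.
"""
import hashlib


def _digest(fingerprint: str, uid: str, nonce: int) -> bytes:
    # The nonce is searched over; fingerprint and uid fix what the work is bound to.
    msg = f"{fingerprint}\n{uid}\n{nonce}".encode()
    return hashlib.sha256(msg).digest()


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a big-endian digest."""
    n = int.from_bytes(digest, "big")
    return len(digest) * 8 - n.bit_length()


def verify_pow(fingerprint: str, uid: str, nonce: int, bits: int) -> bool:
    """One hash: does the bound digest meet the difficulty?"""
    return leading_zero_bits(_digest(fingerprint, uid, nonce)) >= bits


def mine_pow(fingerprint: str, uid: str, bits: int, max_tries=None):
    """Search nonces until the difficulty is met. Returns (nonce, tries).

    Expected tries is about 2**bits; max_tries bounds the search (e.g. for a
    client that refuses to run for a week).
    """
    nonce = 0
    while max_tries is None or nonce < max_tries:
        if verify_pow(fingerprint, uid, nonce, bits):
            return nonce, nonce + 1
        nonce += 1
    raise RuntimeError("no proof found within max_tries")


def expected_hashes(bits: int) -> int:
    """Average work to produce a proof of this difficulty, in hash evaluations."""
    return 2 ** bits


if __name__ == "__main__":
    # Invented fingerprint and UID for the demo.
    fp = "0123456789ABCDEF0123456789ABCDEF01234567"
    uid = "Alice <alice@example.invalid>"
    bits = 16
    nonce, tries = mine_pow(fp, uid, bits)
    print(f"difficulty {bits} bits, expected ~{expected_hashes(bits)} hashes, took {tries}")
    print("verifies for the bound UID:     ", verify_pow(fp, uid, nonce, bits))
    print("verifies for a different UID:   ", verify_pow(fp, "Mallory <alice@example.invalid>", nonce, bits))
```

At 16 bits the search finishes in well under a second; each extra bit doubles the average cost, and the "one week on an average PC" figure from the thread is simply a difficulty chosen to make that average land at a week on that hardware, which is the same difficulty a botnet or a mining rig would clear in minutes. Nothing in the proof involves the mailbox, so whoever verifies it learns only that effort was spent, not that the UID is honest.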
Re: Proposal of OpenPGP Email Validation
Hi

On Thursday 30 July 2015 at 9:27:37 AM, in mid:55b9dff9.6080...@gmail.com, Viktor Dick wrote:

> On 2015-07-30 10:17, Ingo Klöcker wrote:
>> I'm sorry to tell you that you have fallen into the trap. There is only one genuine pg...@ct.heise.de key, the fingerprint of which is printed in each issue of the c't magazine. The other one is a fake. And the fact that the fake key with the author's email address is signed by different keys only means that a lot of people have signed this fake key without following the proper procedure of key validation (or that the trolls created even more fake keys to sign the author's fake key to make it look more credible).
>
> Not according to http://www.heise.de/security/dienste/PGP-Schluessel-der-c-t-CA-473386.html where three different keys are listed (two DSS and one RSA).

I concur that the keys 38EA4970 and E1374764 both look likely to be genuine. One has signatures from B3B2A12C, the other from DAFFB000. The link above lists as "ct magazine CERTIFICATE <pg...@ct.heise.de>" keys B3B2A12C and DAFFB000, as well as a third key BB1D9F6D.

As for the other non-revoked keys I found by searching for "schmidt juergen heise de":

- all four are signed by a "ct magazine CERTIFICATE <pg...@ct.heise.de>" key F6ADD6C2 that is not listed on the magazine's page.
- all four are also signed by a "ct magazine CERTIFICATE ct magazine CERTIFICATE" key FB4DFDC6.
- one of the four has a UID claiming itself to be another "ct magazine CERTIFICATE <pg...@ct.heise.de>" as well as being Juergen Schmidt's key.
- Also all four have the same creation date.

I guess anybody being fooled didn't look at the page linked above, or they would have used key 2C26A309 "ct magazine pgpCA CommunicationKey 2015 <pg...@ct.heise.de>" when contacting the magazine. (-;

-- 
Best regards
MFPA                  mailto:2014-667rhzu3dc-lists-gro...@riseup.net

This message represents the official view of the voices in my head.