Re: gpgsm and expired certificates

[MFPA]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi


On Friday 8 November 2013 at 12:00:56 PM, in
, Uwe Brauer wrote:


>
> It
> seems to me that the BAT does not support Comodo CA.

> Uwe


Aside from the ones I have added, The Bat has about 120 root CA
certificates. I guess it is a minority-use mailer and a lot of the CAs
won't pay for their certificates to be included.

But Microsoft Crypto-API has nearly 400 root CA certificates, and
Comodo's were missing there too. In researching, I read (I think on a
Comodo help forum) that their certificates are only included in
relatively recent windows versions, and Microsoft tags root
certificate updates as "non-critical."



- --
Best regards

MFPAmailto:expires2...@ymail.com

If you are afraid to speak against tyranny, then you are already a slave.
-BEGIN PGP SIGNATURE-

iPQEAQEKAF4FAlJ+ZshXFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl
bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0
N0VDQTAzAAoJEKipC46tDG5plCwD/3TjEnWaQpal4Urn3fMiF06NK93zBXCACV+C
1niL4DrS9E1dHJ3On+zEFRswk0/35UEhShMgTR7nfU+eys99xdXrDl0X0DWaIsji
tFhqHUtov65CRSDC4PjaM4STc9daowvCdaWi+EvusV14MKGMW50XJIpsFxWDUWtR
8lHXOOLW
=HeHs
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[Uwe Brauer]

>> "MFPA" == MFPA   writes:

   > Hi
   > On Thursday 7 November 2013 at 11:16:36 AM, in
   > , Uwe Brauer wrote:


   > I had to search for and import some more root certificates from the
   > Comodo website before I could encrypt to you using my mailer's
   > built-in s/mime.

   > Microsoft Crypto-API no use, even after your and comodo's certificates
   > imported into certmgr.msc. I'm probably doing something wrong there,
   > but it's not clear what to do.

   > For something that is supposed to be easier than OpenPGP, s/mime
   > doesn't seem easy to me.

That is really odd, I have successfully interchanged s/mime emails, with
users using thunderbird or outlook + windows + Comodo certificates.

None of them had to install the root certificates. It seems to me that
the BAT does not support Comodo CA.

Uwe 


smime.p7s
Description: S/MIME cryptographic signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[Robert J. Hansen]

(Before I begin I should say I agree with Mark -- this is commentary,  
not disagreement.)



This bug seems to cry out for an add-on.  Then people who (think they)
know what they are doing can have the additional convenience, and the
rest can do whatever it is they do now.  I would guess there is
resistance to putting this into the base product on the theory that
99.9% of users will just hit "yes", meaning "get rid of this
unintelligible dialog and let me read the message", which is arguably
a Bad Thing.


A detail oft-overlooked is that the question isn't whether the  
*sender* is part of the 0.1%; the question is whether the *recipient*  
is part of the 0.1%.  If I use a self-signed S/MIME cert, will my  
recipient be savvy enough to understand the risks and take appropriate  
steps?


I think 0.1% is a reasonable approximation: of all Thunderbird users,  
maybe one in a thousand has the skill necessary to safely and  
responsibly use a self-signed S/MIME cert, or to safely and  
responsibly check someone else's usage of a self-signed S/MIME cert.   
So one in a thousand senders, multiplied by one in a thousand  
recipients...


What I'm getting at here is that this isn't just a case of "99.9% of  
users will just hit 'yes', which is arguably a Bad Thing."  It's also  
a case of the user base for this being so small as to be  
indistinguishable from statistical noise.



CAs the same thing that the user *should* have done with those
commercial root cert.s: evaluate and install them individually.  (Of
course hardly any of us have done this.)


Well, 'should' is a pretty strong word.  So long as someone  
understands the risks involved in letting Mozilla define your list of  
trusted CAs rather than taking individual responsibility yourself,  
that's really all we can ask for.  I do agree, though, that the  
default list of trusted CAs is eye-poppingly large.



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[Mark H. Wood]

On Thu, Nov 07, 2013 at 12:16:36PM +0100, Uwe Brauer wrote:
> >> "MFPA" == MFPA   writes:
[snip]
>>> However thunderbird refuses to use yoru public key
>>> claiming it cannot be trusted.
> 
> 
>> I just searched and found [1] about Thunderbird, which says you can
>> import a copy of other people's self-signed S/MIME certificate from a
>> ".cer" file into your "Authorities" tab. So much for "being easier
>> because keys are automatically embedded in the signatures."
> 
> Well I was referring to the following 10 years old bug
> https://bugzilla.mozilla.org/show_bug.cgi?id=209182
> 
> I have the feeling this is a design decision by  "philosophy":
> thunderbird/semonkey don't encourage the use of self-signed certificates
> (BTW I just learn that there is a add-on, key-manager which generates
> self-signed certificates, similar as it seems to me to the BAT.

This bug seems to cry out for an add-on.  Then people who (think they)
know what they are doing can have the additional convenience, and the
rest can do whatever it is they do now.  I would guess there is
resistance to putting this into the base product on the theory that
99.9% of users will just hit "yes", meaning "get rid of this
unintelligible dialog and let me read the message", which is arguably
a Bad Thing.

Since we're getting offtopic anyway, I'll continue and opine that this
add-on would only be doing for self-signed cert.s and other unknown
CAs the same thing that the user *should* have done with those
commercial root cert.s: evaluate and install them individually.  (Of
course hardly any of us have done this.)

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Machines should not be friendly.  Machines should be obedient.


smime.p7s
Description: S/MIME cryptographic signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[MFPA]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi


On Thursday 7 November 2013 at 11:16:36 AM, in
, Uwe Brauer wrote:




> However it is not necessary I just export our signature
> as a pem file and import in under authorities. Still
> this is very uncomfortable...

I had to search for and import some more root certificates from the
Comodo website before I could encrypt to you using my mailer's
built-in s/mime.

Microsoft Crypto-API no use, even after your and comodo's certificates
imported into certmgr.msc. I'm probably doing something wrong there,
but it's not clear what to do.

For something that is supposed to be easier than OpenPGP, s/mime
doesn't seem easy to me.


- --
Best regards

MFPAmailto:expires2...@ymail.com

My mind works like lightning... one brilliant flash and it's gone
-BEGIN PGP SIGNATURE-

iPQEAQEKAF4FAlJ8IW9XFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl
bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0
N0VDQTAzAAoJEKipC46tDG5p2hIEAJuUrJYztL/8jLXZ525+nGHHzIkKtXDUOTDn
o1DtWyAYMd0UDhAaJsK4aZl5KeiyP+AwjPSAtQExFwz8pg4ywhMx0SUC/3PcmmEs
BlxHRXOhf31d71ndv0gTu1XFVi/2N1dfXZSlI4DO0iOICgnNqIWubwsxkuA8zzBd
3q/j95//
=V2Ln
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[MFPA]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi


On Thursday 7 November 2013 at 11:16:36 AM, in
, Uwe Brauer wrote:



> BTW, I see you switched back to pgp, but why do you use
> old inline mode and not pgpmine?

Because I prefer it. I like to see the pgp signature in the message
body instead of hidden away.




- --
Best regards

MFPAmailto:expires2...@ymail.com

Those who do not read are no better off than those who cannot.
-BEGIN PGP SIGNATURE-

iPQEAQEKAF4FAlJ8BO5XFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl
bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0
N0VDQTAzAAoJEKipC46tDG5psUsD/iQhZWfXfzbDmVs/8vNg4nFRIZ5IXTb3LRU9
MbiKAdH6V6p55PMQ8/z/qJHBXHbnhacnKUMXPvyK71w5kKAnWb2gZfJivJj36axI
h0btBJjCA3d2899fuODBdON1y+q/VgZLfMA5Uj1ILN9AC8SnDrUHUqGDHzeH1xZm
OMbGJVaC
=5KUo
-END PGP SIGNATURE-


smime.p7s
Description: S/MIME Cryptographic Signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[Uwe Brauer]

>> "MFPA" == MFPA   writes:

Hello

[snip]


   > But all the hordes who use webmail are pretty-much still out of luck,
   > though. (With certain exceptions, such as hushmail.)

Yep, there is penango fore firefox+gmail.


   >> Public
   >> keys are automatically embedded in the signatures.

   > That is simpler and avoids the web-bug-like effect you have if you
   > choose to auto-retrieve OpenPGP keys from keyservers for new contacts.
   > But must waste a lot of bandwidth between regular correspondents.

Well given that a lot of users write emails with html markup, this
really does not bother me.


   >> However thunderbird refuses to use yoru public key
   >> claiming it cannot be trusted.


   > I just searched and found [1] about Thunderbird, which says you can
   > import a copy of other people's self-signed S/MIME certificate from a
   > ".cer" file into your "Authorities" tab. So much for "being easier
   > because keys are automatically embedded in the signatures."

Well I was referring to the following 10 years old bug
https://bugzilla.mozilla.org/show_bug.cgi?id=209182

I have the feeling this is a design decision by  "philosophy":
thunderbird/semonkey don't encourage the use of self-signed certificates
(BTW I just learn that there is a add-on, key-manager which generates
self-signed certificates, similar as it seems to me to the BAT.

At first I thought that I need to use openssl in order to extract your
cert and import in under authorities 
like
openssl pkcs7 -in MFPA.p7 -inform DER -print_certs > out.cert

(Which would be bad, because command line openssl is not what the
average user would call, comfortable and windows users have to install
openssl a part)

However it is not necessary I just export our signature as a pem file
and import in under authorities. Still this is very uncomfortable...

regards

Uwe Brauer 

BTW, I see you switched back to pgp, but why do you use old inline mode
and not pgpmine?


smime.p7s
Description: S/MIME cryptographic signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[MFPA]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi


On Wednesday 6 November 2013 at 11:42:49 AM, in
, Uwe Brauer wrote:



> Well take for example iOs: using pgp is a sort of a
> nightmare.

So I have heard.



> The reasons why I think smime is easier to use for the
> average user are: smime is already installed in most
> MUA (so no additional software+plugin)

But all the hordes who use webmail are pretty-much still out of luck,
though. (With certain exceptions, such as hushmail.)



> keypairs are
> generated and signed  by the "trust center".

I don't know about the "trust centre." The Bat! gives me the choice
of its own internal implementation or Microsoft Crypto-API, which is
part of Windows. (The Bat! and Windows are closed-source proprietary
products that we probably shouldn't discuss too much on this list.)



> Public
> keys are automatically embedded in the signatures.

That is simpler and avoids the web-bug-like effect you have if you
choose to auto-retrieve OpenPGP keys from keyservers for new contacts.
But must waste a lot of bandwidth between regular correspondents.



> Aha I see you use the BAT, an email program I have not
> seen in use, for almost a decade.

I have used it myself for over nine years.



> Good and bad news.
> Gpgsm allowed my to use your public keys after having
> fireing up a series of questions, iOs also,

Good.



>  (if you
> don't mind I send you to test messages later privately)

I don't mind.



> However thunderbird refuses to use yoru public key
> claiming it cannot be trusted.

Fair enough. Using its internal implementation, The Bat! accepts
signatures from the S/MIME certificate I created last night (because I
added it to the trusted root CA address book) and does not accept your
S/MIME signature (because Comodo's root certificate is not in the
trusted root CA address book - but adding it would be just a few
clicks). MS Crypto-API is fine with Comodo's root cert, but says my
certificate has an invalid signature algorithm specified.

I just searched and found [1] about Thunderbird, which says you can
import a copy of other people's self-signed S/MIME certificate from a
".cer" file into your "Authorities" tab. So much for "being easier
because keys are automatically embedded in the signatures."


> So I am afraid  the
> issue is to  persuade the not only the people but also
> the software.

As I said, getting other people to persuade their MUA to accept it.

[1] .


- --
Best regards

MFPAmailto:expires2...@ymail.com

Courage is not the absence of fear, but the mastery of it.
-BEGIN PGP SIGNATURE-

iPQEAQEKAF4FAlJ60MxXFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl
bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0
N0VDQTAzAAoJEKipC46tDG5pfXkEALs5FK+Llmn4wqCq+GUO0+qJ+TjHyHoEFd2R
3RRCHLG1ZcwhP0tOAX9Xo5439N16M31x6FB5u6CglI4RNcMvHK/FwqE1Y6e0I3SR
WLqUiX0Oq+JMKQnRBW1DaIGGCIB4uqPQ6DwFKikcA4p4fUSoXpRaKJA7Sar4Sj32
6o35st6x
=AcqD
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[Uwe Brauer]

>> "MFPA" == MFPA   writes:

Hi
   > Hi
   > On Monday 4 November 2013 at 10:43:43 PM, in
   > , Uwe Brauer wrote:




   >> -  from my own experience I am convinced that smime
   >> is much easierthan gpg[2] for reasons  I am not
   >> going to repeat here. (I got 7out of 10 of my
   >> friends/colleagues to use smime, but 0 of 10 to
   >> use gpg.)

   > Depending on the software people are using. I'm willing to accept
   > that there are probably more people for whom S/MIME is easier to
   > use.

Well take for example iOs: using pgp is a sort of a nightmare.

The reasons why I think smime is easier to use for the average user are:
smime is already installed in most MUA (so no additional software+plugin)
keypairs are generated and signed  by the "trust center".
Public keys are automatically embedded in the signatures.




   > The email app I am using to write this message can (almost
   > trivially) generate and use self-signed certificates for the email
   > accounts it has configured. The difficulty is getting other people
   > to persuade their MUA to accept them.


Aha I see you use the BAT, an email program I have not seen in use, for
almost a decade.
Good and bad news. Gpgsm allowed my to use your public keys after having
fireing up a series of questions, iOs also, (if you don't mind I send
you to test messages later privately) However thunderbird refuses to
use yoru public key claiming it cannot be trusted. So I am afraid 
the issue is to 
persuade the not only the people but also the software.


> I think I mentioned in one of my other postings that I was using 
> hyperbole to make my point. I'm not quite _that_ paranoid, but I 
> believe in exercising a healthy skepticism.

Ok I have seen this now.



regards

Uwe 


smime.p7s
Description: S/MIME cryptographic signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[MFPA]

Hi


On Monday 4 November 2013 at 10:43:43 PM, in
, Uwe Brauer wrote:



> -  NSA (among others) has abused its resource to
> read emailworldwide at a very large scale.

Indeed.


> -  so if a lot of people, say 30 % of all users
> would encrypt theiremail, then NSA statistical
> approach would *not* work that smoothand this
> is a good thing.

Why do you describe it as a statistical approach? 

I guess 30% was plucked out of the air. It would seem self-evident 
that if a sizeable proportion of emails travelled encrypted, the NSA 
etc. would have to do more work to read them. 



> -  so encrypting email should be easy and look
> trustful for amajority of users

I like the idea, but have a bit of an issue with security made too 
easy. Security has to be inconvenient; just a lot more so for a 
would-be attacker than for the person using the security.



> -  usually public/private key based methods are
> considered relativesecure (Even Snowden claimed
> that you could rely on them), thisdoes not mean
> that the NSA could not read your email. They would
> usually try to enter your machine installing a
> keylogger orsomething like this. But this is
> beyond the statistical method Imentioned above.

Hopefully, if it was more effort and more cost to read an individual's
mail, that individual might be left alone unless they are a suspect.
But what about an individual two or three communication hops from a
suspect?



> -  if I understand correctly the real problem is
> not security of thethe cipher but the
> authenticity of the sender and so the most
> common attack is a man in the middle attack. This
> is true forboth smime and gpg. So comparing
> fingerprints of public key is agood thing,
> which most of us, I presume, don't do.

For most people's communication, it is not encrypted so the main
problem is simply being read in transit, and/or stored. Once you start
encrypting, even without putting the effort in for sender
authentication, it takes more effort to snoop on your mail than on the
majority of people's.



> -  from my own experience I am convinced that smime
> is much easierthan gpg[2] for reasons  I am not
> going to repeat here. (I got 7out of 10 of my
> friends/colleagues to use smime, but 0 of 10 to
> use gpg.)

Depending on the software people are using. I'm willing to accept that 
there are probably more people for whom S/MIME is easier to use.



> -  one of the reasons some of them hesitated was
> the fact that thecertificates were offered by
> some commercial company they did notknow and
> trust.[3]They would have had installed it from
> a government basedorganisation, say the
> ministry of justice though.

I think "know" is the key factor, but "know and trust" is even better.
I suspect a whole lot of people would also be perfectly comfortable if
a certificate were available from the company that supplied their
operating system, or their email application or webmail account. Or
maybe from their bank or ISP.



> -  so if some government based organisation would
> do what say commododoes it would send a signal
> to the public that it takes privacyseriously
> and I think it would encourage more people  to use
> smime.

The actions of governments and government organisations in so many
countries send signals that they are anti-privacy, or at least not
pro-privacy. I think this small contradictory signal would be in 
severe danger of being drowned out. But now I understand what you 
meant.



> -  Private certificates, are unfortunately no
> solution. Yes it ispossible with openssl to
> generate them, I have done thatmyself. However
> it is very difficult till impossible to convince
> the main email programs, such as outlook,
> thunderbird or Applemail to use them or to use
> public keys sent by suchcertificates. [4]

The email app I am using to write this message can (almost trivially)
generate and use self-signed certificates for the email accounts it
has configured. The difficulty is getting other people to persuade 
their MUA to accept them.



> Footnotes: [1]  I must add that I don't share your
> general view about government  based organisations.
> I still hope that abuse is the exception not  the
> rule..

I think I mentioned in one of my other postings that I was using 
hyperbole to make my point. I'm not quite _that_ paranoid, but I 
believe in exercising a healthy skepticism.


-- 
Best regards

MFPAmailto:expires2...@ymail.com

Experience is the name everyone gives to their mistakes


smime.p7s
Description: S/MIME Cryptographic Signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[Uwe Brauer]

>> "MFPA" == MFPA   writes:
Hello 



   > There are already several private sector CAs who provide free S/MIME
   > certificates in the hope that punters may take one of their paid
   > products instead or in addition. Potential sales is their incentive to
   > provide some products free. What would be a government's incentive to
   > provide them free of charge instead of charging for the admin? And
   > what would a government based CA bring to the party that is not
   > already available?

   > If all we are talking about is email encryption to protect people's
   > email from being read in transit, a self-signed certificate takes care
   > of the encryption without the need for a CA. The only value in using a
   > recognised CA rather than a self-signed certificate is convenience for
   > the recipient, whose MUA is likely to automatically "trust" a
   > recognised CA but would need to be "told" to accept a self-signed
   > certificate.


Ok let me try to answer this point by point. Before doing I want to
emphasise that I am taking a very pragmatic point of view here.[1]

-  NSA (among others) has abused its resource to read email
   worldwide at a very large scale.

-  so if a lot of people, say 30 % of all users would encrypt their
   email, then NSA statistical approach would *not* work that smooth
   and this is a good thing.

-  so encrypting email should be easy and look trustful for a
   majority of users 

-  usually public/private key based methods are considered relative
   secure (Even Snowden claimed that you could rely on them), this
   does not mean that the NSA could not read your email. They would
   usually try to enter your machine installing a keylogger or
   something like this. But this is beyond the statistical method I
   mentioned above.

-  if I understand correctly the real problem is not security of the
   the cipher but the authenticity of the sender and so the most
   common attack is a man in the middle attack. This is true for
   both smime and gpg. So comparing fingerprints of public key is a
   good thing, which most of us, I presume, don't do.
   

-  from my own experience I am convinced that smime is much easier
   than gpg[2] for reasons  I am not going to repeat here. (I got 7
   out of 10 of my friends/colleagues to use smime, but 0 of 10 to
   use gpg.)

-  one of the reasons some of them hesitated was the fact that the
   certificates were offered by some commercial company they did not
   know and trust.[3]
   They would have had installed it from a government based
   organisation, say the ministry of justice though.


-  so if some government based organisation would do what say commodo
   does it would send a signal to the public that it takes privacy
   seriously and I think it would encourage more people  to use smime.

-  Private certificates, are unfortunately no solution. Yes it is
   possible with openssl to generate them, I have done that
   myself. However it is very difficult till impossible to convince
   the main email programs, such as outlook, thunderbird or Apple
   mail to use them or to use public keys sent by such
   certificates. [4]

Uwe Brauer 

Footnotes:
[1]  I must add that I don't share your general view about government
 based organisations. I still hope that abuse is the exception not
 the  rule..

[2]  although pgp seems technically better, since some implementations of
 smime allow a relative short symmetric key

[3] (Besides these companies have a certain business model and their
   free certificates last short and expire usually after one year.)


[4]  I finally managed to use them in thunderbird, but is was
 complicated not something the regular user would like to do.



smime.p7s
Description: S/MIME cryptographic signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[MFPA]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi


On Monday 4 November 2013 at 2:02:30 PM, in
, MFPA wrote:



> Where actual identity is not required, just continuity
> of communication, I see no value in obtaining any
> certification at all.

Or, indeed, where encryption is required but not actual identity.


- --
Best regards

MFPAmailto:expires2...@ymail.com

The best way to destroy your enemy is to make him your friend.
-BEGIN PGP SIGNATURE-

iPQEAQEKAF4FAlJ3y/JXFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl
bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0
N0VDQTAzAAoJEKipC46tDG5pVJoD/i5/w+wDB4bqbDdRD1N0vNFAhOA5tP/nVP5P
pXfZV8U3XE3igNz6Y3NCrH4/kSnNyEwXUtPmo0I60TMIOJaPvJn8dkuUeaiNiERS
PGNPg4K0EIgng2OqPiUvU67feqdMCByEh1OfdZS0sbsfW7NQ0LhrcFO9gKdAllWO
+yufHrcY
=+o2F
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[MFPA]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi


On Sunday 3 November 2013 at 10:02:14 PM, in
, Uwe Brauer wrote:


>>> "Ingo" == Ingo Klöcker  writes:
>> So, your point/hope probably was that a government
>based CA > wouldn't have such a business model and
>would instead offer this > service gratis to the
>people (so that more people would be > protected
>from the NSA reading their mail). If this was your
>point > then apparently I didn't see it when I first
>read your message.

> That was *precisely* my point, thanks for clarifying it

There are already several private sector CAs who provide free S/MIME
certificates in the hope that punters may take one of their paid
products instead or in addition. Potential sales is their incentive to
provide some products free. What would be a government's incentive to
provide them free of charge instead of charging for the admin? And
what would a government based CA bring to the party that is not
already available?

If all we are talking about is email encryption to protect people's
email from being read in transit, a self-signed certificate takes care
of the encryption without the need for a CA. The only value in using a
recognised CA rather than a self-signed certificate is convenience for
the recipient, whose MUA is likely to automatically "trust" a
recognised CA but would need to be "told" to accept a self-signed
certificate.



- --
Best regards

MFPAmailto:expires2...@ymail.com

CAUTION! - Beware of Warnings!
-BEGIN PGP SIGNATURE-

iPQEAQEKAF4FAlJ3sFNXFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl
bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0
N0VDQTAzAAoJEKipC46tDG5ptlAD/jWuP+IpjL+RRBH1CazALnqMcKfb0M4pyBoe
+9SSDpPAR3CLFKBNi9/ThnVR28BAW3DWqILMq7n+5D+0Vu3jT4nC4Tvpz2tt2YfI
rTUV37E2U62tpydkIhsHuuD9auqjtS3nwxd3db6jfTf+yzz+1LY4+pXtAipdwKQr
JUKD0Rnl
=Kt8y
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[MFPA]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi


On Saturday 2 November 2013 at 6:48:39 PM, in
, Uwe Brauer wrote:


> Your point being?

> I presume it goes like this: NSA is  "a government
> based organisation" doing, among other things,
> violations of civil rights.

> So any other government based organisation cannot be
> trust, end of argument.


Exactly.



> Well I just talked  about a service, which provides
> certificates to its citizen. That means it signs a
> public/private key pair, which is generated by the,
> hopefully open source, crypto module of your browser.

> So either you claim to have evidence that this modules
> have been hacked and the key pair is transferred to
> some of these evil organisations or I really don't see
> your point.

Simply stated, it is established that government based organisations
sometimes act in a nefarious manner, contrary to the law and contrary
to the interests of the population. I view that as a reason not to
trust government based organisations. And if I don't trust government
based organisations, I cannot trust a certification issued by one.

Of course, private companies or individuals who issue certifications
are susceptible to coercion. Whether issued by government or by
private sector, a single certification on a public key represents a
single point of failure. It does not provide any great level of
assurance the corresponding private key is controlled by the identity
it claims. Such assurance could potentially be derived from numerous
certifications that are independent from each other, but how do you
tell which are truly independent?

Where actual identity is not required, just continuity of
communication, I see no value in obtaining any certification at all.

- --
Best regards

MFPAmailto:expires2...@ymail.com

Can you imagine a world with no hypothetical situations?
-BEGIN PGP SIGNATURE-

iPQEAQEKAF4FAlJ3qQVXFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl
bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0
N0VDQTAzAAoJEKipC46tDG5pFGMD/3YXsKuEtEf9+H4qiQckLlEkv+ulrQnuepRn
PlDE6rsbzdIaa3aU9eRCwa9mydwwIByadgI1YhrdXlnxRk2Aa6mfuoFPkg5MEa8c
3ysvmrVY5DHPkSELkEeUZe6Nk1lcJz1JUUd2vT6cNpks68kYG1Zb/VaLoKbC4sW2
ypuROxWl
=1Moi
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[Uwe Brauer]

>> "Ingo" == Ingo Klöcker  writes:


   > I interpreted "especially because of all which was lately revealed about 
   > the NSA" 

No it was more of a general remark, concerning NSA malpractice of
reading everybody's (uncrypted) email unconditionally.

   > So, your point/hope probably was that a government based CA
   > wouldn't have such a business model and would instead offer this
   > service gratis to the people (so that more people would be
   > protected from the NSA reading their mail). If this was your point
   > then apparently I didn't see it when I first read your message.


That was *precisely* my point, thanks for clarifying it 

Uwe Brauer 


smime.p7s
Description: S/MIME cryptographic signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[Stan Tobias]

"Robert J. Hansen"  wrote:

> My previous email was pretty dry and impersonal.  This one is very personal.
>
> > Isn't the NSA "a government based organisation?" Surely
> > guilt-by-association renders every government based organisation just
> > as nefarious as the NSA.
>
> My current job 
> John Moore III, 
> Werner 
> There are a lot of people on this list 
>
> You owe all of us an apology.

To the defense of MFPA, he was speaking of government based *organisations*.
Organisations don't have a conscience.  People are a different kind, they
often work for you against general policies, if you can interpret signs
correctly and cooperate.

Kindly, Stan Tobias.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[Ingo Klöcker]

On Saturday 02 November 2013 19:48:39 Uwe Brauer wrote:
> >> "MFPA" == MFPA   writes:
>> Hi
>> On Sunday 27 October 2013 at 2:46:05 PM, in
>> , Uwe Brauer wrote:
>> 
>> Isn't the NSA "a government based organisation?" Surely
>> guilt-by-association renders every government based organisation
>> just
>> as nefarious as the NSA.
> 
> Your point being?
> 
> I presume it goes like this: NSA is  "a government based
> organisation" doing, among other things, violations of civil rights.
> 
> So any other government based organisation cannot be trust, end of
> argument.
> 
> Well I just talked  about a service, which provides certificates to
> its citizen. That means it signs a public/private key pair, which is
> generated by the, hopefully open source, crypto module of your
> browser.
> 
> So either you claim to have evidence that this modules have been
> hacked and the key pair is transferred to some of these evil
> organisations or I really don't see your point.

Since I had exactly the same thought as MFPA (namely that the NSA is a 
goverment based organization), I'll explain my thoughts (which could be 
different from MFPA's point).

You, Uwe Brauer, wrote:
> I would prefer a government based organisation which provides this
> service to its citizen (especially because of all which was lately
> revealed about the NSA)

where "this service" refers to the service a commercial, not goverment 
based CA like comodo offers.

I interpreted "especially because of all which was lately revealed about 
the NSA" to refer to the NSA's ability to forge certificates issued by 
commercial CAs (e.g. by forcing the CAs to provide such a certificate). 
Now my thinking was that the NSA (or some other country's secret agency, 
e.g. the German BND) probably wouldn't have more problems to get forged 
certificates if they were issued by a government based CA.

OTOH, you wrote the above in reply to Werner's
> The business model of most CAs is to sell you a subscription by
> setting the expiration time very low so that they can ask after a
> year for another fee to create a new certificate.  Here it does not
> make sense to create a new private key every year.

So, your point/hope probably was that a government based CA wouldn't 
have such a business model and would instead offer this service gratis 
to the people (so that more people would be protected from the NSA 
reading their mail). If this was your point then apparently I didn't see 
it when I first read your message.


Regards,
Ingo


signature.asc
Description: This is a digitally signed message part.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[Filip M. Nowak]

On 02.11.2013 20:20, Peter Lebbing wrote:
> On 02/11/13 19:48, Uwe Brauer wrote:
>> So either you claim to have evidence that this modules have been hacked
>> and the key pair is transferred to some of these evil organisations or I
>> really don't see your point.
> 
> I think the most common way for an X.509 CA to be deceitful is by giving 
> someone
> else a certificate with your name on it, not by stealing your key.
> 
> (...)

Not mentioning giving away (actually signing) intermediate CA keys.

Cheers,
Filip

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[Peter Lebbing]

On 02/11/13 19:48, Uwe Brauer wrote:
> So either you claim to have evidence that this modules have been hacked
> and the key pair is transferred to some of these evil organisations or I
> really don't see your point.

I think the most common way for an X.509 CA to be deceitful is by giving someone
else a certificate with your name on it, not by stealing your key.

Then I would be under the impression I was holding an encrypted and signed
conversation with /you/, but I would be talking to the well-funded attacker that
got the false certificate. That attacker could then re-encrypt and send it on to
you, to be a man in the middle.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[Uwe Brauer]

>> "MFPA" == MFPA   writes:

   > Hi
   > On Sunday 27 October 2013 at 2:46:05 PM, in
   > , Uwe Brauer wrote:

   > Isn't the NSA "a government based organisation?" Surely
   > guilt-by-association renders every government based organisation just
   > as nefarious as the NSA.

Your point being?

I presume it goes like this: NSA is  "a government based
organisation" doing, among other things, violations of civil rights.

So any other government based organisation cannot be trust, end of
argument.

Well I just talked  about a service, which provides certificates to its
citizen. That means it signs a public/private key pair, which is
generated by the, hopefully open source, crypto module of your browser.

So either you claim to have evidence that this modules have been hacked
and the key pair is transferred to some of these evil organisations or I
really don't see your point.

Uwe Brauer 


smime.p7s
Description: S/MIME cryptographic signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[Johan Wevers]

On 2-11-2013 15:36, Robert J. Hansen wrote:

> I can't help but think, as I see the tenor of the discussion about the
> NSA, that there are probably thousands of good and decent people in that
> agency who are concerned with following the law and respecting civil
> liberties -- and they probably feel an awful lot like Marshal Kane right
> now, wondering whether it's even worth it.

Perhaps. But those people make me think more off whet we call here
"major in wartime": during WW2, some majors kept their position under
the Germans with the intention to prevent someone worse (like a member
of the local Nazi party) to take the post and to prevent as much cruelty
as possible. This turned out to be nearly impossible, and after the war
those majors were ot looked kindly uppon. You can't keep your hands
clean when you take such a post.

Another example would be the countless Stasi employees who really
thought they were doing the people a favor by defending them against
those evil capitalists. The people mostly didn't agree.

The NSA employees might think they are protecting the people against
someone worse than they are, but in many places outside the US the US is
now seen as the primary enemy. Not that we like terrorists that much,
but we have reached the point where the US causes more problems and
deaths of innocents than its enemies. Especially because they more or
less admit that all non-US citizens are fair game.

> They are not practicing guilt by suspicion.  They are practicing, "hey,
> let's collect as much information as possible on this crime so that we
> can find the truly guilty person."

Another problem with the US, they tend to make out for others what
"crimes" are. The wars on drugs and copyright infringement are typical
examples of where the pressure of the US goes against the interests of
the people in other countries (and even their own).

> Police do not determine guilt.  Courts determine guilt.  Police are in
> the business of collecting information.  In a very real sense, police
> are a domestic intelligence agency.

That would be true in an ideal world. In the real world the police is
often in the buisiness of fabricating and / or witholding evidence.

-- 
Met vriendelijke groet / With kind regards,
Johan Wevers

PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[MFPA]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi


On Saturday 2 November 2013 at 2:36:27 PM, in
, Robert J. Hansen wrote:


> They are not practicing guilt by suspicion. They are
> practicing, "hey, let's collect as much information as
> possible on this crime so that we can find the truly
> guilty person."

Experiences of people I know, together with footage broadcast on the
"reality TV" programmes where TV crews follow real police going about
their business, lead me to the conclusion they routinely practice
guilt by suspicion/guilt by association. If that approach fails to
find somebody the circumstantial evidence doesn't rule out, they will
switch to a genuine investigation if the matter is serious enough to
warrant the man-hours, or if it affects high-profile individuals.

No slur intended on any individual police personnel, just public
perception of the police forces' corporate approach. (And for the
record, I know many people who have formed a similar impression as
well as plenty who have formed a very different impression.)



> Police do not determine guilt.  Courts determine guilt.
> Police are in the business of collecting information.
> In a very real sense, police are a domestic
> intelligence agency.

Unfortunately, police sometimes influence the determination of guilt
by being selective in their presentation of information to the courts.
In the UK any withholding of evidence by the police has constituted
grounds for appeal since R v Fellows in July 1985.[1]

[1] The very short quote at

is the only reference I can find at the moment.


- --
Best regards

MFPAmailto:expires2...@ymail.com

The second mouse gets the cheese
-BEGIN PGP SIGNATURE-

iPQEAQEKAF4FAlJ1IEtXFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl
bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0
N0VDQTAzAAoJEKipC46tDG5pZtwEAKgF9/mzcsvrFECNNGivhHcu+LEBtZMJMN8C
7ZLuEE//enmKy4OCW34pwJQEtTOQJCaA4UjiscrwE2EP+hSQ3Txgq32kf0uZSYY+
8ZwenQJoX3hai7sU4j9KVJ/nzFuDiKOpVBP+OXs5z40+Zt1Da2cWXHiUZOC81riQ
PeE1jeWu
=aTqy
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[Robert J. Hansen]

> I wish to extend my sincere and unreserved apologies to all the people
> I unintentionally offended.

Thank you for this.  (Seriously.)

There's an American movie that probably hasn't been seen much in Europe.
 _High Noon_, starring Gary Cooper, which may be the finest Western ever
made.  In a nutshell, the Frank Miller Gang comes to town intent on
bloodshed and violence, and to protect the town the retired police
officer, Marshal Will Kane, puts on the tin star once more.  The Frank
Miller Gang does something violent and Kane gets in the way -- the gang
retaliates and does something else violent, and Kane gets in the way and
stops that, too.

After a while the townsfolk, who were begging Marshal Kane to come out
of retirement at the beginning of the movie, are screaming their outrage
at him.  "If you'd just quit, the Frank Miller Gang would leave us
alone!  Can't you see that your meddling is just making them angry and
making the problems worse?"

In a climactic showdown Marshal Kane shatters the Miller Gang.  All the
townsfolk, who had begged him to save them and then screamed at him that
he was the problem, come around to praise him for his courage and valor.
 Marshal Kane looks them over in disgust, then tears off his badge,
throws it in the dirt, and rides off into the sunset with his
girlfriend.  The townspeople have finally done what the Frank Miller
Gang couldn't do: they've made a good and decent policeman stop caring
about his town.

I can't help but think, as I see the tenor of the discussion about the
NSA, that there are probably thousands of good and decent people in that
agency who are concerned with following the law and respecting civil
liberties -- and they probably feel an awful lot like Marshal Kane right
now, wondering whether it's even worth it.

> Which would mean police who interview people who had contact with a
> suspect, in order to "eliminate them from their enquiries," are either
> not grown-ups or are practising something in which they do not
> believe.

They are not practicing guilt by suspicion.  They are practicing, "hey,
let's collect as much information as possible on this crime so that we
can find the truly guilty person."

Police do not determine guilt.  Courts determine guilt.  Police are in
the business of collecting information.  In a very real sense, police
are a domestic intelligence agency.



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[MFPA]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi


On Friday 1 November 2013 at 6:47:56 PM, in
,
Robert J. Hansen wrote:


>> Isn't the NSA "a government based organisation?"
>> Surely guilt-by-association renders every government
>> based organisation just as nefarious as the NSA.

> This is why grown-ups don't believe in guilt by
> association.

Which would mean police who interview people who had contact with a
suspect, in order to "eliminate them from their enquiries," are either
not grown-ups or are practising something in which they do not
believe.


> Do you really think a bunch of graduate students
> obsessing over _La   Chanson du Roland_ are "just as
> nefarious as the NSA"?

> If you do, then I think your paranoia is so out of hand
> you really   ought consider seeking professional help.
> And no, I'm not kidding.

I was merely making use of hyperbole to challenge the previous
poster's assertion that a government based organisation would be
preferable to the current CA service providers, "especially because of
all which was lately revealed about the NSA."

What I was trying to convey, was my opinion that the revelation of
unpalatable/nefarious behaviour on the part of a government
organisation seems a pretty odd reason to call for services, currently
provided by private-sector CAs, to instead be provided by a government
organisation.


- --
Best regards

MFPAmailto:expires2...@ymail.com

ETHERNET(n): device used to catch the Ether bunny
-BEGIN PGP SIGNATURE-

iPQEAQEKAF4FAlJ1CDJXFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl
bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0
N0VDQTAzAAoJEKipC46tDG5psMYD/0oWmmq62IUWF3LIDqxtUyzlbNKwwX2iisIU
wdqYDeh5K2ha+sZ7kcIHyDLiGy0qRzoHe+S0LudBWLVk2nuZhpOfGRQj2qh+eCSk
bhIp2BHNbb9j6AyHWFOPLnUrCdiH68iLFa3v+S47BptNwlHx+fHvSw4GqGXaISLc
t5TWlDEZ
=lO5E
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[MFPA]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi


On Friday 1 November 2013 at 7:25:30 PM, in
,
Robert J. Hansen wrote:


> But since some of
> my R&D funding comes from the government, I'm just as
> nefarious as the NSA.

[...]

> John Moore III, who hasn't been seen on this list in
[...]
> Apparently John's
> contributions to the GnuPG community mean nothing,
> because he's just as nefarious as the NSA.

[...]

> Werner has taken money from the German government to do
> crypto-related software development.  Apparently Werner
> is just as nefarious as the   NSA.

> There are a lot of people on this list who have some
> kind of   connection to the government.

[...]

> You owe all of us an apology.

I wish to extend my sincere and unreserved apologies to all the people
I unintentionally offended.


- --
Best regards

MFPAmailto:expires2...@ymail.com

Wise men learn many things from their enemies.
-BEGIN PGP SIGNATURE-

iPQEAQEKAF4FAlJ1CrBXFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl
bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0
N0VDQTAzAAoJEKipC46tDG5pbWgD/R8Te7PplXFDJE0Y6TfxOCC5WYQfSqsZTuxO
uXzaASDkYC2LuzhaW9T5cCcMxuXWuYLVGUpe3BbyR3ZquTZE0MlRhYDzaSycIDfr
EQr3YchjgybnXrvXZL2DOEv66BiHtSxwps4A6+NpV4NH/Rlvkf6i6Smrp1Z42j/N
4PLSP81B
=rUME
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[Robert J. Hansen]

My previous email was pretty dry and impersonal.  This one is very personal.


Isn't the NSA "a government based organisation?" Surely
guilt-by-association renders every government based organisation just
as nefarious as the NSA.


My current job is in software forensics -- discovering new ways to  
pull information off electronic media.  Most of the people funding  
research in this area are connected to the government somehow.  I  
would describe what a typical week for me entails but I'm pretty sure  
I would terrify and traumatize a good portion of the list.  (A great  
week for me is one in which I don't have to see, hear, or even think  
about, the three words, "Daddy, no, stop!")  But since some of my R&D  
funding comes from the government, I'm just as nefarious as the NSA.


John Moore III, who hasn't been seen on this list in ages, was always  
quite open about the fact he served in the Marine Corps attached to a  
signals intelligence unit at Fort Meade.  I'll let you do the math and  
figure out what three letter agency at Fort Meade does signals  
intelligence.  Apparently John's contributions to the GnuPG community  
mean nothing, because he's just as nefarious as the NSA.


Werner has taken money from the German government to do crypto-related  
software development.  Apparently Werner is just as nefarious as the  
NSA.


There are a lot of people on this list who have some kind of  
connection to the government.  Many of them -- us -- are deeply  
concerned about civil liberties, surveillance, and the future of  
liberty.  We are not your enemies and we do not deserve to be tarred  
with that brush.


You owe all of us an apology.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[Robert J. Hansen]

Isn't the NSA "a government based organisation?" Surely
guilt-by-association renders every government based organisation just
as nefarious as the NSA.


This is why grown-ups don't believe in guilt by association.

To take an example: the graduate students at the University of Iowa  
who teach undergraduate courses on classical French literature are  
University employees. (Unionized ones at that: United  
Electicalworkers/Committee to Organize Graduate Students, *represent*!  
[1])  As University employees, they are officially also government  
employees, since the University is funded by the State.


Do you really think a bunch of graduate students obsessing over _La  
Chanson du Roland_ are "just as nefarious as the NSA"?


If you do, then I think your paranoia is so out of hand you really  
ought consider seeking professional help.  And no, I'm not kidding.


If you don't, then let's dial back the rhetoric.  Governments are  
*big* *big* things with lots of employees, and they deserve better  
treatment than this.




[1] Yes, I was a card-carrying union man and served as a union  
officer.  Try not to keel over from the shock.  ;)


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[MFPA]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi


On Sunday 27 October 2013 at 2:46:05 PM, in
, Uwe Brauer wrote:



> I would prefer a government based organisation which
> provides this service to its citizen (especially
> because of all which was lately revealed about the NSA)

Isn't the NSA "a government based organisation?" Surely
guilt-by-association renders every government based organisation just
as nefarious as the NSA.




- --
Best regards

MFPAmailto:expires2...@ymail.com

Free advice costs nothing until you act upon it
-BEGIN PGP SIGNATURE-

iPQEAQEKAF4FAlJzusxXFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl
bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0
N0VDQTAzAAoJEKipC46tDG5pit0EAIiKQnBVsZmESaFATJVSGJ5NHCkKAQ3JzvO1
Qnqy6fV+bF1dKbI6fiymsZpRsx1jppnR5lBNGzFWqXsSTfrp3h99k2YzAYnPi67C
/XAC3D665XDz0ty3vNKx5p+bO4/BaBHbp7deQcLkNwortGS70Gx1zKRH02IJi+I5
fVjbyLyJ
=rXTe
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[Uwe Brauer]

>> "Werner" == Werner Koch  writes:

   > On Sun, 27 Oct 2013 10:23, p...@heypete.com said:
   >> Correct, though it is possible (but usually recommend against) to
   >> create a new certificate using the same private keypair as before. In

   > The business model of most CAs is to sell you a subscription by
   > setting the expiration time very low so that they can ask after a
   > year for another fee to create a new certificate.  Here it does not
   > make sense to create a new private key every year.


Well comodo is free (still) and to prolong the certificate  seems free to for
the moment, but I agree I would prefer a government based organisation
which provides this service to its citizen (especially because of all
which was lately revealed about the NSA)
   > GnuPG basically does the same by allowing you to prolong the expiration
   > time.
I don't want to enter a flame war here and in principle I'd prefer gpg
over smime but in reality I have to use smime, because


-  it is implemented in almost all MUA while gpg is not[1]

-  it is so much easier to install for the people I communicate with
   than gpg. 

I recall that I tried to convince gpg and after some hours he almost
yelled at me, while he was able to set up smime in 5 minutes.

The reasons for this are the following.



-  As I said smime is already installed in almost all MUA, so no
   need to install gpg and to install a plugin for the MUA

-  the user does not have to generate a keypair. Well this is not
   entirely true, as we mentioned earlier, but the user applies for
   a certificate picks it up and he is set.

-  the user does not have to exchange public keys, he just sends a
   signed message which includes his public key.


So if the big MUAS and not only thunderbird, but at least outlook apple
mail, and iOS mail, would

-  support gpg natively

-  when use gpg in the mailreader for the first time, it would
   silently generate a key pair

-  when sending a signed message it would always embed the public
   key in the signature


Then a think gpg would be as easy to use as smime, but till then


Uwe Brauer 



Footnotes:
[1]  I tried to use gpg on a non jailbroken iPhone and it is honestly a hassle.



smime.p7s
Description: S/MIME cryptographic signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[Werner Koch]

On Sun, 27 Oct 2013 10:23, p...@heypete.com said:

> Correct, though it is possible (but usually recommend against) to
> create a new certificate using the same private keypair as before. In

The business model of most CAs is to sell you a subscription by setting
the expiration time very low so that they can ask after a year for
another fee to create a new certificate.  Here it does not make sense to
create a new private key every year.

GnuPG basically does the same by allowing you to prolong the expiration
time.

> I interpreted Werner's comment to mean "In order to decrypt messages
> encrypted to you, you only need a private key. You don't need a valid
> certificate to decrypt old messages that were encrypted to a
> now-expired certificate."

Correct.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[Pete Stephenson]

On Sun, Oct 27, 2013 at 11:01 AM, Uwe Brauer  wrote:
>
>> If you generate a new keypair for the new certificate (which is
>> probably a good idea) then gpgsm (and presumably any other
>> certificate-using software) will figure out what private key will be
>> needed to decrypt a particular message and, so long as you still have
>> the private key on your system, will use it as needed even if the
>> corresponding certificate has expired.
>
> So gpgsm (and others) will also figure out which private key to use for
> signing: that is the new one, once the old certificate is expired?
>
> Which means in the case of smime, also to embedd the corresponding
> new public key in the signature.

I can't speak specifically for gpgsm, as I only use GPG with OpenPGP
keys and not x.509 certs, but I would venture that the answer to your
question is "yes, gpgsm will select the correct private key for
signing" as that's standard behavior for such software.

Werner or others could answer authoritatively.

-- 
Pete Stephenson

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[Uwe Brauer]

   > If you generate a new keypair for the new certificate (which is
   > probably a good idea) then gpgsm (and presumably any other
   > certificate-using software) will figure out what private key will be
   > needed to decrypt a particular message and, so long as you still have
   > the private key on your system, will use it as needed even if the
   > corresponding certificate has expired.

So gpgsm (and others) will also figure out which private key to use for
signing: that is the new one, once the old certificate is expired? 

Which means in the case of smime, also to embedd the corresponding
new public key in the signature.

thanks

Uwe 


smime.p7s
Description: S/MIME cryptographic signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[Pete Stephenson]

On Sun, Oct 27, 2013 at 9:53 AM, Uwe Brauer  wrote:
>>> "Werner" == Werner Koch  writes:
>
>> On Sat, 26 Oct 2013 22:03, o...@mat.ucm.es said:
>>> know by the date of the certificate which certificate to use for which
>>> message?
>>>
>>> -  old for old messages
>
>> Note, that there is no need for a certificate for decryption - only the
>> private key is required.  The certificate is only used to show some meta
>> information.
>
> Now I am confused. Most likely my knowledge of certificates is not
> correct. (I played around with openssl to generate my own, useless,
> certificates).
>
> I thought a certificate consists of a key pair (private/public) which is
> signed by the Authority (here comodo).

Mostly correct.

All that is needed to encrypt/decrypt/sign/verify messages is the
public/private keys themselves. The certificate is a signed,
structured format that binds a particular public key to an identity
(be it an email address, a name, a website, etc.). The certificate is
for public consumption: Comodo is asserting to the world that this
particular public key (and it's corresponding private key, which only
you know) belongs to you (or your website, email, etc.).

On your end, all you need is the private key to decrypt messages
encrypted to your public key. You don't need a certificate to decrypt
messages that had already been encrypted to that public key -- a
certificate may expire at a certain time, but the private key has no
baked-in expiration date.

> When I apply for a certificate, the keypair is generated by the crypto
> module of the browser and then signed.

Correct.

> So I thought when I apply for a new certificate  a new key pair
> is generated which gets signed again.

Correct, though it is possible (but usually recommend against) to
create a new certificate using the same private keypair as before. In
general, you should create a new keypair when applying for a new
certificate.

> But your comment above seems to indicate that the old pair gets a new
> signature. Is this correct?  But what if I apply with a different
> browser I applied the last time.

I interpreted Werner's comment to mean "In order to decrypt messages
encrypted to you, you only need a private key. You don't need a valid
certificate to decrypt old messages that were encrypted to a
now-expired certificate."

If you generate a new keypair for the new certificate (which is
probably a good idea) then gpgsm (and presumably any other
certificate-using software) will figure out what private key will be
needed to decrypt a particular message and, so long as you still have
the private key on your system, will use it as needed even if the
corresponding certificate has expired.

Cheers!
-Pete

-- 
Pete Stephenson

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[Uwe Brauer]

>> "Werner" == Werner Koch  writes:

   > On Sat, 26 Oct 2013 22:03, o...@mat.ucm.es said:
   >> know by the date of the certificate which certificate to use for which
   >> message?
   >> 
   >> -  old for old messages

   > Note, that there is no need for a certificate for decryption - only the
   > private key is required.  The certificate is only used to show some meta
   > information.

Now I am confused. Most likely my knowledge of certificates is not
correct. (I played around with openssl to generate my own, useless,
certificates).

I thought a certificate consists of a key pair (private/public) which is
signed by the Authority (here comodo).
When I apply for a certificate, the keypair is generated by the crypto
module of the browser and then signed.

So I thought when I apply for a new certificate  a new key pair
is generated which gets signed again.

But your comment above seems to indicate that the old pair gets a new
signature. Is this correct?  But what if I apply with a different
browser I applied the last time.

thanks

Uwe Brauer 


smime.p7s
Description: S/MIME cryptographic signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[Werner Koch]

On Sat, 26 Oct 2013 22:03, o...@mat.ucm.es said:

> know by the date of the certificate which certificate to use for which
> message?
>
> -  old for old messages

Note, that there is no need for a certificate for decryption - only the
private key is required.  The certificate is only used to show some meta
information.

> -  the new for the new messages

Expired certificates are not used and thus a now valid one will be used.


Shalom-Salam,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[Uwe Brauer]

>> "Werner" == Werner Koch  writes:

   > On Sat, 26 Oct 2013 12:02, o...@mat.ucm.es said:
   >> Can gpgsm deal with this situation?

   > Sure.  That is a very common situation.

   > Although I am myself not using gpgsm for mail encryption, I use it to
   > maintain all kind of X.509 certificates.  FWIW, gpgsm passed several
   > conformance tests with quite good results [1] and was recently approved
   > for secret communication (at the Germany's entry level VS/NfD).

Good, so if I understand that correctly once I have the new certificate
then I only have to import it into gpgsm and gpgsm will know by the date of the
certificate which certificate to use for which message?

-  old for old messages

-  the new for the new messages

thanks

Uwe Brauer 


smime.p7s
Description: S/MIME cryptographic signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm and expired certificates

[Werner Koch]

On Sat, 26 Oct 2013 12:02, o...@mat.ucm.es said:

> Can gpgsm deal with this situation?

Sure.  That is a very common situation.

Although I am myself not using gpgsm for mail encryption, I use it to
maintain all kind of X.509 certificates.  FWIW, gpgsm passed several
conformance tests with quite good results [1] and was recently approved
for secret communication (at the Germany's entry level VS/NfD).


Salam-Shalom,

   Werner


[1]
Watch out for Aegypten, which included GnuPG, in 
https://www.bsi.bund.de/DE/Themen/weitereThemen/VerwaltungsPKIVPKI/Interoperabilitaetstest/Testberichte/testberichte_node.html
 

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users