Contact me for details

2019-07-21 Thread Mr.Francios pinault
Good morning,

I have been trying to get in touch with you via my other email for the last
few days but I don't get a reply back. I am checking if this one gets to
you. Email me so that I can give you a comprehensive detail into this
project.

Regards,
Francios pinault



Re: PGP/GnuPG unsecure, should be replaced?

2019-07-21 Thread Iain Grant
I must have picked that up somewhere I didn't check when I was younger and
just took it as fact leading to fail :(  Sorry!

I am not a cryptographic expert - IANACE??

Iain

On Sun, Jul 21, 2019 at 8:11 PM Elmar Stellnberger wrote:

> Why do you think that TwoFish is bad? It was invented by Bruce Schneier
> and was in the last round of the AES competition. I believe it to be the
> better choice than AES.
> On 20.07.19 at 21:41, Iain Grant wrote:
>
> 2 fish... that in itself is bad.  AES, sure let's all be ok about
> that.
>
> I also read the article and I realise I still rely on gpg far too much and
> that I need to wean myself off of it!
>
>
> Iain
>
> On Sat, Jul 20, 2019 at 8:33 PM qmi (list) wrote:
>
>> Hi,
>>
>> On 7/19/19 1:34 PM, Stephan Seitz wrote:
>> > I found the following article about PGP/GnuPG:
>> > https://latacora.singles/2019/07/16/the-pgp-problem.html
>> >
>> > In short you should drop GnuPG because it doesn’t do anything really
>> > the right way. It should be replaced with different tools for
>> > different situations.
>>
>> I checked that article. For e.g. the article says, "If you’re lucky,
>> your local GnuPG defaults to 2048-bit RSA, the 64-bit-block CAST5 cipher
>> in CFB, ..."
>>
>> Wrong. The current implementation of GnuPG shipped by Debian Buster -
>> version 2.2.12 - does support modern cryptographic standards for
>> symmetric encryption, not only CAST5. For e.g., it does support twofish
>> and aes. Both of which use 128-bit block sizes, AFAIK. See command
>> output for gpg below about supported algorithms:
>>
>> "
>>
>> qmi@qmiacer:~$ gpg --version
>>
>> gpg (GnuPG) 2.2.12
>> (...)
>> Supported algorithms:
>> Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
>> Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
>>  CAMELLIA128, CAMELLIA192, CAMELLIA256
>> (...)
>> "
>>
>> So it's good enough, apparently.
>>
>> >
>> > Debian is using GnuPG for signing files. From the article:
>> >
>> > Signing Packages
>> >
>> > Use Signify/Minisign. Ted Unangst will tell you all about it. It’s what
>>
>> You may be right, though. That tool might have better bindings for
>> modern programming languages.
>>
>> Regards,
>> --
>> qmi
>> Email: li...@miklos.info
>>
>>


Re: PGP/GnuPG unsecure, should be replaced?

2019-07-21 Thread Elmar Stellnberger
Why do you think that TwoFish is bad? It was invented by Bruce Schneier 
and was in the last round of the AES competition. I believe it to be the 
better choice than AES.


On 20.07.19 at 21:41, Iain Grant wrote:

> 2 fish... that in itself is bad.  AES, sure let's all be ok about that.
>
> I also read the article and I realise I still rely on gpg far too much
> and that I need to wean myself off of it!
>
> Iain
>
> On Sat, Jul 20, 2019 at 8:33 PM qmi (list) wrote:
>
>> Hi,
>>
>> On 7/19/19 1:34 PM, Stephan Seitz wrote:
>> > I found the following article about PGP/GnuPG:
>> > https://latacora.singles/2019/07/16/the-pgp-problem.html
>> >
>> > In short you should drop GnuPG because it doesn’t do anything really
>> > the right way. It should be replaced with different tools for
>> > different situations.
>>
>> I checked that article. For e.g. the article says, "If you’re lucky,
>> your local GnuPG defaults to 2048-bit RSA, the 64-bit-block CAST5 cipher
>> in CFB, ..."
>>
>> Wrong. The current implementation of GnuPG shipped by Debian Buster -
>> version 2.2.12 - does support modern cryptographic standards for
>> symmetric encryption, not only CAST5. For e.g., it does support twofish
>> and aes. Both of which use 128-bit block sizes, AFAIK. See command
>> output for gpg below about supported algorithms:
>>
>> "
>>
>> qmi@qmiacer:~$ gpg --version
>>
>> gpg (GnuPG) 2.2.12
>> (...)
>> Supported algorithms:
>> Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
>> Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
>>  CAMELLIA128, CAMELLIA192, CAMELLIA256
>> (...)
>> "
>>
>> So it's good enough, apparently.
>>
>> >
>> > Debian is using GnuPG for signing files. From the article:
>> >
>> > Signing Packages
>> >
>> > Use Signify/Minisign. Ted Unangst will tell you all about it. It’s what
>>
>> You may be right, though. That tool might have better bindings for
>> modern programming languages.
>>
>> Regards,
>> --
>> qmi
>> Email: li...@miklos.info



Re: PGP/GnuPG unsecure, should be replaced?

2019-07-21 Thread qmi

Hi

On 7/21/19 4:34 PM, Malte wrote:

> li...@miklos.info transcribed 1.4K bytes on 20-Jul-2019 21:25:
> >
> > I checked that article. For e.g. the article says, "If you’re lucky, your
> > local GnuPG defaults to 2048-bit RSA, the 64-bit-block CAST5 cipher in CFB,
> > ..."
>
> "defaults to" and "supports" are two different words with two different
> meanings. GnuPG's history is full of new features getting developed
> while insecure defaults being kept.


Thanks for pointing that out. Correct, I was not specific enough. GnuPG
*defaults* to AES-128 when using symmetric encryption according to its
manual page. In practice, it appears to be using AES-256. I would be
surprised if the GnuPG version shipped by the most developer-friendly
Linux OS on the planet defaulted to a 64-bit block cipher. Perhaps an
earlier version of GnuPG did default to the CAST5 block cipher, as the
Wikipedia article states.


qmi




Re: PGP/GnuPG unsecure, should be replaced?

2019-07-21 Thread Malte
li...@miklos.info transcribed 1.4K bytes on 20-Jul-2019 21:25:
> 
> I checked that article. For e.g. the article says, "If you’re lucky, your
> local GnuPG defaults to 2048-bit RSA, the 64-bit-block CAST5 cipher in CFB,
> ..."
> 
> Wrong. The current implementation of GnuPG shipped by Debian Buster -
> version 2.2.12 - does support modern cryptographic standards for symmetric
> encryption, not only CAST5. For e.g., it does support twofish and aes. Both
> of which use 128-bit block sizes, AFAIK. See command output for gpg below
> about supported algorithms:

"defaults to" and "supports" are two different words with two different
meanings. GnuPG's history is full of new features getting developed
while insecure defaults being kept.

I think, before moving to something completely new, like signify,
moving to something like Sequoia PGP (https://sequoia-pgp.org),
might be a good first step, as it fits better with the already
existing infrastructure 🤷


Sincerely,

Malte
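
The difference between "supports" and "defaults to" raised in this thread can be checked mechanically. The following is an added example, not part of any message above: it parses the `gpg --version` output quoted in the thread and compares it with the cipher ID recorded in a file's symmetric-key packet. The `PACKET_DUMPS` lines are constructed samples in the shape printed by `gpg --list-packets`, and the file names are hypothetical.

```python
import re

# OpenPGP symmetric algorithm IDs (RFC 4880 section 9.2; Camellia from RFC 5581)
# mapped to (name as printed by gpg --version, block size in bits).
SYM_ALGOS = {
    1: ("IDEA", 64), 2: ("3DES", 64), 3: ("CAST5", 64), 4: ("BLOWFISH", 64),
    7: ("AES", 128), 8: ("AES192", 128), 9: ("AES256", 128), 10: ("TWOFISH", 128),
    11: ("CAMELLIA128", 128), 12: ("CAMELLIA192", 128), 13: ("CAMELLIA256", 128),
}

# Quoted from the thread: what this gpg build *supports*.
VERSION_OUTPUT = """\
gpg (GnuPG) 2.2.12
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
"""

# Constructed samples (assumed shape of `gpg --list-packets FILE` output):
# what two hypothetical files were actually encrypted with.
PACKET_DUMPS = {
    "new.gpg": ":symkey enc packet: version 4, cipher 9, s2k 3, hash 2\n",
    "old.gpg": ":symkey enc packet: version 4, cipher 3, s2k 3, hash 2\n",
}

def supported_ciphers(version_text):
    """Return cipher names from the 'Cipher:' entry, including wrapped lines."""
    m = re.search(r"^Cipher:((?:.*\n)(?:[ \t]+.*\n)*)", version_text, re.M)
    return [n.strip() for n in m.group(1).split(",") if n.strip()] if m else []

def cipher_used(packet_text):
    """Return the symmetric algorithm ID recorded in a symkey packet, or None."""
    m = re.search(r"^:symkey enc packet:.*?\bcipher (\d+)", packet_text, re.M)
    return int(m.group(1)) if m else None

def audit(version_text, dumps):
    """Compare what gpg supports with what each file was encrypted with."""
    supported = set(supported_ciphers(version_text))
    report = {}
    for name, text in dumps.items():
        # An unknown or missing ID is reported with block size 0 and flagged.
        algo, bits = SYM_ALGOS.get(cipher_used(text), ("UNKNOWN", 0))
        report[name] = {"cipher": algo, "block_bits": bits,
                        "supported": algo in supported, "weak_block": bits < 128}
    return report

if __name__ == "__main__":
    for name, row in audit(VERSION_OUTPUT, PACKET_DUMPS).items():
        print(name, row)
```

Both sample files use a cipher that appears in the supported list, but only one of them uses a 128-bit block, which is why the supported list alone does not settle the question.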