bad keysigning by Geotrust
this is what happens when someone signs a key that shouldn't be signed. it's based on an x.509 (hierarchical) trust model, not a pgp (distributed) trust model, but the consequences are the same: a certification signature that should not have been issued was issued. this is basically mallory collecting a good signature on a fraudulent key. Now here's where it gets really interesting. The phishing site... is protected by a Secure Sockets Layer (SSL) encryption certificate issued by a division of the credit reporting bureau Equifax that is now part of a company called Geotrust. The New Face of Phishing http://blog.washingtonpost.com/securityfix/2006/02/the_new_face_of_phishing_1.html -- ...atom _ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 - A student asked his old Sufi Master if he should tie up his camel for the night, so that it wouldn't wander away while they were sleeping or if doing so was an insult to God. Should he leave the camel untied to show his trust in God that the camel wouldn't run away? The Master replied Trust God AND tie up your camel. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
[Announce] False positive signature verification in GnuPG
False positive signature verification in GnuPG == Summary === The Gentoo project identified a security related bug in GnuPG. When using any current version of GnuPG for unattended signature verification (e.g. by scripts and mail programs), false positive signature verification of detached signatures may occur. This problem affects the tool *gpgv*, as well as using gpg --verify to imitate gpgv, if only the exit code of the process is used to decide whether a detached signature is valid. This is a plausible mode of operation for gpgv. If, as suggested, the --status-fd generated output is used to decide whether a signature is valid, no problem exists. In particular applications making use of the GPGME library[2] are not affected. To solve this problem an update of the current stable version has been released (see below). Please do not send private mail in response to this message. The mailing list gnupg-devel is the best place to discuss this problem (please subscribe first so you don't need moderator approval [1]). Impact: === Signature verification of detached signatures does not work, thus modified versions of signature protected files may not be detected. All versions of gnupg prior to 1.4.2.1 are affected if they are used in certain unattended operation modes. There is no problem using GnuPG in an interactive way because GnuPG won't print any signature status at all; i.e. no Good signature. Scripts and applications using gpg or gpgv with the --status-fd option and properly parsing this output are not affected. Applications using the GPGME library[2] are not affected. The GnuPG versions 1.9 are not affected unless the currently deprecated gpg part has been enabled. Solution: = Update GnuPG as soon as possible to version 1.4.2.1. There are no fixes for older versions available, although the fix described below may be adjusted for them. To update please follow the instructions found at http://www.gnupg.org/download/ or read on: GnuPG 1.4.2.1 may be downloaded from one of the GnuPG mirror sites or direct from ftp://ftp.gnupg.org/gcrypt/ . The list of mirrors can be found at http://www.gnupg.org/mirrors.html . Note, that GnuPG is not available at ftp.gnu.org. On the mirrors you should find the following files in the *gnupg* directory: gnupg-1.4.2.1.tar.bz2 (2.8M) gnupg-1.4.2.1.tar.bz2.sig GnuPG source compressed using BZIP2 and OpenPGP signature. gnupg-1.4.2.1.tar.gz (4.0M) gnupg-1.4.2.1.tar.gz.sig GnuPG source compressed using GZIP and OpenPGP signature. gnupg-1.4.2-1.4.2.1.diff.bz2 (39k) A patch file to upgrade a 1.4.2 GnuPG source. Select one of them. To shorten the download time, you probably want to get the BZIP2 compressed file. Please try another mirror if exceptional your mirror is not yet up to date. In the *binary* directory, you should find these files: gnupg-w32cli-1.4.2.1.exe (1.4M) gnupg-w32cli-1.4.2.1.exe.sig GnuPG compiled for Microsoft Windows and OpenPGP signature. Note that this is a command line version and now comes with a graphical installer tool. The source files are the same as given above. Note, that a new version of the Gpg4Win package[3], including an updated version of GnuPG, will be available later today. In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways: * If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the signature of the file gnupg-1.4.2.1.tar.bz2 you would use this command: gpg --verify gnupg-1.4.2.1.tar.bz2.sig This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Note, that you can retrieve the signing key using finger wk 'at' g10code.com or finger dd9jn 'at' gnu.org or using the keyservers. From time to time I prolong the expiration date; thus you might need a fresh copy of that key. Never use a GnuPG version you just downloaded to check the integrity of the source - use an existing GnuPG installation! Watch out for a Good signature messages. * If you are not able to use an old version of GnuPG, you have to verify the SHA-1 checksum. Assuming you downloaded the file gnupg-1.4.2.1.tar.bz2, you would run the sha1sum command like this: sha1sum gnupg-1.4.2.1.tar.bz2 and check that the output matches the first line from the following list: 1c0306ade25154743d6f6f9ac05bee74c55c6eda gnupg-1.4.2.1.tar.bz2 cefc74560f21bde74eed298d86460612cd7e12ee
Re: Necessity of GPG when using SSL
On Tue, Feb 14, 2006 at 10:34:38PM +0100, Jim Berland wrote: Hi everybody, I understand the use of GPG end-to-end-encryption and use it with a few of my contacts. What I want to make sure is the following. I am going to move to China for some time. My email ISP is located outside China and I connect to it via SSL. So if I am only concerned about the Chinese (whatever the reason; maybe my doubts are unreasonable?) and not about the complete end-to-end-encryption of GPG, the SSL encryption alone will do the job. Is that correct? You haven't specified your threat model precisely enough, for the vague one you presented the answer is both yes and no. SSL webmail and GPG protect against different things. Yes - because SSL webmail access is good enough to prevent the operators of great chinese firewall of snooping into what do you do on your mailbox. No - because SSL protects only against eavesdropping of mailbox access. It doesn't protect your email in transit from server to server (unless all the servers in the way support SMTP/TLS and you trust the operators of the servers). For example, if you write from your SSL webmail to someone in .cn, the contentrs of the mail can be observed by the operatros of said firewall. Alex ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OpenPGP smartcard: addcardkey fails
On Wed, Feb 15, 2006 at 07:50:17PM +0100, Lionel Elie Mamane wrote: Hi, I'm trying to generate an authentication subkey (tied to my main OpenPGP key) in my OpenPGP (FSFE Fellowship) smartcard (for poldi / SSH use), but can't get it to work. gpg --edit-card and --card-status works like a charm. I tried with the built-in ccid driver, same result: Command addcardkey gpg: DBG: ccid-driver: sending 6F 09 00 00 00 00 14 04 00 00 00 00 05 00 CA 00 6E 00 A1 gpg: DBG: ccid-driver: status: 00 error: 00 octet[9]: 04 data: 00 00 CB 4F 10 D2 76 00 01 24 01 01 01 00 01 00 00 03 9D 00 00 73 81 9D C0 01 78 C1 05 01 04 00 00 20 C2 05 01 04 00 00 20 C3 05 01 04 00 00 20 C4 07 00 FE FE FE 03 03 03 C5 3C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C6 3C C4 85 A6 CD 7E C6 6E 9E EC 33 65 F2 70 F2 75 E4 C3 2F 6C A5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CD 0C 00 00 00 00 00 00 00 00 00 00 00 00 5E 07 6C 6D 61 6D 61 6E 65 90 00 F3 gpg: DBG: ccid-driver: sending 6F 09 00 00 00 00 15 04 00 00 00 40 05 00 CA 00 C4 00 4B gpg: DBG: ccid-driver: status: 00 error: 00 octet[9]: 04 data: 00 40 09 00 FE FE FE 03 03 03 90 00 24 Signature key : [none] Encryption key: [none] Authentication key: [none] Please select the type of key to generate: (1) Signature key (2) Encryption key (3) Authentication key Your selection? 3 gpg: DBG: ccid-driver: sending 6F 0A 00 00 00 00 16 04 00 00 00 00 06 00 DA 00 C4 01 01 18 gpg: DBG: ccid-driver: status: 00 error: 00 octet[9]: 04 data: 00 00 02 90 00 92 Key is protected. gpg: secret key parts are not available gpg: Key generation failed: general error gpg: DBG: ccid-driver: sending 6F 0A 00 00 00 00 17 04 00 00 00 40 06 00 DA 00 C4 01 00 59 gpg: DBG: ccid-driver: status: 00 error: 00 octet[9]: 04 data: 00 40 02 90 00 D2 -- Lionel ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
OpenPGP smartcard: addcardkey fails
Hi, I'm trying to generate an authentication subkey (tied to my main OpenPGP key) in my OpenPGP (FSFE Fellowship) smartcard (for poldi / SSH use), but can't get it to work. gpg --edit-card and --card-status works like a charm. Command addcardkey gpg: detected reader `SCM SCR 335 (60600ad9) 00 00' Signature key : [none] Encryption key: [none] Authentication key: [none] Please select the type of key to generate: (1) Signature key (2) Encryption key (3) Authentication key Your selection? 3 gpg: 3 Admin PIN attempts remaining before card is permanently locked Admin PIN PIN Key is protected. gpg: secret key parts are not available gpg: Key generation failed: general error Running with --debug 2048 Command addcardkey gpg: DBG: send apdu: c=00 i=CA p0=00 p1=6E lc=-1 le=256 gpg: DBG: PCSC_data: 00 CA 00 6E 00 gpg: DBG: response: sw=9000 datalen=201 gpg: DBG: dump: 4F 10 D2 76 00 01 24 01 01 01 00 01 00 00 03 9D 00 00 73 81 9D C0 01 78 C1 05 01 04 00 00 20 C2 05 01 04 00 00 20 C3 05 01 04 00 00 20 C4 07 00 FE FE FE 03 03 03 C5 3C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C6 3C C4 85 A6 CD 7E C6 6E 9E EC 33 65 F2 70 F2 75 E4 C3 2F 6C A5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CD 0C 00 00 00 00 00 00 00 00 00 00 00 00 5E 07 6C 6D 61 6D 61 6E 65 gpg: DBG: send apdu: c=00 i=CA p0=00 p1=C4 lc=-1 le=256 gpg: DBG: PCSC_data: 00 CA 00 C4 00 gpg: DBG: response: sw=9000 datalen=7 gpg: DBG: dump: 00 FE FE FE 03 03 03 Signature key : [none] Encryption key: [none] Authentication key: [none] Please select the type of key to generate: (1) Signature key (2) Encryption key (3) Authentication key Your selection? 3 gpg: DBG: send apdu: c=00 i=DA p0=00 p1=C4 lc=1 le=-1 gpg: DBG: PCSC_data: 00 DA 00 C4 01 01 gpg: DBG: response: sw=9000 datalen=0 gpg: DBG: dump: Key is protected. gpg: secret key parts are not available gpg: Key generation failed: general error gpg: DBG: send apdu: c=00 i=DA p0=00 p1=C4 lc=1 le=-1 gpg: DBG: PCSC_data: 00 DA 00 C4 01 00 gpg: DBG: response: sw=9000 datalen=0 gpg: DBG: dump: Running pcscd in debug mode gives: ccid_usb.c:375:OpenUSBByName() Found Vendor/Product: 04E6/5115 (SCM SCR 335) ccid_usb.c:377:OpenUSBByName() Using USB bus/device: 002/007 ccid_usb.c:720:get_data_rates() IFD does not support GET_DATA_RATES request: Broken pipe ifdhandler.c:250:IFDHGetCapabilities() lun: 0, tag: 0xFAE ifdhandler.c:292:IFDHGetCapabilities() Reader supports 1 slots ifdhandler.c:725:IFDHPowerICC() lun: 0 Card ATR: 3B FA 13 00 FF 81 31 80 45 00 31 C1 73 C0 01 00 00 90 00 B1 winscard_msg_srv.c:203:SHMProcessEventsServer() Common channel packet arrival winscard_msg_srv.c:212:SHMProcessEventsServer() SHMProcessCommonChannelRequest detects: 7 pcscdaemon.c:151:SVCServiceRunLoop() A new context thread creation is requested: 7 winscard_svc.c:136:ContextThread() Thread is started: 7 winscard_msg_srv.c:274:SHMProcessEventsContext() correctly processed client: 7 winscard_svc.c:178:ContextThread() Client is protocol version 2:0 winscard_msg_srv.c:274:SHMProcessEventsContext() correctly processed client: 7 winscard.c:159:SCardEstablishContext() Establishing Context: 17033377 winscard_msg_srv.c:274:SHMProcessEventsContext() correctly processed client: 7 winscard.c:213:SCardConnect() Attempting Connect to SCM SCR 335 (60600ad9) 00 00 using protocol: 3 prothandler.c:130:PHSetProtocol() Attempting PTS to T=1 ifdhandler.c:375:IFDHSetProtocolParameters() lun: 0, protocol T=1 ifdhandler.c:1171:extra_egt() Extra EGT patch applied winscard.c:323:SCardConnect() Active Protocol: T=1 winscard.c:333:SCardConnect() hCard Identity: 18d6c winscard_msg_srv.c:274:SHMProcessEventsContext() correctly processed client: 7 winscard_msg_srv.c:274:SHMProcessEventsContext() correctly processed client: 7 And then a lot of: winscard_msg_srv.c:274:SHMProcessEventsContext() correctly processed client: 7 winscard.c:1464:SCardTransmit() Send Protocol: T=1 ifdhandler.c:831:IFDHTransmitToICC() lun: 0 winscard_msg_srv.c:274:SHMProcessEventsContext() correctly processed client: 7 winscard.c:1464:SCardTransmit() Send Protocol: T=1 ifdhandler.c:831:IFDHTransmitToICC() lun: 0 Any clue? Thanks in advance. -- Lionel ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OpenPGP smartcard: addcardkey fails
On Wed, Feb 15, 2006 at 07:50:17PM +0100, Lionel Elie Mamane wrote: I'm trying to generate an authentication subkey (tied to my main OpenPGP key) in my OpenPGP (FSFE Fellowship) smartcard (for poldi / SSH use), but can't get it to work. gpg --edit-card and --card-status works like a charm. Forgot to mention: [EMAIL PROTECTED]:~$ gpg --version gpg (GnuPG) 1.4.2 Copyright (C) 2005 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512 Compression: Uncompressed, ZIP, ZLIB, BZIP2 [EMAIL PROTECTED]:~$ /usr/sbin/pcscd --version pcsc-lite version 1.2.9-beta10. Copyright (C) 1999-2002 by David Corcoran [EMAIL PROTECTED]. Copyright (C) 2001-2005 by Ludovic Rousseau [EMAIL PROTECTED]. Copyright (C) 2003-2004 by Damien Sauveron [EMAIL PROTECTED]. Report bugs to sclinux@linuxnet.com. With an SCR335 reader from http://www.kernelconcepts.de/products/security.shtml -- Lionel ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OpenPGP smartcard: addcardkey fails
Lionel Elie Mamane wrote: Hi, I'm trying to generate an authentication subkey (tied to my main OpenPGP key) in my OpenPGP (FSFE Fellowship) smartcard (for poldi / SSH use), but can't get it to work. gpg --edit-card and --card-status works like a charm. Command addcardkey gpg: detected reader `SCM SCR 335 (60600ad9) 00 00' Signature key : [none] Encryption key: [none] Authentication key: [none] Please select the type of key to generate: (1) Signature key (2) Encryption key (3) Authentication key Your selection? 3 gpg: 3 Admin PIN attempts remaining before card is permanently locked Admin PIN PIN Key is protected. gpg: secret key parts are not available gpg: Key generation failed: general error snip Any clue? Thanks in advance. Is the secret part of the primary key available in your local keyring? -- Alphax | /\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email vCards http://tinyurl.com/cc9up| / \ signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users