Re: Necessity of GPG when using SSL
Benjamin Esham wrote on 20.02.2006 7:50:
> John Clizbe wrote:
>> Earthlink and Google's GMail use https on their signin page then
>> switch over to http once authenticated
>
> I saw a neat trick somewhere online... if you use
> "https://mail.google.com" as your login page for Gmail, the entire
> session is encrypted. I haven't used the normal method since I learned
> how to do this. I hope someone finds this helpful! :-)

This is even included in Gmail help and recommended by Google:
https://mail.google.com/support/bin/answer.py?answer=8155

I don't understand why it isn't enabled by default.

For example, at https://www.safe-mail.net/ you can use the web interface
only via https://

--
Regards
OpenPGP Key ID: 0x9E353B56500B8987
Encrypted e-mail preferred.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Necessity of GPG when using SSL
John Clizbe wrote:
> Henry Hertz Hobbit wrote:
>> Usually, if you are using a web interface to access your email, only the
>> initial authentication is done via SSL. After that, if your URL address
>> shifts to using "http://" rather than the "https://" you made your
>> initial connection with, it means that your communication just shifted
>> from SSL (weak encryption) to NO encryption. That is the norm.
>
> Of three major US providers I have experience with: Earthlink and
> Google's GMail use https on their signin page then switch over to http
> once authenticated

I saw a neat trick somewhere online... if you use "https://mail.google.com"
as your login page for Gmail, the entire session is encrypted. I haven't
used the normal method since I learned how to do this. I hope someone finds
this helpful! :-)

Cheers,
--
Benjamin D. Esham
[EMAIL PROTECTED] | http://bdesham.net | AIM: bdesham128
Wikipedia, the Free Encyclopedia • http://en.wikipedia.org
Re: Finally: Login via SSH authentication with OpenPGP smart card & 100% Free Software PCMCIA reader
On Sat, Feb 18, 2006 at 07:25:46AM +0100, Lionel Elie Mamane wrote:
> On Sat, Feb 18, 2006 at 12:33:03AM +0200, Alon Bar-Lev wrote:
>> I still don't understand why you use PKCS#1, PKCS#8, X.509, CMC,
>> S/MIME and more... Why don't you invent some replacements for these
>> too?
> Big news for you: We are here precisely because we prefer OpenPGP to
> S/MIME.

And isn't PGP like way older than S/MIME anyway? The release of PGP 1.0 was
in 1991. (Not that we are still interoperable with it. Comparing with PGP 2
would probably be more fair... I dunno when that is, but PGP 2.6.2 is 1994.)
S/MIME seems to be born with RFC 1847, October 1995.

--
Lionel
On protocols [was: Finally: Login via SSH authentication with OpenPGP smart card & 100% Free Software PCMCIA reader]
On Sun, Feb 19, 2006 at 02:54:13PM -0500, Nicholas Sushkin wrote:
> On Sunday 19 February 2006 01:14, [EMAIL PROTECTED] wrote:
>> On Sat, Feb 18, 2006 at 12:33:03AM +0200, Alon Bar-Lev wrote:
>>> I still don't understand why you use PKCS#1, PKCS#8, X.509, CMC,
>>> S/MIME and more... Why don't you invent some replacements for
>>> these too?
>> Big news for you: We are here precisely because we prefer OpenPGP
>> to S/MIME. And *I* certainly don't use S/MIME. I use X.509 when
>> really, really forced to (for TLS/SSL HTTP, jabber, POP3, IMAP4,
>> ... servers), and then usually in a "flat" mode (self-signed certs,
>> my own CA, ...).
> Realistically speaking, when free software does not interoperate
> with the commercial software with a large mindshare, it's the free
> software's loss.

You seem to use "commercial" antagonistically to "free". Software can be
both free (as in freedom) and commercial (that is, written with the goal of
earning money).

Realistically, in the crowds I hang out with, it is OpenPGP that has the
mindshare. So even if I would prefer S/MIME, I'd be forced to use OpenPGP
by the network effect. Other crowds force you to use S/MIME through the
network effect. That's the nature of social crowds.

And AFAIK, there is free software that supports S/MIME, isn't there? I have
never tried to use it (by lack of any necessity or usefulness: nobody to
communicate _with_), but I'm not hearing that it doesn't work or doesn't
interoperate with proprietary implementations.

--
Lionel
Re: cURL keyserver handlers broken
David Shaw wrote:
> On Mon, Feb 20, 2006 at 01:52:40AM +1030, Alphax wrote:
>> David Shaw wrote:
>>> That looks correct so far. I don't suppose you have an environment
>>> variable http_proxy set?
>>
>> Yes, but I thought that --no-options would disable it... also, I've
>> tried using an options file without the proxy-enabling options...
>>
>> So that's the problem eh? Any way to get around it? Should I just move
>> all http-proxy stuff to config files?
>
> If you set "keyserver-option no-http-proxy", the proxy will be
> disabled, even if you have the environment variable set.

Thanks, works like a charm. Added to my config file.

--
Alphax                      |    /"\
Encrypted Email Preferred   |    \ /  ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |     X   Against HTML email & vCards
http://tinyurl.com/cc9up    |    / \
Re: Necessity of GPG when using SSL
Johan Wevers wrote:
> Henry Hertz Hobbit wrote:
>> Usually, if you are using a web interface to access your email, only the
>> initial authentication is done via SSL. After that, if your URL address
>> shifts to using "http://" rather than the "https://" you made your
>> initial connection with, it means that your communication just shifted
>> from SSL (weak encryption) to NO encryption. That is the norm.
>
> Strange, I've never seen that happen. All webmail from Dutch providers
> that I've accessed (my own and some for people with problems where I
> accessed the mail to dump mails with large attachments that took too long
> to download) were https all the way.

Of three major US providers I have experience with:

Earthlink and Google's GMail use https on their signin page then switch
over to http once authenticated.

Comcast starts with an HTTP page, posts the info to an https URL to set a
cookie, then returns to http. Not a very good implementation.

--
John P. Clizbe                      Inet: JPClizbe(a)comcast DOT nyet
Golden Bear Networks                PGP/GPG KeyID: 0x608D2A10
"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"
Re: Remote signing?
Matthias Urlichs wrote:
> I need to sign files remotely. They're moderately large
> Ideas?

Use md5sum|sha1sum|[...] and sign the resulting file.

Ciao,
Bjørn
Re: Using an official Austrian key on a smartcard with OpenPG
Reinhold Kainhofer wrote:
> Hi all,
> I have a key on an official Austrian banking card (the operating system of
> the card is ACOS, the company that provides the keys is a-trust). How can I
> use this card with my Reiner SCT CyberJack card reader to sign mails using
> gnupg?
>
> The card's OS is proprietary (it also doesn't seem to be a pkcs#15 card),
> but a PKCS#11 library for mozilla is provided. This works just fine in
> mozilla, however, I want to sign mails in kmail, which only uses gnupg.

Hi Reinhold,

There is at present no PKCS#11 support in GnuPG that I know of. The only
smartcard support I'm aware of is the OpenPGP card. And since it works with
Mozilla, I suspect your banking card is using an X.509 certificate, not a
PGP key.

--
John P. Clizbe                      Inet: JPClizbe(a)comcast DOT nyet
Golden Bear Networks                PGP/GPG KeyID: 0x608D2A10
"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"
Using an official Austrian key on a smartcard with OpenPG
Hi all,

I have a key on an official Austrian banking card (the operating system of
the card is ACOS, the company that provides the keys is a-trust). How can I
use this card with my Reiner SCT CyberJack card reader to sign mails using
gnupg?

The card's OS is proprietary (it also doesn't seem to be a pkcs#15 card),
but a PKCS#11 library for mozilla is provided. This works just fine in
mozilla, however, I want to sign mails in kmail, which only uses gnupg.

gpg --card-status doesn't seem to detect the card.

Cheers,
Reinhold

--
Reinhold Kainhofer, Vienna, Austria
email: [EMAIL PROTECTED], http://reinhold.kainhofer.com/
 * Financial and Actuarial Mathematics, TU Wien, http://www.fam.tuwien.ac.at
 * K Desktop Environment, http://www.kde.org/, KOrganizer maintainer
Re: Finally: Login via SSH authentication with OpenPGP smart card & 100% Free Software PCMCIA reader
On Sunday 19 February 2006 01:14, [EMAIL PROTECTED] wrote:
> On Sat, Feb 18, 2006 at 12:33:03AM +0200, Alon Bar-Lev wrote:
> > I still don't understand why you use PKCS#1, PKCS#8, X.509, CMC,
> > S/MIME and more... Why don't you invent some replacements for these
> > too?
>
> Big news for you: We are here precisely because we prefer OpenPGP to
> S/MIME. And *I* certainly don't use S/MIME. I use X.509 when really,
> really forced to (for TLS/SSL HTTP, jabber, POP3, IMAP4, ... servers),
> and then usually in a "flat" mode (self-signed certs, my own CA,
> ...).

Realistically speaking, when free software does not interoperate with the
commercial software with a large mindshare, it's the free software's loss.
On the other hand, the Samba project that enabled interoperation enjoyed
tremendous support and success.

--
Nick
Re: Necessity of GPG when using SSL
Henry Hertz Hobbit wrote:
> Usually, if you are using a web interface to access your email, only the
> initial authentication is done via SSL. After that, if your URL address
> shifts to using "http://" rather than the "https://" you made your
> initial connection with, it means that your communication just shifted
> from SSL (weak encryption) to NO encryption. That is the norm.

Strange, I've never seen that happen. All webmail from Dutch providers that
I've accessed (my own and some for people with problems where I accessed
the mail to dump mails with large attachments that took too long to
download) were https all the way.

--
ir. J.C.A. Wevers      //  Physics and science fiction site:
[EMAIL PROTECTED]      //  http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
Re: Remote signing?
On Sun, Feb 19, 2006 at 06:07:56AM +0100, Matthias Urlichs wrote:
> Hello,
>
> I need to sign files remotely. They're moderately large, so transmitting
> them back to my firewalled-off laptop (I'm usually behind a slow line),
> where the secret key lives, isn't a good idea.

You have two good options. Which is the best option depends on your exact
circumstances.

The first option is to hash the files remotely, with something like:

  gpg --print-md sha256 (thefile)

and then make a text file of hashes on your local laptop and sign that text
file. This option presumes that the link between the remote machine and
your local machine is secure so that someone replacing the hash between the
remote and local machine is not a risk.

The other option is to make a new key (or new subkey) that can live on the
remote machine. This key would be signed with your main key so there is a
chain of trust. The disadvantage here is that if the remote machine (and
thus the key living there) is compromised, the attacker may issue
signatures using that key. You can revoke the key, of course, but this
assumes that the recipients can get the revocation.

David
Re: Remote signing?
On Sun, Feb 19, 2006 at 06:07:56AM +0100, Matthias Urlichs wrote:
> Hello,
>
> I need to sign files remotely. They're moderately large, so transmitting
> them back to my firewalled-off laptop (I'm usually behind a slow line),
> where the secret key lives, isn't a good idea.

create (and rotate frequently) a signing subkey and export it where the
files live & sign there

a
Re: Remote signing?
Seeing as a detached sig is just a signed hash, you could hash the file
remotely then copy the hash over and construct a detached sig from that. I
imagine no current app supports that kind of thing(??) so that might
involve X amount of pissing about coding your own solution.

Many folk just run sha1sum and sign the output of that. It requires an
extra command to be run to verify but nothing major.

On 2/19/06, Matthias Urlichs <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I need to sign files remotely. They're moderately large, so transmitting
> them back to my firewalled-off laptop (I'm usually behind a slow line),
> where the secret key lives, isn't a good idea.
>
> Ideas?
>
> --
> Matthias Urlichs
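The hash-manifest workflow David and the reply above describe, as an added example that is not code from any poster: the remote host produces a sha*sum-style manifest (or you run `gpg --print-md sha256` / `sha1sum` there), the manifest text goes home to be signed with gpg, and the recipient, once `gpg --verify` has accepted that signature, checks each file against it. It goes a little beyond the thread by parsing both `sha256sum` output and `gpg --print-md` output; the wrapped, indented layout assumed for the latter is my recollection of gpg's formatting, not something the thread states, and the sample digests in the test are constructed.

```python
import hashlib
import re
from pathlib import Path

# digest length in hex characters -> hashlib algorithm name
_ALGO_BY_LEN = {40: "sha1", 64: "sha256", 128: "sha512"}
# sha1sum/sha256sum-style line: "<hex>  <name>" (coreutils binary mode adds "*")
_SUM_LINE = re.compile(r"^([0-9a-fA-F]{40,128})\s+\*?(.+)$")
# gpg --print-md-style line: "<name>: AB12 CD34 ..." (assumed layout, hex in groups of 4)
_GPG_LINE = re.compile(r"^(\S.*?):\s+((?:[0-9A-Fa-f]{4}\s*)+)$")


def parse_manifest(text):
    """Return {name: (algorithm, lowercase hex digest)} from manifest text.

    Accepts sha*sum output and gpg --print-md output; a gpg digest that wraps
    onto indented continuation lines (assumed for SHA-256/512) is rejoined.
    """
    parts, current = {}, None
    for line in text.splitlines():
        if current and line[:1] in (" ", "\t") and line.strip():
            parts[current].extend(line.split())  # wrapped digest continues here
            continue
        current = None
        if not line.strip():
            continue
        if m := _SUM_LINE.match(line.strip()):
            parts[m.group(2)] = [m.group(1)]
        elif m := _GPG_LINE.match(line.rstrip()):
            current = m.group(1)
            parts[current] = m.group(2).split()
        else:
            raise ValueError(f"unrecognised manifest line: {line!r}")
    out = {}
    for name, chunks in parts.items():
        digest = "".join(chunks).lower()
        if len(digest) not in _ALGO_BY_LEN:
            raise ValueError(f"{name}: {len(digest)} hex digits is no known digest")
        out[name] = (_ALGO_BY_LEN[len(digest)], digest)
    return out


def hash_file(path, algo="sha256"):
    """Hash a file in 1 MiB chunks so large files never have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, names, algo="sha256"):
    """Remote side: sha*sum-style text that is sent home and signed with gpg."""
    return "".join(f"{hash_file(Path(root, n), algo)}  {n}\n" for n in names)


def verify_manifest(text, root):
    """Recipient side, once gpg --verify has accepted the signature on `text`:
    {name: "OK" | "MISMATCH" | "MISSING"} for every entry in the manifest."""
    status = {}
    for name, (algo, digest) in parse_manifest(text).items():
        path = Path(root, name)
        if not path.is_file():
            status[name] = "MISSING"
        else:
            status[name] = "OK" if hash_file(path, algo) == digest else "MISMATCH"
    return status
```

An unsigned manifest proves nothing about who hashed the files, which is why the signature check on the manifest text comes first and this code only covers the hashing and comparison halves.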
Re: cURL keyserver handlers broken
On Mon, Feb 20, 2006 at 01:52:40AM +1030, Alphax wrote:
> David Shaw wrote:
> > On Sun, Feb 19, 2006 at 11:24:40PM +1030, Alphax wrote:
> >> Host: sks.keyserver.penguin.de
> >> Command:SEARCH
> >> gpgkeys: HTTP URL is
> >> `http://sks.keyserver.penguin.de:11371/pks/lookup?op=index&options=mr
> >> &search=Alphax'
> >> ?: localhost: Unable to connect: ec=0
> >> gpgkeys: HTTP search error 7: couldn't connect: No error
> >
> > That looks correct so far. I don't suppose you have an environment
> > variable http_proxy set?
>
> Yes, but I thought that --no-options would disable it... also, I've
> tried using an options file without the proxy-enabling options...
>
> So that's the problem eh? Any way to get around it? Should I just move
> all http-proxy stuff to config files?

If you set "keyserver-option no-http-proxy", the proxy will be
disabled, even if you have the environment variable set.

David
Re: cURL keyserver handlers broken
David Shaw wrote:
> On Sun, Feb 19, 2006 at 11:24:40PM +1030, Alphax wrote:
>> Host: sks.keyserver.penguin.de
>> Command:SEARCH
>> gpgkeys: HTTP URL is
>> `http://sks.keyserver.penguin.de:11371/pks/lookup?op=index&options=mr
>> &search=Alphax'
>> ?: localhost: Unable to connect: ec=0
>> gpgkeys: HTTP search error 7: couldn't connect: No error
>
> That looks correct so far. I don't suppose you have an environment
> variable http_proxy set?

Yes, but I thought that --no-options would disable it... also, I've
tried using an options file without the proxy-enabling options...

So that's the problem eh? Any way to get around it? Should I just move
all http-proxy stuff to config files?

--
Alphax                      |    /"\
Encrypted Email Preferred   |    \ /  ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |     X   Against HTML email & vCards
http://tinyurl.com/cc9up    |    / \
Re: cURL keyserver handlers broken
On Sun, Feb 19, 2006 at 11:24:40PM +1030, Alphax wrote:
> Host: sks.keyserver.penguin.de
> Command:SEARCH
> gpgkeys: HTTP URL is
> `http://sks.keyserver.penguin.de:11371/pks/lookup?op=index&options=mr
> &search=Alphax'
> ?: localhost: Unable to connect: ec=0
> gpgkeys: HTTP search error 7: couldn't connect: No error

That looks correct so far. I don't suppose you have an environment
variable http_proxy set?

David
Re: cURL keyserver handlers broken
David Shaw wrote:
> On Sun, Feb 19, 2006 at 04:42:19PM +1030, Alphax wrote:
>> David Shaw wrote:
>>> On Sun, Feb 19, 2006 at 04:09:32PM +1030, Alphax wrote:
>>>> Under GPG 1.4.3rc1 I'm completely unable to get the cURL-type
>>>> keyserver handlers to function correctly. For example, using the
>>>> following command:
>>>>
>>>> gpg --no-options --keyserver sks.keyserver.penguin.de --search Alphax
>>>>
>>>> I get the error:
>>>>
>>>> ?: localhost: Unable to connect: ec=0
>>>> gpgkeys: HTTP search error 7: couldn't connect: No error
>>>
>>> Keep in mind 1.4.3rc1 is a development version and hasn't been
>>> released yet. gnupg-devel would be a more appropriate place.
>>>
>>> That said, please run with:
>>>
>>>   --debug 1024 --keyserver-options keep-temp-files
>>>
>>> added to your command line, and post the results as well as the
>>> contents of your tempin.txt file (the location of the tempin.txt file
>>> may vary on different systems, but will be shown in the debug
>>> output). It looks like you're not talking to sks.keyserver.penguin.de
>>> at all.
>>
>> Well, I know it exists; the second time I ran it (using an older version
>> of GPG) I *did* get results.
>
> No question that it exists. Just that gpgkeys wasn't talking to it...
>
> The output you sent is helpful. Can you do another run, but add:
> --keyserver-options verbose verbose verbose
>
> (that's 3x verbose)

gpg --no-options --debug 1024 --keyserver-options verbose --keyserver-options verbose --keyserver-options verbose --keyserver-options keep-temp-files --keyserver sks.keyserver.penguin.de --search Alphax

gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
gpg: DBG: expanding string "C:\GnuPG\gpgkeys_hkp.exe -o "%O" "%I""
gpg: DBG: args expanded to "C:\GnuPG\gpgkeys_hkp.exe -o "C:\DOCUME~1\Andrew\LOCALS~1\Temp\gpg-6CC115\tempout.txt" "C:\DOCUME~1\Andrew\LOCALS~1\Temp\gpg-6CC115\tempin.txt"", use 1, keep 1
gpg: DBG: using temp file `C:\DOCUME~1\Andrew\LOCALS~1\Temp\gpg-6CC115\tempin.txt'
gpg: searching for "Alphax" from hkp server sks.keyserver.penguin.de
gpg: DBG: system() command is C:\GnuPG\gpgkeys_hkp.exe -o "C:\DOCUME~1\Andrew\LOCALS~1\Temp\gpg-6CC115\tempout.txt" "C:\DOCUME~1\Andrew\LOCALS~1\Temp\gpg-6CC115\tempin.txt"
Host: sks.keyserver.penguin.de
Command:SEARCH
gpgkeys: HTTP URL is
`http://sks.keyserver.penguin.de:11371/pks/lookup?op=index&options=mr
&search=Alphax'
?: localhost: Unable to connect: ec=0
gpgkeys: HTTP search error 7: couldn't connect: No error
gpg: key "Alphax" not found on keyserver
secmem usage: 1408/1408 bytes in 2/2 blocks of pool 1408/32768

The only difference in tempin.txt was that "OPTION verbose" appeared three
times..

--
Alphax                      |    /"\
Encrypted Email Preferred   |    \ /  ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |     X   Against HTML email & vCards
http://tinyurl.com/cc9up    |    / \
Remote signing?
Hello,

I need to sign files remotely. They're moderately large, so transmitting
them back to my firewalled-off laptop (I'm usually behind a slow line),
where the secret key lives, isn't a good idea.

Ideas?

--
Matthias Urlichs
Re: OpenLDAP schema to store OpenPGP keys?
Peter Palfrader wrote:
> http://asteria.noreply.org/~weasel/PGPKeyserverSchema.zip

Thanks! One question, though: Where is this schema from? Is it the "new"
one the GnuPG announcement was talking about or is it a schema shipped with
a commercial(?) keyserver?

> If you get an LDAP keyserver running please document your steps
> somewhere and let us know.

I will.

Regards,
Walter