Re: Web of Trust itself is the problem
Am Montag, den 11.01.2010, 01:26 -0500 schrieb Robert J. Hansen: > On 01/10/2010 10:57 PM, Faramir wrote: > ...I just about had a heart attack. The > voting authorities thought this was just fine... > > _ You are obviously not loved by the voting authorities :-) Greetings from the Black Forest! Bernhard > __ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users signature.asc Description: Dies ist ein digital signierter Nachrichtenteil ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: very short plaintexts symmetrically encrypted
On Sun, 10 Jan 2010 14:02 +0100, "Werner Koch" wrote: > On Sun, 10 Jan 2010 04:44:35 -0500, ved...@hush.com wrote: > > > symmetrical encryption is a simple way to avoid signing, while > > still maintaining relative reliability of knowledge as to who sent > > the message > > That is not true. For example you can't detect a replay or MitM > attack. Forgive me, but how is a MitM attack possible against a symmetric cypher using a shared, secret key? A MitM attack is really an attack on key exchange, as it requires the MitM to intercept at least one public key, and substitute another (one of his own) for it. Using symmetric crpyto, however, the key must be prearranged, or exchanged by some other trusted means. Assuming only the sender and receiver of the message know the secret key, I fail to see what a MitM can accomplish. Of course, if we just broadcast the secret key on the Internet, or something, then it's not much good--but anyone using symmetric crypto should know better. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Web of Trust itself is the problem
David Shaw writes, in part: -+- | It's not that they gave it a bit of thought and decided | against it for whatever reason - they never gave it even a | moment of thought. The only crypto they use is the crypto | that is invisible to them (usually https, which is pretty | invisible). I used to work at Verdasys. One of the strong selling points with its customers is as you say, for crypto to be in place but with no user the wiser nor need that they be. A piece of marketing material: http://www.verdasys.com/images/uploads/Encryption_DataSheet.pdf There are quite a few installations of the above at the >100,000 seats level (enterprise deployment). --dan ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Gnupg-users Digest, Vol 76, Issue 11
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 For those of us without ACM access, these papers are freely available at: 1) http://simson.net/ref/2004/chi2005_smime_submitted.pdf 2) http://www.soe.ucsc.edu/classes/cmps223/Spring09/Gaw%2006.pdf Avi -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) - GPGshell v3.75 Comment: Most recent key: Click show in box @ http://is.gd/4xJrs iF4EAREKAAYFAktLVnQACgkQDWKwGfgOKfkAcwD+Ipg7IQboIQjrhlNiKxNDhY6E 7gO6w3hT2/bhjOe6b/wA/iT2O6lmOgfWmrxDpCT5qUQ5RR+KdYHN/ZM61dBYqkmM =tjCQ -END PGP SIGNATURE- User:Avraham pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key) Primary key fingerprint: 167C 063F 7981 A1F6 71EC ABAA 0D62 B019 F80E 29F9 From: "Robert J. Hansen" > To: "Mario Castelán Castro" > Date: Sun, 10 Jan 2010 23:37:12 -0500 > Subject: Re: Web of Trust itself is the problem > On 01/10/2010 11:01 PM, Mario Castelán Castro wrote: > >> Crypto is not like this. Sure, you don't need to understand Feistel > >> networks or large number theory in order to use crypto, but look at > >> what you *do* need to understand: [...] > > > > Is good if you know that, you will use the crypto better but is not > > nessesary IMO. Can you explain why that things are *nessesary* in > > order to use crypto?, we have "user friendly" crypto programs like > > seahorse, I can't figure out someone is unable to use it with the > > available "user friendly" software like seahorse. > > Read this paper: > >Garfinkel, S. L., Margrave, D., Schiller, J. I., >Nordlander, E., and Miller, R. C. 2005. How to make secure >email easier to use. In _Proceedings of the SIGCHI Conference >on Human Factors in Computing Systems_ (Portland, Oregon, USA, >April 02 - 07, 2005). CHI '05. ACM, New York, NY, 701-710. >DOI= http://doi.acm.org/10.1145/1054972.1055069 > > Also read this paper: > >Gaw, S., Felten, E. W., and >Fernandez-Kelly, P. 2006. Secrecy, flagging, and >paranoia: adoption criteria in encrypted email. >In Proceedings of the SIGCHI Conference on Human >Factors in Computing Systems (Montreal, Quebec, >Canada, April 22 - 27, 2006). R. Grinter, >T. Rodden, P. Aoki, E. Cutrell, R. Jeffries, and >G. Olson, Eds. CHI '06. ACM, New York, NY, 591-600. >DOI= http://doi.acm.org/10.1145/1124772.1124862 > > > Once you've read them, then let's have this conversation again. The > obstacles we face in crypto adoption are not related to user interfaces. > They're related to users. > > ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
[Announce] GPGME 1.3.0 released
Hi, We are pleased to announce version 1.3.0 of GnuPG Made Easy, a library designed to make access to GnuPG easier for applications. It may be found in the file (about 1.2 MB/870 KB compressed) ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.3.0.tar.gz ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.3.0.tar.bz2 The following files are also available: ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.3.0.tar.gz.sig ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.3.0.tar.bz2.sig It should soon appear on the mirrors listed at: http://www.gnupg.org/mirrors.html Bug reports and requests for assistance should be sent to: gnupg-de...@gnupg.org The sha1sum checksums for this distibution are 0db69082abfbbbaf86c3ab0906f5137de900da73 gpgme-1.3.0.tar.bz2 5365180827aa67dede556594587ee770536021a2 gpgme-1.3.0.tar.bz2.sig c7d17b6451fb7770bee696a3fe359c7f6c1be12a gpgme-1.3.0.tar.gz 573a099bf996b03d0c91796a6a403133fab7798a gpgme-1.3.0.tar.sig Noteworthy changes in version 1.3.0 (2010-01-11) * GPGME does not come with an internal libassuan version anymore. The external libassuan 1.1.0 release or later is required. For application programmers on systems that can resolve inter-library dependencies at runtime, this is a transparent change. * New engine GPGME_PROTOCOL_G13 to support the new g13 tool. * New engine GPGME_PROTOCOL_UISERVER to support UI Servers. * New API to change the passpgrase of a key. * Interface changes relative to the 1.2.0 release: ~~~ GPGME_STATUS_INV_SGNRNEW. GPGME_STATUS_NO_SGNR NEW. GPGME_PROTOCOL_G13 NEW. gpgme_op_g13_mount NEW. gpgme_g13_result_t NEW. GPGME_PK_ECDSA NEW. GPGME_PK_ECDHNEW. gpgme_op_passwd_startNEW. gpgme_op_passwd NEW. ~~~ Marcus Brinkmann m...@g10code.de -- g10 Code GmbH http://g10code.com AmtsGer. Wuppertal HRB 14459 Hüttenstr. 61 Geschäftsführung Werner Koch D-40699 Erkrath -=- The GnuPG Experts -=- USt-Id DE215605608 ___ Gnupg-announce mailing list gnupg-annou...@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users