Re: OT: IM encryption options [was: Re: Is the OpenPGP model still useful?]

2011-07-22 Thread Marcio B. Jr. 
Hello Daniel,
sorry for such a delay; this has been a wild JULY.


On Wed, Jul 6, 2011 at 4:09 PM, Daniel Kahn Gillmor
 wrote:
> On 07/06/2011 01:28 PM, Marcio B. Jr. wrote:
>> So far, OTR adoption seems unjustifiable, really. I mean, it uses the
>> Diffie-Hellman key exchange method with block ciphers.
>
> Why does this seem unjustifiable to you?  DH and block ciphers are
> widely-reviewed parts of the standard crypto toolkit.  Do you have
> reason to believe they're generally bad?


It seems unjustifiable because there exists an option in which secret
keys need not to take risks. And if there's any security concern and
one's to choose between zero risk and any other positive-value risk,
it's reasonable to pick the former.


>> As of what I got from your (Robert) explanation plus some preliminary
>> conclusions of my studies, making use of asymmetric algos with OpenPGP
>> would be more coherent and secure, mathematically. Is it correct?
>
> Not all of these decisions should be made on purely mathematical
> grounds.  Consider, for example, pidgin's old GPG plugin (i dont know
> whether it is still in use or under development)
>
> It worked by signing and encrypting each message before it was sent, and
> decrypting and verifying each response.
>
> However, IM messages tend to be heavily context-dependent, which makes
> them vulnerable to replay attacks.


No secret key can ever be intercepted or shared.


> For example, how many times have you written on IRC (or whatever IM
> network you use) the simple phrase "i agree"?
>
> If each message is individually signed and verified, it'd be relatively
> easy for an attacker to replay your "i agree" in another conversation,
> making it look like you agreed to something you hadn't actually agreed
> to.  OTR's stream-based approach ensures that messages are only
> authenticated as part of a single, two-party conversation.  There is no
> room for a replay attack.


I am obviously considering signing and encrypting.


> OTR also is designed so that a third-party (one not involved in the
> original communication can't conclusively prove that you wrote
> something.  this is the "off the record" part of OTR.  It's debatable
> how useful this so-called "repudiability" would be in, say, a court of
> law; but individually-signed messages clearly do *not* have this kind of
> repudiability; anyone in possession of one of these messages can
> convince any third party that you did in fact write the message.


There is secrecy sharing so maintenance of this repudiability's
effectiveness is not entirely up to you.


Regards,



Marcio Barbado, Jr.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: secring and dropbox

2011-07-22 Thread Michel Messerschmidt 
On Thu, Jul 21, 2011 at 05:17:27PM -0600, Aaron Toponce wrote:
> On Thu, Jul 21, 2011 at 05:15:25PM -0600, Aaron Toponce wrote:
> > So, it appears I'm missing some configuration in Mutt then, as it remains
> > as the PGP message without any attempt to get to the plain text. Also, how
> > do you get the plain text? I can verify the signature, but can't seem to
> > get the text out of the signature.
> 
> Nevermind. I can do it manually, but I'm not sure what I'm missing with
> Mutt. Any Mutt users here that can help me out?

mutt handled the message without error here.

In addition to the settings from gpg.rc my .muttrc contains:
set pgp_use_gpg_agent = yes
set pgp_auto_decode = yes

(I use gpg version 2.0.14)


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg-agent automatically use passphrase for signing subkey?

2011-07-22 Thread Charly Avital 
Chris Poole

wrote on 7/22/11 10:38:39 AM:
> On Thu, Jul 21, 2011 at 5:30 PM, Charly Avital  wrote:
>> When your passphrase has been cached for each of those *actions*, it
>> will remain in gpg-agent's "memory" for the duration of the cache set in
>> your home directory ~/.gnupg/gpg-agent.conf
> 
> That's a shame, but thanks.

Shame?
I find it very convenient.

Take care and have a fine week end.
Charly


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg-agent automatically use passphrase for signing subkey?

2011-07-22 Thread Chris Poole 
On Thu, Jul 21, 2011 at 5:30 PM, Charly Avital  wrote:

> gpg-agent "goes" by *actions*:  decrypt, or sign.
>
> gpg-agent is invoked whenever you use your secret key, either for
> decrypting or for signing.
>
> As far as gpg-agent is concerned, those are two different *actions*.
>
> When your passphrase has been cached for each of those *actions*, it
> will remain in gpg-agent's "memory" for the duration of the cache set in
> your home directory ~/.gnupg/gpg-agent.conf

That's a shame, but thanks.


Cheers


Chris Poole
[PGP BAD246F9]

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users