Re: Protecting IDs at a key signing party

2012-01-22 Thread Peter Lebbing
On 21/01/12 23:01, Robert J. Hansen wrote:
> Then they're signing it with *their* certificate, backed up by
> credentials that you yourself checked.  How is this a problem?

While I generally agree with you on the rest of your mail, this is not
necessarily the case. You met them at a keysigning party. They probably
presented you something they thought would prove their identity. If you read
"checked" as "you looked at it", then yes, probably that is also true :).
But I interpret "checked" here as "verified it was okay", and that is not
necessarily the case.

By the way, I think it's courtesy to send the signature to the key owner.
But it is not a security issue.

I have so far attended a keysigning party once. I noticed a few people had
not published my signature (don't know why)[1]. This also weakened my own
Web of Trust, which was not a big issue, but I still decided to do local
signatures on those keys that did not have my exportable signature. Fine.
But I also have a laptop, so I needed to export my local signatures,
etcetera. A lot of overhead, what with checking fingerprints again for the
local signature, all for a bit of courtesy...

Peter.

[1] I have a slight tremor in the hands, and I noticed sometimes my passport
shook a bit while I was holding it up so the person in front of me could
check it. Perhaps they thought I was bloody nervous because I was trying to
trick them??

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Using root CAs as a trusted 3rd party

2012-01-22 Thread Gregor Zattler
Hi Aaron, gnupg users,
* Aaron Toponce aaron.topo...@gmail.com [21. Jan. 2012]:
> On Sat, Jan 21, 2012 at 10:50:11PM +0100, Gregor Zattler wrote:
>> IMHO by signing a key you make a statement about the connection
>> between a person or owner and the user id you sign, saying "I
>> somehow convinced myself that user owns this key".  This only
>> makes sense if you have some insight into the matter that a
>> person which is confronted with the key only cannot have.  Your
>> signature should add some information.  Merely saying "I'm
>> convinced that the user is the owner/originator of the key
>> because someone else already signed this key" does not make much
>> sense to me.  I think you should have added a notation explaining
>> your reasoning.
>
> I trust the encrypted connection between my browser and my bank, because
> the certificate they present to my browser is signed by a root CA that is
> installed in the browser.

I do the same since my bank refuses unwaveringly to send me their
certificate by snail mail.  Yes I actually asked them to send me
their certificate but they explicitly refused to do so and told
me I am free to quit my account.  In this dispute I learned I'm
the only customer ever to ask for their certificate.

> It seems possible to make a valid corollary with
> OpenPGP keys. I trust a key belongs to a specific user, because that key is
> presented to be owned by a specific person is signed by a root CA.
>
> Essentially, I'm using a CA as a 3rd party to casually establish identity.
> At this point, I can rest assured that the key this person claims is theirs
> is actually theirs.

Sure.  Nothing wrong with that.  You look at the key, see it's
signed by the CA, you check the signature and decide
*for yourself* that this is proof enough, that this is the user's
key.  You take the risk.

But don't use this as an argument to sign the key because then
you are making a public statement instead of a private
reasoning:


Next time I use the very same key: I see the signature of the
CA.  Now there are two possibilities:

a) I trust the CA.  Then I check their signature, see it's good
   and I'm convinced it's the valid key of the user.
   What does your signature help me in this instance?


b) I do not trust the CA.  Therefore I don't even bother to check
   their signature.  So I can't trust the validity of the key.
   But stop: There is a signature of Aaron Toponce.  For the sake
   of the argument, let's assume we met at a key signing party,
   signed our respective keys and had a nice talk then.  Now I
   see the user's key is signed with a fully trusted key (yours)
   and therefore I might consider it valid -- but only because
   you trust a CA I don't trust.

   In my opinion that's the wrong outcome.


Please sign keys only because of your own judgement on some facts
not present with the key alone, not others (the CA).

Ciao, Gregor
-- 
 -... --- .-. . -.. ..--.. ...-.-

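The two cases Gregor walks through (a: I trust the CA; b: I don't, but Aaron's fully trusted key has signed) are exactly what GnuPG's classic trust model computes. The following is an added illustration, not code from the thread or from GnuPG: it models key validity with GnuPG's default thresholds (one fully trusted signer, or three marginally trusted signers, validates a key; signatures from keys that are not themselves valid count for nothing). The key names "me", "aaron", "ca" and "user" are placeholders for the parties in the post; max-cert-depth and per-user-ID validity are deliberately left out, which is an assumption of this simplified model.

```python
from dataclasses import dataclass, field

COMPLETES_NEEDED = 1   # GnuPG default: one fully trusted signer validates a key
MARGINALS_NEEDED = 3   # GnuPG default: three marginally trusted signers do the same
# Assumption: max-cert-depth and per-user-ID validity are ignored in this model.


@dataclass
class Key:
    name: str
    signers: set = field(default_factory=set)   # keys whose certification this key carries


def compute_validity(keys: dict, ownertrust: dict) -> dict:
    """Return {key name: 'full' | 'unknown'} for every key.

    A key is valid if it is ultimately trusted, or if at least COMPLETES_NEEDED
    *valid* keys with 'full' (or 'ultimate') ownertrust have signed it, or at
    least MARGINALS_NEEDED *valid* keys with 'marginal' ownertrust have.
    Iterate to a fixed point because validity propagates along signatures.
    """
    valid = {name for name, trust in ownertrust.items() if trust == "ultimate"}
    changed = True
    while changed:
        changed = False
        for name, key in keys.items():
            if name in valid:
                continue
            fulls = sum(1 for s in key.signers
                        if s in valid and ownertrust.get(s) in ("full", "ultimate"))
            margs = sum(1 for s in key.signers
                        if s in valid and ownertrust.get(s) == "marginal")
            if fulls >= COMPLETES_NEEDED or margs >= MARGINALS_NEEDED:
                valid.add(name)
                changed = True
    return {name: ("full" if name in valid else "unknown") for name in keys}


def gregor_scenario(i_trust_the_ca: bool, aaron_signed: bool) -> str:
    """Validity of the 'user' key as seen from 'me' in the two cases of the post."""
    keys = {n: Key(n) for n in ("me", "aaron", "ca", "user")}
    keys["aaron"].signers.add("me")       # met at a key signing party, signed each other
    keys["me"].signers.add("aaron")
    keys["user"].signers.add("ca")        # the CA's signature is always on the key
    if aaron_signed:
        keys["user"].signers.add("aaron")
    ownertrust = {"me": "ultimate", "aaron": "full", "ca": "unknown"}
    if i_trust_the_ca:
        keys["ca"].signers.add("me")      # case a): I verified and signed the CA key myself
        ownertrust["ca"] = "full"
    return compute_validity(keys, ownertrust)["user"]


if __name__ == "__main__":
    for trust_ca, aaron in ((True, False), (True, True), (False, True), (False, False)):
        print(f"trust CA={trust_ca!s:5} Aaron signed={aaron!s:5} -> user key {gregor_scenario(trust_ca, aaron)}")
```

In case a) Aaron's signature changes nothing: the user key is already valid through the CA. In case b) it is the only thing that makes the key valid, so a reader who distrusts the CA ends up relying on it anyway, which is the outcome Gregor objects to.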


Re: Using root CAs as a trusted 3rd party

2012-01-22 Thread gnupg
On 22/01/12 02:49, Aaron Toponce wrote:

> Yes. That's all I'm after. I think the militant "I _absolutely_ won't sign
> any keys unless I verify their identification, face-to-face" attitude is
> hindering adoption. There must be a way to build the WOT, while still
> allowing people to sign keys without meeting. Thus, the reasons for 0x10,
> 0x11, 0x12 and 0x13 in GnuPG for identifying how carefully you've verified
> the owner of a key.
>
> I'm looking for ways to build the WOT, without hindering adoption, by
> taking advantage of various means to establish trust of key ownership. This
> seems to be a method, I just want to make sure I have all my i's jotted and
> my t's crossed.

I've taken a different approach. Rather than trying to build up a WOT by
getting people to sign my key, I've just made sure that the fingerprint
of my master key is spread wide and far over the Internet, and that I
sign everything.

The front page of my website https://grepular.com/ is signed. It
displays my fingerprint, and a Google link next to it:

https://encrypted.google.com/search?q=%2235BC+AF1D+3AA2+1F84+3DC3+B0CF+70A5+F512+0018+461F%22&filter=0

You can see my fingerprint mentioned all over the place. I also sign all
of my profiles on different sites whenever possible. A couple of examples:

http://hackerbuddy.com/users/2670
https://news.ycombinator.com/user?id=mike-cardwell

My fingerprint is also stored in a PKA record in the DNS:

mike@Fuzzbutt:~$ dig +short txt mike.cardwell._pka.grepular.com
v=pka1\;fpr=35BCAF1D3AA21F843DC3B0CF70A5F5120018461F\;uri=http://grepular.com/0018461F.pub.asc;
mike@Fuzzbutt:~$

And the DNS for grepular.com even uses DNSSEC. I don't think you need to
meet me in person to be confident that the key you've downloaded is mine.

I sometimes wonder if the traditional public web of trust is even a good
idea. Are you happy to be associated with everybody you've signed the
key of and those who have signed yours? Are you sure that none of these
people will do anything in the future which might cause these public
associations to become a problem for you?

-- 
Mike Cardwell  https://grepular.com/ http://cardwellit.com/
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4



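The PKA record above is what a correspondent would compare against the fingerprint printed in the signature. As an added example (not code from the post or from GnuPG), here is a small parser for a TXT record as `dig +short` prints it, with the `\;` escapes unescaped, the fingerprint checked for shape, and a comparison against a fingerprint copied from a web page or signature block. The sample record is the one from the post; the e-mail address passed to `pka_query_name` is an assumption derived from the query name in the dig command.

```python
import re

# Sample record as printed by `dig +short txt`, copied from the post: dig escapes the
# record's own ';' separators as '\;' inside the quoted string.
SAMPLE_TXT = r'v=pka1\;fpr=35BCAF1D3AA21F843DC3B0CF70A5F5120018461F\;uri=http://grepular.com/0018461F.pub.asc;'


def pka_query_name(email: str) -> str:
    """TXT name to look up for an address: <local-part>._pka.<domain>."""
    local, domain = email.rsplit("@", 1)
    return f"{local}._pka.{domain}"


def parse_pka_record(txt: str) -> dict:
    """Parse 'v=pka1;fpr=...;uri=...' into a dict, tolerating dig's quoting and escapes."""
    body = txt.strip().strip('"').replace("\\;", ";")
    fields = {}
    for part in body.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed PKA field: {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip().lower()] = value.strip()
    if fields.get("v") != "pka1":
        raise ValueError("not a pka1 record")
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", fields.get("fpr", "")):
        raise ValueError("fpr must be a 40-hex-digit v4 fingerprint")
    fields["fpr"] = fields["fpr"].upper()
    return fields


def normalize_fingerprint(displayed: str) -> str:
    """Turn '35BC AF1D ... 461F' as printed in a signature into 40 upper-case hex digits."""
    return re.sub(r"\s+", "", displayed).upper()


def check_pka_against_displayed(txt: str, displayed_fpr: str) -> dict:
    """Compare the DNS record with a fingerprint seen elsewhere (web page, signature, card).

    Also reports whether the key file named in the URI carries the key's short ID
    (the last 8 hex digits of a v4 fingerprint), a cheap consistency check before
    fetching the key and verifying its real fingerprint with gpg.
    """
    rec = parse_pka_record(txt)
    return {
        "fpr_matches": rec["fpr"] == normalize_fingerprint(displayed_fpr),
        "uri_mentions_key_id": rec["fpr"][-8:] in rec.get("uri", ""),
        "fpr": rec["fpr"],
        "uri": rec.get("uri"),
    }


if __name__ == "__main__":
    print(pka_query_name("mike.cardwell@grepular.com"))
    print(check_pka_against_displayed(SAMPLE_TXT, "35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F"))
```

The record only tells you which fingerprint the domain owner publishes; the key fetched from the URI still has to be imported and its fingerprint compared by gpg, and the DNSSEC signing Mike mentions is what keeps the record itself from being swapped in transit.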


RSA padding scheme

2012-01-22 Thread Sergey Matveev
Greetings everyone!

As I understand, asymmetric ciphers such as RSA and/or ElGamal require
strong padding applied before the message is encrypted. The message is of
course the one-time session key, used to encipher the actual data.

Different versions of PKCS#1, NESSIE, OAEP and other schemes exist.
How can I tell which one is used? Trivial grep-ing through the
1.4.10 source code (which one I am using) does not help me much.

Moreover I did not find the way padding can be changed/specified for
example for RSA.

I will be glad to understand what I am missing.

-- 
Happy hacking, Sergey Matveev.
[CYPHERPUNKS.RU][FSF][FSFE][EFF] fellow ..:



Creating a key bearing no user ID

2012-01-22 Thread Holger
Hello list,

I intend to use gpg only for receiving encrypted e-mail, not signing my
outgoing e-mail. Because I don't want my name or e-mail address out there on
the keyservers, I want to create a key without a uid. People who want to send
me e-mail, get my e-mail address and keyID/fingerprint with my business card.

Will this work or did I miss something?

When trying to create a key with an empty uid using '--allow-freeform-uid', I 
get
gpg: [internal]: no User-ID specified
Do I have to create a regular key first and strip off the uid afterwards?

Thanks a lot!
Holger





Re: Creating a key bearing no user ID

2012-01-22 Thread Holger
Mega sorry for the triple post.
H





Re: Creating a key bearing no user ID

2012-01-22 Thread Robert J. Hansen
On 1/22/2012 11:59 AM, Holger wrote:
> Will this work or did I miss something?

The OpenPGP spec (RFC4880) says that a transferable public key (one that
can be shared, basically) is required to have one or more user IDs
attached (RFC4880 section 11.1).  If you don't have a user ID on your
certificate, you have no guarantees your certificate will be usable by
other people.



Re: RSA padding scheme

2012-01-22 Thread brian m. carlson
On Sun, Jan 22, 2012 at 07:48:28PM +0400, Sergey Matveev wrote:
> As I understand, asymmetric ciphers such as RSA and/or ElGamal require
> strong padding applied before the message is encrypted. The message is of
> course the one-time session key, used to encipher the actual data.

To use them correctly and securely, yes.

> Different versions of PKCS#1, NESSIE, OAEP and other schemes exist.
> How can I tell which one is used? Trivial grep-ing through the
> 1.4.10 source code (which one I am using) does not help me much.

GnuPG uses PKCS #1 v1.5.  This is specified in RFC 4880.

> Moreover I did not find the way padding can be changed/specified for
> example for RSA.

You cannot choose a different padding scheme and remain in compliance
with the OpenPGP standard.

> I will be glad to understand what I am missing.

If the standard allowed different padding schemes, then all
implementations would have to support multiple padding schemes, which
would be burdensome without providing significantly more security.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187




Re: RSA padding scheme

2012-01-22 Thread Sergey Matveev
- User brian m. carlson on 2012-01-22 18:54:22 wrote:
> GnuPG uses PKCS #1 v1.5.  This is specified in RFC 4880.
> You cannot choose a different padding scheme and remain in compliance
> with the OpenPGP standard.
Ah! I see. Thank you! Now I understand.

> If the standard allowed different padding schemes, then all
> implementations would have to support multiple padding schemes, which
> would be burdensome without providing significantly more security.
Hmm, I see. However, does it really not provide much higher security?
Just theoretically very interested in all of that. According to
Wikipedia, there are several kinds of attacks against plain RSA (just
some of them):
* sending ciphertext with the same e to several recipients
* no randomness
* problems with the product of two ciphertexts

So, padding should close all of those problems. As I can see, PKCS #1
1.5 just adds a random pad to satisfy length requirements. Is that
randomness sufficient to solve the above three issues? OAEP, compared to
PKCS #1 1.5, is much more mature and looks really cool with X and Y
dependent on each other.

If PKCS #1 1.5 is sufficient, then OAEP just brings all-or-nothing
additionally? Or because RSA's ciphertext payload is always pretty
random data (symmetric keys), then (probably) bad padding won't deal any
damage?



Re: Creating a key bearing no user ID

2012-01-22 Thread David Shaw
On Jan 22, 2012, at 1:05 PM, Holger wrote:

> Hello gnupg-users,
>
> I intend to use gpg only for receiving encrypted e-mail, not signing my
> outgoing e-mail. Because I don't want my name or e-mail address out there on
> the keyservers, I want to create a key without a uid. People who want to send
> me e-mail, get my e-mail address and keyID/fingerprint with my business card.
>
> Will this work or did I miss something?

It won't work.  The OpenPGP standard requires at least one user ID on a key.
It does not require that it has an email address or even your real name, so you
can legally have a user ID of "Anonymous" or similar, but you do need something
there.  Note that if you are intending to get your key signed by others, most
people won't sign a user ID that just reads "Anonymous".

David




Re: Creating a key bearing no user ID

2012-01-22 Thread Doug Barton
On 01/22/2012 10:05, Holger wrote:
> Hello gnupg-users,
>
> I intend to use gpg only for receiving encrypted e-mail, not signing
> my outgoing e-mail. Because I don't want my name or e-mail address
> out there on the keyservers,

Why not?

> I want to create a key without a uid.
> People who want to send me e-mail, get my e-mail address and
> keyID/fingerprint with my business card.
>
> Will this work or did I miss something?

How will they get your public key?

-- 

It's always a long day; 86400 doesn't fit into a short.

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/




Re: RSA padding scheme

2012-01-22 Thread brian m. carlson
On Sun, Jan 22, 2012 at 11:29:54PM +0400, Sergey Matveev wrote:
>> If the standard allowed different padding schemes, then all
>> implementations would have to support multiple padding schemes, which
>> would be burdensome without providing significantly more security.
> Hmm, I see. However, does it really not provide much higher security?
> Just theoretically very interested in all of that. According to
> Wikipedia, there are several kinds of attacks against plain RSA (just
> some of them):
> * sending ciphertext with the same e to several recipients

This depends on a small message.  All secure padding schemes avoid this
problem because they pad the message so it is not small.

> * no randomness

All secure padding schemes provide this, as well.

> * problems with the product of two ciphertexts

This is not a problem with OpenPGP because the attacker never gets to
see the value encrypted with RSA because it's the symmetric key.

> So, padding should close all of those problems. As I can see, PKCS #1
> 1.5 just adds a random pad to satisfy length requirements. Is that
> randomness sufficient to solve the above three issues? OAEP, compared to
> PKCS #1 1.5, is much more mature and looks really cool with X and Y
> dependent on each other.

The existence of PGP predates the invention of OAEP by at least three
years.  So it really wasn't an option, and PKCS #1 v1.5 is not insecure,
so there's no reason to break backwards compatibility.

> If PKCS #1 1.5 is sufficient, then OAEP just brings all-or-nothing
> additionally? Or because RSA's ciphertext payload is always pretty
> random data (symmetric keys), then (probably) bad padding won't deal any
> damage?

Basically.  The issue is that if the padding is incorrect, the message
is rejected.  So the attacker can't manipulate the message without
risking corrupting the structure of the method.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187


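Brian's three answers (padding makes the message large, makes it random, and makes a manipulated ciphertext fail the structure check) can be checked on a toy key. The block below is an added example, not code from the thread, from GnuPG or from RFC 4880: it implements textbook RSA and EME-PKCS1-v1_5 encoding with plain Python integers over a constructed, far-too-small modulus built from two Mersenne primes (2^127-1 and 2^107-1, chosen only so the block runs instantly with no library). Each of the three items from Sergey's list gets one function showing what the padding changes; the "product of two ciphertexts" case is shown on unpadded RSA first, then on a padded ciphertext that the decoder rejects.

```python
import secrets

# Constructed demo key: two Mersenne primes. Nothing about this modulus is secure,
# it only keeps the arithmetic fast and dependency-free.
P = (1 << 127) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # modular inverse, Python 3.8+
K = (N.bit_length() + 7) // 8            # modulus length in bytes (30 here)


def rsa_raw(x: int, exp: int) -> int:
    """Textbook RSA in either direction: x^exp mod N with no padding at all."""
    return pow(x, exp, N)


def pkcs1_v15_pad(msg: bytes) -> bytes:
    """EME-PKCS1-v1_5 (block type 2): 0x00 0x02 || PS || 0x00 || M,
    where PS is at least 8 random non-zero bytes. Same scheme OpenPGP uses."""
    if len(msg) > K - 11:
        raise ValueError("message too long for modulus")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(K - len(msg) - 3))
    return b"\x00\x02" + ps + b"\x00" + msg


def pkcs1_v15_unpad(em: bytes) -> bytes:
    """Accept only 0x00 0x02 <8 or more non-zero bytes> 0x00 M; reject everything else."""
    if len(em) != K or em[0] != 0 or em[1] != 2:
        raise ValueError("bad padding")
    sep = em.find(b"\x00", 2)            # -1 if there is no separator at all
    if sep < 10:                         # fewer than 8 bytes of PS, or no separator
        raise ValueError("bad padding")
    return em[sep + 1:]


def encrypt(session_key: bytes) -> int:
    return rsa_raw(int.from_bytes(pkcs1_v15_pad(session_key), "big"), E)


def decrypt(c: int) -> bytes:
    return pkcs1_v15_unpad(rsa_raw(c, D).to_bytes(K, "big"))


def randomized(session_key: bytes) -> bool:
    """'no randomness': the same session key encrypts to a different ciphertext each time."""
    return encrypt(session_key) != encrypt(session_key)


def padded_is_large(session_key: bytes) -> bool:
    """'same e to several recipients' needs a small m; after padding m is close to N in size
    (first byte 0x00, second 0x02, so 16 bits below the modulus length at most)."""
    m = int.from_bytes(pkcs1_v15_pad(session_key), "big")
    return m.bit_length() >= N.bit_length() - 16


def textbook_is_malleable(m1: int, m2: int) -> bool:
    """'product of two ciphertexts': with no padding, E(m1)*E(m2) decrypts to m1*m2 mod N."""
    c = (rsa_raw(m1, E) * rsa_raw(m2, E)) % N
    return rsa_raw(c, D) == (m1 * m2) % N


def tampered_ciphertext_rejected(session_key: bytes) -> bool:
    """Multiplying a padded ciphertext by 2^e doubles the padded value. The result no
    longer starts with 0x00 0x02, so the decoder rejects it instead of returning a
    related key: this is the 'message is rejected' behaviour Brian describes."""
    c = (encrypt(session_key) * pow(2, E, N)) % N
    try:
        decrypt(c)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    key = secrets.token_bytes(16)            # constructed 128-bit session key
    print("round trip ok:", decrypt(encrypt(key)) == key)
    print("randomized:", randomized(key))
    print("padded value is large:", padded_is_large(key))
    print("textbook RSA malleable:", textbook_is_malleable(12345, 67890))
    print("tampered padded ciphertext rejected:", tampered_ciphertext_rejected(key))
```

The last function is the whole argument in miniature: the structure check turns a related-plaintext manipulation into a decryption failure. As Brian notes, the OpenPGP case additionally assumes the attacker never learns anything about the decrypted value, and that assumption, not the padding alone, is what the "not insecure" verdict rests on.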


Re: Creating a key bearing no user ID

2012-01-22 Thread Holger
2012-01-22T16:11:14-08:00, Doug Barton:
> On 01/22/2012 10:05, Holger wrote:
>> I intend to use gpg only for receiving encrypted e-mail, not signing
>> my outgoing e-mail. Because I don't want my name or e-mail address
>> out there on the keyservers,
>
> Why not?

One reason is spam, though we haven't seen excessive abuse of the 
keyserver-data or the keyservers themselves yet. Of course I could simply omit 
the e-mail address. Another one: My full name is rather unique and I don't want 
to reveal with whom I communicate i.e. who signed my key. On the other hand, 
public keys can be easily polluted with bogus signatures ... but I guess the 
average researcher is not aware of that and the versed is able to filter out 
the bogus ones. So maybe I should refrain from participating in the web of 
trust and build my personal star of trust?!

>> I want to create a key without a uid.
>> People who want to send me e-mail, get my e-mail address and
>> keyID/fingerprint with my business card.
>>
>> Will this work or did I miss something?
>
> How will they get your public key?

By keyID/fingerprint from the keyserver-net.





Re: Creating a key bearing no user ID

2012-01-22 Thread John Clizbe
Holger wrote:
> 2012-01-22T16:11:14-08:00, Doug Barton:
>> On 01/22/2012 10:05, Holger wrote:
>>> I intend to use gpg only for receiving encrypted e-mail, not signing
>>> my outgoing e-mail. Because I don't want my name or e-mail address
>>> out there on the keyservers,
>>
>> Why not?
>
> One reason is spam, though we haven't seen excessive abuse of the
> keyserver-data or the keyservers themselves yet. Of course I could simply omit
> the e-mail address. Another one: My full name is rather unique and I don't want
> to reveal with whom I communicate i.e. who signed my key. On the other hand,
> public keys can be easily polluted with bogus signatures ... but I guess the
> average researcher is not aware of that and the versed is able to filter out the
> bogus ones. So maybe I should refrain from participating in the web of trust and
> build my personal star of trust?!

I have a very unique last name and I'm not afraid of the keyservers. I know of
about six John Clizbes. We differ by middle initial and name.

BTW, if I represented an entity concerned with whomever you communicated, I
would likely not bother with your key. It would be much easier to have a copy of
your outgoing mail retained by your ISP.

Keyserver SPAM is a straw-man argument. Yes, it's possible for an address to be
pulled from the key on a keyserver, in fact, I'm convinced harvesting probably
takes place. But testing I did a few years ago found the amount of SPAM
attributable to a key on a keyserver was not significantly different from that
received as just random SPAM noise from an unused ISP account. I've seen no
volume of SPAM since then to challenge that conclusion.

>>> I want to create a key without a uid.
>>> People who want to send me e-mail, get my e-mail address and
>>> keyID/fingerprint with my business card.
>>>
>>> Will this work or did I miss something?
>>
>> How will they get your public key?
>
> By keyID/fingerprint from the keyserver-net.

And how, exactly do they first get the KeyID/Fingerprint? Or do you intend to
limit encrypted communication to those whom you have first made contact and
handed a business card?

-- 
John P. Clizbe  Inet:John (a) Mozilla-Enigmail.org
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net  or
 mailto:pgp-public-k...@gingerbear.net?subject=HELP

Q:Just how do the residents of Haiku, Hawai'i hold conversations?
A:An odd melody / island voices on the winds / surplus of vowels



Re: RSA padding scheme

2012-01-22 Thread Sergey Matveev
- User brian m. carlson on 2012-01-23 00:47:03 wrote:
>> * sending ciphertext with the same e to several recipients
> This depends on a small message.  All secure padding schemes avoid this
> problem because they pad the message so it is not small.
>> * no randomness
> All secure padding schemes provide this, as well.
>> * problems with the product of two ciphertexts
> This is not a problem with OpenPGP because the attacker never gets to
> see the value encrypted with RSA because it's the symmetric key.
Hmm, true. Seems really pretty secure in PGP context.

> The existence of PGP predates the invention of OAEP by at least three
> years.  So it really wasn't an option, and PKCS #1 v1.5 is not insecure,
> so there's no reason to break backwards compatibility.
Yeah, agreed.

> Basically.  The issue is that if the padding is incorrect, the message
> is rejected.  So the attacker can't manipulate the message without
> risking corrupting the structure of the method.
I see. Well, thank you very much for the explanation and information!
