Re: Why trust gpg4win?

2013-09-11 Thread NdK
On 11/09/2013 11:48, Pete Stephenson wrote:

> Actually, I was thinking of something that was the exact opposite:
> some device (which I don't think exists) that would allow one to
> connect a USB flash drive to the device, and have the device convert
> that into RS232 serial data for the computer, thus avoiding any USB
> interaction with the computer itself. The computer would then need to
> process the serial data to read or write files on the drive. As far as
> I know, nothing like that exists and I'm not sure if it'd be possible
> to do. Even if it was possible, it'd be immensely slower than normal
> USB connections.
Actually such a module exists, and is used to add flash disk access to
small microcontrollers: it's VDrive2 (VNC1L module) by Vinculum
http://www.ftdichip.com/Documents/DataSheets/Modules/DS_VDRIVE2.pdf

I don't think it adds anything to security, but at least it's doable :)

If you are *so* concerned about key security, it's better to use an HSM.

BYtE,
 Diego.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Where is ECC in gpg2 (specifically gnupg-2.0.21

2013-09-11 Thread Daniel Kahn Gillmor
On 09/11/2013 11:43 PM, Newton Hammet wrote:
> Shouldn't I be seeing 1 or more ECC choices?

GnuPG 2.1 (still currently in beta, afaict) is the first version to
include ECC support for OpenPGP.  the 2.0.x branch does not include ECC
for OpenPGP.

Regards,

--dkg





Where is ECC in gpg2 (specifically gnupg-2.0.21

2013-09-11 Thread Newton Hammet

Hello Everyone,

I dutifully did ./configure, make, sudo make install for gnupg-2.0.21 
after finally doing same for all its dependencies and then ran 
/usr/local/lib/gpg2 --expert --gen-key


and all I got was this:

newton@newton-desktop:~/gpg2_0_21/gnupg-2.0.21$ /usr/local/bin/gpg2 --expert --gen-key

gpg (GnuPG) 2.0.21; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
Your selection? ^C
gpg: signal Interrupt caught ... exiting

Shouldn't I be seeing 1 or more ECC choices?

Was I supposed to supply some special arguments to ./configure ?

Thanks,
Newton




Re: Is it possible to remove capabilities from an existing key?

2013-09-11 Thread Daniel Kahn Gillmor
On 09/11/2013 05:42 PM, Philip Jägenstedt wrote:
> My public key has the default capabilities sign and certify. I've seen
> that some people have only the certify capability in order to be able to
> keep the main key offline most of the time.
> 
> Is it technically possible to change the capabilities of an existing
> key, even if there's no way to do it via --edit-key?
> 
> If it's not possible, what would be the consequence of adding a subkey
> with the sign capability, which key would be used when both are
> available?

i believe GnuPG uses the most-recently-updated subkey that it believes
to have signing capability, unless you force the subkey in question via
--local-user or --default-key with a ! suffix (see the "By key Id."
section in gpg(1)).

--dkg





Re: Is it possible to remove capabilities from an existing key?

2013-09-11 Thread Hauke Laging
On Wed 11.09.2013, 23:42:30, Philip Jägenstedt wrote:
> My public key has the default capabilities sign and certify. I've seen
> that some people have only the certify capability in order to be able to
> keep the main key offline most of the time.

It's of limited use to make a former online mainkey an offline mainkey. You 
should create a completely new key (on a secure system).


> Is it technically possible to change the capabilities of an existing
> key, even if there's no way to do it via --edit-key?

May be possible (it surely would be with patching GnuPG) but is not necessary. 
It makes perfect sense to have signing (and even encryption) capability on an 
offline mainkey.


> If it's not possible, what would be the consequence of adding a subkey
> with the sign capability, which key would be used when both are
> available?

If there is a subkey then it is used always. I do not know though whether this 
is a direct effect (defined that way) or an indirect one: The creation date 
(and the selfsig date) of a subkey should always be after the creation date of 
the mainkey.


Hauke
-- 
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/bekannte/
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5




Confirmation of cipher?

2013-09-11 Thread Jack Brennan

Hello,

When one signs a message GnuPG will add "Hash:SHA1" or your preferred 
hash at the start of the message.

However a similar line of text isn't available with an encrypted text 
block. Is the reason for this to hide as much information as possible 
from a possible attacker?

Is there any way to confidently identify the encryption algorithm used 
with a GPG encrypted text block?


Many thanks

Jack Brennan.





Is it possible to remove capabilities from an existing key?

2013-09-11 Thread Philip Jägenstedt
My public key has the default capabilities sign and certify. I've seen
that some people have only the certify capability in order to be able to
keep the main key offline most of the time.

Is it technically possible to change the capabilities of an existing
key, even if there's no way to do it via --edit-key?

If it's not possible, what would be the consequence of adding a subkey
with the sign capability, which key would be used when both are
available?

Philip




Support for additional ECC Curves in GnuPG (gcrypt)

2013-09-11 Thread Alexandre Dulaunoy
Hi Everyone,

Do you know if someone is currently working to implement additional
curves in ECC and especially to have an alternative to the NIST ones in
gcrypt/GnuPG?

and I was wondering if we are bound to the ones defined in:

http://tools.ietf.org/html/rfc6637#section-11

Thank you,

Cheers.

-- 
--   Alexandre Dulaunoy (adulau) -- http://www.foo.be/
-- http://www.foo.be/cgi-bin/wiki.pl/Diary
-- "Knowledge can create problems, it is not through ignorance
--that we can solve them" Isaac Asimov



Re: --list-options show-notations does not work with --with-colons

2013-09-11 Thread Daniel Kahn Gillmor
On 09/11/2013 11:56 AM, Hauke Laging wrote:
> On Wed 11.09.2013, 10:07:30, Daniel Kahn Gillmor wrote:
> 
>> Should i be able to see the notations when using --with-colons somehow?
> 
> show-sig-subpackets is your friend.

Thanks, that does produce a tremendous amount of info, and within it i
can find the subpacket i'm interested in (though now i'll have to write
another sub-parser just for that line).

should we note in the documentation that show-notations doesn't work in
--with-colons mode?  or would folks be interested in a patch to support it?

--dkg
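
A sketch of the sub-parser mentioned in this message, added here as an example and not code from anyone in the thread or from GnuPG. It assumes the `spk` record layout documented in GnuPG's doc/DETAILS (subpacket type, hex flags, length, percent-escaped data) and the RFC 4880 notation subpacket body (type 20); the sample records are constructed.

```python
import struct
from urllib.parse import unquote_to_bytes

NOTATION_DATA = 20  # RFC 4880 signature subpacket type for notation data

def parse_spk(line):
    """Return (type, hashed, critical, raw_bytes) for an spk record, else None."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 5 or fields[0] != "spk":
        return None
    flags = int(fields[2], 16)  # bit 1: hashed area, bit 2: marked critical
    # Field 5 shows printable ASCII as-is and every other byte as %XX.
    return int(fields[1]), bool(flags & 1), bool(flags & 2), unquote_to_bytes(fields[4])

def decode_notation(raw):
    """Decode a notation body: 4 flag octets, two 16-bit lengths, name, value."""
    if len(raw) < 8:
        raise ValueError("notation subpacket shorter than its fixed header")
    flag0, name_len, value_len = struct.unpack(">B3xHH", raw[:8])
    if len(raw) != 8 + name_len + value_len:
        raise ValueError("notation lengths do not match subpacket size")
    name = raw[8:8 + name_len].decode("utf-8")
    value = raw[8 + name_len:]
    if flag0 & 0x80:  # 0x80 in the first flag octet: value is human-readable
        value = value.decode("utf-8")
    return name, value

def notations(lines):
    """Yield one dict per notation subpacket found in colon-format output."""
    for line in lines:
        rec = parse_spk(line)
        if rec is None or rec[0] != NOTATION_DATA:
            continue
        _, hashed, critical, raw = rec
        name, value = decode_notation(raw)
        # An unhashed subpacket is not covered by the signature itself.
        yield {"name": name, "value": value, "hashed": hashed, "critical": critical}

# Constructed sample records (not captured from a real key).
SAMPLE = [
    "sig:!::1:0123456789ABCDEF:1378857600::::Constructed User:13x:",
    "spk:2:1:4:R0%1E%00",
    "spk:20:1:41:%80%00%00%00%00%12%00%0Fpolicy@example.orgoffline-primary",
    "spk:20:3:16:%00%00%00%00%00%05%00%03k@e.x%01%02%03",
]

if __name__ == "__main__":
    for n in notations(SAMPLE):
        print(n)
```
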





Re: --list-options show-notations does not work with --with-colons

2013-09-11 Thread Hauke Laging
On Wed 11.09.2013, 10:07:30, Daniel Kahn Gillmor wrote:

> Should i be able to see the notations when using --with-colons somehow?

show-sig-subpackets is your friend.
-- 
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/bekannte/
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5




--list-options show-notations does not work with --with-colons

2013-09-11 Thread Daniel Kahn Gillmor

I'm trying to programmatically look at the notations in all the
self-sigs in an OpenPGP certificate.

But:

gpg --fingerprint --fingerprint --fixed-list-mode --list-options show-notations --with-colons --check-sigs "$fpr"

does not show me the notations.

if i omit --with-colons, then i get the notations in human-readable
form, but i don't want to try to parse that.

Should i be able to see the notations when using --with-colons somehow?

   --dkg




Re: Upgrading keys to larger than 1024

2013-09-11 Thread AdamC
Thanks everyone - I will try contacting the people who have signed my keys
by email and see what they say - I very rarely see them in real life.

Regards,

Adam


On 10 September 2013 19:29, Daniel Kahn Gillmor wrote:

> On 09/10/2013 12:47 PM, AdamC wrote:
> > I have keys that I have used (sparingly) since 2004. This is a 1024
> > keysize. That keypair has a few signatures through key signing.
> >
> > What is the best approach to upgrading keys to 4096? Is it just create a
> > new keypair and then go to lots of key signing events again (pain), or is
> > there a way to do this with my current keys?
>
> There's no way to directly upgrade if your primary key is weaker than
> you'd like.
>
> You should create a new keypair and go out in the world and meet people
> who will sign your key.  it doesn't have to be a pain :)
>
> Ana wrote up some good suggestions about how to do a key transition:
>
>   http://ekaia.org/blog/2009/05/10/creating-new-gpgkey/
>
> Regards,
>
> --dkg
>
>


-- 
--
You back your data up on the same planet?
http://www.monkeez.org
PGP key: 0x7111B833


Re: message digest for signed emails

2013-09-11 Thread Maik Holtkamp
Hi,

0n 13/09/10@14:35 Daniel Kahn Gillmor told me:

> On 09/10/2013 02:23 PM, Adam Gold wrote:
> 
> > 'source ~/.mutt/gpg.rc' to the mutt config file.  I also added
> 
> sorry, i don't know much about mutt or how it integrates with gpg.
> maybe someone else on the list can help you with that, or you

IMHO mutt is just using gpg's CLI to sign the message. 

You should have a look at the command line set in pgp_sign_command
(from .mutt/gpgrc). If you paste that command on the prompt you will
get the very same type of sigs mutt is using.


- maik

-- 
DISCLAIMER:
If you have received this e-mail unintended, it's the sender's fault. Since he
sent the message unencrypted through untrusted networks, you are entitled to read
or publish the content or simply delete and forget about it.



Re: Why trust gpg4win?

2013-09-11 Thread Pete Stephenson
On Wed, Sep 11, 2013 at 11:01 AM, Jan wrote:
> On 10/09/2013 15:18, NdK wrote:
>
>>>> You'd be exposed nearly to the same attack vectors. Plus some more (the
>>>> ones that handle the extra layer), so you'd have to check more code.
>>>
>>> So what about using that free USB stack for AVR's to implement a flash
>>> device?  You would be able to audit about everything; flylogic even has
>>> these nice pictures of the ATmega88 masks...
>>
>> Sorry, I don't follow your reasoning here.
>> Pete proposed to use an USB-to-Serial interface to avoid attacks against
>> the USB stack on the PC. Why should an AVR be used to implement a flash
>> device?
>
>
> Maybe Pete meant such an USB-to-Serial interface
> http://www.robotsimple.com/Computer_Interface/USB_to_Serial_Adapter ?

Actually, I was thinking of something that was the exact opposite:
some device (which I don't think exists) that would allow one to
connect a USB flash drive to the device, and have the device convert
that into RS232 serial data for the computer, thus avoiding any USB
interaction with the computer itself. The computer would then need to
process the serial data to read or write files on the drive. As far as
I know, nothing like that exists and I'm not sure if it'd be possible
to do. Even if it was possible, it'd be immensely slower than normal
USB connections.

My thought was that since serial is older and simpler than USB that it
would be possible to better audit and secure the connection between
the flash drive and the computer using such a method. My idea was
derived from one of the ways CAcert keeps their root certificate
secure: the signing system is kept offline, but is connected via a
serial cable to an online computer (e.g. the web server). The simple
daemon that listens on the serial port of the signing system will only
respond to requests for signing things but they did not implement any
file-transfer-over-serial functionality so it would (presumably) be
impossible to compromise the root certificate remotely. My idea would
be for something similar, but with file-transfer capability over
serial.

The device you linked to, which is quite common, is the opposite: one
can connect a serial device (say a microcontroller, a UPS, etc.) to
the device, which converts it to USB and transmits that data to the
computer. The device appears as a serial port on the computer.

In brief, the device you linked to tunnels serial-over-USB. My thought
was to do filesystem-access-over-serial.

Mine is probably a very silly idea and I was basically throwing the
idea at the wall to see if it'd stick. :)

-- 
Pete Stephenson



Re: Why trust gpg4win?

2013-09-11 Thread Jan

On 10/09/2013 15:18, NdK wrote:

>>> You'd be exposed nearly to the same attack vectors. Plus some more (the
>>> ones that handle the extra layer), so you'd have to check more code.
>>
>> So what about using that free USB stack for AVR's to implement a flash
>> device?  You would be able to audit about everything; flylogic even has
>> these nice pictures of the ATmega88 masks...
>
> Sorry, I don't follow your reasoning here.
> Pete proposed to use an USB-to-Serial interface to avoid attacks against
> the USB stack on the PC. Why should an AVR be used to implement a flash
> device?


Maybe Pete meant such an USB-to-Serial interface
http://www.robotsimple.com/Computer_Interface/USB_to_Serial_Adapter ?

Nevertheless this seems quite tricky to handle. Is it better to use a CD-RW 
to transfer data between an offline and an online PC than to use an ordinary 
USB stick?

Which other medium might be good?

Kind regards,
Jan 





Re: Transfer subkey to other keyring

2013-09-11 Thread attila lendvai
Peter Lebbing wrote
> I believe once GnuPG has a secret key, it won't update it anymore with any
> subsequent imports. So to get the additional subkey, re-export the whole
> thing,
> delete the existing one on the other system and import your re-exported
> whole thing.

i can confirm this.

i've deleted the entire secret key from my less protected keychain,
including the previous expired subkeys, and after that gpg --import imported
the subkeys i wanted (all of them that got exported with
--export-secret-subkeys from the more protected keyring).


Peter Lebbing wrote
>>gpg:  secret keys unchanged: 1
> 
> This message to me implies it is actually possible to change something
> about a
> secret key. I haven't figured out what yet.

me, too.

if gpg printed something like: "secret key already exists, aborting." then i
would have tried your suggested method of deleting the entire secret key
block on my own.

shall i/we record a bug in the gpg bug tracker for this?

-- 
• attila lendvai
• PGP: 963F 5D5F 45C7 DFCD 0A39
--
“I know that most men, including those at ease with problems of the greatest
complexity, can seldom accept even the simplest and most obvious truth if it
be such as would oblige them to admit the falsity of conclusions which they
have delighted in explaining to colleagues, which they have proudly taught
to others, and which they have woven, thread by thread, into the fabric of
their lives.”
— Leo Tolstoy (1828–1910)
Or in short: “Science advances one funeral at a time.”
— Max Planck (1858–1947), paraphrased



