GnuPG 1.4.15 RAM EATER? Or just a bug?
I noticed that this 1.4.15 version consumes much more RAM than previous versions. My Linux desktop background wallpaper turns blank (dark) during encrypting/decrypting operations (which is a novelty, and that is why I detected this "problem") and when I execute the free command to analyse RAM the used RAM reaches the maximum level of my system (from a relatively low level).

Is it a bug? Does it have any implications for the encryption effectiveness?
Re: trust your corporation for keyowner identification?
Hi

On Wednesday 16 October 2013 at 9:19:19 PM, Brian J. Murrell wrote:

> The corporation would not have a copy of the private
> key since the corporation is completely uninvolved
> other than (unknowingly) being the identity-checker and
> providing the means to authoritatively communicate with
> Bob (i.e. when I "message" bob@corporate.domain I know
> it's Bob that I am talking to -- somebody in IT doing a
> MITM attack aside -- but maybe that's enough of a risk
> to make this infeasible). You would have the same
> trust that only Bob has Bob's secret key as you would
> any other GPG user whose key you signed. Any given GPG
> user's competency in using GPG (i.e. keeping secret
> keys secret, trusting other, etc.) is up to you, as it
> always is.

If the key was generated, stored, or used on the company's computer, all bets are off regarding Bob being the only one with access to a copy.

--
Best regards
MFPA mailto:expires2...@ymail.com

A wise man once said ..."I don't know."
Re: trust your corporation for keyowner identification?
On 13-10-16 03:51 PM, Doug Barton wrote:
> On 10/16/2013 05:04 AM, Brian J. Murrell wrote:
> | If you worked in a corporate environment, would you trust the HR
> | department there to have verified the identity of employees well
> | enough to leverage that into signing a GPG key?
> |
> | Let's say such an environment had a messaging system where
> | employees had to authenticate with their corporate IT credentials
> | in order to use the system. Would that, and the assertion by HR/IT
> | that a message that I get from Bob really did come from the
> | employee HR verified as Bob (i.e. when they hired him) be enough
> | for you to trust the key you get from Bob enough to sign it that it
> | really is really Bob's?

So yeah. The parameters were a bit vague, in retrospect. So to set some...

The corporation itself does not use GPG and thus is not signing any GPG keys for their employees. I'd be surprised if many corporations were using GPG in preference to SSL (i.e. S/MIME). To be honest, I'd imagine "certificates" and "SSL PKI", etc., all bundled up into shrink-wrapped software that runs on Windows servers, bought from companies that can be sued, etc. just seems so much more "corporate"-friendly than GPG.

So that said, the corporate infrastructure (i.e. being satisfied enough that Bob is Bob to hire him and put him on payroll and deduct and remit income taxes to the government and provide benefits and insurance to, etc.) would be nothing more than a proxy for meeting an individual and seeing their "government issued" ID in order to be happy enough that Bob is Bob for you to sign his key saying as much -- assuming you have a secure channel to verify that the key you are signing is Bob's.

So to answer previous questions/suggestions, there is no corporate GPG key to sign Bob's key for other GPG users (employees or otherwise) to put trust into.

The corporation would not have a copy of the private key since the corporation is completely uninvolved other than (unknowingly) being the identity-checker and providing the means to authoritatively communicate with Bob (i.e. when I "message" bob@corporate.domain I know it's Bob that I am talking to -- somebody in IT doing a MITM attack aside -- but maybe that's enough of a risk to make this infeasible). You would have the same trust that only Bob has Bob's secret key as you would any other GPG user whose key you signed. Any given GPG user's competency in using GPG (i.e. keeping secret keys secret, trusting other, etc.) is up to you, as it always is.

The misunderstanding that the corporation is somehow involved with keys and signing I think was the biggest misunderstanding. They are not. They provide nothing more than asserting that Bob is Bob and providing a means of ensuring that I am communicating with Bob when I think I am communicating with Bob -- again, IT launching a MITM attack aside.

Cheers,
b.
Re: trust your corporation for keyowner identification?
On 10/16/2013 05:04 AM, Brian J. Murrell wrote:
| If you worked in a corporate environment, would you trust the HR
| department there to have verified the identity of employees well
| enough to leverage that into signing a GPG key?
|
| Let's say such an environment had a messaging system where
| employees had to authenticate with their corporate IT credentials
| in order to use the system. Would that, and the assertion by HR/IT
| that a message that I get from Bob really did come from the
| employee HR verified as Bob (i.e. when they hired him) be enough
| for you to trust the key you get from Bob enough to sign it that it
| really is really Bob's?

What would the purpose of such a signature be? Would you be distributing your signature, or would it be local to your key ring? If you're distributing the signature, would you distribute it only within the company, or outside too? Are you talking about signing with your personal key, or signing with your company key? If the latter, does that key ever see the light of day outside the company?

Just to be clear, I'm not being snarky here. As others have said you have asked an interesting question, but there are not enough details (for me at least) to give you an answer.

Doug
Re: trust your corporation for keyowner identification?
> If you worked in a corporate environment, would you trust the HR
> department there to have verified the identity of employees well
> enough to leverage that into signing a GPG key?

This is the wrong question, really.

HR is pretty good about verifying identity documents. HR gets specialized training in what proper identity documents look like and HR typically has ways to check those documents with the government. Even small firms do a lot of identity verification -- in the United States you can't legally work without presenting your employer with a passport (or, alternately, a driver's license and Social Security card). Not even a McDonald's or a 7-11 will let you work there without providing them with those documents.

But HR is probably really bad about understanding the nuances of the Web of Trust, what it means to make a certification, whether a certification should be made at all, what level of certification should be made, and so forth. The limiting factor here is technological skill, not document verification.

That said, I've worked for two companies that did this and did it quite competently. I haven't kept up with PGP since they got bought out by Symantec, but I know that from at least '95 to '05 they would issue corporate signatures to employee certificates, if the employee requested it. They did this so that other users could be confident in who was really an employee of PGP Security and who wasn't.
Re: trust your corporation for keyowner identification?
On Wed, Oct 16, 2013 at 4:20 PM, Johan Wevers wrote:
> On 16-10-2013 15:28, Pete Stephenson wrote:
>
>> I would be reasonably sure that a key signed by an HR department
>> actually belongs to the named person,
>
> Although I would certainly NOT assume that that person would be the only
> one with access to the secret key. Most companies would keep a copy.

Good point. That would definitely throw a wrench in the system.

Cheers!
-Pete
Re: trust your corporation for keyowner identification?
On 16-10-2013 15:28, Pete Stephenson wrote:
> I would be reasonably sure that a key signed by an HR department
> actually belongs to the named person,

Although I would certainly NOT assume that that person would be the only one with access to the secret key. Most companies would keep a copy.

--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
Re: trust your corporation for keyowner identification?
On Oct 16, 2013, at 8:04 AM, "Brian J. Murrell" wrote:
> If you worked in a corporate environment, would you trust the HR
> department there to have verified the identity of employees well enough
> to leverage that into signing a GPG key?
>
> Let's say such an environment had a messaging system where employees
> had to authenticate with their corporate IT credentials in order to use
> the system. Would that, and the assertion by HR/IT that a message that
> I get from Bob really did come from the employee HR verified as Bob
> (i.e. when they hired him) be enough for you to trust the key you get from
> Bob enough to sign it that it really is really Bob's?
>
> I guess what I am describing is a virtual key signing party where the
> verification of IDs is being done by the corporation instead of the
> individuals.

It's an interesting question, but it would not be enough for me. If you think about it, this is effectively the same as Alice signing Baker's key, and then Charlie signing Baker's key because Charlie knows Alice (and not necessarily Baker). If I were Charlie, I would not be willing to sign Baker's key, even if I knew and trusted Alice, without verifying Baker myself.

A somewhat related case would be when the corporation itself has a corporate signing key and on HR/IT approval, signs employee keys. (This sort of thing is one of the classic uses for trust signatures). In that case, you can either trust the corporate signing key or not, as you like.

David
Re: trust your corporation for keyowner identification?
On Wed, Oct 16, 2013 at 08:04:39AM -0400, Brian J. Murrell wrote:
> If you worked in a corporate environment, would you trust the HR
> department there to have verified the identity of employees well enough
> to leverage that into signing a GPG key?

Not without investigating their procedures.

> Let's say such an environment had a messaging system where employees
> had to authenticate with their corporate IT credentials in order to use
> the system. Would that, and the assertion by HR/IT that a message that
> I get from Bob really did come from the employee HR verified as Bob
> (i.e. when they hired him) be enough for you to trust the key you get from
> Bob enough to sign it that it really is really Bob's?
>
> I guess what I am describing is a virtual key signing party where the
> verification of IDs is being done by the corporation instead of the
> individuals.

Then let the corporation (i.e. HR) do the signing and you decide whether to trust HR's signatures.

Really this should be designed into the corporation rather than pasted on. The chief security officer should somehow determine what would be satisfactory procedures for verifying identity for the purpose of issuing such signatures and get it accepted as a requirement for HR. Probably this will be designed in consultation with HR so that it will actually be implemented properly and not be a constant source of pushback. The meaning of such signatures should be documented and published internally, so that relying parties know what they are getting and can decide for what and how far they are willing to rely on them. Part of the determination should be the purpose and scope of such signatures.

One factor in the steady drizzle of corporate security failures is the notion that one can buy a box of security off the shelf and thereafter be secure, without thinking about what one is doing. It seems to me that designing secure processes for your specific needs should work better and be cheaper in the end.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
Re: trust your corporation for keyowner identification?
On Wed, Oct 16, 2013 at 2:04 PM, Brian J. Murrell wrote:
> If you worked in a corporate environment, would you trust the HR
> department there to have verified the identity of employees well enough
> to leverage that into signing a GPG key?

In general, I'd be fine with that. Corporations generally need a fairly large amount of information about their employees (e.g. for tax purposes) and so should be able to verify the identity of employees with a high degree of confidence.

> Let's say such an environment had a messaging system where employees
> had to authenticate with their corporate IT credentials in order to use
> the system. Would that, and the assertion by HR/IT that a message that
> I get from Bob really did come from the employee HR verified as Bob
> (i.e. when they hired him) be enough for you to trust the key you get from
> Bob enough to sign it that it really is really Bob's?
>
> I guess what I am describing is a virtual key signing party where the
> verification of IDs is being done by the corporation instead of the
> individuals.

In my specific case, I only publicly sign (as opposed to locally sign) keys when I have (a) personally met a person and verified their ID and key fingerprint/details or (b) a person is well-known to me (e.g. a family member, long time friend, etc.) and they provide me their key fingerprint and communicate in a way that I can verify who they are (e.g. I call them on the phone, recognize their voice, and they read me their key fingerprint).

I would be reasonably sure that a key signed by an HR department actually belongs to the named person, but I wouldn't publicly assert that by signing their key.

Your mileage may vary. :)

Cheers!
-Pete
trust your corporation for keyowner identification?
If you worked in a corporate environment, would you trust the HR department there to have verified the identity of employees well enough to leverage that into signing a GPG key?

Let's say such an environment had a messaging system where employees had to authenticate with their corporate IT credentials in order to use the system. Would that, and the assertion by HR/IT that a message that I get from Bob really did come from the employee HR verified as Bob (i.e. when they hired him) be enough for you to trust the key you get from Bob enough to sign it that it really is really Bob's?

I guess what I am describing is a virtual key signing party where the verification of IDs is being done by the corporation instead of the individuals.

Cheers,
b.
Re: Issues when switching between smartcards
On Tuesday 15 October 2013 16:16:48, Kevin wrote:
> Personally, I have found that "killall gpg-agent" works for me in these
> cases, without much fuss. However, since you have a different reader,
> and most probably different OS, etc, YMMV.

After some mail exchange with Ludovic Rousseau (many thanks for his help and patience), I solved the issues upgrading ccid to 1.4.13, but mainly looking at the BIOS setup where I found that the laptop was configured to power on and off the reader according to the fact that the card was inserted or not. It seems that this confuses the smart card driver (basically, when powered off the reader is not even visible in lsusb).

I don't know if this is an issue that can be dealt with by changing something in driver code (probably it should handle this behaviour more nicely), but telling the BIOS to always keep the reader powered solved my issue (basically now I'm relying on Linux USB power management to avoid waste when the card is not inserted).

--
Fabio
Re: New GPLv3 OpenPGP card implementation (on a java card).
On Wed, Oct 16, 2013 at 11:40 AM, Werner Koch wrote:
> On Tue, 15 Oct 2013 11:41, p...@heypete.com said:
>
>> Also, are there any smartcards out there that would support DSA/ELG
>> keys? All the cards I've seen and used support RSA only.
>
> You don't want DSA on smartcards - at least not until they are able to
> do deterministic DSA (rfc-6979).

I knew that DSA fails catastrophically with low entropy (where "catastrophically" = "leaking the private key"), but I would hope that any DSA-capable smartcard would have a decent hardware RNG built in.

I'm not familiar with RFC 6979. Thanks for the link. It's good to see people taking that issue into account.

Cheers!
-Pete
Re: New GPLv3 OpenPGP card implementation (on a java card).
On Tue, 15 Oct 2013 11:41, p...@heypete.com said:
> Also, are there any smartcards out there that would support DSA/ELG
> keys? All the cards I've seen and used support RSA only.

You don't want DSA on smartcards - at least not until they are able to do deterministic DSA (rfc-6979).

ECC on smartcards has been available for a very long time because that used to be the only method to do pubkey crypto with reasonable performance on cards without a hardware exponentiation circuit. The ZeitControl cards have support for some NIST curves but it is not yet supported by the OpenPGP card application. I am not sure whether it is a good idea to go with the NIST curves because ECDSA suffers from the same problem as DSA.

What about trying to implement Ed25519 on a Java card?

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
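An added example, not part of the thread and not GnuPG code: the deterministic nonce derivation of RFC 6979 section 3.2 that the messages above refer to, written in Python so the per-signature value k depends only on the private key and the message hash rather than on the card's RNG. The function names are chosen here; the P-256 group order and private key are the public test vector from RFC 6979 appendix A.2.5, not a real key.

```python
import hashlib
import hmac

# Public test vector from RFC 6979 appendix A.2.5 (NIST P-256), not a real key.
Q = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
X = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721


def bits2int(data: bytes, qlen: int) -> int:
    """Interpret the leftmost qlen bits of data as a big-endian integer."""
    value = int.from_bytes(data, "big")
    excess = len(data) * 8 - qlen
    return value >> excess if excess > 0 else value


def bits2octets(data: bytes, q: int, qlen: int, rlen: int) -> bytes:
    """Reduce the hash once modulo q and encode it on rlen bytes."""
    z = bits2int(data, qlen)
    if z >= q:
        z -= q
    return z.to_bytes(rlen, "big")


def rfc6979_nonce(x: int, q: int, message: bytes, hashfunc=hashlib.sha256) -> int:
    """Derive the (EC)DSA nonce k from private key x and the message."""
    qlen = q.bit_length()
    rlen = (qlen + 7) // 8
    h1 = hashfunc(message).digest()
    hlen = len(h1)
    # The private key and the reduced message hash seed an HMAC-based generator.
    seed = x.to_bytes(rlen, "big") + bits2octets(h1, q, qlen, rlen)

    def mac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashfunc).digest()

    v = b"\x01" * hlen
    k = b"\x00" * hlen
    k = mac(k, v + b"\x00" + seed)
    v = mac(k, v)
    k = mac(k, v + b"\x01" + seed)
    v = mac(k, v)
    while True:
        t = b""
        while len(t) < rlen:
            v = mac(k, v)
            t += v
        candidate = bits2int(t, qlen)
        if 1 <= candidate < q:
            return candidate  # same (x, message) always yields the same k
        # Out-of-range candidate: update the generator state and retry.
        k = mac(k, v + b"\x00")
        v = mac(k, v)


if __name__ == "__main__":
    print(f"{rfc6979_nonce(X, Q, b'sample'):064X}")
```

Two different messages give unrelated nonces, and signing the same message twice gives the same signature, so a weak or stuck random source on the card no longer affects k.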
Re: Issues when switching between smartcards
Personally, I have found that "killall gpg-agent" works for me in these cases, without much fuss. However, since you have a different reader, and most probably different OS, etc, YMMV.