Re: trust your corporation for keyowner identification?

2013-11-02 Thread Paul R. Ramer
On 11/02/2013 07:34 PM, Leo Gaspard wrote:
> Well...
>  1) Checked by the other key's message. Because signed (K1) message from Alice,
> saying she has access to K2, means any UID on K2 named Alice is as right as
> the equivalent UID on K1. So the UIDs are correct.
>  2) Checked by the presence of the UID. Because, to add a UID, one must have
> control of the secret key, and thus be able to decrypt / sign messages with
> it. And, as stated in (1), the UIDs are valid. So Alice, who added the UIDs,
> must have access to the secret key.
> 
> The only case I could find of (2) invalid would be if Alice herself tried to
> trick you into signing a key with her name but used by Bob. Except it turns
> out that she could just as well have the key for the time of the key exchange,
> and then pass it to Bob.

In your points, (1) assumes that Key 2 has UIDs that are the same as
those on Key 1, i.e. there are no UIDs with new email addresses or
different names.  Likely, this would be true, but I am not making any
assumptions here on the UIDs.

As for (2), yes, whoever has control of the key must have created the
UIDs and can decrypt and sign messages.  But you are still assuming that
because Alice said that she owns Key 2, sent you a signed message saying
so, and the UIDs match those on Key 1 (most likely) that she has control
of the key and that you still do not need to verify that she can decrypt
and sign messages.

The probability that it is her key and that she does have control of it
is, I believe, high.  Being probable does not mean that you have
verified that she controls the key.

Cheers,

--Paul

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: trust your corporation for keyowner identification?

2013-11-02 Thread Leo Gaspard
(Sorry, I once again sent the message only to you and not to the list -- I
really need to get used to mailing lists, sorry!)

On Sat, Nov 02, 2013 at 07:08:15PM -0700, Paul R. Ramer wrote:
> On 11/02/2013 02:25 PM, Leo Gaspard wrote:
> > Isn't the presence of a UID sufficient for this matter ?
>
> No, it is not.  Here is why.  When you verify a key to sign you are
> verifying the following:
>
> 1) For each UID, that the name is correct and that the purported owner
> has control of the email in that UID (possibly also verifying the
> comment if it contains something such as "CEO ABC Corporation").
> 2) That the purported owner has control of the key and can decrypt and
> sign messages.
>
> [...]

Well...
 1) Checked by the other key's message. Because signed (K1) message from Alice,
saying she has access to K2, means any UID on K2 named Alice is as right as
the equivalent UID on K1. So the UIDs are correct.
 2) Checked by the presence of the UID. Because, to add a UID, one must have
control of the secret key, and thus be able to decrypt / sign messages with
it. And, as stated in (1), the UIDs are valid. So Alice, who added the UIDs,
must have access to the secret key.

The only case I could find of (2) invalid would be if Alice herself tried to
trick you into signing a key with her name but used by Bob. Except it turns
out that she could just as well have the key for the time of the key exchange,
and then pass it to Bob.

Where am I wrong ?

Cheers,

Leo



Re: trust your corporation for keyowner identification?

2013-11-02 Thread Paul R. Ramer
On 11/02/2013 02:25 PM, Leo Gaspard wrote:
> On Sat, Nov 02, 2013 at 11:02:57AM -0700, Paul R. Ramer wrote:
>> Stan Tobias  wrote:
>>> Yes, but by remote communication.  The reasoning goes like this: The
>>> signature is validated by my certificate (or, in case 2a, by my friends'
>>> whom I trust fully).  The message is authenticated by X's valid signature,
>>> therefore the message has not been tampered with and its author is X.
>>> X says he uses a new key K2.  Because I've got this message from X,
>>> I have verified the ownership of K2, so I can sign it.
>>
>> Sorry, but this is wrong. The certificate of the first key is valid, the 
>> signature of the message is valid, but your correspondent's claim to 
>> ownership of the second key is not yet proven. While you know that whoever 
>> has control of the first key sent you that message, you have not confirmed 
>> that he can decrypt and sign with the second key.
> 
> Isn't the presence of a UID sufficient for this matter ?

No, it is not.  Here is why.  When you verify a key to sign you are
verifying the following:

1) For each UID, that the name is correct and that the purported owner
has control of the email in that UID (possibly also verifying the
comment if it contains something such as "CEO ABC Corporation").
2) That the purported owner has control of the key and can decrypt and
sign messages.

For #1, it is possible that the user has no name or email address in the
UID(s).  Either way, you need to verify the details of the UIDs that you
intend to sign.  For #2, you need to verify the key fingerprint,
algorithm, and key size (but the fingerprint at a minimum) and then have
the user demonstrate that he can decrypt a message encrypted with the
key in question and also sign with it.  This can be done by sending a
message of unknown content (from the purported key owner's perspective)
to him to each email that he claims to have in each of his UIDs
(provided he has any) and require him to reply with a signed copy of the
decrypted message.  This serves to verify the control of the key and the
email addresses.

The reason the presence of a UID on that second key that is in
congruence with UID(s) that you have verified on the first key is not
sufficient is because although the UID may seem good (or maybe even be
identical to the UID(s) on the first key), you have not verified that he
indeed has control of the second key.  While you may feel that the key
*should* be under his control and that there is little chance that it is
not, it does not mean that you have verified his control of that second
key, which means that you have not verified that key.


>> I was commenting on why verification of key details outside of non-secure 
>> electronic channels prior to certification  is useful rather than receiving 
>> a request electronically for you to certify a person's key and assuming it 
>> to be verification enough without using another channel to verify the 
>> request and purported key details.
> 
> IMHO, exchanging emails with someone whose key you want to sign is at least as
> important as meeting him / her in person.
> 
> Indeed, a key could have a UID containing only an email address (thus could be
> signed using only an email exchange, by proving the ownership of the email
> address more than any discussion with a pretended email owner), while a UID
> containing only a name would be, IMHO, quite less common, as AFAIK, the most
> common use of PGP is for emails. (Yes, I know, it is not always the case, but
> for the average user it is.)

Verifying the key fingerprint and exchanging encrypted and signed
messages would verify control.  This is true.  You can't verify control
by talking to them in person.

Cheers,

--Paul


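The challenge-response check Paul outlines above, written out as an added example that is not part of the original post and not GnuPG's own tooling. It assumes GnuPG 2.1+ and awk on PATH, uses constructed names (Alice, alice@example.com), and simulates both parties in one throwaway keyring; it also runs the negative case from the thread, where a reply signed with the already-trusted key K1 is rejected as proof of control of K2.

```shell
#!/bin/sh
# Added example: verify that a claimant controls a specific OpenPGP key by
# having them decrypt a fresh nonce and return it signed with that key.
# Assumes GnuPG 2.1+ on PATH. Both "sides" share one throwaway GNUPGHOME so
# the exchange can be simulated locally; in practice the encrypted challenge
# is mailed to each address in the key's UIDs, as Paul describes.
set -eu
command -v gpg >/dev/null || { echo "gpg not found" >&2; exit 1; }

GNUPGHOME=$(mktemp -d)
export GNUPGHOME
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

# Common flags: no prompts, overwrite outputs, demo keys have no passphrase.
gpgq() { gpg --batch --yes --quiet --no-tty --pinentry-mode loopback --passphrase '' "$@"; }

# make_key NAME EMAIL: generate a key and print its primary fingerprint, taken
# from the KEY_CREATED status line rather than by searching the UID (two keys
# with identical UIDs could not be told apart that way).
make_key() {
    gpgq --status-fd 1 --quick-gen-key "$1 <$2>" default default never \
      | awk '$2 == "KEY_CREATED" && !seen { print $4; seen = 1 }'
}

# verifier_challenge FPR: create a random nonce only the verifier knows and
# encrypt it to the key whose control is in question.
verifier_challenge() {
    gpg --armor --gen-random 1 24 > "$GNUPGHOME/challenge.txt"
    gpgq --armor --trust-model always --recipient "$1" \
         --output "$GNUPGHOME/challenge.asc" --encrypt "$GNUPGHOME/challenge.txt"
}

# claimant_reply SIGNING_FPR: decrypt the challenge and return it signed with
# the given key (an honest claimant signs with the key being checked).
claimant_reply() {
    gpgq --output "$GNUPGHOME/decrypted.txt" --decrypt "$GNUPGHOME/challenge.asc"
    gpgq --armor --local-user "$1" \
         --output "$GNUPGHOME/reply.asc" --sign "$GNUPGHOME/decrypted.txt"
}

# verifier_check EXPECTED_FPR: succeed only if the reply carries a valid
# signature from exactly the expected key and contains the verifier's nonce.
verifier_check() {
    status=$(gpgq --status-fd 1 --output "$GNUPGHOME/reply.txt" \
                  --decrypt "$GNUPGHOME/reply.asc") || return 1
    # VALIDSIG: field 3 is the signing (sub)key, the last field the primary key.
    printf '%s\n' "$status" \
      | awk -v want="$1" '$2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
                          END { exit ok ? 0 : 1 }' || return 1
    [ "$(cat "$GNUPGHOME/reply.txt")" = "$(cat "$GNUPGHOME/challenge.txt")" ]
}

# run_demo: K1 is Alice's established key, K2 the new key she claims; both
# carry the same UID, which is exactly the situation discussed in the thread.
run_demo() {
    k1=$(make_key "Alice" "alice@example.com")
    k2=$(make_key "Alice" "alice@example.com")
    verifier_challenge "$k2"

    claimant_reply "$k2"
    verifier_check "$k2" || { echo "FAIL: genuine reply rejected"; return 1; }
    echo "PASS: control of K2 demonstrated"

    # A reply signed with K1 is a perfectly valid signature from Alice, but it
    # says nothing about K2, so the check for K2 must fail.
    claimant_reply "$k1"
    if verifier_check "$k2"; then echo "FAIL: K1 signature accepted for K2"; return 1; fi
    echo "PASS: signature from K1 correctly rejected as proof of K2"
}

run_demo
```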


Re: Quotes from GPG users

2013-11-02 Thread Stan Tobias
On 30/10/13 11:58, Sam Tuke wrote:
> I'm working with Werner to promote GnuPG and raise awareness. To that end we're
> collecting quotes from users - endorsements from people who know and trust GPG,
> people like you.
> 
> If you want to help us, send your own statement about why GPG is important to
> you. Please keep it less than or equal to 130 characters, so it can be used on
> social networks.
> 
> I'll collect them and pick the best for use now and in future.

From my past experience a few years ago in a small company I can say
that some corporate type people seem to have an irrational distrust of
anything "free".  When I tried to introduce GnuPG as part of a solution,
I had a feeling they treated it as a second rate implementation by a
bunch of amateurs.

It's not a real quote, I'm afraid, but if I could propose a slogan,
it would be something like:  "GnuPG is mainstream".

Stan T.



Re: gpgsm and expired certificates

2013-11-02 Thread Stan Tobias
"Robert J. Hansen"  wrote:

> My previous email was pretty dry and impersonal.  This one is very personal.
>
> > Isn't the NSA "a government based organisation?" Surely
> > guilt-by-association renders every government based organisation just
> > as nefarious as the NSA.
>
> My current job 
> John Moore III, 
> Werner 
> There are a lot of people on this list 
>
> You owe all of us an apology.

In defense of MFPA, he was speaking of government based *organisations*.
Organisations don't have a conscience.  People are a different kind; they
often work for you against general policies, if you can interpret signs
correctly and cooperate.

Kindly, Stan Tobias.



Re: gpgsm and expired certificates

2013-11-02 Thread Ingo Klöcker
On Saturday 02 November 2013 19:48:39 Uwe Brauer wrote:
> >> "MFPA" == MFPA   writes:
>> Hi
>> On Sunday 27 October 2013 at 2:46:05 PM, in
>> , Uwe Brauer wrote:
>> 
>> Isn't the NSA "a government based organisation?" Surely
>> guilt-by-association renders every government based organisation just
>> as nefarious as the NSA.
> 
> Your point being?
> 
> I presume it goes like this: NSA is  "a government based
> organisation" doing, among other things, violations of civil rights.
> 
> So any other government based organisation cannot be trusted, end of
> argument.
> 
> Well I just talked about a service, which provides certificates to
> its citizens. That means it signs a public/private key pair, which is
> generated by the, hopefully open source, crypto module of your
> browser.
> 
> So either you claim to have evidence that these modules have been
> hacked and the key pair is transferred to some of these evil
> organisations or I really don't see your point.

Since I had exactly the same thought as MFPA (namely that the NSA is a 
government based organization), I'll explain my thoughts (which could be 
different from MFPA's point).

You, Uwe Brauer, wrote:
> I would prefer a government based organisation which provides this
> service to its citizen (especially because of all which was lately
> revealed about the NSA)

where "this service" refers to the service a commercial, not government 
based CA like comodo offers.

I interpreted "especially because of all which was lately revealed about 
the NSA" to refer to the NSA's ability to forge certificates issued by 
commercial CAs (e.g. by forcing the CAs to provide such a certificate). 
Now my thinking was that the NSA (or some other country's secret agency, 
e.g. the German BND) probably wouldn't have more problems to get forged 
certificates if they were issued by a government based CA.

OTOH, you wrote the above in reply to Werner's
> The business model of most CAs is to sell you a subscription by
> setting the expiration time very low so that they can ask after a
> year for another fee to create a new certificate.  Here it does not
> make sense to create a new private key every year.

So, your point/hope probably was that a government based CA wouldn't 
have such a business model and would instead offer this service gratis 
to the people (so that more people would be protected from the NSA 
reading their mail). If this was your point then apparently I didn't see 
it when I first read your message.


Regards,
Ingo




Re: gpgsm and expired certificates

2013-11-02 Thread Filip M. Nowak
On 02.11.2013 20:20, Peter Lebbing wrote:
> On 02/11/13 19:48, Uwe Brauer wrote:
>> So either you claim to have evidence that these modules have been hacked
>> and the key pair is transferred to some of these evil organisations or I
>> really don't see your point.
> 
> I think the most common way for an X.509 CA to be deceitful is by giving someone
> else a certificate with your name on it, not by stealing your key.
> 
> (...)

Not mentioning giving away (actually signing) intermediate CA keys.

Cheers,
Filip



Re: gpgsm and expired certificates

2013-11-02 Thread Peter Lebbing
On 02/11/13 19:48, Uwe Brauer wrote:
> So either you claim to have evidence that these modules have been hacked
> and the key pair is transferred to some of these evil organisations or I
> really don't see your point.

I think the most common way for an X.509 CA to be deceitful is by giving someone
else a certificate with your name on it, not by stealing your key.

Then I would be under the impression I was holding an encrypted and signed
conversation with /you/, but I would be talking to the well-funded attacker that
got the false certificate. That attacker could then re-encrypt and send it on to
you, to be a man in the middle.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: gpgsm and expired certificates

2013-11-02 Thread Uwe Brauer
>> "MFPA" == MFPA   writes:

   > Hi
   > On Sunday 27 October 2013 at 2:46:05 PM, in
   > , Uwe Brauer wrote:

   > Isn't the NSA "a government based organisation?" Surely
   > guilt-by-association renders every government based organisation just
   > as nefarious as the NSA.

Your point being?

I presume it goes like this: NSA is  "a government based
organisation" doing, among other things, violations of civil rights.

So any other government based organisation cannot be trusted, end of
argument.

Well I just talked about a service, which provides certificates to its
citizens. That means it signs a public/private key pair, which is
generated by the, hopefully open source, crypto module of your browser.

So either you claim to have evidence that these modules have been hacked
and the key pair is transferred to some of these evil organisations or I
really don't see your point.

Uwe Brauer 




Re: trust your corporation for keyowner identification?

2013-11-02 Thread Paul R. Ramer
Stan Tobias  wrote:
>Yes, but by remote communication.  The reasoning goes like this: The
>signature is validated by my certificate (or, in case 2a, by my friends'
>whom I trust fully).  The message is authenticated by X's valid signature,
>therefore the message has not been tampered with and its author is X.
>X says he uses a new key K2.  Because I've got this message from X,
>I have verified the ownership of K2, so I can sign it.

Sorry, but this is wrong. The certificate of the first key is valid, the 
signature of the message is valid, but your correspondent's claim to ownership 
of the second key is not yet proven. While you know that whoever has control of 
the first key sent you that message, you have not confirmed that he can decrypt 
and sign with the second key.

>> The idea of using a different channel for confirming key details such as
>> a key fingerprint is really a way of trying to avoid a man-in-the-middle
>> attack on the verification of the key and its UIDs.  It is not entirely
>> foolproof--nothing is.
>
>I don't understand how man-in-the-middle fits here, I was exploring an idea
>if a trust (belief) once correctly initiated could later be transferred
>purely remotely (electronically), without physical contact.

I was commenting on why verification of key details outside of non-secure 
electronic channels prior to certification is useful rather than receiving a 
request electronically for you to certify a person's key and assuming it to be 
verification enough without using another channel to verify the request and 
purported key details.

Cheers,

--Paul
--
PGP: 3DB6D884



Re: Quotes from GPG users

2013-11-02 Thread Sam Tuke
On 02/11/13 17:43, Johannes Zarl wrote:
> "My handwriting is unique. With GPG, so is my email."

Brilliant, thanks! Admirably concise.

Sam.

-- 
Sam Tuke
Campaign Manager
Gnu Privacy Guard
0044 78680 77871





Re: Quotes from GPG users

2013-11-02 Thread Sam Tuke

On 02/11/13 17:38, kwadronaut wrote:
> GnuPG might be clumsy, but it gets my message across, to the intended
> recipients!

Thanks kwadronaut. You're highlighting the signing aspect here I presume?

Best,

Sam.

-- 
Sam Tuke
Campaign Manager
Gnu Privacy Guard
0044 78680 77871


Re: Quotes from GPG users

2013-11-02 Thread Johan Wevers
On 2-11-2013 17:43, Johannes Zarl wrote:

> I wonder why not more respondents have written about authenticity?

Probably because encryption is the more important use of gpg to
most people. If you have sensitive discussions via email, my experience
is that if a stranger would impersonate one sender, it would immediately
be noticed due to lack of knowledge about things previously said.

-- 
Met vriendelijke groet / With kind regards,
Johan Wevers

PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html




Re: gpgsm and expired certificates

2013-11-02 Thread Johan Wevers
On 2-11-2013 15:36, Robert J. Hansen wrote:

> I can't help but think, as I see the tenor of the discussion about the
> NSA, that there are probably thousands of good and decent people in that
> agency who are concerned with following the law and respecting civil
> liberties -- and they probably feel an awful lot like Marshal Kane right
> now, wondering whether it's even worth it.

Perhaps. But those people make me think more of what we call here
"mayor in wartime": during WW2, some mayors kept their position under
the Germans with the intention to prevent someone worse (like a member
of the local Nazi party) from taking the post and to prevent as much cruelty
as possible. This turned out to be nearly impossible, and after the war
those mayors were not looked kindly upon. You can't keep your hands
clean when you take such a post.

Another example would be the countless Stasi employees who really
thought they were doing the people a favor by defending them against
those evil capitalists. The people mostly didn't agree.

The NSA employees might think they are protecting the people against
someone worse than they are, but in many places outside the US the US is
now seen as the primary enemy. Not that we like terrorists that much,
but we have reached the point where the US causes more problems and
deaths of innocents than its enemies. Especially because they more or
less admit that all non-US citizens are fair game.

> They are not practicing guilt by suspicion.  They are practicing, "hey,
> let's collect as much information as possible on this crime so that we
> can find the truly guilty person."

Another problem with the US, they tend to make out for others what
"crimes" are. The wars on drugs and copyright infringement are typical
examples of where the pressure of the US goes against the interests of
the people in other countries (and even their own).

> Police do not determine guilt.  Courts determine guilt.  Police are in
> the business of collecting information.  In a very real sense, police
> are a domestic intelligence agency.

That would be true in an ideal world. In the real world the police is
often in the business of fabricating and / or withholding evidence.

-- 
Met vriendelijke groet / With kind regards,
Johan Wevers

PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html




Re: Quotes from GPG users

2013-11-02 Thread Johannes Zarl
On Wednesday 30 October 2013 11:58:56 Sam Tuke wrote:
> I'll collect them and pick the best for use now and in future.
> 
> Stimuli:
> You trust GPG with what?
> It's the only app that does what for you / your business?
> Without it you couldn't do what?

I wonder why more respondents have not written about authenticity? I'm not 
terribly good with this sort of thing, but I'll try:

"My handwriting is unique. With GPG, so is my email."

Cheers,
  Johannes



Re: Quotes from GPG users

2013-11-02 Thread kwadronaut
On 30/10/13 11:58, Sam Tuke wrote:
> Hi all,
> 
> I'm working with Werner to promote GnuPG and raise awareness. To that end we're
> collecting quotes from users - endorsements from people who know and trust GPG,
> people like you.
> 
> If you want to help us, send your own statement about why GPG is important to
> you. Please keep it less than or equal to 130 characters, so it can be used on
> social networks.
> 
> I'll collect them and pick the best for use now and in future.
> 

GnuPG might be clumsy, but it gets my message across, to the intended
recipients!






Re: Quotes from GPG users

2013-11-02 Thread Heinz Diehl
On 30.10.2013, Sam Tuke wrote: 

> I'll collect them and pick the best for use now and in future.

"GPG - keeps the XXX from your door!"  :-)

[Replace XXX with any three letter agency of your choice]




Re: Quotes from GPG users

2013-11-02 Thread Heinz Diehl
On 02.11.2013, Sam Tuke wrote: 

> Research would definitely be helpful. There are many well written guides, video
> tutorials, and even e-learning courses on how to setup GPG however, and some
> applications make it very easy.

When you think of the "common windows user" who solely wants to double
click on "install.exe" and send encrypted mail after it finished: are
these people aware of those applications?
 
> While technical complexity is undoubtedly a problem, a huge number of
> technically proficient people are not using GPG simply because they aren't aware
> of its existence or importance. At least, that's what my own experiences tell me.

Now that you have the "NSA scandal" and the mass media have done their job,
you have a perfect growing place to start an awareness campaign :-)
So what do people want? Either they give a shit about the NSA and have
"nothing to hide", or they want to encrypt just everything.

 



Re: gpgsm and expired certificates

2013-11-02 Thread MFPA

Hi


On Saturday 2 November 2013 at 2:36:27 PM, in
, Robert J. Hansen wrote:


> They are not practicing guilt by suspicion. They are
> practicing, "hey, let's collect as much information as
> possible on this crime so that we can find the truly
> guilty person."

Experiences of people I know, together with footage broadcast on the
"reality TV" programmes where TV crews follow real police going about
their business, lead me to the conclusion they routinely practice
guilt by suspicion/guilt by association. If that approach fails to
find somebody the circumstantial evidence doesn't rule out, they will
switch to a genuine investigation if the matter is serious enough to
warrant the man-hours, or if it affects high-profile individuals.

No slur intended on any individual police personnel, just public
perception of the police forces' corporate approach. (And for the
record, I know many people who have formed a similar impression as
well as plenty who have formed a very different impression.)



> Police do not determine guilt.  Courts determine guilt.
> Police are in the business of collecting information.
> In a very real sense, police are a domestic
> intelligence agency.

Unfortunately, police sometimes influence the determination of guilt
by being selective in their presentation of information to the courts.
In the UK any withholding of evidence by the police has constituted
grounds for appeal since R v Fellows in July 1985.[1]

[1] The very short quote at

is the only reference I can find at the moment.


--
Best regards

MFPAmailto:expires2...@ymail.com

The second mouse gets the cheese


Re: gpgsm and expired certificates

2013-11-02 Thread Robert J. Hansen
> I wish to extend my sincere and unreserved apologies to all the people
> I unintentionally offended.

Thank you for this.  (Seriously.)

There's an American movie that probably hasn't been seen much in Europe.
 _High Noon_, starring Gary Cooper, which may be the finest Western ever
made.  In a nutshell, the Frank Miller Gang comes to town intent on
bloodshed and violence, and to protect the town the retired police
officer, Marshal Will Kane, puts on the tin star once more.  The Frank
Miller Gang does something violent and Kane gets in the way -- the gang
retaliates and does something else violent, and Kane gets in the way and
stops that, too.

After a while the townsfolk, who were begging Marshal Kane to come out
of retirement at the beginning of the movie, are screaming their outrage
at him.  "If you'd just quit, the Frank Miller Gang would leave us
alone!  Can't you see that your meddling is just making them angry and
making the problems worse?"

In a climactic showdown Marshal Kane shatters the Miller Gang.  All the
townsfolk, who had begged him to save them and then screamed at him that
he was the problem, come around to praise him for his courage and valor.
 Marshal Kane looks them over in disgust, then tears off his badge,
throws it in the dirt, and rides off into the sunset with his
girlfriend.  The townspeople have finally done what the Frank Miller
Gang couldn't do: they've made a good and decent policeman stop caring
about his town.

I can't help but think, as I see the tenor of the discussion about the
NSA, that there are probably thousands of good and decent people in that
agency who are concerned with following the law and respecting civil
liberties -- and they probably feel an awful lot like Marshal Kane right
now, wondering whether it's even worth it.

> Which would mean police who interview people who had contact with a
> suspect, in order to "eliminate them from their enquiries," are either
> not grown-ups or are practising something in which they do not
> believe.

They are not practicing guilt by suspicion.  They are practicing, "hey,
let's collect as much information as possible on this crime so that we
can find the truly guilty person."

Police do not determine guilt.  Courts determine guilt.  Police are in
the business of collecting information.  In a very real sense, police
are a domestic intelligence agency.





Re: gpgsm and expired certificates

2013-11-02 Thread MFPA

Hi


On Friday 1 November 2013 at 6:47:56 PM, in
,
Robert J. Hansen wrote:


>> Isn't the NSA "a government based organisation?"
>> Surely guilt-by-association renders every government
>> based organisation just as nefarious as the NSA.

> This is why grown-ups don't believe in guilt by
> association.

Which would mean police who interview people who had contact with a
suspect, in order to "eliminate them from their enquiries," are either
not grown-ups or are practising something in which they do not
believe.


> Do you really think a bunch of graduate students
> obsessing over _La Chanson du Roland_ are "just as
> nefarious as the NSA"?

> If you do, then I think your paranoia is so out of hand
> you really ought to consider seeking professional help.
> And no, I'm not kidding.

I was merely making use of hyperbole to challenge the previous
poster's assertion that a government based organisation would be
preferable to the current CA service providers, "especially because of
all which was lately revealed about the NSA."

What I was trying to convey, was my opinion that the revelation of
unpalatable/nefarious behaviour on the part of a government
organisation seems a pretty odd reason to call for services, currently
provided by private-sector CAs, to instead be provided by a government
organisation.


--
Best regards

MFPAmailto:expires2...@ymail.com

ETHERNET(n): device used to catch the Ether bunny


Re: gpgsm and expired certificates

2013-11-02 Thread MFPA

Hi


On Friday 1 November 2013 at 7:25:30 PM, in
,
Robert J. Hansen wrote:


> But since some of
> my R&D funding comes from the government, I'm just as
> nefarious as the NSA.

[...]

> John Moore III, who hasn't been seen on this list in
[...]
> Apparently John's
> contributions to the GnuPG community mean nothing,
> because he's just as nefarious as the NSA.

[...]

> Werner has taken money from the German government to do
> crypto-related software development.  Apparently Werner
> is just as nefarious as the NSA.

> There are a lot of people on this list who have some
> kind of connection to the government.

[...]

> You owe all of us an apology.

I wish to extend my sincere and unreserved apologies to all the people
I unintentionally offended.


--
Best regards

MFPAmailto:expires2...@ymail.com

Wise men learn many things from their enemies.




Re: make gpg-agent forget the PIN

2013-11-02 Thread Peter Lebbing
On 02/11/13 12:26, Werner Koch wrote:
> Or better: pull off the card and take it with you.

I unplug my reader (USB) when I don't use it; I leave the card in. I now have
OpenPGP v2 cards, but I earlier had v1 cards that started to malfunction after
some time. I had the impression that they were most likely to keep working if I
didn't remove them from the cardreader, so I tried to avoid that. Also, a worn
out USB connector is very easy to replace when you know which side of a
soldering iron is the hot side. If the contacts of my cardreader wear out, I
can't replace them as easily.

When I suspect I might need the card again soon, I don't unplug the reader. But
I know myself: when I leave for a moment, I might not think of a card that's
still attached and the PIN unlocked. I live on campus, with 9 other students in
this building, and I don't always lock my door. I don't think anyone will come
in, notice the unlocked card, and out of curiosity see what encrypted stuff they
can read, but I just feel a bit awkward when I leave the card unlocked. It's not
a solid argument, but I dislike feeling a bit awkward, so I "lock" the card.

I don't even have encrypted stuff that would be interesting to my housemates.
For example, even if they knew my credit card details, they wouldn't use them.
Or the private key to my own X.509 CA, as another example. It's just that
feeling a bit awkward thing :).

If people are determined and they are able to access my cardreader with OpenPGP
card in, they are also already sitting at my computer. Then they can do all
sorts of interesting stuff. I just trust my OpenPGP card to keep its private key
to itself; even though other people can get physical access to the card if
they're determined to do so. If I'm up against adversaries that can extract
private keys from OpenPGP cards, I'm out of my league anyway.

I will move to my own house fairly soon; then my computer will be more secure 
:).

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: Quotes from GPG users

2013-11-02 Thread Sam Tuke
On 31/10/13 08:33, Heinz Diehl wrote:
> Raised awareness does seldom lead to change (just as knowledge and
> attitudes). Before developing a strategy on promoting the use of 
> GPG, the barriers which prevent people from using it should be 
> explored and fed back into the implementation strategy.

Research would definitely be helpful. There are many well written guides, video
tutorials, and even e-learning courses on how to setup GPG however, and some
applications make it very easy.

While technical complexity is undoubtedly a problem, a huge number of
technically proficient people are not using GPG simply because they aren't aware
of its existence or importance. At least, that's what my own experiences tell 
me.

> Maybe some principles from social marketing (insight, exchange..) 
> would fit as a good starting point for a campaign.

I'd like to explore this off-list; sounds like you've got some interesting 
ideas.

Best,

Sam.

-- 
Sam Tuke
Campaign Manager
Gnu Privacy Guard
0044 78680 77871





Re: Quotes from GPG users

2013-11-02 Thread Sam Tuke

On 30/10/13 19:31, Martin Gollowitzer wrote:
> Unfortunately, this is slightly longer (it's really hard to stick to 130 
> characters):

Yes, it really is :)

> GnuPG allows for both proving a message's authenticity and preventing 
> eavesdropping. It's one of the most important tools I use every day.

Thanks Martin - that last sentence is great even by itself.

Best,

Sam.

-- 
Sam Tuke
Campaign Manager
Gnu Privacy Guard
0044 78680 77871




Re: Quotes from GPG users

2013-11-02 Thread Sam Tuke
On 31/10/13 22:47, Paul R. Ramer wrote:
> Well, here is my input for your project.
> 
> I wouldn't be able to communicate sensitive documents without it.

Many thanks Paul!

Sam.

-- 
Sam Tuke
Campaign Manager
Gnu Privacy Guard
0044 78680 77871





Re: make gpg-agent forget the PIN

2013-11-02 Thread Werner Koch
On Fri,  1 Nov 2013 20:17, pe...@digitalbrains.com said:

> It's called 'scforget' here.

Or better: pull off the card and take it with you.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.




Re: make gpg-agent forget the PIN

2013-11-02 Thread Johannes Zarl
Thanks! That was exactly what I was looking for.

  Johannes

On Friday 01 November 2013 20:17:41 Peter Lebbing wrote:
> Hi Johannes,
> 
> > Is there any way to explicitly tell gpg-agent to forget the pin as well?
> 
> Based on a post once made by Werner, I have this script:
> 
> ---8<->8---
> #!/bin/sh
> 
> gpg-connect-agent 'SCD RESET' /bye
> ---8<->8---
> 
> It's called 'scforget' here.
> 
> HTH,
> 
> Peter.
