Re: Threema. / don't trust closed source software
On 10.11.2013 02:46, Robert J. Hansen wrote:
> Looking over their site briefly I was unable to find a link for source code. As a result, I think very little of it. I don't think it's wise to trust unknown third-party binaries that don't provide source.

It is a commercial iOS and Android application without source code and even such important details like the used encryption.

Don't trust closed source software products!

regards, Mark

--
m...@it-infrastrukturen.org
http://rsync.it-infrastrukturen.org
http://git.it-infrastrukturen.org

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Duplicating smartcard
Hello everyone,

since I could not reveal anything useful on google, here my question.

I want to have a safe backup of my smartcard which contains my primary key and two subkeys.

I guessed the private keys can not be exported as it would make no sense then to have a smartcard.

But if I run 'gpg --export-secret-keys' for my keys, it actually seems to export the private keys according to pgpdump. How can this be? (I see no smartcard activity on the terminal and no PIN is asked)

Since I'm new to gpg and smartcards I don't know what to think of this. And still I don't know how to make a backup copy of my smartcard.

Any ideas or further readings highly welcome.

Best regards,
Alexander
Re: Threema. / don't trust closed source software
Hello,

On 10.11.2013 12:02, Mark Schneider wrote:
> (...)
> It is commercial iOS and Android application without source code and even such important details like the used encryption.
> (...)

Actually such information is available here: https://threema.ch/en/faq.html.

They are stating that they are using NaCl (http://nacl.cr.yp.to/) for ECC and NSFileProtectionComplete (iOS) or/and self-implemented AES256 (Android) for stored messages encryption.

Cheers,
Filip
Re: Duplicating smartcard
On Sun, Nov 10, 2013 at 11:50 AM, Alexander Truemper hasgar...@hellshell.de wrote:
> Hello everyone,
>
> since I could not reveal anything useful on google, here my question.
>
> I want to have a safe backup of my smartcard which contains my primary key and two subkeys.

Did you generate the keys on the smartcard, or did you generate them on the computer and then later transfer them to the smartcard?

If you generated them on the card itself, you cannot backup the keys. If you generated them on the computer, you can back up the keys to other media prior to transferring the keys to the smartcard. Once they're on the card the private keys cannot be exported.

> I guessed the private keys can not be exported as it would make no sense then to have a smartcard.

Correct.

> But if I run 'gpg --export-secret-keys' for my keys, it actually seems to export the private keys according to pgpdump. How can this be? (I see no smartcard activity on the terminal and no PIN is asked)

It exports the stub private keys that, in essence, say "The actual private keys exist on the smartcard with $SERIAL_NUMBER." These stubs are not private at all, and contain no actual key material.

Cheers!
-Pete
Re: Threema.
Charly Avital wrote:
> kendrick eastes wrote on 11/10/13, 3:17 AM:
> > might be better received at a cryptography based mailing list, also, do you plan on releasing source?
> >
> > apologies if this double sends, I've been having network issues recently.
>
> The source belongs to the company whose web site figures in the link I sent.

No source = Don't use.

Companies have their own commercial interests, can die, be bought, can be leaned on by their home nation state, plus states can spy, emit trojans, want to weaken cryptography/ security.

> I have no connection whatsoever with that company, I was just asking the GnuPG-users list for an opinion.
>
> Sorry for the misunderstanding.
> Charly

Cheers,
Julian

--
Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com
Interleave replies below like a play script. Indent old text with .
Send plain text, not quoted-printable, HTML, base64, or multipart/alternative.
Extradite NSA spy chief Alexander. http://berklix.eu/jhs/blog/2013_10_30
Re: Duplicating smartcard
On 10.11.2013, Alexander Truemper wrote:
> But if I run 'gpg --export-secret-keys' for my keys, it actually seems to export the private keys according to pgpdump. How can this be? (I see no smartcard activity on the terminal and no PIN is asked)

It's not the real secret key, but the stub which points to it which gets exported. So don't panic :-)
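The stub behaviour described in the two replies above can be checked directly on an export; the following is an added example, not part of the original thread. It assumes GnuPG's documented GNU S2K extension (S2K type 101, the marker "GNU", mode 2 followed by a serial-number length and the card serial); the function names are hypothetical and the sample packet is constructed with a made-up serial.

```python
PUBLIC_MPIS = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}   # RSA, ElGamal, DSA (RFC 4880)
GNU_MODES = {1: "gnu-dummy", 2: "gnu-divert-to-card"}

def packets(data):
    """Yield (tag, body) for each definite-length OpenPGP packet."""
    i = 0
    while i < len(data):
        hdr = data[i]; i += 1
        if hdr & 0x40:                          # new-format header
            tag, first = hdr & 0x3F, data[i]; i += 1
            if first < 192: n = first
            elif first < 224: n = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255: n = int.from_bytes(data[i:i+4], "big"); i += 4
            else: raise ValueError("partial body lengths not handled")
        else:                                   # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
            if ltype == 3: raise ValueError("indeterminate length not handled")
            size = 1 << ltype                   # 1, 2 or 4 length octets
            n = int.from_bytes(data[i:i+size], "big"); i += size
        yield tag, data[i:i+n]; i += n

def classify(body):
    """Return (kind, card_serial_hex) for a v4 secret (sub)key packet body."""
    if body[0] != 4 or body[5] not in PUBLIC_MPIS:
        return "unsupported", None
    pos = 6
    for _ in range(PUBLIC_MPIS[body[5]]):       # skip the public-key MPIs
        pos += 2 + (int.from_bytes(body[pos:pos+2], "big") + 7) // 8
    s2k = body[pos:pos+8]   # usage, cipher, S2K type, hash, "GNU", mode
    if s2k[0] in (254, 255) and s2k[2] == 101 and s2k[4:7] == b"GNU":
        snlen = body[pos+8] if s2k[7] == 2 else 0
        serial = body[pos+9:pos+9+snlen].hex().upper() or None
        return GNU_MODES.get(s2k[7], "unknown GNU mode"), serial
    return "real key material", None

def sample_stub():
    """Constructed secret-subkey stub: tiny fake RSA key, made-up card serial."""
    mpi = lambda v, bits: bits.to_bytes(2, "big") + v.to_bytes((bits + 7) // 8, "big")
    body = bytes([4]) + (1384000000).to_bytes(4, "big") + bytes([1])
    body += mpi(0xC5, 8) + mpi(0x010001, 17)
    body += bytes([255, 0, 101, 2]) + b"GNU" + bytes([2, 4]) + bytes.fromhex("00112233")
    return bytes([0x9C, len(body)]) + body      # old-format header, tag 7

def inspect_export(data):
    """List (tag, kind, serial) for every secret-key (5) / secret-subkey (7) packet."""
    return [(t, *classify(b)) for t, b in packets(data) if t in (5, 7)]

if __name__ == "__main__":
    print(inspect_export(sample_stub()))
```

To check a real export, pass the binary (not ASCII-armored) output of 'gpg --export-secret-keys' to inspect_export(); any packet reported as "real key material" is an actual private key and needs to be protected as one.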
Re: Threema.
On 09-11-2013 23:48, Charly Avital wrote:
> https://threema.ch/en/
>
> What do you think of it?

As others have mentioned, it seems to be closed source (and since it's payware I doubt they'll release the code). Further the Android version strongly suggests to use it with a Google account for push notifications and updates, which in itself is of course a security risk. Although they do offer a version without having to use Google stuff.

--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
Re: trust your corporation for keyowner identification?
Paul R. Ramer free10...@gmail.com wrote:
> Stan Tobias st...@privatdemail.net wrote:
> > Yes, but by remote communication. The reasoning goes like this: The signature is validated by my certificate (or, in case 2a, by my friends' whom I trust fully). The message is authenticated by X's valid signature, therefore the message has not been tampered with and its author is X. X says he uses a new key K2. Because I've got this message from X, I have verified the ownership of K2, so I can sign it.
>
> Sorry, but this is wrong. The certificate of the first key is valid, the signature of the message is valid, but your correspondent's claim to ownership of the second key is not yet proven. While you know that whoever has control of the first key sent you that message, you have not confirmed that he can decrypt and sign with the second key.

This is a technicality that can be fixed by sending an encrypted unknown message and awaiting a decrypted version, just as you've described elsewhere. I haven't tried to cover every minute detail of verification, my general idea is to replace direct contact with electronic signed messages, after having properly initialized the exchange (verified, etc.). The question is: do signatures supply an authenticated channel which can serve instead of physical contact, or not? For me, at this point, the question is still open.

I've been reading subsequent discussion, I think Leo Gaspard has made a few excellent points. I have nothing significant to add here.

I have one question, though. My understanding is that e-mail verification by sending encrypted message is part of identity verification (it defends against petty fraud, but that's the least we can do). Why is it important to verify the owner can _decrypt_ a message? Can you sketch a problem this verification defends against?

Stan Tobias
Re: trust your corporation for keyowner identification?
Paul R. Ramer free10...@gmail.com wrote:
> On 11/05/2013 09:26 AM, Leo Gaspard wrote:
>
> However, I think in this case (assuming there are no more UID on key 2 than on key 1), assertions are sufficient, *because* there are two assertions, one in both ways. I mean :
> * Owner of Key 1 says (s)he is owner of Key 2 (through signed message saying you so)
> * Owner of Key 2 says (s)he is owner of Key 1 (through signed UID on Key 2)
> So, except in case of collusion between owners of Keys 1 and 2, I believe there is no way one can be wrong in signing Key 2 (of course, if Key 1 is signed).
>
> There could be collusion with only one key. Verification of the key details cannot address this.
>
> IIUC, your point is that verification would enable one to avoid collusion, as it is the only flaw I can see in this verification scheme. Except collusion can not be avoided in any way, AFAIK.
>
> No. Avoiding collusion is impossible here. It just comes down to you vouching through your signature on the second key that you have *verified* it. Nothing more, nothing less. If you didn't follow all of the steps to verify it, why would you sign it with an exportable signature?

You verify the key(s) by inspecting them and drawing conclusions. You have a mathematical proof in front of your eyes. If verification is not gathering evidence (for building certainty, or strong belief), then what is it?

Stan Tobias