Re: Revocation certificate for sub key?
On 13/12/2013 23:56, adrelanos wrote:

> Is it possible to create a revocation certificate just for sub keys and not the master key?

I can't see how it can be useful...

> This would be useful for offline master keys. Trusted persons could be given the revocation certificate for sub keys and send it to key servers when they suspect compromise. But should the sub key revocation certificate get into the wrong hands due to compromise, the damage would be limited.

Since you still have your secure offline main key, you can revoke subkeys yourself... Or am I missing something?

BYtE,
Diego.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Revocation certificate for sub key?
>> This would be useful for offline master keys. Trusted persons could be given the revocation certificate for sub keys and send it to key servers when they suspect compromise. But should the sub key revocation certificate get into the wrong hands due to compromise, the damage would be limited.
>
> Since you still have your secure offline main key, you can revoke subkeys yourself... Or am I missing something?

Others may be able to do that faster. That time advantage might result in much less damage when it comes to important keys, such as linux distribution signing keys.

Re: Revocation certificate for sub key?
> On Fri 13.12.2013, 22:56:07, adrelanos wrote:
>> Hi,
>>
>> Is it possible to create a revocation certificate just for sub keys and not the master key?
>
> --edit-key 0x12345678
> key 1
> revkey

That doesn't create a revocation certificate, that revokes the key.

Re: Another step towards crowdfunding
Thanks for your carefully considered input Micah.

On 13/12/13 22:23, Micah Lee wrote:
> I tweeted the video and it's getting some pickup: https://twitter.com/micahflee/status/411569314097934336

Awesome!

> One way that I think the blog could be improved is by providing permalinks for the individual posts.

This has been on the todo list for a while (the blog is all static hand written HTML at the moment). I made separate pages as requested just now and they're online. Should make linking easier (just click on the article headings on the blog front page).

> Looking back through this list archives it appears that this fundraising campaign actually has a matching grant, to use non-profit development language? Each donation is doubled?

No we don't have a sponsor offering that at the moment (I'd be delighted if we did). Which archived mail gave you that impression?

> In the video you say that GPG is used by the government, hackers, and billion dollar companies. I think when promoting GPG it's good to include in that list activists, journalists, whistleblowers, and ordinary people that care about privacy. I think you can brag about widespread use amongst this same set of people: https://www.torproject.org/about/torusers.html.en

Good point, I'll speak to Anna who made the video about getting it changed.

> Finally, if you're raising money to rebuild the website, could you add HTTPS to your to do list?

I guess you're referring to the blog (gnupg.org is HTTPS accessible, but blog.gnupg.org is not)? The new site will host the blog on a single (not sub) domain, so all pages will be reachable by an encrypted connection. Does that answer your question?

Best,
Sam.

--
Sam Tuke
Campaign Manager
Gnu Privacy Guard
Tel: +49 176 81923811
IM: samt...@jabber.fsfe.org

Re: Revocation certificate for sub key?
On 12/14/2013 12:01 PM, adrelanos wrote:
> [hauke wrote:]
>> On Fri 13.12.2013, 22:56:07, adrelanos wrote:
>>> Hi,
>>>
>>> Is it possible to create a revocation certificate just for sub keys and not the master key?
>>
>> --edit-key 0x12345678
>> key 1
>> revkey
>
> That doesn't create a revocation certificate, that revokes the key.

If you are comfortable with either the GNUPGHOME environment variable or gpg's --homedir option, you should be able to make what you're looking for:

 * Make a new temporary gnupg homedir.
 * import your primary secret key and your subkey into that homedir.
 * from that homedir, take Hauke's advice and then export the key to a text file someplace safe. this text file will contain the revocation for the subkey.
 * delete/purge/get rid of the temporary homedir.
 * if/when you need to revoke your subkey, you can just gpg --import the stored text file, and then --send-key to push it to the public keyservers.

does this make sense?

--dkg

PS your e-mail client appears to be breaking message threading (no In-Reply-To: or References: headers), and fails to provide attribution for your quoted text (i had to re-insert that hauke was the source of the good advice above). This makes it more difficult for people to carry on a conversation with you over e-mail. Please consider fixing your client or choosing a different one that supports proper message threading and attribution. thanks!

Re: Sharing/Storing a private key
On Fri, Dec 13, 2013 at 12:12:12PM +0100, Mindiell wrote:
> Hello,
>
> I'm using GPG regularly and did want to save my private key.
> [...]
> I found (http://point-at-infinity.org//) too, but it wasn't really usable because it has too many limitations IMHO.
> So I did it myself : ShareIt (https://gitorious.org/shareit)
> [...]
> It is using the Shamir's Sharing Secret Algorithm (http://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing).
> [...]
> Any Comments and/or critics are more than welcome, especially on security issues.

AFAIK, *is* an implementation of SSS. So, why would you write a new version? I must say I didn't look at the source, as I do not see the point at first.

So, this is a warning about security issues : something you made yourself is likely to be unsafe. A tested implementation exists. Maybe is there really a point in writing it, but I can't see which. Maybe if you explained what the limitations of are...?

HTH,
Leo

Re: Another step towards crowdfunding
> On Fri, 13 Dec 2013 17:05, christophe.bro...@cnamts.fr said:
>> * a very lean and clean GnuPG blog design :) and excellent promotional video !
>
> I was somehow able to convince Sam not to install Wordpress like blogging software right now. Which also means that for comments you need to resort to gnupg-users ;-).

Will GnuPG blogs be cross-posted to the gnupg-users list? :)

Re: Revocation certificate for sub key?
On Sat 14.12.2013, 17:01:23, adrelanos wrote:
>> On Fri 13.12.2013, 22:56:07, adrelanos wrote:
>>> Hi,
>>>
>>> Is it possible to create a revocation certificate just for sub keys and not the master key?
>>
>> --edit-key 0x12345678
>> key 1
>> revkey
>
> That doesn't create a revocation certificate, that revokes the key.

It does create a revocation certificate. But it imports it automatically.

There is a simple solution, maybe (matter of taste) easier than dkg's proposal: Make a backup of the key (i.e. export both secret and public key), do the above, export the certificate (public key), delete both secret and public key and import your backup. The exported certificate contains the revocation certificate. You may reduce the file by deleting all but one UIDs and all other subkeys after the backup and before the revkey.

Hauke
--
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
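
Both procedures in this thread (dkg's temporary homedir and Hauke's backup, revoke, export, restore) end with an exported key file that is meant to carry the subkey revocation. The following is an added example, not code from the thread or from GnuPG: a small packet walker using RFC 4880 framing that reports which revocation signature types a file contains, so it can be checked for a subkey revocation (type 0x28) and no primary key revocation (type 0x20) before it is handed to anyone. `SAMPLE` is constructed, framing-only data, the function names are this example's own, and no signature is verified.

```python
import base64
# Signature type octets, RFC 4880 section 5.2.1
REVOCATION_TYPES = {0x20: "primary key revocation", 0x28: "subkey revocation",
                    0x30: "certification revocation"}

def dearmor(data: bytes) -> bytes:  # armored -> raw packets; binary passes through
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    # Armor headers end at the first blank line; drop the CRC24 and footer lines.
    payload = data.decode("ascii").replace("\r", "").strip().partition("\n\n")[2]
    return base64.b64decode("".join(l for l in payload.split("\n")
                                    if not l.startswith(("=", "-----END"))))

def packets(data: bytes):  # yields (tag, body) for each packet
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError(f"offset {i}: not an OpenPGP packet header")
        if hdr & 0x40:                              # new-format header
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            else:
                raise ValueError("5-octet and partial lengths not handled here")
        elif hdr & 3 == 3:
            raise ValueError("indeterminate length not handled here")
        else:                                       # old-format header
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length

def revocations(data: bytes) -> list:
    """Names of the revocation signatures (packet tag 2) found in an exported key."""
    types = (b[2] if b[0] == 3 else b[1]            # v3 puts a length octet before the type
             for tag, b in packets(dearmor(data)) if tag == 2 and len(b) > 2)
    return [REVOCATION_TYPES[t] for t in types if t in REVOCATION_TYPES]

def revokes_subkey_only(data: bytes) -> bool:
    return set(revocations(data)) == {"subkey revocation"}

def pkt(tag: int, body: bytes) -> bytes:            # old-format header, 1-octet length
    return bytes([0x80 | (tag << 2), len(body)]) + body

# Constructed sample (framing only, zero-filled bodies): key, user ID, subkey, two signatures
SAMPLE = (pkt(6, b"\x04" + bytes(20)) + pkt(13, b"Alice <alice@example.org>")
          + pkt(14, b"\x04" + bytes(20)) + pkt(2, bytes([4, 0x28, 1, 8]) + bytes(12))
          + pkt(2, bytes([4, 0x18, 1, 8]) + bytes(12)))
```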