Safely remove gnupg 1.4 without damaging gnupg 2 on Mac OS?
Dear all,

I have GnuPG 1.4.11 left over from a former installation. Since I upgraded to GnuPG 2.0.22 during the installation of GPG-Suite for Mac OS (10.8.5 – Mountain Lion) I do not need the older version. Is it possible to remove it without hurting my keyrings?

Thank you in advance for your help.

best regards,
-- 
tomasio

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
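The question above asks for a safe way to remove the older install without touching the keyrings. The following is an added example, not from the original post or from GnuPG or GPG Suite: a pre-removal checklist that shows which gpg programs are on PATH and what version each reports, lists the keyring files the two versions share, and takes a verified backup of the GnuPG home directory. It assumes both versions were installed with the default home directory (~/.gnupg, passed in by the caller); the program names it looks for and the throw-away home used by demo() are assumptions of this example.

```python
"""Pre-removal checklist for a leftover GnuPG 1.4 next to GnuPG 2.0: locate the
gpg binaries on PATH, list the keyring files the two versions share, and take
a verified backup of the GnuPG home directory before touching either install."""
import os
import shutil
import subprocess
import tarfile
import tempfile
import time

# GnuPG 1.4 and 2.0 read and write the same keyring files under the GnuPG home
# (GnuPG 2.1 later replaced these with pubring.kbx and private-keys-v1.d).
SHARED_KEYRING_FILES = ("pubring.gpg", "secring.gpg", "trustdb.gpg")

def installed_gpg_binaries(names=("gpg", "gpg1", "gpg2", "gpg-agent")):
    """Map each program name to the path it resolves to on PATH (None if absent)."""
    return {name: shutil.which(name) for name in names}

def gpg_version(path):
    """First line of `<path> --version`, e.g. 'gpg (GnuPG) 2.0.22'; None if it cannot run."""
    if not path:
        return None
    try:
        out = subprocess.run([path, "--version"], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    return out.stdout.splitlines()[0] if out.stdout else None

def keyring_files_present(gnupg_home):
    """Shared keyring files that actually exist in gnupg_home."""
    return [f for f in SHARED_KEYRING_FILES
            if os.path.isfile(os.path.join(gnupg_home, f))]

def backup_gnupg_home(gnupg_home, dest_dir):
    """Tar the whole GnuPG home into dest_dir, owner-readable only; returns the archive path."""
    archive = os.path.join(dest_dir, "gnupg-backup-%s.tar" % time.strftime("%Y%m%d-%H%M%S"))
    with tarfile.open(archive, "w") as tar:
        tar.add(gnupg_home, arcname=os.path.basename(gnupg_home))
    os.chmod(archive, 0o600)
    return archive

def backup_contains_keyrings(archive, gnupg_home):
    """True if every keyring file present on disk is also inside the archive."""
    base = os.path.basename(gnupg_home)
    with tarfile.open(archive) as tar:
        members = set(tar.getnames())
    return all(base + "/" + f in members for f in keyring_files_present(gnupg_home))

def demo():
    """Run the checklist against a constructed throw-away GnuPG home (no real keys)
    and return what was found; a real run would pass os.path.expanduser('~/.gnupg')."""
    root = tempfile.mkdtemp()
    home = os.path.join(root, ".gnupg")
    os.mkdir(home)
    for name in ("pubring.gpg", "secring.gpg"):   # constructed stand-ins for real keyrings
        with open(os.path.join(home, name), "wb") as f:
            f.write(b"\x00" * 16)
    archive = backup_gnupg_home(home, root)
    result = {
        "binaries": {n: gpg_version(p) for n, p in installed_gpg_binaries().items()},
        "keyrings_present": keyring_files_present(home),
        "backup_ok": backup_contains_keyrings(archive, home),
    }
    shutil.rmtree(root)
    return result

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Only after `backup_ok` is True for the real home directory and the `gpg` entry resolves to the binary you intend to keep does removing the other install make sense; the archive is the thing to restore from if a keyring turns out to be affected.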
Re: BoF at FOSDEM ?
On 23/01/14 17:27, Werner Koch wrote:
> is anyone interested in a BoF at FOSDEM on February 1 or 2? Anything special to put on the agenda? How long should we plan 30, 45 or 60 minutes?

Sounds like a good plan. My preference would be the 1st of February around lunch.

Cheers,
arne

-- 
Arne Renkema-Padmos
@hcisec, secuso.org
Doctoral researcher
CASED, TU Darmstadt
SecUSo – Security, Usability and Society
TU Darmstadt, Department of Computer Science
Building S2|02, Room B214
Phone: +49 163 734 6164
Web: https://www.secuso.informatik.tu-darmstadt.de/de/staff/arne-renkema-padmos/
Re: BoF at FOSDEM ?
On Thu, 23 Jan 2014 23:28, arne.renkema-pad...@cased.de said:
> Sounds like a good plan. My preference would be the 1st of February around lunch.

Well, the BoF rooms are assigned on a first come first served basis. Thus we can't sign up for a certain time. I am fine with Saturday, but better not before 13:00.

Any topics you want to discuss?

Salam-Shalom,
Werner

-- 
Thoughts are free. Exceptions are regulated by federal law.
his public key is 5 monitors high, and her same key is 1 ?
what are the factors involved in creating such discrepancies with folks' public key lengths?

i mean, some people's are 5 monitors high whereas the other joe has seemingly created a similar key and that key is one half a monitor in 'monitor' height

what does all this mean? how have people such varying public key 'sizes'? and how is this achieved?

are public, private, and key pairs in general stronger/safer (whatever that may mean) if observing their public keys are many monitors high or have they gone to extreme measures in something in particular?
Re: his public key is 5 monitors high, and her same key is 1 ?
On Fri, Jan 24, 2014 at 2:24 PM, shm...@riseup.net <shm...@riseup.net> wrote:
> what are the factors involved in creating such discrepancies with folks' public key lengths?

As far as I can tell, the two major factors that affect the size of public keys are:

1. Key length. (That is, a 4096-bit key will be larger than a 2048-bit or 1024-bit key.)
2. Number of signatures on the key. A brand-new key will be considerably shorter than one that has accumulated numerous signatures from other people.

> are public, private, and key pairs in general stronger/safer (whatever that may mean) if observing their public keys are many monitors high or have they gone to extreme measures in something in particular?

Key length does have an effect on security: 2048-bit keys are larger and harder to brute-force than 1024-bit keys. The same applies to 3072 and 4096-bit keys compared to 2048-bit ones, though there is a point of diminishing returns.

-- 
Pete Stephenson
Re: his public key is 5 monitors high, and her same key is 1 ?
On Sat, 25 Jan 2014 00:24:14 +1100 shm...@riseup.net <shm...@riseup.net> wrote:
> what are the factors involved in creating such discrepancies with folks' public key lengths? i mean, some people's are 5 monitors high whereas the other joe has seemingly created a similar key and that key is one half a monitor in 'monitor' height

You can use the pgpdump tool to see all the data in a public key file. A given key might contain lots of extra data beside the actual key, like signatures and photos.

-- 
Steve Jones <st...@secretvolcanobase.org>
Key fingerprint: 3550 BFC8 D7BA 4286 0FBC 4272 2AC8 A680 7167 C896
Re: Revocation certificates [was: time delay unlock private key.]
On 24.01.2014, Leo Gaspard wrote:
> Actually, this is something I never understood. Why should people create a revocation certificate and store it in a safe place, instead of backing up the main key?

Because a backup only makes sense when it's stored in a different place than the key itself: With every backup you create, you have one place more you'll have to keep secure, and doubled the chance that your key can be accessed.
Re: his public key is 5 monitors high, and her same key is 1 ?
On 1/24/2014 8:42 AM, Pete Stephenson wrote:
> As far as I can tell, the two major factors that affect the size of public keys are:
> 1. Key length. (That is, a 4096-bit key will be larger than a 2048-bit or 1024-bit key.)
> 2. Number of signatures on the key. A brand-new key will be considerably shorter than one that has accumulated numerous signatures from other people.

Don't forget photo IDs, which can massively expand the size of a certificate.
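The three replies above (key length, accumulated signatures, photo IDs) and the pgpdump suggestion all come down to the same thing: an exported "public key" is a sequence of OpenPGP packets, and its size is the sum of their bodies. The following is an added example, not from any of the posters and not pgpdump itself: a small packet walker in the spirit of pgpdump that parses old- and new-format packet headers (RFC 4880 section 4.2), reads the primary key's size in bits from the first MPI of a v4 key packet, and totals the bytes per packet type. The certificate it runs on is constructed inline (a fake 2048-bit RSA key packet, one user ID, three signature stubs and a 6000-byte user-attribute stub standing in for a photo) and is not a real key; `gpg --export` output can be fed to `summarize()` directly, or through `dearmor()` if exported with `--armor`.

```python
"""Walk the packets of an OpenPGP certificate and account for its size by packet
type, so a key that is 'five monitors high' can be explained packet by packet."""
import base64
import struct

TAG_NAMES = {2: "signature", 6: "public key", 13: "user ID",
             14: "public subkey", 17: "user attribute"}

def read_packet(data, pos):
    """Parse one packet header at data[pos]; return (tag, body, offset of next packet)."""
    ctb = data[pos]
    if not ctb & 0x80:
        raise ValueError("no packet header at offset %d" % pos)
    if ctb & 0x40:                                   # new-format header
        tag, l1 = ctb & 0x3F, data[pos + 1]
        if l1 < 192:
            length, hdr = l1, 2
        elif l1 < 224:
            length, hdr = ((l1 - 192) << 8) + data[pos + 2] + 192, 3
        elif l1 == 255:
            length, hdr = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
        else:
            raise ValueError("partial body lengths not handled")
    else:                                            # old-format header
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not handled")
        hdr = 1 + (1, 2, 4)[ltype]
        length = int.from_bytes(data[pos + 1:pos + hdr], "big")
    start = pos + hdr
    return tag, data[start:start + length], start + length

def key_bits(body):
    """Bit length of the first MPI of a v4 public-key packet (the modulus n for RSA)."""
    if body[0] != 4:
        raise ValueError("only v4 key packets handled")
    return struct.unpack(">H", body[6:8])[0]

def summarize(data):
    """Per-packet sizes, bytes per packet type, and the primary key's size in bits."""
    pos, packets, by_type, bits = 0, [], {}, None
    while pos < len(data):
        tag, body, pos = read_packet(data, pos)
        name = TAG_NAMES.get(tag, "tag %d" % tag)
        packets.append((name, len(body)))
        by_type[name] = by_type.get(name, 0) + len(body)
        if tag == 6 and bits is None:
            bits = key_bits(body)
    return {"packets": packets, "bytes_by_type": by_type, "primary_key_bits": bits}

def dearmor(text):
    """Strip the ASCII armor of `gpg --armor --export` and return the binary packets."""
    b64, in_body = [], False
    for line in text.strip().splitlines()[1:-1]:    # drop the BEGIN and END lines
        if not in_body and (line.strip() == "" or ":" in line):
            in_body = line.strip() == ""             # armor headers end at the blank line
            continue
        in_body = True
        if not line.startswith("="):                 # '=XXXX' is the CRC24, not packet data
            b64.append(line.strip())
    return base64.b64decode("".join(b64))

def armor(data, kind="PUBLIC KEY BLOCK"):
    """Minimal armor wrapper (no CRC24 line; gpg adds one)."""
    body = base64.b64encode(data).decode()
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return "-----BEGIN PGP %s-----\n\n%s\n-----END PGP %s-----\n" % (kind, lines, kind)

def new_packet(tag, body):
    """Encode a packet with a new-format header."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | tag]) + length + body

def constructed_sample():
    """A synthetic certificate, not a real key: one 2048-bit RSA key packet, one user
    ID, three signature stubs and a user-attribute stub the size of a small photo."""
    modulus = b"\x80" + b"\x5a" * 255                          # fake 2048-bit n, top bit set
    key = (bytes([4]) + b"\x00\x00\x00\x00" + bytes([1])       # v4, creation time, RSA
           + struct.pack(">H", 2048) + modulus
           + struct.pack(">H", 17) + b"\x01\x00\x01")          # e = 65537 (17 bits)
    return (new_packet(6, key)
            + new_packet(13, b"Alice Example <alice@example.org>")
            + new_packet(2, b"\x04" * 287) * 3
            + new_packet(17, b"\xff" * 6000))

if __name__ == "__main__":
    report = summarize(dearmor(armor(constructed_sample())))
    print("primary key: %d bits" % report["primary_key_bits"])
    for name, size in sorted(report["bytes_by_type"].items(), key=lambda kv: -kv[1]):
        print("%-15s %6d bytes" % (name, size))
```

On the constructed sample the key material itself is 269 bytes while the photo stub alone is 6000, which is the point of the thread: the height of the armored block says far more about signatures and attributes than about key strength. The parser stops at the first packet it cannot handle (partial body lengths, indeterminate old-format lengths) rather than guessing, so a surprising error is a sign to look at the file with pgpdump.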
Re: his public key is 5 monitors high, and her same key is 1 ?
Steve Jones:
> On Sat, 25 Jan 2014 00:24:14 +1100 shm...@riseup.net <shm...@riseup.net> wrote:
>> what are the factors involved in creating such discrepancies with folks' public key lengths? i mean, some people's are 5 monitors high whereas the other joe has seemingly created a similar key and that key is one half a monitor in 'monitor' height
> You can use the pgpdump tool to see all the data in a public key file. A given key might contain lots of extra data beside the actual key, like signatures and photos.

thanks for that tip ...
Re: his public key is 5 monitors high, and her same key is 1 ?
Pete Stephenson:
> On Fri, Jan 24, 2014 at 2:24 PM, shm...@riseup.net <shm...@riseup.net> wrote:
>> what are the factors involved in creating such discrepancies with folks' public key lengths?
> As far as I can tell, the two major factors that affect the size of public keys are:
> 1. Key length. (That is, a 4096-bit key will be larger than a 2048-bit or 1024-bit key.)
> 2. Number of signatures on the key. A brand-new key will be considerably shorter than one that has accumulated numerous signatures from other people.

that makes sense; now i understand why Zimmerman's and callas' public keys are going through the ceiling

as to who michael vario is it remains to be seen !

>> are public, private, and key pairs in general stronger/safer (whatever that may mean) if observing their public keys are many monitors high or have they gone to extreme measures in something in particular?
> Key length does have an effect on security: 2048-bit keys are larger and harder to brute-force than 1024-bit keys. The same applies to 3072 and 4096-bit keys compared to 2048-bit ones, though there is a point of diminishing returns.
Re: Revocation certificates [was: time delay unlock private key.]
On Thu, Jan 23, 2014 at 04:38:19PM -0800, Robert J. Hansen wrote:
>> Well... I don't know how you type
> With a nine-volt battery, a paperclip, and a USB cable that has only one end -- the other is bare wires. You wouldn't believe how difficult it is to do the initial handshake, but once you've got it down you can easily tap out oh, three or four words a minute. For speed, nothing else comes close.
> My father gets on my case for using the nine-volt battery. In his day, they had a potato and a couple of wire leads plunged into it. But really, technology marches on and we should all embrace battery technology.

Great laugh! (of course, I meant how fast)

>> passphrase would really have to try hard to guess what passphrase I am using. And even more to remember a seven-word sentence seen once.
> You are not the typical use case. No one person is a typical use case.

Well... You are right, of course. Yet this does not answer my second point: if the spouse is spying on you to get your passphrase and remember it, then love is already gone, and you are being subject to the usual hooker attack. Yet I do see your point for revocation certificates here, I think.

Oh, just found another one in favor of revocation certificates: they can be easily sent to keyservers from cybercafes without any special software installed.

Thanks and cheers,
Leo
Re: Revocation certificates
On Fri, Jan 24, 2014 at 07:47:15AM +0100, Werner Koch wrote:
> [...]
>> the usefulness of revocation certificate, just the advice always popping out to generate a revocation certificate in any case, without thinking of whether it would be useful.
> Okay, that is a different thing. I plan to change that with a notice saying which file has the edited revocation certificate.

OK, thanks! (for the remainder of the message as well, just have nothing to answer)

Guess I got my answer, with every message combined. Thanks all!

Leo
Re: Non email addresses in UID
On Fri, 24 Jan 2014 12:15:40 -0500 Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote:
> There are already systems that make use of the flexibility in this field. For example SSH hosts can publish their RSA host key in an OpenPGP certificate using the monkeysphere (i'm a contributor to the monkeysphere project):
> http://web.monkeysphere.info/

This looks pretty cool, and does cover some of the things I've been thinking about. I've been wondering about communications secured with OpenPGP, it strikes me that it's not really necessary to even involve SSL; and the nightmares that seem to involve. Does monkeysphere have any aims to do complete connection security via OpenPGP?

> Other people advocate including a human-readable name without an e-mail address as a User ID, so that you can refer to a person without making any claim about e-mail addresses (i don't find the utility of this use case particularly convincing myself, but it doesn't seem terrible).

The use case for this would match more closely what the GPG manpage and the PGP key signing party protocol dictate; i.e. that participants verify state issued photo ID to confirm the name of the key holder is their real name - none of my state issued ID has my email address on it. Plus it makes a bit more sense in the case of multiple UIDs, one for your name and possibly many for your email address.

> So the general question you're asking about is being done already. As for facebook or openid or webforums other identifiers, i don't think those have been particularly well-thought through yet. Under what circumstances would you use them?

My thinking is that identity as it is used on the Internet (or the world in general) doesn't really match the way OpenPGP is used. To take an obscure example: some people have noticed that Github has no verification that commits submitted in repositories are actually made by the users registered with those name and email addresses with them, nor can it. This makes it possible, and some trolls have, to impersonate Github users. Git allows for signing commits with keys, but there's not really any way to associate those keys with accounts. Sticking the URL of a Github account in a UID field and having other contributors to a project sign that UID makes it possible to cross verify commits with users. Note that at no stage in this process is Github required to implement or do anything and no-one's state confirmed identity is involved. Github could of course sign that URL UID if they wished to without saying anything about the user's passport.

So I'm led to the idea that associating keys with areas on the web where a person's work, writings, etc... are known is more important than some sort of confirmation of a person's name, which is not even a unique identifier. If, for example, you'd signed your commits to monkeysphere I'd be able to verify your claim that you are a contributor to it (not that I doubt, or have any reason to doubt that).

-- 
Steve Jones <st...@secretvolcanobase.org>
Key fingerprint: 3550 BFC8 D7BA 4286 0FBC 4272 2AC8 A680 7167 C896
Re: Non email addresses in UID
I think it makes a lot of sense to be able to associate more things with OpenPGP keys. I'm particularly interested in seeing OTR keys and XMPP identities in OpenPGP keys.

.hc

On 01/23/2014 05:50 PM, Steve Jones wrote:
> I've been thinking about UIDs in keys, rfc4880 section 5.1 says that by convention a UID is an rfc2822 email address but this is not a requirement[1]. Gnupg does enforce that restriction unless you explicitly disable it. It would seem to make sense to include other strings that can identify a user, many people have various URLs which could be said to relate to their identity, Facebook accounts, blogs etc... It could potentially be useful to be able to associate a key with these other identities, i.e. if you get an email purporting to be from someone you only know on a webforum it would be useful to be able to verify this.
> I'm curious what other people on this list think of this.
> [1] http://tools.ietf.org/html/rfc4880#section-5.11

-- 
PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81
Re: BoF at FOSDEM ?
On 24/01/14 13:03, Werner Koch wrote:
> On Thu, 23 Jan 2014 23:28, arne.renkema-pad...@cased.de said:
>> Sounds like a good plan. My preference would be the 1st of February around lunch.
> Well, the BoF rooms are assigned on a first come first served basis. Thus we can't sign up for a certain time. I am fine with Saturday, but better not before 13:00.

Ok.

> Any topics you want to discuss?

My personal pet-problem is the usability of tools like GPG.

> Salam-Shalom,
> Werner

-- 
Arne Renkema-Padmos
@hcisec, secuso.org
Doctoral researcher
CASED, TU Darmstadt
Re: BoF at FOSDEM ?
On Fri, 24 Jan 2014 21:14, arne.renkema-pad...@cased.de said:
> My personal pet-problem is the usability of tools like GPG.

Okay, thus we have

- Report on current keyserver work [Kristian]
- Make GPG invisible to the user [Arne]
- ECC and GnuPG progress [Werner]

Shalom-Salam,
Werner

-- 
Thoughts are free. Exceptions are regulated by federal law.
Re: Non email addresses in UID
On 01/24/2014 12:48 PM, Steve Jones wrote:
> On Fri, 24 Jan 2014 12:15:40 -0500 Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote:
>> http://web.monkeysphere.info/
> This looks pretty cool, and does cover some of the things I've been thinking about. I've been wondering about communications secured with OpenPGP, it strikes me that it's not really necessary to even involve SSL; and the nightmares that seem to involve. Does monkeysphere have any aims to do complete connection security via OpenPGP?

what do you mean "complete connection security via OpenPGP"? OpenPGP is not a stream-based communications protocol, it's a specification of a message format and a certificate format. Inventing a new stream-based communications protocol from scratch and shoehorning it into OpenPGP doesn't sound like a great idea to me.

Monkeysphere uses OpenPGP's certificate format to provide a way for people to verify the keys used in SSH and TLS (and elsewhere -- OTR would be a lovely addition, for example). It does not intend to supplant those communications techniques.

> So I'm led to the idea that associating keys with areas on the web where a person's work, writings, etc... are known is more important than some sort of confirmation of a person's name, which is not even a unique identifier. If, for example, you'd signed your commits to monkeysphere I'd be able to verify your claim that you are a contributor to it (not that I doubt, or have any reason to doubt that).

how are other people going to verify these proposed User IDs? If you make a data element a subkey or a notation in your self-signature, you are not asking other people to attempt to certify it. If you make the same data element a User ID or User Attribute, then you are effectively putting it out there for other people to attempt to verify and then certify. If you came to me and said "I am the person who blogs at https://www.example.com/stevejones", how am i supposed to verify that? when would you want me to certify it?

--dkg
Re: Non email addresses in UID
On Fri, 24 Jan 2014 17:16:28 -0500 Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote:
> what do you mean "complete connection security via OpenPGP"? OpenPGP is not a stream-based communications protocol, it's a specification of a message format and a certificate format. Inventing a new stream-based communications protocol from scratch and shoehorning it into OpenPGP doesn't sound like a great idea to me.

OpenPGP is a packetised data format. There's nothing stopping it being used to send a stream of encrypted and signed data packets. The main thing you lose is the complicated and messy handshake at the start which seems to be the cause of so many implementation bugs. You do lose the possibility of perfect forward secrecy though. It was more an idle musing than anything else though.

> how are other people going to verify these proposed User IDs? If you make a data element a subkey or a notation in your self-signature, you are not asking other people to attempt to certify it. If you make the same data element a User ID or User Attribute, then you are effectively putting it out there for other people to attempt to verify and then certify. If you came to me and said "I am the person who blogs at https://www.example.com/stevejones", how am i supposed to verify that? when would you want me to certify it?

Well the simplest way would be if I signed my blog posts. It's easy enough to verify that my emails and posts are signed with the same key. Cryptographically easy that is, the existing tools are not so good for this kind of method of operation.

Otherwise by usual web of trust means. If people who know me by other means are convinced that that blog is mine they can sign that UID, in the same manner as people could sign a photo attribute if they know what I look like.

Finally there's the possibility of explicit verification, if someone sends me a challenge and I publish that challenge's signature on my blog then that verifies that I am in control of that private key and can publish to that blog.

Which reminds me that I'd really like an email client that automatically signs keys at level 1 (persona) of anyone who replies with a signed email that quotes a significant portion of the text I sent, as this effectively counts as a challenge response protocol in my book.

-- 
Steve Jones <st...@secretvolcanobase.org>
Key fingerprint: 3550 BFC8 D7BA 4286 0FBC 4272 2AC8 A680 7167 C896
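The explicit-verification idea in the last two paragraphs above (answering dkg's "how am i supposed to verify that?") is a challenge-response protocol, and it is worth seeing both sides of it written down, including the two ways it fails. The following is an added example, not from either poster, Monkeysphere or GnuPG: the verifier issues a fresh challenge bound to the claimed URL and to the key whose User ID makes the claim, the claimant publishes a signature over that exact challenge at the URL (the page fetch is simulated with a dict), and the verifier accepts only a valid signature under the claimed key, once. A second path implements the "signed reply that quotes my text" variant from the final paragraph. The URL, the names and the page layout are hypothetical, and a toy textbook RSA with Miller-Rabin key generation stands in for the OpenPGP signature a real tool would produce; it is there only so the protocol runs offline and is not usable cryptography.

```python
"""Challenge-response check that the holder of a key really controls a URL claimed
in a User ID, plus the 'signed reply that quotes my text' variant. A toy textbook
RSA (unpadded, no side-channel care) stands in for the OpenPGP signature a real
implementation would use; nothing here is production cryptography."""
import hashlib
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test for the toy key generation below."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # full-width and odd
        if is_probable_prime(p):
            return p

def keygen(bits=512):
    """Return (public, private) toy RSA keys as dicts; 512 bits keeps the demo quick."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                               # e is prime, so gcd == 1
            return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}

def sign(priv, message):
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")   # 256 bits, always < n
    return pow(h, priv["d"], priv["n"])

def verify(pub, message, sig):
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(sig, pub["e"], pub["n"]) == h

class UidVerifier:
    """The party asked to certify a User ID of the form 'I am the person who publishes
    at <url>': issues a fresh challenge bound to that URL and the claimant's key, then
    accepts a signature over exactly that challenge, at most once."""

    def __init__(self):
        self.pending = {}                       # challenge -> (url, claimant's public key)

    def issue_challenge(self, url, claimant_pub):
        challenge = "uid-verify %s %s" % (url, secrets.token_hex(16))
        self.pending[challenge] = (url, claimant_pub)
        return challenge

    def check_published(self, challenge, fetch):
        """`fetch(url)` stands in for an HTTPS GET of the claimed page and returns a
        {challenge: signature} mapping or None."""
        if challenge not in self.pending:
            return False                        # unknown, expired or replayed challenge
        url, pub = self.pending.pop(challenge)
        sig = (fetch(url) or {}).get(challenge)
        return sig is not None and verify(pub, challenge.encode(), sig)

    def check_signed_reply(self, challenge, reply_text, sig, pub):
        """The mail-client idea from the thread: a signed reply that quotes the
        challenge text is a response, provided the signature covers the whole reply."""
        return challenge in reply_text and verify(pub, reply_text.encode(), sig)

def demo():
    """Genuine claimant, a replay of the same proof, and an impostor who controls the
    URL but not the key bound to the User ID. URL and names are hypothetical."""
    pub, priv = keygen()
    _, impostor_priv = keygen()
    url = "https://www.example.com/stevejones"
    v = UidVerifier()
    c1 = v.issue_challenge(url, pub)
    web = {url: {c1: sign(priv, c1.encode())}}  # constructed stand-in for the blog page
    genuine = v.check_published(c1, web.get)
    replay = v.check_published(c1, web.get)
    c2 = v.issue_challenge(url, pub)
    web[url] = {c2: sign(impostor_priv, c2.encode())}
    impostor = v.check_published(c2, web.get)
    c3 = v.issue_challenge(url, pub)
    reply = "> %s\nYes, that is my blog.\n" % c3
    quoted_reply = v.check_signed_reply(c3, reply, sign(priv, reply.encode()), pub)
    return {"genuine": genuine, "replay": replay, "impostor": impostor,
            "quoted_reply": quoted_reply}

if __name__ == "__main__":
    print(demo())
```

Two details carry the security of the exchange: the challenge contains a fresh random nonce and is consumed on first use, so an old proof copied from the page cannot be presented again, and the signature is checked against the key that made the User ID claim rather than against whatever key the page offers, which is exactly what defeats someone who controls the URL but not that key. What the check establishes is only what Steve states: control of the private key and the ability to publish at that URL, which is a reasonable basis for a persona-level certification and nothing stronger.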