Re: Moving away from SHA-1
On Tue, Feb 11, 2014 at 09:10:32AM +0100, Per Tunedal per.tune...@operamail.com wrote a message of 17 lines which said:

> When SHA-1 falls, GnuPG will otherwise be completely broken as internal key signatures, as well as signatures of public keys from others and the fingerprint rely on SHA-1 hashes.

Aren't these three different cases?

For the fingerprint, it is in RFC 4880 (section 12.2) and GnuPG cannot change it unilaterally or it would stop being OpenPGP-compliant.

For the signatures of public keys from others, you can already put:

cert-digest-algo SHA256

in your gpg.conf. I don't know why it's not the default but there is certainly a good reason in the archives mentioned by Peter Lebbing. In the meantime, you can always migrate yourself.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
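The fingerprint rule the message refers to, as an added example (not part of the original message and not GnuPG's code): RFC 4880 section 12.2 defines the V4 fingerprint as SHA-1 over the public-key packet and the key ID as its low-order 64 bits, so no gpg.conf setting enters the computation. The key material and function names are constructed for illustration; the printed fingerprint and key IDs checked at the end are the ones that appear elsewhere in this thread.

```python
import hashlib
import struct

# Constructed inputs: not a real RSA modulus, only the packet layout matters here.
CREATED = 1392163200            # 2014-02-12 00:00:00 UTC
N = (1 << 1023) | 0x2F5         # constructed 1024-bit odd number
E = 65537


def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 public-key packet: version, creation time, algorithm 1 (RSA), n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> bytes:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the 2-byte body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def key_ids(fingerprint: bytes) -> tuple:
    """Long key ID = low-order 64 bits of the fingerprint; short key ID = low-order 32 bits."""
    return fingerprint[-8:].hex().upper(), fingerprint[-4:].hex().upper()


def key_id_matches(fingerprint_text: str, key_id_text: str) -> bool:
    """Check that a printed key ID is the tail of a printed fingerprint (or long key ID)."""
    def norm(text: str) -> str:
        text = text.replace(" ", "").upper()
        return text[2:] if text.startswith("0X") else text

    fpr, kid = norm(fingerprint_text), norm(key_id_text)
    return len(kid) in (8, 16) and fpr.endswith(kid)


if __name__ == "__main__":
    fpr = v4_fingerprint(rsa_public_key_body(CREATED, N, E))
    print("fingerprint:", fpr.hex().upper())
    print("key IDs    :", key_ids(fpr))
    # Same key material, creation time one second later: a different fingerprint.
    print("changed    :", v4_fingerprint(rsa_public_key_body(CREATED + 1, N, E)) != fpr)
    # Values as printed in this thread.
    print(key_id_matches("94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3", "0xE3EDFAE3"))
    print(key_id_matches("0x9A5CC3A485EB9F44", "0x85EB9F44"))
```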
Trying to understand the bond between master and subordinate key pairs
I’ve read the GNU Privacy Handbook, the FAQ and thought I understood the purpose of all four keys initially generated with --gen-keys. But then I found this https://wiki.debian.org/subkeys and lost it.

tl;dr: There is a suggested backup of ~/.gnupg, creation of a new pair of subkeys for signing, then all public keys and secret subkeys are exported, master key (for signing) is removed (but still available in backup) and finally public keys along with secret keys are imported back.

This is suggested — as far as I understand — in order to keep the original master key for signing in a secret place, because master signing key = my genuine identity. But.

Which public keys should be uploaded to the keyserver? Other people may verify your signature and encrypt files for you only if they have corresponding public keys (of yours). But what about gathering signatures of other people on your own public key? Should I upload public key of my master signing key along with the public key of the subordinate keypair I am planning to use daily? If not, what is the purpose of the public part of the master keypair? If I will not upload it, how will other people verify signatures I made on their keys or my own keys?

Does it all mean I need at least three public keys to be known to other people — two for daily signing and encrypting and one to verify master key signatures? Do they even need to verify what I sign with my master key (I mean my keys and their keys)?

I don’t get the bond between master keys and subordinate keys. Does it even exist? To me they look like totally different keys. Okay, when I usually sign files with key when I send them to Alice, and eventually I want to sign her key (…which of her keys, actually? The one she uses daily or the one she keeps like me? If she keeps it, how did it get to me? Which public keys are supposed to collect signatures of other people — of the master one or newly created subordinate one?), I need to use my master key. How does she know that is also my key if they have different IDs?

(Let’s assume public key of the master pair is irrelevant, and signing pubkey exchange is done via subordinate pair which never expires.)

Sorry for my English.
Re: Trying to understand the bond between master and subordinate key pairs
On Wed, Feb 12, 2014 at 4:02 AM, Faru Guredo farugur...@gmail.com wrote:

> I’ve read the GNU Privacy Handbook, the FAQ and thought I understood the purpose of all four keys initially generated with --gen-keys. But then I found this https://wiki.debian.org/subkeys and lost it.
>
> tl;dr: There is a suggested backup of ~/.gnupg, creation of a new pair of subkeys for signing, then all public keys and secret subkeys are exported, master key (for signing) is removed (but still available in backup) and finally public keys along with secret keys are imported back.
>
> This is suggested — as far as I understand — in order to keep the original master key for signing in a secret place, because master signing key = my genuine identity. But.

Right, this is a reasonable thing to do. It's not mandatory, of course, but it has various advantages.

> Which public keys should be uploaded to the keyserver? Other people may verify your signature and encrypt files for you only if they have corresponding public keys (of yours). But what about gathering signatures of other people on your own public key? Should I upload public key of my master signing key along with the public key of the subordinate keypair I am planning to use daily? If not, what is the purpose of the public part of the master keypair? If I will not upload it, how will other people verify signatures I made on their keys or my own keys?
>
> Does it all mean I need at least three public keys to be known to other people — two for daily signing and encrypting and one to verify master key signatures? Do they even need to verify what I sign with my master key (I mean my keys and their keys)?

You should upload the public key of your primary (master) key to the key servers. If you do this in GnuPG, it will automatically upload the public keys for your primary key and all the subkeys. If you use the --export command to export your public key, it will export the public key of your primary key and subkeys in one file.

Similarly, when people search for your public key on the key servers they should search for the KeyID of your primary key. When they download it, they will also get the public keys for the subkeys.

> I don’t get the bond between master keys and subordinate keys. Does it even exist? To me they look like totally different keys. Okay, when I usually sign files with key when I send them to Alice, and eventually I want to sign her key (…which of her keys, actually? The one she uses daily or the one she keeps like me? If she keeps it, how did it get to me? Which public keys are supposed to collect signatures of other people — of the master one or newly created subordinate one?), I need to use my master key. How does she know that is also my key if they have different IDs?
>
> (Let’s assume public key of the master pair is irrelevant, and signing pubkey exchange is done via subordinate pair which never expires.)

Subkeys are bound to their respective primary key by signatures made by the primary key. When you sign someone else's key, you sign the public key of that person's primary key. Similarly, when they sign your key, they sign your primary key. Since the subkeys are bound to their respective primary keys, the trust in the primary key is automatically applied to any subkeys without any additional signatures being required.

For example, see my key 0x85EB9F44 (which can be found on the keyservers at http://pool.sks-keyservers.net:11371/pks/lookup?op=vindex&fingerprint=on&search=0x9A5CC3A485EB9F44) -- my primary key (pub) has collected signatures from several people on my user ID (uid). I also have signing and encryption subkeys (sub) that are bound (sig sbind) to the primary key and which I use for day-to-day signing and encrypting of files and messages. I only use my primary key for signing other people's public keys (subkeys cannot make certifications on other people's public keys) or when generating new subkeys. Otherwise, the subkeys are used for all the usual purposes.

In general, people do not need to know the KeyIDs of the subkeys -- that is handled automatically by GnuPG. Similarly, you generally do not need to concern yourself with the KeyIDs of your subkeys, nor do you need to tell GnuPG to specifically use them (GnuPG will sign messages with the newest signing subkey by default).

In short: your subkeys are linked to your primary key and GnuPG will handle subkeys automatically and transparently without your needing to worry about their KeyIDs.

Cheers!
-Pete
Re: Trying to understand the bond between master and subordinate key pairs
On Wed 12.02.2014, 07:02:51, Faru Guredo wrote:

> This is suggested — as far as I understand — in order to keep the original master key for signing in a secret place, because master signing key = my genuine identity. But.

Signing (data) is not the relevant aspect of a mainkey. Certification (i.e. signing key components) is. You can create mainkeys which are not capable (i.e. not allowed) of signing data at all.

> Which public keys should be uploaded to the keyserver?

All public keys must be available to the public. (You cannot even prevent that from happening.) The public mainkey is necessary for the verification that the subkeys belong to this mainkey. Furthermore it is needed for the fingerprint check.

> But what about gathering signatures of other people on your own public key? Should I upload public key of my master signing key along with the public key of the subordinate keypair I am planning to use daily?

These two components are not related at all. These should be two distinct questions.

> I don’t get the bond between master keys and subordinate keys. Does it even exist?

The mainkey binds the subkeys by signing them. Signature subkeys have to sign the mainkey, too, in order to become valid.

OpenPGP considers signatures by a subkey as equivalent to those by a mainkey. But if everyone understands what this means (and how it can be checked) then you can use the protected mainkey for more secure signatures (if you do not have a more secure other key). You can use it for more secure encryption, too (again: If everyone involved understands how to do that).

> To me they look like totally different keys.

They are, technically. They could even be exchanged. But the OpenPGP key format marks one as the mainkey and the other ones as subkeys.

> Okay, when I usually sign files with key when I send them to Alice, and eventually I want to sign her key (…which of her keys, actually? The one she uses daily or the one she keeps like me? If she keeps it, how did it get to me? Which public keys are supposed to collect signatures of other people — of the master one or newly created subordinate one?), I need to use my master key. How does she know that is also my key if they have different IDs?

That's not the way keys are used. You tell the application to use the key 0x. That always refers to a mainkey. The OpenPGP subsystem (GnuPG) then selects the appropriate key: either the mainkey or a subkey. Your contacts only verify 0x. Possible subkeys are verified automatically (you cannot prevent that). Signatures are shown to be made by the mainkey. More precisely: GnuPG does show you the subkey which made the signature but I don't believe any GUI does (in a way useful to beginners).

You can even force GnuPG to use a certain subkey (if technically possible) or the mainkey and thus override the automatic selection. But I have never seen a higher-level application offering that.

> (Let’s assume public key of the master pair is irrelevant,

That is not a useful assumption.

Hauke
--
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
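How the pieces described in the two replies above fit together, as an added example (not code from GnuPG or from anyone in the thread): it parses a constructed `gpg --list-keys --with-colons` listing, groups subkeys under their primary key, and models in simplified form the behaviour Pete describes (newest usable subkey for signing, primary key for certification). Key IDs, dates, the user ID and the helper names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed listing in gpg's colon format: field 5 = key ID, 6 = created,
# 7 = expires, 10 = user ID, 12 = capabilities (lowercase = this key itself).
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAA0001:1262304000:::u:::cESC:
uid:u::::1262304000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>:
sub:e:2048:1:BBBBBBBBBBBB0002:1262304000:1325376000:::::e:
sub:e:2048:1:CCCCCCCCCCCC0003:1262304000:1325376000:::::s:
sub:u:2048:1:DDDDDDDDDDDD0004:1356998400::::::s:
sub:u:2048:1:EEEEEEEEEEEE0005:1356998400::::::e:
"""
NOW = 1392163200  # 2014-02-12 00:00:00 UTC, the date of the thread


@dataclass
class Key:
    keyid: str
    created: int
    expires: Optional[int]
    caps: str
    uids: list = field(default_factory=list)
    subkeys: list = field(default_factory=list)


def parse_colons(text: str) -> list:
    """Return primary keys, each carrying its user IDs and bound subkeys."""
    primaries = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            key = Key(f[4], int(f[5]), int(f[6]) if f[6] else None, f[11])
            if f[0] == "pub":
                primaries.append(key)
            else:
                primaries[-1].subkeys.append(key)  # subkeys follow their primary
        elif f[0] == "uid":
            primaries[-1].uids.append(f[9])
    return primaries


def usable(key: Key, cap: str, now: int) -> bool:
    """Key itself has the capability (lowercase flag) and is within its lifetime."""
    return cap in key.caps and key.created <= now and (key.expires is None or key.expires > now)


def pick(primary: Key, cap: str, now: int) -> Optional[str]:
    """Simplified selection: newest usable subkey, otherwise the primary key."""
    candidates = [k for k in primary.subkeys if usable(k, cap, now)]
    if candidates:
        return max(candidates, key=lambda k: k.created).keyid
    return primary.keyid if usable(primary, cap, now) else None


def certifiers(primary: Key) -> list:
    """Key IDs that carry the certify capability themselves."""
    return [k.keyid for k in [primary] + primary.subkeys if "c" in k.caps]


if __name__ == "__main__":
    alice = parse_colons(SAMPLE)[0]
    print("look up / certify :", alice.keyid, alice.uids)
    print("signs data with   :", pick(alice, "s", NOW))
    print("encrypt to        :", pick(alice, "e", NOW))
    print("can certify       :", certifiers(alice))
```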
Trying to understand the bond between master and subordinal key pairs
On Wed, 2014-02-12 at 11:38 +0100, gnupg-users-requ...@gnupg.org wrote:

> On Wed 12.02.2014, 07:02:51, Faru Guredo wrote:
>
> > This is suggested — as far as I understand — in order to keep the original master key for signing in a secret place, because master signing key = my genuine identity. But.
>
> Signing (data) is not the relevant aspect of a mainkey. Certification (i.e. signing key components) is. You can create mainkeys which are not capable (i.e. not allowed) of signing data at all.
>
> > Which public keys should be uploaded to the keyserver?
>
> All public keys must be available to the public. (You cannot even prevent that from happening.) The public mainkey is necessary for the verification that the subkeys belong to this mainkey. Furthermore it is needed for the fingerprint check.
>
> > But what about gathering signatures of other people on your own public key? Should I upload public key of my master signing key along with the public key of the subordinate keypair I am planning to use daily?
>
> These two components are not related at all. These should be two distinct questions.
>
> > I don’t get the bond between master keys and subordinate keys. Does it even exist?
>
> The mainkey binds the subkeys by signing them. Signature subkeys have to sign the mainkey, too, in order to become valid.
>
> OpenPGP considers signatures by a subkey as equivalent to those by a mainkey. But if everyone understands what this means (and how it can be checked) then you can use the protected mainkey for more secure signatures (if you do not have a more secure other key). You can use it for more secure encryption, too (again: If everyone involved understands how to do that).
>
> > To me they look like totally different keys.
>
> They are, technically. They could even be exchanged. But the OpenPGP key format marks one as the mainkey and the other ones as subkeys.
>
> > Okay, when I usually sign files with key when I send them to Alice, and eventually I want to sign her key (…which of her keys, actually? The one she uses daily or the one she keeps like me? If she keeps it, how did it get to me? Which public keys are supposed to collect signatures of other people — of the master one or newly created subordinate one?), I need to use my master key. How does she know that is also my key if they have different IDs?
>
> That's not the way keys are used. You tell the application to use the key 0x. That always refers to a mainkey. The OpenPGP subsystem (GnuPG) then selects the appropriate key: either the mainkey or a subkey. Your contacts only verify 0x. Possible subkeys are verified automatically (you cannot prevent that). Signatures are shown to be made by the mainkey. More precisely: GnuPG does show you the subkey which made the signature but I don't believe any GUI does (in a way useful to beginners).
>
> You can even force GnuPG to use a certain subkey (if technically possible) or the mainkey and thus override the automatic selection. But I have never seen a higher-level application offering that.
>
> > (Let’s assume public key of the master pair is irrelevant,
>
> That is not a useful assumption.

I kept wondering about this too. Thanks a lot for the explanation of how it works.

I am still puzzled, however. Can anyone explain the logical reason as to why we need this jungle in OpenPGP, which thankworthily is usually more or less hidden from the user anyways? A good reason would help the complicated workings to stick with my memory :-)

Why would we need more than one key and this hierarchy on top of it? (Proper padding according to the standard to my knowledge removes even the dangers of using the same RSA key for signatures as well as for ciphers.)

Is the necessity (given that it is there) for the subkey hierarchy endemic to RSA or would such a structure also be needed for ECC or other cryptosystems?

Cheers,
Michael Anders
Organizing a GPG key signing party in London
Hi,

I'm organizing a PGP key signing party in London on March the 25th at 6:30 PM BST in the Mozilla space of the Mozilla office in London. I've been trying to reach out to Londoners and UK users of PGP using Twitter ( https://twitter.com/lhirlimann/status/432867811002564608 ), I've tried to contact the Linux Users group, but didn't get much out of it. So I'm going to try to get some attention here.

The space is limited in the London office so you'll need to register using Eventbrite at https://www.eventbrite.fr/e/gpg-key-signing-party-london-uk-tickets-10551117677 .

Ludo
--
[:Usul] SRE Team at Mozilla
QA Lead for Thunderbird
http://sietch-tabr.tumblr.com/
Re: Trying to understand the bond between master and subordinal key pairs
On 02/12/2014 06:40 AM, Michael Anders wrote:

> I am still puzzled, however. Can anyone explain the logical reason as to why we need this jungle in OpenPGP, which thankworthily is usually more or less hidden from the user anyways? A good reason would help the complicated workings to stick with my memory :-)
>
> Why would we need more than one key and this hierarchy on top of it? (Proper padding according to the standard to my knowledge removes even the dangers of using the same RSA key for signatures as well as for ciphers.)

it's a bad idea to use the same key for multiple mechanisms. keeping the uses distinct is the most reliable way to avoid cross-protocol attacks.

For a given key, it's very difficult to effectively mandate that everything uses proper padding or that different uses will use distinct padding from every other use.

Being able to associate keys with your primary identity that might be used in other contexts (c.f. recent discussions about bitcoin and otr) is a useful feature.

> Is the necessity (given that it is there) for the subkey hierarchy endemic to RSA or would such a structure also be needed for ECC or other cryptosystems?

here are four reasons at least that are not specific to any particular public key cryptosystem. there are probably more:

 * offline primary keys
 * subkeys that are incapable of being abused to make fraudulent OpenPGP identity certifications
 * subkey-specific export: you can make a key, let an agent use it on your behalf in one context without allowing that agent access to any of your other keys.
 * frequent expiry/rollover of encryption or signing subkeys while the primary key (and thus the user's identity) stays constant. this can deal with a heavily-used signing public key, for example, to mitigate attacks that scale with volume of visible signatures. for encryption keys, this can also potentially be used as a (weak) form of forward secrecy, assuming the user actually destroys the secret key when it expires.

Regards,

--dkg
Re: Moving away from SHA-1
Hi Kristian,

Thanks for the link. I've studied some interesting threads. Anyhow, I'm surprised that apparently there isn't any decision on how to move to the next OpenPGP standard, or what it would look like. Or has something been decided?

I just want to be updated as I haven't followed the discussion for some years. It might be of interest for others as well.

Yours,
Per Tunedal

On Wed, Feb 12, 2014, at 9:39, Kristian Fiskerstrand wrote:

> Hi Per,
>
> On 02/12/2014 09:31 AM, Per Tunedal wrote:
>
> > Hi Peter,
> >
> > Yes, I've searched the archives. Conclusion: There's not any immediate danger to GnuPG. But, all the same: I cannot find any information on what the plans are for the future. Sooner or later a transition to some other hash has to take place, hasn't it?
>
> The appropriate place for such a change would be new defaults in the standards, i.e. that this likely would be part of a future V5 OpenPGP key format. The appropriate ML for that would be [0]
>
> References:
> [0] http://www.ietf.org/mail-archive/web/openpgp/current/maillist.html
>
> --
> Kristian Fiskerstrand
> Blog: http://blog.sumptuouscapital.com
> Twitter: @krifisk
> Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
> fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
> Aut disce aut discede
> Either learn or leave
Re: Organizing a GPG key signing party in London
Hi

On Wednesday 12 February 2014 at 11:40:23 AM, in mid:52fb5da7.7010...@mozilla.com, Ludovic Hirlimann wrote:

> Hi,
>
> I'm organizing a PGP key signing party in London on March the 25th at 6:30 PM BST in the Mozilla space of the Mozilla office in London. I've been trying to reach out to Londoners and UK users of PGP using Twitter ( https://twitter.com/lhirlimann/status/432867811002564608 ), I've tried to contact the Linux Users group, but didn't get much out of it. So I'm going to try to get some attention here.
>
> The space is limited in the London office so you'll need to register using Eventbrite at https://www.eventbrite.fr/e/gpg-key-signing-party-london-uk-tickets-10551117677 .

It may also be worthwhile listing it on Biglumber.com.

--
Best regards

MFPA mailto:2014-667rhzu3dc-lists-gro...@riseup.net

If it aint broke, fix it till it is broke!