Re: pgp key servers cors support

2014-04-20 Thread Kristian Fiskerstrand

On 04/19/2014 11:40 PM, t...@piratemail.se wrote:
> 
> 
> Greetings,
> 
> I believe I asked a pgp key server http interface question on this 
> list a while ago, and received a useful response.
> 
> I also wrote to bug-pks@mit.edu with the request below. With no 
> response.

For questions regarding keyservers, sks-devel[0] is probably your best
bet..

> 
> 
> 
> Is there any way that the http pgp key servers could be changed to 
> provide cors headers allowing access from any site? This could
> also be done through some proxy server (njinx?) which accepts,
> forwards and then concatenates cors headers to the response.

This is already included in the SKS trunk as of commit [1] for an
upcoming 1.1.5 release. Once that is released
subset.pool.sks-keyservers.net[2] will be bumped to this as a min
requirement and can be used for your purposes.


> 
> I realize this is not the pgp keyserver mailing list. But I figure 
> the developers of that server also reside in this list -- and I'm
> not sure exactly which list is the right list to post to.
> 

References
[0] http://lists.nongnu.org/archive/html/sks-devel/
[1] https://bitbucket.org/skskeyserver/sks-keyserver/commits/f6e4e88a049a3497cc17b0ad15530782d78bc59f?at=default
[2] https://sks-keyservers.net/overview-of-pools.php#pool_subset

-- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

"I have always wished that my computer would be as easy to use as my
telephone.
My wish has come true -- I no longer know how to use my telephone"
(Bjarne Stroustrup, April 1999)

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: gpg Feature request: merge gpg.exe and gpgsm.exe into one tool

2014-04-20 Thread Peter Lebbing
On 19/04/14 23:31, Thomas Schittli wrote:
> It does not make sense to manage another kind of certs just because
> applications that support/use GnuPG did not add gpgsm support.

> [...]

> I made a test with Git: I just renamed gpgsm.exe to gpg.exe. It worked
> perfectly!

I see the real problem in a different area.

gpg.exe with OpenPGP keys generates OpenPGP messages. gpgsm.exe with X.509
certificates generates CMS messages. Applications calling gpg.exe expect an
OpenPGP message. If you replace this OpenPGP message by a CMS message, perhaps
the application will still work. Or it will break in certain places or break
after the author of the application changes it in a way that needs OpenPGP
messages, because the author is under the /correct/ impression that gpg.exe
gives him an OpenPGP message, or parses an OpenPGP message passed to it.

Most applications should be using GPGME anyway instead of calling gpg.exe
directly, and X.509 support for GPGME is something that is being worked on, so
an application that doesn't mind whether it handles OpenPGP messages or CMS
messages can just use the appropriate functions of GPGME.

> Therefore I'm pretty sure it was a conceptual error to support X.509 in
> another tool. If X.509 were added into gpg, then every application would
> immediately have support for both worlds :-)

Unfortunately, no. A lot of applications would break. Suppose you are expecting
a certain subsystem to generate German messages, and you put those messages on
your website. If the subsystem would suddenly switch to Chinese, do you think
your clients from Switzerland would be happy that they now had support for both
languages, or do you think they would contact support and ask what the #@%& that
stuff on your site is supposed to mean? ;)

It's up to the applications. If they call gpg.exe directly, they are
expecting OpenPGP functionality. You can just break that assumption and hope the
application still works, but it seems to me you're breaking the expectations the
programmer had when he wrote the code calling gpg.exe directly.

On the other hand, if the application uses GPGME, then CMS support (and thus the
X.509 trust model) seems to be already in the works, and when applications
choose they also want to support that, it might be as easy to support both
OpenPGP and CMS as it is to support just one. I don't know if CMS support in
GPGME is already usable, but it seems much more viable to do a feature
request[1] in that area than to request that the two binaries gpg.exe and
gpgsm.exe, which handle completely different messages, be merged into one. I
don't think that is going to happen, because it would break a lot of 
applications.

HTH,

Peter.

[1] Possibly involving funding

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 
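
The format difference discussed in the message above can be checked by a caller before it parses what the tool returned. This is an added example, not part of the message or of GnuPG; the function names and the sample byte strings are constructed for illustration.

```python
import base64
import re

# DER bytes of the OID prefix 1.2.840.113549.1.7 shared by the PKCS#7/CMS content types.
CMS_OID_PREFIX = bytes.fromhex("06092a864886f70d0107")
# OpenPGP packet tags that can open a message, signature or key block (RFC 4880).
OPENPGP_FIRST_TAGS = {1, 2, 3, 4, 5, 6, 8, 9, 11, 18}
ARMOR_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def classify_binary(data: bytes) -> str:
    """Return 'openpgp', 'cms' or 'unknown' for unarmored data."""
    if not data:
        return "unknown"
    first = data[0]
    # CMS ContentInfo: a DER/BER SEQUENCE (0x30) that starts with a content-type OID.
    if first == 0x30 and CMS_OID_PREFIX in data[:16]:
        return "cms"
    # Every OpenPGP packet header has bit 7 set; bit 6 selects the new header format.
    if first & 0x80:
        tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
        if tag in OPENPGP_FIRST_TAGS:
            return "openpgp"
    return "unknown"


def classify(data: bytes) -> str:
    """Classify tool output, armored or binary, before handing it to a parser."""
    m = ARMOR_RE.search(data)
    if m is None:
        return classify_binary(data)
    label, body = m.group(1), m.group(2)
    if label.startswith(b"PGP "):
        return "openpgp"
    # Other PEM block: skip "Name: value" header lines, decode, inspect the DER.
    b64 = b"".join(l.strip() for l in body.splitlines() if b":" not in l)
    try:
        return classify_binary(base64.b64decode(b64))
    except ValueError:
        return "unknown"


# Constructed samples, not real messages.
SAMPLE_OPENPGP = bytes([0xCB, 0x08, 0x62, 0x00, 0, 0, 0, 0]) + b"hi"  # literal data packet
SAMPLE_CMS = bytes.fromhex("308006092a864886f70d010702a0800000")    # signedData header
SAMPLE_CMS_PEM = (b"-----BEGIN PKCS7-----\n" + base64.b64encode(SAMPLE_CMS)
                  + b"\n-----END PKCS7-----\n")

if __name__ == "__main__":
    for name in ("SAMPLE_OPENPGP", "SAMPLE_CMS", "SAMPLE_CMS_PEM"):
        print(name, "->", classify(globals()[name]))
```

An application that shells out to gpg.exe can reject anything that does not classify as "openpgp" instead of failing later in its own parser.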



Re: gnupg smartcard on boot for LUKS on sid debian howto ?

2014-04-20 Thread tux . tsndcb
Hello Peter,

I've read the README.gnupg file in cryptsetup, and it indicates 3 steps to do:

1) First, you'll have to create the encrypted keyfile by:

# dd if=/dev/random bs=1 count=256 | gpg --no-options --no-random-seed-file \
--no-default-keyring --keyring /dev/null --secret-keyring /dev/null \
--trustdb-name /dev/null --symmetric --output /etc/keys/cryptkey.gpg

2) Format the partition with this cryptkey.gpg key file

# /lib/cryptsetup/scripts/decrypt_gnupg /etc/keys/cryptkey.gpg | \
cryptsetup --key-file=- luksFormat /dev/

3) Modify the /etc/crypttab file:

cdev1   /dev/  /etc/keys/cryptkey.gpg  luks,keyscript=decrypt_gnupg



But in fact I have a problem in step 1, because if I use the command line:

# dd if=/dev/random bs=1 count=256 | gpg --no-options --no-random-seed-file \
--no-default-keyring --keyring /dev/null --secret-keyring /dev/null \
--trustdb-name /dev/null --symmetric --output /etc/keys/cryptkey.gpg

It is not my gnupg key that is used to encrypt this cryptkey.gpg file, so it 
will not be my gnupg key on my smartcard that is used to decrypt it.

How can I modify this command line to use my gnupg key to generate this 
cryptkey.gpg?

Thanks in advance for your reply.

Best Regards.
