Re: hash email addresses / directory privacy enhancement
On 29/04/14 01:17, MFPA wrote:

> I have a key on the servers for just over four years now with a valid address that has been used for no other purpose and has not received a single email. OK, not a statistically valid experiment but I'm sure plenty of others have done similar.

I have a key on the keyservers for the singular purpose of seeing how much spam that address gets. I only get 419 scams, for some reason. These are more manual processes than usual spamming, so maybe they are also the only ones to do the extra work of scanning the keyservers? Pure conjecture.

But it hardly ever happens. 22 attempted scams in 3 years, and they arrive in batches. 7 batches to be precise; 7 distinct moments in time that scams arrived on that address.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://digitalbrains.com/2012/openpgp-key-peter

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: hash email addresses / directory privacy enhancement
On Tue 29.04.2014, 10:51:35, Peter Lebbing wrote:

> But it hardly ever happens. 22 attempted scams in 3 years, and they arrive in batches. 7 batches to be precise; 7 distinct moments in time that scams arrived on that address.

That is interesting but if it is supposed to be an answer then I guess from the perspective of the average user it answers the wrong question.

The answered question is: Does uploading my certificate to a public key server cause a spam problem for me TODAY?

This answer is no. But the reason is not that keyservers are kind of spam-safe but that this address source is not interesting enough for spammers (maybe they – non-crypto users – are not even aware of it) due to its limited size and the kind of users you may expect behind these addresses.

But: Those of us who do not like to regularly throw their email addresses away will usually be more interested in the answer to a slightly different question: Will uploading my certificate to a public key server cause a spam problem for me someday (not in the far future)?

Nobody knows. Especially as you don't get the addresses off of the keyservers.

We wish for the success of crypto (in usage share). But if it ever comes (I am working hard on it...) then it will have unpleasant side effects.

Hauke

-- 
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
Re: hash email addresses / directory privacy enhancement
On 29/04/14 11:13, Hauke Laging wrote:

> if it is supposed to be an answer then I guess from the perspective of the average user it answers the wrong question.

It wasn't. It was an elaboration on one particular aspect of the answer MFPA gave.

> Will uploading my certificate to a public key server cause a spam problem for me someday (not in the far future)?
>
> Nobody knows. Especially as you don't get the addresses off of the keyservers.

The problem with keeping an e-mail address secret is you need to keep it secret all of the time, while it only needs to leak to spammers once. Those are overwhelming odds. If just one of your correspondents is infected by a virus that harvests their address book or their mail folders, you've lost the battle.

Thát is an answer. Not a new one, though. It's been said multiple times and can be found in the mailing list archives. The latest version of the sample-size-of-one statistics of my experiment, on the other hand, were a new addition.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://digitalbrains.com/2012/openpgp-key-peter
Validation of User ID with invalid (non UTF-8) encoding
Hi,

Some keys stored on the public key servers have User IDs which seem to be encoded with a different encoding than UTF-8. For example the key with key ID 0xA8364AC589C44886 shows an invalid character when viewed online:

http://pgp.mit.edu/pks/lookup?search=0xA8364AC589C44886

gpg is able to validate the User ID:

$ gpg --check-sigs 0xA8364AC589C44886
pub   1024D/89C44886 1999-09-30
uid                  Lasse M\xberkedahl Larsen <l...@gr3.dk>
sig!         89C44886 1999-09-30  Lasse M\xberkedahl Larsen <l...@gr3.dk>
sub   2048g/0CA36EF9 1999-09-30
sig!         89C44886 1999-09-30  Lasse M\xberkedahl Larsen <l...@gr3.dk>

My own Java based tool however fails to validate this User ID, i.e., the calculated hash always returns a different value. Also PGP Desktop reports that the signature is incorrect.

Any idea why this User ID validates correctly with gpg but not with other tools? Does gpg handle non-UTF-8 encoded User IDs differently?

Kind regards,

Martijn Brinkers
Re: Validation of User ID with invalid (non UTF-8) encoding
On Tue, 29 Apr 2014 11:11, martijn.l...@gmail.com said:

> Some keys stored on the public key servers have User IDs which seem to be encoded with a different encoding than UTF-8.

Right. Old PGP versions didn't care about the requirement for utf-8 and used whatever the terminal was configured to (i.e. Latin-1). But that should only be a display problem. See below for the code GPA uses to detect and fix the display problem.

> $ gpg --check-sigs 0xA8364AC589C44886
> pub   1024D/89C44886 1999-09-30
> uid                  Lasse M\xberkedahl Larsen <l...@gr3.dk>
> sig!         89C44886 1999-09-30  Lasse M\xberkedahl Larsen <l...@gr3.dk>
> sub   2048g/0CA36EF9 1999-09-30
> sig!         89C44886 1999-09-30  Lasse M\xberkedahl Larsen <l...@gr3.dk>
>
> My own Java based tool however fails to validate this User ID, i.e., the calculated hash always returns a different value. Also PGP desktop

Note that the above output is for humans and has been sanitized to inhibit attacks using ANSI control sequences. To check the signature you need to use the bare OpenPGP packets and not some gpg output. I am not aware of any PGP problems with user ids - the verification uses the data verbatim and is transparent to the encoding.

Shalom-Salam,

   Werner

#include <string.h>
#include <glib.h>

/* Return the user ID, making sure it is properly UTF-8 encoded.
   Allocates a new string, which must be freed with g_free (). */
static gchar *
string_to_utf8 (const gchar *string)
{
  const char *s;

  if (!string)
    return NULL;

  /* Due to a bug in old and not so old PGP versions user IDs have
     been copied verbatim into the key.  Thus many users with Umlauts
     et al. in their name will see their names garbled.  Although this
     is not an issue for me (;-)), I have a couple of friends with
     Umlauts in their name, so let's try to make their life easier by
     detecting invalid encodings and convert that to Latin-1.  We use
     this even for X.509 because it may make things even better given
     all the invalid encodings often found in X.509 certificates.  */

  /* Skip to the first byte with the high bit set (first non-ASCII byte). */
  for (s = string; *s && !(*s & 0x80); s++)
    ;
  if (*s && ((s[1] & 0xc0) == 0x80) && ( ((*s & 0xe0) == 0xc0)
                                        || ((*s & 0xf0) == 0xe0)
                                        || ((*s & 0xf8) == 0xf0)
                                        || ((*s & 0xfc) == 0xf8)
                                        || ((*s & 0xfe) == 0xfc)) )
    {
      /* Possible utf-8 character followed by continuation byte.
         Although this might still be Latin-1 we better assume that it
         is valid utf-8. */
      return g_strdup (string);
    }
  else if (*s && !strchr (string, 0xc3))
    {
      /* No 0xC3 character in the string; assume that it is Latin-1. */
      return g_convert (string, -1, "UTF-8", "ISO-8859-1", NULL, NULL, NULL);
    }
  else
    {
      /* Everything else is assumed to be UTF-8.  We do this even that
         we know the encoding is not valid.  However as we only test
         the first non-ascii character, valid encodings might
         follow.  */
      return g_strdup (string);
    }
}

-- 
Thoughts are free. Exceptions are regulated by a federal law.
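As an added Python illustration (not code from the thread, from GnuPG or from GPA) of why Werner says verification must use the packet bytes verbatim: a certification signature hashes the User ID exactly as stored, so a tool that decodes the packet into a string and re-encodes it as UTF-8 hashes different bytes and a different length. The sample User ID with a Latin-1 byte is constructed, and SHA-1 stands in for whatever hash the signature actually uses; the key packet and signature trailer, which are identical either way, are left out.

```python
import hashlib
import struct

# Constructed sample User ID as an old PGP version would have stored it:
# Latin-1 bytes copied verbatim into the packet, 0xF6 being "ö" in ISO-8859-1.
RAW_UID = b"J\xf6rg Example <joerg@example.org>"


def uid_hash_prefix(uid: bytes) -> bytes:
    """Bytes a certification signature hashes for a User ID packet
    (RFC 4880 section 5.2.4): 0xB4, a 4-octet big-endian length, then
    the User ID exactly as stored in the packet, with no decoding."""
    return b"\xb4" + struct.pack(">I", len(uid)) + uid


def uid_digest(uid: bytes) -> str:
    """Digest over the User ID portion alone (SHA-1 chosen only for the
    demonstration; the real signature names its own hash algorithm)."""
    return hashlib.sha1(uid_hash_prefix(uid)).hexdigest()


def reencode_as_utf8(uid: bytes) -> bytes:
    """What a tool does wrong when it turns the packet into a String and
    re-encodes it: 0xF6 becomes the two bytes C3 B6, so both the hashed
    length field and the hashed content change."""
    return uid.decode("latin-1").encode("utf-8")


def display_uid(uid: bytes) -> str:
    """Display-only fallback in the spirit of the GPA heuristic: accept
    valid UTF-8, otherwise show the bytes as Latin-1.  The result is for
    the screen only and must never be fed to the signature check."""
    try:
        return uid.decode("utf-8")
    except UnicodeDecodeError:
        return uid.decode("iso-8859-1")


if __name__ == "__main__":
    bad = reencode_as_utf8(RAW_UID)
    print("verbatim  ", len(RAW_UID), uid_digest(RAW_UID))
    print("re-encoded", len(bad), uid_digest(bad))
    print("shown as  ", display_uid(RAW_UID))
```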
Re: hash email addresses / directory privacy enhancement
Eh, I consider the possibility of address harvesting an opportunity for a bit of sport. I enjoy occasionally crafting a new regular expression to make maildrop automatically toss a new strain of UCE.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
Re: hash email addresses / directory privacy enhancement
Hi

On Tuesday 29 April 2014 at 3:23:10 PM, in mid:20140429142310.ge14...@iupui.edu, Mark H. Wood wrote:

> Eh, I consider the possibility of address harvesting an opportunity for a bit of sport. I enjoy occasionally crafting a new regular expression to make maildrop automatically toss a new strain of UCE.

Does "toss" in this context mean send, delete, or reject?

-- 
Best regards

MFPA                    mailto:2014-667rhzu3dc-lists-gro...@riseup.net

Gypsy Dwarf Escapes Prison: Small Medium at large
Re: hash email addresses / directory privacy enhancement
Hi

On Tuesday 29 April 2014 at 10:59:21 AM, in mid:535f77f9.8070...@digitalbrains.com, Peter Lebbing wrote:

> The problem with keeping an e-mail address secret is you need to keep it secret all of the time, while it only needs to leak to spammers once. Those are overwhelming odds.

Does the email address really need to leak to spammers at all? I have a couple of domains set up with catch-all email forwarding; occasionally for about a couple of weeks one or other domain receives spam messages addressed to (or bounces to messages spoofed to be from) random names at the domain, then it stops and doesn't happen again for months or years.

> If just one of your correspondents is infected by a virus that harvests their addressbook or their mail folders, you've lost the battle.

For a couple of weeks until the spammer moves on to a new set of email addresses. But, just maybe, it becomes an ongoing problem and makes the address unusable. In that case, somebody who uses a unique email address to correspond with each contact simply tells that contact a new address and retires the old one.

-- 
Best regards

MFPA                    mailto:2014-667rhzu3dc-lists-gro...@riseup.net

Confusion is always the most honest response
Re: hash email addresses / directory privacy enhancement
I don't know how much of a spam problem there is by having keyservers harvested for their e-mail addresses, but if indeed it does become a problem, then maybe at that point, the e-mail addresses should not be listed on the keyserver.

When a person generates a new key, the e-mail required by gnupg for key generation can be listed as something benign such as n...@my.keys

The key will still be identified by the fingerprint, and the e-mail address can be given out by the owner to whomever she/he wants to give it to.

Many keys no longer have the original e-mail address as when they were generated, so the question becomes: If the key is accessible by the fingerprint and key name, and people consider the fingerprint the most trustable identifier of the key, and an attacker cannot forge a key with the same fingerprint, then why is it necessary to have the e-mail address on the keyserver at all?

vedaal
Re: hash email addresses / directory privacy enhancement
Hi

On Tuesday 29 April 2014 at 7:18:40 PM, in mid:20140429181840.457e7a0...@smtp.hushmail.com, ved...@nym.hush.com wrote:

> When a person generates a new key, the e-mail required by gnupg for key generation, can be listed as something benign such as n...@my.keys

Or, IMHO better still, left blank. Although I would prefer the ability to include it hashed.

> so the question becomes; If the key is accessible by the fingerprint and key name, and people consider the fingerprint the most trustable identifier of the key, and an attacker cannot forge a key with the same fingerprint, then why is it necessary to have the e-mail address on the keyserver at all?

I think it is more a convenience than a necessity. But it became a de facto standard, which the writers of some email software have relied upon to select encryption keys by email address.

-- 
Best regards

MFPA                    mailto:2014-667rhzu3dc-lists-gro...@riseup.net

Of course it's a good idea - it's mine!
Re: UI terminology for calculated validities
Hi

On Monday 28 April 2014 at 8:22:44 PM, in mid:535eaa84.9010...@digitalbrains.com, Peter Lebbing wrote:

> - trust-model direct (and then set validity with trust command)
> - trust: ultimate (note: don't do this!)

But unless I am missing something, trust: ultimate is the only way the trust command can validate a key without removing validity from all the keys on the keyring that are validated by signatures.

-- 
Best regards

MFPA                    mailto:2014-667rhzu3dc-lists-gro...@riseup.net

We're all shipwrecked on this idea that everything has to be explained.
Re: UI terminology for calculated validities
On Tue 29.04.2014, 20:22:52, MFPA wrote:

> validate a key without removing validity from all the keys on the keyring that are validated by signatures.

I don't understand that.

Hauke

-- 
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
Re: UI terminology for calculated validities
Hi

On Tuesday 29 April 2014 at 8:34:27 PM, in mid:1495086.yRroNSC0aI@inno, Hauke Laging wrote:

> On Tue 29.04.2014, 20:22:52, MFPA wrote:
>
>> But unless I am missing something, trust: ultimate is the only way the trust command can validate a key without removing validity from all the keys on the keyring that are validated by signatures.
>
> I don't understand that.

The selection of trust-model direct tells your copy of GnuPG to ignore signatures, and thereby removes validity from all the keys on the keyring that are validated by signatures.

Trust: ultimate validates a key whatever trust-model is in operation (but also allows whoever controls that key to tell your copy of GnuPG what keys to accept).

Trust: followed by any other option except ultimate appears to have no effect unless the trust-model direct is in operation.

Have I got this right?

-- 
Best regards

MFPA                    mailto:2014-667rhzu3dc-lists-gro...@riseup.net

I hit the CTRL key but I'm still not in control!
Get expiration date by searching on keyservers
Hi,

I use '--keyserver srv --search-keys key' to get info on a number of keys. As far as I can tell, that doesn't return an expiration date (if that exists).

Are there other ways to easily check on the exp. date, besides importing the key and then verifying the expiration date?

thanks,

koen