Re: Docs central, with 'Email Self-Defence'
Hi, I have some links about key creation and gpg in general that I would provide of course. the problem is, that I don't know if/how correct they are because I am not that into gpg yet. Some blogposts are rather old, which can mean they are no longer up to date but doesn't have to. I don't want to spread outdated/incorrect information so how to proceed? That said, adding them to the wiki directly doesn't seem to be ideal... Am 06.06.2014 11:36, schrieb Bernhard Reiter: Friends of OpenPGP, GnuPG, End-to-End encryption, in the last 18 months, people started writing more about GnuPG and its relatives. We need to keep the overview and if possible provide a central place where people can find the best documentation for them to read. This is a task which we can and should tackle together! The sheer number of new guides and blog entry shows that there is a need for guidance. If we can help to unlock what is already there, this will further Ende-to-End encryption and help Werner and the other GnuPG developers to focus on doing the software engineeiring itself. Thus I've started http://wiki.gnupg.org/documentation and did a first entry for the new CC-BY-(SA) short guide from the FSF. I could use more critical review, so if you read it or other documents, please add a link or a comment. Regards, Bernhard ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Alice, Blake, Chloe and Dharma.
Hi all. Hello, Mike Ashley Reading gpg manuals, I wonder why the usual example agents of a cryptography-related situation are called in an unusual way. I notice that in related RFCs the usual Alice and Bob are used, and no apparent trace of Chloe or Dharma. Google doesn't reveal the origin of these names. The only pages I found are either gnupg manual itself or excerpts thereof. Could someone announce the name of the person that introduced these names? Is there something we may know of their origin? Since the gnupg manual I refer to appears to be last modified about year 2000 A.D. I chose to address my questions to both the maintainer and the community in case the maintainer's e-mail is somewhat abandoned. Thank you very much for your time. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
The purpose and origin of the file pubring.gpg~
Hi all. I just set up a keypair and I notice there is a file: -rw--- 1 1000 10 1203 Jun 6 00:32 /home/kindaro/.gnupg/pubring.gpg~ -- that is not mentioned in man gpg. It is quite a challenge to search for a tilde in the Internet but I did do my best. That same question was asked once in this very mailing list and once again in the Ubuntu forums, and both times it was dismissed as well it has a tilde in the end, it must be a backup. I don't feel satisfied with such a kind of answer. I notice the following facts about the file in question: 1. The file was created the same time as other *.gpg files in ~/.gnupg, has the same time and ownership. 2. The file has checksums different from any other *.gpg files present, however it appears to only differ in a few bytes. 3. There are no other *.gpg~ files present in ~/.gnupg. All of those facts make me doubt that the file in question is actually just a backup. Could someone clarify on this point? That is, hint an answer to questions such as: 1. What purpose does the file serve? 2. What is its importance? 3. What would be the consequence of deleting the file? 4. What would be the consequence of sharing the file? 5. What would be the consequence of having the file stolen by a malicious party? 6. In what way does it relate to some public keys stored in the keyring? 7. In what way does it relate to some private keys stored in the keyring? Thank you very much for your time. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Alice, Blake, Chloe and Dharma.
On Sun, Jun 8, 2014 at 2:19 AM, sonne kind...@gmail.com wrote: Hi all. Hello, Mike Ashley Reading gpg manuals, I wonder why the usual example agents of a cryptography-related situation are called in an unusual way. I notice that in related RFCs the usual Alice and Bob are used, and no apparent trace of Chloe or Dharma. True, but there is a Carol, Charles, Dave, etc. Typically (but not always) the names aren't just a placeholder for a participant, but the first letter of the name means something (e.g. Eve is an eavesdropper who can see but not modify the data between Alice and Bob, Mallory is a malicious attacker who can perform active attacks, etc.). See http://en.wikipedia.org/wiki/Alice_and_Bob for details. Bruce Schneier's book Applied Cryptography was published in 1996 and contains reference to several of those names. I'm not sure if that's the origin of their use in this context, though. Anyone else? Cheers! -Pete -- Pete Stephenson ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Docs central, with 'Email Self-Defence'
On 08/06/14 17:49, Suspekt wrote: I have some links about key creation and gpg in general that I would provide of course. There is a /lot/ of bad advice out there; I'd be wary of linking to it. There is no single best way, a lot of bad ways, and a lot of clashing outspoken opinions. In my humble opinion, the best advice is: stick to the defaults, they are there for a reason. Unless you have a specific threat model, in which case, good for you, work with that, not your gut feeling. Just my 2 cents, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at http://digitalbrains.com/2012/openpgp-key-peter ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Docs central, with 'Email Self-Defence'
Am 08.06.2014 18:28, schrieb Peter Lebbing: On 08/06/14 17:49, Suspekt wrote: I have some links about key creation and gpg in general that I would provide of course. There is a /lot/ of bad advice out there; I'd be wary of linking to it. I understand that. But those links are out there and just by searching on the internet you'll find a lot of some, because they seem to quite popular on google... Maybe start a bad practice list? naming and shaming? There is no single best way, a lot of bad ways, and a lot of clashing outspoken opinions. In my humble opinion, the best advice is: stick to the defaults, they are there for a reason. Unless you have a specific threat model, in which case, good for you, work with that, not your gut feeling. I really like the idea of taking the threat model approach. The problem I see: What if I have a thread model with needs beyonds defaults? Say I assume that someone could launch a targeted attack, where should I look up best practices then? I recently started to dive into gpg and find it very hard to find reliable information between just stick to the defaults and look up rfc4880. Looking at the gnupg homepage I can choose between 1-4 howtos, a 158 page manual, the man page, the gnu privacy handbook and the gnu FAQ. I think that is part of the reason for many blog posts and some of the questions on this mailinglist: based on the official documentations it's kind of hard to do the step between beginner and master of the gpg universe. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: The purpose and origin of the file pubring.gpg~
On Sat, 7 Jun 2014 18:04, kind...@gmail.com said: once again in the Ubuntu forums, and both times it was dismissed as well it has a tilde in the end, it must be a backup. I don't feel satisfied Standard Unix pattern for a backup of another file. Another common pattern are temporary files whicg start with .#. It is common that cron jobs remove such files after some time if the program did not do it due to an unexpected event. 1. What purpose does the file serve? Backup done by gpg while working on the file. 2. What is its importance? None. It does not make sense to automatically delete it because the next modification of the file will create a new one. 3. What would be the consequence of deleting the file? None. 4. What would be the consequence of sharing the file? No different from ~/.gnupg/pubring.gpg. It hat the public keys. However, ~/.gnupg/pubring.gpg~ also stores cache of key signature verification results. 5. What would be the consequence of having the file stolen by a malicious party? You should not trust your box anymore. I someone got access to the box the box has been comprimised. The public keyring is the least of your problems. You need to assume that secret keys are compromised (~/.gnupg/secring.gpg or ~/.gnupg/private-keys-v1.d/) 6. In what way does it relate to some public keys stored in the keyring? It is a backup of them. Modification of these files (e.e. adding or editing keys) works by taking a temporary copy of the file, change that file, rename the original file to pubring.gpg~, and the rename the temporary file to pubring.gpg. 7. In what way does it relate to some private keys stored in the keyring? Private keys are not stored there. However, the secring.gpg is modified using the same scheme but to minimize the available secret key material the backup file is deleted. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Google releases beta OpenPGP code
I hope the two code bases can create a common API. It would be really useful to be able to test one against the other. I have to say that the OpenPGPJs developers have been quite responsive to the bugs I've been raising. I personally think their project is a gold mine. And personally, I do not trust google. Enough said in that regard. ;-) Anyhow, with regard to, Most people value the ability to access their messages from anywhere, using webmail, and won't want to have to carry their private keys with them. I've been working on such a project. Little by little. If you'd care to help, feel free to hack/clone/steal/whatever. The project is designed so that, you can create your own css file and make it look like google or whatever. You can find it here: https://github.com/timprepscius/mv With a test site here:http://pmx.mooo.com (I haven't optimized the js files into one [will eventually do], so allow much time to load) -tim ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Trust and distrust [was: Re: Google releases beta OpenPGP code]
On Sun, Jun 08, 2014 at 01:13:27PM -0400, t...@piratemail.se wrote: And personally, I do not trust google. Enough said in that regard. ;-) Sorry to hijack this topic, but... Why would you trust the OpenPGP.js developers? At least, you can hold google as accountable for their actions. You cannot for them: perhaps they do not even physically exist, and are just nameholders for a three-letter-agency project, willingly introducing backdoors in this project. Maybe they just fixed the bugs you reported because it made them look less conspicuous. Maybe will bring us all very far away. What's great about open source is that you do not at all have to trust the maintainer of a project. You only have to trust the project -- and by this I mean the fact that at least a developer will have noticed the flaw. I may even distrust Werner, and yet use gpg -- if e.g. I trust another gnupg developer. And even this trust is not strictly required: you can always inspect the source code all by yourself. Sure, this model of trust the community is far from perfect, heartbleed being the latest proof of that. But it is better than trust the maintainer, who is always part of the community. And what's great about google's project is that they are quite likely to be highly audited: if anyone found a willingly placed security flaw in google's end-to-end library, it would mean a lot of prestige. So, even if I trusted google less than OpenPGP.js developers [and who tells us these developers are not disguised google agents?], I would likely, after a period during which security experts will have had their time with this new library, trust it more than OpenPGP.js. Despite the fact that it might have a backdoor while the other does not. Because the opposite is even more likely. Cheers, Leo ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Docs central, with 'Email Self-Defence'
Am So 08.06.2014, 18:51:39 schrieb Suspekt: There is a /lot/ of bad advice out there; I'd be wary of linking to it. I understand that. But those links are out there and just by searching on the internet you'll find a lot of some, because they seem to quite popular on google... Maybe start a bad practice list? naming and shaming? There are recommendations you can discuss for quite a while but there are also (and that's probably the majority of cases you mean) statements which are stupid or plain wrong. Before you can use a key you have to make it valid. In order to get this done just set the owner trust to ultimate... And incomplete information: After creating the key create a revocation certificate, too. I still have to be told why it shall be possible to have a safe backup of the revocation certificate but impossible (or less possible) to have a safe backup of the secret mainkey... When I encounter such statements (more or less limited to German pages) then I contact the author or leave a comment on that page. As they all make the same mistakes I meanwhile have a list of text blocks which I can use with copypaste... I even offer to check articles before or after publication: http://www.openpgp-schulungen.de/fuer/webautoren/ I recommend that all qualified people do the same when encountering bad articles. It seems important to me to increase the quality of information out there. Hauke -- Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/ http://userbase.kde.org/Concepts/OpenPGP_Help_Spread OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Docs central, with 'Email Self-Defence'
On 08/06/14 20:34, Hauke Laging wrote: After creating the key create a revocation certificate, too. I still have to be told why it shall be possible to have a safe backup of the revocation certificate but impossible (or less possible) to have a safe backup of the secret mainkey... This one seems easy... leakage of the revocation certificate is much more benign. No secret stuff is compromised, and in order for the leakage to be useful, your adversary would need to publish the revocation certificate, so you would notice. This in stark contrast with the private key, which can be used without you noticing, to read your secrets. And any new secrets produced in the future, on account of you not noticing. So the storage requirements for the revocation certificate are much less demanding than for the backup secret keys, meaning there are more places you can keep it, meaning you have a higher chance of still being able to access it. ... because a revocation certificate is only useful when the key backup is lost. So obviously you should make sure that they are stored separately. This is one of the silly recommendations I've also seen: store your revocation certificate with your private key. That only covers the case of forgetting the passphrase; in all other cases it's useless (I think). And that's hoping you didn't use the same passphrase with your encrypted USB-drive and lost access to the certificate as well. It all boils down to: a safe backup depends on what you are backing up. I recommend that all qualified people do the same when encountering bad articles. The problem lies in qualified. I think the authors of the bad advice consider themselves qualified, for instance. Otherwise why are they giving advice. It seems important to me to increase the quality of information out there. H... this is the internet. I don't think you can keep the bad advice off the net. You need to have the good advice in a prominent place. But maybe that's what you meant. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at http://digitalbrains.com/2012/openpgp-key-peter ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
GnuPG 2.1 exporting secret keys
Hi, I'm trying to export the secret keys which were generated with the latest GPG 2.1 beta. I do however receive the following error: ~$ gpg2 -v --export-secret-key -a -o test.key 2BAD7887 gpg: NOTE: THIS IS A DEVELOPMENT VERSION! gpg: It is only intended for test purposes and should NOT be gpg: used in a production environment or with production keys! gpg: writing to 'test.key' gpg: key 2BAD7887: asking agent for the secret parts gpg: key 2BAD7887: error receiving key from agent: Missing item in object - skipped gpg: key 2BAD7887/F1D5FF9D: asking agent for the secret parts gpg: key 2BAD7887/F1D5FF9D: error receiving key from agent: Missing item in object - skipped gpg: WARNING: nothing exported Any idea what I'm doing wrong or what might be the problem? Kind regards, Martijn Brinkers ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
