even after deleting the 1st key pair, owner's trust is defaulting to ultimate
I have created a key pair using the defaults at first, and set the owner's trust as ultimate using Enigmail 1.7. Then I realised I had not added:

    personal-digest-preferences SHA256
    cert-digest-algo SHA256
    default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

Since I had not uploaded the key to a public server, I immediately deleted the key, added the above three lines to gnupg.conf, and created a key pair with the same credentials for both key pairs:

    name: myname
    email: myn...@email.com

To my surprise the 2nd key pair has owner's trust as ultimate. Is this intended behaviour, or is anything abnormal? Or is there any specific reason?

I am using gnupg 2.0.25-1 on Manjaro.

Thanks,
Regards,
war.dhan

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: symmetric email encryption
On Sat, Jul 19, 2014 at 05:46:02PM -0700, Bob Holtzman wrote:
> On Sat, Jul 19, 2014 at 01:55:45PM -0400, Robert J. Hansen wrote:
>>> A factor of two is immense to you...?
>>
>> Yes. A secret that only I know I can keep; a secret known to two people can only be kept for a while. Yes, that's an immense difference.
>
> Old Hell's Angels saying: 3 people can keep a secret if two of them are dead. Not a very sophisticated bunch, but..

Often attributed to Benjamin Franklin.

--
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
Re: scdaemon support for SmartCard-HSM
Hi Andreas,

On Fri, 18 Jul 2014 16:44, andreas.schwier...@cardcontact.de said:

> we've added support for the SmartCard-HSM to scdaemon. Please find the patch that applies to master at [1].

If you want me to apply that patch please read doc/DETAILS on how to send a DCO. (I'd appreciate a sample card for testing, but that is not a requirement.)

Some quick remarks: If you took another app-*.c as template, please add all the copyright lines from that file and add your own copyright line (unless you have an assignment for GnuPG with the FSF). Lines should in general not be longer than 80 characters; I spotted one or two which are longer. Someone needs to proofread the code, of course ;-)

> 1. Signing with ECDSA: Apparently gpgsm puts the wrong (RSAEncryption) algorithm identifier in SignerInfo when using ECDSA. As a result verification of the CMS fails with conflicting use.

I doubt that gpgsm really supports ECC. Thus such problems are to be expected.

> 2. At least on Kubuntu the PIN callback to prompt the user to enter the PIN at the reader PIN PAD does not work. gpgsm is reporting an invalid

GnuPG does this on itself - no need for a callback. Well, it should do that. What pinentry are you (Kubuntu) using?

> 3. Apparently kleopatra only supports TCOS card. It's unclear to me why this restriction is in place.

The contract specified that card, and thus Kleopatra did a minimal job to fulfill the requirements. For better card support you should use GPA (you may want to add support for your card there as well).

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: even after deleting the 1st key pair, owner's trust is defaulting to ultimate
On Mon, 21 Jul 2014 10:33, wardhan.v@gmail.com said:

> to my surprise the 2nd key pair has owners trust as ultimate.

Ultimate trust is always set for newly created keys. It is not set if you import a key.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: Automatic e-mail encryption
On Sat, Jul 19, 2014 at 02:26:44PM +0200, Peter Lebbing wrote:
> By the way: if we had a working alternative to SSL/TLS, all the mail servers could talk to each other securely without eavesdropping. That way

Please remind me why we need an alternative to TLS.

> the contents of e-mails is only exposed on the sending SMTP server and the receiving SMTP and mailbox servers (f.e., IMAP). The mailbox server

I treat hop-by-hop encryption not as an alternative to end-to-end, but as defense in depth.

--
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
Re: ECC and CMS (was: [Announce] The fifth Beta for GnuPG 2.1 is now available for testing)
On Tue, 8 Jul 2014 09:56, bernh...@intevation.de said:

> Do you also know the status of CMS (x.509) for S/MIME?

May work, but likely needs a bit of testing and code fiddling. I have lost most interest in CMS, thus better do not expect that I will spend time on it.

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: Mutt: Decrypting inline gpg format directly
On Fri, 18 Jul 2014 18:18, whirlp...@blinkenshell.org said:

> I wonder if Mutt can be configured to decrypt inline pgp messages automatically, without piping the attachment to `gpg --decrypt`.

IIRC, I implemented that about a decade ago. Simply put

    set crypt_use_gpgme

into your ~/.muttrc.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: Is it possible to set a passphrase_cb in gpgme with openpgp protocol
On Fri, 4 Jul 2014 11:52, ret...@rethab.ch said:

> I read in the ruby-bindings library that this only worked with version 1.X but seems not to work anymore with 2.X. Is there any truth to this?

Right. GnuPG-2 requires the gpg-agent, and the gpg-agent is solely responsible for asking for the passphrase. Check out the mail archives on how to work around this (pinentry wrapper).

But: on common request, GnuPG 2.1 (currently in beta) has a feature to allow gpg-agent to call back to gpg (and in turn to gpgme etc.) for the passphrase (see --allow-loopback-pinentry and --pinentry-mode). GPGME supports this.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: even after deleting the 1st key pair, owner's trust is defaulting to ultimate
On 07/21/2014 04:33 AM, war.dhan wrote:
> i have created a key pair using the defaults at first. set the owners trust as ultimate using enigmail 1.7. then i realised about not adding:
>
>     personal-digest-preferences SHA256
>     cert-digest-algo SHA256
>     default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
>
> since i have not uploaded the key to public server, i immediately deleted the key. added the above three lines gnupg.conf. created a key pair with same credentials for both key pairs:
>
>     name: myname
>     email: myn...@email.com
>
> to my surprise the 2nd key pair has owners trust as ultimate. is this intended behaviour or is anything abnormal? or is there any specific reason?

Any key created by GnuPG is automatically set to ultimate ownertrust by default, on the assumption that this is your key, so you are willing to believe any certifications that you make.

If you want the 2nd key to have some other ownertrust than the first one, you should change that explicitly. But since it sounds like it is your personal key (and your only key), I don't see why you'd want to reduce the ownertrust from ultimate.

--dkg
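The point made in this thread (a key GnuPG generates itself starts with ultimate ownertrust, an imported key starts at unknown) is visible in machine-readable form in `gpg --list-keys --with-colons`: field 9 of each `pub` record is the ownertrust, `u` for ultimate and `-` for unknown. Because ownertrust is the thing that makes every certification by that key count as your own, the check a practitioner actually wants is "which keys are ultimately trusted, and is there a secret key for each of them?" The script below is an added example, not code from the thread or from GnuPG; the two listings are constructed samples standing in for the output of `gpg --list-keys --with-colons` and `gpg --list-secret-keys --with-colons` (fingerprints and addresses are made up), and the field positions follow GnuPG's doc/DETAILS. Note that the ownertrust lives in trustdb.gpg keyed by fingerprint, so the second key in the original post did not inherit anything from the deleted first key; it simply got the same default.

```python
"""Audit ownertrust in `gpg --with-colons` listings.

Field layout used here (from GnuPG doc/DETAILS, 1-based fields):
  pub/sec: field 5 = key ID, field 9 = ownertrust ('u' ultimate, '-' unknown)
  fpr:     field 10 = fingerprint of the preceding pub/sec (or sub/ssb)
  uid:     field 10 = user ID string
"""

# Constructed sample: two locally generated keys (both 'u', as in the thread),
# one imported correspondent key ('-'), and one imported key that someone set
# to ultimate by hand. Fingerprints and addresses are made up.
SAMPLE_PUB = """\
tru::1:1405929600:0:3:1:5
pub:u:2048:1:0123456789ABCDEF:1405929600:::u:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1405929600::0A0B0C::myname <myname@example.com>:
sub:u:2048:1:FEDCBA9876543210:1405929600::::::e:
pub:u:2048:1:1111111111111111:1405930000:::u:::scESC:
fpr:::::::::1111111111111111111111111111111111111111:
uid:u::::1405930000::0D0E0F::myname <myname@example.com>:
pub:-:2048:1:2222222222222222:1400000000:::-:::scESC:
fpr:::::::::2222222222222222222222222222222222222222:
uid:-::::1400000000::101112::Correspondent <c@example.org>:
pub:u:4096:1:3333333333333333:1400000000:::u:::scESC:
fpr:::::::::3333333333333333333333333333333333333333:
uid:u::::1400000000::131415::Imported But Ultimate <i@example.net>:
"""

# Constructed sample of the secret keyring: only the two generated keys.
SAMPLE_SEC = """\
sec::2048:1:0123456789ABCDEF:1405929600:::u:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1405929600::0A0B0C::myname <myname@example.com>:
ssb::2048:1:FEDCBA9876543210:1405929600::::::e:
sec::2048:1:1111111111111111:1405930000:::u:::scESC:
fpr:::::::::1111111111111111111111111111111111111111:
uid:u::::1405930000::0D0E0F::myname <myname@example.com>:
"""


def parse_keys(listing, primary="pub"):
    """Return one dict {keyid, ownertrust, fpr, uids} per primary key record.

    The first fpr record after a pub/sec record is that primary key's
    fingerprint; an fpr after sub/ssb belongs to the subkey and is ignored.
    """
    keys, current = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == primary:
            current = {"keyid": f[4], "ownertrust": f[8], "fpr": None, "uids": []}
            keys.append(current)
        elif f[0] in ("sub", "ssb"):
            current = None
        elif f[0] == "fpr" and current is not None and current["fpr"] is None:
            current["fpr"] = f[9]
        elif f[0] == "uid" and current is not None:
            current["uids"].append(f[9])
    return keys


def ultimate_fingerprints(pub_listing):
    """Fingerprints of every key whose ownertrust is ultimate."""
    return [k["fpr"] for k in parse_keys(pub_listing, "pub") if k["ownertrust"] == "u"]


def ultimate_without_secret(pub_listing, sec_listing):
    """Ultimately trusted keys with no matching secret key.

    Every certification such a key makes is accepted as if you made it
    yourself, so an entry here is worth a second look (gpg --edit-key FPR,
    then 'trust', to change it).
    """
    own = {k["fpr"] for k in parse_keys(sec_listing, "sec")}
    return [k for k in parse_keys(pub_listing, "pub")
            if k["ownertrust"] == "u" and k["fpr"] not in own]


if __name__ == "__main__":
    for k in ultimate_without_secret(SAMPLE_PUB, SAMPLE_SEC):
        print("ultimate ownertrust but no secret key:", k["fpr"], k["uids"])
```

Against a real keyring, feed it the output of the two gpg commands instead of the samples; the generated keys show up as ultimate with a secret key present, and only a hand-trusted imported key is reported.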
Re: Automatic e-mail encryption
On 21/07/14 15:32, Mark H. Wood wrote:
> Please remind me why we need an alternative to TLS.

Well, I actually meant X.509 and the CA system, which is what is currently abundantly used in SSL and TLS. If you plug in a different form of authentication, I think the rest is okay.

> I treat hop-by-hop encryption, not as an alternative to end-to-end, but as defense in depth.

Yes. I already explained why I think there is little difference when the mails are stored unencrypted on a mailbox server. If you only decrypt to local storage, then I agree.

By the way, regarding DANE as an alternative to the CA system: I think a proper implementation of authentication through DNS could well be way better than the CA system: at least you can only be screwed by people having access to signing keys for the root and the TLD, instead of anyone with access to a CA certificate.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://digitalbrains.com/2012/openpgp-key-peter
Re: symmetric email encryption
On Mon, Jul 21, 2014 at 09:12:36AM -0400, Mark H. Wood wrote:
> On Sat, Jul 19, 2014 at 05:46:02PM -0700, Bob Holtzman wrote:
>> On Sat, Jul 19, 2014 at 01:55:45PM -0400, Robert J. Hansen wrote:
>>>> A factor of two is immense to you...?
>>>
>>> Yes. A secret that only I know I can keep; a secret known to two people can only be kept for a while. Yes, that's an immense difference.
>>
>> Old Hell's Angels saying: 3 people can keep a secret if two of them are dead. Not a very sophisticated bunch, but..
>
> Often attributed to Benjamin Franklin.

Wow! Didn't know he was a H.A. or that he could ride.

--
Bob Holtzman
A man is a man who will fight with a sword or tackle Mt Everest in snow,
but the bravest of all owns a '34 Ford and tries for 6000 in low.
Re: Automatic e-mail encryption
Hi

On Monday 21 July 2014 at 5:23:51 PM, in mid:53cd3e97.1040...@digitalbrains.com, Peter Lebbing wrote:

> On 21/07/14 15:32, Mark H. Wood wrote:
>> Please remind me why we need an alternative to TLS.
>
> Well, I actually meant X.509 and the CA system, which is what is currently abundantly used in SSL and TLS. If you plug in a different form of authentication, I think the rest is okay.

Doesn't Monkeysphere [0] allow the use of the OpenPGP web of trust to authenticate certificates for TLS?

[0] http://web.monkeysphere.info/

--
Best regards

MFPA   mailto:2014-667rhzu3dc-lists-gro...@riseup.net

None are so fond of secrets as those who do not mean to keep them
Re: Automatic e-mail encryption
On 21/07/14 21:15, MFPA wrote:
> Doesn't Monkeysphere [0] allow the use of the OpenPGP web of trust to authenticate certificates for TLS?

I don't think this helps much authenticating one SMTP server to another. Even if it would be possible, they are usually operated by ISPs; I don't see them using the WoT for that any time soon.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://digitalbrains.com/2012/openpgp-key-peter
Re: Automatic e-mail encryption
On 07/21/2014 09:23 AM, Peter Lebbing wrote:
> By the way, regarding DANE as an alternative to the CA system: I think a proper implementation of authentication through DNS could well be way better than the CA system: at least you can only be screwed by people having access to signing keys for the root and the TLD, instead of anyone with access to a CA certificate.

SSL/TLS is designed to (primarily) do two things, of roughly equivalent importance depending on the context:

1. Provide a framework to cryptographically secure the communication channel
2. Provide some level of assurance that the endpoint you've connected to is actually the entity you intended to communicate with

What DANE does is provide a DNS resource record which gives you the signature of the certificate that's relevant to the host name you want to connect to. The system assumes that both the host record and the DANE RR (TLSA) are signed with DNSSEC.

This facilitates purpose number 1 above, as it allows the connection to start off encrypted. It also allows your client to verify that the certificate it gets is the one it was looking for. Assuming that you have the same level of confidence in the organization you're communicating with to manage their DNSSEC keys properly as you do for them to manage their SSL keys properly, it also fulfills purpose number 2.

As Peter points out however, you're simply transferring your trust in the hierarchy above the organization you're communicating with from the CAs to the TLD and root zone operators. The good news is that for now the TLDs have proven very trustworthy in their handling of their own DNSSEC keys, and replacing them due to a compromise is orders of magnitude easier than revoking/replacing CA signing certs.

I will leave judgment of how the root zone operators are doing up to the reader, as my opinion would undoubtedly be biased. :)

hth,

Doug
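To make the TLSA mechanism Doug describes concrete: per RFC 6698 the record carries a usage, a selector (0 = whole certificate, 1 = SubjectPublicKeyInfo), a matching type (0 = exact data, 1 = SHA-256, 2 = SHA-512) and the resulting association data; the client computes the same value from the certificate the server presents and compares. The code below is an added example, not part of Doug's message or of any DANE implementation. It ships a minimal DER walker that is just enough to pull the SubjectPublicKeyInfo out of a certificate, and a constructed DER skeleton with the field layout of an X.509 v3 certificate (placeholder key, zeroed signature) so it runs offline; with a real certificate you would pass its DER bytes instead. Only usage 3 (DANE-EE) is decided here, because usages 0 to 2 additionally need PKIX path building or the CA chain, and the DNSSEC validation of the record itself, which the message stresses, is assumed to have happened before this check.

```python
"""Compute and check DANE TLSA certificate association data (RFC 6698)."""
import hashlib


def der_len(n):
    """DER definite-form length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Encode one DER TLV with a single-byte tag."""
    return bytes([tag]) + der_len(len(body)) + body


def der_split(data):
    """Split concatenated DER TLVs (single-byte tags) into (tag, value, raw)."""
    items, i = [], 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        if first < 0x80:
            length, hdr = first, 2
        else:
            n = first & 0x7F
            length, hdr = int.from_bytes(data[i + 2:i + 2 + n], "big"), 2 + n
        end = i + hdr + length
        if end > len(data):
            raise ValueError("truncated DER")
        items.append((tag, data[i + hdr:end], data[i:end]))
        i = end
    return items


def spki_from_cert(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of an X.509 certificate.

    tbsCertificate = [0] version (optional), serialNumber, signature,
    issuer, validity, subject, subjectPublicKeyInfo, ...
    """
    (outer,) = der_split(cert_der)
    tbs = der_split(outer[1])[0]
    fields = der_split(tbs[1])
    idx = 6 if fields[0][0] == 0xA0 else 5
    return fields[idx][2]


def tlsa_association(cert_der, selector, matching):
    """Certificate association data as lowercase hex (RFC 6698 section 2.1)."""
    data = {0: cert_der, 1: spki_from_cert(cert_der)}[selector]
    if matching == 0:
        return data.hex()
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[matching]
    return digest(data).hexdigest()


def tlsa_matches(cert_der, records):
    """True if the presented certificate satisfies any DANE-EE (usage 3) record.

    records: iterable of (usage, selector, matching, association_hex).
    Usages 0-2 are skipped: they need PKIX path validation or the CA chain.
    """
    for usage, selector, matching, assoc in records:
        if usage != 3:
            continue
        if tlsa_association(cert_der, selector, matching) == assoc.lower():
            return True
    return False


def build_fake_cert(pubkey_bits=b"\x42" * 16):
    """Constructed X.509 v3 DER skeleton for testing (not a real certificate)."""
    version = tlv(0xA0, tlv(0x02, b"\x02"))
    serial = tlv(0x02, b"\x01")
    sha256_rsa = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))
    empty_name = tlv(0x30, b"")
    validity = tlv(0x30, tlv(0x17, b"140721000000Z") + tlv(0x17, b"150721000000Z"))
    rsa_alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
    spki = tlv(0x30, rsa_alg + tlv(0x03, b"\x00" + pubkey_bits))
    tbs = tlv(0x30, version + serial + sha256_rsa + empty_name + validity + empty_name + spki)
    return tlv(0x30, tbs + sha256_rsa + tlv(0x03, b"\x00" * 17))


if __name__ == "__main__":
    cert = build_fake_cert()
    rr = (3, 1, 1, tlsa_association(cert, 1, 1))   # the "3 1 1" record form
    print("TLSA 3 1 1", rr[3])
    print("presented cert matches:", tlsa_matches(cert, [rr]))
    print("swapped key matches:", tlsa_matches(build_fake_cert(b"\x43" * 16), [rr]))
```

The "3 1 1" form (DANE-EE, SPKI, SHA-256) is the one usually published for SMTP, because it keeps matching across certificate renewals as long as the key pair is kept; a certificate presenting a different key fails the check even if it is otherwise valid.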
Re: Mutt: Decrypting inline gpg format directly
On Fri, Jul 18, 2014 at 06:18:39PM +0200, The Fuzzy Whirlpool Thunderstorm wrote:
> I wonder if Mutt can be configured to decrypt inline pgp messages automatically, without piping the attachment to `gpg --decrypt`. I know, piping works, but it'd be more convenient to have mutt do the piping task and automatically display the decrypted message inside. If anyone has an idea or experience with Mutt, please give your answer.

I use this in my ~/.muttrc, which seems to work:

    message-hook '!(~g|~G) ~b"^-----BEGIN\ PGP\ (SIGNED\ )?MESSAGE"' "exec check-traditional-pgp"

It's borrowed from someone, but I don't remember where I originally saw it. You can also use ESC P in the message pager to manually check a message.

Cheers,
Jeff
Re: Automatic e-mail encryption
Hi

On Monday 21 July 2014 at 8:56:21 PM, in mid:53cd7065.7040...@digitalbrains.com, Peter Lebbing wrote:

> I don't think this helps much authenticating one SMTP server to another. Even if it would be possible, they are usually operated by ISP's; I don't see them using the WoT for that any time soon.

But an individual user could use it for authenticating the first/last hop between their MUA or browser or SMTP server and their ISP or email provider's servers.

--
Best regards

MFPA   mailto:2014-667rhzu3dc-lists-gro...@riseup.net

1 + 1 = 3, for large values of 1