Re: mailto with pgp fingerprint

2014-07-22 Thread Werner Koch
On Tue, 22 Jul 2014 09:40, enigm...@josuttis.de said:
> More and more we seem to have the problem of faked keys in the key
> servers. This especially applies to "well known" keys such as
> authors of magazines and famous tools.

This is actually the problem of checking the validity of the key.
Granted, gpg is not smart enough to figure out the best matching key but
that is something which can be fixed.

A more simple way of tackling this is to use PKA or DANE for key
validation: For sending mail you already need DNS and thus it would be
easy to retrieve the matching key from the DNS.  The drawback is that
this must be configured by the key owner and can't be changed by the
sender.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Mutt: Decrypting inline gpg format directly

2014-07-22 Thread Werner Koch
On Tue, 22 Jul 2014 11:22, whirlp...@blinkenshell.org said:

> The problem is pinentry doesn't come to foreground when I invoke `gpgsm
> --import mycertkey.p12`. Shell is hanging up waiting for pinentry-curses
> to provide the passphrase. Is there any workaround to fix gpgsm and

The only problem I remember is that sometimes you need to use ^L to
redraw the mutt screen.  I don't have much experience with the curses
backend because I use it only on my certification laptop.  It used to
work, but it's really a long time since I used mutt for crypto mails.  I
should spend some time on testing it again.


Shalom-Salam,

   Werner





Re: Mutt: Decrypting inline gpg format directly

2014-07-22 Thread The Fuzzy Whirlpool Thunderstorm
On Mon, Jul 21, 2014 at 02:54:23PM +0200, Werner Koch wrote:
> On Fri, 18 Jul 2014 18:18, whirlp...@blinkenshell.org said:
> 
> > I wonder if Mutt can be configured to decrypt inline pgp messages
> > automatically, without piping the attachment to `gpg --decrypt`.
> 
> IIRC, I implemented that about a decade ago.  Simply put
> 
> set crypt_use_gpgme
> 
> into your ~/.muttrc.
Yeah, I love the gpgme idea. But I dislike that the gpgme part is not working
with S/MIME. I mean there is always a problem invoking the passphrase input
dialog on S/MIME messages.

Is there any workaround to fix the S/MIME issue?



Re: Mutt: Decrypting inline gpg format directly

2014-07-22 Thread The Fuzzy Whirlpool Thunderstorm
On Mon, Jul 21, 2014 at 02:54:23PM +0200, Werner Koch wrote:
> On Fri, 18 Jul 2014 18:18, whirlp...@blinkenshell.org said:
> 
> > I wonder if Mutt can be configured to decrypt inline pgp messages
> > automatically, without piping the attachment to `gpg --decrypt`.
> 
> IIRC, I implemented that about a decade ago.  Simply put
> 
> set crypt_use_gpgme
> 
> into your ~/.muttrc.
Yes, the gpgme backend is great. But there is a problem with S/MIME
handling. Before doing any S/MIME decryption/encryption, a p12 private
key is needed. Since the gpgme backend uses gpgsm to handle S/MIME, I need
to import my p12 certificate.
The problem is that pinentry doesn't come to the foreground when I invoke `gpgsm
--import mycertkey.p12`. The shell hangs, waiting for pinentry-curses
to provide the passphrase. Is there any workaround to fix the gpgsm and
pinentry behavior so that it works as expected?
S/MIME works with the openssl backend, via `smime_keys add_p12
mycertkey.p12`.



mailto with pgp fingerprint

2014-07-22 Thread Nicolai Josuttis (enigmail)
More and more we seem to have the problem of faked keys in the key
servers. This especially applies to "well known" keys such as
authors of magazines and famous tools.

In addition, I have the problem that I'd like to use a special
reply-to address, which is not listed in the keyservers, but it
should be easy to associate that with a (known) public key.

So, I was wondering whether it is possible to force somehow the usage
of a specific pgp key identified by its fingerprint.

One obvious approach might be to extend the mailto format
(see http://www.rfc-editor.org/rfc/rfc2368.txt).

I was wondering whether it makes sense to standardize something like
> 
or
>
> 

so that we can provide elements in websites and emails
that force mailers to automatically choose the right public key
(either from internal list or from key servers).
The semantics would be:
- use the passed pgp key with the following email address

Mailers/PGP tools could even use this to update their key rings
(but with appropriate interaction and/or warning/error handling,
 because this could be a simple security hole if a link could just
 assign faked associated keys).

We could even use a syntax like:
>> 
or
>> 
to force the usage of a pgp key and derive the email address from there.

Questions:
- Would such a thing make sense or am I missing something?
- Is there even something like that already there or on the way?
- If not, is somebody familiar with the process or even willing
  to propose this as an RFC?
- Other thoughts?

And BTW, if this is too much out of scope of GnuPG issues:
- What would be the right place to discuss such a thing?

Best
 Nico

-- 
Nicolai M. Josuttis
www.josuttis.de
mailto:n...@enigmail.net
PGP fingerprint: CFEA 3B9F 9D8E B52D BD3F 7AF6 1C16 A70A F92D 28F5




Re: Automatic e-mail encryption

2014-07-22 Thread Mike Cardwell
* on the Mon, Jul 21, 2014 at 06:23:51PM +0200, Peter Lebbing wrote:

> By the way, regarding DANE as an alternative to the CA system: I think a
> proper implementation of authentication through DNS could well be way
> better than the CA system: at least you can only be screwed by people
> having access to signing keys for the root and the TLD, instead of anyone
> with access to a CA certificate.

I believe Postfix already has support for using DANE and it's on the roadmap
for Exim too. I already have it set up for my own domain "grepular.com":

  mike@flan:~$ dig +short mx grepular.com
  10 mx1.grepular.com.
  20 mx2.grepular.com.
  mike@flan:~$ dig +short tlsa _25._tcp.mx1.grepular.com
  3 0 1 3469CFEC16545C38CCADC72D5E7A11E11254D53AA69E587C135D9874 300FF144
  mike@flan:~$ dig +short tlsa _25._tcp.mx2.grepular.com
  3 0 1 6643FEEA7C7B382BE1D09422FAABEB6B47642BE87178BDD73637B175 CE34370E
  mike@flan:~$ 

My SMTP certs are also signed by a traditional CA at the same time, so
there's two ways of verifying that the certs are correct.

I also have it set up for the website at https://grepular.com/ - If you're
using Firefox, have a DNSSEC capable resolver and are using the addon
from https://www.dnssec-validator.cz/, it will display a nice green icon
in the address bar to show you that DNSSEC is in use, and another to show
you that DANE validated, when visiting https://grepular.com/

Thanks to signed DNS, you can also fetch my PGP key safely and
independently of keyservers:

  gpg --auto-key-locate pka -ear mike.cardwell(NOSPAM)@grepular.com

That command will cause GnuPG to perform the following DNS lookup:

  mike@flan:~$ dig +short TXT mike.cardwell(NOSPAM)._pka.grepular.com
  "v=pka1\;fpr=35BCAF1D3AA21F843DC3B0CF70A5F5120018461F\;uri=http://grepular.com/0018461F.pub.asc"
  mike@flan:~$ 

It then fetches the key from http://grepular.com/0018461F.pub.asc and
validates that the fingerprint matches the one in the DNS response.

Also, all of my email is encrypted at rest thanks to GnuPG. Even the
stuff which was not encrypted when it was sent:

  https://grepular.com/Automatically_Encrypting_all_Incoming_Email
  https://grepular.com/Automatically_Encrypting_all_Incoming_Email_Part_2

-- 
Mike Cardwell  https://grepular.com https://emailprivacytester.com
OpenPGP Key35BC AF1D 3AA2 1F84 3DC3   B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1   BF1B 295C 3C78 3EF1 46B4


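The two DNS-based checks described in this post (and the PKA key validation Werner mentions in the first message), as an added worked example that is not from Mike's post or from GnuPG or Postfix: matching a TLSA record of the form `3 0 1 <hex>` against a presented certificate, and parsing a `v=pka1` TXT record so the fingerprint of the fetched key can be compared with it. The certificate bytes, key packet body and the TLSA hash are constructed for the example; the PKA record is the one shown above.

```python
import hashlib
import hmac
import re

# --- DANE/TLSA: verify a presented end-entity certificate against a TLSA record ---

def tlsa_matches(record, cert_der, spki_der=None):
    """Return True if a TLSA record ('usage selector mtype hexdata', as dig
    prints it) matches the certificate. Usages 1 (PKIX-EE) and 3 (DANE-EE)
    refer to the end-entity cert; usages 0/2 name a CA and are not handled."""
    usage, selector, mtype, data = record.split(None, 3)
    if int(usage) not in (1, 3):
        raise ValueError("only end-entity usages (1, 3) are handled here")
    expected = bytes.fromhex(data.replace(" ", ""))   # dig wraps long hex with a space
    if int(selector) == 0:
        subject = cert_der                            # selector 0: full certificate
    elif int(selector) == 1 and spki_der is not None:
        subject = spki_der                            # selector 1: SubjectPublicKeyInfo
    else:
        raise ValueError("unsupported selector or missing SPKI")
    digest = {0: lambda b: b,                         # matching type 0: exact match
              1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}[int(mtype)]
    return hmac.compare_digest(digest(subject), expected)

# --- PKA: parse the TXT record and compute the fingerprint of a fetched key ---

def parse_pka(txt):
    """Parse a PKA TXT record as dig shows it ('"v=pka1\\;fpr=...\\;uri=..."')."""
    cleaned = txt.strip('"').replace("\\;", ";")
    fields = dict(p.split("=", 1) for p in cleaned.split(";") if p)
    fpr = fields.get("fpr", "").upper()
    if fields.get("v") != "pka1" or not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("not a valid pka1 record")
    return fpr, fields.get("uri")

def v4_fingerprint(pubkey_packet_body):
    """RFC 4880 12.2: SHA-1 over 0x99, the two-byte body length, and the body.
    This is what gpg compares against the fpr= field after fetching the uri."""
    hdr = b"\x99" + len(pubkey_packet_body).to_bytes(2, "big")
    return hashlib.sha1(hdr + pubkey_packet_body).hexdigest().upper()

# Constructed sample inputs (not a real certificate, TLSA record or key).
SAMPLE_CERT = bytes(range(256)) * 2
_h = hashlib.sha256(SAMPLE_CERT).hexdigest().upper()
SAMPLE_TLSA = f"3 0 1 {_h[:56]} {_h[56:]}"            # same wrapped layout as dig's output
SAMPLE_PKA = '"v=pka1\\;fpr=35BCAF1D3AA21F843DC3B0CF70A5F5120018461F\\;uri=http://grepular.com/0018461F.pub.asc"'
SAMPLE_KEY_BODY = b"\x04" + b"\x53\xcd\xd6\x00" + b"\x01" + b"\x00\x02\x03" + b"\x00\x01\x01"
```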


Re: Mutt: Decrypting inline gpg format directly

2014-07-22 Thread Heinz Diehl
On 21.07.2014, Werner Koch wrote: 

> IIRC, I implemented that about a decade ago.  Simply put
> set crypt_use_gpgme into your ~/.muttrc.

Besides the fact that this requires mutt to be compiled with "--enable-gpgme",
it never worked for me. The inline gpg/pgp mail is just shown as
plain text.

Anyway, nobody really wants inline pgp email either, so I'm just happy with
my simple procmail rules. Thanks, Mathias, for your improvements!

