Re: Where to save passphrases?

2014-07-25 Thread Mathias Bauer
* Schlacta, Christ wrote on Fri, 25 Jul 2014, at 15:25 (-0700):

> I might suggest using the same passphrase...

I don't want to sound harsh, but at this point you should hold on
reading.  "Using the same passphrase" should nowadays lead to big
red STOP signs flashing up.

> ...you use for your password manager for GPG.  So long as you
> use a strong passphrase and practice good password practices on
> this password, it should remain uncompromised.

Solving the problem of memorizing/storing the GnuPG passphrase by
using another layer of software means adding further complexity.
Although this possibly may not tear down security completely, the
general level of security is not improved.  Most likely it will
decrease.  Whether this is acceptable depends on your scenarios,
the known present ones and the possible future ones.

Being more aware of the consequences of these small actions like
"using the same password" surely belongs to the lessons learned
at least in the past year.  And, of course, how to prioritize
security in contrast to, e.g., usability.

Regards,
Mathias

-- 
CAcert Assurer

Do you want to encrypt your mail?  Then join CAcert and get your SSL
certificate from https://www.CAcert.org.  If you have any questions,
don't hesitate to ask.

OpenPGP:  ID 0x44C3983FA7629DE8 - http://www.sks-keyservers.net
Fingerprint: B100 5DC4 9686 BE64 87E9  0E22 44C3 983F A762 9DE8


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Where to save passphrases?

2014-07-25 Thread Schlacta, Christ
I might suggest using the same passphrase you use for your password
manager for GPG.  So long as you use a strong passphrase and practice
good password practices on this password, it should remain
uncompromised.

On Fri, Jul 25, 2014 at 2:36 PM, Mathias Bauer wrote:
> * Sudhir Khanger wrote on Fri, 25 Jul 2014, at 23:10 (+0530):
>
>> I was wondering once you have a working setup where do you save
>> your passphrases of your master and multiple subkeys.
>
> Usually it's *one* passphrase for the whole GnuPG key material.
> And even more usually this one is stored in one's human brain.
> (Some special scenarios may handle this differently.)
>
>> Is it safe to use some sort of password manager? Not really
>> ideal but I use LastPass.
>
> Maybe the human brain is not ready for storing a great and still
> growing number of passwords, but it is capable of storing at least
> a very small number of important passphrases.  For all those
> other passwords using a password manager may be just fine.
>
> So, if you're using a password manager for your GnuPG passphrase,
> you will either run immediately into a chicken-and-egg dilemma, as the
> manager needs a password, too.  Or you might not be concerned at
> all about security and might ask yourself why use GnuPG anyway.
>
> I'm sorry, there are only these two possibilities.
>
> Regards,
> Mathias
>



Re: Where to save passphrases?

2014-07-25 Thread Mathias Bauer
* Sudhir Khanger wrote on Fri, 25 Jul 2014, at 23:10 (+0530):

> I was wondering once you have a working setup where do you save
> your passphrases of your master and multiple subkeys.

Usually it's *one* passphrase for the whole GnuPG key material.
And even more usually this one is stored in one's human brain.
(Some special scenarios may handle this differently.)

> Is it safe to use some sort of password manager? Not really
> ideal but I use LastPass.

Maybe the human brain is not ready for storing a great and still
growing number of passwords, but it is capable of storing at least
a very small number of important passphrases.  For all those
other passwords using a password manager may be just fine.

So, if you're using a password manager for your GnuPG passphrase,
you will either run immediately into a chicken-and-egg dilemma, as the
manager needs a password, too.  Or you might not be concerned at
all about security and might ask yourself why use GnuPG anyway.

I'm sorry, there are only these two possibilities.

Regards,
Mathias



Where to save passphrases?

2014-07-25 Thread Sudhir Khanger
I am slowly getting the hang of GnuPG. I was wondering once you have a
working setup where do you save your passphrases of your master and
multiple subkeys. Is it safe to use some sort of password manager? Not
really ideal but I use LastPass.

-- 
Regards,
Sudhir Khanger.
sudhirkhanger.com
https://github.com/donniezazen



Re: mailto with pgp fingerprint

2014-07-25 Thread Thomas Harning
On Fri, 25 Jul 2014 14:44:54 +0100
MFPA <2014-667rhzu3dc-lists-gro...@riseup.net> wrote:

> 
> Hi
> 
> 
> On Friday 25 July 2014 at 2:01:28 PM, Schlacta, Christ wrote:
> 
> 
> > On Jul 25, 2014 5:30 AM, "MFPA"
> > <2014-667rhzu3dc-lists-gro...@riseup.net> wrote:
> >> If I recall correctly, PGP's keyserver "PGP Global
> >> Directory" sends an email to each email address in the
> >> uids when a key is submitted, and only lists those
> >> uids whose email address replies. It re-sends these
> >> verification emails every six months, and deletes keys
> >> if there is no reply. It also allows anybody with
> >> access to your email address to delete your key and
> >> upload a different one, according to Wikipedia [0].
> 
> > I just recently published a number of keys, and never
> > noticed any such emails.
> 
> 
> Did you publish them to the (stand-alone) "PGP Global Directory"
> rather than to one of the keyservers that propagates the keys to each
> other?
> 
> It's possible the "PGP Global Directory" has changed its processes,
> but any such change is not yet reflected in their FAQ page [0], which
> still says:-
> 
> "What new features are available with the PGP Global Directory?
> The PGP Global Directory uses next-generation keyserver technology; it
> sends verification messages to the email addresses on a submitted key
> and lets you manage your own key, including removing it--features not
> available on keyservers with older keyserver technology."
> 
> and:-
> 
> "Does the PGP Global Directory use any other methods for keeping
> itself free of unusable keys?
> Yes. The PGP Global Directory re-verifies keys every six months by
> sending a renewal email message to the email address on the key. If
> the key owner does not respond, the key will be removed from the
> directory. In order for the key to remain on the PGP Global Directory,
> the owner must approve the renewal request. This feature ensures the
> PGP Global Directory will always contain only current keys."
> 
> 
> [0] .
> 
> 
> -- 
> Best regards
> 
> MFPA    mailto:2014-667rhzu3dc-lists-gro...@riseup.net
> 
> The cure for anything is salt water - sweat, tears, or the sea.

While PGP Global Directory provides for some basic level of "this email address 
belongs to this key"... its key signing policy leads to "cruft" buildup.

Back in April 2011 I signed up for it and got a series of key signatures every 
few weeks until January 2012 when I got fed up with it. There are now 14 
expired signatures 'stuck' on my key and published to the directories...


-- 
Thomas Harning 




Re: mailto with pgp fingerprint

2014-07-25 Thread Alexander Reiter
MFPA wrote:
> If I recall correctly, PGP's keyserver "PGP Global Directory" sends an
> email to each email address in the uids when a key is submitted, and
> only lists those uids whose email address replies. It re-sends these
> verification emails every six months, and deletes keys if there is no
> reply. It also allows anybody with access to your email address to
> delete your key and upload a different one, according to Wikipedia
> [0].

"Instead of revoking your key, simply remove it from the directory."
   -- PGP Global Directory Frequently Asked Questions (FAQ)

Meaning that gpg --keyserver ldap://keyserver.pgp.com --refresh-keys
would result in unchanged keys, even if I had revoked them.



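An added example, not code from any poster: a small parser over `gpg --with-colons --list-sigs` output that counts, per user ID, how many third-party certifications have expired versus are still live (the kind of stuck directory signatures Thomas describes above), and also reports whether the local copy of the key is marked revoked, which a refresh from a directory that merely deletes keys, as Alexander notes, would not convey. The sample output, its key IDs and signer names are constructed, and timestamps are assumed to be unix seconds as gpg 2.x prints them.

```python
import time
from collections import Counter

# Constructed sample of `gpg --with-colons --list-sigs` output (not a real key).
# Colon-format fields used below (1-indexed as in gpg's DETAILS file):
# 1 record type, 2 validity ('r' = revoked on pub), 5 long key ID,
# 6 creation time, 7 expiration time (unix seconds, assumed gpg 2.x style),
# 10 user ID or signer name, 11 signature class ("10".."13" certify a UID).
SAMPLE = """\
pub:u:4096:1:0000000000000001:1300000000::u:::scESC::::::::
uid:u::::1300000000::HASH0::Example User <user@example.org>::::::::::
sig:::1:0000000000000001:1300000000::::Example User <user@example.org>:13x:::::::::
sig:::1:00000000000000D0:1302000000:1304000000:::Directory Verification Key (constructed):10x:::::::::
sig:::1:00000000000000D0:1304000000:1306000000:::Directory Verification Key (constructed):10x:::::::::
sig:::1:00000000000000D0:1306000000:1308000000:::Directory Verification Key (constructed):10x:::::::::
sig:::1:00000000000000F0:1310000000::::Friend <friend@example.net>:10x:::::::::
"""


def certification_report(colon_output, now=None):
    """Return (key_revoked, {uid: (expired, live)}) counting third-party UID
    certifications on each user ID; self-signatures are ignored.
    `now` is a unix timestamp and defaults to the current time."""
    if now is None:
        now = int(time.time())
    key_id, revoked, uid, counts = None, False, None, {}
    for line in colon_output.splitlines():
        f = line.split(":")  # gpg escapes ':' inside user IDs as \x3a, so split is safe
        if f[0] == "pub":
            key_id, revoked = f[4], f[1] == "r"
        elif f[0] == "uid":
            uid = f[9]
            counts.setdefault(uid, Counter())
        elif f[0] == "sig" and uid is not None:
            if f[10][:2] not in ("10", "11", "12", "13") or f[4] == key_id:
                continue  # not a UID certification, or the key's own self-signature
            expired = bool(f[6]) and int(f[6]) <= now
            counts[uid]["expired" if expired else "live"] += 1
    return revoked, {u: (c["expired"], c["live"]) for u, c in counts.items()}


if __name__ == "__main__":
    revoked, per_uid = certification_report(SAMPLE, now=1309000000)
    print("key revoked in local keyring:", revoked)
    for u, (expired, live) in per_uid.items():
        print(f"{u}: {expired} expired, {live} live third-party certifications")
```

On a real keyring, pipe `gpg --with-colons --list-sigs <keyid>` into `certification_report` to see how much directory cruft a key carries before deciding whether to clean it with `gpg --edit-key`.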


Re: mailto with pgp fingerprint

2014-07-25 Thread MFPA

Hi


On Friday 25 July 2014 at 3:12:58 PM, Thomas Harning wrote:


> While PGP Global Directory provides for some basic
> level of "this email address belongs to this key"...
> its key signing policy leads to "cruft" buildup.

Yes, I wasn't promoting it. Just replying to Steve's post about
keyservers verifying UIDs by sending emails being a "nice solution"
and had it been discussed - by showing him that it had actually been
tried and there is an instance publicly available. I was hoping that
Steve would then search for discussions on "PGP Global Directory" to
see arguments for and against, or maybe that somebody would briefly
summarise here.


> Back in April 2011 I signed up for it and got a series
> of key signatures every few weeks until January 2012
> when I got fed up with it. There are now 14 expired
> signatures 'stuck' on my key and published to the
> directories...

And I guess these have been leaked onto the networked keyservers,
rather than being confined to PGP Global Directory? I never really saw
the point of those signatures from the directory: if it was listed
there, it had been verified in the last six months, and once a user
had downloaded and used it for communication, they knew whether or not
it worked.




-- 
Best regards

MFPA    mailto:2014-667rhzu3dc-lists-gro...@riseup.net

Courage is not the absence of fear, but the mastery of it.


Re: mailto with pgp fingerprint

2014-07-25 Thread MFPA

Hi


On Friday 25 July 2014 at 2:01:28 PM, Schlacta, Christ wrote:


> On Jul 25, 2014 5:30 AM, "MFPA"
> <2014-667rhzu3dc-lists-gro...@riseup.net> wrote:
>> If I recall correctly, PGP's keyserver "PGP Global
>> Directory" sends an email to each email address in the
>> uids when a key is submitted, and only lists those
>> uids whose email address replies. It re-sends these
>> verification emails every six months, and deletes keys
>> if there is no reply. It also allows anybody with
>> access to your email address to delete your key and
>> upload a different one, according to Wikipedia [0].

> I just recently published a number of keys, and never
> noticed any such emails.


Did you publish them to the (stand-alone) "PGP Global Directory"
rather than to one of the keyservers that propagates the keys to each
other?

It's possible the "PGP Global Directory" has changed its processes,
but any such change is not yet reflected in their FAQ page [0], which
still says:-

"What new features are available with the PGP Global Directory?
The PGP Global Directory uses next-generation keyserver technology; it
sends verification messages to the email addresses on a submitted key
and lets you manage your own key, including removing it--features not
available on keyservers with older keyserver technology."

and:-

"Does the PGP Global Directory use any other methods for keeping
itself free of unusable keys?
Yes. The PGP Global Directory re-verifies keys every six months by
sending a renewal email message to the email address on the key. If
the key owner does not respond, the key will be removed from the
directory. In order for the key to remain on the PGP Global Directory,
the owner must approve the renewal request. This feature ensures the
PGP Global Directory will always contain only current keys."


[0] .


-- 
Best regards

MFPA    mailto:2014-667rhzu3dc-lists-gro...@riseup.net

The cure for anything is salt water - sweat, tears, or the sea.


Re: mailto with pgp fingerprint

2014-07-25 Thread Schlacta, Christ
On Jul 25, 2014 5:30 AM, "MFPA" <2014-667rhzu3dc-lists-gro...@riseup.net>
wrote:
>
>
> Hi
>
>
> On Wednesday 23 July 2014 at 9:02:23 PM, steve wrote:
>
>
> > Wouldn’t it be a nice solution, if key server software
> > had a mechanism for users to verify their UserID by
> > sending a mail to the mail address in question.
>
> If I recall correctly, PGP's keyserver "PGP Global Directory" sends an
> email to each email address in the uids when a key is submitted, and
> only lists those uids whose email address replies. It re-sends these
> verification emails every six months, and deletes keys if there is no
> reply. It also allows anybody with access to your email address to
> delete your key and upload a different one, according to Wikipedia
> [0].

I just recently published a number of keys, and never noticed any such
emails.

>
> [0] <https://en.wikipedia.org/wiki/Key_server_%28cryptographic%29#Problems_with_keyservers>
>
> -- 
> Best regards
>
> MFPA    mailto:2014-667rhzu3dc-lists-gro...@riseup.net
>
> Yellow snow is not lemon flavoured


Re: mailto with pgp fingerprint

2014-07-25 Thread MFPA

Hi


On Wednesday 23 July 2014 at 9:02:23 PM, steve wrote:


> Wouldn’t it be a nice solution, if key server software
> had a mechanism for users to verify their UserID by
> sending a mail to the mail address in question.

If I recall correctly, PGP's keyserver "PGP Global Directory" sends an
email to each email address in the uids when a key is submitted, and
only lists those uids whose email address replies. It re-sends these
verification emails every six months, and deletes keys if there is no
reply. It also allows anybody with access to your email address to
delete your key and upload a different one, according to Wikipedia
[0].

[0] <https://en.wikipedia.org/wiki/Key_server_%28cryptographic%29#Problems_with_keyservers>


-- 
Best regards

MFPA    mailto:2014-667rhzu3dc-lists-gro...@riseup.net

Yellow snow is not lemon flavoured