Re: So on & so forth

2014-08-19 Thread Nicholas Cole
On Fri, Aug 15, 2014 at 6:54 PM, Richard Outerbridge  wrote:
> Still waiting for my email address, yet my blackphone is already in
> my hands.  Keep up the good work.
>
> I’m not going to bother with 2.1 until the Mac guyz come to their
> senses about not forking the crypto.  Could be a long wait.


They've made a fork? I hadn't realised that. Why on earth?

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: So on & so forth

2014-08-19 Thread Ville Määttä
Quite. Who are the "Mac guys" and what did they fork?

-- 
Ville

> On 19.8.2014, at 12.14, Nicholas Cole  wrote:
> 
>> On Fri, Aug 15, 2014 at 6:54 PM, Richard Outerbridge wrote:
>> Still waiting for my email address, yet my blackphone is already in
>> my hands.  Keep up the good work.
>> 
>> I’m not going to bother with 2.1 until the Mac guyz come to their
>> senses about not forking the crypto.  Could be a long wait.
> 
> 
> They've made a fork? I hadn't realised that. Why on earth?
> 


Re: So on & so forth

2014-08-19 Thread Werner Koch
On Tue, 19 Aug 2014 11:14, nicholas.c...@gmail.com said:

> They've made a fork? I hadn't realised that. Why on earth?

I don't know.  However they use a set of patches (e.g. allowing 8k keys)
and thus the Mac version diverts from the gnupg.org version.  Actually
Gpg4win does the same but I take care that those patches get back to
upstream.  In fact all but one patch are regular commits done after a
release to fix Windows problems.  The remaining patch extends the GnuPG
version with the Gpg4win version.

I would appreciate if the Mac folks would decide to use gnupg-devel for
development.  It would also be desirable if the new speedo build system
from 2.1 could also be used for Mac OS.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




ftp.gnupg.org blocking Tor IP's?

2014-08-19 Thread Kristy Chambers
Hello,
I just wanted to download gnupg via ftp from
ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.18.tar.bz2 and got the
following warning: "425 Error accepting connection; connection from
invalid IP."

My IP was: 46.4.46.66

Kind regards,
Chambers



Re: ftp.gnupg.org blocking Tor IP's?

2014-08-19 Thread Werner Koch
On Tue, 19 Aug 2014 11:53, k.chamb...@openmailbox.org said:

> following warning: "425 Error accepting connection; connection from
> invalid IP."
>
> My IP was: 46.4.46.66

Sorry, I can't find your IP in the logs.  I can ping that address from
the server, traceroute shows no strangeness, and that subnet is not
blocked (one is blocked due to a DoS).

Tor exit nodes are of course not blocked.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: So on & so forth

2014-08-19 Thread Robert J. Hansen

> They've made a fork? I hadn't realised that. Why on earth?


They emphatically disagree with some of the key size limits.

To be blunt, it's made me lose a lot of faith in the developers.  In the 
grand scheme of things, it's hard to find *anything* less significant 
than whether someone uses RSA-2048 or RSA-8192.






Re: It's time for PGP to die.

2014-08-19 Thread James Platt
On Aug 18, 2014, at 3:21 PM, Robert J. Hansen  wrote:

>> At least for US persons, iirc the protection doesn't extend beyond
>> that?
> 
> No, the Fourth Amendment protects all people within U.S. borders
> equally.  Americans get no special protections over visitors to the country.

The Fourteenth Amendment makes this clear.  It was added to The Constitution 
after the American Civil War because southerners who were opposing 
reconstruction claimed that the former slaves did not have constitutional 
rights because they were not citizens.  To be more precise, constitutional 
rights apply to “…all persons within the jurisdiction of the United States.”   
In a more recent event, the Supreme Court ruled that Guantanamo Bay is in the 
jurisdiction of the United States and, therefore, the detainees moved there 
gained the protection of The Constitution.







Re: So on & so forth

2014-08-19 Thread Robert J. Hansen

> 2. They have a default skeleton gpg.conf with incompatible digest
> algo etc. (as discussed many times on the list).


Use of cert-digest-algo isn't really a problem unless you're needing
people running old PGP or GnuPG to be able to verify your signatures.
That's less of a problem than using digest-algo, which can easily
produce message traffic your correspondents can't read.




Re: Fwd: It's time for PGP to die.

2014-08-19 Thread MFPA

Hi


On Monday 18 August 2014 at 7:11:57 PM, Robert J. Hansen wrote:


> If you're a witness
> to a crime, you can be compelled to testify about what
> you see.

Yes, but they can't make you remember accurately what you saw, or tell
you what to say.


-- 
Best regards

MFPA mailto:2014-667rhzu3dc-lists-gro...@riseup.net

Amateurs built the ark. Professionals built the Titanic.


Re: It's time for PGP to die.

2014-08-19 Thread Johan Wevers
On 19-08-2014 17:10, James Platt wrote:

> In a more recent event, the Supreme Court ruled that Guantanamo Bay
> is in the jurisdiction of the United States and, therefore, the
> detainees moved there gained the protection of The Constitution.

And do they get it or will the government just ignore the supreme court?

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html




Re: Fwd: It's time for PGP to die.

2014-08-19 Thread Johan Wevers
On 19-08-2014 4:43, Robert J. Hansen wrote:

> real life.  The DA is allowed to threaten prosecution of only those
> crimes the DA reasonably believes a person violated,

But that is a very vague criterion. "You liked Wikileaks on Facebook so
I'm going to sue you for terrorism and treason".

> Don't get me wrong: prosecutors have a lot of power, and I personally
> believe they have too much power with too little accountability.
> However, it's not a de-facto state of tyranny, either.

The executive branch seems to be more in the spirit of Robespierre than
that of Montesquieu. A trend in the entire western world, trias politica
exists more often than not in name only.

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html




Re: Fwd: It's time for PGP to die.

2014-08-19 Thread MFPA

Hi


On Monday 18 August 2014 at 1:25:41 PM, Robert J. Hansen wrote:


> Basically, if the fact you know something would tend to
> implicate you in the commission of a crime, then you
> can't be compelled to reveal that you know it.  Whether
> it's a passphrase or a safe combination makes no
> difference.

So why couldn't somebody just claim that to be the case when it
wasn't?

-- 
Best regards

MFPA mailto:2014-667rhzu3dc-lists-gro...@riseup.net

Ultimate consistency lies in being consistently inconsistent


Re: It's time for PGP to die.

2014-08-19 Thread MFPA

Hi


On Monday 18 August 2014 at 8:21:06 PM, Robert J. Hansen wrote:



> No, the Fourth Amendment protects all people within
> U.S. borders equally.  Americans get no special
> protections over visitors to the country.

Do people at a border crossing point count as being "within" the
borders?

-- 
Best regards

MFPA mailto:2014-667rhzu3dc-lists-gro...@riseup.net

Puns are bad but poetry is verse.


Re: So on & so forth

2014-08-19 Thread Ville Määttä
Yeah. Ok. Assuming the Mac guys / fork referred to here are GPGTools / MacGPG2 
I can see a couple bigger issues there than just patching in support for bigger 
keys.

1. The package and gnupg2 version used has not been updated since October 2013 
(2013.10.22). If I’m not completely mistaken the version is still 2.0.22. As 
discussed on the list, one of the more important things would be timely 
updates. [1]
2. They have a default skeleton gpg.conf with incompatible digest algo etc. (as 
discussed many times on the list). I don’t think they patch an existing 
gpg.conf but they are meant to be the easy-to-use packaged installer for 
first-time users use case. [2]

[1] https://gpgtools.org
[2] https://github.com/GPGTools/MacGPG2/blob/dev/Formula/Patches/gnupg2/options.skel.patch

-- 
Ville

On 19 Aug 2014, at 16:48, Robert J. Hansen  wrote:

>> They've made a fork? I hadn't realised that. Why on earth?
> 
> They emphatically disagree with some of the key size limits.
> 
> To be blunt, it's made me lose a lot of faith in the developers.  In the 
> grand scheme of things, it's hard to find *anything* less significant than 
> whether someone uses RSA-2048 or RSA-8192.
> 
> 
> 


Re: So on & so forth

2014-08-19 Thread Doug Barton

On 8/19/14 4:01 AM, Werner Koch wrote:
> On Tue, 19 Aug 2014 11:14, nicholas.c...@gmail.com said:
>
>> They've made a fork? I hadn't realised that. Why on earth?
>
> I don't know.  However they use a set of patches (e.g. allowing 8k keys)
> and thus the Mac version diverts from the gnupg.org version.  Actually
> Gpg4win does the same but I take care that those patches get back to
> upstream.  In fact all but one patch are regular commits done after a
> release to fix Windows problems.  The remaining patch extends the GnuPG
> version with the Gpg4win version.
>
> I would appreciate if the Mac folks would decide to use gnupg-devel for
> development.  It would also be desirable if the new speedo build system
> from 2.1 could also be used for Mac OS.


So, which "mac guys" are you referring to? I recently got a Macbook for 
work and have been busy trying to recreate my environment/tools. I found 
the "GPG Suite" from this web site: https://gpgtools.org/index.html 
which seemed legit enough ... are those the developers you're referring 
to? Is there any concern over using their stuff?


I got to their site from the link  on 
https://www.gnupg.org/download/index.html so I had assumed it was Ok. :-/


Doug




Re: So on & so forth

2014-08-19 Thread Doug Barton

On 8/19/14 11:17 AM, Ville Määttä wrote:
> 1. The package and gnupg2 version used has not been updated since October 2013
> (2013.10.22). If I’m not completely mistaken the version is still 2.0.22.


Yes, that was my biggest concern as well (and you're correct on the 
version).


Is there a better solution? I'm comfortable on the command line, and 
wouldn't mind compiling my own if there was a suitable step-by-step 
guide available. I've compiled lots of stuff for FreeBSD and Linux, but 
while I've used Macs in the past I'm new to being a Mac "owner."


If "compile your own" is the right answer, I'd also be appreciative of a 
guide for getting gpg-agent running on a Mac. I see the GPG Suite 
version running in the ps list, and I know how to get .app stuff started 
at login time, but I haven't gotten to the part of the manual where it 
talks about autostart for command line stuff yet. :)


Thanks,

Doug




Re: It's time for PGP to die.

2014-08-19 Thread Martin Behrendt

Am 19.08.2014 um 21:16 schrieb MFPA:
> Hi
> 
> 
> On Monday 18 August 2014 at 8:21:06 PM, Robert J. Hansen wrote:
> 
> 
> 
>> No, the Fourth Amendment protects all people within U.S. borders
>> equally.  Americans get no special protections over visitors to
>> the country.
> 
> Do people at a border crossing point count as being "within" the 
> borders?
> 

As far as I know, at (international) airports the answer is "no".
There is a zone (that can be extended at will*), where you are
basically in no man's land.
I think that relates to the word "transit zone"[0]
A search for "airport transit zone" might get you some better information.

[0] https://en.wikipedia.org/wiki/International_zone
* see also Snowden and his whereabouts during the phase where he
applied for asylum


Re: So on & so forth

2014-08-19 Thread Ludwig Hügelschäfer

On 19.08.14 20:17, Ville Määttä wrote:
> Yeah. Ok. Assuming the Mac guys / fork referred to here are
> GPGTools / MacGPG2 I can see a couple bigger issues there than just
> patching in support for bigger keys.

Ack. Nevertheless, I don't like some of the other patches.

> 1. The package and gnupg2 version used has not been updated since 
> October 2013 (2013.10.22). If I’m not completely mistaken the
> version is still 2.0.22. As discussed on the list, one of the more
> important things would be timely updates. [1]

Ack. They use the build system from homebrew. They update recipes from
time to time, but their releases normally go only with major Mac OS X
updates (e.g. 10.8 -> 10.9), as in last October with 2.0.22. Their
main target is the gpg-plugin for Apple mail, I think.

I have cloned their build system, modify their recipe (mostly take out
some patches) and can keep my gpg2 very recent with minimum effort
from my side.

The supplied pinentry is highly integrated in Mac OS X look and feel
and works reliably - no background/foreground issues like the one from
gpg4win. But I assume, that's Windows' fault, mostly.

There is no visible work towards an adoption of gnupg 2.1 in their
repository.

Ludwig



Re: So on & so forth

2014-08-19 Thread Ville Määttä
I just went through the process of switching to brew provided gpg2. Anyone not 
interested in the particular Mac workflow can skip this one.

So, removing GPG Suite, installed gnupg2 via brew, re-installing GPG Suite 
without MacGPG2 (i.e. the Mail.app helpers etc.). There is a bit of work 
involved in making a launchd script for gpg-agent and getting a working 
pinentry-mac but if gpg-agent is not a requirement, one can just go with the 
brew version.

Here’s a quick-n-dirty walk-through:

1. Remove GPG Suite using the uninstaller provided with the installer.
2. brew install gnupg2 (installs gpg-agent as a dependency).
3. Install GPG Suite, choose Customize —> Leave out MacGPG2
4. Install pinentry-mac, either binary [1] or source [2]. The pinentry with 
brew didn’t work for me. I went for the binary seeing as the build started 
requiring a bit too many dependencies I didn’t want to install right now. 
Latest binary worked for me.
5. Add pinentry-mac location to gpg-agent.conf, e.g. 
/usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac (I just 
copied the binary to where MacGPG2 installs it.)
6. Add a ~/Library/LaunchAgents/com.ruriat.gpgagent.plist [3] <— Note that the 
name is quite freeform. Customise as needed.
7. Add the usual agent environment variables to bash profile [4].


[1] https://github.com/GPGTools/pinentry-mac/downloads
[2] https://github.com/GPGTools/pinentry-mackk

[3] My example is based on 
http://spin.atomicobject.com/2014/02/09/gnupg-openpgp-smartcard/

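** START [3] com.ruriat.gpgagent.plist **

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.ruriat.gpgagent</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/gpg-agent</string>
        <string>--daemon</string>
        <string>--scdaemon-program</string>
        <string>/usr/local/Cellar/gnupg2/2.0.26/libexec/scdaemon</string>
        <string>--write-env-file</string>
        <string>--use-standard-socket</string>
        <string>--default-cache-ttl</string>
        <string>43200</string>
        <string>--enable-ssh-support</string>
        <string>--default-cache-ttl-ssh</string>
        <string>43200</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StandardErrorPath</key>
    <string>/dev/null</string>
    <key>StandardOutPath</key>
    <string>/dev/null</string>
    <key>ServiceDescription</key>
    <string>Run gpg-agent at login.</string>
</dict>
</plist>

** END [3] com.ruriat.gpgagent.plist **

[4] START (file ~/.bash_profile)

GPG_TTY=$(tty)
export GPG_TTY
# GPG Agent for SSH support
if [ -f "${HOME}/.gpg-agent-info" ]; then
    . "${HOME}/.gpg-agent-info"
    export GPG_AGENT_INFO
    export SSH_AUTH_SOCK
    export SSH_AGENT_PID
fi

[4] END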

-- 
Ville

On 19 Aug 2014, at 22:33, Doug Barton  wrote:

> On 8/19/14 11:17 AM, Ville Määttä wrote:
>> 1. The package and gnupg2 version used has not been updated since October 
>> 2013 (2013.10.22). If I’m not completely mistaken the version is still 
>> 2.0.22.
> 
> Yes, that was my biggest concern as well (and you're correct on the version).
> 
> Is there a better solution? I'm comfortable on the command line, and wouldn't 
> mind compiling my own if there was a suitable step-by-step guide available. 
> I've compiled lots of stuff for FreeBSD and Linux, but while I've used Macs 
> in the past I'm new to being a Mac "owner."
> 
> If "compile your own" is the right answer, I'd also be appreciative of a 
> guide for getting gpg-agent running on a Mac. I see the GPG Suite version 
> running in the ps list, and I know how to get .app stuff started at login 
> time, but I haven't gotten to the part of the manual where it talks about 
> autostart for command line stuff yet. :)
> 
> Thanks,
> 
> Doug
> 
> 


Re: So on & so forth

2014-08-19 Thread Werner Koch
On Tue, 19 Aug 2014 20:41, do...@dougbarton.us said:

> I got to their site from the link  on
> https://www.gnupg.org/download/index.html so I had assumed it was
> Ok. :-/

Me too.  I do not have access to a Mac, thus I am not able to test the
stuff myself.  After they fixed some license related things and talking
an hour to one of the contributors, I once added gpgtools.org to
gnupg.org.

Regarding timely updates we have the same problem on Windows: The
Gpg4win package is huge and thus I can't easily build it along with a
new GnuPG release.  My tentative plan is to split off the GnuPG core and
provide a Windows installer just for the GnuPG code.  That installer
should be able to operate in silent mode, so that it can be used as
sub-installer from other packages.  And it would allow to update just
GnuPG.  I am currently looking into Side-by-Side assemblies (Manifest
files) to reduce problems with multiple versions of certain DLLs
installed on Windows.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: So on & so forth

2014-08-19 Thread Hauke Laging
Am Di 19.08.2014, 14:49:37 schrieb Robert J. Hansen:
> > 2. They have a default skeleton gpg.conf with incompatible digest
> > algo etc. (as discussed many times on the list).
> 
> Use of cert-digest-algo isn't really a problem unless you're needing
> people running old PGP or GnuPG to be able to verify your signatures.
> That's less of a problem than using digest-algo, which can easily
> produce message traffic your correspondents can't read.

Without additional assumptions this is wrong for the simple reason that 
cert-digest-algo renders the self-signatures unreadable, too. A 
certificate with (valid) self-signatures using an incompatible digest is 
completely useless to the other party.


Hauke
-- 
Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
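
The digest-algo versus cert-digest-algo point argued in the messages above can be checked on a given gpg.conf. The following is an added example, not code from any poster in this thread or from GPGTools: a shell function that lists options forcing an algorithm instead of stating a preference. The option names are GnuPG's; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: list gpg.conf options that force an algorithm instead of
# stating a preference. Function names and sample data are constructed.

# lint_gpg_conf FILE
# Prints one record per finding:  LINE:OPTION:VALUE:NOTE
lint_gpg_conf() {
    awk '
    BEGIN {
        # These override negotiation against the recipient key preferences;
        # GnuPG offers a preference-list option in place of each.
        note["digest-algo"]   = "forces the hash for message signatures; prefer personal-digest-preferences"
        note["cipher-algo"]   = "forces the symmetric cipher; prefer personal-cipher-preferences"
        note["compress-algo"] = "forces the compression algorithm; prefer personal-compress-preferences"
        # No preference-list equivalent: this selects the hash used for key
        # signatures, self-signatures included.
        note["cert-digest-algo"] = "sets the hash for key signatures, including self-signatures"
    }
    {
        line = $0
        sub(/^[ \t]+/, "", line)               # ignore leading blanks
        sub(/[ \t\r]+$/, "", line)             # tolerate trailing blanks and CRLF
        if (line == "" || line ~ /^#/) next    # blank line or comment
        n = split(line, field, /[ \t]+/)
        opt = field[1]
        if (opt in note)
            printf "%d:%s:%s:%s\n", NR, opt, (n > 1 ? field[2] : ""), note[opt]
    }' "$1"
}

# forced_count FILE
# Prints the number of findings for FILE.
forced_count() {
    lint_gpg_conf "$1" | wc -l | tr -d ' '
}

# Constructed sample, not the contents of any real skeleton file.
sample=$(mktemp "${TMPDIR:-/tmp}/gpgconf.XXXXXX")
cat > "$sample" <<'EOF'
# display settings
keyid-format 0xlong
digest-algo SHA512
cert-digest-algo SHA512
personal-digest-preferences SHA512 SHA384 SHA256
#cipher-algo AES256
EOF

lint_gpg_conf "$sample"
rm -f "$sample"
```

Run it against `~/.gnupg/gpg.conf` after installing any packaged GnuPG to see whether the shipped defaults pin an algorithm.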




Re: So on & so forth

2014-08-19 Thread Peter Lebbing
On 19/08/14 21:52, Ludwig Hügelschäfer wrote:
> Ack. They use the build system from homebrew. They update recipes from
> time to time, but their releases normally go only with major Mac OS X
> updates (e.g. 10.8 -> 10.9), as in last october with 2.0.22. Their
> main target is the gpg-plugin for Apple mail, I think.

So apparently they're not too worried about the DoS fixed in 2.0.24. And
libgcrypt 1.6.0, which succeeds a version vulnerable to "Get Your Hands Off My
Laptop" if I'm not mistaken, was released in December. I'd hazard a guess that
they ship a vulnerable 1.5.x version.

So everybody: hands off the Mac! ;)

I think that you should only build or fork software[1] when you're willing to
provide the service of security fixes to your users, or clearly indicate this is
out of your scope. Do they provide security support? I think the libgcrypt one
might warrant a fix. A DoS is just annoying.

Peter.

[1] Especially security software

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: Fwd: It's time for PGP to die.

2014-08-19 Thread Bob Holtzman
On Mon, Aug 18, 2014 at 10:43:49PM -0400, Robert J. Hansen wrote:
> On 8/18/2014 9:32 PM, Bob Holtzman wrote:
> > There are quite a few ways police and prosecutors can coerce a 
> > suspect to hand over his encryption key(s).
> 
> Your examples which involve coercion are illegal, and the ones that are
> legal do not involve coercion.
> 
> > Dangling the prospect of a lighter sentence under the poor bugger's 
> > nose
> 
> Not coercion.
> 
> Prosecutor: "We know you have an encrypted drive partition with a lot of
> child porn on it.  Give up your passphrase and we'll reduce it to ten
> counts of possession and drop the intent to distribute, and we won't
> object to sentences running concurrently."

Which, of course, carries the implied threat of not reducing it to ten
counts and objecting to concurrency if he doesn't come across with the
keys. 

Not coercion?

> 
> Defendant: "... that sounds really good."
> 
> Or, alternately, imagine the defendant is innocent of the charge:
> 
> Defendant: "I can't accept that deal.  I'm innocent of that."  (True: if
> you're innocent of the charge, you're not allowed to plead guilty to it.
>  You might be able to talk the judge into accepting an Alford, but it'd
> be an uphill battle.)

...and if the prosecutor is hungry for another conviction to aid in his
political ambitions it's Katy bar the door and the hell with the
truth.

BTW what's an Alford? 

> 
> Or, alternately, imagine the defendant is guilty, but only of eight
> counts of possession:
> 
> Defendant: "No deal.  I'll take my risks in court.  Good luck producing
> these 'thousands of images' you're talking about."
> 
> > or conversely, threatening to come down hard, perhaps going for a 
> > death penalty.
> 
> Grossly illegal, in violation of the canons of legal ethics,

So is hiding exculpatory evidence. Of course prosecutors would never do
such a thing, right? right?

> and will get an attorney disbarred.

If caught. Some were caught and are still practicing. It made the
papers.

http://usatoday30.usatoday.com/news/washington/judicial/2010-09-22-federal-prosecutors-reform_N.htm
http://reason.com/archives/2009/08/17/innocent-man-freed-but-shabby 

There are a bunch more.

> Don't confuse "Law & Order" re-runs with
> real life.  

Give me some credit, pal.

> The DA is allowed to threaten prosecution of only those
> crimes the DA reasonably believes a person violated, and the DA is
> expressly forbidden from using the threat of the death penalty to
> persuade someone to taking a lesser sentence.

What should be and what is isn't always the same.

> 
> > The surrender of a suspect's keys would be "voluntary" and therefore 
> > constitutional.
> 
> In your first example yes, in your second example no.
> 
> Don't get me wrong: prosecutors have a lot of power, and I personally
> believe they have too much power with too little accountability.
> However, it's not a de-facto state of tyranny, either.

Of course not. Some prosecutors are real, live, human beings with
consciences. Others...

> As always, my best advice for people facing legal problems is "shut up
> and get a lawyer."
> 





-- 
Bob Holtzman
Giant intergalactic brain-sucking hyperbacteria 
came to Earth to rape our women and create a race 
of mindless zombies.  Look!  It's working!




Re: It's time for PGP to die.

2014-08-19 Thread Robert J. Hansen

> And do they get it or will the government just ignore the supreme
> court?


This is the last I will be contributing to this misbegotten thread.

The Supreme Court gets involved only rarely, but when they do, they
settle the argument with the finality of a nuclear strike.

Consider the Detainee Treatment Act of 2005, which Congress passed with
enthusiastic support from the Bush Administration.  This law claimed
that it had the right to strip the Supreme Court of jurisdiction to hear
any challenges to the Act.  The Court was not amused and in a 5-3
decision threw the entire Guantanamo Bay military commissions structure
out on its ear -- to hell with what Congress and the President wanted!

http://en.wikipedia.org/wiki/Hamdan_v._Rumsfeld

I could literally list *dozens* of cases where the Supreme Court told
Congress and the President "no" on subjects where Congress and the
President insisted they would only take "yes" for an answer.  In each
case that I'm aware of, the Supreme Court won the argument handily.



Re: So on & so forth

2014-08-19 Thread Doug Barton

Ville,

Thank you for your detailed response, it was very helpful. :)

I'm curious about one thing, and sorry if this is off-topic but since 
we're discussing how to keep GnuPG up to date on Mac perhaps it is close 
enough to on-topic.


I notice you suggested (home)brew as the source of the gpg2 package. Can 
you say a little about the relative value of that project vs. MacPorts, 
Fink, or Rudix? I'm very slightly familiar with the first, and not 
really familiar with the others except by name, so I'm looking for pros, 
cons, advice, etc.


Thanks again,

Doug



Re: So on & so forth

2014-08-19 Thread Peter Lebbing
On 19/08/14 22:27, Peter Lebbing wrote:
> I think that you should only build or fork software[1] when you're willing to
> provide the service of security fixes to your users, or clearly indicate this
> is out of your scope. Do they provide security support?

I'm starting to regret my from-the-sideline know-it-better comments. They aren't
charging any money for it, and it's all open source. They don't owe anybody
anything for as far as I can see.

My apologies. I was out of line. It's fair to bring up the matter of security
updates, but not in the manner I did.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: Fwd: It's time for PGP to die.

2014-08-19 Thread Robert J. Hansen

> Not coercion?


Nope.  That's a trade.

Passphrase coercion is like so: "you will produce the passphrase, or you
will sit in jail until you decide to produce the passphrase, and we're
just fine if you sit in there the rest of your natural life, and once we
get the passphrase then we'll decide whether we want to prosecute you
further, and if we do then your time sitting in jail while deciding to
cough up the passphrase won't count against whatever prison term you
ultimately get."

What the prosecutor is offering there is, "you will plead guilty to
lesser charges, but I'm only willing to do this if you're willing to
show me the full extent of your illegal activities, so cough up the
passphrase so I can verify it for myself."

When you're facing coercion, you're not getting anything out of the
trade.  When you agree to something as part of a plea agreement, you do.
Or maybe you think that you should be allowed to get a plea deal just
by showing up, without cooperating with the State in any way?


> BTW what's an Alford?


http://lmgtfy.com/?q=alford+plea


> So is hiding exculpatory evidence. Of course prosecutors would never
> do such a thing, right? right?


The vast majority of prosecutors would not.  Some would, and in such
cases I think the doctrine of prosecutorial immunity should be waived.

Snark is not serious argument.


> There are a bunch more.


So what?  There are a bunch of prosecutors.  If even 1% of prosecutors
are corrupt -- which would make them on balance a bunch of saints by the
standards of the rest of society -- that's still a large number.  The
fact there are a large number of abuses is kind of unsurprising given a
country with over 300 million people.  It's the law of large numbers:
one-in-a-million events literally happen thousands of times a day.


>> Don't confuse "Law & Order" re-runs with real life.
>
> Give me some credit, pal.


You're the one who didn't know what an Alford plea was.  Just sayin'.

Please note: I'm not saying prosecutorial abuse doesn't happen, that
it's not a problem, or that we haven't vastly overcriminalized our civil
life.  But this paranoid fantasy some people have going, where they
believe *every* prosecutor is corrupt... that's just childish.



Re: Fwd: It's time for PGP to die.

2014-08-19 Thread MFPA

Hi


On Tuesday 19 August 2014 at 10:05:23 PM, in
, Robert J. Hansen wrote:



> What the prosecutor is offering there is, "you will plead guilty to
> lesser charges, but I'm only willing to do this if you're willing to
> show me the full extent of your illegal activities, so cough up the
> passphrase so I can verify it for myself."
>
> When you're facing coercion, you're not getting anything out of the
> trade.

In my opinion that is pure semantics.

The situation you described can be characterised as the prosecutor
telling the accused that they will suffer X regardless, plus the
threat that they will additionally suffer Y if they refuse to
co-operate.

That seems to resemble the definition of Coercion [0]:-

"The action or practice of persuading someone to do something by using
force or threats."

[0] 




-- 
Best regards

MFPA  mailto:2014-667rhzu3dc-lists-gro...@riseup.net

No matter what a man's past may have been, his future is spotless.




Re: Fwd: It's time for PGP to die.

2014-08-19 Thread Robert J. Hansen
> In my opinion that is pure semantics.

In other news, water is wet, bricks are heavy, and politicians lie.

Yes, it's pure semantics.  It's *law*.  What, were you expecting
something else?  Wake up and realize the essential nature of what you're
talking about: law is *all about* formalism, syntax, semantics.  If you
think law is other than this, then -- well -- this conversation just
ceased being worth my time.  Discussing law with people who complain
about "semantics" is like discussing biology with Creationists.

> The situation you described can be characterised...

The great thing about liberty is everyone has the right to an opinion.



Re: Fwd: It's time for PGP to die.

2014-08-19 Thread MFPA

Hi


On Tuesday 19 August 2014 at 11:48:29 PM, in
, Robert J. Hansen wrote:


> Yes, it's pure semantics.  It's *law*.  What, were you
> expecting something else?

Fair comment, but what has been described as "bargaining" is still
coercion.



> The great thing about liberty is everyone has the right
> to an opinion.

It had to be good for something.


-- 
Best regards

MFPA  mailto:2014-667rhzu3dc-lists-gro...@riseup.net

To know what we know, and know what we do not know, is wisdom.




Re: It's time for PGP to die.

2014-08-19 Thread Johan Wevers
On 19-08-2014 22:49, Robert J. Hansen wrote:

>> And do they get it or will the government just ignore the supreme
>> court?

> I could literally list *dozens* of cases where the Supreme Court told
> Congress and the President "no" on subjects where Congress and the
> President insisted they would only take "yes" for an answer.  In each
> case that I'm aware of, the Supreme Court won the argument handily.

Ah yes, the supreme court has had its say. Now the question is, do the
prisoners at Guantanamo Bay notice anything of it? Or will they still be
tortured, have no access to lawyers and get still no fair trial and the
right to sue for damages if they win after many years of imprisonment
without any formal case?

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html




Re: It's time for PGP to die.

2014-08-19 Thread MFPA

Hi


On Wednesday 20 August 2014 at 7:04:23 AM, in
, Johan Wevers wrote:


> Now the
> question is, do the prisoners at Guantanamo Bay notice
> anything of it? Or will they still be tortured, have no
> access to lawyers and get still no fair trial and the
> right to sue for damages if they win after many years
> of imprisonment without any formal case?

Not to mention having first been abducted and forcibly transported
halfway round the world.



-- 
Best regards

MFPA  mailto:2014-667rhzu3dc-lists-gro...@riseup.net

A closed mouth gathers no foot

