Re: Making the case for smart cards for the average user

2015-03-16 Thread MFPA



On Tuesday 17 March 2015 at 12:55:51 AM, in
, MFPA (me)  wrote:


> If a user has multiple email
> addresses, does the "automated email verification
> service" send a different encrypted verification link
> to each address, and then only sign the UIDs that the
> user verified? And is there the option to reply to
> email rather than click a link?

Thinking about it, you don't need the user to click a link or to reply
to an email at all. If you sign the UID and enclose the signed copy of
the key in an encrypted email to the address in the UID, they don't
get access to the certification unless they control both the email
address and the key.


--
Best regards

MFPA  

Everyone makes mistakes. It is what you do afterwards that counts.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Making the case for smart cards for the average user

2015-03-16 Thread MFPA



On Saturday 14 March 2015 at 10:37:18 PM, in
,
Joey Castillo wrote:


> The goal is to simplify
> not just everyday things like how to make a key or
> encrypt an email, but also more complex things like
> "what is my identity and how do I verify it?" [1]
> [1]:
> https://github.com/josecastillo/signet/blob/master/guidelines.md#certification-and-trust


Although I don't really like email addresses in the UIDs of my keys, I
quite like the simplicity of your "email address only" simplified UID
format. However, I would urge you to reconsider your decision to drop
the angle brackets. At least one MUA (the MUA I am using to write this
message) sends the email address enclosed in angle brackets as the
search string for GnuPG to locate the key. No angle brackets around
the email address means no key found.

Your proposed "automated email verification service" will beat the PGP
Global Directory's verification check by encrypting the verification
message to confirm that the user is in control of the key as well as
the email address. But it retains the problem of relatively frequent
verification signatures accumulating; I don't know a solution to that.
If a user has multiple email addresses, does the "automated email
verification service" send a different encrypted verification link to
each address, and then only sign the UIDs that the user verified? And
is there the option to reply to email rather than click a link?

Finally, if the person at the other end is able to decrypt my message
and reply to me, then the key and the email address are controlled by
the same person. What assurance does the verification service add?


--
Best regards

MFPA  

Can you imagine a world with no hypothetical situations?




possible sshcontrol flag for ssh key comment?

2015-03-16 Thread Donavan-Ross Costaras
Hi,

I'm pretty new to pgp and gpg so please bear with me.

I'm using gnupg 2.1.2 and trying to use an authentication sub key for ssh
logins. I'm also attempting to not go via converting the gpg key into an
ssh key. I.e. I use the new --key-grip option and load the key-grip
straight into .gnupg/sshcontrol

All's groovy until I tried to use it for gitolite. Gitolite uses the
presented ssh key as authentication against its collection of ssh pub
keys. So in order to authenticate with the correct user you need to present
the correct key.

To present the correct key I use .ssh/config to define the identityFile (ssh
key) used for that user.

The problem is I can't add an ssh comment if I don't put the key through
something like monkeysphere or gpgkey2ssh. With the comment being the
virtual ssh key location .ssh/config works as normal for defining hosts and
associated keys.

So, in my limited understanding, would it not be useful to be able to set
the ssh key comment in the .gnupg/sshcontrol file as a flag? So that if I
add the keygrip to sshcontrol and do ssh-add -L I would be presented with:

ssh-rsa ***key*** comment-as-flag

as opposed to:

ssh-rsa ***key*** (none)

Or am I being silly and should just go via transforming it into an actual
ssh key and importing that via ssh-add. Does that not create two keys from
one though?

I think I'm subscribed to the list but in case I'm not please cc me.

Thanks,
Donavan
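
Added example, not part of the original post and not GnuPG code: a small parser for the documented `sshcontrol` entry format (keygrip, optional caching TTL in seconds, optional flags such as `confirm`, a leading `!` for a disabled entry), with an audit helper listing keys enabled for SSH without confirmation. The keygrips and sample file are constructed, and the function names are hypothetical.

```python
import re

KEYGRIP_RE = re.compile(r"^[0-9A-Fa-f]{40}$")

# Constructed sample; the keygrips are made up.
SAMPLE = """\
# Key added on: (constructed sample)
0123456789ABCDEF0123456789ABCDEF01234567 0 confirm
89ABCDEF0123456789ABCDEF0123456789ABCDEF
!FEDCBA9876543210FEDCBA9876543210FEDCBA98 600
"""


def parse_sshcontrol(text):
    """Parse sshcontrol text into a list of entry dicts.

    Each entry carries only what the file format provides:
    keygrip, enabled/disabled, optional TTL, optional flags.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or file comment
        enabled = not line.startswith("!")
        fields = line.lstrip("!").split()
        if not fields or not KEYGRIP_RE.match(fields[0]):
            raise ValueError(f"line {lineno}: expected a 40-hex-digit keygrip")
        rest = fields[1:]
        ttl = None
        if rest and rest[0].isdigit():
            ttl = int(rest[0])
            rest = rest[1:]
        entries.append({
            "keygrip": fields[0].upper(),
            "enabled": enabled,
            "ttl": ttl,
            "flags": rest,
            "line": lineno,
        })
    return entries


def unconfirmed_keys(entries):
    """Keygrips the agent may use for SSH without asking for confirmation."""
    return [e["keygrip"] for e in entries
            if e["enabled"] and "confirm" not in e["flags"]]


if __name__ == "__main__":
    for entry in parse_sshcontrol(SAMPLE):
        print(entry)
    print("no confirm flag:", unconfirmed_keys(parse_sshcontrol(SAMPLE)))
```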


Re: Making the case for smart cards for the average user

2015-03-16 Thread Peter Lebbing
On 15/03/15 23:24, Jose Castillo wrote:
> I think it’s encouraging, in a perverse way, to hear that when GCHQ
> sought to compromise SIM card encryption keys [4], they had to resort
> to spying on the employees generating them.

Perhaps the SIM cards are relatively well protected from remote access;
the session keys for GSM communication are not. IIRC, it requires an
on-line attack and would leave traces as soon as GSM network operators
started looking for such attacks, so it's less sneaky. But there were
two interesting talks on the subject at the 31C3:

http://media.ccc.de/browse/congress/2014/31c3_-_6249_-_en_-_saal_1_-_201412271715_-_ss7_locate_track_manipulate_-_tobias_engel.html#video

http://media.ccc.de/browse/congress/2014/31c3_-_6122_-_en_-_saal_1_-_201412271830_-_mobile_self-defense_-_karsten_nohl.html#video

Apparently GCHQ still wanted the SIM keys, though :).

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: Enigmail speed geeking

2015-03-16 Thread Stephan Beck
On 16.03.2015 at 08:48, Werner Koch wrote:
> On Sun, 15 Mar 2015 23:38, st...@mailbox.org said:
> 
>> Thanks, Werner. I read that, but I was particularly interested in how to get
>> GnuPG to work with haveged.
> 
> You should feed it into /dev/random or get into the kernel proper.  This
> way all applications can benefit from it.

Ok, thanks, properly enabled and working

[README]
[...]
Non-zero "-r" options are used to test the haveged random number generator; The
random number generator will be configured, the initial data collection pass
will be executed, configuration details will be written to stdout, and a "-r"
KB sample of output will be written to the sample output file for all "-r" > 1.
[...]

$ sudo haveged -r 2
Writing 2 K byte output to sample


Cheers,
Stephan






Re: Enigmail speed geeking

2015-03-16 Thread Werner Koch
On Sun, 15 Mar 2015 23:38, st...@mailbox.org said:

> Thanks, Werner. I read that, but I was particularly interested in how to get
> GnuPG to work with haveged.

You should feed it into /dev/random or get into the kernel proper.  This
way all applications can benefit from it.

> So, I guess it would not be possible for an interested user to have GnuPG work
> with haveged by using configuration files or load instructions

This requires adding a new entropy gathering module or adding it to
rndlinux.c.  However, I assume that proper output of haveged is pretty
system and compiler dependent.  Thus it belongs in the OS kernel.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.

