Re: Defaults

2015-03-18 Thread Werner Koch
On Tue, 17 Mar 2015 20:44, r...@sixdemonbag.org said:
> Given that 2.1 introduces a lot of new capabilities (mostly with respect
> to ECC), I think now, early on in the 2.1 series, would be a good time
> to discuss changing the defaults for newly-generated certificates.

Let's do a quick check of the status quo (I removed some of the extra
diagnostics from the examples):

Create a new key:

  $ gpg --no-options --quick-gen-key 'test key '
  About to create a key for:
  "test key "
  
  Continue? (Y/n) y
  public and secret key created and signed.
  
  pub   rsa2048/50C4476F 2015-03-18
        Key fingerprint = 11E9 91C2 36E0 21A6 1E35  A682 68CC E4C2 50C4 476F
  uid   [ultimate] test key 
  sub   rsa2048/807D0FF4 2015-03-18
  
What are the preferences:  
  
  $ gpg --no-options --edit-key 50C4476F
  gpg (GnuPG) 2.1.3-beta26; Copyright (C) 2015 Free Software Foundation, Inc.
  Secret key is available.
  
  pub  rsa2048/50C4476F
   created: 2015-03-18  expires: never   usage: SC  
   trust: ultimate  validity: ultimate
  sub  rsa2048/807D0FF4
   created: 2015-03-18  expires: never   usage: E   
  [ultimate] (1). test key 
  
  gpg> showpref
  [ultimate] (1). test key 
   Cipher: AES256, AES192, AES, 3DES
   Digest: SHA256, SHA384, SHA512, SHA224, SHA1
   Compression: ZLIB, BZIP2, ZIP, Uncompressed
   Features: MDC, Keyserver no-modify

Sign something (there is only the above new key in the keyring):

  $ fortune | gpg --no-options --clearsign -v 
  -----BEGIN PGP SIGNED MESSAGE-----
  Hash: SHA256
  
  Whenever people agree with me I always feel I must be wrong.
  -- Oscar Wilde
  gpg: RSA/SHA256 signature from: "50C4476F test key "
  -----BEGIN PGP SIGNATURE-----
  Version: GnuPG v2
  
  iQEcBAEBCAAGBQJVCSpjAAoJEGjM5MJQxEdvQOUH/1G0xVxUppAHjqy6E5h8Pds+
  R9IhpACMwx+b01KudyTQ1rw1Y6Gy47vRhtaZaY9H7g9Ua8N7CtDWDUlbN/A+vovr
  7NX7yh8VXNqTYg9iCbwtL3KrN5b+gImWC7XxKgmJ5MqtRdOnjrGRG+R/1Yz/K6+3
  dKtD+o7WSToWiZRaqraIEFaHuHHPhhTbZd9rPkkoVhR8IfuwVP9WiWgL1En1khiC
  jNN4XBTO6JYm9wxYnbKTr5pIkNIdkXJEXSSO0VDu+jcx0eXiQlHVM2Za+8F0e59o
  rhaD61+7MFRp7W85eq9DphK8ZQkYSiVFmxP05KtBn0ym+CWyOZQTknJTZq2rpGI=
  =TRJn
  -----END PGP SIGNATURE-----
   
Do a symmetric encryption:
 
  $ fortune | gpg --no-options -ca -v 
  gpg: using cipher AES
  gpg: writing to stdout
  -----BEGIN PGP MESSAGE-----
  Version: GnuPG v2
  
  jA0EBwMCEKZ9P8JsqIXk0n0BXv33OI6+DtCIKj4eizkTHI4uFnlwYxa8mGDmNPZX
  7f8Q0f5L621bNvyIgCrV+gmfMXbXd2jtUXOAu0Q/g9gpkNEQhEJKcFBk1VDaAM0j
  dg8LeF/iT8HUjSmsWXbOCvYRh3MtIbYSEC299yBZJ+gG44Akgypl80dubLXhcA==
  =doWz
  -----END PGP MESSAGE-----


Now:

>   * Offer Brainpool-512 and RSA-3072 as options for
> newly-generated certificates

The default is RSA-2048 but there is an option to create RSA-3072.  GUIs
may choose their own defaults.

Using Brainpool as default for ECC (by the time we can get ECC out of
the export mode) is obviously something the German secret services would
like to see.  Given the recent revelations about the BSI and its support
for "remote forensic toolkits" (aka Federal Trojan Tool), this won't
convince people that Brainpool curves are safer than NIST curves.  Anyway,
the plan is to make Curve25519 the default for ECC.  There are also
options for stronger ECC curves not related to US or European standard
bodies.

>   * Use AES256 for a symmetric cipher

As shown above AES128 (AES) is the default for symmetric encryption.
Symmetric encryption is for whatever reasons commonly used for bulk data
encryption and performance is a matter here:

  AES     |  nanosecs/byte   mebibytes/sec   cycles/byte
  CFB enc |     1.77 ns/B     537.9 MiB/s      4.08 c/B
  CFB dec |    0.365 ns/B    2612.1 MiB/s     0.840 c/B
  AES256  |
  CFB enc |     2.47 ns/B     386.5 MiB/s      5.67 c/B
  CFB dec |    0.530 ns/B    1799.4 MiB/s      1.22 c/B

Thus on my X220 you get a 40% speedup by using 128 bit AES.  Well, the
numbers are from Libgcrypt and don't include the overhead due to the
protocol but it is faster.

For public key encryption AES-256 will be used by default anyway.

>   * Raise a warning if the user attempts to encrypt more
> than 4 GiB with an old (64-bit block) cipher

Except for 3DES there is no 64 bit block cipher in the preferences:

   Cipher: AES256, AES192, AES, 3DES

A key capable of only 3DES will be rare and must have been created on
purpose or by very old software.  They want 3DES and thus they get it.

>   * Only use CAST5 if the user explicitly requests it via
> default-cipher-preferences: prefer 3DES over CAST5

Already done.  See above.

>   * Only use IDEA if the user explicitly requests it via
> default-cipher-preferences: prefer 3DES over IDEA

IDEA is not included in the preferences.

>   * Use SHA256 for RSA-3072/-4096 signatures and SHA512
> for Brainpool-512

Already used even for RSA-2048.  See example above.

>   * CAST5 is not in goo

Re: Defaults

2015-03-18 Thread Damien Goutte-Gattat

On 03/18/2015 01:34 AM, Robert J. Hansen wrote:
> I think this shouldn't be supported; CAST5 should only be used if (a) it's in
> the recipient's key prefs and (b) it's explicitly listed in
> default-cipher-prefs.

I don't think that ignoring the recipient's preferences should be the
default behavior. The recipient's choices should be honored by default
*unless* you explicitly decide against it.

If you want to ignore a particular cipher, you could use the
--disable-cipher-algo option. Disable CAST5 and it will never be
selected by GnuPG even if it appears on the recipient's list.

>> Do you mean signatures in general, or key signatures
>> (certifications)?
>
> The former, although I think setting cert-digest-algo SHA256 by default
> may be worth discussing.

Not anymore, it's already done. :) I was wrong on that point, SHA-1 is
no longer used by default for certifications since GnuPG 2.1.0.





___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
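The preference logic behind Werner's showpref output and Damien's --disable-cipher-algo remark, as an added Python example that is not part of this thread and not GnuPG's own code: it parses the Cipher/Digest/Compression lines gpg prints for showpref and models the RFC 4880 rule that the chosen cipher must be acceptable to every recipient, with 3DES as the implicit fallback and locally disabled algorithms excluded. It is a simplified model, not GnuPG's select_algo_from_prefs(); the showpref text embedded below is copied from the key generated above.

```python
"""Simplified model of how a symmetric cipher is chosen for a public-key
encrypted message (RFC 4880, section 13.2): the cipher must be acceptable to
every recipient, 3DES is an implicit member of every preference list, and a
locally disabled algorithm (--disable-cipher-algo) is never picked even if a
recipient lists it.  Added example, not GnuPG's select_algo_from_prefs()."""

from typing import Dict, Iterable, List, Optional

IMPLICIT_CIPHER = "3DES"   # every OpenPGP implementation must accept it


def parse_showpref(text: str) -> Dict[str, List[str]]:
    """Parse the 'Cipher:', 'Digest:' and 'Compression:' lines of gpg's showpref output."""
    prefs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        head, sep, tail = line.strip().partition(":")
        if sep and head in ("Cipher", "Digest", "Compression"):
            prefs[head.lower()] = [a.strip() for a in tail.split(",") if a.strip()]
    return prefs


def effective_prefs(prefs: Iterable[str]) -> List[str]:
    """A preference list with 3DES appended if the key did not state it."""
    out = [p.upper() for p in prefs]
    if IMPLICIT_CIPHER not in out:
        out.append(IMPLICIT_CIPHER)
    return out


def choose_cipher(sender_prefs: Iterable[str],
                  recipients: Dict[str, Iterable[str]],
                  disabled: Iterable[str] = ()) -> Optional[str]:
    """Pick the first cipher in the sender's order that every recipient accepts.

    sender_prefs: the sender's own order (cf. personal-cipher-preferences);
    recipients:   key id -> cipher list from that key's self-signature;
    disabled:     ciphers switched off locally with --disable-cipher-algo.
    Returns None when nothing is acceptable (gpg would refuse to encrypt).
    """
    banned = {d.upper() for d in disabled}
    accepted = [set(effective_prefs(p)) for p in recipients.values()]
    for cand in effective_prefs(sender_prefs):
        if cand in banned:
            continue
        if all(cand in acc for acc in accepted):
            return cand
    return None


# showpref output copied from the 2.1.3 key generated in Werner's message.
SHOWPREF_SAMPLE = """\
 Cipher: AES256, AES192, AES, 3DES
 Digest: SHA256, SHA384, SHA512, SHA224, SHA1
 Compression: ZLIB, BZIP2, ZIP, Uncompressed
 Features: MDC, Keyserver no-modify
"""

if __name__ == "__main__":
    modern = parse_showpref(SHOWPREF_SAMPLE)["cipher"]
    legacy = ["CAST5"]                  # constructed: a key made by very old software
    # one modern and one legacy recipient: only the implicit 3DES is common
    print(choose_cipher(modern, {"A": modern, "B": legacy}))
    # sender willing to use CAST5 before 3DES, legacy recipient lists it
    print(choose_cipher(["AES256", "AES", "CAST5"], {"B": legacy}))
    # same, but CAST5 disabled locally: falls back to 3DES
    print(choose_cipher(["AES256", "AES", "CAST5"], {"B": legacy}, disabled=["CAST5"]))
```

The last two calls show Damien's point: CAST5 is only reachable when the recipient lists it and the sender has not disabled it; disabling it locally drops you to 3DES rather than to nothing, because 3DES is always in the implicit set.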


What am I doing wrong?

2015-03-18 Thread Mark Walter
Hello all.

I'm having issues with encrypt and decrypt and I know it's something I'm doing 
wrong. I created a key with Kleopatra. Imported it into GNU Privacy Assistant. 
It shows up as Fully Valid.

Next, to test, I created the text file test.txt and used the following command 
to encrypt it.
gpg -e -u myu...@domain.net -r myu...@domain.net test.txt

The file test.txt.gpg showed up in my folder.

Next, I tried to decrypt it using the following syntax.
gpg -d test.txt.gpg

And I get the following error.
Gpg decryption failed: No secret key

Not sure what I'm doing wrong here. This used to not be an issue.

This is Windows Server 2012.

Thanks in advance   

Mark Walter

Business to Business Data Integration Specialist
Certified IBM System i Specialist
Paragon Consulting Services, Inc.
mwal...@paragon-csi.com
717-764-7909 ext. 20



Re: What am I doing wrong?

2015-03-18 Thread Daniel Kahn Gillmor
On Wed 2015-03-18 08:18:11 -0400, Mark Walter wrote:

> I'm having issues with encrypt and decrypt and I know it's something
> I'm doing wrong. I created a key with Kelopatra. Imported it into GNU
> Privacy Assistant. It shows up as Fully Valid.
>
> Next, to test, I created the text file test.txt and used the following 
> command to encrypt it.
> gpg -e -u myu...@domain.net -r myu...@domain.net test.txt

The -u myu...@domain.net is not doing anything here, because this is
doing encryption and not signing.  So no secret key material is used in
this step.

> The file test.txt.gpg showed up in my folder.
>
> Next, I tried to decrypt it using the following syntax.
> gpg -d test.txt.gpg
>
> And I get the following error.
> Gpg decryption failed: No secret key
>
> Not sure what I'm doing wrong here. This used to not be an issue.

It sounds to me like you imported your public key but not your secret
key.

Does your key show up in the output of "gpg --list-secret-keys"  ?

 --dkg

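The check dkg asks for, as an added Python example that is not part of this thread and not GnuPG code: it parses the machine-readable output of `gpg --with-colons --list-keys` and `gpg --with-colons --list-secret-keys` and reports whether an encryption-capable secret key exists for a recipient. Field positions follow GnuPG's doc/DETAILS (field 15 of a sec/ssb line is '+' when the secret key is present, '#' for a stub, otherwise a card serial number); the listings embedded below are constructed, not anyone's real keys.

```python
"""Why `gpg -d` says "No secret key": the message was encrypted to an
encryption subkey whose secret half is not in the keyring.  Added example,
not GnuPG code: it parses `gpg --with-colons` listings and classifies the
secret-key situation for one recipient.  Field layout per GnuPG doc/DETAILS;
the sample listings below are constructed."""

from typing import Dict, List


def parse_colons(listing: str) -> List[Dict]:
    """Group a --with-colons listing into primary-key records.

    1-based fields used: 1 record type, 5 key id, 10 user id, 12 capabilities
    (lower case = this key itself, upper case = whole key), 15 token field on
    sec/ssb lines ('+' secret present, '#' stub, otherwise a card serial).
    fpr/grp/tru lines are ignored.
    """
    keys: List[Dict] = []
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 12:
            continue
        token = f[14] if len(f) > 14 else ""
        if f[0] in ("pub", "sec"):
            keys.append({"keyid": f[4], "caps": f[11], "token": token,
                         "uids": [], "subkeys": []})
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append(f[9])
        elif f[0] in ("sub", "ssb") and keys:
            keys[-1]["subkeys"].append({"keyid": f[4], "caps": f[11], "token": token})
    return keys


def diagnose(recipient: str, public_listing: str, secret_listing: str) -> str:
    """Classify the secret-key situation for `recipient` (substring of a user id).

    Returns 'no public key', 'no secret key', 'secret key is a stub',
    'secret key on token <serial>' or 'ok'.
    """
    needle = recipient.lower()
    pub = [k for k in parse_colons(public_listing)
           if any(needle in u.lower() for u in k["uids"])]
    if not pub:
        return "no public key"
    # A message is encrypted to the encryption-capable ('e') keys of the recipient.
    enc_ids = {k["keyid"] for k in pub if "e" in k["caps"]}
    enc_ids |= {s["keyid"] for k in pub for s in k["subkeys"] if "e" in s["caps"]}
    tokens: Dict[str, str] = {}
    for k in parse_colons(secret_listing):
        tokens[k["keyid"]] = k["token"]
        for s in k["subkeys"]:
            tokens[s["keyid"]] = s["token"]
    found = [tokens[kid] for kid in enc_ids if kid in tokens]
    if not found:
        return "no secret key"
    if any(t in ("+", "") for t in found):   # '' : older gpg left field 15 empty
        return "ok"
    cards = [t for t in found if t != "#"]
    if cards:
        return "secret key on token " + cards[0]
    return "secret key is a stub"


# Constructed listings: a public key with an encryption subkey, as it looks
# after importing a partner's .asc file, and two possible secret listings.
PUBLIC_LISTING = """\
tru::1:1426636800:0:3:1:5
pub:u:2048:1:A1B2C3D4E5F60718:1426636800:::u:::scESC::::::23::0:
uid:u::::1426636800::0A1B::Alice <alice@example.org>::::::::::0:
sub:u:2048:1:0F1E2D3C4B5A6978:1426636800::::::e::::::23:
"""
SECRET_LISTING_OK = """\
sec:u:2048:1:A1B2C3D4E5F60718:1426636800:::u:::scESC:::+:::23::0:
uid:u::::1426636800::0A1B::Alice <alice@example.org>::::::::::0:
ssb:u:2048:1:0F1E2D3C4B5A6978:1426636800::::::e:::+:::23:
"""
SECRET_LISTING_STUB = """\
sec:u:2048:1:A1B2C3D4E5F60718:1426636800:::u:::scESC:::#:::23::0:
uid:u::::1426636800::0A1B::Alice <alice@example.org>::::::::::0:
ssb:u:2048:1:0F1E2D3C4B5A6978:1426636800::::::e:::#:::23:
"""

if __name__ == "__main__":
    for name, sec in (("nothing imported", ""), ("secret key imported", SECRET_LISTING_OK),
                      ("stub only", SECRET_LISTING_STUB)):
        print(name, "->", diagnose("alice@example.org", PUBLIC_LISTING, sec))
```

On a live system feed `diagnose()` the output of the two gpg commands (for example via subprocess). A public key that is present while the secret listing has nothing for its encryption subkey is exactly the situation dkg describes: the public key was imported, the secret key never was.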


RE: What am I doing wrong?

2015-03-18 Thread Mark Walter
No, only the private keys show up. What I tried to create and test was a public 
key to give to a partner for encrypting files sent to us.

Thanks.






Re: What am I doing wrong?

2015-03-18 Thread da...@gbenet.com
On 18/03/15 12:18, Mark Walter wrote:
> Hello all.
> 
> I'm having issues with encrypt and decrypt and I know it's something I'm 
> doing wrong. I created a key with Kelopatra. Imported it into GNU Privacy 
> Assistant. It shows up as Fully Valid.
> 
> Next, to test, I created the text file test.txt and used the following 
> command to encrypt it.
> gpg -e -u myu...@domain.net -r myu...@domain.net test.txt
> 
> The file test.txt.gpg showed up in my folder.
> 
> Next, I tried to decrypt it using the following syntax.
> gpg -d test.txt.gpg
> 
> And I get the following error.
> Gpg decryption failed: No secret key
> 
> Not sure what I'm doing wrong here. This used to not be an issue.
> 
> This is Windows Server 2012.
> 
So you created a private and public key - then encrypted a file and you entered
your passphrase (password you created when generating your keys)?

David


-- 
"See the sanity of the man! No gods, no angels, no demons, no body. Nothing of
the kind. Stern, sane, every brain-cell perfect and complete even at the moment
of death. No delusion." https://linuxcounter.net/user/512854.html - http://gbenet.com





RE: What am I doing wrong?

2015-03-18 Thread Mark Walter
Thanks so much for the help everyone. I believe I have this working as I need it.





SKS Keyserver, HKPS, and GnuPG 2.1

2015-03-18 Thread Samir Nassar
Hello,

I originally posted this on the sks-devel mailing list, but after thinking 
about it, I believe this might be something I am doing wrong on the GnuPG 
side:

I set up a keyserver at keyserver.myriapolis.net.

What I have done so far:

Installed sks (1.1.5) from wheezy-backports

SKS is behind a nginx reverse proxy using the instructions from: 
https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering

I can access SKS on the web through:
https://keyserver.myriapolis.net:11371/
https://keyserver.myriapolis.net:443/
http://keyserver.myriapolis.net:80/

When I access the keyserver through:

gpg-connect-agent --verbose --dirmngr 'keyserver http://keyserver.myriapolis.net' 'ks_get 1e42b367' /bye

things work.

When I try the following:

gpg-connect-agent --verbose --dirmngr 'keyserver https://keyserver.myriapolis.net' 'ks_get 1e42b367' /bye

gpg-connect-agent --verbose --dirmngr 'keyserver https://keyserver.myriapolis.net:11371' 'ks_get 1e42b367' /bye

gpg-connect-agent --verbose --dirmngr 'keyserver hkps://keyserver.myriapolis.net:11371' 'ks_get 1e42b367' /bye

I get the following error: ERR 1 General error 

dirmngr.conf contains:

hkp-cacert /home/snassar/.gnupg/myriapolis.net.crt

Any pointers would be lovely.

Samir
PGP Fingerprint: 19AE 0BC4 7DA8 4683 3AB6 9A53 69A7 5542 488B 4A1A



Email-only UIDs and verification (was: Making the case for smart cards for the average user)

2015-03-18 Thread Jose Castillo
On Mar 16, 2015, at 8:55 PM, MFPA <2014-667rhzu3dc-lists-gro...@riseup.net> 
wrote:
> I would urge you to
> reconsider your decision to drop the angle brackets. At
> least one MUA (the MUA I am using to write this message)
> sends the email address enclosed in angle brackets as the
> search string for GnuPG to locate the key. No angle
> brackets around the email address means no key found.

Good point, I'll make that change. As a sidenote, I notice that when I'm 
generating a key interactively, I get an error message of 'Name must be at 
least 5 characters long' when I try to make an email-only UID. It works in 
batch mode, and obviously with the allow-freeform-uid option, but just thought 
it was interesting to point out. Someone attempting to make such a UID in the 
interactive mode might be forgiven for putting their email address in the 
'name' field as a workaround. 

> Thinking about it, you don't need the user to click a link or to
> reply to an email at all. If you sign the UID and enclose the
> signed copy of the key in an encrypted email to the address
> in the UID, they don’t get access to the certification unless
> they control both the email address and the key.

This is a very good point, and I can see making this change. 

> But it retains the problem of relatively frequent
> verification signatures accumulating; I don't know
> a solution to that.

This was in reference to the PGP global directory’s verification check. Having 
never used it I’m curious why the validity period is only two weeks. Does the 
user have to re-verify their email address every two weeks? That seems 
excessive. Moving to an annual validity period (or through the expiration of 
the domain name if it’s expiring sooner) allows for disused keys to expire, 
while still giving you the option to revoke a UID or key sooner if necessary. 

> Finally, if the person at the other end is able to
> decrypt my message and reply to me, then the
> key and the email address are controlled by
> the same person. What assurance does the
> verification service add?

In the case of establishing communication with someone you haven’t yet met, it 
gives you an assurance that a third party has verified that they were in 
control of the address on a given date within the last year. If I query your 
email address and find four keys, I don’t know what to do; but if one of them 
is trusted by the email verification service, which I trust, then there’s only 
one valid key. 

-- 

Joey Castillo
www.joeycastillo.com




Re: SKS Keyserver, HKPS, and GnuPG 2.1

2015-03-18 Thread Kristian Fiskerstrand
On 03/18/2015 03:54 PM, Samir Nassar wrote:
> Hello,
> 
> I originally posted this on the sks-devel mailing list, but after
> thinking about it, I believe this might be something I am doing
> wrong on the GnuPG side.:
> 
> I set up a keyserver at keyserver.myriapolis.net.
> 


...

> 
> I get the following error: ERR 1 General error
> 

Likely related to the PTR issues[0, 1], it's already in the roadmap[2]

References:
[0] http://lists.gnupg.org/pipermail/gnupg-devel/2015-February/029491.html
[1] http://lists.gnupg.org/pipermail/gnupg-devel/2014-May/028458.html
[2] https://gnupg.org/roadmap.html

-- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Nihil lacrima citius arescit
Nothing dries more quickly than a tear



Re: SKS Keyserver, HKPS, and GnuPG 2.1

2015-03-18 Thread Samir Nassar
On Wednesday, March 18, 2015 07:28:31 PM Kristian Fiskerstrand wrote:
> Likely related to the PTR issues[0, 1], its already in the roadmap[2]

Thank you Kristian,

So I understand this better. When using non-encrypted connections GnuPG 
doesn't have a problem, but when I am using a wildcard certificate GPG 2.1 has 
a problem?

Is there anything I can do to mitigate for now?
 
Samir



Re: SKS Keyserver, HKPS, and GnuPG 2.1

2015-03-18 Thread Kristian Fiskerstrand
On 03/18/2015 08:39 PM, Samir Nassar wrote:
> On Wednesday, March 18, 2015 07:28:31 PM Kristian Fiskerstrand
> wrote:
>> Likely related to the PTR issues[0, 1], its already in the
>> roadmap[2]
> 
> Thank you Kristian,
> 
> So I understand this better. When using non-encrypted connections
> GnuPG doesn't have a problem, but when I am using a wildcard
> certificate GPG 2.1 has a problem?
> 
> Is there anything I can do to mitigate for now?

Hmm, I didn't notice that it was a wildcard cert, that should also
support holdfast.myriapolis.net in the cert matching, however it
results in a redirect and 404 for [0]. If you add this as a vhost I
suspect it will work in your configuration.

References:
[0] https://holdfast.myriapolis.net/pks/lookup?op=stats




Re: SKS Keyserver, HKPS, and GnuPG 2.1

2015-03-18 Thread Samir Nassar
On Wednesday, March 18, 2015 08:54:47 PM Kristian Fiskerstrand wrote:
> Hmm, I didn't notice that it was a wildcard cert, that should also
> support holdfast.myriapolis.net in the cert matching, however it
> results in a redirect and 404 for [0]. If you add this as a vhost I
> suspect it will work in your configuration.

I configured nginx to also serve up holdfast.myriapolis.net on port 11371

testing with:

gpg-connect-agent --verbose --dirmngr 'keyserver https://keyserver.myriapolis.net:11371' 'ks_get 1e42b367' /bye

gpg-connect-agent --verbose --dirmngr 'keyserver https://holdfast.myriapolis.net:11371' 'ks_get 1e42b367' /bye

and with:

gpg-connect-agent --verbose --dirmngr 'keyserver hkps://keyserver.myriapolis.net:11371' 'ks_get 1e42b367' /bye

gpg-connect-agent --verbose --dirmngr 'keyserver hkps://holdfast.myriapolis.net:11371' 'ks_get 1e42b367' /bye

Gives this result:

OK
ERR 1 General error 
gpg-connect-agent: closing connection to agent
 
Samir




Re: what is the proper way to load gpg-agent with systemd

2015-03-18 Thread Jacky Alcine
On Tuesday, March 17, 2015 03:48:54 PM Paulo Lopes wrote:
> Hello,
> 
> I've been using my gpg card with success in Ubuntu for a while but as
> everyone knows the init system is switching from upstart to systemd as it
> is happening on Debian and the vast majority of other distributions.
> 
> In the "past" one could start gpg-agent from the script that boots Xorg or
> even the gnome-keyring and we could "inject" a couple of variables into the
> session like
> 
> GPG_AGENT_INFO
> SSH_AGENT_PID
> SSH_AUTH_SOCK
> 
> and all applications spawned from that process inherit those vars, however
> systemd does not inherit vars from its unit files (and my experience with
> systemd is extremely low so i could be saying something wrong here).
> 
> It would be nice to have some documentation on gnupg site describing the
> best way to work with systemd...

You might want to ask the systemd-users mailing list about that.
-- 
Jacky Alcine
https://jacky.wtf



Re: Defaults

2015-03-18 Thread MFPA


On Wednesday 18 March 2015 at 8:09:30 AM, in
, Werner Koch wrote:



>
>   created: 2015-03-18  expires: never

Just wondering why we want keys to never expire by default.
Why is that better than a default validity period of "X" years?


-- 
Best regards

MFPA  

Adults are obsolete children.




Re: SKS Keyserver, HKPS, and GnuPG 2.1

2015-03-18 Thread Kristian Fiskerstrand
On 03/18/2015 09:13 PM, Samir Nassar wrote:
> On Wednesday, March 18, 2015 08:54:47 PM Kristian Fiskerstrand 
> wrote:
>> Hmm, I didn't notice that it was a wildcard cert, that should 
>> also support holdfast.myriapolis.net in the cert matching, 
>> however it results in a redirect and 404 for [0]. If you add this 
>> as a vhost I suspect it will work in your configuration.
> 
> I configured nginx to also server up holdfast.myriapolis.net on 
> port 11371

11371 is expected to be for HKP, so requiring this to be TLS is bad
practice.

> 
> testing with:
> 
> gpg-connect-agent --verbose --dirmngr 'keyserver 
> https://keyserver.myriapolis.net:11371' 'ks_get 1e42b367' /bye
> 
> gpg-connect-agent --verbose --dirmngr 'keyserver 
> https://holdfast.myriapolis.net:11371' 'ks_get 1e42b367' /bye

https shouldn't work in this regard, it requires the API from the HKP protocol

> 
> and with:
> 
> gpg-connect-agent --verbose --dirmngr 'keyserver 
> hkps://keyserver.myriapolis.net:11371' 'ks_get 1e42b367' /bye
> 
> gpg-connect-agent --verbose --dirmngr 'keyserver 
> hkps://holdfast.myriapolis.net:11371' 'ks_get 1e42b367' /bye
> 

What if you just update the keyserver in gpg.conf and kill the dirmngr
(it will auto-restart)?


> Gives this result:
> 
> OK
> ERR 1 General error
> gpg-connect-agent: closing connection to agent

increase verbosity, e.g. gpg --debug-level guru --search
b...@invaliddomain.com , alternatively specify debug / debug-level in
dirmngr.conf along with a log-file

> 
> Samir
> 
> 
> 
> 



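The scheme/port mapping Kristian's reply turns on (11371 is the plain HKP port, hkps is HKP over TLS and https:// is not an HKP scheme at all), as an added Python example that is not part of this thread and not dirmngr's code: it turns a GnuPG keyserver URI into the HTTP request an HKP lookup makes, and flags a TLS scheme on the plain-HKP port. Assumed here: hkp:// defaults to port 11371 over plain HTTP and hkps:// to port 443 over TLS (the defaults GnuPG documents for dirmngr), and the lookup is the SKS-style /pks/lookup with op=get|index, options=mr and search=; key ids are sent with a 0x prefix. Nothing in the block touches the network.

```python
"""Turn a GnuPG keyserver URI into the HKP request behind it, to make the
scheme/port mix-up in this thread visible.  Added illustration, not dirmngr
code.  Assumed defaults: hkp:// is plain HTTP on port 11371, hkps:// is HTTP
over TLS on port 443; the request path and parameters are the HKP ones that
SKS answers (/pks/lookup, op=get|index, options=mr, search=)."""

from typing import Optional
from urllib.parse import urlencode, urlsplit

DEFAULT_PORTS = {"hkp": 11371, "hkps": 443, "http": 80, "https": 443}
TLS_SCHEMES = {"hkps", "https"}
HEX = set("0123456789abcdefABCDEF")


def _split(keyserver: str):
    """urlsplit with hkp:// assumed when no scheme is given (gpg's keyserver option allows that)."""
    return urlsplit(keyserver if "://" in keyserver else "hkp://" + keyserver)


def is_hex_keyid(term: str) -> bool:
    """True for a short/long key id or a v3/v4 fingerprint, with or without 0x."""
    body = term[2:] if term[:2].lower() == "0x" else term
    return len(body) in (8, 16, 32, 40) and all(c in HEX for c in body)


def hkp_lookup_url(keyserver: str, search: str, op: str = "get") -> str:
    """Build the lookup URL for `search` (key id, fingerprint or user-id text)."""
    if op not in ("get", "index"):
        raise ValueError("op must be 'get' or 'index'")
    u = _split(keyserver)
    scheme = u.scheme.lower()
    if scheme not in DEFAULT_PORTS or not u.hostname:
        raise ValueError("unsupported keyserver URI: " + keyserver)
    port = u.port or DEFAULT_PORTS[scheme]
    transport = "https" if scheme in TLS_SCHEMES else "http"
    term = search.strip()
    if is_hex_keyid(term):
        # HKP servers treat the term as a key id/fingerprint only with a 0x prefix;
        # anything else is matched against user ids.
        body = term[2:] if term[:2].lower() == "0x" else term
        term = "0x" + body
    query = urlencode({"op": op, "options": "mr", "search": term})
    return f"{transport}://{u.hostname}:{port}/pks/lookup?{query}"


def port_scheme_warning(keyserver: str) -> Optional[str]:
    """Flag a TLS scheme on the plain-HKP port (11371), or plain HKP on 443."""
    u = _split(keyserver)
    scheme = u.scheme.lower()
    if scheme in TLS_SCHEMES and u.port == 11371:
        return "port 11371 is the plain HKP port; clients expect hkps on 443"
    if scheme not in TLS_SCHEMES and u.port == 443:
        return "port 443 is the hkps port; use hkps:// for TLS"
    return None


if __name__ == "__main__":
    for ks in ("hkp://keyserver.myriapolis.net",
               "hkps://keyserver.myriapolis.net",
               "hkps://keyserver.myriapolis.net:11371"):
        print(hkp_lookup_url(ks, "1e42b367"), "|", port_scheme_warning(ks))
```

Two things follow for the setup in this thread: the TLS certificate must be valid for the host name in the hkps:// URI exactly as dirmngr resolves it, and the server must answer /pks/lookup on whichever port the client derives, which for hkps:// with no explicit port is 443, not 11371.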


Re: SKS Keyserver, HKPS, and GnuPG 2.1

2015-03-18 Thread Samir Nassar
On Wednesday, March 18, 2015 09:21:08 PM Kristian Fiskerstrand wrote:
> 11371 is expected to be for HKP, so requiring this to be TLS is bad
> practice.

Oh oops. Fixed now.
 
> > gpg-connect-agent --verbose --dirmngr 'keyserver
> > hkps://keyserver.myriapolis.net:11371' 'ks_get 1e42b367' /bye
> > 
> > gpg-connect-agent --verbose --dirmngr 'keyserver
> > hkps://holdfast.myriapolis.net:11371' 'ks_get 1e42b367' /bye
> 
> What if you just update the keyserver in gpg.conf and kill the dirmngr
> (it will auto-restart)?

Done

> increase verbosity, e.g. gpg --debug-level guru --search
> b...@invaliddomain.com , alternatively specify debug / debug-level in
> dirmngr.conf along with a log-file

$ gpg --debug-level guru --search sa...@samirnassar.com
gpg: enabled debug flags: packet mpi cipher filter iobuf memory cache memstat 
trust hashing extprog cardio assuan clock
gpg: DBG: [not enabled in the source] start
gpg: DBG: chan_3 <- # Home: /home//.gnupg
gpg: DBG: chan_3 <- # Config: /home//.gnupg/dirmngr.conf
gpg: DBG: chan_3 <- OK Dirmngr 2.1.2 at your service
gpg: DBG: chan_4 <- # Home: /home//.gnupg
gpg: DBG: chan_4 <- # Config: /home//.gnupg/dirmngr.conf
gpg: DBG: chan_4 <- OK Dirmngr 2.1.2 at your service
gpg: DBG: connection to the dirmngr established
gpg: DBG: chan_4 -> KEYSERVER --clear hkps://keyserver.myriapolis.net
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> KS_SEARCH -- sa...@samirnassar.com
gpg: DBG: chan_4 <- ERR 1 General error 
gpg: error searching keyserver: General error
gpg: keyserver search failed: General error
gpg: DBG: chan_4 -> BYE
gpg: DBG: [not enabled in the source] stop
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
  outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: secmem usage: 0/32768 bytes in 0 blocks




Re: SKS Keyserver, HKPS, and GnuPG 2.1

2015-03-18 Thread Kristian Fiskerstrand
On 03/18/2015 10:08 PM, Samir Nassar wrote:
> On Wednesday, March 18, 2015 09:21:08 PM Kristian Fiskerstrand
> wrote:
>> 11371 is expected to be for HKP, so requiring this to be TLS is
>> bad practice.
> 

...

> gpg: DBG: chan_4 <- ERR 1 General error
> gpg: error searching keyserver: General error
> gpg: keyserver search failed: General error
> gpg: DBG: chan_4 -> BYE
> gpg: DBG: [not enabled in the source] stop
> gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
>   outmix=0 getlvl1=0/0 getlvl2=0/0
> gpg: secmem usage: 0/32768 bytes in 0 blocks

Are you only experiencing issues with your own server or with HKPS in
general? Is dirmngr compiled with gnutls support?

gpg-connect-agent --dirmngr 'KEYSERVER --help' /bye
S # Known schemata:
S #   hkp
S #   hkps
S #   http
S #   finger
S #   kdns

or ldd /usr/bin/dirmngr|grep gnutls
> 
> 
> 
> 





Re: SKS Keyserver, HKPS, and GnuPG 2.1

2015-03-18 Thread Samir Nassar
On Wednesday, March 18, 2015 10:14:53 PM Kristian Fiskerstrand wrote:
> gpg-connect-agent --dirmngr 'KEYSERVER --help' /bye
> S # Known schemata:
> S #   hkp
> S #   hkps
> S #   http
> S #   finger
> S #   kdns

Same.
 
When I set the keyserver to: hkp://keyserver.myriapolis.net everything works.

When I set the keyserver to: hkps://keyserver.myriapolis.net it stops working.

To test whether it is a general hkps problem or not, I tried:
hkps://keys.niif.hu with the same issue.

Is it possible that dirmngr isn't reading the cert I have for myriapolis.net 
properly?

Samir



Re: SKS Keyserver, HKPS, and GnuPG 2.1

2015-03-18 Thread Kristian Fiskerstrand
On 03/18/2015 10:33 PM, Samir Nassar wrote:
> On Wednesday, March 18, 2015 10:14:53 PM Kristian Fiskerstrand
> wrote:
>> gpg-connect-agent --dirmngr 'KEYSERVER --help' /bye
>> S # Known schemata:
>> S #   hkp
>> S #   hkps
>> S #   http
>> S #   finger
>> S #   kdns
> 
> Same.
> 
> When I set the keyserver to: hkp://keyserver.myriapolis.net
> everything works.
> 
> When I set the keyserver to: hkps://keyserver.myriapolis.net it
> stops working.
> 
> To test whether it is a general hkps problem or not, I tried:
> hkps://keys.niif.hu with the same issue.
> 
> Is it possible that dirmngr isn't reading the cert I have for
> myriapolis.net properly?

try renaming /home/snassar/.gnupg/myriapolis.net.crt to
/home/snassar/.gnupg/myriapolis.net.pem

if that doesn't help, can you increase debug verbosity in
dirmngr.conf and set the logfile?
$ cat dirmngr.conf
verbose
debug 4096
debug-level 4096
debug-all
log-file /tmp/dirmngr.log

-- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
"A committee is a group that keeps minutes and loses hours."
(Milton Berle)



Re: SKS Keyserver, HKPS, and GnuPG 2.1

2015-03-18 Thread Samir Nassar
On Wednesday, March 18, 2015 10:40:57 PM Kristian Fiskerstrand wrote:
> try renaming  /home/snassar/.gnupg/myriapolis.net.crt to
> /home/snassar/.gnupg/myriapolis.net.pem

Done.

> if that doesn't help , can you increase debug verbosity in
> dirmngr.conf and set the logfile?
> $ cat dirmngr.conf
> verbose
> debug 4096
> debug-level 4096
> debug-all
> log-file /tmp/dirmngr.log

Results:

2015-03-18 22:57:20 dirmngr[23026.0] listening on socket '/home/snassar/.gnupg/S.dirmngr'
2015-03-18 22:57:20 dirmngr[23027.0] permanently loaded certificates: 0
2015-03-18 22:57:20 dirmngr[23027.0] runtime cached certificates: 0
2015-03-18 22:57:21 dirmngr[23027.0] handler for fd 0 started
2015-03-18 22:57:21 dirmngr[23027.0] DBG: chan_0 -> # Home: /home/snassar/.gnupg
2015-03-18 22:57:21 dirmngr[23027.0] DBG: chan_0 -> # Config: /home/snassar/.gnupg/dirmngr.conf
2015-03-18 22:57:21 dirmngr[23027.0] DBG: chan_0 -> OK Dirmngr 2.1.2 at your service
2015-03-18 22:57:21 dirmngr[23027.0] connection from process 23024 (1000:1000)
2015-03-18 22:57:21 dirmngr[23027.0] DBG: chan_0 <- KEYSERVER --clear hkps://keyserver.myriapolis.net
2015-03-18 22:57:21 dirmngr[23027.0] DBG: chan_0 -> OK
2015-03-18 22:57:21 dirmngr[23027.0] DBG: chan_0 <- KS_SEARCH -- sa...@samirnassar.com
2015-03-18 22:57:21 dirmngr[23027.0] getnameinfo returned for 'keyserver.myriapolis.net': 'keyserver.myriapolis.net' [already known]
2015-03-18 22:57:22 dirmngr[23027.0] TLS verification of peer failed: status=0x0042
2015-03-18 22:57:22 dirmngr[23027.0] TLS verification of peer failed: The certificate is NOT trusted. The certificate issuer is unknown.
2015-03-18 22:57:22 dirmngr[23027.0] DBG: expected hostname: keyserver.myriapolis.net
2015-03-18 22:57:22 dirmngr[23027.0] DBG: BEGIN Certificate 'server[0]':
2015-03-18 22:57:22 dirmngr[23027.0] DBG:      serial: 4BC6878D433B6F5CA74E0142C8C2CA6B
2015-03-18 22:57:22 dirmngr[23027.0] DBG:   notBefore: 2013-12-11 00:00:00
2015-03-18 22:57:22 dirmngr[23027.0] DBG:    notAfter: 2015-12-11 23:59:59
2015-03-18 22:57:22 dirmngr[23027.0] DBG:      issuer: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
2015-03-18 22:57:22 dirmngr[23027.0] DBG:     subject: CN=*.myriapolis.net,OU=EssentialSSL Wildcard,OU=Domain Control Validated
2015-03-18 22:57:22 dirmngr[23027.0] DBG:   hash algo: 1.2.840.113549.1.1.11
2015-03-18 22:57:22 dirmngr[23027.0] DBG:   SHA1 fingerprint: 47D0B4CAA99B5D3F9EA9C2E2F26B380CD60129C7
2015-03-18 22:57:22 dirmngr[23027.0] DBG: END Certificate
2015-03-18 22:57:22 dirmngr[23027.0] DBG: BEGIN Certificate 'server[1]':
2015-03-18 22:57:22 dirmngr[23027.0] DBG:      serial: 2B2E6EEAD975366C148A6EDBA37C8C07
2015-03-18 22:57:22 dirmngr[23027.0] DBG:   notBefore: 2014-02-12 00:00:00
2015-03-18 22:57:22 dirmngr[23027.0] DBG:    notAfter: 2029-02-11 23:59:59
2015-03-18 22:57:22 dirmngr[23027.0] DBG:      issuer: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
2015-03-18 22:57:22 dirmngr[23027.0] DBG:     subject: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
2015-03-18 22:57:22 dirmngr[23027.0] DBG:   hash algo: 1.2.840.113549.1.1.12
2015-03-18 22:57:22 dirmngr[23027.0] DBG:   SHA1 fingerprint: 339CDD57CFD5B141169B615FF31428782D1DA639
2015-03-18 22:57:22 dirmngr[23027.0] DBG: END Certificate
2015-03-18 22:57:22 dirmngr[23027.0] DBG: BEGIN Certificate 'server[2]':
2015-03-18 22:57:22 dirmngr[23027.0] DBG:      serial: 2766EE56EB49F38EABD770A2FC84DE22
2015-03-18 22:57:22 dirmngr[23027.0] DBG:   notBefore: 2000-05-30 10:48:38
2015-03-18 22:57:22 dirmngr[23027.0] DBG:    notAfter: 2020-05-30 10:48:38
2015-03-18 22:57:22 dirmngr[23027.0] DBG:      issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
2015-03-18 22:57:22 dirmngr[23027.0] DBG:     subject: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
2015-03-18 22:57:22 dirmngr[23027.0] DBG:   hash algo: 1.2.840.113549.1.1.12
2015-03-18 22:57:22 dirmngr[23027.0] DBG:   SHA1 fingerprint: F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
2015-03-18 22:57:22 dirmngr[23027.0] DBG: END Certificate
2015-03-18 22:57:22 dirmngr[23027.0] DBG: BEGIN Certificate 'server[3]':
2015-03-18 22:57:22 dirmngr[23027.0] DBG:      serial: 01
2015-03-18 22:57:22 dirmngr[23027.0] DBG:   notBefore: 2000-05-30 10:48:38
2015-03-18 22:57:22 dirmngr[23027.0] DBG:    notAfter: 2020-05-30 10:48:38
2015-03-18 22:57:22 dirmngr[23027.0] DBG:      issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
2015-03-18 22:57:22 dirmngr[23027.0] DBG:     subject: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
2015-03-18 22:57:22 dirmngr[23027.0] DBG:   hash algo: 1.2.840.113549.1.1.5
2015-03-18 22:57:22 dirmngr[23027.0] DBG:   SHA1 fingerprint: 02FAF3E291435468607857694DF5E45B68

Re: SKS Keyserver, HKPS, and GnuPG 2.1

2015-03-18 Thread Daniel Kahn Gillmor
On Wed 2015-03-18 18:03:11 -0400, Samir Nassar wrote:
> On Wednesday, March 18, 2015 10:40:57 PM Kristian Fiskerstrand wrote:
>> try renaming  /home/snassar/.gnupg/myriapolis.net.crt to
>> /home/snassar/.gnupg/myriapolis.net.pem
>
> Done.

It looks to me like you're using the server's certificate as the CA
certificate.  I don't think that's going to work.  Maybe you want to use
the Addtrust root cert (attached here)

and then point hkp-cacert to that?

--dkg

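The chain from Samir's dirmngr.log and dkg's diagnosis, as an added example that is not part of the thread and not GnuPG's or GnuTLS's code: a small Python model of how a TLS client builds the path from the server's leaf certificate up to a configured trust anchor, using the subjects, issuers and validity dates the log printed. The is_ca flags are an assumption (the log does not show basicConstraints); anchors are matched by subject name only and no signatures are checked; the status-bit names come from GnuTLS's gnutls_certificate_status_t. It goes beyond the thread in one respect: it also shows that any CA in the chain, not only the AddTrust root, works as an anchor, and what the check reports once the leaf has expired.

```python
from dataclasses import dataclass
from datetime import datetime

# Model of the hkps trust-anchor check from the dirmngr.log in this thread.
# Subjects, issuers and validity dates are copied from that log; the is_ca
# flags are an ASSUMPTION (the log does not print basicConstraints).
# Signatures are NOT verified: only issuer/subject chaining, validity dates,
# hostname matching and trust-anchor selection are modeled.


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    is_ca: bool  # assumed role, not taken from the log


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


COMODO_DV = ("CN=COMODO RSA Domain Validation Secure Server CA,"
             "O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB")
COMODO_ROOT = ("CN=COMODO RSA Certification Authority,"
               "O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB")
ADDTRUST = ("CN=AddTrust External CA Root,OU=AddTrust External TTP Network,"
            "O=AddTrust AB,C=SE")

LEAF = Cert("CN=*.myriapolis.net,OU=EssentialSSL Wildcard,OU=Domain Control Validated",
            COMODO_DV, parse_time("2013-12-11 00:00:00"), parse_time("2015-12-11 23:59:59"), False)
INTERMEDIATE = Cert(COMODO_DV, COMODO_ROOT,
                    parse_time("2014-02-12 00:00:00"), parse_time("2029-02-11 23:59:59"), True)
CROSS_SIGNED_ROOT = Cert(COMODO_ROOT, ADDTRUST,
                         parse_time("2000-05-30 10:48:38"), parse_time("2020-05-30 10:48:38"), True)
ADDTRUST_ROOT = Cert(ADDTRUST, ADDTRUST,
                     parse_time("2000-05-30 10:48:38"), parse_time("2020-05-30 10:48:38"), True)

# In the order the server sent them ('server[0]' .. 'server[3]' in the log).
SERVER_CHAIN = [LEAF, INTERMEDIATE, CROSS_SIGNED_ROOT, ADDTRUST_ROOT]
LOG_TIME = parse_time("2015-03-18 22:57:22")

# Bit values from GnuTLS's gnutls_certificate_status_t. The log's
# status=0x0042 decodes to INVALID | SIGNER_NOT_FOUND, which is the
# "certificate issuer is unknown" message on the next log line.
GNUTLS_STATUS_BITS = {
    1 << 1: "GNUTLS_CERT_INVALID",
    1 << 6: "GNUTLS_CERT_SIGNER_NOT_FOUND",
    1 << 7: "GNUTLS_CERT_SIGNER_NOT_CA",
    1 << 9: "GNUTLS_CERT_NOT_ACTIVATED",
    1 << 10: "GNUTLS_CERT_EXPIRED",
}


def decode_status(status):
    """Names of the known status bits set in a GnuTLS verification status."""
    return [name for bit, name in sorted(GNUTLS_STATUS_BITS.items()) if status & bit]


def common_name(dn):
    return next((p[3:] for p in dn.split(",") if p.startswith("CN=")), "")


def hostname_matches(cn, hostname):
    """Exact match, or a wildcard in the leftmost label only (*.example.net)."""
    cn, hostname = cn.lower(), hostname.lower()
    if not cn.startswith("*."):
        return cn == hostname
    labels = hostname.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == cn[2:]


def verify_chain(chain, configured_anchors, hostname, now=LOG_TIME):
    """Walk from the leaf towards the root by issuer/subject name and stop at
    the first configured anchor. Returns (ok, reason)."""
    if not chain:
        return False, "empty chain"
    leaf = chain[0]
    if not hostname_matches(common_name(leaf.subject), hostname):
        return False, "hostname mismatch: expected %s" % hostname
    # A trust anchor must itself be a CA, so an end-entity certificate
    # configured as hkp-cacert contributes nothing, which is the thread's bug.
    anchors = {c.subject for c in configured_anchors if c.is_ca}
    by_subject = {c.subject: c for c in chain}
    current, seen = leaf, set()
    while True:
        if not (current.not_before <= now <= current.not_after):
            return False, "expired or not yet valid: %s" % common_name(current.subject)
        if current.subject in anchors:
            return True, "chain ends at trusted anchor: %s" % common_name(current.subject)
        seen.add(current.subject)
        issuer = by_subject.get(current.issuer)
        if issuer is None or issuer.subject in seen:
            # Reached a self-signed or unknown issuer without meeting an anchor.
            return False, "The certificate is NOT trusted. The certificate issuer is unknown."
        if not issuer.is_ca:
            return False, "issuer is not a CA: %s" % common_name(issuer.subject)
        current = issuer


if __name__ == "__main__":
    host = "keyserver.myriapolis.net"
    print("leaf as anchor:    ", verify_chain(SERVER_CHAIN, [LEAF], host))
    print("AddTrust as anchor:", verify_chain(SERVER_CHAIN, [ADDTRUST_ROOT], host))
    print("status 0x0042 =", decode_status(0x0042))
```

Running it reproduces the two outcomes from the thread: with the *.myriapolis.net leaf as the only configured anchor, the walk climbs to the self-signed AddTrust root without ever meeting a trust anchor and reports "issuer is unknown"; with the AddTrust root configured (or the COMODO intermediate, since an anchor may sit anywhere in the path), the walk stops there and succeeds. Note also the log line "permanently loaded certificates: 0", which a practitioner should read alongside the verification failure: whatever hkp-cacert pointed at, nothing usable as an anchor had been loaded.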


Re: SKS Keyserver, HKPS, and GnuPG 2.1

2015-03-18 Thread Samir Nassar
On Wednesday, March 18, 2015 06:18:53 PM Daniel Kahn Gillmor wrote:
> It looks to me like you're using the server's certificate as the CA
> certificate.  I don't think that's going to work.  Maybe you want to use
> the Addtrust root cert (attached here)

Ahem. You are so very right. Somehow it escaped me that what I want for the 
setup is the CA cert, this despite dirmngr.conf having the line: hkp-cacert

> and then point hkp-cacert to that?

Now things work. I feel a bit foolish, but it's just wounded ego.

David Wood wrote me off-list and pointed out 
https://bugs.g10code.com/gnupg/issue1792 fixes access to my keyserver so I am 
writing for clarification.

Thank you Kristian and Daniel and David for your help.

Samir




SKS Keyserver, HKPS and GnuPG 2.1

2015-03-18 Thread David Wood
Dear all,

Apologies for the thread break - I was reading via the archives and have
only just subscribed.

I debugged this issue a few days ago. I've posted a patch for testing and
hopefully incorporation into a future GnuPG 2.1 build at
https://bugs.g10code.com/gnupg/issue1792

With this patch, hkps://hkps.pool.sks-keyservers.net works correctly for me.


David
-- 
David Wood
david.j.woo...@gmail.com