Re: Email-only UIDs and verification (was: Making the case for smart cards for the average user)

[MFPA]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512



On Wednesday 18 March 2015 at 6:18:57 PM, in
, Jose Castillo
wrote:


> On Mar 16, 2015, at 8:55 PM, MFPA
> <2014-667rhzu3dc-lists-gro...@riseup.net> wrote:

MFPA>> No angle brackets around the email address means no key found.

JC> Good point, I’ll make that change.

Appreciated.

As you probably read in Daniel Kahn Gilmore's message, he has lodged a
bug report/feature request for GnuPG.


JC> As a sidenote, I
> notice that when I’m generating a key interactively, I
> get an error message of 'Name must be at least 5
> characters long’ when I try to make an email-only UID.
> It works in batch mode, and obviously with the
> allow-freeform-uid option, but just thought it was
> interesting to point out. Someone attempting to make
> such a UID in the interactive mode might be forgiven
> for putting their email address in the ‘name’ field as
> a workaround.

They would be scolded at the next prompt, then probably either give
up, or go back and enter a name, or enter their email address a second
time.

I would imagine the "average user" you are aiming at would use your
GUI to create keys. A more advanced user might read your
documentation, so you could tell them which options to use if they
wanted to create a key matching your bespoke user-id standard through
the normal GnuPG text interface.




MFPA>> Thinking about it, you don't need the user to click a
>> link or to reply to an email at all.

> This is a very good point, and I can see making this
> change.

I would think it would make it easier to code: you don't have to
bother tracking the verication link/email.



> This was in reference to the PGP global directory’s
> verification check. Having never used it I’m curious
> why the validity period is only two weeks.

Lots of activation or verification links sent out by email have a
short validity period. People are used to that.

PGP Global Directory's FAQ
 says:-

What if I don't respond to the renewal message?

The PGP Global Directory will give you two weeks to respond. If
you don't respond, your key will be removed from the directory, as
it is assumed you no longer have the key or are no longer using
the email address in the user ID of the key.




> Does the
> user have to re-verify their email address every two
> weeks? That seems excessive.

It would be.(-;

The user has two weeks to react to the verification email. Once the
user has verified the email address, the verification is good for six
months. Then they get a renewal verification email, and so on.

I have no idea why the PGP GD verification signatures last only two
weeks instead of six months. Their FAQ is silent on the matter.



MFPA>> Finally, if the person at the other end is able to
>> decrypt my message and reply to me, then the key and
>> the email address are controlled by the same person.
>> What assurance does the verification service add?

> In the case of establishing communication with someone
> you haven’t yet met, it gives you an assurance that a
> third party has verified that they were in control of
> the address on a given date within the last year.

The person at the other end decrypting my message and replying to me
shows that the key and the corresponding email address are both
controlled by the same person today (Person A), verified by me.

Additional information: the verification service verified that the key
and the email address were both controlled by the same person (Person
B)on a given verification date within the last year.

I am opening communication with the Person A at that address today. I
neither know nor care if Person B, who was there within the last year,
is the same person as person A. So I cannot think of a use for the
additional information. (I'm not saying there is no use, merely that I
can't see one.)



> If I
> query your email address and find four keys, I don’t
> know what to do;

Good question.

1. You could ask me, in an email encrypted to all four keys.

2. You could ask me, in up to four individually-encrypted emails. May
not need all four if I answer before you sent them all.

3. Out-of-bound communication, such as phone.

4. Look for clues in my email signature block or headers.



> but if one of them is trusted by the
> email verification service, which I trust, then there’s
> only one valid key.

The email verification service's signature, which warrants that the
key and email address were under common control on a specific date in
the past year. That is a reasonable first guess out of the four keys,
and makes that one key "valid" in accordance with your bespoke Signet
simplified validity scheme.




- --
Best regards

MFPA  

Don't anthropomorphize computers - they hate it
-BEGIN PGP SIGNATURE-

iQF8BAEBCgBmBQJVC3C0XxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VD

Re: New "Everyman's software" from CeBIT in Germany

[da...@gbenet.com]

On 19/03/15 22:32, Ingo Klöcker wrote:
> On Thursday 19 March 2015 09:18:03 Thomas F. Ruddy wrote:
>> Dear all,
>>
>> I'd be interested in hearing Werner Koch's take on this recent
>> innovation. Werner, you speak German:
>>
>> A new "Everyman's software" featuring certification, key servers,
>> currently Windows only (Linux planned),
>>
>> https://www.sit.fraunhofer.de/de/volksverschluesselung/
>>
>> Said to be Open Source in this news-story,
>>
>> http://www.nzz.ch/mehr/digital/cebit-2015-fraunhofer-volksverschluesselung-1
>> .18505017
> 
> Both links do not provide technical details. They talk about two things 
> provided by their solution: A central PKI and some end-user-friendly software 
> for certificate creation which automagically adds the certificate to the 
> user's software (email client, browser, other software).
> 
> I don't see any indication for a new crypto-standard. So their solution will 
> either uses S/MIME or OpenPGP. I suspect it will be S/MIME because more 
> software supports S/MIME out-of-the-box. ... I guessed correctly. It's based 
> on S/MIME: 
> http://www.golem.de/news/projekt-volksverschluesselung-fraunhofer-institut-vereinfacht-s-mime-einrichtung-1503-113011.html
> 
> Moreover, at first one will have to use the eID feature of the new German 
> personal identification card for requesting the certification of one's 
> certificate.
> 
> https://www.sit.fraunhofer.de/de/news/aktuelles/presse/details/news-article/verschluesselung-fuer-alle/
>  (also in German)
> 
> 
> Another crypto project is shown at CeBIT. It's also based on the eID feature.
> 
> Governikus (developed for the German BSI) offers web application for 
> certifying one's OpenPGP key with one's personal identification card. So it's 
> basically key certification by the German government (for German citizen's 
> only).
> https://www.governikus.com/de/pressemitteilungen#entry_6938266
> 
> 
> Both services appear to be restricted to Germany.
> 
> 
> Regards,
> Ingo
> 
> 
> 
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
> 
Well if it's Windoz - then Microsoft are lurking in the woodwork - and that 
smells like very
bad news. Microsoft are never into free as in a free beer - Microsoft are into 
tying people
in to their software. End-user friendly software? Yeah right - whatever 
Microsoft does -
it's primary objective is to make more money - and does not give a shit about 
end-user
security. It's just another ploy to get users to give up Linux - or move to a 
Linux that
they control - and we have all seen how they play tricks over the years.

We have the whole house for free - that may still erk those that do not support 
free
software - and free encryption.

David


-- 
“See the sanity of the man! No gods, no angels, no demons, no body. Nothing of 
the
kind.Stern, sane,every brain-cell perfect and complete even at the moment of 
death. No
delusion.” https://linuxcounter.net/user/512854.html - http://gbenet.com



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Making the case for smart cards for the average user

[MFPA]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512



On Wednesday 18 March 2015 at 1:35:46 AM, in
,
Brian Minton wrote:


> I thought keyservers strip all punctuation. So
>  becomes foo example com.

Keyservers seem to do that.

GnuPG locating keys on the local keyring does not.

A user with GnuPG configured to automatically fetch keys from a
keyserver when not found locally might end up needlessly
re-downloading a correspondent's key each time they encrypted to (or
verified a signature from) . But they would be
stuffed when the email client was trying to match their own key to
sign a message.


- --
Best regards

MFPA  

During an eruption - move away from the volcano - not towards it
-BEGIN PGP SIGNATURE-

iQF8BAEBCgBmBQJVC1DrXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwKpIIAJ05WmDKk3nHRMkltXHkbSWf
ooIgxghfGVPQg3p8UhEkYUpXc3klTYYTOqfhqVj+X6IzkxRsVh1pTKHrmUyi/etz
NDyD6C9WcV8PjmkqNyTc8VeuEtoTHHFzSJgJCnpcGfo7NDNqi0Oziihtsl7eUZOD
QDLxbzGsOh8ZT1R0o9cXBoijgX7oATdnyFrJnQx4Oj0ZE2GBG58OBWNj49TPXq/A
OBL1yx3UJu4oeR3xrM4f+rzoSdfTDLiV4jyVdVDAHte/qwCGuCxJBet8kz71S+xv
xnS5MDF79J6PzJVnmoXk/SbCywK07jIxdHsWJQLF/oMgj848Qe/Ex9rBC8/aI22I
vgQBFgoAZgUCVQtQ8F8UgAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx
MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45BdOAQCMpSMgXJwxmmTcRXJ/F6F5iyni
VCWDKGYUdYpHQhW38AEAte5iLUend33MxeoX37AZLWSYaRq8sJc7EL3B77menA0=
=HHqd
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: New "Everyman's software" from CeBIT in Germany

[Ingo Klöcker]

On Thursday 19 March 2015 09:18:03 Thomas F. Ruddy wrote:
> Dear all,
> 
> I'd be interested in hearing Werner Koch's take on this recent
> innovation. Werner, you speak German:
> 
> A new "Everyman's software" featuring certification, key servers,
> currently Windows only (Linux planned),
> 
> https://www.sit.fraunhofer.de/de/volksverschluesselung/
> 
> Said to be Open Source in this news-story,
> 
> http://www.nzz.ch/mehr/digital/cebit-2015-fraunhofer-volksverschluesselung-1
> .18505017

Both links do not provide technical details. They talk about two things 
provided by their solution: A central PKI and some end-user-friendly software 
for certificate creation which automagically adds the certificate to the 
user's software (email client, browser, other software).

I don't see any indication for a new crypto-standard. So their solution will 
either uses S/MIME or OpenPGP. I suspect it will be S/MIME because more 
software supports S/MIME out-of-the-box. ... I guessed correctly. It's based 
on S/MIME: 
http://www.golem.de/news/projekt-volksverschluesselung-fraunhofer-institut-vereinfacht-s-mime-einrichtung-1503-113011.html

Moreover, at first one will have to use the eID feature of the new German 
personal identification card for requesting the certification of one's 
certificate.

https://www.sit.fraunhofer.de/de/news/aktuelles/presse/details/news-article/verschluesselung-fuer-alle/
 (also in German)


Another crypto project is shown at CeBIT. It's also based on the eID feature.

Governikus (developed for the German BSI) offers web application for 
certifying one's OpenPGP key with one's personal identification card. So it's 
basically key certification by the German government (for German citizen's 
only).
https://www.governikus.com/de/pressemitteilungen#entry_6938266


Both services appear to be restricted to Germany.


Regards,
Ingo


signature.asc
Description: This is a digitally signed message part.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: --verify --status-fd separator for multiple signatures?

[Werner Koch]

On Thu, 19 Mar 2015 18:39, patrick-mailingli...@whonix.org said:

> when using --verify combined with --status-fd [or --status-file], how
> can one notice in scripts, that processing the one signature is done and
> that further status-fd messages belong to the next message?

That is unfortunately a bit complicated due to different behaviour in
gpgsm and gpg.  I suggest to do what we do in gpgme/src/verify.c .  Of
course if would be useful to make sure that NEWSIG is also emitted by
gpg but you also need to take care of older gpg versions.

I assume adding NEWSIG to gpg has simply be forgotten.


Shalom-Salam,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: --verify --status-fd separator for multiple signatures?

[Doug Barton]

On 3/19/15 10:39 AM, Patrick Schleizer wrote:

Hi,

when using --verify combined with --status-fd [or --status-file], how
can one notice in scripts, that processing the one signature is done and
that further status-fd messages belong to the next message?


You are using --with-colons, right?


--
I am conducting an experiment in the efficacy of PGP/MIME signatures. 
This message should be signed. If it is not, or the signature does not 
validate, please let me know how you received this message (direct, or 
to a list) and the mail software you use. Thanks!




signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

--verify --status-fd separator for multiple signatures?

[Patrick Schleizer]

Hi,

when using --verify combined with --status-fd [or --status-file], how
can one notice in scripts, that processing the one signature is done and
that further status-fd messages belong to the next message?

I mean, sometimes it shows SIG_ID, but not in case of ERRSIG.

So is there some line / separator that can be reliably used?

Cheers,
Patrick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Article in Forbes.

[Hans-Christoph Steiner]

Sounds like you should report it directly to GPGTools.org.  I'm sure they have
a bug tracker or mailing address somewhere.

Have you seen any technical details on this attack?  Its hard to tell exactly
what's happening from that article.

.hc

Eric F:
> Perhaps not directly gnupg related, more OS X related. But, with both
> GPGtools an GnuPG for OS X I'll post it here... (and there was this OS X
> sec. discussion the other week) :)
> 
> It's seem like “Gatekeeper” is only using http if I read it correctly.
> 
> Ex-NSA Researcher Finds Sneaky Way Past Apple Mac's Gatekeeper
> http://www.forbes.com/sites/thomasbrewster/2015/03/17/apple-mac-gatekeeper-bypass-exacerbated-by-unencrypted-av-downloads/
> 
> “He found around 150 on his own machine, including hugely popular
> software like Microsoft Word and Excel, Apple’s own iCloud Photos and
> Dropbox. The list also included Apple’s developer tool *XCODE and email
> encryption key management software GPG Keychain, both of which he abused
> in his proof of concept attacks*.”
> 
> 
> I have no idea how this works, but one question that came in mind was if
> a hijacked “GPG Keychain” on a Mac computer could form a threat to gpg
> on other platforms?
> 
> Anyway, interesting reading. Just wanted to share.
> 
> /Eric
> 
> 
> 
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
> 

-- 
PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
https://pgp.mit.edu/pks/lookup?op=vindex&search=0x9F0FE587374BBE81

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: USB key form-factor smart-card readers with pinpads?

[Sam Kuper]

On 13/01/2014, Peter Lebbing  wrote:
> On 12/01/14 00:18, Sam Kuper wrote:
>> Again, perhaps I am wrong. But if I am not, then the use of OpenPGP
>> cards with non-pinpad readers still makes no sense (at least, not to
>> me).
>
> Since most readers don't filter VERIFY commands

Yes, I'm getting to realise this. Ideally, it ought ought to be
possible to easily tell before buying a reader whether it does this or
not.

Apologies for my delay in replying, btw.

> and additionally you can't
> force
> the OpenPGP smartcard to require a VERIFY before each decryption anyway,
> the
> pinpad really doesn't add much at all for decryption.
>
> With regard to the PIN not being known to the attacker when using a pinpad:
> Werner disagrees that a pinpad can reliably accomplish that. I did a
> feature
> request about a year ago, you should read this thread: [1]. And especially
> Werners answer in [2]. So according to him, it doesn't add much for
> signatures
> either.

Thank you for the links.

> A bugged reader firmware (certainly a possibility) would even still work in
> the
> face of a reader filtering VERIFY commands. I think most readers have
> upgradeable firmware. If an attacker has your PC and knows a vulnerability
> in
> the firmware upgrade method, they can just flash their own firmware in your
> smartcard reader. This is a really difficult to solve scenario. I do think
> it
> requires a rather capable attacker.

Again, I know of no easy way to discover the "flashability" of a
reader in advance of a purchase. No-one has collated this information
for popular readers, as far as I'm aware.

Readers really ought to require physical access (e.g. by means of a
jumper pin that would switch between normal functionality with
flashing disabled in order to be re-flashed.

Best regards,

Sam

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: SKS Keyserver, HKPS and GnuPG 2.1

[Werner Koch]

On Wed, 18 Mar 2015 22:52, david.j.woo...@gmail.com said:

> I debugged this issue a few days ago. I've posted a patch for testing and
> hopefully incorporation into a future GnuPG 2.1 build at

It is on my shortlist.

Thanks,

  Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

New "Everyman's software" from CeBIT in Germany

[Thomas F. Ruddy]

Dear all,

I'd be interested in hearing Werner Koch's take on this recent
innovation. Werner, you speak German:

A new "Everyman's software" featuring certification, key servers,
currently Windows only (Linux planned),

https://www.sit.fraunhofer.de/de/volksverschluesselung/

Said to be Open Source in this news-story,

http://www.nzz.ch/mehr/digital/cebit-2015-fraunhofer-volksverschluesselung-1.18505017

-- 

Thomas Ruddy, Germany






signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users