Re: Teaching GnuPG to noobs

2015-06-18 Thread Werner Koch
On Thu, 18 Jun 2015 01:24, br...@minton.name said:
> I've never heard of a spring lock, but I looked it up. It is a lock that
> anyone can momentarily unlock with a key, but which, when it is not being held
> open, shuts and locks itself.

According to my translator the German term "Schnappschloss" means "spring
lock" in English.  The spring is used to push the U-bolt up when
not locked.  At least in Germany the most common type of padlock is a
spring lock:

   https://upload.wikimedia.org/wikipedia/en/5/59/Padlock.svg

Cable locks for bicycles also work this way.


Shalom-Salam,

   Werner



ps.
Some people (deliberately) forget their passphrases:

  


-- 
Thoughts are free.  Exceptions are regulated by a federal law.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: gpg-agent unable to see yubikey until manually re-running `gpg --card-status`

2015-06-18 Thread Werner Koch
On Wed, 17 Jun 2015 18:17, si...@josefsson.org said:

> I've seen the error many times, also when I used a g10code smartcard,
> but lately things have been smooth.  I think there have been a couple of

Old versions of GnuPG assumed that there is a card reader which can tell
you whether a card has been removed or inserted.  However USB tokens are
different in that you insert/remove the entire reader.  gniibe fixed
these problems some time ago.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: Teaching GnuPG to noobs

2015-06-18 Thread Stephan Beck
Hi,

On 16.06.2015 at 15:50, A.T. Leibson wrote:

> Lastly, what's your favorite noob-friendly guide, and why?

I think that the guide available at (1)

(1) https://emailselfdefense.fsf.org/en/

is the most suitable for noobs (as far as I know), because it's straightforward
and short. I would not bother too much about more or less suitable metaphors, as
the most frightening (more or less suitable?) metaphor is BIG BROTHER ('s
surveillance state/s).
Well, I am not an instructor, but someone who is still learning and studying.
The leaflet available at the same address is visually attractive and explains
the absolute beginner's basics quite well.

Cheers,

Stephan









Re: gpg-agent unable to see yubikey until manually re-running `gpg --card-status`

2015-06-18 Thread Lance R. Vick
I only ever tried this on 2.0.0 as far as older versions go, and that was
similarly broken. I didn't bother documenting as I saw there were some
smartcard updates in 2.1.4 so I upgraded.

Just now had another variation (on 2.1.4):

1. start gpg-agent
2. populate SSH_AUTH_SOCK
3. ssh successfully
4. remove yubikey
5. insert yubikey
6. attempt to ssh -> "Permission Denied (Publickey)"
7. `gpg --card status` -> "no card present"
8. `gpg --card status` (again) -> Got usual card output
9. ssh successfully again


On Thu, Jun 18, 2015 at 1:32 AM, Werner Koch  wrote:

> On Wed, 17 Jun 2015 18:17, si...@josefsson.org said:
>
> > I've seen the error many times, also when I used a g10code smartcard,
> > but lately things have been smooth.  I think there have been a couple of
>
> Old versions of GnuPG assumed that there is a card reader which can tell
> you whether a card has been removed or inserted.  However USB tokens are
> different in that you insert/remove the entire reader.  gniibe fixed
> these problems some time ago.
>
>
> Salam-Shalom,
>
>Werner
>
> --
> Thoughts are free.  Exceptions are regulated by a federal law.
>
>



-- 
Lance R. Vick
__
Cell  -  407.283.7596
Gtalk -  la...@lrvick.net
Website   -  http://lrvick.net
PGP Key   -  http://lrvick.net/0x36C8AAA9.asc
keyserver -  subkeys.pgp.net
__


Re: Teaching GnuPG to noobs

2015-06-18 Thread Chuck Peters
Stephan Beck said:
> On 16.06.2015 at 15:50, A.T. Leibson wrote:
> 
> > Lastly, what's your favorite noob-friendly guide, and why?
> 
> I think that the guide available at (1)
> 
> (1) https://emailselfdefense.fsf.org/en/

Potential instructors: please explain subkeys and how it might be best to 
primarily use subkeys on your computer, tablet etc...

#5 USE IT WELL
...
IMPORTANT:
ACT SWIFTLY IF SOMEONE GETS YOUR PRIVATE KEY
If you lose your private key or someone else gets ahold of it (say, by stealing 
or cracking your computer), it's important to revoke it immediately before 
someone else uses it to read your encrypted email. This guide doesn't cover how 
to revoke a key, but you can follow the instructions on the GnuPG site. After 
you're done revoking, send an email to everyone with whom you usually use your 
key to make sure they know.
The text links to https://www.gnupg.org/gph/en/manual.html#AEN305


If I were to use the instructions and followed the link, I would say, what are 
subkeys?  And have no clue about keeping which keys or subkeys where...

Proper training should include the processes to recover a loss of a private 
subkey without losing all your key signings.

The best HowTo on subkeys I have seen, but not really noob-friendly if you want 
to avoid the command line:
https://wiki.debian.org/Subkeys


Thanks,
Chuck   




two-lock mailbox analogy

2015-06-18 Thread listo factor

FWIW, I use the following analogy:

I have a secure steel mailbox, located on a street corner - just
like the Post Office does - that I visit occasionally to collect
the mail that my correspondents have deposited there. The only
difference between my box and those owned and operated by the
Post Office is that on my box, there is a second lock and key,
one that is required to open the slot by which the letters are
deposited into the mailbox. Copies of that key I give freely to
all that want to securely send me a message. This is the public
key: it is useless for retrieving the messages from the box, it
can be used only to deposit them.

Just like the Post Office, I have another, private key, which is in
my possession only, and which I must keep protected. This one opens
the back cover of the steel box, one through which I, just like the
post office collection truck operator, retrieve all the letters
from the mailbox.

The set of two keys, private and public, are mathematically related
in a unique way. The public key is thus also useful to confirm
that the message is deposited in my box, as opposed to somebody
else's box that happens to be located on the same street corner.

I advise those that I teach how to use GPG to completely ignore
WOT and key-signing, and to rely on rigorous out-of-channel key
fingerprint verification. If they don't, they could be depositing
their messages into an imposter's box, who could read them, and
(since he, like everybody else, is likely to be in the possession
of my public key) afterward deposit them in my mailbox. Neither
I, nor the message sender would know that such message has been
read by the imposter.

Teaching those that don't have a very concrete idea of the cost to
themselves and/or to their correspondents in case the content of
their communication is compromised is a waste of time: they lack
the motivation to put in the considerable effort that is necessary
to effectively use (as opposed to just "go through the motions")
of something as complex as GPG.

Advocating for the adoption of encrypted communication as a matter
of personal policy or principle, in conjunction with teaching the
use of a complex software system necessary to do it is, IMHO,
a big mistake.

Listo Factor





gpg2 --card-status does not create key stubs

2015-06-18 Thread d...@ucore.info
Hi,
It used to work just fine, and on a new machine, after importing public key
subkeys, `gpg --card-status` would just create secure stubs so that the gpg
smartcard can be used.

Now it is not happening. How to debug what is the issue?


Regards,
-- 
Dawid Ciężarkiewicz


Re: gpg-agent unable to see yubikey until manually re-running `gpg --card-status`

2015-06-18 Thread Lance R. Vick
Another example I just had happen:

1. start gpg-agent
2. populate SSH_AUTH_SOCK
3. ssh successfully
4. remove yubikey
5. insert yubikey
6. attempt to ssh -> "Permission Denied (Publickey)"
7. `gpg --card status` -> "no card present"
8. `gpg --card status` -> "no card present"
9. `gpg --card status` -> "no card present"
11. (...etc. it refused to come back this time)
12. killall gpg-agent
13. `gpg --card status` (again) -> Got usual card output
14. ssh successfully again

On Thu, Jun 18, 2015 at 10:56 AM, Lance R. Vick  wrote:

> I only ever tried this on 2.0.0 as far as older versions go, and that was
> similarly broken. I didn't bother documenting as I saw there were some
> smartcard updates in 2.1.4 so I upgraded.
>
> Just now had another variation (on 2.1.4):
>
> 1. start gpg-agent
> 2. populate SSH_AUTH_SOCK
> 3. ssh successfully
> 4. remove yubikey
> 5. insert yubikey
> 6. attempt to ssh -> "Permission Denied (Publickey)"
> 7. `gpg --card status` -> "no card present"
> 8. `gpg --card status` (again) -> Got usual card output
> 9. ssh successfully again
>
>
> On Thu, Jun 18, 2015 at 1:32 AM, Werner Koch  wrote:
>
>> On Wed, 17 Jun 2015 18:17, si...@josefsson.org said:
>>
>> > I've seen the error many times, also when I used a g10code smartcard,
>> > but lately things have been smooth.  I think there have been a couple of
>>
>> Old versions of GnuPG assumed that there is a card reader which can tell
>> you whether a card has been removed or inserted.  However USB tokens are
>> different in that you insert/remove the entire reader.  gniibe fixed
>> these problems some time ago.
>>
>>
>> Salam-Shalom,
>>
>>Werner
>>
>> --
>> Thoughts are free.  Exceptions are regulated by a federal law.
>>
>>
>
>
>





Re: gpg-agent unable to see yubikey until manually re-running `gpg --card-status`

2015-06-18 Thread NIIBE Yutaka
Hello,

Thank you for more information.

On 06/19/2015 06:57 AM, Lance R. Vick wrote:
> Another example I just had happen:
> 
> 1. start gpg-agent
> 2. populate SSH_AUTH_SOCK
> 3. ssh successfully
> 4. remove yubikey
> 5. insert yubikey
> 6. attempt to ssh -> "Permission Denied (Publickey)"
> 7. `gpg --card status` -> "no card present"
> 8. `gpg --card status` -> "no card present"
> 9. `gpg --card status` -> "no card present"
> 11. (...etc. it refused to come back this time)
> 12. killall gpg-agent
> 13. `gpg --card status` (again) -> Got usual card output
> 14. ssh successfully again

This is not reproducible here.  The second SSH (#6) just works.

My environment is GnuPG 2.1.5 on Debian GNU/Linux, and I use in-stock
CCID driver (I don't install PC/SC service).

Please let me know if you have PC/SC service or not.  If yes, could
you please let me know the version of pcscd and libccid (if you are
using GNU system or Mac OS).

Are there any other programs which might access Yubikey?  Or, do you
have multiple gpg-agent(s) / scdaemon(s), by chance, when you get such
an error?
-- 

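The checks NIIBE asks for above, as an added example that is not code from this thread or from GnuPG itself: a small POSIX sh triage script (hypothetical name `triage.sh`) that counts running gpg-agent, scdaemon and pcscd processes, classifies the output of `gpg --card-status`, and when no card is seen restarts only scdaemon with `gpgconf --kill scdaemon` instead of killing the whole agent as in Lance's step 12. It assumes GnuPG 2.1 with `gpgconf` on PATH and a ps(1) that accepts `-eo comm=`.

```shell
#!/bin/sh
# Added example, not code from this thread or from GnuPG itself: triage for the
# "card not seen after reinsert" problem. Runs the checks NIIBE asks for above
# (is a PC/SC service running? more than one gpg-agent or scdaemon?) and, when
# the card is absent, restarts only scdaemon with "gpgconf --kill scdaemon".
# Assumptions: GnuPG 2.1 with gpgconf on PATH, and a ps(1) accepting "-eo comm=".

# count_procs NAME: count processes named NAME in "ps -eo comm=" output on stdin.
count_procs() {
  grep -c "^$1\$" || true   # grep exits 1 on zero matches; the count is still printed
}

# card_state: classify `gpg --card-status` output read from stdin as
# "present" (an Application ID line was printed), "absent" (GnuPG reported that
# no card or device is available; the phrases below are the ones quoted in this
# thread plus the GnuPG 2.1 wording, an assumption) or "unknown".
card_state() {
  out=$(cat)
  case "$out" in
    *"Application ID"*)                                            echo present ;;
    *"card not available"*|*"No such device"*|*"no card present"*) echo absent ;;
    *)                                                             echo unknown ;;
  esac
}

# triage: run the live checks; exit status 0 means the card is usable.
triage() {
  procs=$(ps -eo comm=)
  for d in gpg-agent scdaemon; do
    n=$(printf '%s\n' "$procs" | count_procs "$d")
    if [ "$n" -gt 1 ]; then
      echo "warning: $n $d processes running (expected at most one)" >&2
    fi
  done
  echo "pcscd processes: $(printf '%s\n' "$procs" | count_procs pcscd)"
  state=$(gpg --card-status 2>&1 | card_state)
  if [ "$state" != present ]; then
    echo "card $state after first probe; restarting scdaemon" >&2
    gpgconf --kill scdaemon
    state=$(gpg --card-status 2>&1 | card_state)
  fi
  echo "card: $state"
  [ "$state" = present ]
}

# Run the live checks only when invoked as: sh triage.sh run
if [ "${1-}" = run ]; then triage; fi
```

If the warning about multiple daemons fires, that answers NIIBE's last question; if the card only comes back after the scdaemon restart, the reader-detection path rather than the agent is the part to report.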


Re: Teaching GnuPG to noobs

2015-06-18 Thread Faramir
On 17-06-2015 at 11:15, Robert J. Hansen wrote:
...
> The most common one I've found is not understanding the material as
> well as they think.  This tends to come through most in the
> metaphors an instructor uses.  For instance, I frequently encounter
> instructors who tell the class to imagine a lock with two keys, one
> that locks it and one that unlocks it, and they proceed to use that
> lock metaphor to explain crypto.
> 
> It's absurd.  Who in the class has ever seen a lock with two keys,
> one that locks it and one that unlocks?  The metaphor's ridiculous:
> the locks the students are familiar with require *no* keys to lock
> and only one key to unlock.

  I remember a tutorial that compared it to a lock and 1 key. I keep
the key, and send the lock to the person that will send messages to
me. The person writes the message, puts it in a box, and locks the box
with the lock.
  I think that is very accurate, because I can encrypt messages to
your public key, even if I don't have a key of my own (of course, in
that case I can't sign the message, but that is a different operation).

  Maybe the magical wax could be useful to explain signatures? Or... I
can send you a sample of my DNA. Then I write a message, and sign it
using my blood as ink (ouch!), you get the message, run a DNA test...
The only way somebody can fake my signature would involve stealing a
sample of my blood, but then, it would be like stealing my private key.

  Best Regards

