Re: Non-interactive PIN not accepted, gpg hangs

[NIIBE Yutaka]

Hello,

While the discussion proceeds, I can't determine which post I should
reply.  Well, I think I reply to this post.

On 09/30/2015 10:37 PM, Laurent Blume wrote:
> The thing is, I asked around (on some other lists), and had a look at
> HSM's, we even have a hundred thousands € worth of HSM, used for
> something completely different.
> But that's the thing: those very expensive thingies, they come with an
> API and a manual, you «only» need to develop your application around it.
> The NitroKey (and others like it) are both cheaper and easier to deploy
> using off-the-shelf software (at least it looks so on paper).
> That said, maybe the Pro model is not the right one, and I made a
> mistake there out of ignorance.

I think that Nitrokey series would be a right solution, both for
hardware-wise and their perspective.

As Peter suggested, I feel that your use case is not directly related
to OpenPGP.  It seems that you just need simple (non-interactive)
public key authentication.

IIUC, I believe that Nitrokey community would be best place for such a
use case.  I guess that they are open to diverse use cases other than
OpenPGP, while I have narrow/tight perspective for my Gnuk Token,
specifically limited to OpenPGP.

I think that it is not that technically difficult to write an
application to access Nitrokey (something) for simple non-interactive
public key authentication.  If you say you made a mistake, it's just
that it has not been directly supported by existing tool of GnuPG and
its friends.

> My impression is that there are no middle-ground options between the
> cheap, personal use device and the super-expensive brick.
> If you do have suggestions, they're very welcome. I'm still assessing
> feasibility, and able to change directions.

OpenPGPcard compatible assumes it's users who control their computing.
This can be done by reasonable cost, because there are less conflicts.

Most smartcard/token applications assume that it's a company (or other
entity) who should control "consumers"' computing.  This is a
different problem to solve, and some expensive solution is only to be
expected, naturally, --- no wonder.
-- 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How to get your first key signed

[Bob Henson]

On 30/09/2015 8:58 pm, Robert J. Hansen wrote:
>> I create for myself a gpg key and want to get it signed
> 
> More important than whether your certificate gets signed is who signs
> the certificate, who they are connected to, and so on.
> 
> Some people will sign almost anything.  People who get a reputation for
> signing anything develop a reputation for their signatures being
> meaningless.  Some people have very strong requirements before they'll
> sign.  Their signatures are often worth quite a lot of credibility, but
> good luck getting them.
> 
> The good news is this *can be done*.  I promise.
> 
> The best thing you can do right now is to get involved in the community.
>  Get engaged in the mailing lists (here, PGP-Basics, Enigmail-Users are
> three good ones).  And when you post, sign your messages.  Over time
> people will come to trust that your signature connects to the real you,
> even if they can't promise that your name really is David Niklas, or
> can't say what you look like.
> 

Whilst that is partially useful, surely it only vouches for the fact
that the postings came from the same person and not who that person is -
and as such is of very limited use. I have a "newsgroup" key for that
purpose - but it is a tad pointless. I think I know the person who calls
himself Robert J. Hansen and you have certainly corresponded with
someone called Robert H. Henson, but we have no idea who those people
are unless we meet. Keys should only ever be signed in person and if the
person is not well known to you by sight, with some form of irrefutable
photo evidence being presented along with the key signature - a
passport, or something carrying equal weight.

There might be a possible exception where there is no individual person
to meet - the verification signature with software, say. When you have
downloaded the software from the same, known website for some time it
might be reasonable to sign the verification key - if a tad pointless if
it is only really a checksum. Perhaps the same applies to a Certificate
Authority key, say. But a signature of any person's key that you have
not met and positively verified is worse than useless as it degrades the
whole trust process. Someone who I had never previously even heard of
once signed my old, now revoked key - were that person someone "known"
to be nasty, it would have degraded my key's value. The best it could
have been is totally meaningless.


Regards,

Bob




signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How to get your first key signed

[Peter Lebbing]

On 01/10/15 10:33, Bob Henson wrote:
> There might be a possible exception where there is no individual
> person to meet - the verification signature with software, say. When
> you have downloaded the software from the same, known website for
> some time it might be reasonable to sign the verification key - if a
> tad pointless if it is only really a checksum.

Well, it doesn't help me at all to know that the developer of said
software indeed has "David Niklas" on his passport. That gives me no
more confidence in the integrity of the software than if he had a
different name. All I need to know is that that piece of software that I
previously trusted has had an update written by the guy or girl I trust,
regardless of his or her name.[1]

I don't understand "it's only really a checksum". The key property is
that it's signed by the same developer each and every time. A checksum
has very different properties, but I might simply misunderstand you.

> Someone who I had never previously even heard of once signed my old,
> now revoked key - were that person someone "known" to be nasty, it
> would have degraded my key's value.

No, it should not degrade the key's value. Unfortunately the key's value
is in the eye of the beholder, and that eye is often not fully aware of
the lack of implications an untrusted signature has. An untrusted
signature has precisely one implication: useless baggage. It neither
increases nor decreases the value of the key it has signed.

One of the people who's key I've signed at a keysigning party gained a
signature by Adolph Hitler. Enter Godwin's Law. Anyway, he revoked the
key. I can understand that. It just looks bad when someone uses the web
interface of a keyserver to look up his key. But it doesn't degrade his
key in any way other than what is a misperception. Only trusted keys
matter. Untrusted keys can be wholly ignored. Even if they are from the
Führer.

> The best it could have been is totally meaningless.

It /is/ totally meaningless. And we should educate users that it is
meaningless.

HTH,

Peter.

[1] If some really persistent threat was Man In The Middle all the time
I downloaded the software and the key, they could replace the key all
that time by their own. Then at some point, when I trust the wrong key,
they could still do something nasty with the software. But this is a
much higher bar than once MITM'ing and inserting nastiness.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How to get your first key signed

[Andrew Gallagher]

On 01/10/15 11:35, Peter Lebbing wrote:
> 
> Well, it doesn't help me at all to know that the developer of said
> software indeed has "David Niklas" on his passport. That gives me no
> more confidence in the integrity of the software than if he had a
> different name. All I need to know is that that piece of software that I
> previously trusted has had an update written by the guy or girl I trust,
> regardless of his or her name.[1]

Yes, trust in the intent, or competency, of a particular person is
completely different to verification of the identity of that person
(which is why I think PGP's use of the word "trust" in this context is
dangerously misleading).

> [1] If some really persistent threat was Man In The Middle all the time
> I downloaded the software and the key, they could replace the key all
> that time by their own. Then at some point, when I trust the wrong key,
> they could still do something nasty with the software. But this is a
> much higher bar than once MITM'ing and inserting nastiness.

And if you want to create a localsig on that basis, fire away. But
publicly certifying someone else's key is a statement of identity
verification, not trust.

A



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How to get your first key signed

[Bob Henson]

On 01/10/2015 11:35 am, Peter Lebbing wrote:
> On 01/10/15 10:33, Bob Henson wrote:
>> There might be a possible exception where there is no individual
>> person to meet - the verification signature with software, say. When
>> you have downloaded the software from the same, known website for
>> some time it might be reasonable to sign the verification key - if a
>> tad pointless if it is only really a checksum.
> 
> Well, it doesn't help me at all to know that the developer of said
> software indeed has "David Niklas" on his passport. That gives me no
> more confidence in the integrity of the software than if he had a
> different name. All I need to know is that that piece of software that I
> previously trusted has had an update written by the guy or girl I trust,
> regardless of his or her name.[1]

That's what I was implying when I described it as a possible exception.


> I don't understand "it's only really a checksum". The key property is
> that it's signed by the same developer each and every time. A checksum
> has very different properties, but I might simply misunderstand you.

If the program has been altered the signature will fail, will it not?

> 
>> Someone who I had never previously even heard of once signed my old,
>> now revoked key - were that person someone "known" to be nasty, it
>> would have degraded my key's value.
> 
> No, it should not degrade the key's value. Unfortunately the key's value
> is in the eye of the beholder, and that eye is often not fully aware of
> the lack of implications an untrusted signature has. An untrusted
> signature has precisely one implication: useless baggage. It neither
> increases nor decreases the value of the key it has signed.
> 
> One of the people who's key I've signed at a keysigning party gained a
> signature by Adolph Hitler. Enter Godwin's Law. Anyway, he revoked the
> key. I can understand that. It just looks bad when someone uses the web
> interface of a keyserver to look up his key. But it doesn't degrade his
> key in any way other than what is a misperception. Only trusted keys
> matter. Untrusted keys can be wholly ignored. Even if they are from the
> Führer.
> 
>> The best it could have been is totally meaningless.
> 
> It /is/ totally meaningless. And we should educate users that it is
> meaningless.

Agreed. But a new user who has yet to be educated would baulk at
trusting a key signed by Genghis Khan or Atilla the Hun - however they
perceived it, they might well refuse to acknowledge the signature as
valid and would certainly not sign it or assign it user trust - that's
human nature. Human beings are essentially illogical. :-)


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How to get your first key signed

[Mark H. Wood]

On Thu, Oct 01, 2015 at 09:33:59AM +0100, Bob Henson wrote:
> On 30/09/2015 8:58 pm, Robert J. Hansen wrote:
> >> I create for myself a gpg key and want to get it signed
> > 
> > More important than whether your certificate gets signed is who signs
> > the certificate, who they are connected to, and so on.
> > 
> > Some people will sign almost anything.  People who get a reputation for
> > signing anything develop a reputation for their signatures being
> > meaningless.  Some people have very strong requirements before they'll
> > sign.  Their signatures are often worth quite a lot of credibility, but
> > good luck getting them.
> > 
> > The good news is this *can be done*.  I promise.
> > 
> > The best thing you can do right now is to get involved in the community.
> >  Get engaged in the mailing lists (here, PGP-Basics, Enigmail-Users are
> > three good ones).  And when you post, sign your messages.  Over time
> > people will come to trust that your signature connects to the real you,
> > even if they can't promise that your name really is David Niklas, or
> > can't say what you look like.
> > 
> 
> Whilst that is partially useful, surely it only vouches for the fact
> that the postings came from the same person and not who that person is -
> and as such is of very limited use. I have a "newsgroup" key for that
> purpose - but it is a tad pointless. I think I know the person who calls
> himself Robert J. Hansen and you have certainly corresponded with
> someone called Robert H. Henson, but we have no idea who those people
> are unless we meet. Keys should only ever be signed in person and if the
> person is not well known to you by sight, with some form of irrefutable
> photo evidence being presented along with the key signature - a
> passport, or something carrying equal weight.

There are two issues here.  One is what the O.P. asked:  how to get
useful signatures which bind a key to a specific physical-world
person.  Face-to-face meetings, photo ID, etc. are all part of that.

But the other is binding a key to a reputation.  And that can be done
at arms' length, simply by doing stuff in public and signing the stuff
with your perhaps-unsigned key.  If I've examined, tested, and used
stuff bound to key X, and learned to trust it, then when I meet some
other stuff bound to key X it is not unreasonable to trust it more
readily since, by means of key X, it is bound to stuff that I already
trust.

> There might be a possible exception where there is no individual person
> to meet - the verification signature with software, say. When you have
> downloaded the software from the same, known website for some time it
> might be reasonable to sign the verification key - if a tad pointless if
> it is only really a checksum. Perhaps the same applies to a Certificate
> Authority key, say. But a signature of any person's key that you have
> not met and positively verified is worse than useless as it degrades the
> whole trust process. Someone who I had never previously even heard of
> once signed my old, now revoked key - were that person someone "known"
> to be nasty, it would have degraded my key's value. The best it could
> have been is totally meaningless.

To put my point more plainly:  signatures on products and signatures
on keys mean different things, and to gain trust for them works in
different ways.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu


signature.asc
Description: Digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How to get your first key signed

[Andrew Gallagher]

On 01/10/15 15:18, Mark H. Wood wrote:
> 
> To put my point more plainly:  signatures on products and signatures
> on keys mean different things, and to gain trust for them works in
> different ways.

Another case where common PGP terminology is confusing. You don't really
"sign a key", you certify that a particular identity should be bound to
a key. This process uses the same algorithm as a signature, but the
semantics are different - as evidenced by the fact that [C]ertify and
[S]ign are distinct usages.

A



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Seperate Session Key and Encrypted Data

[Anthony Papillion]

I 

On October 1, 2015 9:38:13 AM CDT, Christian Loehle  
wrote:
>I want to use gpg to encrypt a potentially large file to some
>(cloud-like) storage provider, the recipients are not known at the time
>of uploading.
>What I want to do is to send the encrypted session key of the file to a
>recipient, when I 'add' them, without re-uploading or even touching the
>original (encrypted) file.
>This should be possible, does anyone know how to? I'm also open to
>other
>suggestions.

Is there any reason why you can't just symmetrically encrypt it then send an 
encrypted message to them with the passphrase using their PGP key? 


-- 
Phone:  +1.845.666.3312
Skype:   CajunTechie 
SIP/VoIP:  17772471...@in.callcentric.com
PGP Key:   0x53B04B15
Fingerprint:   C5CE  E687  DDC2  D12B 9063  56EA  028A DF74  53B0  4B15



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Seperate Session Key and Encrypted Data

[Daniel Koszta]

You can use the --show-session-key and --override-session-key option for
gpg.

$ gpg --encrypt <<< "Test Message" > msg
$ gpg --decrypt --show-session-key msg
$ gpg --decrypt --override-session-key 'the_session_key_gpg_gave_you'

Note that you do not need your private key for the last operation.

However, I'm not sure of the security implications of this. From the gpg
manual:

> We think that Key Escrow is a Bad Thing

(Sorry if this message appear twice on the list; I couldn't see the first
one either in my inbox or the archives of the mailing list.)

2015-10-01 16:38 GMT+02:00 Christian Loehle :

> I want to use gpg to encrypt a potentially large file to some
> (cloud-like) storage provider, the recipients are not known at the time
> of uploading.
> What I want to do is to send the encrypted session key of the file to a
> recipient, when I 'add' them, without re-uploading or even touching the
> original (encrypted) file.
> This should be possible, does anyone know how to? I'm also open to other
> suggestions.
>
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Facebook and OpenPGP

[Jon Millican]

On 26 September 2015 at 03:24, Christian Heinrich 
> wrote:
>
> So as far as I am aware there is no integration with the Facebook
> GraphAPI yet :(

Hi, I'm Jon - I work on OpenPGP support at Facebook. I thought you might be 
interested to hear that we now support fetching public keys via the Graph API.

Keys can be fetched from someone's profile "public_key" field, e.g. you could 
fetch my public key with the query:

  /1617090031?fields=public_key

If you would like to experiment with this, you can try it out with the Graph 
API Explorer at https://developers.facebook.com/tools/explorer/145634995501895/ 
(you'll need to be logged in to use the tool).

Reference: https://developers.facebook.com/docs/graph-api/reference/user 



signature.asc
Description: Message signed with OpenPGP using GPGMail
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How to get your first key signed

[Robert J. Hansen]

> Whilst that is partially useful, surely it only vouches for the fact
> that the postings came from the same person and not who that person is -
> and as such is of very limited use.

Yes.  No.  Somewhere in between.

Some years ago a user on PGP-Basics was irate over how I refused to sign
my messages.  My argument was basically the one you were using: that
nobody on the list had verified my identity and that made my signatures
of marginal use.  This fellow insisted, and insisted rudely, so John
Clizbe, John W. Moore, and I all conspired together to make a point: we
created a keypair, shared it amongst us, and all three of us used the
exact same certificate to sign our emails.

It took a few months for anyone to notice.

So sure, yes, without identity verification it's hard to have confidence
in someone's legal identity, absolutely.  But even with identity
verification, most people don't even bother to check to see that the
signing certificate's email address matches the one on the email.
Identity verification is a useful step: it's not a sufficient one by itself.

> purpose - but it is a tad pointless.

Pointless in the sense of *legal* identity.  But there are many
identities other than the legal.

One of my favorite books, _Shibumi_, was written by an author named
Trevanian.  Trevanian was infamously private and withdrawn: there are
only a few interviews with him and they were all conducted via letter or
email.  Trevanian wrote books, had some amazing ideas and insights, and
was even responsible for a great Clint Eastwood movie (_The Eiger
Sanction_).  Trevanian was a real identity, as real as you could hope for.

And then there was Rodney William Whitaker, a professor at a small
American university who never amounted to very much.  Except that,
unbeknownst to the world at large, he was Trevanian.

So let's imagine, for sake of argument, that Trevanian had an OpenPGP
certificate which he used to sign all of his books, plays, and
screenplays, so that people could be confident they were reading an
authentic Trevanian work.  If I just read _The Eiger Sanction_, okay,
fine, that signature has little merit for me.  But then would come
_Shibumi_ and _The Summer of Katya_ and by the time _The Crazyladies of
Pearl Street_ came out I could be confident that if I saw Trevanian's
signature on an ebook, that ebook would be worth my hard-earned money.

Trevanian is an identity every bit as real as Rodney William Whitaker.
Trevanian can amass reputation, engage in interviews and communication,
opine on things, have fans and foes, the whole nine yards.  The only
thing Trevanian can't do is get a driver's license, because Trevanian
isn't a *legal* identity.

> are unless we meet. Keys should only ever be signed in person and if the
> person is not well known to you by sight, with some form of irrefutable
> photo evidence being presented along with the key signature - a
> passport, or something carrying equal weight.

No.  Absolutely not.  This is flat wrong.

You don't get to control what somebody else's signing policy is.  They
get to decide that on their own.  Neither you nor I nor anyone else gets
a vote in it.  We don't get to say what they should or should not do.

I have determined what *my own* signing policy is, and yes, it depends
on face to face meetings and identity documents.  That's because it
makes sense for my needs to do this.  But other people will have
different needs, and I've got no business telling them what their
signing policy should be.  Neither do you.



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Seperate Session Key and Encrypted Data

[Koszta Dániel]

You can use the --show-session-key and --override-session-key option for
gpg.

$ gpg --encrypt <<< "Test Message" > msg
$ gpg --decrypt --show-session-key msg
$ gpg --decrypt --override-session-key 'the_session_key_gpg_gave_you'

Note that you do not need your private key for the last operation.

However, I'm not sure of the security implications of this. From the gpg
manual:

> We think that Key Escrow is a Bad Thing

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Facebook and OpenPGP

[Melvin Carvalho]

On 1 October 2015 at 17:56, Jon Millican  wrote:

> On 26 September 2015 at 03:24, Christian Heinrich <
> christian.heinr...@cmlh.id.au> wrote:
> >
> > So as far as I am aware there is no integration with the Facebook
> > GraphAPI yet :(
>
> Hi, I'm Jon - I work on OpenPGP support at Facebook. I thought you might
> be interested to hear that we now support fetching public keys via the
> Graph API.
>
> Keys can be fetched from someone's profile "public_key" field, e.g. you
> could fetch my public key with the query:
>
>   /1617090031?fields=public_key
>
> If you would like to experiment with this, you can try it out with the
> Graph API Explorer at
> https://developers.facebook.com/tools/explorer/145634995501895/ (you'll
> need to be logged in to use the tool).
>

This is really fantastic!

Just out of curiosity would you consider using public / private key to log
in to facebook too without a password a good thing.

I know facebook would unlikely have a business case to prioritize this as
few would use it.  But Id be curious to know whether developers would
consider it a cool feature ...


>
> Reference: https://developers.facebook.com/docs/graph-api/reference/user
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GnuPG User ID expiry

[Werner Koch]

On Wed, 30 Sep 2015 05:37, d...@fifthhorseman.net said:

> In the subprompt GnuPG provides, use "1" (or "2", etc) to select which
> user ID you want.  then use "expire" to change the expiration for that

Well, you can do that but gpg ignores it.  The expiration date is taken
from the primary user id and the "expire" command only works on that
user id.

For easier debugging I just checked in a feature to show only self
signatures:

  $ ../g10/gpg2 --edit-key 5DE249965B0358A2
  [...]
  gpg> check selfsig
  uid  Werner Koch 
  sig-35DE249965B0358A2 1999-03-15 never   [self-signature]
   [expires: 2005-12-31 17:52:41]
  sig!35DE249965B0358A2 1999-04-19 never   [self-signature]
   [expires: 2005-12-31 17:52:41]
  sig!35DE249965B0358A2 2004-03-21 never   [self-signature]
   [primary]
   [expires: 2009-07-11 18:07:36]
  sig!35DE249965B0358A2 1999-04-19 never   [self-signature]
   [expires: 2005-12-31 17:52:41]
  sig!35DE249965B0358A2 2005-04-10 never   [self-signature]
   [primary]
   [expires: 2009-07-11 18:07:36]
  sig!35DE249965B0358A2 2004-03-21 never   [self-signature]
   [primary]
   [expires: 2009-07-11 18:07:36]
  sig!35DE249965B0358A2 2004-03-21 never   [self-signature]
   [primary]
   [expires: 2009-07-11 18:07:36]
  sig!35DE249965B0358A2 2005-04-10 never   [self-signature]
   [primary]
   [expires: 2009-07-11 18:07:36]
  sig!35DE249965B0358A2 2007-08-05 never   [self-signature]*
   [primary]
   [expires: 2011-07-11 22:00:08]
  1 bad signature

Which shows that the 2007 selfsig is the used one.  The listing also
shows the primary flag and the exiration time from each signature and
thus shows the history of my key (preference and expiration changes).



Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Seperate Session Key and Encrypted Data

[Christian Loehle]

I want to use gpg to encrypt a potentially large file to some
(cloud-like) storage provider, the recipients are not known at the time
of uploading.
What I want to do is to send the encrypted session key of the file to a
recipient, when I 'add' them, without reuploading or even touching the
original file.
This should be possible, does anyone know how to? I'm also open to other
suggestions

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How to get your first key signed

[Robert J. Hansen]

> Names are tremendously fluid instruments.  Charles Martel, the hero of
> France, didn't actually have a last name...

Oh, man -- I completely forgot the great one from modernity.  You can be
elected President under a pseudonym.  Not only that: *it's already
happened*.  President Ulysses Simpson Grant.

His real name was Hiram Ulysses Grant.  That's what's on his birth
certificate.  When he was seventeen he asked Congressman Thomas Hamer to
nominate him for West Point (the American Army's military college).
Hamer got the name wrong and wrote it down as "Ulysses Simpson Grant".
Grant refused to correct Hamer's error, though, as he thought that "U.S.
Grant" was a much better set of initials for a military officer than "HUG".

So if a pseudonym's good enough to get elected President of the United
States... is it a pseudonym at all?  Would you refuse to sign Ulysses S.
Grant's certificate on the grounds that "well, that isn't your *real* name"?

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How to get your first key signed

[jonas hedman]

On 15-10-01 13:05:28, Robert J. Hansen wrote:
> > Whilst that is partially useful, surely it only vouches for the fact
> > that the postings came from the same person and not who that person is -
> > and as such is of very limited use.
> 
> Yes.  No.  Somewhere in between.
> 
> Some years ago a user on PGP-Basics was irate over how I refused to sign
> my messages.  My argument was basically the one you were using: that
> nobody on the list had verified my identity and that made my signatures
> of marginal use.  This fellow insisted, and insisted rudely, so John
> Clizbe, John W. Moore, and I all conspired together to make a point: we
> created a keypair, shared it amongst us, and all three of us used the
> exact same certificate to sign our emails.
> 
> It took a few months for anyone to notice.
> 
> So sure, yes, without identity verification it's hard to have confidence
> in someone's legal identity, absolutely.  But even with identity
> verification, most people don't even bother to check to see that the
> signing certificate's email address matches the one on the email.
> Identity verification is a useful step: it's not a sufficient one by itself.

Doesn't all decent e-mail clients automagically check if a signature is
legit and matches the known public key?


/Jonas


signature.asc
Description: Digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Facebook and OpenPGP

[Kristian Fiskerstrand]

On 10/01/2015 10:35 PM, Melvin Carvalho wrote:


> 
>> Quick question:  I just uploaded my key and the dropdown said 
>> "public" ... does this mean I can get at it without an access 
>> token?  That would be super cool!
> 
> 
> 
> I was actually looking into the same thing myself by trying
> something as simplistic as curl queries for the API :) Another
> thing that strikes me, but granted I haven't done much research, is
> that the key can't be requested by username, only by user id. So if
> anyone were to want to using it as a keyserver / CA of sorts to
> establish identity for a user profile they believe to be genuine,
> they couldn't do so from outside of FB.
> 
> 
>> It works!  I found how:
> 
>> curl  https://www.facebook.com/melvo/publickey/download/
> 

Thats great, thanks! :)

-- 

Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

"Knowing is not enough; we must apply. Willing is not enough; we must do."
(Johann Wolfgang von Goethe)



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How to get your first key signed

[Robert J. Hansen]

(This came just to me, not to the mailing list.  I'm assuming Bob
intended to reply-all and just hit the wrong button.  If I'm in error,
Bob, please forgive me.)

> What would be no use, and possibly harmful, would be to sign that 
> certificate just because you had seen it a couple of times - unless 
> you've met him and certified in person by some means that he is 
> indeed the owner of that pseudonym you cannot ask other people to 
> accept your opinion as to who he is or might be by signing his key.

This depends on what a certification means.

You have a belief that a certification must, _a priori_, be connected to
a legal identity.  This isn't necessarily true.  Imagine there are
thousands, millions, of self-styled prophets who announce tomorrow's
lottery numbers.  They sign each pronouncement.  One particular lottery
prophet has always been right.  Someone then asks you, "So this lottery
prophet, 0xBADD00D5F00DBAD, is he for-real?"

And you could say, "All I know is, the person who uses that certificate
has always been right so far."

And that would be a certification, and that would be a perfectly
appropriate usage of certification.  If other people want to project
onto your certification that the prophet's name is Maurice Micklewhite,
or whatever -- that's their projection and their folly, not yours.  Your
certification was accurate and appropriate.

> Sorry, I don't believe in gods, ghosts or pseudonyms - none of them 
> exist.

Neither does "Bob Henson".  The collection of bits that represent the
glyphs that make up "Bob Henson" has no more connection to you than the
word "gift" does to a ... well, to something.  In German it's poison, in
English it's a present.  Neither one is right or wrong.  What matters is
whether we can use a pseudonym to identify a figure, not whether that
actually happens to be the person's given name.

Look at how many people have read the teachings of Jesus Christ.  Are
his teachings any different just because his name was actually Isho?

Err -- well -- maybe it was Isho.  Probably.  But it was also probably
Yeshua ben Yosef.  Christ grew up speaking Aramaic in conversation and
Hebrew in the temple.  He had two names: in Aramaic he was Isho, in
Hebrew he was Yeshua, and after his death accidents of transliteration
into Greek turned Yeshua into Iesous, which then turned into Latin as
Iesus, and then when Latin invented the J- letter he became Jesus.  Look
at how many names that guy's had over the years, and during his life *no
two groups could agree on his legal name*.

Look at William Shakespeare.  We've got six of his signatures, and they
all have different spellings of his name:

* Willm Shakp
* William Shaksper
* Wm Shakspe
* William Shakspere
* Willm Shakspere
* William Shakespeare

... and these were all recognized as his legal name.  (All six
signatures are on legal documents.)

Names are tremendously fluid instruments.  Charles Martel, the hero of
France, didn't actually have a last name.  "Martel" is an appellation he
picked up on the battlefield: it means "hammer".  Chuck the Hammer was
so named because of how he beat the Moors at the Battle of Poitiers in
732.  Within a few years, the "pseudonym" of Martel became his very real
last name just by dint of how many Frenchmen would look at you funny if
you suggested his name was something *other* than Martel.

If you think pseudonyms don't exist, well--there are two possibilities I
can see.  If you're saying that "all names are really pseudonymous to
one degree or another, so it doesn't make sense to call some names true
names and some other ones fake", then I agree with you.  If you're
saying that "only true names exist and I insist on calling Jesus 'Isho',
Charles Martel 'Charles', William Shakespeare 'Wm Shakspe', and so on,"
then I think you're quite wrong.  :)

I dunno.  If any observant Jews want to argue with me that the
Tetragrammaton is the original true name and that everything else is
pseudonymous, I think that would be a fascinating theological argument
we should have off-list.  :)

> If there is no fairly fixed procedure and standard for signing

There have been a large number of well-meaning, well-intentioned people
who have wanted there to be one--but there isn't one and never has been.

> Why in all the years of use of PGP/GnuPG have the pundits always 
> advocated and laid down rules for key signing parties and face to 
> face meetings?

Nobody has.  They've laid down *guidelines*.  "We think this is a pretty
good procedure to follow, and here's why.  Ultimately, though, it's up
to you."

Last year I was sitting in the audience at a keysigning event emceed by
Samir Nassar.  Samir was absolutely fastidious about how he did things,
but at the same time, he wasn't walking through the aisles of chairs
making sure that everybody was double-checking two forms of government
ID.  How could he?  Crazy to even suggest it.  He did what he could,
accepted there 

Re: Facebook and OpenPGP

[jonas hedman]

On 15-10-01 19:14:49, Melvin Carvalho wrote:
> On 1 October 2015 at 17:56, Jon Millican  wrote:
> 
> > On 26 September 2015 at 03:24, Christian Heinrich <
> > christian.heinr...@cmlh.id.au> wrote:
> > >
> > > So as far as I am aware there is no integration with the Facebook
> > > GraphAPI yet :(
> >
> > Hi, I'm Jon - I work on OpenPGP support at Facebook. I thought you might
> > be interested to hear that we now support fetching public keys via the
> > Graph API.
> >
> > Keys can be fetched from someone's profile "public_key" field, e.g. you
> > could fetch my public key with the query:
> >
> >   /1617090031?fields=public_key
> >
> > If you would like to experiment with this, you can try it out with the
> > Graph API Explorer at
> > https://developers.facebook.com/tools/explorer/145634995501895/ (you'll
> > need to be logged in to use the tool).
> >
> 
> This is really fantastic!
> 
> Just out of curiosity would you consider using public / private key to log
> in to facebook too without a password a good thing.
> 
> I know facebook would unlikely have a business case to prioritize this as
> few would use it.  But Id be curious to know whether developers would
> consider it a cool feature ...


I'm not a big user of facebook myself but this would indeed be a pretty
cool and great feature!

/j


signature.asc
Description: Digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How to get your first key signed

[Robert J. Hansen]

> Doesn't all decent e-mail clients automagically check if a signature is
> legit and matches the known public key?

Probably not "all", but a lot, yes.

The problem comes from you can't force a user to pay attention to a
warning.  Some years ago a friend of mine, Peter Likarish, invented a
browser plugin that would detect phishing sites.  When you hit a
suspected phishing site it would display a big red banner across the top
of the screen.  In controlled usability trials (he was a university
researcher), not a single person noticed the big red banner across the
top of the screen.  In exit interviews those who did notice it said they
assumed it was a banner ad and they just ignored it.

Users have become so accustomed to advertisements trying to attract
their attention that it's actually become difficult for apps to warn
people of real dangers.  This is a real concern in the usability field.
 It's a hard problem.



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Facebook and OpenPGP

[Melvin Carvalho]

On 1 October 2015 at 17:56, Jon Millican  wrote:

> On 26 September 2015 at 03:24, Christian Heinrich <
> christian.heinr...@cmlh.id.au> wrote:
> >
> > So as far as I am aware there is no integration with the Facebook
> > GraphAPI yet :(
>
> Hi, I'm Jon - I work on OpenPGP support at Facebook. I thought you might
> be interested to hear that we now support fetching public keys via the
> Graph API.
>
> Keys can be fetched from someone's profile "public_key" field, e.g. you
> could fetch my public key with the query:
>
>   /1617090031?fields=public_key
>
> If you would like to experiment with this, you can try it out with the
> Graph API Explorer at
> https://developers.facebook.com/tools/explorer/145634995501895/ (you'll
> need to be logged in to use the tool).
>
> Reference: https://developers.facebook.com/docs/graph-api/reference/user
>

Quick question:  I just uploaded my key and the dropdown said "public" ...
does this mean I can get at it without an access token?  That would be
super cool!


>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Facebook and OpenPGP

[Melvin Carvalho]

On 1 October 2015 at 22:30, Kristian Fiskerstrand <
kristian.fiskerstr...@sumptuouscapital.com> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> On 10/01/2015 10:28 PM, Melvin Carvalho wrote:
> >
> >
>
> ...
>
> >
> > Reference:
> > https://developers.facebook.com/docs/graph-api/reference/user
> >
> >
> > Quick question:  I just uploaded my key and the dropdown said
> > "public" ... does this mean I can get at it without an access
> > token?  That would be super cool!
> >
> >
>
> I was actually looking into the same thing myself by trying something
> as simplistic as curl queries for the API :) Another thing that
> strikes me, but granted I haven't done much research, is that the key
> can't be requested by username, only by user id. So if anyone were to
> want to using it as a keyserver / CA of sorts to establish identity
> for a user profile they believe to be genuine, they couldn't do so
> from outside of FB.
>

It works!  I found how:

curl  https://www.facebook.com/melvo/publickey/download/

-BEGIN PGP PUBLIC KEY BLOCK-
Version: GnuPG v1.4.11 (GNU/Linux)

mQENBE3ZoEcBCADXmHWK/QhE82aPiOco5zWzTpRwbbzcerhYMUArsEOohQin18Tr
Ri2v2Rfm0wWPWVl8VHOfgwu/+f9ddAyQasSA7+PhydCo5X3oGph6f9DBtotLTKHk
NK7AfE9DzQSKhuCF0o9ps+l8hE067bdJwnNjnwq/7z1YKf6FZ3s0NkcBEy5EWbla
zDNHBPgMTePg558hrPKCxAHnPn5Xf7vBlakRMuIVxBEZG648Z+0cPRKTSpqFE7vo
qvxuAkcBoVlbhIwf5bX2rJOJHjOePRgdSLOleuhitQCWpAVw3eez+p8UmnL1vH1d
wgCZzSYBXiD389xhG2byx4SZfZk7mJnHr9JfABEBAAG0Kk1lbHZpbiBDYXJ2YWxo
byA8bWVsdmluY2FydmFsaG9AZ21haWwuY29tPokBOAQTAQIAIgUCTdmgRwIbAwYL
CQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQEU73vJRgRYPfBwf+O2uf1fKenDQh
qnrlMGC2n2XU/JRX5dhiRtKYkoYi8dFELMFJg/ng2FOc7DalQw/PGIaXIiuxg23r
K3Eq6hCzx+cYiSTKjnqD/QkhYAfjdD8PsIatGwu+/OF53NXA6hjveOHyo5c/Lq51
Jh7cZRd5AJko8Kk3toCqZKJhfbZ9+e49HsIj0i0qrtyD/7hR9UYl2wEJQ91H6fZg
7DvfrlA9aywAx6cvo0p9BBvX4hLMd9dPfL35UjVq4xJUBsgpf9By70Yw6SRgPGyz
9vyM6Ka0lXm65BvIsalgvhkR72E5Zi7M+lfO0HgZa2DgeObEi7yx2NfwGrJkIYyD
33Xw5xh017kBDQRN2aBHAQgArxEdGGZCNPAPjLf0bdi6rILv2seRiggU6f7SC8+G
hAFjPnBAUV+ccC/1NIUr10HHOWDKWLqdBqLk7rJoDdjFGeoS18auISgk+h3kTsSY
dMi/o3TmHFmVPX6dMjSL2rac7GrNKL70Dg8gZ3ku7VmaueoG+H592sYxc32cr+MM
MFRFP5sai2hClug4qCgnt2pFtcvmlT2yk5YXNpgnjXHjUcEzn6FwonKcjISezTE8
I1RYltFef/7R40rF/h+6JQSO2eOdMtlKv3cfdxd08CpynMjtN3YTGW709hwW3/J/
lGenSTDF8OLEIhvm4sELUCpCaL6WTf7xdQNWkShPgX2HOwARAQABiQEfBBgBAgAJ
BQJN2aBHAhsMAAoJEBFO97yUYEWD2E0H/idszAlTu5WhjSjYZL79qNwWuA0qjJtf
4Bm5BOYEItGAhNt8vpweGw+KRvn3+KdfvYXe49fShY3TFvgTjloR6yKY1SKvYbUu
TojGAI798vh68dLoBJGWHfh0fmcSYE0O6SaBiBWRHnszBfsOTSiF3FKE3NxKsC6u
zXYBuT8sgFn8RLILRiWeBZZXkzq4CYjNNnuxWqv9tW0NkRvjwQUR32L3o7sEYHiE
UDi6nCOUeG3rXfpzITHB+TvIGCG7ZPjkyfqRGxb9c6Je3pm76UtGOkLCYJwoeD38
aWWdvQyNlhT4sq5U9KDZifaQ0gVsW+PKuU8TCXECJ0SJVPaKAwauhfw=
=QoVU
-END PGP PUBLIC KEY BLOCK-

curl -I  https://www.facebook.com/melvo/publickey/download/
HTTP/1.1 200 OK
Content-Disposition: attachment; filename="melvo.asc"
X-Content-Type-Options: nosniff
Content-Type: application/pgp-keys


First class work!



>
> - --
> - 
> Kristian Fiskerstrand
> Blog: http://blog.sumptuouscapital.com
> Twitter: @krifisk
> - 
> Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
> fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
> - 
> Aut disce aut discede
> Either learn or leave
> -BEGIN PGP SIGNATURE-
>
> iQEcBAEBCgAGBQJWDZf9AAoJECULev7WN52FFpsH/jbC5TZCvJxQSZVmNt6ENQal
> k0GWRjzQ5wuwju3QxKr8fCSSK6HV6jzn9Jd3WGY6BmxaIlQPJPz1YmP/IbDp+lsk
> WR6LQUDp5boje6vFprK6nM87wQU6qEPpw56rDJN6IBhYRHCQYbM7IPOYYXltLTa5
> OuuP4KxBhWVJz3Yytq8u1ZHY+RTuO0S3Oy/jz6lFQ9/OFOUvovub9FkFqTwHtOyy
> ndkEb26g8e2A1yt13c0Eu8gufWeG3H+AkZiN6+yb34XOFcemrP3SpWkNWLUKeiqj
> OoKRfJMR4XKEdUaJmdP0ZjuN2HBc9xsnYoln561wM+qwJsmPZFvUZH4G5H+vbUc=
> =yw8Q
> -END PGP SIGNATURE-
>
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Facebook and OpenPGP

[Kristian Fiskerstrand]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 10/01/2015 10:28 PM, Melvin Carvalho wrote:
> 
> 

...

> 
> Reference:
> https://developers.facebook.com/docs/graph-api/reference/user
> 
> 
> Quick question:  I just uploaded my key and the dropdown said
> "public" ... does this mean I can get at it without an access
> token?  That would be super cool!
> 
> 

I was actually looking into the same thing myself by trying something
as simplistic as curl queries for the API :) Another thing that
strikes me, but granted I haven't done much research, is that the key
can't be requested by username, only by user id. So if anyone were to
want to using it as a keyserver / CA of sorts to establish identity
for a user profile they believe to be genuine, they couldn't do so
from outside of FB.

- -- 
- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- 
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- 
Aut disce aut discede
Either learn or leave
-BEGIN PGP SIGNATURE-

iQEcBAEBCgAGBQJWDZf9AAoJECULev7WN52FFpsH/jbC5TZCvJxQSZVmNt6ENQal
k0GWRjzQ5wuwju3QxKr8fCSSK6HV6jzn9Jd3WGY6BmxaIlQPJPz1YmP/IbDp+lsk
WR6LQUDp5boje6vFprK6nM87wQU6qEPpw56rDJN6IBhYRHCQYbM7IPOYYXltLTa5
OuuP4KxBhWVJz3Yytq8u1ZHY+RTuO0S3Oy/jz6lFQ9/OFOUvovub9FkFqTwHtOyy
ndkEb26g8e2A1yt13c0Eu8gufWeG3H+AkZiN6+yb34XOFcemrP3SpWkNWLUKeiqj
OoKRfJMR4XKEdUaJmdP0ZjuN2HBc9xsnYoln561wM+qwJsmPZFvUZH4G5H+vbUc=
=yw8Q
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How to get your first key signed

[Christopher Beck]

On 09/30/15 19:17, David Niklas wrote:
> Hello,
> I create for myself a gpg key and want to get it signed, however I've
> sent out half a dozen requests and so far I've gotten only negative
> responses to the effect that I must know so-and-so and we must met in
> person (considering that the person responds at all).
> Now, I'm a student (think penny less), and live in a rural area 100mi
> from the nearest LUG and people out here are _very_ computer illiterate
> to the point where educated people think that turning a computer off
> will damage it, or that the computer loses power (1GHz becomes .2GHZ),
> as it grows older. So no one has a key, at all. And they would not want
> to help create a web of trust even if I asked and explained it to them.
> They just don't believe in security around here (Oh, that would never
> happen to me! There are laws against that! You are a security freak.)
>
> I want to develop FOSS and feel obligated to get a key to protect uses
> of the software I'm modifying from MITM attacks.
>
> Thanks, David
>
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
Hi David,

I know that problem. But I did the following: I used "The Harvester" [1]
and did a search on the domain of my university on public key servers
and found out many people here, who use GPG. I just started e-mailing
some of them and met them to cross sign the keys. So my suggestion is,
look up the mail-addresses of a university when you are (for some
reasons) in that city. Okay, this requires you to travel, but you can
try that if you are in some other city for some reason.

I am active member of a local association and there are some people
using GPG, too. So to make it more comfortable to others, we created an
extra key, stored it on a smart-card and use this key to sing our keys.
This is uploaded on out website and people who trust out SSL-CA
(cacert.org) could think of trusting this key in addition to it's own
WoT. We also put up our finger-prints to the contact fields of our
members (from those, who have GPG).

Additionally, you could add your GPG-finger-print to every presentation
you'll hold at university. This might also help.


[1]: https://code.google.com/p/theharvester/
[2]:

-- 
I use GnuPG (GPG) for E-Mail encryption and signing. If you want some privacy, 
my public key ID is 2F9D4F14. The file "singature.asc" this message includes 
contains a cryptographic signature which enables you to verify this E-Mail 
really was written by me.

Christopher Beck, DL1CHB

Gerhart-Hauptmann-Str. 1
91058 Erlangen
Tel.: 09131 / 9245437
Fax.: 09131 / 8148708
Jabber: bec...@jabber.org



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Local PAM authentication with OpenPGP Card (was Re: PAM authentication with gpg or ssh key)

[NIIBE Yutaka]

On 09/30/2015 07:54 PM, Peter Lebbing wrote:
> So that's my scenario. I'm just expressing my idea of what would be
> cool. If you decide to work on authentication with OpenPGP cards, this
> is an idea for one way of using it.

Thank you for explanation.  I could imagine the use case for
OpenPGPcard authentication for local sudo (or remote sudo).  I guess
that this can be done by pam module for SSH authentication by
ssh-agent.  If really needed, we could write new pam module doing
similar by connecting gpg-agent (instead of socket for ssh).

Although I have a bit of experience with Poldi, frankly speaking, I
don't quite understand the need for local login authentication with
OpenPGPcard.  For me, if I do some access control for my own PC, it
would be better to consider removing keyboard from a PC, or securing
access to the room where I have a PC.

Anyway, I do understand now, there are some needs for local login
authentication with OpenPGPcard.

Thank you, again.
-- 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Facebook and OpenPGP

[Christian Heinrich]

Jon,

On Fri, Oct 2, 2015 at 1:56 AM, Jon Millican  wrote:
> On 26 September 2015 at 03:24, Christian Heinrich
>  wrote:
> Keys can be fetched from someone's profile "public_key" field, e.g. you
> could fetch my public key with the query:
>
>   /1617090031?fields=public_key

How will this be integrated with
https://developers.facebook.com/docs/apps/upgrading#upgrading_v2_0_user_ids
or should the username be subsitituted instead e.g.
https://www.facebook.com/cmlh.id.au/publickey/download ?

Is lookup by e-mail address, similar to
https://sks-keyservers.net/pks/lookup?op=vindex=christian.heinrich%40cmlh.id.au,
on your roadmap too?


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Local PAM authentication with OpenPGP Card (was Re: PAM authentication with gpg or ssh key)

[Peter Lebbing]

On 01/10/15 08:06, NIIBE Yutaka wrote:
> Although I have a bit of experience with Poldi, frankly speaking, I
> don't quite understand the need for local login authentication with
> OpenPGPcard.  For me, if I do some access control for my own PC, it
> would be better to consider removing keyboard from a PC, or securing
> access to the room where I have a PC.

For me, it's about getting rid of the root password altogether.
Authentication as root can only be done with an OpenPGP Card and its PIN.

Or by booting the system into single user mode ;). Your comment
regarding securing the room is very true: once someone has unfettered
access to the machine, it's near impossible to secure. This is not a
threat model I consider. Once they have physical access to the machine,
I give up.

I'm primarily (though not exclusively) talking about machines that
normally run headless. But sometimes you can't use SSH with an OpenPGP
card to solve a problem, for instance if it's the network that is not
working. So you really need to connect a monitor to the system and do a
local login.

Thank you for your response and giving it thought!

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: AW: Seperate Session Key and Encrypted Data

[Daniel Kahn Gillmor]

On Thu 2015-10-01 07:52:51 -0700, Christian Loehle wrote:
> That's what I would do if I had no other choice. The real downside is
> that it doesn't follow a standard(like openpgp) and I will have to write
> more code on the client side, compared to a standard openpgp solution.
> It just seems like there is no reason why separating the session key and
> the data wouldn't be supported, but I couldn't find anything about it.

The OpenPGP standard leaves this sort of approach open.  GnuPG
facilitates some part of it, but not everything.

First, take a look at --show-session-key and --override-session-key --
this makes it possible to extract a session key from an existing PKESK
or SKESK packet, and to use a known session key to decrypt a packet.

You should be able to use the gpgsplit tool to take a stream of packets
and split it into individual files.  You can use /bin/cat to collect a
set of individual files and reassemble them into an OpenPGP packet
stream.

So the only functionality GnuPG is missing to assemble the workflow
you're describing would be a new GnuPG command named something like
--generate-pkesk-with-session-key.  If that command was available, the
full workflow described by the original poster would be something you
could probably cobble together with a couple shell scripts.

Note: this is *not* something i'd want people to do as part of the
normal user interface of GnuPG.  This is a feature that would be useful
for GnuPG as an OpenPGP programming toolkit.  The fact that GnuPG is
widely used as both a user-facing tool and as a programming toolkit is
one of the things that makes it less convenient for both use cases :(

  --dkg

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How to get your first key signed

[Guan Xin]

On Thu, Oct 1, 2015 at 7:05 PM, Robert J. Hansen  wrote:
>
> Some years ago a user on PGP-Basics was irate over how I refused to sign
> my messages.  My argument was basically the one you were using: that
> nobody on the list had verified my identity and that made my signatures
> of marginal use.  This fellow insisted, and insisted rudely, so John
> Clizbe, John W. Moore, and I all conspired together to make a point: we
> created a keypair, shared it amongst us, and all three of us used the
> exact same certificate to sign our emails.
>
> It took a few months for anyone to notice.

So you three will share the same reputation on the mailing list.
If at least one of you commit crimes with your signed messages,
you will share the same legal liability unless proved not guilty
by other means, e.g. your private key was stolen or was derived
from your public key by the others, and etc..

I don't think that's a problem because it doesn't cause any confusion
neither online nor offline.


> So sure, yes, without identity verification it's hard to have confidence
> in someone's legal identity, absolutely.  But even with identity
> verification, most people don't even bother to check to see that the
> signing certificate's email address matches the one on the email.

It's sad to hear that anyone takes it seriously to check that
a certificate's email address matches the originating mail address.
This really messes things up in the sense that it causes
additional inconvenience with little benefit.

I sign my files with exactly the same key no matter if they were sent
from my private email, business email, with IM tools, via http or fax.
In the last three cases there is no originating email address to check.

Of course I can use different keys, but what's the point?
More keys, more smart cards, more easily lost or forgotten,
more difficult to recognize by eye from their fingerprints ...

Guan

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users