[Linux/OS X] Identiv SCR3500 A working with OpenPGP Smartcards 2.1?

2016-09-12 Thread Scott R. Santos
Hello everyone,

I was interested in hearing from anyone who might be using OpenPGP v2.1 
Smartcards with the Identiv SCR3500 A "SmartFold" USB Reader. A spec sheet on 
this reader can be found here:

http://files.identiv.com/products/smart-card-readers/contact/scr3500/SCR3500_A_DS.pdf

Specifically, has this reader been successfully used to read and write to 
OpenPGP v2.1 Smartcards under current distros/versions of Linux and/or Apple OS 
X using recent versions of gnupg?

The reader is natively recognized by the kernel on an up-to-date ArchLinux 
system with lsusb as:

Bus 001 Device 007: ID 04e6:5410 SCM Microsystems, Inc. SCR35xx Smart Card 
Reader
 
as well as Apple OS X (at least from reports on sites selling it), suggesting 
some level of support.

Any info would be greatly appreciated and thank you in advance,

halocaridina



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Javascript and smartcard

2016-09-12 Thread Daniel Kahn Gillmor
On Mon 2016-09-12 06:04:19 +0200, Le Roy Francis wrote:
> Hi, I was wondering if by any chances, there is, in addition to the
> Javascript port of gpgme (OpenPGP.js), a Node.js module to interact
> with smart card?

You might consider writing a patch or extension to OpenPGP.js that knows
how to talk to gpg-agent for use of secret keys.  That way gpg-agent
could delegate the work to the smartcard via scdaemon, and OpenPGP.js
wouldn't need to know anything about the secret key material.

 --dkg




Re: Why would I want S/MIME?

2016-09-12 Thread Aaron Toponce
On Mon, Sep 12, 2016 at 01:31:38PM -0500, Anthony Papillion wrote:
> I understand what S/MIME is and that it's probably the easiest crypto
> solution for most email users. But why would someone comfortable with
> GnuPG use it? Does it offer any advantages over traditional PGP keys? If
> I understand correctly, it's a certificate much like an SSL
> certificate. If that's the case, doesn't it suffer from the same
> weaknesses that SSL certs currently suffer from (like double issuance, etc)?
> 
> Why would I want to use S/MIME?

Are you comparing S/MIME to PGP/MIME and PGP/Inline? I assume so, with your
question regarding GnuPG. As such, S/MIME provides some advantages over
PGP/MIME, IMO:

* S/MIME ships the entire public key as part of the email.
* S/MIME certificates are usually created and managed by the organization.
* There is widespread MUA support for S/MIME (e.g. Outlook).

PGP/MIME and PGP/Inline generally mean getting the public key separately.
Because PGP and OpenPGP are decentralized, trust is manual (versus CAs with SSL
certificates in S/MIME). There is not widespread support for OpenPGP public
keys in MUAs, such as Outlook and most web-based MUAs. OpenPGP keys must be
managed independently, and this has shown to be more work than most people are
willing to put in.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




RE: Why would I want S/MIME?

2016-09-12 Thread Robert J. Hansen
> Assuming everyone is willing and comfortable with using GnuPG, is there any
> compelling reason (aside from easy setup and use) to use S/MIME?

Regulatory compliance.  For instance, if you were in the banking industry you'd 
be using S/MIME even if everyone preferred GnuPG -- S/MIME is part of several 
important banking standards, whereas GnuPG isn't.

That's the only compelling reason I can think of.





Re: What happened to this signature?

2016-09-12 Thread Daniel Kahn Gillmor
On Sun 2016-09-11 23:50:15 +0200, Ingo Klöcker wrote:
> On Sunday 11 September 2016 21:17:31 Moritz Klammler wrote:
>> Today, I've posted a signed message (OpenPGP MIME) to a public
>> mailing list I'm subscribed to.  When it was delivered back to me,
>> the signature was broken.  I investigated the case and found out that
>> some silly MTA had un-escaped a minus-character in the message body
>> (quoted-printable) and added a blank line at the top.  This is
>> annoying but is adequately explained by stupidity so it didn't alarm
>> me.  Similar things have happened to me many times in the past.  What
>> *did* alarm me is that a further investigation revealed that the
>> signature itself was changed, too.
>
> A possible explanation which does not involve any conspiracies would be 
> that Gnus, for whatever reason, signs the copy of the message that is 
> stored in the sent folder (which, I assume, is where you've got the 
> "original, good, signature" from) separately from the copy of the 
> message that it sends.

Indeed, i believe it does.  I use notmuch-emacs, which also uses
mml-mode for composition; and that setup used to be the default
configuration before i switched over to using a native notmuch fcc
approach (see the notmuch mailing list thread starting at Message-Id:
<1465599772-10297-1-git-send-email-markwalters1...@gmail.com> for a good
example of using notmuch-specific fcc, which removes the risk of
double-signing).

--dkg




Re: Why would I want S/MIME?

2016-09-12 Thread Anthony Papillion
On 9/12/2016 2:10 PM, Robert J. Hansen wrote:
>> I understand what S/MIME is and that it's probably the easiest crypto
>> solution for most email users. But why would someone comfortable with
>> GnuPG use it?
> 
> There's a subtle point here.  The question isn't whether you're comfortable 
> with GnuPG; the question is whether the people you want to send email to are 
> comfortable with GnuPG.
>  
> I use S/MIME literally daily at work.  My co-workers like S/MIME because it's 
> close to an "it just works" solution.  Few of my co-workers have been willing 
> to learn GnuPG.

Your points are solid. I think that I might not have asked the right
question. Let me rephrase:

Assuming everyone is willing and comfortable with using GnuPG, is there
any compelling reason (aside from easy setup and use) to use S/MIME?






RE: Why would I want S/MIME?

2016-09-12 Thread Robert J. Hansen
> I understand what S/MIME is and that it's probably the easiest crypto
> solution for most email users. But why would someone comfortable with
> GnuPG use it?

There's a subtle point here.  The question isn't whether you're comfortable 
with GnuPG; the question is whether the people you want to send email to are 
comfortable with GnuPG.
 
I use S/MIME literally daily at work.  My co-workers like S/MIME because it's 
close to an "it just works" solution.  Few of my co-workers have been willing 
to learn GnuPG.





Why would I want S/MIME?

2016-09-12 Thread Anthony Papillion
I understand what S/MIME is and that it's probably the easiest crypto
solution for most email users. But why would someone comfortable with
GnuPG use it? Does it offer any advantages over traditional PGP keys? If
I understand correctly, it's a certificate much like an SSL
certificate. If that's the case, doesn't it suffer from the same
weaknesses that SSL certs currently suffer from (like double issuance, etc)?

Why would I want to use S/MIME?

Thanks,
Anthony

-- 
OpenPGP Key:4096R/0x028ADF7453B04B15
Keybase:https://keybase.io/cajuntechie
Other Key Info: http://www.cajuntechie.org/p/my-pgp-key.html
XMPP/Jabber:cajunt...@dukgo.com
VoIP/SIP:   1259...@localphone.com







Re: gpg-agent only works when started in terminal

2016-09-12 Thread Antony Prince
On 09/11/2016 08:52 PM, Daniel Kahn Gillmor wrote:
> this command should not cause the pinentry to appear; what command are
> you running that actually causes pinentry to appear?  what operating
> system are you running?  are the gnupg packages supplied by the OS or
> have you built them by hand?

The command to cause pinentry to appear:
gpg2 -o enc.txt -d enc.gpg

enc.gpg is a text file encrypted to my key for testing purposes.

antony@050415:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:Ubuntu 14.04.5 LTS
Release:14.04
Codename:   trusty

gpg2 binary was compiled by hand.

> what does the output of the following command show?
> 
>gpg --list-secret-keys 0E98CD22ADB13E99
> 
> how about:
> 
>gpg --version

antony@050415:~$ gpg --list-secret-keys 0E98CD22ADB13E99
sec   4096R/301B1B19 2015-05-06 [expires: 2017-05-05]
uid  Antony Prince 
uid  Antony Prince 
uid  Antony Prince 
uid  Antony Prince 
ssb   4096R/ADB13E99 2015-05-06 [expires: 2017-05-05]

NOTE: uids have been altered here. They show correctly in the actual output.

antony@050415:~$ gpg --version
gpg (GnuPG) 1.4.16
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later

This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

> What do you have pinentry-program set to in gpg-agent.conf?

antony@050415:~$ cat ~/.gnupg/gpg-agent.conf
pinentry-program /etc/alternatives/pinentry

antony@050415:~$ /etc/alternatives/pinentry
OK Your orders please

> If it turns out that gpg is version 1.4, and has access to the secret
> key, but 2.1.15 does not, then you can try importing your secret keyring

antony@050415:~$ gpg2 --list-secret-keys 0E98CD22ADB13E99
sec   rsa4096 2015-05-06 [SC] [expires: 2017-05-05]
  591FF17F7A4AA8D0F659C482AF3D4087301B1B19
uid   [ultimate] Antony Prince 
uid   [ultimate] Antony Prince 
uid   [ultimate] Antony Prince 
uid   [ultimate] Antony Prince 
ssb   rsa4096 2015-05-06 [E] [expires: 2017-05-05]


-- 

Antony Prince

Key ID: 0xAF3D4087301B1B19
Fingerprint: 591F F17F 7A4A A8D0 F659  C482 AF3D 4087 301B 1B19
URL:
http://pool.sks-keyservers.net/pks/lookup?op=get=0xAF3D4087301B1B19





Re: gpg-agent only works when started in terminal

2016-09-12 Thread Antony Prince
On 09/09/2016 05:55 AM, Stephan Beck wrote:
> AFAIK, this means that the agent is not started when you "invoke gpg2
> normally" (directly from the command line?), so the environment may be
> incorrectly set. Or is there more than one agent instance running?

When gpg2 is called, the agent appears to start normally.

antony@050415:~$ sudo ps -aux | grep gpg-agent | grep -v grep

antony1717  0.0  0.0 174064   808 ?Ss   13:33   0:00
/usr/local/bin/gpg-agent

> What does a
> gpg-agent --daemon --write-env-file
> output in terms of GPG-AGENT_INFO?
> Is the correct socket being used?

antony@050415:~$ gpg-agent --daemon --write-env-file
gpg-agent[3176]: WARNING: "--write-env-file" is an obsolete option - it
has no effect
gpg-agent[3177]: gpg-agent (GnuPG) 2.1.15 started

antony@050415:~$ echo $GPG_AGENT_INFO
/run/user/1000/keyring-Hs60Gh/gpg:0:1

> And you symlinked /usr/bin/pinentry and the pinentry you might actually use?

antony@050415:~$ ls -la /usr/bin/pinentry
lrwxrwxrwx 1 root root 26 Sep 12 13:51 /usr/bin/pinentry ->
/etc/alternatives/pinentry
antony@050415:~$ ls -la /usr/local/bin/pinentry
lrwxrwxrwx 1 root root 26 Sep 12 13:51 /usr/local/bin/pinentry ->
/etc/alternatives/pinentry
antony@050415:~$ /etc/alternatives/pinentry
OK Your orders please

-- 

Antony Prince

Key ID: 0xAF3D4087301B1B19
Fingerprint: 591F F17F 7A4A A8D0 F659  C482 AF3D 4087 301B 1B19
URL:
http://pool.sks-keyservers.net/pks/lookup?op=get=0xAF3D4087301B1B19





Re: What happened to this signature?

2016-09-12 Thread Moritz Klammler

>> Today, I've posted a signed message (OpenPGP MIME) to a public
>> mailing list I'm subscribed to.  When it was delivered back to me,
>> the signature was broken.  I investigated the case and found out that
>> some silly MTA had un-escaped a minus-character in the message body
>> (quoted-printable) and added a blank line at the top.  This is
>> annoying but is adequately explained by stupidity so it didn't alarm
>> me.  Similar things have happened to me many times in the past.  What
>> *did* alarm me is that a further investigation revealed that the
>> signature itself was changed, too.
>
> A possible explanation which does not involve any conspiracies would
> be that Gnus, for whatever reason, signs the copy of the message that
> is stored in the sent folder (which, I assume, is where you've got the
> "original, good, signature" from) separately from the copy of the
> message that it sends.

Thank you, I think you are right.  The "bad" signature happens to be a
valid signature of the (this time really) good message, too.  Isn't it
nice to learn new things about your MUA every day?  Quite embarrassing
though, that I didn't realize this behavior earlier.

I would still be interested to understand the meaning of the "begin of
digest" packet in a signature.  Apparently, it is not the two leftmost
bytes of the signed hash.  But what else is it then?


Moritz
-- 
OpenPGP:

Public Key:   http://openpgp.klammler.eu
Fingerprint:  2732 DA32 C8D0 EEEC A081  BE9D CF6C 5166 F393 A9C0


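An added example (mine, not from the thread) of what that two-byte field is: per RFC 4880 section 5.2.3 it holds the left 16 bits of the hash that was signed, but for a v4 signature that hash covers the message plus the signature packet's own hashed fields and a six-octet trailer, so it is not the prefix of a plain hash of the message. The packet body, key ID and signature MPI below are constructed placeholders; no real signing is performed.

```python
import hashlib
import struct

# Constructed sample input (not from the thread): the signed message bytes.
DATA = b"Hello, gnupg-users!\n"

# OpenPGP hash algorithm IDs -> hashlib constructors (subset).
HASH_ALGS = {2: hashlib.sha1, 8: hashlib.sha256, 10: hashlib.sha512}


def build_v4_sig_body(data, creation_time, issuer_keyid, sig_mpi):
    """Assemble a v4 signature packet body (RFC 4880 5.2.3) with a correct
    'left 16 bits of the signed hash' field.  sig_mpi is a placeholder; no
    public-key signing happens here, only the hash bookkeeping."""
    hashed_subpkts = bytes([5, 2]) + struct.pack(">I", creation_time)  # creation time
    # version 4, sig type 0x00 (binary document), RSA (1), SHA-256 (8)
    hashed = bytes([4, 0x00, 1, 8]) + struct.pack(">H", len(hashed_subpkts)) + hashed_subpkts
    unhashed_subpkts = bytes([9, 16]) + issuer_keyid                   # issuer key ID
    trailer = b"\x04\xff" + struct.pack(">I", len(hashed))            # v4 trailer
    digest = hashlib.sha256(data + hashed + trailer).digest()
    return (hashed + struct.pack(">H", len(unhashed_subpkts)) + unhashed_subpkts
            + digest[:2] + sig_mpi)


def parse_v4_sig_body(body):
    """Split a v4 signature packet body into the parts relevant to the hash."""
    if body[0] != 4:
        raise ValueError("only v4 signature packets are handled here")
    hashed_end = 6 + struct.unpack(">H", body[4:6])[0]
    unhashed_len = struct.unpack(">H", body[hashed_end:hashed_end + 2])[0]
    pos = hashed_end + 2 + unhashed_len
    return {
        "sig_type": body[1], "pk_alg": body[2], "hash_alg": body[3],
        "hashed_portion": body[:hashed_end],   # everything the signature covers
        "left16": body[pos:pos + 2],           # the 'begin of digest' field
        "mpi": body[pos + 2:],                 # the actual signature value
    }


def signed_digest(body, data):
    """Recompute the hash the signature was made over: the message, then the
    packet's hashed portion, then the trailer 0x04 0xFF <4-byte length>."""
    sig = parse_v4_sig_body(body)
    hashed = sig["hashed_portion"]
    trailer = b"\x04\xff" + struct.pack(">I", len(hashed))
    return HASH_ALGS[sig["hash_alg"]](data + hashed + trailer).digest()


def left16_matches(body, data):
    """The cheap comparison a verifier can do before the public-key operation."""
    return parse_v4_sig_body(body)["left16"] == signed_digest(body, data)[:2]


# Constructed packet body; the key ID and MPI are placeholder values.
SIG = build_v4_sig_body(DATA, 1473638400, bytes.fromhex("0123456789abcdef"), b"\x00\x08\xaa")

if __name__ == "__main__":
    print("left16 in packet      :", parse_v4_sig_body(SIG)["left16"].hex())
    print("sha256(message)[:2]   :", hashlib.sha256(DATA).digest()[:2].hex())  # not the same thing
    print("matches / tampered    :", left16_matches(SIG, DATA), left16_matches(SIG, DATA + b"!"))
```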


Re: Local-signing without (offline) private master key

2016-09-12 Thread Nathan Musoke
> Now I want to import someone else's key to verify a signature. In order
> to verify that signature, I need to at least locally sign the owner's
> key, AFAIK. However, I would need my offline master key (read: really
> inconvenient) to issue a signature.

I'm no expert, but as far as I know you don't need to locally sign a key to
verify a signature. My understanding is that setting the local trust should
be sufficient to make GnuPG happy. See
https://www.gnupg.org/gph/en/manual/x334.html

(Someone please correct me if I'm wrong...)



Re: Local-signing without (offline) private master key

2016-09-12 Thread Kristian Fiskerstrand
On 09/12/2016 01:08 PM, Nathan Musoke wrote:
>> Now I want to import someone else's key to verify a signature. In order
>> to verify that signature, I need to at least locally sign the owner's
>> key, AFAIK. However, I would need my offline master key (read: really
>> inconvenient) to issue a signature.
> 
> I'm no expert, but as far as I know you don't need to locally sign a key to
> verify a signature. My understanding is that setting the local trust should
> be sufficient to make GnuPG happy. See
> https://www.gnupg.org/gph/en/manual/x334.html
> 
> (Someone please correct me if I'm wrong...)

This is wrong, trust and validity are distinct and separate concepts.
You use a local signature to assign an ephemeral validity, trust would
be a matter of whether you believe/trust in the other party's ability to
certify third parties (and with the exception of ultimate trust, that
you should only use on keys you control yourself already requires the
key to be validated).

-- 

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP certificate at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Ab esse ad posse
From being to knowing





Re: Local-signing without (offline) private master key

2016-09-12 Thread Damien Goutte-Gattat
On 09/12/2016 11:04 AM, André Colomb wrote:
> Maybe the upcoming TOFU trust model would help my usage pattern?

I think so. Marking the binding between your correspondent's key and its 
email address with a "good" TOFU policy (something that does not require 
your private primary key) would be equivalent to locally signing the 
key: it's a private statement (only available to yourself) that you 
regard that key as valid, i.e. as belonging to the User ID it carries.

This does not prevent you from continuing to use the Web-of-Trust if 
you're so inclined, as the "tofu+pgp" model allows you to use both TOFU 
assertions and WoT certifications to validate a key.

If you're already using GnuPG >= 2.1.10 (with support for the TOFU 
model), I would argue this is your best option.

Regards,

Damien





Re: Local-signing without (offline) private master key

2016-09-12 Thread Kristian Fiskerstrand
On 09/12/2016 11:04 AM, André Colomb wrote:
> What is the recommended practice if I only want to verify message
> integrity, but don't have the master key with Certify ability available?

I'd suggest creating another primary key for explicit local
certification purposes you never use anywhere else, and can rotate that
as often as wanted to start fresh from time to time.

-- 

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP certificate at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Veni vidi velcro
I came, I saw, I got stuck





Local-signing without (offline) private master key

2016-09-12 Thread André Colomb
Hi all,

this is my first post to GnuPG-users, please be gentle :-)

My OpenPGP setup currently includes an offline master key (see attached
public key) with three subkeys on a Yubikey USB "smartcard". Amongst
them is a signing subkey with "usage: S" flag, but only the master key
has the Certify capability (usage: SC).

Now I want to import someone else's key to verify a signature. In order
to verify that signature, I need to at least locally sign the owner's
key, AFAIK. However, I would need my offline master key (read: really
inconvenient) to issue a signature.

What is the recommended practice if I only want to verify message
integrity, but don't have the master key with Certify ability available?

One solution that comes to mind would be to add a new certification
subkey that I keep on my machine instead of the smartcard, and only use
it for local signatures. Would that make sense or what complications
should I expect?

Building a Web of Trust with an offline master key seems rather
difficult, even just to verify incoming emails. Maybe the upcoming TOFU
trust model would help my usage pattern?

Thanks for any pointers or explanation.

Kind regards,
André
-- 
Greetings...
From: André Colomb 


