Re: gnupg website

2017-01-29 Thread Glenn Rempe

Werner,

Is there a plan to take action on this TLS issue that Julien and I have
written about? I believe all Safari and iOS users are excluded from
gnupg.org without action on the TLS setup.

Cheers

On 1/26/17 11:15 AM, Julien Vehent wrote:
> Hello,
> 
> I'm the maintainer of the Server Side TLS guidelines at Mozilla.
> I'm happy to help with the HTTPS setup of gnupg.org in any way I
> can.
> 
> Here's the configuration currently measured by the TLS
> Observatory, along with some recommendations to reach Modern
> level.
> 
> --- Ciphers Evaluation ---
> prio cipher              protocols              pfs          curves
> 1    DHE-RSA-AES128-SHA  TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
> 2    DHE-RSA-AES256-SHA  TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
> 3    DES-CBC3-SHA        TLSv1,TLSv1.1,TLSv1.2  None
> OCSP Stapling         false
> Server Side Ordering  true
> Curves Fallback       false
> 
> --- Analyzers ---
> * Mozilla evaluation: intermediate
>   - for modern level: remove ciphersuites DHE-RSA-AES128-SHA,
>     DHE-RSA-AES256-SHA, DES-CBC3-SHA
>   - for modern level: consider adding ciphers
>     ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384,
>     ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305,
>     ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256,
>     ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA384,
>     ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES128-SHA256
>   - for modern level: remove protocols TLSv1, TLSv1.1
>   - for modern level: consider enabling OCSP stapling
>   - for modern level: enable Perfect Forward Secrecy with a curve
>     of at least 256bits, don't use DHE
>   - for modern level: use a certificate of type ecdsa, not RSA
> 
> Hope this helps, Julien
> 
> On Thu 26.Jan'17 at 10:48:28 -0800, Glenn Rempe wrote:
>> Werner, you (or anyone setting up a web server themselves
>> really) might also find this config generator from Mozilla
>> helpful as a shortcut in creating what is considered a modern web
>> server config for TLS.
>> 
>> https://mozilla.github.io/server-side-tls/ssl-config-generator/
>> 
>> https://wiki.mozilla.org/Security/Server_Side_TLS
>> 
>> This config may not apply to gnupg.org directly since it's not
>> clear what web server you are running. In any case it will tell
>> you which suites you are recommended to support for modern(ish)
>> browsers.
>> 
>> I would also note that there is room for improvement regarding
>> the security headers that gnupg.org sends with its content.
>> 
>> https://securityheaders.io/?q=gnupg.org=on
>> 
>> You are using HSTS, which is generally very good, but in this
>> case it forcibly breaks the user experience since it requires me to
>> connect with TLS but that is not possible since you are not
>> advertising a TLS suite that shares common ground with my browser
>> (or millions of other potential visitors).
>> 
>> Cheers.
>> 
>> On 1/26/17 3:49 AM, Andrew Gallagher wrote:
>>> On 26/01/17 00:16, Andrew Gallagher wrote:
 
>>>> gnupg.org *does* keep 3DES at the end of the supported
>>>> suites, so surely it should not be affected. I'm tempted to
>>>> write this off as a mistake by ssllabs.
>>> 
>>> I've spoken to ssllabs and it appears that this was an
>>> ambiguity in the wording of their blog post. That means the
>>> downgrade to C next month is legit - not because 3DES is
>>> present, but because 3DES is present *and* GCM is absent.
>>> 
>>> What both this and Glenn's Apple issue have in common is the
>>> lack of ECDHE+GCM suites in the cipher list. I generally use
>>> the following config in Apache:
>>> 
>>> SSLCipherSuite \
>>>  "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
>>>   EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 \
>>>   EECDH EDH+AESGCM EDH+aRSA +3DES 3DES \
>>>   !aNULL !eNULL !LOW !EXP !MD5 !KRB5 !PSK !SRP !DSS !SEED !RC4"
>>> 
>>> This uses all HIGH suites in a sensible order but still falls
>>> back to 3DES for XP compatibility. When retiring 3DES this
>>> simplifies to:
>>> 
>>> SSLCipherSuite \
>>>  "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
>>>   EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 \
>>>   EECDH EDH+AESGCM EDH+aRSA !MEDIUM !LOW !aNULL !eNULL !PSK"
>>> 
>>> Andrew.
>>> 
>>> 
>>> 
>>> ___
>>> Gnupg-users mailing list
>>> Gnupg-users@gnupg.org
>>> http://lists.gnupg.org/mailman/listinfo/gnupg-users
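The two conditions raised in this thread (no ECDHE+GCM suite, and 3DES present while GCM is absent) can be checked offline. The following is an added example, not code from any of the posters: it expands Andrew's 3DES-free cipher string with the local OpenSSL via Python's `ssl` module and runs the same check over the three suites from Julien's scan. The function names `expand` and `findings` are hypothetical, and the exact expansion depends on the installed OpenSSL build.

```python
import ssl

# Cipher string from Andrew's message (the variant with 3DES retired).
APACHE_CIPHERS = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
    "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 "
    "EECDH EDH+AESGCM EDH+aRSA !MEDIUM !LOW !aNULL !eNULL !PSK"
)

# Suites the TLS Observatory reported for gnupg.org in Julien's message.
SCANNED = ["DHE-RSA-AES128-SHA", "DHE-RSA-AES256-SHA", "DES-CBC3-SHA"]


def expand(cipher_string):
    """Return the ordered TLS <= 1.2 suite names OpenSSL selects for the string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites are configured separately and always listed; skip them.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def findings(suites):
    """Flag the two conditions discussed in the thread."""
    has_3des = any("DES-CBC3" in s for s in suites)
    has_gcm = any("GCM" in s for s in suites)
    ecdhe_gcm = [s for s in suites if s.startswith("ECDHE-") and "GCM" in s]
    out = []
    if not ecdhe_gcm:
        out.append("no ECDHE+GCM suite offered")
    if has_3des and not has_gcm:
        out.append("3DES present and GCM absent")
    return out


if __name__ == "__main__":
    print("scanned: ", findings(SCANNED))
    expanded = expand(APACHE_CIPHERS)
    print("proposed:", findings(expanded))
    for name in expanded:
        print("  ", name)
```
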

Re: I'm confused about GPG, and it's confused about me

2017-01-29 Thread Reid Vail
On Fri, 27 Jan 2017 14:16:15 +0100
Peter Lebbing wrote:

> Whoops, left out part of my answer.
> 
> On 27/01/17 03:25, Reid Vail wrote:
> > When I used Seahorse and tried to create a new keypair it never seemed
> > to complete. I know it wants random input and keystrokes to help create
> > the keys.  Tried it several times but it never succeeded.  I also tried
> > GPA and ran it with the same intent, executed all kinds of activity to
> > generate random data.  The progress bar in the Generating Key box
> > completed but I never saw a message that said it completed successfully,
> > and the new key (if it ever did complete) never showed in the Key
> > Manager screen.
> 
> I'm sorry to hear you are having such trouble getting it to work! That's
> a pretty bad first user experience.
> 
> Are you doing this on a virtual machine? Certain virtual machine
> deployments have trouble gathering randomness, which prevents generating
> keys. Other than that, these programs should just have worked. Odd...
> 
> > I figured I could manually use that new key to sign the public key I
> > was trying to send to, which is the goal.
> 
> I don't fully understand. Are you trying to send someone else an
> encrypted document, and are you encountering the situation that GnuPG is
> warning you that there is no indication that the key belongs to the
> recipient?
> 
> Peter.
> 
> -- 
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at 
> 
Thanks very much for your reply, and I completely agree it will be simpler to
outline what I'm trying to do.  It's just this:

I have two email addresses. I'm to send an encrypted message from my gmail
address to my runbox address just to test and to make sure I understand the
steps, and to be sure I have the right tools loaded.

I believe I got turned around because of my really flawed understanding of
the exporting, importing and signing requirements (and because it gets
convoluted when it's your own addresses you're working with), and because
some of the GUI tools I have loaded on my Linuxmint 18 KDE implementation
aren't working right.

Here's the output from gpg -K ... Since there are duplicates it might be best
to delete them all and start again, with a closer read of the manual.

rsv2@rsv2-Serval-Pro ~ $ gpg -K
/home/rsv2/.gnupg/secring.gpg
-
sec   2048R/26F66FEB 2016-11-09
uid  Reid Vail 
ssb   2048R/14C2E935 2016-11-09

sec   3072R/709C5420 2016-11-10
uid  Reid-Gmail 
ssb   3072R/A284EB64 2016-11-10

sec   2048R/A780EFF6 2017-01-17
uid  Reid Vail (runbox) 
ssb   2048R/1ED8FE07 2017-01-17

sec   2048R/23FFE4EF 2015-10-04
uid  Reid Vail 
ssb   2048R/385F695B 2015-10-04

sec   2048R/044D3458 2017-01-24
uid  reid s. vail (GMAIL 1-23) 
ssb   2048R/6A4EDEAB 2017-01-24

Reid









Re: Expired GPG key for ssh authentication

2017-01-29 Thread Marko Bauhardt

> On 29 Jan 2017, at 15:18, Andrew Gallagher wrote:
> 
> 
> On 29 Jan 2017, at 10:39, Marko Bauhardt wrote:
> 
>> Now one year later. My ssh subkey is expired. But I’m still able to login 
>> into my ssh-server.
>> My assumption was that I can use this subkey only if this key is valid. Is 
>> the expired key working because I’m using the ssh-agent instead of the 
>> gpg-agent?
> 
> It is still working because the remote ssh server has no concept of key 
> expiry. When you converted your auth subkey to ssh format you stripped all 
> the expiry info from it. (There is the related problem of your client 
> offering the expired key to the server, but this is relatively harmless).
> 
> If you want your ssh key to stop working when the auth subkey expires, you 
> need to make sure to run monkeysphere on a regular basis (cron) on the remote 
> server, to refresh the authorized_keys and thereby overwrite any ssh keys 
> associated with expired pgp keys. Ssh keys themselves do not expire.
> 
> See: http://web.monkeysphere.info/doc/ssh-user-authentication/ 
> 

Thank you Andrew.
Makes sense.

Marko



signature.asc
Description: Message signed with OpenPGP using GPGMail


Re: Expired GPG key for ssh authentication

2017-01-29 Thread Andrew Gallagher

> On 29 Jan 2017, at 10:39, Marko Bauhardt wrote:
> 
> Now one year later. My ssh subkey is expired. But I’m still able to login 
> into my ssh-server. 
> My assumption was that I can use this subkey only if this key is valid. Is 
> the expired key working because I’m using the ssh-agent instead of the 
> gpg-agent?

It is still working because the remote ssh server has no concept of key expiry. 
When you converted your auth subkey to ssh format you stripped all the expiry 
info from it. (There is the related problem of your client offering the expired 
key to the server, but this is relatively harmless). 

If you want your ssh key to stop working when the auth subkey expires, you need 
to make sure to run monkeysphere on a regular basis (cron) on the remote 
server, to refresh the authorized_keys and thereby overwrite any ssh keys 
associated with expired pgp keys. Ssh keys themselves do not expire. 

See: http://web.monkeysphere.info/doc/ssh-user-authentication/

Andrew.
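An added illustration of the point in Andrew's reply (not part of the original messages and not monkeysphere's code): the `ssh-rsa` blob stored in `authorized_keys` holds only the algorithm name, exponent and modulus, while the expiry time lives in the OpenPGP subkey record that `gpg --with-colons` prints. The key material, key IDs and timestamps below are constructed, and the function names are hypothetical.

```python
import base64
import struct


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


# Constructed ssh-rsa public key (not a real key): algorithm name, e, n.
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(
    _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
    + _ssh_string(b"\x00" + b"\xc3" * 256)
).decode() + " constructed-example"

# Constructed `gpg --with-colons --list-keys` records (IDs and dates made up).
# Field 7 is the expiry time (seconds since epoch), field 12 the capabilities.
SAMPLE_COLONS = """\
pub:u:2048:1:AAAAAAAAAAAAAAAA:1451606400:::u:::scESC:
sub:e:2048:1:BBBBBBBBBBBBBBBB:1451606400:1483228800:::::a:
sub:u:2048:1:CCCCCCCCCCCCCCCC:1451606400::::::e:
sub:u:2048:1:DDDDDDDDDDDDDDDD:1451606400:4102444800:::::a:
"""


def ssh_blob_fields(authorized_keys_line):
    """Split the base64 key blob into its length-prefixed fields."""
    blob = base64.b64decode(authorized_keys_line.split()[1])
    fields, pos = [], 0
    while pos + 4 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    return fields


def expired_auth_subkeys(colon_listing, now):
    """Key IDs of authentication subkeys whose expiry time has passed."""
    expired = []
    for line in colon_listing.splitlines():
        rec = line.split(":")
        if rec[0] == "sub" and len(rec) >= 12 and "a" in rec[11]:
            if rec[6] and int(rec[6]) <= now:
                expired.append(rec[4])
    return expired


if __name__ == "__main__":
    print([f[:8] for f in ssh_blob_fields(SAMPLE_LINE)])  # three fields, no expiry
    print(expired_auth_subkeys(SAMPLE_COLONS, now=1485648000))  # 2017-01-29 UTC
```
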


Expired GPG key for ssh authentication

2017-01-29 Thread Marko Bauhardt
Hi,
I’m using gpg 2.0.30. I have a keyring which contains a subkey which is there 
for authentication only. I’m using `monkeysphere s` to add this key to my 
ssh-agent. Using `ssh-add -L` to get the public ssh key representation to be 
able to add the key to my `.ssh/authorized_keys` file on the server. Everything 
works. But I configured my subkey to expire after one year.

Now one year later. My ssh subkey is expired. But I’m still able to login into 
my ssh-server.
My assumption was that I can use this subkey only if this key is valid. Is the 
expired key working because I’m using the ssh-agent instead of the gpg-agent?

Any idea or comment?

---

Marko Bauhardt
marko.bauha...@mailbox.org 

Key ID: 53192101
Fingerprint: DC0F E851 82A3 72E3 7FE1  ACDB 970C FD47 5319 2101


