Re: content of private-keys-v1.d

2017-02-09 Thread Marko Bauhardt 
Hi,

> 
> gnupg/agent/keyformat.txt

you mean here 
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob_plain;f=agent/keyformat.txt
 

 ?

The part i’m interested in should be this right?

{quote}
** Shadowed Private Key Format

To keep track of keys stored on IC cards we use a third format for
private kyes which are called shadow keys as they are only a reference
to keys stored on a token:

(shadowed-private-key
   (rsa
(n #00e0ce9..[some bytes not shown]..51#)
(e #010001#)
(shadowed protocol (info))
   )
   (uri http://foo.bar x-foo:whatever_you_want)
   (comment whatever)
)

The currently used protocol is "ti-v1" (token info version 1).  The
second list with the information has this layout:

(card_serial_number id_string_of_key fixed_pin_length)

FIXED_PIN_LENGTH is optional.  It can be used to store the length of
the PIN; a value of 0 indicates that this information is not
available.  The rationale for this field is that some pinpad equipped
readers don't allow passing a variable length PIN.

More items may be added to the list.
{quote}



With this example

{quote}
Key: (shadowed-private-key
(rsa
(n #00AA1AD2A55FD8C8FDE9E1941772D9CC903FA43B268CB1B5A1BAFDC900
2961D8AEA153424DC851EF13B83AC64FBE365C59DC1BD3E83017C90D4365B4
83E02859FC13DB5842A00E969480DB96CE6F7D1C03600392B8E08EF0C01FC7
19F9F9086B25AD39B4F1C2A2DF3E2BE317110CFFF21D4A11455508FE407997
601260816C8422297C0637BB291C3A079B9CB38A92CE9E551F80AA0EBF4F0E
72C3F250461E4D31F23A7087857FC8438324A013634563D34EFDDCBF2EA80D
F9662C9CCD4BEF2522D8BDFED24CEF78DC6B309317407EAC576D889F88ADA0
8C4FFB480981FB68C5C6CA27503381D41018E6CDC52AAAE46B166BDC10637A
E186A02BA2497FDC5D1221#)
(e #00010001#)
(shadowed t1-v1
 (#D2760001240102051173# OPENPGP.1)
)))
{quote}


> 
> 
> Salam-Shalom,
> 
>   Werner
> 
> --
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users


---

Marko Bauhardt
marko.bauha...@mailbox.org 

GPG Key ID: 53192101
GPG Fingerprint: DC0F E851 82A3 72E3 7FE1  ACDB 970C FD47 5319 2101



signature.asc
Description: Message signed with OpenPGP using GPGMail
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

RE: GnuPG to create CSR

2017-02-09 Thread Ali Hassan Hamed Al Ajmi (eChannels) 
I got the issue.

Firewall was blocking the "dirmngr" from communicating with CA to validate 
x.509 certificates. I have solved that by disabling it. However,
I am trying to use gpgsm from command line to do encryption/decryption & 
signing/verifying. I stuck with how to pass the passphrase in command line. I 
tried to use the option : passphrase-fd but I am getting this error:

gpgsm --batch --passphrase-fd 0 --decrypt "C:\Test\POC.txt.p7m"
gpgsm: invalid option "--passphrase-fd"

Is this a bug in the tool ( on windows/ linux). Or it is not supported

anyone could help me on that.
The idea is to use the tool on a server where no-human-interaction is required.



-Original Message-
From: Daniel Kahn Gillmor [mailto:d...@fifthhorseman.net]
Sent: Saturday, February 04, 2017 7:09 AM
To: Ali Hassan Hamed Al Ajmi (eChannels) ; 
gnupg-users@gnupg.org
Cc: Naveen Rajghatta (Risk Management) ; Subash S (IT) 

Subject: RE: GnuPG to create CSR

On Tue 2017-01-31 07:05:45 -0500, Ali Hassan Hamed Al Ajmi (eChannels) wrote:

> Thanks for your response,
>
> I have successfully created the CSR and send it to internal CA
> (Microsoft CA) team. They sent me the certificate. I have used
> Kleopatra UI to import the created certificate after save it in a file
> (attaching sample file). Using same Kleopatra UI, I have also imported
> root & intermediate certificates for the CA. looks like attached
> img(kleopatra.png): We I tried to encrypt or sign any file, it shows
> this error (attached error.png)
>
> Is there anything wrong I have done?
> Or it is just because Kleopatra does not support X.509 certificate created by 
> Microsoft CA?

I'm sorry, i don't know the answer here, as this is a platform i don't use 
myself.  hopefully someone else on the list here who uses GnuPG on Windows and 
Kleopatra can give you some feedback or suggestions for how to debug further.

Regards,

--dkg
"Disclaimer! This email message is intended for the named recipient only. If 
you are not the intended recipient and if you have received this message by 
error, please immediately notify us through E-Mail at not...@bankmuscat.com and 
please delete this message from your system. E-mail communications are insecure 
and capable of interception and corruption, bank muscat would not be liable for 
incorrect, incomplete transmission, loss or damage on this account or delayed 
receipt of this e-mail."

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Non-deterministic behavior using GnuPG and a smart-card

2017-02-09 Thread Peter Lebbing 
Hello,

BTW, welcome to the list, Basil! I think it's interesting you encrypt
each and every mail you receive. That exercises all components a lot, it
might lead to some useful insights on how things might be improved. In
fact, we just encountered such an insight I think!

On 09/02/17 07:02, NIIBE Yutaka wrote:
> This should be fixed.

As a short term solution, you could revoke the encryption subkey and
create a new one with a common keylength; your current subkey is 3104
bits long for some reason, but the common keylength closest would be
3072 bits.

*However*, since you still want to decrypt mail already encrypted to the
revoked key, you would have to store an on-disk regular copy of that
subkey on your PC. If I understand correctly, you already use a regular
on-disk key on your smartphone, so this might not be a problem to you.

Changing subkey stuff has no effect on certifications; if people signed
your key, that signature will still be valid since it is on the primary
key (and an UID), subkeys are not involved in the process.

I'm curious how you ended up with 3104-bits RSA keys on your smartcard
in the first place, by the way!

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Non-deterministic behavior using GnuPG and a smart-card

2017-02-09 Thread Dr. Basil Becker 
Hi Peter et al. 

Am 9. Februar 2017 11:08:12 MEZ schrieb Peter Lebbing :
>Hello,
> I think it's interesting you encrypt
>each and every mail you receive. That exercises all components a lot,
>it
>might lead to some useful insights on how things might be improved. In
>fact, we just encountered such an insight I think!

To encrypt every mail I receive is an option, that my mail - provider offers. I 
uploaded my public key and each incoming mail becomes encrypted. In my opinion 
quite a good trade off, given the general usage of mail encryption outside of 
this list. 
>
>On 09/02/17 07:02, NIIBE Yutaka wrote:
>> This should be fixed.
>
Is there anything else I could provide in order to help with the 
bug-fix?Logs,traces anything? Of course I can offer my environment to do some 
tests. 
Should I file a bug report for this issue? 

>As a short term solution, you could revoke the encryption subkey and
>create a new one with a common keylength;

Yes, this is an option. 

>
>If I understand correctly, you already use a regular
>on-disk key on your smartphone, so this might not be a problem to you.
>
Actually, I'm using my smart-card also on my phone through an USB OTG cable. 
Nevertheless, I have an backup of my encryption key, I could facilitate to 
overcome the current limitations. 

>Changing subkey stuff has no effect on certifications; if people signed
>your key, that signature will still be valid since it is on the primary
>key (and an UID), subkeys are not involved in the process.
>
Thanks for pointing out. I'll consider using a more standard encryption key. 

>I'm curious how you ended up with 3104-bits RSA keys on your smartcard
>in the first place, by the way!
>
I decided for this unusual key length more or less for the reason of obscurity. 
I had the unproven hope that using an unusual key length would make attacks 
harder. However, I did not expect it to complicate the general usage :) 

Cheers 
Basil 


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Is NFC Appropriate?

2017-02-09 Thread Adam Sherman 
Good Morning,

As a very happy Yubikey 4[2] user, where my latop does not contain any
secret keys, I would now like to enjoy secure email on my smart phone
and tablet(s). Enter an NFC-capable SmartCard.

I have nowhere near the depth of understanding required to evaluate
this. Is it reasonable and appropriate to use a sub-key on an
NFC-capable SmartCard, such as the YubiKey Neo[3], in conjunction with
K9 Mail[4]?

This has been discussed at least once[1].

Thank you for your input,

A.


[1]: https://lists.gnupg.org/pipermail/gnupg-users/2015-April/053487.html
[2]: https://www.yubico.com/products/yubikey-hardware/yubikey4/
[3]: https://www.yubico.com/products/yubikey-hardware/yubikey-neo/
[4]: https://k9mail.github.io/

-- 
Adam Sherman 





signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Is NFC Appropriate?

2017-02-09 Thread Arthur Ulfeldt 
Yes it works great, I do this with k9+openkeychain on Android

Den tor. 9. feb. 2017 09.27 skrev Adam Sherman :

> Good Morning,
>
> As a very happy Yubikey 4[2] user, where my latop does not contain any
> secret keys, I would now like to enjoy secure email on my smart phone
> and tablet(s). Enter an NFC-capable SmartCard.
>
> I have nowhere near the depth of understanding required to evaluate
> this. Is it reasonable and appropriate to use a sub-key on an
> NFC-capable SmartCard, such as the YubiKey Neo[3], in conjunction with
> K9 Mail[4]?
>
> This has been discussed at least once[1].
>
> Thank you for your input,
>
> A.
>
>
> [1]: https://lists.gnupg.org/pipermail/gnupg-users/2015-April/053487.html
> [2]: https://www.yubico.com/products/yubikey-hardware/yubikey4/
> [3]: https://www.yubico.com/products/yubikey-hardware/yubikey-neo/
> [4]: https://k9mail.github.io/
>
> --
> Adam Sherman 
>
>
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Non-deterministic behavior using GnuPG and a smart-card

2017-02-09 Thread Dr. Basil Becker 
Hello,

On 09.02.2017 07:02, NIIBE Yutaka wrote:
> Hello,
> 
> [...]
> This should be fixed.
> 
I opened an issue for this topic: https://bugs.gnupg.org/gnupg/issue2953

Cheers,
Basil



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Is NFC Appropriate?

2017-02-09 Thread Adam Sherman 
On 2017-02-09 11:15 AM, Adam Sherman wrote:
> Is it reasonable and appropriate to use a sub-key on an NFC-capable
> SmartCard, such as the YubiKey Neo[3], in conjunction with K9
> Mail[4]?

Re-reading my own post, I realize that I was not clear on my actual
question. Let me rephrase:

Is using an NFC Smart Card with a smart phone for PGP secure? What
pitfalls exist?

Thank you,

A.


-- 
Adam Sherman 



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Is NFC Appropriate?

2017-02-09 Thread Adam Sherman 
On 2017-02-09 06:49 PM, Arthur Ulfeldt wrote:
> A hash of The message passes through near field magnetic induction which
> does emit radio waves. Then a response is sent back containing the
> description key for that message.  Perhaps someone here knows if a
> secure channel is negotiated for this exchange. I'm guessing not.
> 

How is the PIN transmitted, does anyone know?

A.

-- 
Adam Sherman 



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Is NFC Appropriate?

2017-02-09 Thread Dr. Basil Becker 
Hello,

On 09.02.2017 23:46, Adam Sherman wrote:
> On 2017-02-09 11:15 AM, Adam Sherman wrote:
>> Is it reasonable and appropriate to use a sub-key on an NFC-capable
>> SmartCard, such as the YubiKey Neo[3], in conjunction with K9
>> Mail[4]?
> 
> Re-reading my own post, I realize that I was not clear on my actual
> question. Let me rephrase:
> 
> Is using an NFC Smart Card with a smart phone for PGP secure? What
> pitfalls exist?
> 
I'm not going to answer your question directly, but if you're unsure
about NFC's reliability, you could start with USB on-the-go [1]. This
way you could keep your already existing Yubikey 4, which also allows
stronger keys than the Yubikey NEO.

Cheers,
Basil


[1] https://en.wikipedia.org/wiki/USB_On-The-Go
> 
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
> 



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Is NFC Appropriate?

2017-02-09 Thread Arthur Ulfeldt 
So you weren't alike if you can do this (yes it works) rather you where
asking if you should ;-)

A hash of The message passes through near field magnetic induction which
does emit radio waves. Then a response is sent back containing the
description key for that message.  Perhaps someone here knows if a secure
channel is negotiated for this exchange. I'm guessing not.

With all such things it's useful to consider the overall situation for
yourself and decide if it protect against the threats that affect you.

My situation is fine with that risk, because there are easier ways to get
the key (rubber hoses and the usual discussion here)

Den tor. 9. feb. 2017 15.40 skrev Adam Sherman :

> On 2017-02-09 11:15 AM, Adam Sherman wrote:
> > Is it reasonable and appropriate to use a sub-key on an NFC-capable
> > SmartCard, such as the YubiKey Neo[3], in conjunction with K9
> > Mail[4]?
>
> Re-reading my own post, I realize that I was not clear on my actual
> question. Let me rephrase:
>
> Is using an NFC Smart Card with a smart phone for PGP secure? What
> pitfalls exist?
>
> Thank you,
>
> A.
>
>
> --
> Adam Sherman 
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Is NFC Appropriate?

2017-02-09 Thread Adam Sherman 
On 2017-02-09 07:18 PM, Dr. Basil Becker wrote:
> I'm not going to answer your question directly, but if you're unsure
> about NFC's reliability, you could start with USB on-the-go [1]. This
> way you could keep your already existing Yubikey 4, which also allows
> stronger keys than the Yubikey NEO.

Thanks for that pointer, it is extremely helpful.

A.


-- 
Adam Sherman 



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users