Re: Security doubts on 3DES default

2017-03-16 Thread Werner Koch
On Thu, 16 Mar 2017 15:55, pe...@digitalbrains.com said:

> Perhaps we should either retire ciphers with a 64-bit block length or
> make OpenPGP mandatorily rekey after a few gigabytes of data, so it's no
> longer up to the user to be prudent with large amounts of data.

Those who have large amounts of data to encrypt will anyway use a fast
cipher and this means AES.  Thus the 64 bit block length is in practice
only a theoretical problem.  A more practical problem is how to protect
against arbitrary I/O or storage errors.  Thus in the end you will store
the data anyway in chunks.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


RE: Security doubts on 3DES default

2017-03-16 Thread Robert J. Hansen
> Perhaps we should either retire ciphers with a 64-bit block length or make
> OpenPGP mandatorily rekey after a few gigabytes of data, so it's no longer
> up to the user to be prudent with large amounts of data.

In the next draft of the RFC, I'd like to see 64-bit-block ciphers go the way
of the dodo.





Re: Security doubts on 3DES default

2017-03-16 Thread Peter Lebbing
On 16/03/17 15:21, Robert J. Hansen wrote:
> -- but I'm unaware of any reason why we should not permit using 3DES as a
> symmetric cipher.

Perhaps we should either retire ciphers with a 64-bit block length or
make OpenPGP mandatorily rekey after a few gigabytes of data, so it's no
longer up to the user to be prudent with large amounts of data.

In this stage of the game, it might make more sense to just retire those
ciphers.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



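As an added illustration, not part of any post in this thread, of what sits behind Peter's "rekey after a few gigabytes" suggestion and Werner's remark that large data ends up stored in chunks anyway: the birthday bound on colliding ciphertext blocks for a 64-bit block cipher such as 3DES versus the 128-bit block of AES. In the CFB mode OpenPGP uses, two equal ciphertext blocks reveal the XOR of the two plaintext blocks that follow them, so the volume encrypted under a single session key before a collision becomes likely is the practical risk figure. The script below is mine; its only inputs are the block sizes and the data volumes it tabulates, and it assumes nothing about GnuPG's own code.

```python
import math

# Block sizes (bits) of the two ciphers discussed in the thread.
BLOCK_BITS = {"3DES": 64, "AES": 128}


def collision_probability(block_bits: int, data_bytes: int) -> float:
    """Probability that at least two ciphertext blocks collide after
    encrypting data_bytes under one key.  Birthday bound:
    p ~= 1 - exp(-q(q-1) / (2N)) for q blocks drawn from N = 2**block_bits."""
    q = data_bytes // (block_bits // 8)
    if q < 2:
        return 0.0
    exponent = -(q * (q - 1)) / (2.0 * 2 ** block_bits)
    return -math.expm1(exponent)  # 1 - exp(exponent), numerically stable


def bytes_until_probability(block_bits: int, p_max: float) -> int:
    """Largest data volume (bytes) that keeps the collision probability at or
    below p_max: the bound above inverted, q ~= sqrt(2N * ln(1 / (1 - p)))."""
    n = 2.0 ** block_bits
    q = math.sqrt(-2.0 * n * math.log1p(-p_max))
    return int(q) * (block_bits // 8)


def rekey_table(volumes_gib=(1, 4, 32, 256)):
    """Collision probability per cipher for a few single-key data volumes."""
    table = {}
    for name, bits in BLOCK_BITS.items():
        table[name] = {
            gib: collision_probability(bits, gib * 2 ** 30) for gib in volumes_gib
        }
    return table


if __name__ == "__main__":
    for name, row in rekey_table().items():
        print(name)
        for gib, p in row.items():
            print(f"  {gib:4d} GiB under one key: p(collision) = {p:.3g}")
    for name, bits in BLOCK_BITS.items():
        limit = bytes_until_probability(bits, 2 ** -20)
        print(f"{name}: rekey before {limit / 2 ** 20:.3g} MiB to keep p <= 2^-20")
```

The table makes the contrast concrete: at 32 GiB under one key a 64-bit block cipher is already near a 40% chance of a leaked plaintext XOR, while the 128-bit block at the same volume is below 10^-18, which is why the rekey or chunking question only arises for the small-block ciphers.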


RE: Security doubts on 3DES default

2017-03-16 Thread Robert J. Hansen
> take rjh's caveat with a grain of salt -- GnuPG's interest is in
> protecting its users.  If the project knows something is bad, we're
> going to try to protect users from it.

In my defense, I never said GnuPG wasn't going to try to protect users from
dangerous things.  I said that until the RFC changes, 3DES and SHA1 will
remain in the codebase -- which is, I think, the correct position to take.

> probably not, but it should probably decline to generate such a thing,
> in the way that it defaults to generating signatures using SHA256 these
> days.

Why?  What's the reasoning for refusing to encrypt using 3DES?

I can see "we should refuse to put 3DES in any non-final position in key or
cipher preferences" -- that would make sense: it's the cipher of last
resort, and putting it in non-final position kind of breaks that guideline
-- but I'm unaware of any reason why we should not permit using 3DES as a
symmetric cipher.

3DES is slow and obnoxious but it's not unsafe.  At 168 bits of key material
it's actually stronger than AES128.  (I'm discounting the theoretical
attacks on 3DES, as they require many orders of magnitude more memory than
exist in the entire world.)




Re: Security doubts on 3DES default

2017-03-16 Thread Daniel Kahn Gillmor
On Wed 2017-03-15 07:13:18 -0400, Werner Koch wrote:
> On Tue, 14 Mar 2017 21:54, r...@sixdemonbag.org said:
>
>> So long as you understand GnuPG will not make any changes that break RFC
>> conformance... and dropping SHA1/3DES breaks RFC conformance.
>
> Well, it is possible to use
>
>   --weak-digest SHA1 --disable-cipher-algo 3DES
>
> with gpg.

and some of us have experimented with running this kind of configuration
(at the very least with --weak-digest SHA1) for quite some time now.

take rjh's caveat with a grain of salt -- GnuPG's interest is in
protecting its users.  If the project knows something is bad, we're
going to try to protect users from it.

that said, data in a store-and-forward format (or for persistent
backups) makes it tricky to fully remove something.  Should GnuPG refuse
to decrypt a symmetrically-encrypted message that uses 3DES ?  probably
not, but it should probably decline to generate such a thing, in the way
that it defaults to generating signatures using SHA256 these days.

 --dkg



Re: ADMIN: Some mail addresses are now rewritten

2017-03-16 Thread Werner Koch
On Thu, 16 Mar 2017 04:46, gnupg-users@gnupg.org said:

> IMO reply should go to the sender and reply-list/group reply should go to the
> list.  Sure people make mistakes, but it's still the most reasonable behavior.

There are two schools on this matter.  This here is a privacy related
list and thus we want to avoid accidentally posting a PM to the list.

> I've been dealing with this.  After watching these kinds of problems in
> multiple environments I think what should happen with mailman, dkim,
> SPF, etc is:

We can only use what Mailman provides ;-)

> Not sure I follow, I hit group reply in Thunderbird and at the top of this
> message is:
>
> On 03/11/2017 09:27 AM, Werner Koch wrote:

Right, because my From header has not been rewritten (no reject DMARC
policy at gnupg.org).  But if you look above you can notice that Gnus
took the ML address - should be easy to fix but right now I don't have
spare cycles.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: ADMIN: Some mail addresses are now rewritten

2017-03-16 Thread Bill Broadley via Gnupg-users
On 03/11/2017 09:27 AM, Werner Koch wrote:
> Hi!
> 
> You may have noted that the From address has been rewritten to show the
> list address instead of your address.  In addition a reply-to header has
> been set so that your address is also known. 

IMO reply should go to the sender and reply-list/group reply should go to the
list.  Sure people make mistakes, but it's still the most reasonable behavior.

> The reason for this is that some mail sites now have a DMARC reject
> policy which leads to a bounce for all subscribers whose mail provider
> honors this DMARC policy - for example gmail.  After a few bounces
> message delivery to those subscribers will be blocked by our Mailman.

I've been dealing with this.  After watching these kinds of problems in multiple
environments I think what should happen with mailman, dkim, SPF, etc is:
A) If mailman is going to leave DKIM headers intact then the email should be
   forwarded without modifications to the body/signature.  So readers of the
   mailing list should be able to DKIM verify the centor
B) if mailman is going to modify the email then it should:
   1) resign with its DKIM key (for gnupg.org in this case)
   2) allow mailing list users to set a flag saying "Do not accept email
      from me unless properly signed with DKIM"
   3) Upon finding properly signed DKIM messages that will be stripped/resigned
      mailman should add a new header.  DKIM-verified-by-mailman or similar.

I realize this isn't the best place to discuss such things, but welcome any
input.  I'm watching the mailman list, on a #dmarc IRC channel, or similar.  But
finding a place that discusses standards that impact so many different pieces is
tricky.

> The problem with this rewriting is that it breaks quoting.  For example
> here is how I would have replied to Jeff's test mail:
> 
>   On Sat, 11 Mar 2017 15:02, gnupg-users@gnupg.org said:
>   
>   > Just a simple test message as asked by Werner to test something…
>   
>   Thank you.
> 
> Thus I think marking the address invalid would have been a better choice
> for Mailman - but there is no option for this yet.

Not sure I follow, I hit group reply in Thunderbird and at the top of this
message is:

On 03/11/2017 09:27 AM, Werner Koch wrote:
> Hi!

Which is exactly what I expected.





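An added example (my code, not Bill's and not Mailman's) of the mechanism behind options A and B above: a DKIM signature commits to a hash of the canonicalized body in its bh= tag, so a list that appends a footer invalidates the sender's signature and must either pass the message through untouched (A) or sign it again under its own domain (B1). The script implements the "relaxed" body canonicalization of RFC 6376 section 3.4.4 and checks the bh= tag of a DKIM-Signature header against the body as delivered. The message text, footer, domain names and selector are constructed sample values, the b= tag is a placeholder, and the public-key signature over the headers, which a real verifier also checks using the key published in DNS, is deliberately left out.

```python
import base64
import hashlib
import re


def canonicalize_relaxed_body(body: str) -> str:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization: collapse runs
    of SP/HTAB to one SP, drop whitespace at line ends, remove empty lines at
    the end of the body, and end a non-empty body with exactly one CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return ""
    return "\r\n".join(lines) + "\r\n"


def body_hash(body: str) -> str:
    """bh= value for a=rsa-sha256: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_relaxed_body(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def dkim_tag(header_value: str, name: str) -> str:
    """Return one tag value from a DKIM-Signature header value; folding
    whitespace inside the value is ignored, as the spec allows."""
    for tag in header_value.split(";"):
        key, _, value = tag.strip().partition("=")
        if key.strip() == name:
            return "".join(value.split())
    raise ValueError(f"tag {name}= not found")


def make_signature_header(body: str, domain: str, selector: str) -> str:
    """Constructed DKIM-Signature header value for the sample.  b= is a
    placeholder: the signature over the headers is not modelled here."""
    return (
        f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
        f"h=from:to:subject:date; bh={body_hash(body)}; b=PLACEHOLDER"
    )


def body_hash_matches(header_value: str, body: str) -> bool:
    """True when the bh= tag agrees with the body as delivered."""
    return dkim_tag(header_value, "bh") == body_hash(body)


# Constructed sample: the body as the author's MTA signed it ...
ORIGINAL_BODY = "Just a simple test message, signed at the sender.\r\n"
# ... and a list footer of the kind Mailman appends (sample text only).
LIST_FOOTER = (
    "\r\n___\r\nExample-list mailing list\r\n"
    "example-list@lists.example.org\r\n"
)

SENDER_HEADER = make_signature_header(ORIGINAL_BODY, "sender.example", "sel2017")


def check_after_list(modify_body: bool, list_resigns: bool):
    """Simulate the list's choices: untouched (A), modified with only the
    sender's signature left in place, or modified and re-signed (B1).
    Returns (sender_signature_ok, list_signature_ok_or_None)."""
    body = ORIGINAL_BODY + LIST_FOOTER if modify_body else ORIGINAL_BODY
    sender_ok = body_hash_matches(SENDER_HEADER, body)
    list_ok = None
    if list_resigns:
        list_header = make_signature_header(body, "lists.example.org", "mailman")
        list_ok = body_hash_matches(list_header, body)
    return sender_ok, list_ok


if __name__ == "__main__":
    print("A  untouched:            ", check_after_list(False, False))
    print("   footer, not re-signed:", check_after_list(True, False))
    print("B1 footer, re-signed:    ", check_after_list(True, True))
```

The middle case is the one DMARC turns into a bounce: the From domain's signature no longer verifies once the footer is in the body, and nothing else vouches for the message. Re-signing under the list's domain repairs verification for the list's own signature, but the sender's signature stays broken, which is why option B2/B3 in Bill's list pairs the re-signing with a header recording that the original signature verified before the modification.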


Re: HTTPS keyservers (with SSL-keys recording)

2017-03-16 Thread Miroslav Rovis
On 170315-16:46+0100, Werner Koch wrote:
> On Wed, 15 Mar 2017 10:14, miro.ro...@croatiafidelis.hr said:
> 
> > keyserver hkps.pool.sks-keyservers.net:443
> 
> I guess we should better default to hkps:// if a scheme is not given.

which is, IIUC, HTTPS key protocol, like hkp:// is HTTP key protocol.

> I have not checked whether this is already the case.

No, it's not implemented, or if it is, it's not by default in my Gentoo.
But if it's local configuration, I'm not an expert to know what to
configure to get it implemented.

> > I record SSL-keys all the time, and I believe every communication
> > in/with my machine must be permitted by me, and open to my inspection,
> 
> I didn't understand the need for recording session keys - in general we
> try hard not to leave any trace of session keys.

How do you solve issues that arise then? How do you guard your system if
you don't have an option to inspect what is happening in your system?
There's no defence generally without knowing what happens on your turf,
not really, ever!

> BTW, we should not use the term SSL anymore.

BTW, my original title to that Youtube-dl issue contained SSL-key, not
TLS-key recording, the maintainer there changed that title...

It's very hard for me to contradict someone of your format, Werner, but
other smart people say the name change has been purely political,
without any technical merit to it... So allow me to point you to others
who contradict you, and IMO rebellion against senseless practices is a
good thing(TM):

https://wiki.wireshark.org/SSL
and if you try:
https://wiki.wireshark.org/TLS
you get "This page does not exist yet."

> 
> Shalom-Salam,

Peace!

>    Werner
> 
> -- 
> Thoughts are free.  Exceptions are regulated by a federal law.

I would like to learn to write, read and speak German... But no time for
that now...
( I like German, and German-speaking nations, culture and way of life a
lot. )

Sincere respect and regards to you and your team!
-- 
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr

