Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Duane Whitty


On 17-06-12 05:45 PM, Stefan Claas wrote:
> On 12.06.17 22:35, Robert J. Hansen wrote:
>>> Is there something like a Standard Operating Procedure for GnuPG
>>> available, which fulfills security experts' demands, and which can
>>> easily be adapted by an average GnuPG user, regardless of platform
>>> and client he/she uses?
>> No.  More to the point, there can't be.  Each user faces threats
>> specific to that user; each user is responsible for their own threat
>> modeling.
>>
>> But follow the steps I outlined before and you'll significantly improve
>> your online security.  You won't be perfect -- there is no such thing as
>> perfection.  You won't be a hardened target -- that takes a lot of work.
>>  But follow those steps and you'll have taken care of the easy ways that
>> your machine can be compromised.
>>
> 
> Thank you very much for your advice, much appreciated!
> 
> Regards
> Stefan
> 
> 
I'm not one of the many experts on the list you refer to so you'll have
to judge for yourself the usefulness of my procedures.  Comments from
more experienced users welcome as well, of course, and some very
experienced users have given you very good advice already.

Some of the things I do include setting a password on the BIOS and HD and
turning my computer off when I'm not using it.  My reason for those
steps is that I am hoping it would introduce enough of a roadblock that
should someone gain physical access to my computer (a laptop) they would
need to take it with them in order to compromise it.

I also don't click on any links in emails. As well, I don't open any PDF
files I don't trust.

I believe also that it's important to consider what operating system you
use.  Some people believe that with certain OSs you are compromised the
minute you install said OS and are actually fulfilling the role of
Mallory against yourself.  This is to say that I believe Open Source is
beneficial not that it is the complete solution.

I would also add one word about USB sticks:  It is very difficult to
know if they've been compromised and there are no tell-tale signs when
an attack is taking place.  I never put a USB in my computer that has
been used on a computer I don't own.

Best Regards,
Duane

-- 
Duane Whitty
du...@nofroth.com



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Stefan Claas
On 12.06.17 22:35, Robert J. Hansen wrote:
>> Is there something like a Standard Operating Procedure for GnuPG
>> available, which fulfills security experts' demands, and which can
>> easily be adapted by an average GnuPG user, regardless of platform
>> and client he/she uses?
> No.  More to the point, there can't be.  Each user faces threats
> specific to that user; each user is responsible for their own threat
> modeling.
>
> But follow the steps I outlined before and you'll significantly improve
> your online security.  You won't be perfect -- there is no such thing as
> perfection.  You won't be a hardened target -- that takes a lot of work.
>  But follow those steps and you'll have taken care of the easy ways that
> your machine can be compromised.
>

Thank you very much for your advice, much appreciated!

Regards
Stefan




Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Robert J. Hansen
> Is there something like a Standard Operating Procedure for GnuPG
> available, which fulfills security experts' demands, and which can
> easily be adapted by an average GnuPG user, regardless of platform
> and client he/she uses?

No.  More to the point, there can't be.  Each user faces threats
specific to that user; each user is responsible for their own threat
modeling.

But follow the steps I outlined before and you'll significantly improve
your online security.  You won't be perfect -- there is no such thing as
perfection.  You won't be a hardened target -- that takes a lot of work.
But follow those steps and you'll have taken care of the easy ways that
your machine can be compromised.



Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Stefan Claas
On 12.06.17 22:10, Robert J. Hansen wrote:
>> and transfer signed/encrypted messages from my online usage
>> computer with a USB stick to my offline computer and verify
>> decrypt the messages there. :-)
> If you think your online computer may be compromised, then you have no
> business sharing USB devices between it and your believed-safe computer.
>
O.k., I have for example no offline computer shielded against Tempest
attacks, etc., because I am only a little Mac user. Is there something like
a Standard Operating Procedure for GnuPG available, which fulfills security
experts' demands, and which can easily be adapted by an average GnuPG user,
regardless of platform and client he/she uses?

Regards
Stefan




Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Robert J. Hansen
> and transfer signed/encrypted messages from my online usage
> computer with a USB stick to my offline computer and verify
> decrypt the messages there. :-)

If you think your online computer may be compromised, then you have no
business sharing USB devices between it and your believed-safe computer.




Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Stefan Claas
On 12.06.17 21:15, Peter Lebbing wrote:

>> (Remember there are two types of companies. Those who know they got
>> hacked and those who don't know yet that they got hacked.)
>>
>>
I should put that as a signature in my email and Usenet client! :-)

Regards
Stefan





Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Stefan Claas
On 12.06.17 21:21, Ludwig Hügelschäfer wrote:
> What you can do: Learn, learn by playing, learn by trying to
> understand what others write and by asking questions and become a
> reasonable critical user. That's the hard way, but you learn best.
> Second possibility would be to have a good experienced friend who
> guides you along the way. Third way would be to engage an expert who
> maintains your computer.
>
Thanks also for your valuable reply!

Please see also my reply to Peter.

Regards
Stefan






Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Stefan Claas
On 12.06.17 21:15, Peter Lebbing wrote:
> On 12/06/17 20:51, Stefan Claas wrote:
>> Maybe as an additional security feature Enigmail should give
>> a key with a set trust level of "Ultimate" a different color than
>> green.
> No, that's beside the point. Once somebody gets your user privileges,
> there is no "additional security". It's game over. They could replace
> your Enigmail with their Evilmail, which seems like a good name for an
> Enigmail edited to show any fingerprint the attacker desires and give it
> any colour of the rainbow.
>
> You need to make sure your computer doesn't get hacked by someone who
> wants to subvert your use of GnuPG. Luckily, for most of us, we get
> hacked to send spam... ;)
>
> (Remember there are two types of companies. Those who know they got
> hacked and those who don't know yet that they got hacked.)
>
>

Thanks for your thoughts! So what I have learned from this whole
thread, also about my proposal for identicons, is that I should buy
myself an offline computer, send Thunderbird/Enigmail to /dev/null
and transfer signed/encrypted messages from my online usage
computer with a USB stick to my offline computer and verify and
decrypt the messages there. :-)

Regards
Stefan





Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Ludwig Hügelschäfer

On 12.06.17 20:51, Stefan Claas wrote:
> On 12.06.17 20:18, Ludwig Hügelschäfer wrote:
>> Hi,
>> 
>> On 12.06.17 14:52, Stefan Claas wrote:
>> 
>>> Hi Ludwig,
>>> 
>>> I just checked again. On my Mac and on my Windows Notebook I
>>> get a green bar, from a blue "Untrusted" key, when I go into
>>> Enigmail's Key Management and set the trust of that key to
>>> Ultimate...
>> Well, ultimate ownertrust is the wrong way. This setting is
>> reserved for your own keys. No wonder you get a green header
>> bar.
>> 
>> What are you trying to achieve?
>> 
> 
> Well, I assume that the majority of people who are using GnuPG are
> using it with Thunderbird/Enigmail.

I'd not sign this statement. A lot of users caring for privacy and
safety won't go for Windows. Thunderbird is not the most popular mail
client on non-Windows computers; there are quite some other mail clients.

> Let's also assume they are not security experts like all you guys
> here on the list and let's also assume they are following popular
> tutorials like the ones from EFF:
> https://ssd.eff.org/en/module/how-use-pgp-windows because they know
> EFF are good people (like you security experts).
> 
> Now here is my thought. Mallory knows very well what I have
> described above, and after he has gained access to my computer he simply
> replaces one of my locally signed pub keys with a fake one where he
> sets owner trust to ultimate. A user as described above would imho
> have a hard time detecting a fake pub key, because Enigmail shows
> a green bar for both keys.

As Robert said: If an attacker gains control over your computer,
you're busted, game over.

> Maybe as an additional security feature Enigmail should give a key
> with a set trust level of "Ultimate" a different color than green.

This would also be the case if the attacker gained access to your
computer.

What you can do: Learn, learn by playing, learn by trying to
understand what others write and by asking questions and become a
reasonable critical user. That's the hard way, but you learn best.
Second possibility would be to have a good experienced friend who
guides you along the way. Third way would be to engage an expert who
maintains your computer.

Ludwig



Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Peter Lebbing
On 12/06/17 20:51, Stefan Claas wrote:
> Maybe as an additional security feature Enigmail should give
> a key with a set trust level of "Ultimate" a different color than
> green.

No, that's beside the point. Once somebody gets your user privileges,
there is no "additional security". It's game over. They could replace
your Enigmail with their Evilmail, which seems like a good name for an
Enigmail edited to show any fingerprint the attacker desires and give it
any colour of the rainbow.

You need to make sure your computer doesn't get hacked by someone who
wants to subvert your use of GnuPG. Luckily, for most of us, we get
hacked to send spam... ;)

(Remember there are two types of companies. Those who know they got
hacked and those who don't know yet that they got hacked.)

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Stefan Claas
On 12.06.17 20:18, Ludwig Hügelschäfer wrote:
> Hi,
>
> On 12.06.17 14:52, Stefan Claas wrote:
>
>> Hi Ludwig,
>>
>> I just checked again. On my Mac and on my Windows Notebook I get a
>> green bar, from a blue "Untrusted" key, when I go into Enigmail's
>> Key Management and set the trust of that key to Ultimate...
> Well, ultimate ownertrust is the wrong way. This setting is reserved
> for your own keys. No wonder you get a green header bar.
>
> What are you trying to achieve? 
>

Well, I assume that the majority of people who are using GnuPG
are using it with Thunderbird/Enigmail. Let's also assume they are
not security experts like all you guys here on the list and let's
also assume they are following popular tutorials like the ones
from EFF: https://ssd.eff.org/en/module/how-use-pgp-windows
because they know EFF are good people (like you security experts).

Now here is my thought. Mallory knows very well what I have
described above, and after he has gained access to my computer he
simply replaces one of my locally signed pub keys with a fake
one where he sets owner trust to ultimate. A user as described
above would imho have a hard time detecting a fake pub key,
because Enigmail shows a green bar for both keys.

Maybe as an additional security feature Enigmail should give
a key with a set trust level of "Ultimate" a different color than
green.

Regards
Stefan






Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Ludwig Hügelschäfer
Hi,

On 12.06.17 14:52, Stefan Claas wrote:

> Hi Ludwig,
> 
> I just checked again. On my Mac and on my Windows Notebook I get a
> green bar, from a blue "Untrusted" key, when I go into Enigmail's
> Key Management and set the trust of that key to Ultimate...

Well, ultimate ownertrust is the wrong way. This setting is reserved
for your own keys. No wonder you get a green header bar.

What are you trying to achieve? I'm getting tons of "UNTRUSTED Good
signature" when reading my mailing lists, e.g. from Peter Lebbing and
a lot of others. That's the way it is, I have to accept this, my
web-of-trust is not so good. I've got a couple of good signatures, though.

One way to improve this situation is to get out, meet people, view
their IDs and receive their fingerprints, verify them and if all is
good, sign their keys.

The other would be to enable TOFU. Can't tell anything about this, I
still have to test.

Best regards

Ludwig





GnuPG card && using the backup secret key

2017-06-12 Thread Matthias Apitz

Please note: I have changed the Subject: of the thread to better match
the real problem.

During generating the keys on the GnuPG card, one can (and should)
create some backup of the secret key into a file. It is totally unclear
to me how to make something useful out of this file, for example import
it into a "normal" secret keyring to use it in case the GnuPG card
gets lost.

I followed some hints of Damien Goutte-Gattat (thanks) and did:

> > First, remove the private key stubs:
> > 
> >$ rm ~/.gnupg/private-keys-v1.d/*.key
> > 
> > Then, import your backup:
> > 
> >$ gpg2 --import backup.gpg
> > 
> > You will then be prompted for the passphrase you choose when the backup 
> > was created.
> 
> I did what you suggested, but:
> 
> $ pwd
> /home/guru/.gnupg-test
> $ rm -f private-keys-v1.d/*.key
> $ GNUPGHOME=/home/guru/.gnupg-test export GNUPGHOME
> $ gpg2 --import sk_61F1ECB625C9A6C3.gpg
> gpg: key 61F1ECB625C9A6C3: no user ID
> gpg: Total number processed: 1
> gpg:   secret keys read: 1
> $ ls -l sk_61F1ECB625C9A6C3.gpg
> -r  1 guru  wheel  1865 May 14 20:29 sk_61F1ECB625C9A6C3.gpg
> 
> the file is what was written as backup on May 14.
> 

With Don Google I found this older thread in this mailing list here:

https://lists.gt.net/gnupg/users/40851

where Werner said after some (today outdated) hints:

«... 
Put a "disable-scdaemon" into gpg-agent.conf, give gpg-agent a HUP and
check that no scdaemon is running anymore (you may just kill it). Then
use "gpg --no-use-agent --edit-key". The command "bkuptocard" may then
be used to store a backup key on a card.

Yes, we really need a howto on recovering smartcard keys. ...»

Was such a howto ever written?

Thanks

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/  ☎ 
+49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub




Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Stefan Claas


On 12.06.17 17:28, Robert J. Hansen wrote:
>> I agree with you and it makes perfect sense, but then it would raise
>> another question. How should an average user of GnuPG, like me,
>> then handle this.
> It cannot be the job of the GnuPG team to teach people how to safely
> administer their operating system.  There are too many operating
> systems, too many different threat models, too many different use cases,
> for anyone to go down that rabbit-hole.
>
> Some generally good advice might include:
>
> - Keep your operating system up to date
> - Disable Flash in your browser
> - Disable Java Web Start in your browser
> - Install ad blocking and tracker blocking plugins into your browser
> - Only run software from trusted sources
> - Only use USB thumb drives with machines you trust
> - Only use USB thumb drives that came from trusted sources
>
Thank you very much for the tip about USB thumb drives!

Regards
Stefan





Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Robert J. Hansen
> I agree with you and it makes perfect sense, but then it would raise
> another question. How should an average user of GnuPG, like me,
> then handle this.

It cannot be the job of the GnuPG team to teach people how to safely
administer their operating system.  There are too many operating
systems, too many different threat models, too many different use cases,
for anyone to go down that rabbit-hole.

Some generally good advice might include:

- Keep your operating system up to date
- Disable Flash in your browser
- Disable Java Web Start in your browser
- Install ad blocking and tracker blocking plugins into your browser
- Only run software from trusted sources
- Only use USB thumb drives with machines you trust
- Only use USB thumb drives that came from trusted sources



Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Robert J. Hansen
> If Mallory somehow got access to my computer and replaced one
> pub key from my communication partners with a fake one and set the
> trust level to Ultimate, how could I detect this, if I'm not always
> looking at the complete fingerprint and comparing it with a separate
> list?

If Mallory can tamper with your keyrings, that's a total game-over
condition.  At that point there are dozens of attacks open to her.  Once
you lose control of your computer, it's all over.



Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Stefan Claas
On 12.06.17 16:31, Peter Lebbing wrote:
> I hadn't gotten round to answer your earlier questions yet, since I
> noticed a point I should first spend some effort and thinking on.
>
> On 12/06/17 16:14, Stefan Claas wrote:
>> And a question for this... If Mallory somehow got
>> access to my computer and replaced one pub key from my
>> communication partners with a fake one and set the trust level to
>> Ultimate, how could I detect this, if I'm not always looking at the
>> complete fingerprint and comparing it with a separate list?
> It is impossible to use any form of cryptography in a secure fashion
> when somebody is in a position to mess with the computer you're using it
> on. Worst is someone with administrator privileges, but somebody with
> the same privileges as you is already more than enough to completely
> subvert your security.
>
> They could alter your search path and put their own binaries in them.
> Any program you launch, be it GnuPG, your e-mail client, your shell, or
> any other program you use, could be replaced by something else. Same for
> your data files, as you point out.
>
> Your user account needs to be secure from evildoers. It depends on your
> threat model how you go about this.

I agree with you and it makes perfect sense, but then it would raise
another question. How should an average user of GnuPG, like me,
then handle this? I mean, what you just said is not mentioned in
GnuPG tutorials, and you can't expect that every GnuPG user is trained
on that subject as well.

Would it then not be good if Enigmail, for the casual user, would
display a different color than green, for the explained scenario?

Regards
Stefan






Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Peter Lebbing
I hadn't gotten round to answer your earlier questions yet, since I
noticed a point I should first spend some effort and thinking on.

On 12/06/17 16:14, Stefan Claas wrote:
> And a question for this... If Mallory somehow got
> access to my computer and replaced one pub key from my
> communication partners with a fake one and set the trust level to
> Ultimate, how could I detect this, if I'm not always looking at the
> complete fingerprint and comparing it with a separate list?

It is impossible to use any form of cryptography in a secure fashion
when somebody is in a position to mess with the computer you're using it
on. Worst is someone with administrator privileges, but somebody with
the same privileges as you is already more than enough to completely
subvert your security.

They could alter your search path and put their own binaries in them.
Any program you launch, be it GnuPG, your e-mail client, your shell, or
any other program you use, could be replaced by something else. Same for
your data files, as you point out.

Your user account needs to be secure from evildoers. It depends on your
threat model how you go about this.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Stefan Claas
On 12.06.17 16:06, Peter Lebbing wrote:
> On 12/06/17 14:52, Stefan Claas wrote:
>> I just checked again. On my Mac and on my Windows Notebook
>> I get a green bar, from a blue "Untrusted" key, when I go into
>> Enigmail's Key Management and set the trust of that key to
>> Ultimate...
> Don't do this! Or did you do it just for testing? "Ultimate" is for your
> own keys. It makes the key itself valid and all keys signed by that key.
> It's the odd one out, as the other trust levels only determine the
> validity of other keys signed by that key but don't affect the key itself.
>
> To make a key valid, sign it with a local signature. Or an exportable
> signature, your choice.
>

I did that for testing! And a question for this... If Mallory somehow got
access to my computer and replaced one pub key from my
communication partners with a fake one and set the trust level to
Ultimate, how could I detect this, if I'm not always looking at the
complete fingerprint and comparing it with a separate list?

Regards
Stefan





Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Peter Lebbing
On 12/06/17 14:52, Stefan Claas wrote:
> I just checked again. On my Mac and on my Windows Notebook
> I get a green bar, from a blue "Untrusted" key, when I go into
> Enigmail's Key Management and set the trust of that key to
> Ultimate...

Don't do this! Or did you do it just for testing? "Ultimate" is for your
own keys. It makes the key itself valid and all keys signed by that key.
It's the odd one out, as the other trust levels only determine the
validity of other keys signed by that key but don't affect the key itself.

To make a key valid, sign it with a local signature. Or an exportable
signature, your choice.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Stefan Claas


On 07.06.17 22:23, Ludwig Hügelschäfer wrote:
> Hi Stefan,
>
> On 06.06.17 22:19, Stefan Claas wrote:
>> On 06.06.17 20:46, Charlie Jonas wrote:
>>> On 2017-06-06 19:12, Stefan Claas wrote:
>>>> I tried also with Enigmail under OS X but when checking the
>>>> signatures here from the list members I always get the blue
>>>> "Untrusted Good Signature".
>>> Yes I get this as well. Interestingly whatever trust level I give
>>> keys, Enigmail on OSX seems to want to make the bar blue
>>> regardless.
>>>
>> Thanks for confirming. Hopefully Ludwig still follows this thread
>> and can tell us why it's not working, as expected.
> It's working as expected. To get a green bar in Enigmails header
> display, the key signing the message has to be at least fully valid. A
> key gets valid if you either:
>
> - sign it (whether local or exportable is not relevant)
>
> or
>
> - it is signed by
>   - at least one key you have signed and you have put "full" ownertrust
> on these
>   - at least three other keys you have signed and you have put
> "marginal" ownertrust on these
>
> This is the behaviour of the "classic" or "PGP" trust model which is
> the default in GnuPG. Enigmail only displays the result.
>
>
Hi Ludwig,

I just checked again. On my Mac and on my Windows Notebook
I get a green bar, from a blue "Untrusted" key, when I go into
Enigmail's Key Management and set the trust of that key to
Ultimate...

Regards
Stefan





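A worked model of the validity rules Ludwig lays out in the quote above, together with Peter's earlier point that "Ultimate" is the odd one out, and the audit Stefan's scenario calls for. This is an added example, not code from any list member, GnuPG or Enigmail: it assumes GnuPG's default completes-needed=1 and marginals-needed=3, ignores chain depth, expiry and revocation, and its fingerprints and `--export-ownertrust` text are constructed.

```python
"""Model of GnuPG's classic ("PGP") trust model as described in the thread,
plus an audit of `gpg --export-ownertrust` output for a planted key that an
attacker marked "ultimate". Added example; assumptions: completes-needed=1,
marginals-needed=3, no depth limit, expiry and revocation ignored."""
from dataclasses import dataclass
from enum import IntEnum


class OwnerTrust(IntEnum):
    # Numeric levels as written by `gpg --export-ownertrust` (assumed mapping).
    UNDEFINED = 2
    NEVER = 3
    MARGINAL = 4
    FULL = 5
    ULTIMATE = 6


@dataclass
class Key:
    fpr: str
    ownertrust: OwnerTrust = OwnerTrust.UNDEFINED
    signed_by: frozenset = frozenset()  # fingerprints of keys that certified it


def valid_keys(keyring, completes_needed=1, marginals_needed=3):
    """Return the set of fully valid fingerprints.

    ULTIMATE ownertrust makes the key itself valid (Peter's "odd one out").
    Any other key becomes valid only through certifications from keys that
    are themselves valid: one signer with FULL (or ULTIMATE) ownertrust, or
    three signers with MARGINAL ownertrust. Iterate to a fixpoint so that
    chains (me -> Carol -> Bob) resolve whatever the keyring order.
    """
    valid = {f for f, k in keyring.items() if k.ownertrust == OwnerTrust.ULTIMATE}
    changed = True
    while changed:
        changed = False
        for fpr, key in keyring.items():
            if fpr in valid:
                continue
            signers = [keyring[s] for s in key.signed_by if s in valid]
            full = sum(1 for s in signers if s.ownertrust >= OwnerTrust.FULL)
            marginal = sum(1 for s in signers if s.ownertrust == OwnerTrust.MARGINAL)
            if full >= completes_needed or marginal >= marginals_needed:
                valid.add(fpr)
                changed = True
    return valid


def header_colour(signer_fpr, valid):
    """Enigmail's bar as the thread describes it: green for a good signature
    from a fully valid key, blue for "UNTRUSTED Good signature"."""
    return "green" if signer_fpr in valid else "blue"


def foreign_ultimate_keys(ownertrust_export, own_fprs):
    """Flag keys marked ULTIMATE that are not your own.

    `ownertrust_export` is the text of `gpg --export-ownertrust`, assumed to
    be one `FINGERPRINT:LEVEL:` line per key plus '#' comment lines.
    """
    flagged = []
    for line in ownertrust_export.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fpr, level = line.split(":")[:2]
        if int(level) == OwnerTrust.ULTIMATE and fpr not in own_fprs:
            flagged.append(fpr)
    return flagged


# Constructed sample keyring; the fingerprints are placeholders, not real keys.
ME, ALICE, BOB, FAKE = "00" * 20, "A1" * 20, "B0" * 20, "FA" * 20
CAROL, DAVE, ERIN = "CA" * 20, "DA" * 20, "EE" * 20

KEYRING = {
    ME: Key(ME, OwnerTrust.ULTIMATE),
    ALICE: Key(ALICE, signed_by=frozenset({ME})),  # I lsigned Alice's key
    CAROL: Key(CAROL, OwnerTrust.MARGINAL, frozenset({ME})),
    DAVE: Key(DAVE, OwnerTrust.MARGINAL, frozenset({ME})),
    ERIN: Key(ERIN, OwnerTrust.MARGINAL, frozenset({ME})),
    BOB: Key(BOB, signed_by=frozenset({CAROL, DAVE, ERIN})),  # three marginals
    # The planted key: nobody certified it, but its ownertrust was set to
    # ULTIMATE, which on its own is enough for a green bar.
    FAKE: Key(FAKE, OwnerTrust.ULTIMATE),
}

# Constructed stand-in for `gpg --export-ownertrust` run on that keyring.
OWNERTRUST_EXPORT = "# List of assigned trustvalues (constructed sample)\n" + "\n".join(
    f"{k.fpr}:{int(k.ownertrust)}:" for k in KEYRING.values()
)

if __name__ == "__main__":
    valid = valid_keys(KEYRING)
    for fpr in (ALICE, BOB, FAKE):
        print(fpr[:8], header_colour(fpr, valid))
    print("ULTIMATE but not mine:",
          [f[:8] for f in foreign_ultimate_keys(OWNERTRUST_EXPORT, {ME})])
```

Setting FULL instead of ULTIMATE on the same uncertified key leaves it invalid, which is the difference Peter describes; the audit is the check a user can run periodically without relying on Enigmail's colours.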


Re: changing the passphrase of the secret key stored in the GnuPG card

2017-06-12 Thread Matthias Apitz
On Monday, June 12, 2017 at 01:28:28 PM +0200, Damien Goutte-Gattat wrote:

> On 06/12/2017 07:31 AM, Matthias Apitz wrote:
> > Now we are on track with my question. The background is/was: what
> > exactly I have to do with this backup key, for example in case the GnuPG
> > card gets lost or stolen?
> 
> You would have to import your backup key into your private keyring using 
> gpg's --import command.
> 
> First, remove the private key stubs:
> 
>$ rm ~/.gnupg/private-keys-v1.d/*.key
> 
> Then, import your backup:
> 
>$ gpg2 --import backup.gpg
> 
> You will then be prompted for the passphrase you choose when the backup 
> was created.

I did what you suggested, but:

$ pwd
/home/guru/.gnupg-test
$ rm -f private-keys-v1.d/*.key
$ GNUPGHOME=/home/guru/.gnupg-test export GNUPGHOME
$ gpg2 --import sk_61F1ECB625C9A6C3.gpg
gpg: key 61F1ECB625C9A6C3: no user ID
gpg: Total number processed: 1
gpg:   secret keys read: 1
$ ls -l sk_61F1ECB625C9A6C3.gpg
-r  1 guru  wheel  1865 May 14 20:29 sk_61F1ECB625C9A6C3.gpg

the file is what was written as backup on May 14.

Any idea what I do wrong?

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/  ☎ 
+49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub




Re: changing the passphrase of the secret key stored in the GnuPG card

2017-06-12 Thread Damien Goutte-Gattat

I forgot an important detail:

On 06/12/2017 01:28 PM, Damien Goutte-Gattat wrote:

> First, remove the private key stubs:
>
>    $ rm ~/.gnupg/private-keys-v1.d/*.key
>

This command will delete *all* your private keys. You should use it "as 
is" only if *all* your private keys are stored on a smartcard.


If you have other private keys in your keyring that are not stored on a 
smartcard, do *not* delete all files in ~/.gnupg/private-keys-v1.d! 
Instead, get the keygrip of each of your card keys


  $ gpg2 --with-keygrip --list-secret-keys

and delete only the corresponding files under ~/.gnupg/private-keys-v1.d.

Damien





Re: changing the passphrase of the secret key stored in the GnuPG card

2017-06-12 Thread Damien Goutte-Gattat

On 06/12/2017 07:31 AM, Matthias Apitz wrote:

> Now we are on track with my question. The background is/was: what
> exactly I have to do with this backup key, for example in case the GnuPG
> card gets lost or stolen?


You would have to import your backup key into your private keyring using 
gpg's --import command.


First, remove the private key stubs:

  $ rm ~/.gnupg/private-keys-v1.d/*.key

Then, import your backup:

  $ gpg2 --import backup.gpg

You will then be prompted for the passphrase you choose when the backup 
was created.


At this point, it's as if you had never used a smartcard.

Once you have a new smartcard to replace your lost one, you may move the 
restored keys to the new smartcard using the keytocard command.


(Note that depending on what happened to your original card, you may 
prefer to *revoke* those keys and generate new keys.)




> How can I simulate this and check if the passphrase works correctly?


Copy your current .gnupg directory to a temporary GNUPGHOME:

  $ cp -r .gnupg ~/testbackup
  $ export GNUPGHOME=~/testbackup

Then you can test the above procedure:

- Remove the key stubs:

  $ rm ~/testbackup/private-keys-v1.d/*.key

- Import your backup:

  $ gpg2 --import backup.gpg

At this point, you will know if the passphrase works correctly.

And if you want to change the passphrase of your backup:

  $ gpg2 --edit-key Matthias passwd
  $ gpg2 -o backup-with-new-password.gpg --export-secret-keys

Once you are satisfied, you can wipe the testbackup directory out.

Hope that helps,

Damien



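To apply Damien's warning from his follow-up (remove only the stub files of keys that actually live on the card, found via their keygrips) without copying keygrips by hand, here is an added example; it is not code from Damien or from GnuPG. It assumes the `--with-colons` field layout documented in GnuPG's doc/DETAILS, and the listing it parses is constructed, with placeholder key IDs, keygrips and card serial number.

```python
"""Select only the private-key stub files that belong to smartcard keys, so
that the restore procedure above (delete stubs, then `gpg2 --import
backup.gpg`) does not also delete private keys that were never on a card.

Input is the machine-readable listing from
    gpg2 --with-colons --with-keygrip --list-secret-keys
Field layout per GnuPG's doc/DETAILS: field 1 is the record type; field 15
of a sec/ssb record holds the token serial number when the secret key lives
on a card ("+" means the key is on disk, "#" a stub with no secret key);
the keygrip is field 10 of the "grp" record that follows the key record.
"""
import os


def card_keygrips(listing):
    """Yield (keygrip, serial) for every sec/ssb record stored on a token."""
    serial = None
    for line in listing.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype in ("sec", "ssb"):
            token = fields[14] if len(fields) > 14 else ""
            serial = token if token not in ("", "+", "#") else None
        elif rtype == "grp" and serial is not None:
            yield fields[9], serial
            serial = None  # consumed; later grp records belong to other keys


def card_key_stub_paths(gnupghome, listing):
    """Stub files that may be removed before importing the card backup.
    Nothing is deleted here: review the list, then remove only those files."""
    stub_dir = os.path.join(gnupghome, "private-keys-v1.d")
    return [os.path.join(stub_dir, grip + ".key") for grip, _ in card_keygrips(listing)]


# Constructed sample listing: an on-disk key pair followed by a key pair whose
# secret parts live on a card. Key IDs, keygrips and the serial are placeholders.
SAMPLE_LISTING = """\
sec:u:2048:1:0123456789ABCDEF:1496700000:::u:::scESC:::+:::23::0:
grp:::::::::1111111111111111111111111111111111111111:
uid:u::::1496700000::0000::On Disk <disk@example.invalid>::::::::::0:
ssb:u:2048:1:FEDCBA9876543210:1496700000::::::e:::+:::23:
grp:::::::::2222222222222222222222222222222222222222:
sec:u:2048:1:1111222233334444:1496800000:::u:::scESC:::D27600012401020000050000AAAA0000:::23::0:
grp:::::::::3333333333333333333333333333333333333333:
uid:u::::1496800000::0000::On Card <card@example.invalid>::::::::::0:
ssb:u:2048:1:5555666677778888:1496800000::::::e:::D27600012401020000050000AAAA0000:::23:
grp:::::::::4444444444444444444444444444444444444444:
"""

if __name__ == "__main__":
    home = os.environ.get("GNUPGHOME", os.path.expanduser("~/.gnupg"))
    for path in card_key_stub_paths(home, SAMPLE_LISTING):
        print(path)
```

Run it against the real listing (`gpg2 --with-colons --with-keygrip --list-secret-keys` piped into `card_keygrips`) inside the temporary GNUPGHOME Damien suggests, and the two on-disk stubs in the sample are correctly left alone.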


Re: setting GnuPG card to 'not forces' does not let sign

2017-06-12 Thread Werner Koch
On Mon, 12 Jun 2017 12:38, g...@unixarea.de said:

> Do you know of any other CCID reader for ID-000 size cards?

I have a sample of the Gemalto Shell Token here.  It has been around for
quite some time and the kernelconcept folks say that it works nicely.  See

  https://www.floss-shop.de/en/security-privacy/

On that page you also find the slightly more expensive uTrust token which
would be my preferred choice. I used it for many years until it broke due
to my fault.  In fact I recycled the case for my gnuk token.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.




Re: setting GnuPG card to 'not forces' does not let sign

2017-06-12 Thread Matthias Apitz
On Sunday, June 11, 2017 at 08:59:37 PM +0200, Werner Koch wrote:

> On Fri,  9 Jun 2017 08:39, g...@unixarea.de said:
> 
> > I know, this is not a GnuPG issue, but I wanted to mention it here to
> > ask if others have similar experiences, even on Linux or other OS, or if
> > it is worth getting a new OMNIKEY device or even another device.
> 
> You better avoid everything with an Omnikey chip in it.  I had only
> trouble with it and they never responded to questions.  Well, it works
> on Windows because they fix their hardware with their Windows driver.

Do you know of any other CCID reader for ID-000 size cards?

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/  ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub




RE: GPG4Win Advice

2017-06-12 Thread Ian A Morris
Hi Peter,

Thank you very much for your email. It has answered a lot of the queries I had.
Going forward, I think I may be able to wrap this all up in a PowerShell script
to enable the removal of the original files and the required error checking.
Most likely I will create a temp csv from the contents of the folder, process
each file, check that there is a .txt and an .asc of each file present and then
move the .asc files to the required outbound folder and then move the
unencrypted file to an archive on a separate fileserver. I can move forward
with this because of your email.

Many Thanks for your assistance

Kind Regards

Ian A Morris
IT Consultant
Bimshire Consultancy Ltd
Mobile   : +44 (0)7958 216696
Email   :  ian.mor...@bimshireconsultancy.co.uk
Website : www.BimshireConsultancy.co.uk
 

-Original Message-
From: Peter Lebbing [mailto:pe...@digitalbrains.com] 
Sent: 11 June 2017 20:53
To: Ian A Morris; gnupg-users@gnupg.org
Cc: Ian A Morris
Subject: Re: GPG4Win Advice

On 08/06/17 16:39, Ian A Morris wrote:
> When using the GUI there are options for the following, “Remove 
> unencrypted original file when don”

This is an extra convenience added by the GUI program. It is not in the command 
line interface.

> Gpg2 –batch –recipient /x / –encrypt-files –armor 
> C:\Location\*.txt

The simplest way is to follow this by
> del C:\Location\*.txt

but this introduces a race condition. So it's probably better to do something 
like

for x in C:\Location\*.txt
gpg2 ... --encrypt $x
del $x
next

However, it's been many years since I last did anything with MS-DOS/Windows 
batch files and I don't have the correct syntax ready. It needs to bail out 
when gpg2 errors, but that is way beyond my limited recollection of batch files.

Oh, and when building a gpg command line, you're supposed to put options before 
the command. However, it does try to cope with people putting options after the 
command. (And in the quote above, my e-mail client ended up putting an en-dash 
where there should be two ascii dashes, which kinda spoils the didactic value.) 
I'd suggest the following command line:

> gpg2 --batch --recipient XX --armour --encrypt-files C:\Location\*.txt

I see you're mailing from a .UK address, so I thought I could point out armour 
can be spelled with British spelling as well :-). --armor works just as well.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 
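
Peter's per-file loop written out in PowerShell (the language Ian says he plans to use), as an added example that is not code from either of them: every file is encrypted with the options placed before the command, the plaintext is moved out of the inbound folder only after gpg2 returned 0 and an armored message really exists, and any failure leaves both files where they are so no plaintext is lost. The folder names and the recipient key ID are placeholders, and gpg2 is assumed to be on PATH.

```powershell
# Added example, not from the thread: encrypt each .txt in an inbound
# folder and archive the original only after that file's encryption
# succeeded. Paths and the recipient key ID below are placeholders.
param(
    [string]$Inbound   = 'C:\Location',            # placeholder
    [string]$Outbound  = 'C:\Outbound',            # placeholder
    [string]$Archive   = '\\fileserver\archive',   # placeholder
    [string]$Recipient = '0xDEADBEEFDEADBEEF'      # placeholder key ID
)

function Invoke-EncryptAndArchive {
    param([IO.FileInfo]$File)

    $asc = Join-Path $File.DirectoryName ($File.Name + '.asc')

    # Options first, then the command. --batch suppresses prompts; --yes
    # overwrites a stale .asc left behind by an earlier failed run.
    & gpg2 --batch --yes --recipient $Recipient --armor `
           --output $asc --encrypt $File.FullName
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "gpg2 exited $LASTEXITCODE for $($File.Name); leaving it in place"
        return $false
    }

    # Sanity check: the .asc must exist and actually hold a PGP message.
    if (-not (Test-Path -LiteralPath $asc) -or
        -not (Select-String -Path $asc -Pattern '^-----BEGIN PGP MESSAGE-----' -Quiet)) {
        Write-Warning "no usable ciphertext for $($File.Name); leaving it in place"
        return $false
    }

    # Only now is it safe to move the plaintext out of the inbound folder.
    try {
        Move-Item -LiteralPath $asc -Destination (Join-Path $Outbound (Split-Path $asc -Leaf)) -ErrorAction Stop
        Move-Item -LiteralPath $File.FullName -Destination (Join-Path $Archive $File.Name) -ErrorAction Stop
    } catch {
        Write-Warning "move failed for $($File.Name): $_"
        return $false
    }
    return $true
}

$ok = 0; $failed = 0
foreach ($f in Get-ChildItem -LiteralPath $Inbound -Filter '*.txt' -File) {
    if (Invoke-EncryptAndArchive -File $f) { $ok++ } else { $failed++ }
}
Write-Host "encrypted and archived: $ok, left in place: $failed"
if ($failed -gt 0) { exit 1 }
```

Because --batch suppresses prompts, the recipient's key must already be valid in the keyring (signed with your own key or given enough ownertrust); otherwise gpg2 refuses to encrypt, exits non-zero, and the script leaves that file unencrypted in the inbound folder and reports it, which is the safe outcome.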


