Re: 1024 key with large sub key

2017-10-04 Thread Robert J. Hansen 
> Are those the only two in GnuPG you don't see a need for?  What
> algorithms do you prefer?

I know this wasn't addressed to me, but what the heck.  I won't share my
preferences, but this is some modestly-accurate history.

Way back when, DSA and Elgamal had to be the defaults in OpenPGP because
RSA Data Security held the patent on the RSA algorithm, whereas DSA and
Elgamal were patent-free.  That patent was relinquished in September of
2000.

Twofish became part of the suite of ciphers with PGP 7, and GnuPG had to
support it because PGP 7 made it their default.  In PGP 7.1 they
switched to AES (which had just been released) but left Twofish in
because Twofish had Schneier cachet.  This is also probably why Blowfish
is still an approved algorithm.  IDEA continued to be supported almost
entirely for backwards compatibility with PGP 2.6; it has not held up at
all well, and is probably the weakest cipher in the suite.

(I have heard it said Blowfish was introduced to the spec as a fallback
in case CAST5 turned out to have flaws.  Given how similar CAST5 and
Blowfish are, design-wise, if this is true I think it was terrible
reasoning.)

So right there, you can see that DSA, Elgamal, Twofish, and Blowfish,
all exist in the spec for non-engineering reasons: patent infringement,
fame of designer, backwards compatibility, etc.

I won't bore you with my list of preferred algos, though.  :)

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

auto-key-retrieve usefulness/annoyance

2017-10-04 Thread Teemu Likonen 
A three-part recipe for small annoyance:

 1. "auto-key-retrieve" in gpg.conf
 2. Automatic signature verification in email client.
 3. The email I'm about to read was signed by a key that's not on
keyservers.

The result: There's a delay of several seconds every time I open the
message and in the end my email client (Gnus) says:

[[PGP Signed Part:No public key for B47D162E09E21476 created at
2017-10-04T11:13:25+0300 using RSA]]

:-)

-- 
/// Teemu Likonen   - .-..    //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: 1024 key with large sub key

2017-10-04 Thread Whitey 
Werner Koch wrote:
> Please not again.  That whole largeRSA key mess was a compromise to
> silence a very few individuals who had, well, interesting ideas on
> required key sizes.  Sometimes it is easier to add an option than to
> spend hours on discussing their non-need.  It is kind of similar to
> Camellia or Brainpool - I don't see a reason for those alsorithms but if
> they are needed for policy or political reasons, let's add them and
> forget about it.

Are those the only two in GnuPG you don't see a need for?  What
algorithms do you prefer?

-- 
Whitey

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Smartcard not seen when reinserted

2017-10-04 Thread Franck Routier 
Le 02/10/2017 à 16:37, Matthias Apitz a écrit :
> El día lunes, octubre 02, 2017 a las 01:35:16p. m. +0200, Franck Routier 
> escribió:
>
>> My problem, in addition to the pin being cached "forever" (as long as
>> the card is inserted, with no time limit), is that when I remove and
>> reinsert the card, it is not recognized unless I restart gpg-agent.
>>
>> So here is what happens:
>>
>> card inserted
>> pam_poldi.so called (sudo)   --> PIN requested
>> pam_poldi.so called (sudo)   --> no PIN requested 
>> pam_poldi.so called (sudo)   --> no PIN requested
>> card removed (I don't like to let my card inserted, with no PIN
>> validation needed !)
>> card inserted--> card not seen (card error,
>> OpenPGP card unavailable)
>> gpgconf --kill gpg-agent   --> card seen
>> pam_poldi.so called (sudo)   --> PIN requested
>> pam_poldi.so called (sudo)   --> no PIN requested 
>> etc...
>>
>> Hence my questions:
>> 1) can I force PIN for authentication each time I use it (it seems that
>> the forcesig option is for signature only, not for authentication)
>> 2) what can I do to have my card recognized on reinsert, without
>> ressorting to killing gpg-agent
>> --> probably with some scd-event magic that's beyond my know-how for
>> now...
> I'm using the attach 'scd-event' script to lock my display on card
> removal and to unlock it on card-insert. The real work in the script is
> at line 107++
>
> Maybe it can serve you a bit.
>
>   matthias
Thanks Matthias for the input. I couldn't make the 'remove card' event
trigger anything... (with NOCARD status).
After browsing the internet a bit more, I finally tried to install pcscd
and tell scdaemon not to use its internal CCID implementation, and this
worked...
It also solves my other problem (IPN code being cached "forever"), as I
suppose pcscd reinitializes the card state after so time.

So this is solved for, by using pcscd.

Thanks again,
Franck



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users