Exporting/ importing changes expiration date of subkeys...

2018-11-13 Thread gnupgpacker
Hello,

importing to R2mail2 is working *without* changing expiration dates, if key
is exported from GnuPG-2.1.11...

"Converting-way":
Export GnuPG-1.4.23(GPGkeys/Win7) > Import GnuPG-2.1.11(Win7) > Export
GnuPG-2.1.11(Win7) > Import R2mail2(Android-8.1) > works faultless

>> Exporting (older) RSA keys should be independent from GnuPG version 1.4x
>> or 2.2x, isn't it?
> For each import/export operation you're asking about (both successes and
> failures), could you give the following information clearly:
>  * Are you exporting secret keys?
>    or exporting public keys?
RSA-4096 keypair secret + public
(1 main key C, 3 subkeys for S/A/E)

>  * where were the secret keys originally created? (on what program does
>    the original export happen?)
GPGkeys with GnuPG-1.4.23(Win7)

>  * which program is doing the import?
R2mail2(Android-8.1)

>  * does the program doing the import modify the OpenPGP certificate in
>    any way?
It seems to modify expiration date...

> it is not normal for the primary key to be marked as
> authentication-capable ("A").  If you have a tool that is doing that,
> please report back what tool that is, on what platform and what version!

Keys with this structure are created with GPGkeys (part of GPGshell for
Windows v3.78) and GnuPG-1.4.23, all included in Sebastian's GnuPG-Pack.
http://www.rose-indorf.de/gnupgpack/ 

Example:
Geheimer Schlüssel ist vorhanden.
pub  4096R/C02860E1  erzeugt: 2018-11-13  verfällt: niemals Aufruf: SCA
 Vertrauen: uneingeschränkt Gültigkeit: uneingeschränkt
sub  4096R/37488B7B  erzeugt: 2018-11-13  verfällt: niemals Aufruf: E
[ uneing.] (1). test 
gpg>

In my lightweight opinion there must be issues while creating (SCA) and
exporting (date) those keys with GPGkeys/GnuPG-1.4.23(Win7)!?

Maybe time to change GnuPG setup to newer versions 2.1x or 2.2x...
But GPGrelay is needed...

Thanks for help and the constructive hint for exporting with GnuPG-2.x.
Pictures will be included in posts in the future :)

Best regards, Chris


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


WoT question - policy

2018-11-13 Thread Stefan Claas
Hi all,

i thought about creating a key certification policy, for my key,
and like to know your opinions. 



I have read in the past several policies, but i like to avoid
id-card / online video/chat etc. because i am not able
to distinguish between a real or a fake id, when doing so.

Therefore i thought to use a postcard/letter method.

Any critics are very welcome!

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas




Re: WoT question - policy

2018-11-13 Thread Wiktor Kwapisiewicz via Gnupg-users
On 13.11.2018 17:54, Stefan Claas wrote:
> Hi all,
> 
> i thought about creating a key certification policy, for my key,
> and like to know your opinions. 
> 
> 
> 
> I have read in the past several policies, but i like to avoid
> id-card / online video/chat etc. because i am not able
> to distinguish between a real or a fake id, when doing so.
> 
> Therefore i thought to use a postcard/letter method.
> 
> Any critics are very welcome!

Sounds interesting, would the post office check the ID of the person claiming
the letter?

It reminds me of someone's method that utilized small bank transfers (I can't
find the source though :( ).

Why not issue generic certifications instead of sig2 and sig3? There are some
arguments against them: https://debian-administration.org/users/dkg/weblog/98

Kind regards,
Wiktor

-- 
https://metacode.biz/@wiktor



Re: WoT question - policy

2018-11-13 Thread Stefan Claas
On Tue, 13 Nov 2018 21:39:18 +0100, Wiktor Kwapisiewicz wrote:
> On 13.11.2018 17:54, Stefan Claas wrote:
> > Hi all,
> > 
> > i thought about creating a key certification policy, for my key,
> > and like to know your opinions. 
> > 
> > 
> > 
> > I have read in the past several policies, but i like to avoid
> > id-card / online video/chat etc. because i am not able
> > to distinguish between a real or a fake id, when doing so.
> > 
> > Therefore i thought to use a postcard/letter method.
> > 
> > Any critics are very welcome!  
> 
> Sounds interesting, would the post office check the ID of the person
> claiming the letter?

Well, i assume that the good old postman, delivering mail to your house,
is still around... :-) If i would send as some form of a registered
letter then i would say yes.
 
> It reminds me of someone's method that utilized small bank transfers
> (I can't find the source though :( ).

I also thought about PayPal etc., but decided against it after receiving
advice.
 
> Why not issue generic certifications instead of sig2 and sig3? There
> are some arguments against them:
> https://debian-administration.org/users/dkg/weblog/98

Yes, i remember this blog post and thought about this as well.

I like to point out that i remember RSA encryption, before PGP was
available and there was no WoT, so only people who knew each other
communicated that way.

When i first learned about PGP in 94/95 i also thought why should
people sign each other's key for a WoT and why do we need a global WoT
and what is it good for.

With my humble approach i like to be honest, in that form, that i did
my best for certifying someone's key which might be useful for someone
else, entering the WoT, without letting third parties know that i know
a person personally, or have a longtime online friendship etc. or that i
belong to a certain group of people.

With the postal approach the requester does not need to send his
address in encrypted form in case my computer would be compromised.
When someone requests a signature i don't keep records on my computer
later. I only keep the postcard as souvenir.

With the sig0 approach i have the following problem: I could create
a couple of fake keybase accounts, for example, give each other
a sig0 and then what is this good for if i follow the advice from
the blog and what trust should a third party gain from this many sig0
on such a key? 

Regards
Stefan


-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas




Re: Exporting/ importing changes expiration date of subkeys...

2018-11-13 Thread Daniel Kahn Gillmor
On Tue 2018-11-13 09:15:46 +0100, gnupgpacker wrote:
> Hello,
>
> importing to R2mail2 is working *without* changing expiration dates, if key
> is exported from GnuPG-2.1.11...
>
> "Converting-way":
> Export GnuPG-1.4.23(GPGkeys/Win7) > Import GnuPG-2.1.11(Win7) > Export
> GnuPG-2.1.11(Win7) > Import R2mail2(Android-8.1) > works faultless
>
>>> Exporting (older) RSA keys should be independent from GnuPG version 1.4x
>>> or 2.2x, isn't it?
>> For each import/export operation you're asking about (both successes and
>> failures), could you give the following information clearly:
>>  * Are you exporting secret keys?
>>    or exporting public keys?
> RSA-4096 keypair secret + public
> (1 main key C, 3 subkeys for S/A/E)
>
>>  * where were the secret keys originally created? (on what program does
>>    the original export happen?)
> GPGkeys with GnuPG-1.4.23(Win7)
>
>>  * which program is doing the import?
> R2mail2(Android-8.1)
>
>>  * does the program doing the import modify the OpenPGP certificate in
>>    any way?
> It seems to modify expiration date...

have you reached out to the r2mail2 author about this?  it sounds to me
like it's possible that gpg 1.4 is exporting multiple binding signatures
per subkey, and r2mail2 is only seeing one of them (or something like
that).

does the same thing happen if you export public key material, without
the secret key material?  If it does, that might be easier to debug,
because you should be able to send just the public key material to
someone else who can help debug (i'd understand you being unwilling to
send the secret key to someone else).

I've cc'ed Stefan from r2mail2 here, in the hopes that he can take a
look.

>> it is not normal for the primary key to be marked as
>> authentication-capable ("A").  If you have a tool that is doing that,
>> please report back what tool that is, on what platform and what version!
>
> Keys with this structure are created with GPGkeys (part of GPGshell for
> Windows v3.78) and GnuPG-1.4.23, all included in Sebastian's GnuPG-Pack.
> http://www.rose-indorf.de/gnupgpack/ 

This sounds like a bug in gnupgpack, but i don't see a good way to
report bugs at the URL above.  I would generally not recommend such a
configuration.


> In my lightweight opinion there must be issues while creating (SCA) and
> exporting (date) those keys with GPGkeys/GnuPG-1.4.23(Win7)!?

well, you said that they imported correctly into other programs, right?
so maybe the issue is at the intersection of r2mail2 and classic GnuPG.

> Maybe time to change GnuPG setup to newer versions 2.1x or 2.2x...
> But GPGrelay is needed...

GPGrelay should really upgrade to the modern GnuPG suite.  Maybe as a
user you can ask the author what's blocking them from upgrading?

--dkg
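
The hypothesis in the message above (several binding signatures per subkey, with the importer reading only one of them), as an added illustration that is not part of the original thread and not code from GnuPG or R2mail2: a minimal RFC 4880 packet walker run over a constructed key fragment. The sample bytes and the "first"/"newest" policy names are assumptions made for the example; the thread does not confirm that this is the actual cause.

```python
import struct

def _length(buf, i):
    """Decode a new-format packet/subpacket length: (length, next index)."""
    if buf[i] < 192:
        return buf[i], i + 1
    if buf[i] < 255:  # two-octet form; partial body lengths not handled
        return ((buf[i] - 192) << 8) + buf[i + 1] + 192, i + 2
    return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5

def packets(data):
    """Yield (tag, body) per packet, old or new header format (RFC 4880, 4.2)."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if hdr & 0x40:
            tag, (n, i) = hdr & 0x3F, _length(data, i)
        else:  # old format: 1, 2 or 4 length octets (indeterminate not handled)
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            n, i = int.from_bytes(data[i:i + size], "big"), i + size
        yield tag, data[i:i + n]
        i += n

def binding_sig(body):
    """(created, key expiry offset) of a v4 subkey binding signature, else None."""
    if body[:2] != b"\x04\x18":
        return None
    i, end, found = 6, 6 + int.from_bytes(body[4:6], "big"), {}
    while i < end:  # hashed subpackets: length, type, data
        n, i = _length(body, i)
        found[body[i] & 0x7F] = int.from_bytes(body[i + 1:i + n], "big")
        i += n
    return found.get(2, 0), found.get(9, 0)  # type 2: created, type 9: key expiry

def subkey_expiry(data, policy):
    """Expiry offset in seconds (0 = never) per subkey; signatures NOT verified."""
    groups = []
    for tag, body in packets(data):
        if tag in (7, 14):  # secret or public subkey starts a new group
            groups.append([])
        elif tag == 2 and groups and (sig := binding_sig(body)):
            groups[-1].append(sig)
    pick = max if policy == "newest" else (lambda g: g[0])
    return [pick(g)[1] for g in groups if g]

# Constructed sample: truncated packets, no key material, no valid signatures.
SAMPLE = bytes.fromhex(
    "b806 04 5bea1400 01"                                     # public subkey
    "8816 04180108 000c 05025bea1400 050903c26700 0000 0000"  # older binding, 730 days
    "8810 04180108 0006 05025beb6580 0000 0000")              # newer binding, no expiry
```

On the sample, an importer that stops at the first binding signature reports a 730-day expiry, while one that takes the newest reports none. A real importer must also verify each binding signature before using it, which this walker does not do.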




Exporting/ importing changes expiration date of subkeys...

2018-11-13 Thread gnupgpacker
Hello,

> well, you said that they imported correctly into other programs, right?
> so maybe the issue is at the intersection of r2mail2 and classic GnuPG.

Yes, same opinion...


> This sounds like a bug in gnupgpack, but i don't see a good way 
> to report bugs at the URL above.

In "Impressum" an email address is provided, I did contact Sebastian by
myself...
www.rose-indorf.de/gnupgpack/home.html#8 


> GPGrelay should really upgrade to the modern GnuPG suite.  Maybe as a
> user you can ask the author what's blocking them from upgrading?

Did try it several times, but no response. Development seems to be stopped
since 2005...
https://sourceforge.net/projects/gpgrelay/files/ 

Thx + regards!

