Re: Upload key to WKD from command line?
Thank you very much. That answered all my questions.

Werner Koch wrote on 14.02.19 21:05:

> > gpg-wks-client: Warning: policy requires 'mailbox-only' - adding user
> > id 'wolfgang.tray...@posteo.de'
>
> > Or do I even need my secret primary key?
>
> Right. The primary key is required to create a new user id. gpg tries
> to be helpful there but it can't work for high security environments
> with an offline primary key. I would suggest that you create a second
> user id with just the mail address on your other box with the primary
> key. Then gpg-wks-client has no need to create it of its own.
>
> Salam-Shalom,
>
> Werner
>
> --
> Thoughts are free. Exceptions are regulated by a federal law.

signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Upload key to WKD from command line?
> gpg-wks-client: Warning: policy requires 'mailbox-only' - adding user
> id 'wolfgang.tray...@posteo.de'

> Or do I even need my secret primary key?

Right. The primary key is required to create a new user id. gpg tries
to be helpful there but it can't work for high security environments
with an offline primary key. I would suggest that you create a second
user id with just the mail address on your other box with the primary
key. Then gpg-wks-client has no need to create it of its own.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: Problem with generating Brainpool P-512
On Thu, 14 Feb 2019 10:52, m...@mailbox.org said:

> you should add it in the man page, because it's a FAQ:
> cert-digest-algo !< SHA512 in gpg.conf for ECC >= 512-bit

Sorry, I can't parse that. Please also note that --cert-digest-algo
should not be used because it violates the OpenPGP preference system.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: Problem with generating Brainpool P-512
Hi Werner,

>> gpg-agent[pid]: a 256 bit hash is not valid for a 512 bit ECC key
>> gpg-agent[pid]:command 'PKSIGN' failed: Invalid length
>
> Please provide more information: GnuPG version, OS, and command uses
> to create the key.

you should add it in the man page, because it's a FAQ:
cert-digest-algo !< SHA512 in gpg.conf for ECC >= 512-bit

--
mlnl
Re: The "advanced" URL of openpgp-webkey-service-07, and l=
On Tue 12/Feb/2019 19:36:12 +0100 Werner Koch wrote:
> On Mon, 11 Feb 2019 14:04, ves...@tana.it said:
>
>> WELLKNOWN :=
>> https://openpgpkey.example.org/.well-known/example.org/openpgpkey
>>
>> doesn't seem to make much sense to me. I tried it with posteo.de, and got:
>
> The two parts were accidentally swapped in the I-D. It has been corrected
> in the repo. See
> https://dev.gnupg.org/rD733acdda1a440ca38df4aa22711459af7c25cd2d

Oh, ok, that makes some more sense. If example.org is a single domain,
it is probably convenient to alias both /.well-known/openpgpkey/example.org
and /.well-known/openpgpkey/ to the same directory where keys are stored.
That way it also stays compatible with previous versions of this protocol.

>> I'm unable to get the "flexibility in setting up the Web Key Directory
>> in environments where more than one mail domain is hosted". Say I
>> host A.example and B.example. Then I need to set up both subdomains
>> openpgpkey.A.example and openpgpkey.B.example. Internally, they can
>
> You redirect the host openpgpkey.example.com and openpgpkey.example.org
> to, say, webkeys.example.com but keep the path to avoid CSRF. Then you
> can install gpg-wks-server on the webkeys.example.com host using its
> default layout with a directory for each domain. It is really
> convenient, because it requires less configuration.

I have not installed gpg-wks-server, but it seems to be primarily
concerned with automating key installation, not plain key retrieval. To
simply retrieve a key is not a transaction, so there should be no worry
of CSRF. If the domain is missing, as in the "direct" method, an
appropriate URL rewriting rule can easily recover it from the HTTP_HOST
server variable. I'm not clear if that may be an urlencoded IDN rather
than an A-label. The domain name can also be recovered from the SNI (an
A-label, according to rfc6066).

BTW, the revised reason to suppress SRV records sounds paranoid, given
that (e.g. in the case of DNS poisoning) a subdomain under an attacker's
control still has to provide a valid domain certificate. At any rate,
using "wkd" rather than "openpgpkey" as a subdomain label would have
leveraged the previous version's recommendation.

>> What if they don't match? To urlencode the local part might have been
>> easier than Z-encoding its SHA1, but what's the point of doing both?
>
> Percent-encoding does not allow to store it as plain text files because
> '/' does not need to be percent encoded and the entire length of the
> filename might get too long without using a hash.

According to rfc5321, the maximum total length of a user name or other
local-part is 64 octets. However, yes, slashes may entail hairy
scripting by those providers who allow funny characters in their email
addresses.

> The l= parameter has been added as an alternative way for looking up the
> key for those platforms which already employ databases or such and don't
> want to store extra data like a hash.

Indeed, those hashes are difficult. However, after one learns how to do
them, they're quite handy. Having alternative ways to retrieve
(alternative?) keys sounds strange.

Thank you for your attention
Best
Ale
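The hashed local-part and the l= parameter discussed in the exchange above, worked through as an added Python example (it is not code from the thread, from the I-D, or from GnuPG): it maps the ASCII uppercase letters of the local-part to lowercase, SHA-1 hashes it, z-base-32 encodes the 160-bit digest, and builds both the "advanced" and the "direct" WKD URLs for an address. The z-base-32 alphabet and the URL layout are as I read the draft; the addresses Joe.Doe@Example.ORG and a/b@example.org are constructed sample input, the second one chosen to show that a slash in the local-part never reaches the hu/ filename, only the percent-encoded l= parameter.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet used by WKD for the hashed local-part (as I read the I-D)
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5-bit groups, most significant bit first,
    right-padded with zero bits, and no '=' padding characters."""
    nbits = len(data) * 8
    pad = (-nbits) % 5                      # zero bits appended on the right
    value = int.from_bytes(data, "big") << pad
    nchars = (nbits + pad) // 5
    return "".join(
        ZBASE32_ALPHABET[(value >> (5 * i)) & 0x1F]
        for i in range(nchars - 1, -1, -1)  # emit the top group first
    )


def wkd_hash(local_part: str) -> str:
    """Map ASCII A-Z of the local-part to a-z, SHA-1 it, z-base-32 encode.
    A 160-bit digest always yields exactly 32 characters, so the directory
    entry under hu/ has a fixed, filesystem-safe name whatever the mailbox is."""
    mapped = "".join(c.lower() if "A" <= c <= "Z" else c for c in local_part)
    digest = hashlib.sha1(mapped.encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Return the hash plus the 'advanced' and 'direct' WKD URLs for an address.
    The l= query parameter carries the local-part as given, percent-encoded."""
    local_part, _, domain = address.rpartition("@")
    if not local_part or not domain:
        raise ValueError(f"not a mailbox address: {address!r}")
    domain = domain.lower()
    h = wkd_hash(local_part)
    l_param = quote(local_part, safe="")    # safe="" also encodes '/'
    return {
        "hash": h,
        "advanced": (f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                     f"{domain}/hu/{h}?l={l_param}"),
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l_param}",
    }


if __name__ == "__main__":
    # constructed sample addresses, not taken from the thread
    for addr in ("Joe.Doe@Example.ORG", "a/b@example.org"):
        for kind, value in wkd_urls(addr).items():
            print(f"{addr}  {kind}: {value}")
```

A server that stores keys as plain files only ever needs the 32-character hash as the filename; a server backed by a database can ignore the hash and look the key up by the l= value instead, which is the alternative Werner describes. Either way the lowercase mapping applies only to the hashed form, so Joe.Doe and joe.doe share one hu/ entry while l= still shows the address as the client typed it.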
Re: Upload key to WKD from command line?
Thank you very much for pointing to gpg-wks-client.

Werner Koch wrote on 14.02.19 08:01:
> To create a publishing request use
>
> gpg-wks-client --create --send FINGERPRINT USERID

I receive the following error (with or without `--send`):

$ /lib/gnupg/gpg-wks-client --create A8FC7FEC9A68B5E0EFA25E474521F618BBEA93C8 wolfgang.tray...@posteo.de
gpg-wks-client: submitting request to 'k...@posteo.de'
gpg-wks-client: no confirmation required for 'wolfgang.tray...@posteo.de'
gpg-wks-client: Warning: policy requires 'mailbox-only' - adding user id 'wolfgang.tray...@posteo.de'
gpg-wks-client: gpg: key "A8FC7FEC9A68B5E0EFA25E474521F618BBEA93C8" not found: No secret key
gpg-wks-client: error running '/usr/bin/gpg': exit status 2
gpg-wks-client: adding user id failed: General error
gpg-wks-client: creating request failed: General error

I have my secret subkeys on a smartcard (unlocked when issuing the
command). Could that be the issue? Or do I even need my secret primary
key?

My GnuPG version: 2.2.13