Re: add-photo continued ...

2020-01-04 Thread Stefan Claas via Gnupg-users
Stefan Claas via Gnupg-users wrote:

> Stefan Claas via Gnupg-users wrote:
> 
> > raf via Gnupg-users wrote:
> > 
> > > Stefan Claas via Gnupg-users wrote:
> > > 
> > > > Hi all,
> > > > 
> > > > some of you may remember the add-photo thread we had a while ago
> > > > and I wondered why the max image size for a UAT packet is 16 MB.
> > > > 
> > > > Recently I saw a Twitter post explaining that a .jpeg image header
> > > > can contain 16 MB of data.
> > > 
> > > That's just decadence. :-)
> > > Just because it can, doesn't mean it should.
> > > 16MB is plenty. Use tinypng.com.
> > 
> > Well, at least people can use this technique to fire up important
> > documents, which should be preserved for the next generations,
> > since SKS is censor resistant and the Ubuntu keyserver allows
> > easy retrieval of documents ...
> > 
> > BTW, I just found the author's link on Twitter as well.
> > 
> > https://twitter.com/David3141593/status/1057042085029822464
> 
> In case people here haven't seen it yet.
> 
> 

https://github.com/hockeypuck/hockeypuck/issues/68

Regards
Stefan

-- 
NaClbox: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
certified OpenPGP key blocks available on keybase.io/stefan_claas
   

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: New OpenPGP packet request

2020-01-04 Thread Stefan Claas via Gnupg-users
Stefan Claas via Gnupg-users wrote:

> Another possible solution, maybe worth discussing, is that if all
> SKS key servers were replaced with Hockeypuck, the author could
> implement the keyserver no-modify flag that GnuPG offers.

https://github.com/hockeypuck/hockeypuck/issues/71

Regards
Stefan



Re: Different key pair for e-mail and signing code

2020-01-04 Thread Wiktor Kwapisiewicz via Gnupg-users

Hi John,

On 04.01.2020 09:53, john doe wrote:

> My goal is to sign code and sign/encrypt e-mail but I'm not sure what's
> the best way forward:
> - One key pair for e-mail (sign/encrypt) and another key pair for
> signing code
> - Finding a way to do what I want with only one key pair (multiple
> signing subkeys and one encryption subkey)
> - Am I missing something/better approach


There is no single answer to this question. Some people use one keypair 
for signing e-mails and software because it's simpler (especially if 
people have or use Web of Trust to validate keys).


Apache, for example, recommends using a separate keypair for code signing 
with specific guidelines (such as having the UID comment "CODE SIGNING KEY" 
[0]). I guess this is due to the fact that one rarely signs code, but 
when they do it they use a different hardware token, thus avoiding the 
risk of misuse of their frequently used key (e-mail signing).


OpenPGP lacks extended key usage flags, so if an object is signed it is 
not clear what the signer's intention was, and it is theoretically 
possible to trick someone into signing an e-mail (via auto-reply or so) 
that could then be misinterpreted as software [1].


Kind regards,
Wiktor

[0]: https://www.apache.org/dev/release-signing.html#key-comment

[1]: https://stackoverflow.com/q/35840196

--
https://metacode.biz/@wiktor



Re: Different key pair for e-mail and signing code

2020-01-04 Thread Robert J. Hansen
> Following my thread at (1), unless I'm missing something, it became
> apparent that Enigmail/Thunderbird does not fit the bill anymore.

It should be noted that Enigmail hasn't changed how it does anything.

> My goal is to sign code and sign/encrypt e-mail but I'm not sure what's
> the best way forward:

We don't know, either.  It's going to depend on your own personal risk
profile.

> - Am I missing something/better approach

If you want to segregate your code signing from your email, the best way
to do that is with a second certificate -- not adding subkeys to your
current one.

Ask yourself this: how often have you noticed that my signed messages
bear *two* signatures from *two* subkeys belonging to the same
certificate?  I've been doing this for years and nobody's ever noticed.
(Or at least, nobody's ever mentioned it to me to ask why I'm doing
something so weird.)

So if you're depending on people ascribing special semantic value to
which subkey is used -- honestly, I doubt people will ever even notice
which subkey you're using.  It's simply not a use case that comes up
very often, if ever.



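Both replies above come down to the same thing for whoever verifies a release: an OpenPGP signature carries no "intended use", so a verifier cannot tell "signed as e-mail" from "signed as software" unless code signing is done under a separate certificate and the verifier checks for exactly that certificate. The following is an added Python example, not code from the thread or from GnuPG: it parses constructed `gpg --status-fd 1 --verify` output (the VALIDSIG line's last field is the primary key fingerprint) and accepts an artifact only when that primary fingerprint is on an allowlist of dedicated code-signing certificates; all fingerprints and user IDs are constructed placeholders.

```python
# Constructed 40-hex-digit fingerprints; placeholders, not real keys.
CODE_PRIMARY = "A1" * 20   # dedicated code-signing certificate (primary key)
CODE_SUBKEY = "C3" * 20    # its signing subkey
MAIL_PRIMARY = "B2" * 20   # everyday e-mail certificate (primary key)
MAIL_SUBKEY = "D4" * 20    # one of its signing subkeys

# Allowlist by PRIMARY fingerprint, so rotating a signing subkey under the
# same certificate needs no policy change.
CODE_SIGNING_CERTS = {CODE_PRIMARY}

# Any of these status tags means the signature must not be trusted, even if a
# VALIDSIG line is also present (gpg emits VALIDSIG for expired keys too).
REJECT_TAGS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def parse_status(status_text):
    """Return (set of status tags seen, [(signing_fpr, primary_fpr), ...])."""
    tags, valid = set(), []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tags.add(fields[1])
        if fields[1] == "VALIDSIG" and len(fields) >= 12:
            # VALIDSIG fpr date ts expire ver reserved pkalgo hashalgo class primary-fpr
            valid.append((fields[2].upper(), fields[11].upper()))
    return tags, valid

def accept_release(status_text, allowed=CODE_SIGNING_CERTS):
    """True only when every signature is good AND made under an allowlisted
    code-signing certificate; a valid signature from the e-mail cert is refused."""
    tags, valid = parse_status(status_text)
    if not valid or tags & REJECT_TAGS:
        return False
    return all(primary in allowed for _sig, primary in valid)

# Constructed status output for three cases (shape follows gpg's DETAILS doc).
STATUS_CODE_KEY = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG {CODE_SUBKEY[-16:]} Firstname Lastname (CODE SIGNING KEY) <fl@example.org>
[GNUPG:] VALIDSIG {CODE_SUBKEY} 2020-01-03 1578009600 0 4 0 1 8 00 {CODE_PRIMARY}
[GNUPG:] TRUST_ULTIMATE 0 pgp"""
STATUS_MAIL_KEY = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG {MAIL_SUBKEY[-16:]} Firstname Lastname <fl@example.org>
[GNUPG:] VALIDSIG {MAIL_SUBKEY} 2020-01-03 1578009600 0 4 0 1 8 00 {MAIL_PRIMARY}
[GNUPG:] TRUST_ULTIMATE 0 pgp"""
STATUS_EXPIRED = f"""[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG {CODE_SUBKEY[-16:]} Firstname Lastname (CODE SIGNING KEY) <fl@example.org>
[GNUPG:] VALIDSIG {CODE_SUBKEY} 2020-01-03 1578009600 0 4 0 1 8 00 {CODE_PRIMARY}"""
```

Keying the allowlist on the primary fingerprint rather than the subkey is what makes the "second certificate" approach workable: the e-mail certificate's subkeys can never satisfy the policy no matter which one produced the signature.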

Different key pair for e-mail and signing code

2020-01-04 Thread john doe
Hello all,

Following my thread at (1), unless I'm missing something, it became
apparent that Enigmail/Thunderbird does not fit the bill anymore.


My plan is to use something like the following:

-
sec   rsa4096 2020-01-03 [C] [expires: 2020-01-04]
  3C5CFD620005347A62052A6B596CB80D30E8829D
uid   [ultimate] Firstname Lastname 
ssb   rsa4096 2020-01-03 [S] [expires: 2020-01-04]
ssb   rsa4096 2020-01-03 [S] [expires: 2020-01-04]
ssb   rsa4096 2020-01-03 [E] [expires: 2020-01-04]

With maybe more signing subkeys.


My goal is to sign code and sign/encrypt e-mail but I'm not sure what's
the best way forward:
- One key pair for e-mail (sign/encrypt) and another key pair for
signing code
- Finding a way to do what I want with only one key pair (multiple
signing subkeys and one encryption subkey)
- Am I missing something/better approach

For now I'm considering notmuch/sup to get what I want, it looks like
Mutt uses 'ncurses' which is not an option for me.

Any input is welcome.

1)
https://admin.hostpoint.ch/pipermail/enigmail-users_enigmail.net/2020-January/005562.html


P.S.

By key pair, I mean private/public key.

--
John Doe
