Re: Certified OpenPGP-encryption after release of Thunderbird 78

2020-05-31 Thread Mark
So for all of us that don't use a smart card to store our keys, they are
stored in TB?  What if we also have need for that key outside of email
such as signing or decrypting files? We still need that key in GNUPG as
well. If we change the key at all then we have to make sure it has been
updated in both areas?? 

I could see a similar situation developing with the public keys where
the ones stored in TB are not in sync with the ones stored in GNUPG.
What happens with keys that are obtained from websites for places like
Apple, Microsoft, etc. that are not being directly imported from an email?

Maybe I am overthinking it or just missing something but I see potential
problems with this. If they are not using the same data (key rings) or
in constant synchronization, the "wrong key" could be used.   Hopefully
they have a way to address this.

On 5/31/2020 1:01 AM, Patrick Brunschwig wrote:
> Mark wrote on 31.05.2020 01:28:
>> Doesn't TB also need your secret keys to decrypt messages? 
> With smartcard support via GnuPG, all secret key operations are handled
> by GnuPG, and all public key operations are handled by TB (Note: the
> standard case, without smartcard support, will be that all keys are in
> Thunderbird).
>
> The use-cases are clearly distinct:
> - encryption: you only need public keys
> - decryption: you only need secret keys
> - signing: you only need secret keys
> - verification: you only need public keys
>
>> Also what if you need your public keys outside of TB such as encrypting
>> a file?
> That's not supported by Thunderbird. The idea of OpenPGP in Thunderbird
> is that you use it for email.
>
>> The reason I'm asking is that a while ago I posted about unknown files in
>> my GNUPG directory. PAPubring.gpg and PAsecring.gpg. I eventually found
>> out those are key rings used by a program I have called Power Archiver.
>> I'm not sure why it has its own set of keys, still awaiting an
>> explanation from support. If every app is not using the same pair of key
>> rings (and there is no synchronization between them) could that not lead
>> to problems?
> The only "problem" might be that you have different keys on different
> key rings. But this is not necessarily a problem - you use different
> keys for different purposes and you can import and export the keys
> between the tools if needed.
>
> -Patrick
>
>> On 5/30/2020 12:57 PM, Patrick Brunschwig wrote:
>>> Mark wrote on 30.05.2020 20:54:
>>>> So then do you have multiple pairs of key rings? One pair for TB78 and
>>>> its built in PGP and another pair as part of GNUPG?
>>> Not exactly. You have your secret keys with GnuPG, and your public keys
>>> with Thunderbird. No synchronization required.
>>>
>>> -Patrick
>>>> If so how do you keep them synchronized?
>>>>
>>>> On 5/30/2020 9:17 AM, Patrick Brunschwig wrote:
>>>>> Robert J. Hansen wrote on 30.05.2020 01:07:
>>>>>>> If TB 78 is going to have native support of OpenPGP encryption, then the
>>>>>>> original person in the thread should be able to export all of the keys
>>>>>>> in their key rings, and import all of those keys into TB 78, or am I
>>>>>>> missing one of the gotchas with
>>>>>>> TB 78 and its OpenPGP encryption support.
>>>>>> You're missing the gotcha of "as of -Beta3, the new Thunderbird *cannot
>>>>>> even import a key*."
>>>>> I'm sorry, but that is simply not true. There is a known bug in the
>>>>> library used by Thunderbird (RNP) that leads to crashes when importing
>>>>> _certain_ keys. But I succeeded in importing all of my keys without any
>>>>> problems (more than 1.000), except for 5 V3-keys. I can definitely say
>>>>> that it's not just broken, and it can import keys.
>>>>>
>>>>>> I'm not kidding.  It is so far from complete that Kai Englert, who leads
>>>>>> the TB78 OpenPGP effort, recently proposed postponing OpenPGP support in
>>>>>> TB until version 78.2, or about a three-month delay.
>>>>> Again, that's oversimplified. OpenPGP will not be enabled _by_ _default_
>>>>> but users may still enable it manually.
>>>>>
>>>>>> At present, as of -Beta3, TB78's OpenPGP support is badly broken.
>>>>> No, it's incomplete - work in progress. That's not quite the same.
>>>>>
>>>>> -Patrick
>>>>>

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Certified OpenPGP-encryption after release of Thunderbird 78

2020-05-31 Thread David Flory

On 5/30/2020 10:17 AM, Patrick Brunschwig wrote:

[snip]

> I'm sorry, but that is simply not true. There is a known bug in the
> library used by Thunderbird (RNP) that leads to crashes when importing
> _certain_ keys. But I succeeded in importing all of my keys without any
> problems (more than 1.000), except for 5 V3-keys. I can definitely say
> that it's not just broken, and it can import keys.

[snip]

How does one identify a v3 key?

David



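An added example, not code from this thread nor from GnuPG, RNP or Thunderbird: a small Python walker over a binary OpenPGP packet stream (what `gpg --export` writes without --armor) that reports the version and algorithm of every key packet, which is one way to pick out v3 keys; it also labels which packets are public and which are secret key material. The sample stream is constructed here with toy MPIs and is not a real key.

```python
"""Find v3 keys: report version and algorithm of each key packet in binary OpenPGP data."""
import struct

KEY_TAGS = {5: "secret key", 6: "public key", 7: "secret subkey", 14: "public subkey"}
ALGOS = {1: "RSA", 16: "ElGamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}


def read_header(data, pos):
    """Decode the packet header at pos; return (tag, body_offset, body_length)."""
    ctb = data[pos]
    if not ctb & 0x80:
        raise ValueError("no packet header at offset %d" % pos)
    if ctb & 0x40:  # new-format header: tag in the low 6 bits
        tag, first = ctb & 0x3F, data[pos + 1]
        if first < 192:
            return tag, pos + 2, first
        if first < 224:
            return tag, pos + 3, ((first - 192) << 8) + data[pos + 2] + 192
        if first == 255:
            return tag, pos + 6, struct.unpack(">I", data[pos + 2:pos + 6])[0]
        raise ValueError("partial body length at offset %d (never used for keys)" % pos)
    # old-format header: tag in bits 5..2, length type in bits 1..0
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
    if ltype == 0:
        return tag, pos + 2, data[pos + 1]
    if ltype == 1:
        return tag, pos + 3, struct.unpack(">H", data[pos + 1:pos + 3])[0]
    if ltype == 2:
        return tag, pos + 5, struct.unpack(">I", data[pos + 1:pos + 5])[0]
    raise ValueError("indeterminate length at offset %d" % pos)


def list_key_packets(data):
    """Return (kind, version, algorithm, created) for every key packet in data."""
    found, pos = [], 0
    while pos < len(data):
        tag, body, length = read_header(data, pos)
        if body + length > len(data):
            raise ValueError("truncated packet at offset %d" % pos)
        if tag in KEY_TAGS:
            version = data[body]
            created = struct.unpack(">I", data[body + 1:body + 5])[0]
            # v3 bodies carry a 2-octet validity period before the algorithm
            # octet; v4 bodies go straight from creation time to algorithm.
            algo_id = data[body + 7] if version == 3 else data[body + 5]
            found.append((KEY_TAGS[tag], version, ALGOS.get(algo_id, "algo %d" % algo_id), created))
        pos = body + length
    return found


def _key_body(version, algo, created):
    """Constructed key-packet body with toy 8-bit and 17-bit MPIs (not a real key)."""
    body = bytes([version]) + struct.pack(">I", created)
    if version == 3:
        body += struct.pack(">H", 0)  # validity in days; 0 = never expires
    return body + bytes([algo]) + b"\x00\x08\xa5" + b"\x00\x11\x01\x00\x01"


def _packet(tag, body, new_format=True):
    """Wrap body in a header with a one-octet length, in either header style."""
    ctb = (0xC0 | tag) if new_format else (0x80 | (tag << 2))
    return bytes([ctb, len(body)]) + body


# Constructed sample stream: v4 RSA key, user ID, v4 ElGamal subkey, then a
# v3 RSA key in an old-format packet (the kind RFC 4880 deprecates).
SAMPLE = (_packet(6, _key_body(4, 1, 1590883200))
          + _packet(13, b"Sample <sample@example.test>")
          + _packet(14, _key_body(4, 16, 1590883200))
          + _packet(6, _key_body(3, 1, 900000000), new_format=False))

if __name__ == "__main__":
    for kind, version, algo, created in list_key_packets(SAMPLE):
        print("%-14s v%d %-8s created %d" % (kind, version, algo, created))
```

On a real export, `gpg --list-packets` prints the same version field for each key packet, so the two can be cross-checked.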

Re: Certified OpenPGP-encryption after release of Thunderbird 78

2020-05-31 Thread Mark
That is what I see happening too. When you start having multiple key
stores, which one contains the "correct" keys?  I saw that happening in
just my very limited usage where another program has its own key rings... 

On 5/31/2020 1:28 AM, Andreas Boehlk Computer-Service wrote:
> Hello Mark,
>
> I totally agree. It is not possible to have more than one key store.
> Synchronization always fails at some point and the standard user cannot
> handle it. So the only solution for TB will be to use GNUPG, because it
> has the only key store for all platforms and has proved to work for
> years. That results in the only possible solution for TB to integrate
> the Enigmail functionality into the code directly or live with the
> Enigmail plug-in. All other solutions are defective by design from the start.
>
> Andreas

Re: Exchange between multiple OpenPGP implementations

2020-05-31 Thread Patrick Brunschwig
Peter Lebbing wrote on 31.05.2020 11:07:
> Hi,
> 
> On 31/05/2020 10:01, Patrick Brunschwig wrote:
>> The only "problem" might be that you have different keys on different
>> key rings. But this is not necessarily a problem - you use different
>> keys for different purposes and you can import and export the keys
>> between the tools if needed.
> 
> Does the new TB implementation support TOFU? If so, you lose your TOFU
> historical data and identity assertions when you would export/import to
> a different OpenPGP implementation. That'd be a shame. Maybe there's a
> need for a standardised interchange format for that.

TB chose (unfortunately in my eyes) to currently only support explicit
trust using their own trust handling. I hope that future versions will
support other methods.

-Patrick



Re: Certified OpenPGP-encryption after release of Thunderbird 78

2020-05-31 Thread Patrick Brunschwig
Andreas Boehlk Computer-Service wrote on 31.05.2020 11:09:
> Hello Patrick,
> 
> 
> Am 31.05.2020 um 10:01 schrieb Patrick Brunschwig:
>> Mark wrote on 31.05.2020 01:28:
>>> Doesn't TB also need your secret keys to decrypt messages?  
>>
>> With smartcard support via GnuPG, all secret key operations are handled
>> by GnuPG, and all public key operations are handled by TB (Note: the
>> standard case, without smartcard support, will be that all keys are in
>> Thunderbird).
>>
>> The use-cases are clearly distinct:
>> - encryption: you only need public keys
>> - decryption: you only need secret keys
>> - signing: you only need secret keys
>> - verification: you only need public keys
>>
> The standard user will not be able to work with that "solution".
> Compared to the "Enigmail solution" this is hell and bound to fail.

Let's first define Standard users. The majority of users who use
smartcards that *I* know are expert or power users. They can handle this.

The "Standard users" I have in mind don't use GnuPG for anything else
than encrypting mails, and they don't use smartcards either. They won't
have this issue in any way.

>>> Also what if you need your public keys outside of TB such as encrypting
>>> a file?
>>
>> That's not supported by Thunderbird. The idea of OpenPGP in Thunderbird
>> is that you use it for email.
>>
> That is correct, but nevertheless it is mandatory to have and use a
> single key-store.

For which use-case precisely? If you only use OpenPGP for emails (and
given the users I know who had support cases in the past, this is true
for the majority of the Enigmail users), then this is irrelevant.

To be quite clear: Thunderbird will not support GnuPG for scenarios
other than handling secret keys. And that's only because the OpenPGP
library they use can't handle smartcards yet. Once the library supports
smartcards, I expect that GnuPG support will be removed entirely.

Note: I'm not a Thunderbird developer and I don't drive Thunderbird
decisions -- this is simply my expectation of what will happen.

-Patrick


gpg generate key is not finishing

2020-05-31 Thread Williams, Chad L via Gnupg-users
Attempting to generate a key on a Solaris 10 server using the below command

gpg --full-generate-key --pinentry-mode=loopback

Everything seems to be working but the key generation never completes.

It's been sitting at this point for 10 hours.  I tried to produce more entropy
by running the suggested command on another console and the agent is running

  root  8249 28754   0 21:48:19 pts/12  0:02 gpg --full-generate-key 
--pinentry-mode=loopback
root 17222 1   0 19:55:32 ?   0:08 gpg-agent --homedir 
/root/.gnupg --use-standard-socket --daemon


GnuPG needs to construct a user ID to identify your key.

Real name: root1
Email address: root@localhost
Comment:
You selected this USER-ID:
"root1 <root@localhost>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
afkkdkdkdkdkdkkdkdkdkdkk


Re: Certified OpenPGP-encryption after release of Thunderbird 78

2020-05-31 Thread Andreas Boehlk Computer-Service
Hello Mark,

I totally agree. It is not possible to have more than one key store.
Synchronization always fails at some point and the standard user cannot
handle it. So the only solution for TB will be to use GNUPG, because it
has the only key store for all platforms and has proved to work for
years. That results in the only possible solution for TB to integrate
the Enigmail functionality into the code directly or live with the
Enigmail plug-in. All other solutions are defective by design from the start.

Andreas




Am 31.05.2020 um 01:28 schrieb Mark:
> Doesn't TB also need your secret keys to decrypt messages?  
> 
> Also what if you need your public keys outside of TB such as encrypting
> a file?
> 
> The reason I'm asking is that a while ago I posted about unknown files in
> my GNUPG directory. PAPubring.gpg and PAsecring.gpg. I eventually found
> out those are key rings used by a program I have called Power Archiver.
> I'm not sure why it has its own set of keys, still awaiting an
> explanation from support. If every app is not using the same pair of key
> rings (and there is no synchronization between them) could that not lead
> to problems?
> 
> Thanks
> 
> On 5/30/2020 12:57 PM, Patrick Brunschwig wrote:
>> Mark wrote on 30.05.2020 20:54:
>>> So then do you have multiple pairs of key rings? One pair for TB78 and
>>> its built in PGP and another pair as part of GNUPG?
>> Not exactly. You have your secret keys with GnuPG, and your public keys
>> with Thunderbird. No synchronization required.
>>
>> -Patrick
>>> If so how do you keep them synchronized?
>>>
>>> On 5/30/2020 9:17 AM, Patrick Brunschwig wrote:
>>>> Robert J. Hansen wrote on 30.05.2020 01:07:
>>>>>> If TB 78 is going to have native support of OpenPGP encryption, then the
>>>>>> original person in the thread should be able to export all of the keys
>>>>>> in their key rings, and import all of those keys into TB 78, or am I
>>>>>> missing one of the gotchas with
>>>>>> TB 78 and its OpenPGP encryption support.
>>>>> You're missing the gotcha of "as of -Beta3, the new Thunderbird *cannot
>>>>> even import a key*."
>>>> I'm sorry, but that is simply not true. There is a known bug in the
>>>> library used by Thunderbird (RNP) that leads to crashes when importing
>>>> _certain_ keys. But I succeeded in importing all of my keys without any
>>>> problems (more than 1.000), except for 5 V3-keys. I can definitely say
>>>> that it's not just broken, and it can import keys.
>>>>
>>>>> I'm not kidding.  It is so far from complete that Kai Englert, who leads
>>>>> the TB78 OpenPGP effort, recently proposed postponing OpenPGP support in
>>>>> TB until version 78.2, or about a three-month delay.
>>>> Again, that's oversimplified. OpenPGP will not be enabled _by_ _default_
>>>> but users may still enable it manually.
>>>>
>>>>> At present, as of -Beta3, TB78's OpenPGP support is badly broken.
>>>> No, it's incomplete - work in progress. That's not quite the same.
>>>>
>>>> -Patrick

Re: Certified OpenPGP-encryption after release of Thunderbird 78

2020-05-31 Thread Andreas Boehlk Computer-Service
Hello Patrick,


Am 31.05.2020 um 10:01 schrieb Patrick Brunschwig:
> Mark wrote on 31.05.2020 01:28:
>> Doesn't TB also need your secret keys to decrypt messages?  
> 
> With smartcard support via GnuPG, all secret key operations are handled
> by GnuPG, and all public key operations are handled by TB (Note: the
> standard case, without smartcard support, will be that all keys are in
> Thunderbird).
> 
> The use-cases are clearly distinct:
> - encryption: you only need public keys
> - decryption: you only need secret keys
> - signing: you only need secret keys
> - verification: you only need public keys
> 
The standard user will not be able to work with that "solution".
Compared to the "Enigmail solution" this is hell and bound to fail.

>> Also what if you need your public keys outside of TB such as encrypting
>> a file?
> 
> That's not supported by Thunderbird. The idea of OpenPGP in Thunderbird
> is that you use it for email.
> 
That is correct, but nevertheless it is mandatory to have and use a
single key-store.

>> The reason I'm asking is that a while ago I posted about unknown files in
>> my GNUPG directory. PAPubring.gpg and PAsecring.gpg. I eventually found
>> out those are key rings used by a program I have called Power Archiver.
>> I'm not sure why it has its own set of keys, still awaiting an
>> explanation from support. If every app is not using the same pair of key
>> rings (and there is no synchronization between them) could that not lead
>> to problems?
> 
> The only "problem" might be that you have different keys on different
> key rings. But this is not necessarily a problem - you use different
> keys for different purposes and you can import and export the keys
> between the tools if needed.
> 
As I stated before: This is a real problem. Multiple key stores are not
manageable and this planned solution is much more complicated than the
current one with Enigmail. Therefore it is bound to be a non-starter.

> -Patrick
> 
>> On 5/30/2020 12:57 PM, Patrick Brunschwig wrote:
>>> Mark wrote on 30.05.2020 20:54:
>>>> So then do you have multiple pairs of key rings? One pair for TB78 and
>>>> its built in PGP and another pair as part of GNUPG?
>>> Not exactly. You have your secret keys with GnuPG, and your public keys
>>> with Thunderbird. No synchronization required.
>>>
>>> -Patrick
>>>> If so how do you keep them synchronized?
>>>>
>>>> On 5/30/2020 9:17 AM, Patrick Brunschwig wrote:
>>>>> Robert J. Hansen wrote on 30.05.2020 01:07:
>>>>>>> If TB 78 is going to have native support of OpenPGP encryption, then the
>>>>>>> original person in the thread should be able to export all of the keys
>>>>>>> in their key rings, and import all of those keys into TB 78, or am I
>>>>>>> missing one of the gotchas with
>>>>>>> TB 78 and its OpenPGP encryption support.
>>>>>> You're missing the gotcha of "as of -Beta3, the new Thunderbird *cannot
>>>>>> even import a key*."
>>>>> I'm sorry, but that is simply not true. There is a known bug in the
>>>>> library used by Thunderbird (RNP) that leads to crashes when importing
>>>>> _certain_ keys. But I succeeded in importing all of my keys without any
>>>>> problems (more than 1.000), except for 5 V3-keys. I can definitely say
>>>>> that it's not just broken, and it can import keys.
>>>>>
>>>>>> I'm not kidding.  It is so far from complete that Kai Englert, who leads
>>>>>> the TB78 OpenPGP effort, recently proposed postponing OpenPGP support in
>>>>>> TB until version 78.2, or about a three-month delay.
>>>>> Again, that's oversimplified. OpenPGP will not be enabled _by_ _default_
>>>>> but users may still enable it manually.
>>>>>
>>>>>> At present, as of -Beta3, TB78's OpenPGP support is badly broken.
>>>>> No, it's incomplete - work in progress. That's not quite the same.
>>>>>
>>>>> -Patrick
> 
> 
> 

Exchange between multiple OpenPGP implementations

2020-05-31 Thread Peter Lebbing
Hi,

On 31/05/2020 10:01, Patrick Brunschwig wrote:
> The only "problem" might be that you have different keys on different
> key rings. But this is not necessarily a problem - you use different
> keys for different purposes and you can import and export the keys
> between the tools if needed.

Does the new TB implementation support TOFU? If so, you lose your TOFU
historical data and identity assertions when you would export/import to
a different OpenPGP implementation. That'd be a shame. Maybe there's a
need for a standardised interchange format for that.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 




Re: Certified OpenPGP-encryption after release of Thunderbird 78

2020-05-31 Thread Patrick Brunschwig
Mark wrote on 31.05.2020 01:28:
> Doesn't TB also need your secret keys to decrypt messages?  

With smartcard support via GnuPG, all secret key operations are handled
by GnuPG, and all public key operations are handled by TB (Note: the
standard case, without smartcard support, will be that all keys are in
Thunderbird).

The use-cases are clearly distinct:
- encryption: you only need public keys
- decryption: you only need secret keys
- signing: you only need secret keys
- verification: you only need public keys

> Also what if you need your public keys outside of TB such as encrypting
> a file?

That's not supported by Thunderbird. The idea of OpenPGP in Thunderbird
is that you use it for email.

> The reason I'm asking is that a while ago I posted about unknown files in
> my GNUPG directory. PAPubring.gpg and PAsecring.gpg. I eventually found
> out those are key rings used by a program I have called Power Archiver.
> I'm not sure why it has its own set of keys, still awaiting an
> explanation from support. If every app is not using the same pair of key
> rings (and there is no synchronization between them) could that not lead
> to problems?

The only "problem" might be that you have different keys on different
key rings. But this is not necessarily a problem - you use different
keys for different purposes and you can import and export the keys
between the tools if needed.

-Patrick

> On 5/30/2020 12:57 PM, Patrick Brunschwig wrote:
>> Mark wrote on 30.05.2020 20:54:
>>> So then do you have multiple pairs of key rings? One pair for TB78 and
>>> its built in PGP and another pair as part of GNUPG?
>> Not exactly. You have your secret keys with GnuPG, and your public keys
>> with Thunderbird. No synchronization required.
>>
>> -Patrick
>>> If so how do you keep them synchronized?
>>>
>>> On 5/30/2020 9:17 AM, Patrick Brunschwig wrote:
>>>> Robert J. Hansen wrote on 30.05.2020 01:07:
>>>>>> If TB 78 is going to have native support of OpenPGP encryption, then the
>>>>>> original person in the thread should be able to export all of the keys
>>>>>> in their key rings, and import all of those keys into TB 78, or am I
>>>>>> missing one of the gotchas with
>>>>>> TB 78 and its OpenPGP encryption support.
>>>>> You're missing the gotcha of "as of -Beta3, the new Thunderbird *cannot
>>>>> even import a key*."
>>>> I'm sorry, but that is simply not true. There is a known bug in the
>>>> library used by Thunderbird (RNP) that leads to crashes when importing
>>>> _certain_ keys. But I succeeded in importing all of my keys without any
>>>> problems (more than 1.000), except for 5 V3-keys. I can definitely say
>>>> that it's not just broken, and it can import keys.
>>>>
>>>>> I'm not kidding.  It is so far from complete that Kai Englert, who leads
>>>>> the TB78 OpenPGP effort, recently proposed postponing OpenPGP support in
>>>>> TB until version 78.2, or about a three-month delay.
>>>> Again, that's oversimplified. OpenPGP will not be enabled _by_ _default_
>>>> but users may still enable it manually.
>>>>
>>>>> At present, as of -Beta3, TB78's OpenPGP support is badly broken.
>>>> No, it's incomplete - work in progress. That's not quite the same.
>>>>
>>>> -Patrick



