Re: a step in the right direction
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 18-01-16 10:54 AM, Robert J. Hansen wrote: >> (Oh, by the way, usually when I talk about DRM, I'm talking about >> giving somebody data but restricting the ways in which they can >> use that data. It's not clear to me how DRM applies when you want >> to simply not give data at all, to anybody. But this is not >> really pertinent to the discussion, so never mind.) > > I was the one who brought up DRM. > > What Stefan and Listo want is some mechanism by which, if I have a > copy of their public key, I can be prohibited from sharing that > with a keyserver. How I get to use data in my possession is > controlled by a third party -- that's DRM. In this case it's a > voluntary, half-assed DRM scheme, but it's still in the family of > DRM schemes. > > > > > ___ Gnupg-users mailing > list Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > Maybe something akin to patent law here would work better than a technological solution. Once you share something it is public unless you force the the receiving party to sign a non-disclosure document. Once you share your public key with even one person it is in the public domain. If you want to make it painful enough to prevent this from happening have the receiving party sign a contract of non-disclosure which stipulates what the penalties will be if the break the contract. Just my two cents and I'm sure it doesn't cover everything. Best Regards, Duane - -- Duane Whitty du...@nofroth.com -BEGIN PGP SIGNATURE- iQEcBAEBCAAGBQJaXlCfAAoJEOJfpr8UVxtkwgsH/3V+ZCc839yIENQDgp/Z7/Yj 3TVRRw/ELswj9emAebtIMiY5EYvQp3zhL71sTnXq8+ez0k2oc68ow4oxnwpl+9K1 psQiPVm45ouQlBlS9YJ6O8KBQRFARmP3fDt+JAwQ9a/PJRfqefdk93gVM89T+9VM V6NzkR9ktyokNmKhKi48oVXIVw2XX2DG2fuspI2QwZLqtt0PxmGdDuyiWmFZKigW mWU3evTAkzQtslsppVNenJjZjrz7XIqt/xq/CEf/PgfreeY+g7chm+fzpdvSuTMu 9hJWOkXBTx+W40/5GbLyzpSYlKcUyu8evrN8Z9Uo5CtX0E+c30cCQ0auLkPKV8o= =KRTM -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: FAQ and GNU
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 17-10-11 12:55 AM, Robert J. Hansen wrote: >> Amazing how much people want to comment on the color of this >> particular bikeshed! > > I agree. Bikeshedding frustrates me: I'll leave it at that. > Yes, but surely, given the question you must have seen this one coming :-D Best Regards, Duane - -- Duane Whitty du...@nofroth.com -BEGIN PGP SIGNATURE- iQEcBAEBCAAGBQJZ4NRIAAoJEOJfpr8UVxtkKKoIAIOXzc5A4JePwqGmYE3q68XM WaQpSw09UM6aphbFBdsocGVZ7fuCXojKTtp0Aers1LgqQX16v0KbQwDf51YjZges 2MPrK0ZkPSQC9OeIzuAyoc8GWpHRsGhZ9ZyxSjsEDWEK6hhApkyKawwwsGXk1/gp APSfRMaFhu104gf9l8gPx9Pl3Jt6UPLhmVCnWUGBhW2nnMsIXsf/JQmSzO5dQDXU OqmI3lHENMsba6c8mD6t8D0kNzkRHc/De67vv7hpSXv21UcYdBr6pKJQM8rPL08q dNxX1nbivcIgsOnDambY0MuIS2OJm0BZrm1Nfp/ExvXz7sBNJeRuijAOkM7wgK4= =fEvT -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OT: FAQ and GNU
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 17-10-13 11:05 AM, Mario Castelán Castro wrote: > On 12/10/17 17:50, Robert J. Hansen wrote: >>> The observation that one, some, many, or all people use a >>> linguistic construct in an incorrect way do not change the fact >>> that it is incorrect. >> >> It quite definitely does. Unlike, say, French or Icelandic, >> where there's an actual institution charged with the development >> of the language, the *only* definition of correctness in English >> is found in whether it conforms to everyday usage in the >> community in question. > > Your argument is unsound, because the inference is unjustified. > The possibilities that a language is regulated by an official body > or defined by majority usage are not exhaustive. > I'd be interested to know what the other possibilities are. > Since you are talking about the definition of the English language, > and noticed that there is no official definition, then I contend > that there is no _definition_ of the English language at all. > However, from this does not follow that one individual or a > majority are allowed to dispense of any rules and do as they please > while claiming that they are speaking English. I think that if one individual tried they would initially meet with resistance. But over time language rules, both grammar and vocabulary, change. Even in a time as short as 30 years many changes have occurred in the English language. It is a dynamic language. "Resistance is futile" :-) Instead, one must apply the well-known rules of > English and use common sense in determining which words one will > regard as legitimate. Leaving this judgment to majority amounts to > the ad populum fallacy and to such blatant absurdities as regarding > the words “u”, “gotta” and “wanna” as valid synonyms of “you”, “got > to” and “want to”. > What about the role of media and its influence on popular culture? If I say "C'mon, you gotta be kiddin me" everybody knows what I'm saying and its acceptability depends on the audience. > > In short: Your argument "_many_ people use “Linux” to refer to any > Linux-based operating system, therefore it is correct English” is a > big mistake. > I think it depends on the audience :-) > > > _______ Gnupg-users mailing > list Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > Best Regards, Duane - -- Duane Whitty du...@nofroth.com -BEGIN PGP SIGNATURE- iQEcBAEBCAAGBQJZ4M4OAAoJEOJfpr8UVxtkIesIAI2+EwHt+dXPF34ed6WZXO+S J3j5tWxC/Fy/TvHg9bQKzlcXH0uEJ1DjoCTNw3WhdgdiCHGWmP6Y/LZ+DYIq0AW5 X4BL+5jeMW/8vX+AyRSWqDIgME6rCF5L21xE6Byz0Sj8fdgxnwFslYb9Gs6cH14h qHyWxyNYKUe3eWH6JEuUgkduJqAAZX0jtAwMoNBRML7ameCwsELlbNc4bMGwqFL3 NGGBCJBxvxYsIhDO5Vk1ifBGgKB0EqURHruRykWrFEZFaOOUpD5RX8toZla/yllM uhtfTfsrdL4s6Cf7XOfM3MnSCPM98WwfKuWtU2Fc74D+bLxBup1upyZWcqVNJgo= =B/ek -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Working with an Online and Offline Computer when using GnuPG - Best Practice?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 17-10-10 02:04 PM, Daniel Kahn Gillmor wrote: > On Mon 2017-10-09 23:30:22 -0300, Duane Whitty wrote: >> After saying all that I recall reading an article by the >> Washington Post (if I recall correctly) that they use two >> computers in their "safe-drop" system. > > The link you're looking for is: > > https://securedrop.org/ > > their documentation for transfer between machines is here: > > https://docs.securedrop.org/en/stable/set_up_transfer_device.html > > regards, > > --dkg > Thanks! Best Regards, Duane - -- Duane Whitty du...@nofroth.com -BEGIN PGP SIGNATURE- iQEcBAEBCAAGBQJZ3QPOAAoJEOJfpr8UVxtkp3kH/27bVFIV4hzz1t3MFfJpM1pW xXtznE+5pzdxA4YXDRN7zIEfchbjTjqT70phXDX5SkVT4agY9MgNs8MhYOy8aeAi pHVg+aNyDFp9kRvPahRpOQAhjhewEgPO4yaEyenKH4hCQ2EZMK9U93tlYG11rKBu 8EaN64d/NScLx7ngEPB9tooV1F9dyzDuNaXDw787YsapTG4N/hgjuKXMwu5YSOVb CE/6ppxTJJRxbYBPCymZvVmAiQ6hzWEMYfgsyL+D3AjgXIf1nLlcM1/3JSAaCuZ5 w9FmoX5BbTEMRL1/6GRDOYcv7Z4KeHOazZcjdaVYHTtZZcuiGd59VEjKBQGHixw= =9JNr -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: FAQ and GNU
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 17-10-09 11:06 PM, Robert J. Hansen wrote: > A request has been made that each instance of "Linux" in the FAQ > be replaced with "GNU/Linux". > > I'm not inclined to make this change. However, in order to make > sure that the FAQ reflects the community's wishes, I'm submitting > the proposal here for community feedback. > > If anyone has strong feelings on it one way or another, chime in. > > ___ Gnupg-users mailing > list Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > Rob, thanks for taking time out of your day and busy schedule for dealing with this issue. Too bad it is such a contentious issue for so many people. Thank you for your fairness and collaborative and community minded approach. Best Regards, Duane - -- Duane Whitty du...@nofroth.com -BEGIN PGP SIGNATURE- iQEcBAEBCAAGBQJZ3PVEAAoJEOJfpr8UVxtkLRQH/RDMBbl6PZ/lkXe/qYH4S2v8 QXd0qWeiniyAsfRju8bbbj3o4VF4J5P5AWcHGxbV6/uXmEZUevf3ts5Xq1e+Ow/K 5GDClHuoCa08+o8yIFDXLQ0ac/AiKg8kBl+3gp6B5v+Neln8q2zj6JBau8+0QhfQ 09NkYugoXra0kI5ISvEzW8J9KFvLi8+nA/KY78h9tASD4IN1zYgq2DtLkS/f9eNy vQ+UR0y31ZtZ0LJ+ceqf656pAk5cUp4bN4aRcTOm0ZiN9ZYBgyPZxydaiJWnpJ49 4J4piUFMWFzH7mJQRzYs3Mw8vPBkW+MKQhms+SqKIRwMIGIQ7SVd6hV/mL2JRO4= =meSP -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: FAQ and GNU
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 17-10-09 11:06 PM, Robert J. Hansen wrote: > A request has been made that each instance of "Linux" in the FAQ > be replaced with "GNU/Linux". > > I'm not inclined to make this change. However, in order to make > sure that the FAQ reflects the community's wishes, I'm submitting > the proposal here for community feedback. > > If anyone has strong feelings on it one way or another, chime in. > > ___ Gnupg-users mailing > list Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > I just did a search for the term "Linux" in the FAQ. I did this so that the conversation would be about a concrete instance and not based so much on abstract concepts. The search returned four instances of the word "Linux". First match was a trademark attribution of the term "Linux" to Linus Torvalds. The second match was in a sub-header for section 3.6 "From where can I download it…" "… for Linux?" with text as follows (containing 3rd match) : "The bad news is there is no single, consistent way to install GnuPG on Linux systems. The good news is that it’s usually installed by default, so nothing needs to be downloaded!" In this context does Linux mean any system running the Linux kernel or does it mean something else? The fourth match is "… for Debian GNU/Linux or Ubuntu?" also a part of the section "From where can I download it…" Best Regards, Duane - -- Duane Whitty du...@nofroth.com -BEGIN PGP SIGNATURE- iQEcBAEBCAAGBQJZ3PIVAAoJEOJfpr8UVxtk0ssH/iL7zbDmN8vZ1SoqaCjqvY0E SZxOJvnngqFTb67R40v4W8VcFe0J/aRghXLDrhRzrfuBFdAirP3iwCSItZrqUiF0 U0t7WHhUaMywI/x4HfrIUDPqJOEYJRJvNXssj9UOoG3sR86FSEIZAj7Oe5GIEYaH FAmt1dG0GOlq1f/eQYsaekVWHT4aLyJI8HkqjCEihxUoSMjyFg0WxQBYN1kGSnUt 3JOzewW3tucUpRnnT1N6BXrnjk395fiOoLo8aNQaBoq8wiKETmgUnhcwRyWmuomb hAyrBh1Kk7vj5a/7iDPwt18gsiK2kT23nvTDxfhX+vSG18onYXhbj2vMAaVY0cc= =kWvQ -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: FAQ and GNU
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 17-10-10 10:13 AM, Mike Gerwitz wrote: > On Mon, Oct 09, 2017 at 22:06:17 -0400, Robert J. Hansen wrote: >> A request has been made that each instance of "Linux" in the FAQ >> be replaced with "GNU/Linux". > > GnuPG is part of the GNU operating system. Anywhere "Linux" is > used to describe the GNU/Linux operating system, "GNU/Linux" should > be used. > > Please see: > > https://www.gnu.org/prep/maintain/maintain.html#GNU-and-Linux > I respect your point-of-view and your right to express it. I would like to point out though that this link, from gnu.org, would be expected (at least by me) to promote a GNU centric and rightfully self-promoting view of how to proceed. > > > ___ Gnupg-users mailing > list Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > I believe FAQ should be left as is. Best Regards, Duane - -- Duane Whitty du...@nofroth.com -BEGIN PGP SIGNATURE- iQEcBAEBCAAGBQJZ3OknAAoJEOJfpr8UVxtkUIkIAJ4hMgWM7E9LMgM11up9fUBf pvJ2AqLy3hwhrZkifNA543D4VoENj9FpmaajzOkjqDYeLYMT63nlA+Xv5z8/WhKT hwqs5W0kUo4O8fhuy4dDcM9yJh1P9oSBuxMhtdv5MAupI5lRAPSmP9o71rhKTHeX RC4vPColGcqrnb+D/4M2mPxoEADHxn6Tj5UZuRSqMkbm9yaBwFTrLOPQGLKLYo/j ObRuuRzA56jojBfm8YmfB3JtQ1Aw0vi3fR89UMXq7Mk4ucChNEUIypUm+ld2OQ+c juPtpMsouPzSys8FMk5237wHV0ZP4SbCJG3X0Wrr49lLB1jwTIL4E75AUwpHXug= =Blzt -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Working with an Online and Offline Computer when using GnuPG - Best Practice?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 17-10-09 11:30 PM, Duane Whitty wrote: > > > On 17-10-09 01:53 PM, Stefan Claas wrote: >> Hi all, > >> A question for the experts. > >> I plan to buy me a little Netbook next year, to use it as an >> Offline Computer, for GnuPG usage. The idea is to use my Online >> Computer to send and receive messages and to encrypt and decrypt >> messages to use the Offline Computer. So far so good. My >> question is what is the best practice to transfer the Data >> between those two Computers? > >> I read once here on the Mailing List that one should only use >> trusted USB devices, whatever that means, when using an USB >> device. > >> My idea is to use the software minimodem between the two >> Computers, connected, when required, via audio cables. > >> Is this a good idea, or does something speaks against this >> method? > >> Any thoughts are welcome! > >> Regards Stefan > > > I'm a little surprised no one has reminded us that there are no > best practices, just practices that serve our needs depending on > what value we perceive our data to have and what we perceive the > capabilities of our adversaries to have, and what the consequences > of compromise are. > > After saying all that I recall reading an article by the > Washington Post (if I recall correctly) that they use two computers > in their "safe-drop" system. Again, IIRC, the computer connected > to the Internet is not ever connected to the computer used to > encrypt or decrypt messages. The computer used to encrypt/decrypt > is not connected to anything and is booted from a read-only CDROM > which also has any required software. Data transfer is done by > recording to a write-once CDROM. No clear text is ever on the > computer connected to the Internet. There are lots of other > details to think about (defense in depth) > > Best Regards, Duane > > I find this topic quite interesting so if I may comment a little more... Firstly, I think it's really easy to get carried away here with security measures one probably doesn't really need. If you do have a need for air-gapped computers then you also have a need for a lot of other security measures. 1) How good are the locks on the doors to your house? 2) What about your windows? 3) What about fire protection? 4) What about data backups? 5) Do you have a policy and mechanism in place for how long you keep dat a? 6) How about backup security, both on-site and off-site? 7) What mechanism will you use for media destruction when your policy indicates you don't need certain data any longer? 8) How are you protecting your public/private keys? 9)... I could continue to go on but maybe I'm getting carried away here. The point I'm trying to make is that if there are lots of attack vectors and just focusing on where you encrypt/decrypt messages doesn't necessarily make you that much more protected. Just my opinion and it's not meant as criticism just as "food for though t" Best Regards, Duane - -- Duane Whitty du...@nofroth.com -BEGIN PGP SIGNATURE- iQEcBAEBCAAGBQJZ3DWtAAoJEOJfpr8UVxtkvHwH/1Bhxs7BbkE9046GI5b6nTJi bkpEzamdKldIpA4TLPdxcfg1g5pNetddXCfXSxbvqcHE/yJyt57/4Uu4uucRHZfy WPAdyXzu4LfZbGuMZNApvyJhCulzHxbFRbbCDe0B0+Tpe/tD/x65jbys8U3KpcN9 bX4V4Lml5BkjbSLGxBMNhfu53lDS7Oc8fB+pDhxFjsKtz4xEF5FRXPdep3hm6gbF pzyX/0gCnyy2Lmb4QOowK08xHooPQcEf/g41pns4c/sXqRaNNm53ehlFtmtLsb9o HLkLHlibo6r3yhwTXVmJfmA37F+aD33i9NIFbreEJlclidEwnKTYapg/WSPo2cA= =BlK7 -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Working with an Online and Offline Computer when using GnuPG - Best Practice?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 17-10-09 01:53 PM, Stefan Claas wrote: > Hi all, > > A question for the experts. > > I plan to buy me a little Netbook next year, to use it as an > Offline Computer, for GnuPG usage. The idea is to use my Online > Computer to send and receive messages and to encrypt and decrypt > messages to use the Offline Computer. So far so good. My question > is what is the best practice to transfer the Data between those > two Computers? > > I read once here on the Mailing List that one should only use > trusted USB devices, whatever that means, when using an USB > device. > > My idea is to use the software minimodem between the two > Computers, connected, when required, via audio cables. > > Is this a good idea, or does something speaks against this method? > > Any thoughts are welcome! > > Regards Stefan > I'm a little surprised no one has reminded us that there are no best practices, just practices that serve our needs depending on what value we perceive our data to have and what we perceive the capabilities of our adversaries to have, and what the consequences of compromise are. After saying all that I recall reading an article by the Washington Post (if I recall correctly) that they use two computers in their "safe-drop" system. Again, IIRC, the computer connected to the Internet is not ever connected to the computer used to encrypt or decrypt messages. The computer used to encrypt/decrypt is not connected to anything and is booted from a read-only CDROM which also has any required software. Data transfer is done by recording to a write-once CDROM. No clear text is ever on the computer connected to the Internet. There are lots of other details to think about (defense in depth) Best Regards, Duane - -- Duane Whitty du...@nofroth.com -BEGIN PGP SIGNATURE- iQEcBAEBCAAGBQJZ3DC6AAoJEOJfpr8UVxtki/YH/Rj7+gl6usd3twkGQ10VuboR qHBBpd+0zMrjfHDS713K50wexox0noCoUd7NTLt1pI8Lrl5c56+pCgdIIG+AjToX XeOGXmydvS195EDBkuJM0WZhfmFLwN23sIHUXo2Pv/TpOJOQ23scsXRgNxM0ApeA 07HHD/Uh2AT9lo32i0kOx5zUkJLhdd63mhyHCkvYDaZxxGy29RsnwiEmG7YG69m6 faNxsRsecPBl1JnB/sPFdOYETjJHpVwmuWTwpGMQDFEZT37n8D8Ib66Tv7iPxMyr RUxUNbZ5mXNqQ/TAl/ZQyejP2uIEo6Erq9w+/MHDANWe752s4l6HLnitQJXSr/M= =NVie -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Houston, we have a problem
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 17-09-26 09:15 AM, Andrew Gallagher wrote: > On 26/09/17 12:30, Kristian Fiskerstrand wrote: >> On 09/26/2017 01:07 PM, Andrew Gallagher wrote: >>> So SKS should just say "unverified signature from >>> ". It should not repeat the purported user ID, nor >>> provide a search link that returns completely unrelated keys >>> that happen to have the same purported ID. >> >> No, that is also wrong, as it implies that anything is trusted >> unless otherwise stated. A malicious actor can claim it is >> verified all he/she wants (simply removing the disclaimer). > > Um, did you reply to the wrong paragraph? I did mention > disclaimers elsewhere, but only in passing (and tongue in cheek). > My argument is that we shouldn't be displaying unverified > information at all. > >> The user's default position NEEDS to be that nothing is verified >> until it is done locally or by an explicitly trusted third >> party. > > Absolutely. None of this is an argument against users having to do > things right. But the way to get users to do things right is to > train them to do things right from the start - and you do that by > railroading them down the straight and narrow and not even have the > option to do it any other way. That way, if the opportunity to do > it wrong arises in the future their first instinct will be "this > isn't how it's supposed to happen". If you can't train people > personally, you have to write your software so that the software > trains them. > Why? Ultimately are we not all responsible for our own actions? People should be required to make some effort. > WhatsApp gets the UX *very nearly* right. And since everyone and > his dog now uses it that's the new baseline. If it's easier to do > it wrong than in WhatsApp, it's broken. If it's harder to > understand than WhatsApp, it's broken. If you have to read more > instructions than WhatsApp, it's broken. > WhatsApp controls the key material. *Seems* safe so far but who knows. I personally would never put anything truly confidential over WhatsApp. And actually people are supposed to verify that they are messaging who they think they are messaging by doing a comparison of fingerprints or ids or whatever they are called. I only message one person with it so it's been a while since I've had to do it. But I am willing to bet lots of users don't do that verification step. It's a good UX but not perfect. Same goes for GPG in my opinion. It's good but not perfect. It never will be and I don't believe any (security) software will ever have a perfect mix of features for all users and use cases out of the "box" > It's no good implementing something correctly if it can be applied > incorrectly. Murphy's Law applies. > I don't want my software or its developers acting like my big brother! >> being able to browse the keyserver directly is too useful for >> debugging to completely remove > > Indeed, but is it necessary to display the untrustworthy user-ID > on signatures? The fingerprint should be sufficient. > > > > ___ Gnupg-users mailing > list Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > Best Regards, Duane - -- Duane Whitty du...@nofroth.com -BEGIN PGP SIGNATURE- iQEcBAEBCAAGBQJZykjZAAoJEOJfpr8UVxtkeY4IAKL6A0KqGm85yzSrEh6Stj5z sC86fbEtP/xXkrbYdUDVfkEYuj3AqkNL+E4AaJXO0xT8limk4COMRwl8346V9J7O dzNIjdHAXU0iGrIBxj+CWILyY4qxTnmDar9ef+7lKxFAbJ8pUBJVxzeh0Ci2Al2L hYXhWBrCyjqHqbMmAB/JaUBJy4BTCHNAFy704rblB2ZbqKAqbQpaTP+Jx14HWCQG saSZn8qZwbiAnVcX4vUzssOi5Ls81eEU4W5GPGOqw7u5CvyadgXuJB8578B3qjHH I9JQAIom6xrw3V8USwqsBCO4W9v3+C3fcT1WXivOJsZbKqJDRodjtBrxvKuI1/k= =oYMp -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: fingerprint of key
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 17-08-17 09:20 PM, Daniel Kahn Gillmor wrote: > On Mon 2017-08-14 22:12:18 -0300, Duane Whitty wrote: >> Actually one suggestion, the way options and commands are >> specified look the same. It might make things clearer if there >> was a difference in the way they are expressed on the command >> line. Perhaps keep the "--" for options and enter commands >> without the "--". > > I also prefer this kind of "subcommand" syntax -- it matches what > tools like git and notmuch use. However, that's a pretty radical > departure from the historical GnuPG command line, and it's likely > to break all sorts of existing things that expect to use the > canonical interface. > > If we're going to make radical departures like that, perhaps we > should be specifying an entirely new interface that just does "the > sensible bits" without all the rest of the arcana. > > --dkg > Well, I'm not familiar enough with the arcana to say whether it should be done away with or not but, I am a big believer in software not trying to guess what I want. As you said, in version 2.1 GnuPG would have complained that I hadn't entered a command, correct? Does this also mean it would have not carried out any action. In my opinion that would be the correct behaviour. I am also a fan of the Unix tradition of software that completes without error not having any output unless you have asked for output. Error output going to stderr of course :-) I have to admit to being a little hesitant making these types of comments because I don't feel I contributed enough (if anything) to have earned that right. But perhaps as a user the comment is a small contribution. I hope it is seen that way and not as a complaint. Best Regards, Duane - -- Duane Whitty du...@nofroth.com -BEGIN PGP SIGNATURE- iQEcBAEBCAAGBQJZlkdxAAoJEOJfpr8UVxtkwXwIAKg6U2hJM2v0469V3Q+dr2k8 6cn8+6nwdkARZQhABP+iSOLbFcnaGL2RLzw26+47E3pqf1X837VeHnsdBZvzQYTQ oXB/0YTmhjsjL6hpN1V5N5+CHkmMwbwyoHD7XGFpETA/1RfgrhlkqUtcfqjBCUw6 zAvUeD6/rxhASeBb1A231924iSUFqqhkf0IXGvgJmrmIU2hPCZPkdwnxEQ+Lm5K5 8AhsnEKdE3mABlqr0mMM/uuYLI1bknxYT2QtIU2Q1gwH0af4+WqLdcv9H4dMAmQS HYfYv8s8MAyoqPNZs2QXOg76TBhPHF382MYLGCzT9rHMWaRLk/6zmCZKOSiGtO0= =5mpS -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: fingerprint of key
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 17-08-17 09:18 PM, Daniel Kahn Gillmor wrote: > On Mon 2017-08-14 21:50:13 -0300, Duane Whitty wrote: >> I perceive keys in my keyring as being ones I trust because of >> out-of-band confirmation and used for two-way communications. > > You're not the only person with this perception. But i'm afraid i > think it's a mistake, unfortunately. > > Actually safely curating an OpenPGP keyring with GnuPG is a > non-trivial task. As an example, here's a damned-if-you-do, > damned-if-you-don't conundrum: > > Do you refresh the OpenPGP certificates in the keyring > regularly (e.g. from the keyservers)? if you do not, then you risk > missing notice of revocations, so you probably have some revoked > keys in your keyring which you didn't know you had. > > If you do refresh them regularly, then it's possible that things > (new user IDs, etc) get added to the certificates in your keyring > during the refresh (or possibly whole new certificates get added > entirely), and it contains things you've never actually vetted. > > > > So, how to resolve this? > > The short version is that you should treat your GnuPG keyring as > an untrusted collection of OpenPGP certificates that you know > about. But you can explicitly mark the certificates that you think > are legitimate by certifying them ("signing the keys"). In > particular, you can make non-exportable ("local") signatures over > the key+userid combinations that you have actually confirmed > out-of-band. > > Even better, if you do that with a key which you have marked with > "ultimate" ownertrust, then GnuPG will report a "validity" for > those user IDs you've signed that matches what you intended to do, > which is to curate a list of known-valid key+userid combinations. > > But treating the whole local keyring as a curated store is a > mistake. GnuPG doesn't work that way, and it doesn't expect to work > that way :( Sounds like a good approach but for someone who has more public keys stored than me. I only exchange encrypted email with a very, very small group of people and I am in regular voice communication with them. But I definitely see the merit in what you describe and believe that it is a cautious way of proceeding. I may even try working that way just to practice for the day when perhaps I consider it necessary to exchange encrypted mail with people I don't know well and don't talk with in person or on the telephone regularly. I guess using that approach I could import public keys from users on this list and then assign them various levels of trust, right down to no trust and not locally signed at all. > >> I think the VirtualBox key is just to give people assurance that >> they are downloading what they intended to download from the >> source they expected, in this case via apt or apt-get, etc. from >> an Oracle repo. > > If you fetch the key each time you download something that you want > to check against the key, how do you know it's the right key over > time? If it's "the right key" because it was fetched over a secure > channel from Oracle, why not just fetch the software over that > channel? > I suppose I chose to use apt or apt-get because it seems like a more convenient way to update things as opposed to getting it straight from Oracle. > The advantage of having a key stored locally is that you only have > to risk that network-fetch once; then you can make a local > certification over its sensible VirtualBox User ID, to mark it as > the expected key (If the User ID is *not* sensible, please complain > to VirtualBox!). Then all future updates can be verified against > the same key. > > Do you see how that's better than fetching the key each time? > Well, I see it potentially as less work but not less risk. I downloaded the key using wget and https. Then I check the validity of the key by comparing the fingerprint generated by GnuPG with what Oracle publishes on the VirtualBox site. Downloading the key once works if I implement your previous key/keyring management solution. Also, bear in mind, no software gets updated automatically on my system. I get notified of updates but when the update happens is up to me. >> I'm not exactly sure what a good suggestion would be. Would it >> be correct to say that going forward usability changes would >> probably be more likely to happen in the 2.1 branch? If so I >> guess I should upgrade to the 2.1 branch. > > If a major change is going to happen in GnuPG, it will be in the > 2.1 branch (or in 2.3 once 2.2 is released). the older branches of
Re: fingerprint of key
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 17-08-14 09:50 PM, Duane Whitty wrote: > > > On 17-08-14 08:50 PM, Daniel Kahn Gillmor wrote: >> On Mon 2017-08-14 19:03:19 -0300, Duane Whitty wrote: >>> I did not and still do not want to import the oracle_vbox >>> public key into my key ring. I am happy to download it and >>> check it each time. > >> I think this is an interesting choice, but i don't understand >> why you've made it. Can you say more about why you don't want >> to import the key, and why you prefer to fetch it each time? > I perceive keys in my keyring as being ones I trust because of > out-of-band confirmation and used for two-way communications. I > think the VirtualBox key is just to give people assurance that they > are downloading what they intended to download from the source > they expected, in this case via apt or apt-get, etc. from an Oracle > repo. > > >>> Before I go down the road on offering an opinion on how the >>> man page should be "fixed" (maybe it's not really broken) can >>> you explain why it would be bad to let gpg generate and display >>> the fingerprint of a key in an ascii armoured file? > >> I'm not saying it's "bad" -- it's just not what --fingerprint >> does. > >> --fingerprint List all keys (or the specified ones) along with >> their finger‐ prints. This is the same output as >> --list-keys but with the additional output of a line with the >> fingerprint. May also be combined with --list-signatures or >> --check-signatures. If this command is given twice, the >> fingerprints of all secondary keys are listed too. This >> command also forces pretty printing of fingerprints if the keyid >> format has been set to "none". > >> So it's like --list-keys, which says: > >> --list-keys -k --list-public-keys List the specified keys. If >> no keys are specified, then all keys from the configured >> public keyrings are listed. > > >> in other words (or maybe it's not as explicitly stated as it >> should be), "list all the keys in your keyring that match the >> specification". This command is not intended for listing >> fingerprints of keys that come in on stdin, or of an external >> file. > > To me that reads as "if you provide a key then the fingerprint for > that key will be provided otherwise your keyring will be used". > Thanks for correcting my understanding. >> That said, you could combine it with: > >> --no-default-keyring --keyring /path/to/file.gpg > >> (as long as the file wasn't ascii-armored, and as long as you >> weren't concerned about updating your trustdb by accident, etc). >>> Again, i'm not saying this is particularly user-friendly, i'm >>> just >> trying to help you understand the current state of the tool. > >> If you have specific suggestions for how to improve the tool, >> please suggest them! >>> --dkg > > > I'm not exactly sure what a good suggestion would be. Would it be > correct to say that going forward usability changes would probably > be more likely to happen in the 2.1 branch? If so I guess I > should upgrade to the 2.1 branch. > > I can say that what I usually end up being challenged by is > importing keys into my keyring and on being able to choose which > UID I want to sign with. Maybe that just means I don't know the > software well enough. > > For instance, last night I wanted to add a friend's new public key > to my keyring. Gpg wouldn't add the key based on his email. I had > to use his email to search the key server and then use the > fingerprint of his new key to add it to my keyring. > > The approach I took was "gpg2 --search u...@domain.com" and "gpg2 > --recv-keys key-fingerprint". Then I did a "gpg2 --edit-key > key-fingerprint" to sign the key with my default UID. I thought I > would get a menu to select options from when I used --edit-key but > instead I was presented with the prompt "gpg>" and I had to type > the sign command. It worked but I might have chosen to sign the > key with a key from a different UID. Not sure if my method of > importing to my keyring and signing the new public key was the > usual or easiest method but it worked. > > Not sure there's actually a suggestion for improvement in there > :-) but you've given me a lot to consider and digest. Sincerely, > thanks! I love learning this stuff. > > > Best Regar
Re: fingerprint of key
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 17-08-14 08:50 PM, Daniel Kahn Gillmor wrote: > On Mon 2017-08-14 19:03:19 -0300, Duane Whitty wrote: >> I did not and still do not want to import the oracle_vbox public >> key into my key ring. I am happy to download it and check it >> each time. > > I think this is an interesting choice, but i don't understand why > you've made it. Can you say more about why you don't want to > import the key, and why you prefer to fetch it each time? I perceive keys in my keyring as being ones I trust because of out-of-band confirmation and used for two-way communications. I think the VirtualBox key is just to give people assurance that they are downloading what they intended to download from the source they expected, in this case via apt or apt-get, etc. from an Oracle repo. > >> Before I go down the road on offering an opinion on how the man >> page should be "fixed" (maybe it's not really broken) can you >> explain why it would be bad to let gpg generate and display the >> fingerprint of a key in an ascii armoured file? > > I'm not saying it's "bad" -- it's just not what --fingerprint > does. > > --fingerprint List all keys (or the specified ones) along with > their finger‐ prints. This is the same output as --list-keys > but with the additional output of a line with the fingerprint. May > also be combined with --list-signatures or --check-signatures. > If this command is given twice, the fingerprints of all secondary > keys are listed too. This command also forces pretty printing > of fingerprints if the keyid format has been set to "none". > > So it's like --list-keys, which says: > > --list-keys -k --list-public-keys List the specified keys. If no > keys are specified, then all keys from the configured public > keyrings are listed. > > > in other words (or maybe it's not as explicitly stated as it should > be), "list all the keys in your keyring that match the > specification". This command is not intended for listing > fingerprints of keys that come in on stdin, or of an external > file. > To me that reads as "if you provide a key then the fingerprint for that key will be provided otherwise your keyring will be used". Thanks for correcting my understanding. > That said, you could combine it with: > > --no-default-keyring --keyring /path/to/file.gpg > > (as long as the file wasn't ascii-armored, and as long as you > weren't concerned about updating your trustdb by accident, etc). >> Again, i'm not saying this is particularly user-friendly, i'm >> just > trying to help you understand the current state of the tool. > > If you have specific suggestions for how to improve the tool, > please suggest them! >> --dkg > I'm not exactly sure what a good suggestion would be. Would it be correct to say that going forward usability changes would probably be more likely to happen in the 2.1 branch? If so I guess I should upgrade to the 2.1 branch. I can say that what I usually end up being challenged by is importing keys into my keyring and on being able to choose which UID I want to sign with. Maybe that just means I don't know the software well enough. For instance, last night I wanted to add a friend's new public key to my keyring. Gpg wouldn't add the key based on his email. I had to use his email to search the key server and then use the fingerprint of his new key to add it to my keyring. The approach I took was "gpg2 --search u...@domain.com" and "gpg2 - --recv-keys key-fingerprint". Then I did a "gpg2 --edit-key key-fingerprint" to sign the key with my default UID. I thought I would get a menu to select options from when I used --edit-key but instead I was presented with the prompt "gpg>" and I had to type the sign command. It worked but I might have chosen to sign the key with a key from a different UID. Not sure if my method of importing to my keyring and signing the new public key was the usual or easiest method but it worked. Not sure there's actually a suggestion for improvement in there :-) but you've given me a lot to consider and digest. Sincerely, thanks! I love learning this stuff. Best Regards, Duane - -- Duane Whitty du...@nofroth.com -BEGIN PGP SIGNATURE- iQEcBAEBCAAGBQJZkkVBAAoJEOJfpr8UVxtkBDsH/0zoAMEuKvkkIzVC1r6v8kq9 Tmbqvd7i4Q8YobiExGilUXSx/s0psq4JKo1qcbvpuXnsRhJM+3/tH6TTgvdLJJOq Em8NN7HygzJ3Fhb7RaGZS9dBv2FQFem3qk+oFHzUMUlUGF1gF+agpeFM/CwKGsMk ClmBW9pSqQzH2z+hWXQPdAA8k8X2Wi3KH5BlrBT3kEKw+XdUJOqme8YPqWlo97XQ /BKmpPjiBiEE7qWkOXKTdD9ySIx/XO6fmcxvJEbvqygdjh/zp/Cm5jW2MrPoQC5N jWR18G8cRa5euNfXrzvyGm5o3SZTvoOEX3VHXPvQU8tyYVOV3sQVyM2hUWpyTfg= =ZuO1 -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: fingerprint of key
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 17-08-14 05:58 PM, Daniel Kahn Gillmor wrote: > On Mon 2017-08-14 13:25:58 -0300, Duane Whitty wrote: >> Thanks for your response. So, what you are saying is that the >> man page is wrong ;-) > > I didn't think that was what i was saying, but there have certainly > been bugs in the documentation in the past. Is there specific text > that you think is wrong? do you have a suggestion about what it > should be changed to? > > --dkg > The situation is a little more clear since your last response. If I may quote you: "the trouble with these two invocations of gpg is that they offer no command. Each invocation of GnuPG is supposed to include exactly one command and zero or more options. ..." I ran gpg2 --with-fingerprint oracle_vbox.asc which did what I wanted and I received no complaints. I did not and still do not want to import the oracle_vbox public key into my key ring. I am happy to download it and check it each time. When I looked at the man page for how to do this it looked like gpg2 - --fingerprint oracle_vbox.asc should do the job but as you have pointed out gpg expects a key in my keyring to perform that action on. After reading the man page several times for the 1.4 and 2.0 versions I can see nothing that would make me believe that I needed to provide the program with a key from my keyring. That's fine though, I'm still learning. Now that you point it out I can see that --with-fingerprint is an option under the section "Key related options" and so it makes sense that a command should be entered as well. I am not sure I understand why it would be bad to do the following, which implies not importing the key to a keyring: gpg --with-fingerprint --fingerprint < public-key-file.asc where I substituted --fingerprint for --import However if I do that it's the same as running: gpg2 --with-fingerprint --fingerprint and the oracle_vbox.asc file containing the key is completely ignored and there are no warnings that it was ignored. Before I go down the road on offering an opinion on how the man page should be "fixed" (maybe it's not really broken) can you explain why it would be bad to let gpg generate and display the fingerprint of a key in an ascii armoured file? By the way, I really appreciate the assistance you're giving me in helping me to understand this. I know your busy. Best Regards, Duane - -- Duane Whitty du...@nofroth.com -BEGIN PGP SIGNATURE- iQEcBAEBCAAGBQJZkh4hAAoJEOJfpr8UVxtkwj0H/0bPfVYbKMlbvLBsF+9pTFPW 9PwNRA47dARN8eBwtRr106br0iCLFxs31ObXyh80M+cGJFTIQN61y3FfD8GsEv9/ BS9xzjHv4q/sO+pF2yOy2ygmjoxouvbPIL86yobhJA+bKBw4piH9UxaPnQmO+SLC j450uLxl2C7ZWOcSI4bi0myHTnsZkvkbrPlYfo0zjbyJXIP+3DonRZhhVR2nzUwr DNX1K5TRy2Dw4NN430o0q9Bcef05XywExJFpCaxFWDOJdTgwVOkrfodDoaXKotjx M+nqD9sduQHXiCeXR1cN7aZ9rYCJ301xeFAiRJTOHl/sTUpoEdP2sj5i3Fog+pQ= =mBYf -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: fingerprint of key
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 17-08-14 12:14 PM, Daniel Kahn Gillmor wrote: > On Mon 2017-08-14 03:32:08 -0300, Duane Whitty wrote: >> I was recently trying to compare the fingerprint of a key I >> downloaded to its online stated value. I thought I should be >> able to accomplish my goal with "gpg --fingerprint >> public-key-file.asc". Gpg returned "gpg: error reading key: No >> public key" > > "gpg --fingerprint" displays the fingerprint of a key that is > already in the user's keyring. > > you'll need to "gpg --import public-key-file.asc" first, and then > ask for its fingerprint, especially with older versions of gnupg. > > If you really want to isolate the imported key, you can use an > ephemeral GNUPGHOME directory, like so: > > export GNUPGHOME=$(mktemp -d) gpg --import < public-key-file.asc > gpg --fingerprint rm -rf $GNUPGHOME > > with more modern versions of gnupg, you can just use: > > gpg --with-fingerprint --import-options show-only --import < > public-key-file.asc > > hth, > > --dkg > Hi Daniel, Thanks for your response. So, what you are saying is that the man page is wrong ;-) Best Regards, Duane - -- Duane Whitty du...@nofroth.com -BEGIN PGP SIGNATURE- iQEcBAEBCAAGBQJZkc8RAAoJEOJfpr8UVxtk+5MIAKEtESbPZG+CHDr6hh+dkRaf OhlOQyNw9HuZzAhOXKQZKXukiwDSinlOQ+cJn4JbYtYUVZtDCQz/mu/WAkgtdN5U WM4FrZYxciDdJrZKzD4i+sc6MujKo2UEeTz4MqDO1DhKaD94fJ3EqRakPzmD6t7Y 1F6mvWDquz0Camr41NTrrkB3v6ISt7b/TA3H5v/XJCfZ9Wv5GHNKxzFeftmBEcQY lw/9geYKRahIFKGdMHVA2eQQteW4uq8wMgJSDUEOuxv/WyztWxvNeiwzZtjhAYl2 3J1j3pvL9XV7Q/Y+u/sjE941ieVSr3nbm7xy/VW5GLyWxWP3/dgjsh0CEaqGTjM= =TLc2 -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
fingerprint of key
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Tested on: $ gpg --version gpg (GnuPG) 1.4.16 $ gpg2 --version gpg (GnuPG) 2.0.22 lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description:Ubuntu 14.04.5 LTS Release:14.04 Codename: trusty I was recently trying to compare the fingerprint of a key I downloaded to its online stated value. I thought I should be able to accomplish my goal with "gpg --fingerprint public-key-file.asc". Gpg returned "gpg: error reading key: No public key" So I did a search and found --with-fingerprint. Worked as I hoped it would. According to gpg(1) and gpg2(1) - "--with-fingerprint Same as the command --fingerprint but changes only the format of the output and may be used together with another command." So is this a bug in gpg or a bug in the man page or am I missing something so trivial and obvious that I will smack myself in the forehead when someone points it out to me? I understand dev cycles are being focused primarily(?) on the 2.1 branch but I figured this might be worth mentioning. I confess, I haven't checked the archives to see if it already has been. Best Regards, Duane - -- Duane Whitty du...@nofroth.com -BEGIN PGP SIGNATURE- iQEcBAEBCAAGBQJZkUPfAAoJEOJfpr8UVxtkLy8H/3ffsaDpy1YWfZNjRBTu3vGZ H/QrXGa7Mo7I9yFTojhyI9u9GCPzPu3sl/ZbvwGXEVpMoME5VuU8Fz5Dl1DGd9GF E1qT6Kk2L+H/eZiQNc4LFXjn3TQXNCIjq/HFiw7Eh/31eUcBZ+6/kjd9pvRmtzEO S4SAVn36PId23pZln/qaLJIpgmqBdGKWZ9KtmguDu9mMr63SDfJXRrSxdTvkjEBT 8w/3C3bs1/i0qEUepGXAlIIsllSQ2OgUZB477JTk8YfH/LH5WHDLvm+tHcTZ5Jg7 uYstNr8dgQEWSmqvWrQXBCZp3qTSfI1xW7Nzug8DtNFZ1Np2uhVuo2Uqv5HIZcg= =t2JQ -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons
On 17-06-12 05:45 PM, Stefan Claas wrote: > On 12.06.17 22:35, Robert J. Hansen wrote: >>> Is there something like a Standard Operating Procedure for GnuPG >>> available, which fulfills security experts demands, and which can >>> easily be adapted by an average GnuPG user, regardless of platform >>> and client he/she uses? >> No. More to the point, there can't be. Each user faces threats >> specific to that user; each user is responsible for their own threat >> modeling. >> >> But follow the steps I outlined before and you'll significantly improve >> your online security. You won't be perfect -- there is no such thing as >> perfection. You won't be a hardened target -- that takes a lot of work. >> But follow those steps and you'll have taken care of the easy ways that >> your machine can be compromised. >> > > Thank you very much for your advise, much appreciated! > > Regards > Stefan > > > ___ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > I'm not one of the many experts on the list you refer to so you'll have to judge for yourself the usefulness of my procedures. Comments from more experienced users welcome as well, of course, and some very experienced users have given you very good advice already. Some of things I do include setting a password on the BIOS and HD and turning my computer off when I'm not using it. My reason for those steps is that I am hoping it would introduce enough of a roadblock that should someone gain physical access to my computer (a laptop) they would need to take it with them in order to compromise it. I also don't click on any links in emails. As well, I don't open any PDF files I don't trust. I believe also that it's important to consider what operating system you use. Some people believe that with certain OSs you are compromised the minute you install said OS and are actually fulfilling the role of Mallory against yourself. This is to say that I believe Open Source is beneficial not that it is the complete solution. I would also add one word about USB sticks: It is very difficult to know if they've been compromised and there are no tell-tale signs when an attack is taking place. I never put a USB in my computer that has been used on a computer I don't own. Best Regards, Duane -- Duane Whitty du...@nofroth.com signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons
On 17-06-05 11:11 PM, Daniel Kahn Gillmor wrote: > On Tue 2017-06-06 01:24:43 +0200, Stefan Claas wrote: >> On 05.06.17 22:26, Daniel Kahn Gillmor wrote: >>> what does "bullet-proof" mean, specifically? >> >> For me it means that the idendicons should be visually easy to read >> and cryptographically secure. Sorry that i have no better explanation. > > here's one way to try to frame the question: Imagine the situation as a > game, where you have two players on one team, "defense" named Alice and > Bob; Alice wants to send a message to Bob. Another player on the > opposing team, "offense", is named Mallory, is trying to send a message > to Bob as well, but trying to trick Bob into thinking that the incoming > message comes from Alice. > > The way the game is played, either Alice or Mallory gets to send a > message. Bob has to decide whether the message actually came from > Alice. If Bob gets it right, the "defense" wins. If Bob gets it wrong, > the "offense" wins. The game is played multiple times. > > Is that the scenario you're thinking of? If so, does the defense need > to win 100% of the time over thousands of games? or is it acceptable > for offense to win occasionally? > > In any case question is: how much work does Mallory need to do to get > Bob to make a mistake? How frequently can Mallory trick Bob into > accepting mail from her as though it were from Alice? Conversely, how > many messages that were actually from Alice can Bob accidentally reject > without making Alice upset enough to give up on the entire > communications scheme? > > When you frame the problem this way, you can start thinking more > concretely about what "bulletproof" means, and you can actually design > user trials to test proposals. > > There are probably other ways to concretize the problem, this is just > one that i've come up with. But without a concrete way to understand > what we're looking for, words like "bullet proof" or "easy to read" or > "cryptographically secure" are tough to get people to agree on. > > I suspect (as discussed upthread) that TOFU will have better metrics for > "defense" at the game described above than any attempt that involves > asking people to visually distinguish deterministically-generated > identicons. But i don't know, because i haven't tested it. > >--dkg > Excellent scenario and explanation Daniel, thank you! I firmly believe your suspicions regarding identicons will be fully shown accurate. However, I am having difficulty following how TOFU would/could provide better metrics for the "defense" side of the game. As I understand the concept of TOFU (Trust On First Use), when you receive a signed email gpg tests that signature against the key retrieved from the public key servers associated with the email. To me this says nothing about whether you are actually communicating with who you think you are communicating with. It justs says "Yes, the signature on the email you received was generated by the same key associated with that email address on the public key servers." This is not enough to convince me I am communicating with someone I know. For instance, I have not imported even one of the many keys I receive from emails to this mailing list into my keyring because there is no trust there. And when I move to gpg 2.1 I will make certain that TOFU is not enabled. I think TOFU could potentially be a win for Mallory. TOFU may make people more likely to take for granted that they are communicating with a trusted party because the email they received says it's someone they trust and GPG says it's a good signature from al...@example.com. The problem with this is that they never communicated with Alice to learn her email address is actually al...@trustme.com. My personal opinion, for whatever that is worth, is that TOFU is going to have people sending signed/encrypted email back and forth to each other without them having done the work to ensure they are actually communicating with their intended parties. Trust takes work. Once the work on establishing identities has been done and trust has been established there is no need to remember keys because the key will be locally associated with the email address belonging to the trusted party you wish to communicate with. Best Regards, Duane -- Duane Whitty du...@nofroth.com signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Don't send encrypted messages to random users to test your gpg
Hi list, When I checked my email this morning I had an encrypted message from someone I didn't know and had never heard of signed with a signature for which no public key was available. When I saw the email with a subject "test, test, hello" (or something to that effect" I decided not to let Thunderbird/Enigmail process it but rather I copy and pasted the cypher text into a file and used the command line to look at it.. The message and relevant gpg output was: "Subject: test, test - hello hey, i hope you don't mind - I just wanted to test using GPG and I picked you at random." gpg: Signature made Mon 29 May 2017 02:59:23 AM ADT gpg:using RSA key (deleting for email to list) gpg: Can't check signature: No public key" To the person who sent me this my reply is that yes I do mind. I tend to believe no harm is intended and I'm not terribly upset over it but I consider it to be bad Internet etiquette. It would be only a little more acceptable if you had published your public key so that the signature you used to sign with could at least be verified. Having hashed that out welcome to the community :-) To test your setup try this link, https://emailselfdefense.fsf.org/en/ I haven't used it myself but unless someone from the list knows why it shouldn't be used it should fine. I also highly recommend reading https://www.gnupg.org/faq/gnupg-faq.html The above links are just to get started. Happy pgp'ing Best Regards, Duane -- Duane Whitty du...@nofroth.com signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Mailvelope browser extension for webmail
Hi list, Thoughts on the Mailvelope browser extension...? Here's some of their material: https://www.mailvelope.com/en/faq "What is the purpose of this project? Mailvelope is an easy-to-use web-browser extension which brings OpenPGP encryption to webmail services such as Gmail™, Yahoo™ and others. With its unintrusive interface fully integrated into your webmail service, Mailvelope instantly secures your personal and professional email communications." Next one seems a little concerning to me but I'm no browser expert: "Where are my keys stored? Mailvelope stores the keys in the local storage of the browser and only there. This is a file in the user data directory of Chrome or the profiles folder of Firefox. If you clear temporary browsing data this will not affect the key storage of Mailvelope. If you delete the Mailvelope Chrome extension, then the key storage will also be removed from your file system. On Firefox there is an additional confirmation dialog once you remove the Mailvelope add-on that allows to delete all keys or leave them in the profile folder of the system." https://www.mailvelope.com/en/blog/security-warning-mailvelope-in-firefox "15/05/2017 | Security notice: Mailvelope in the current version of Firefox browser. We are in the possession of a security audit that was requested by the email provider Posteo and conducted by Cure53, which has revealed that the Firefox security structure is currently unable to offer a sufficiently safe environment for the Mailvelope browser extension. Mailvelope naturally relies on the security of the underlying browser platform. In the present case, we are unable to offer a remedy ourselves. Nevertheless, Mozilla is already working on a fundamental improvement of the add-on system. In November 2017, Firefox is scheduled to finally switch to an overhauled add-on structure, which will then offer sufficient protection against attacks. A new Mailvelope version for the new, improved Firefox structure is already in the making. Until Mozilla has modified the architecture, the following safety recommendations apply: Be sure to use a separate Firefox profile for Mailvelope with no other extensions installed. Make sure your password for your PGP key is as secure as possible. Take care that you do not accidentally install any other add-ons in this profile, which may make you vulnerable to attacks. The security audit also demonstrated some positive results regarding Mailvelope. Posteo writes about this: There was a check made as to whether email providers for which Mailvelope is used could access a Mailvelope user’s private keys saved in the browser – this was not possible. All other attempts made by the security engineers to access private keys saved in Mailvelope, such as operating third party websites or man-in-the-middle attacks, were also unsuccessful. Security Audits such as the one performed by Posteo serve as an important indicator that shows how we can further improve Mailvelope. At this point, we’d like to thank Posteo for conducting the audit and thus their contribution to the Mailvelope project." I didn't see any Google related security information or notices. Best Regards, Duane -- Duane Whitty du...@nofroth.com signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Smart card
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 17-04-10 12:25 AM, Robert J. Hansen wrote: >> I think this is being confounded by adjoining two >> conversations---that smartcards provide additional security given >> a compromised system, and the satirical quote your provided. I >> was referring in this case to the latter. > > If you send or receive sensitive communications from a compromised > endpoint, you're screwed. The smartcard will not save you. It > can't. > > When I hear people talk about how the smartcard will keep their > keys safe even after a system compromise, I hear that as being like > a survivalist talking about how great it is his tiny bomb shelter > will keep his seeds safe after a direct hit from a nuclear bomb. > Great, I'm very happy for you, but you're giving *terrible* advice > to people who are worried about the bomb dropping. Even > encouraging them to move somewhere that's not a high-priority > target for a nuclear strike, as impractical as that advice is, is > better. > >> My point is that if you base your entire threat model and >> practices on the fact that some attacker somewhere is going to >> succeed in a targeted attack against you, then you may as well >> give up on security period. > > If your threat model includes Tier-1 actors, you're gonna get > Mossaded. > > You. Cannot. Win. > > Therefore, any threat model that assumes you're the target of > Tier-1 interest is inherently -- I'll say it again -- screwed. > Once you become a target of Tier-1 interest it's all over. > > Don't come to their attention. And don't mislead newbies by making > them think they can win against Tier-1s, either. > >> You seem to be suggesting that key safety isn't even a concern if >> you're compromised---that nothing else matters, and the >> distinction between a compromise as you described with or without >> access to the key(s) is irrelevant. > > You seem to think that your bomb shelter surrounded by five > hundred meters of radioactive fused glass is somehow a win. After > all, your keys are safe, right? > > Preserve the security of your endpoint system. Nothing else will > do. > > ___ Gnupg-users mailing > list Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > <> What if it's your business that's the target of tier 1 Western Intelligence actors who are interested in collecting intelligence on said target so as to bestow competitive advantage to your competitors for whatever the reason may be? My explicit assumptions for such a situation is that they don't want their target to know they are under surveillance and as result they aren't going to be knee-capping the target's employees to get their desired information. Business premises and data at rest and in transit is fair game as is the use of malware, root kits, warrantless wiretaps, etc. Perhaps the situation is that you're a Canadian jet engine manufacturer that has come up with a prototype for super efficient mach 2 capable engines for commercial aircraft :-D Of course you want to make sure that you and your engineers and other employees with access to sensitive data employ whatever measures you can to avoid a data compromise. :-D Obviously I'm trying to lighten the mood a little and still explore what the possibility is, if any, of protecting data from the prying eyes of tier 1 actors who might not think that what you have is important enough to kill or injure you for but that they would try very hard to get by employing other efforts. I'm not saying having a smart card reader and a pin pad here is going to be the magic amulet to protect your interests. <> Best Regards, Duane - -- Duane Whitty -BEGIN PGP SIGNATURE- iQEcBAEBCAAGBQJY68CqAAoJEOJfpr8UVxtkPOIH/jpUNl8F1UCzfMUq1MGSK3Dk eapTNjg4iX8slRTqrLLc/JNmjoqHQjYgVTMLd5suwse+JIt/diaKwThTgxUov6Wc k5xRtlFILb7XMJNveEL6kK919Sgwm0I/AHIaIffNjIAXIoItfJ3yeZrqW5a0vD6+ AZHylpvtohXnGgEMN6TcNUm+D4VoBTRHz6G4BoxuUuV9iXWveVPaDDuion+swpDn o3EbHcqaJI53bRwDH1+2adJqCxHssc1Ph2q7ySH8ZKxUIwCYilGw5HBMoDUdRtoC 4nVFmv8xbVZcGNB1ZEdt0HWZzMc1H2fb+nTvRYjc3vjAzMBaXosbgzaj9orUnZE= =qDYH -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How do you help someone to encrypted email (Re: How do you let your M.D. ...)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 16-12-02 03:39 AM, Bernhard Reiter wrote: >> so that it's easier for folks unfamiliar to setup and use than >> having to go over the too long material > > Within next year, someone will just need to use an email client > that support the following technical solution: > > https://wiki.gnupg.org/WKD > > This is something the GnuPG team is actively working on. > > Best Regards, Bernhard > > > > ___ Gnupg-users mailing > list Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > First let me say thank you to the developers of gnupg and all the tools and scripts and everything else that goes into creating and running a project as complex as this. And thanks to all the helpful people on the list. Regarding WKD: I'm sure this will be a great tool for fetching public keys and will make life easier for many people on this list. Thank you for your efforts Bernhard! (Putting on fireproof suit :-) ) My personal feeling and opinion however is that public key management is not the barrier to adoption of gnupg for everyday users who would like to increase their security. I believe that outside of the lack of awareness that their privacy is being ignored, the problem is mostly private key management and the unfortunate fact that most of the email clients that most people use on the most popular platforms don't support encrypting and decrypting mail. I'll be the first to admit that I don't know how to make it easy for users to be able to generate a private/public key pair wherein the private key can be stored relatively securely and be available for use with their gmail or other email platform of choice from the desktop, laptop, tablet, and phone. Sure you can use a smart card reader to solve the availability issues but then you have to deal with all the software issues. Most people have no knowledge about any of this let alone the existence of tools like smart card readers. I realize there is an argument to be made that people need to exercise personal responsibility when it comes to their security. But I believe adoption will be limited to the technically adept until we can make using encryption and decryption an understandable and short process for people who only use their computers to run "canned" applications and send mail. (Thinking out loud) I wonder if a solution akin to what the password managers do is possible? Maybe storing a private key in a password manager would work for a lot of users. It's not as if anyone would be forced to do this. Create a partnership with a few of the password managers that would require a key be protected by a 30+ character random password and then users could access their private key from anywhere once they've logged into their password manager. Just a thought and clearly it's not the most secure method but maybe it is secure enough? Still doesn't solve the problem of having gnupg available and integrated on all the different platforms. (keeping fireproof suit on for a while :-) ) Thanks for your indulgence and patience :-) Best Regards, Duane - -- Duane Whitty du...@nofroth.com -BEGIN PGP SIGNATURE- iQEcBAEBCAAGBQJYQYvKAAoJEOJfpr8UVxtkJPgH/1iH2Lk9WFUgE+mkhbJRivsc HnPOzCY+XqWQkWSy7T9kgGddvnf/0jhanApsOnkOiVIUI44XOxuH2dViUbkoEDbj bl+eAjVttVzpyoyVhgwU7jmnsxj4BRvH+6vbTWp3bWt1Cdwz5MTcvsL1nfAgm7zR gAXR251Ul0kL+rFuM/SWe6DXlYoj5ZPWZRpCUR+cuP55PzYJTnoJeAvSMtoktBbH aFDVVyltNJhjikMRTDZ93VJWd0KAytGjCZntnYtwssFbxNkBJIh92ODkEuB8Rj/M mAqnzpKW7TLOjaAFXnD3Nyg4ATy4M3oK0hm+qV6IbTqEjzXspHlw/wubBHwZWfA= =Dm3t -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
gnupg over Internet
Hi, I can no longer use my laptop where I had gnupg, Thunderbird, and Enigmail installed. I do have my keys backed-up on an accessible medium. Now I am thinking I might like to avoid from now on being dependent on local hardware. Any ideas, tips, random thoughts on how I could use gnupg from any random Internet cafe or library computer? Has anyone gotten around the problem of USB HDs being so easily compromised? It would be convenient to run gnupg from a USB stick with a card reader plugged into another USB port but I don't believe that is safe. For instance, I am currently using a computer (a Mac) at a local university for which I have a temporary login account. I have shell access but no administrative privileges. Even if I could install software on my account I would not want to. There's also no DVD installed. Excuse the cliche but I am trying to describe being a "road warrior" without the laptop. Let's say no hardware at all except my card reader and pin pad and maybe a near field radio id device and of course an android phone :-) which I have gnupg on but haven't figured out yet how to effectively use it. Any help is appreciated. -- Best Regards, Duane Duane Whitty du...@nofroth.com ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: What is a reliable way to backup/restore my keys and test?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 16-09-14 05:24 PM, Daniel Kahn Gillmor wrote: > Thanks for the very thorough walk-through, Robert. > > Perhaps GnuPG ought to produce some kind of interchangeable backup > automatically on its own that it can re-consume, so this kind of > involved process isn't necessary. > > A couple notes below: > > On Wed 2016-09-14 15:01:47 -0400, Robert J. Hansen wrote: >> The following is the procedure I use on UNIX systems: >> >> First, export all public certificates into a public keyring: >> >> $ gpg --armor --export > pub.asc >> >> Second, export all secret certificates into a secret keyring: >> >> $ gpg --armor --export-secret-keys > priv.asc > > the above two steps should include the arguments "--export-options > export-local" just before "--export". > I am unable to find any references in man to export-local in - --export-options except for export-local-sigs. Maybe this is an undocumented parameter to the --export-options option? What is it supposed to do? >> Import your secret certificates: >> >> $ gpg --import < priv.asc >> >> Import your public certificates: >> >> $ gpg --import < pub.asc > > > The above two steps should include the arguments "--import-options > import-local" just before "--import". > Same here, can't find the parameter import-local, just import-local-sigs > > hth, > > --dkg > Best Regards, Duane - -- Duane Whitty du...@nofroth.com -BEGIN PGP SIGNATURE- iQEcBAEBCAAGBQJX2q4aAAoJEOJfpr8UVxtkYKQIAJXXOW0XXwa8em36YjkyzGY3 bz2QpikFEe6b4mBvEE6IUy/DR7//fy4WnA3SZCUP2JbKrdRUFJGStgirmH1uMcby TLBslsAh3tdmQ7ryrLKISZDqLIDhXcuSnKIjgaH01a6/JqNVK3Ig/HMo4wwQ4idU HeOc7+5bzD/JSwbaACh/oPtiDglFmRrwr0JD/QjRvWfAJkctIJzFpMiM5JtwKn5M 4sKo9Q7sCd7CupL115gqjBDyrCH/O8QDqrFtBn628KIQmUp0nBY1Pqew2jWSzOpj BFZAq/bh8SwAYhctSPnqm7y5Wz/06LANcrXHd9Tifaypo2xZXpTcklb9SkjBgw4= =0hD0 -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: What is a reliable way to backup/restore my keys and test?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 16-09-14 04:01 PM, Robert J. Hansen wrote: >> I am relatively new to GNUPG so my apologies in advance if this >> question > is >> trivial. > > Welcome! And your question is not trivial. > > The following is the procedure I use on UNIX systems: > > First, export all public certificates into a public keyring: > > $ gpg --armor --export > pub.asc > > Second, export all secret certificates into a secret keyring: > > $ gpg --armor --export-secret-keys > priv.asc > > Third, export ownertrust values and save those: > > $ gpg --armor --export-ownertrust > trust.asc > > Fourth, copy all the *.conf files in ~/.gnupg into your current > directory: > > $ cp ~/.gnupg/*.conf . > > Fifth, put these, and all your GnuPG .conf files, all into a > single archive: > > $ tar cJf gpg-backup.txz pub.asc priv.asc trust.asc *.conf > > Copy gpg-backup.txz to the new machine. Once you've done that, > uncompress it on the new machine: > > $ tar xJf gpg-backup.txz > > Import your secret certificates: > > $ gpg --import < priv.asc > > Import your public certificates: > > $ gpg --import < pub.asc > > Import your ownertrust values: > > $ gpg --import-ownertrust < trust.asc > > Make sure your ~/.gnupg directory exists. If it doesn't, run gpg > with no arguments and hit Ctrl-C to break out of it. > > $ gpg > > Copy your .conf files into ~/.gnupg: > > $ cp *.conf ~/.gnupg > > ... And at that point you should be done. This technique should > work regardless of whether you're migrating from 1.4 to 2.0, 1.4 to > 2.1, 2.0 to 1.4, 2.0 to 2.1, 2.1 to 2.0, or 2.1 to 1.4. No matter > which you're doing, you're covered. > >> I've just copied my .gnupg directory to a usb key as a backup >> measure, > which >> I found as a method (more or less) on >> http://www.glump.net/content/gpg_intro/. > > It's a good idea to not copy the random_seed file. PRNG states > should not be shared between computers. > >> How can I make sure my private key and trust assignments were >> copied > properly? > > Follow the above process and they will be. Your private > certificates were exported, as were the trust assignments. > >> Once I have completed my OS upgrade how do I restore my keys and >> the trust levels assigned to them? > > See the above process. > >> I use Thunderbird/Enigmail which is using gpg2 but I originally >> created my > key >> pair using gpg 1.4. Does this have any ramifications? > > None. > > Thanks for the detailed walk-through, Robert. Much appreciated! Best Regards, Duane - -- Duane Whitty du...@nofroth.com -BEGIN PGP SIGNATURE- iQEcBAEBCAAGBQJX2qv1AAoJEOJfpr8UVxtkNEQH/iImTGTQNomSipe0B2yccLMd I1OKbeAIP59sORzC8UegelhtH4k1F9WZRVZUjRXfeEY4jWK5GX1pSsZbSIuDZGL/ 0qHS63nrLm5qbSD7VSEzEmadHCVATkChYFBUGdPP2i1fCWjU1cWlJrNQxAohBZHr ZUC/zh8BsXzIAbtLnb6zRgQ8lxgxLZzozLprwn5eGfnTBsC7GtSO/sjSQgC2hVpn rRTviX3TNapt3DlnY4MtM/NNUOdWKeCGp+DkZBXiem1KDkIr+cfnuUY8+N/oJtfo SlgJ3LrLS6I/w8eQ4Ru+qBK4qal28OChrO8fbtX+BY+4H8cdXjrsjqk7MpQZtEM= =qOtt -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
What is a reliable way to backup/restore my keys and test?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hello, I am relatively new to GNUPG so my apologies in advance if this question is trivial. I have been following the list and have seen discussions of how to fix problems regarding backing up and restoring of keys but I have not seen anything on how to do it properly to begin with. I've just copied my .gnupg directory to a usb key as a backup measure, which I found as a method (more or less) on http://www.glump.net/content/gpg_intro/. I am planning on upgrading my OS and I need to test this backup. How can I make sure my private key and trust assignments were copied properly? Once I have completed my OS upgrade how do I restore my keys and the trust levels assigned to them? I use Thunderbird/Enigmail which is using gpg2 but I originally created my key pair using gpg 1.4. Does this have any ramifications? $ uname -a Linux XXX 4.2.0-38-generic #45~14.04.1-Ubuntu SMP Thu Jun 9 09:28:50 UTC 2016 i686 i686 i686 GNU/Linux $ /usr/bin/gpg --version gpg (GnuPG) 1.4.16 Copyright (C) 2013 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 $ /usr/bin/gpg2 --version gpg (GnuPG) 2.0.22 libgcrypt 1.5.3 Copyright (C) 2013 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, ELG, DSA, ?, ? Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 Thunderbird 38.8.0 I hope this provides the required information. Please let me know if I should include something else. Best Regards, Duane - -- Duane Whitty du...@nofroth.com -BEGIN PGP SIGNATURE- iQEcBAEBCAAGBQJX2WhlAAoJEOJfpr8UVxtkQ/sH/jZm9A0C927WXrEk68jk6+KF Dj3M0KzOqjtb1h6VJJOPWxbbqRFwgnrksnn/Le8CBT0THwobbMd9wdlmT4PRBL6o K0u1ir0bG5HwghYmzH7/nUmVio1c4s7SO8LfxzAW5AzaheTrcRaaCmspoP4fFXo+ eVbegU0RVt0Om9iXIxb8C/Ti1vmNmzT2SYrUraTUMsFYF5bqi1lE+TUhWO3Bi55z kzLqFIVaSq6PfncmdSLzeUEy/4PG3aRRM1VC23jCqeUWUm6Ch2EO7nlWAWJIQqjF xujHiMJzqckufNIC4f6wYSUeuiqGzt32Cj0FNkS8CK8TCeimwQkFaWbooGcwjAQ= =njvq -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users