Re: Second OpenPGP-card

2024-02-20 Thread Juergen BRUCKNER via Gnupg-users



On 20.02.24 at 17:20, Jakob Bohm via Gnupg-users wrote:

On 2024-02-17 12:37, Juergen BRUCKNER via Gnupg-users wrote:

Hello Jacob,

On 17.02.24 at 12:04, Jakob Bohm via Gnupg-users wrote:
[...]
I don't know exactly how the situation about this is in Germany. But 
here in Austria many mobile phone shops have a SIM card punch with 
which you can punch out a micro-SIM or nano-SIM from a standard-SIM.



In some other countries, the mobile providers issue SIMs that are
pre-punched to pop out either of the 3 small sim sizes from a full
credit-card sized card where key information like the PUK code and
serial number are printed.

More generally, there is no guarantee that hardware cards not sold
through mobile phone carriers keep the actual chip/electronics within
the nano-sim area near the middle of the contacts, most notably, NFC
compatible cards will often have the NFC antenna outside that area,
and it's a matter of luck if the contact card functionality works
after cutting on any given hardware model.



We are not talking about 'normal SIM cards' for use by mobile 
telephony but rather about the OpenPGP Smart Card V3.4 in SIM format 
[1]. This also doesn't have NFC functionality, so it can be punched 
fairly safely. You just have to do it right.



Exactly, and there is no easy way of knowing if the cards used by
floss-shop have chip parts outside the nano-sim boundary, which is
smaller than the contact area on ID000 cards (seriously possible),
nor if those cards are internally multi-chip constructs (rare but
possible).


That's true! Point for you ;)

regards
Juergen

--
/¯\   No  |
\ /  HTML |Juergen Bruckner
 Xin  |juergen@bruckner.email
/ \  Mail |


smime.p7s
Description: S/MIME Cryptographic Signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Second OpenPGP-card

2024-02-17 Thread Juergen BRUCKNER via Gnupg-users

Hello Jacob,

On 17.02.24 at 12:04, Jakob Bohm via Gnupg-users wrote:
[...]
I don't know exactly how the situation about this is in Germany. But 
here in Austria many mobile phone shops have a SIM card punch with 
which you can punch out a micro-SIM or nano-SIM from a standard-SIM.



In some other countries, the mobile providers issue SIMs that are
pre-punched to pop out either of the 3 small sim sizes from a full
credit-card sized card where key information like the PUK code and
serial number are printed.

More generally, there is no guarantee that hardware cards not sold
through mobile phone carriers keep the actual chip/electronics within
the nano-sim area near the middle of the contacts, most notably, NFC
compatible cards will often have the NFC antenna outside that area,
and it's a matter of luck if the contact card functionality works
after cutting on any given hardware model.



We are not talking about 'normal SIM cards' for use by mobile telephony 
but rather about the OpenPGP Smart Card V3.4 in SIM format [1]. This 
also doesn't have NFC functionality, so it can be punched fairly safely. 
You just have to do it right.


best regards
Juergen

[1] 
https://www.floss-shop.de/de/security-privacy/smartcards/13/openpgp-smart-card-v3.4



--
/¯\   No  |
\ /  HTML |Juergen Bruckner
 Xin  |juergen@bruckner.email
/ \  Mail |




Re: Second OpenPGP-card

2024-02-15 Thread Juergen BRUCKNER via Gnupg-users

Hello Matthias,

On 13.02.24 at 17:32, Matthias Apitz wrote:

We need here 'Micro SIM'. And I talked to the owner of floss-shop. They
do not offer a way to pop out Micro SIM.


I don't know exactly how the situation about this is in Germany. But 
here in Austria many mobile phone shops have a SIM card punch with which 
you can punch out a micro-SIM or nano-SIM from a standard-SIM.


Maybe this helps

regards
Juergen
--
/¯\   No  |
\ /  HTML |Juergen Bruckner
 Xin  |juergen@bruckner.email
/ \  Mail |




Re: Second OpenPGP-card

2024-02-09 Thread Juergen BRUCKNER via Gnupg-users

Hello Matthias,

On 09.02.24 at 15:36, Matthias Apitz wrote:

So, can I buy this card here in Europe or even in Germany?


Yes, you can also buy this card in Europe:

https://www.floss-shop.de
https://www.cryptoshop.com

or you can also buy a USB/NFC-Device at Nitrokey

https://nitrokey.com

I hope this helps.

Best regards
Juergen

--
/¯\   No  |
\ /  HTML |Juergen Bruckner
 Xin  |juergen@bruckner.email
/ \  Mail |




Re: Can IPAD or Android Tablets create Keys and use gnupg

2021-03-12 Thread Juergen Bruckner via Gnupg-users



On 12.03.21 at 15:29, Bernhard Reiter wrote:

c) Are there compatible OpenPGP and OpenPGP/MIME implementations for
Android?

Yes, e.g. Openkeychain + K9Mail (both being Free Software)


I can also name the following Android apps here

  - FairEMail (+ Openkeychain)
  - R2Mail2
  - MailDroid (+ Crypto-PlugIn)

which support BOTH OpenPGP and S/MIME.
All of them are available for a small fee.

best regards
Juergen
--
/¯\   No  |
\ /  HTML |Juergen Bruckner
 Xin  |juergen@bruckner.email
/ \  Mail |




Re: WKD proper behavior on fetch error

2021-01-18 Thread Juergen Bruckner via Gnupg-users

Hello Andrew,

On 18.01.21 at 13:17, Andrew Gallagher via Gnupg-users wrote:

On 18/01/2021 11:33, Juergen Bruckner via Gnupg-users wrote:

Hello Andrew,

On 18.01.21 at 12:17, Andrew Gallagher via Gnupg-users wrote:

On 18/01/2021 11:07, Juergen Bruckner via Gnupg-users wrote:
Sequoia accepts an *invalid* certificate for the host 
'foo.abc.github.io' and that is "failure by design".


This is incorrect. Sequoia *does not* accept this invalid
certificate. Sequoia and gnupg only differ in their fallback
behaviour after the certificate has been correctly rejected.


Yes I do understand that behavior, but that wasn't explained that way
by Stefan.

And I have understood it so far that Stefan claims Sequoia recognizes
 this certificate as valid and therefore continues to work.

To my understanding, Stefan has not yet spoken of a "fallback".


Stefan's understanding of the issue is incomplete; Neal's detailed
explanation of 13th Jan above explains exactly what is going on, and it
does not involve incorrectly accepting invalid certs.


He actually went so far as to urge Werner in a more than rude way to
add this (wrong) behavior into GnuPG.


I agree that GnuPG is under no obligation to emulate Sequoia's behaviour 
here, although it would of course be preferable if a consensus could be 
arrived at.


For me personally, this is still a major obstacle to using Sequoia
productively or to recommend it to our customers. I still regard this
behavior as a gross error that needs to be fixed.


I think this is unfair on Sequoia. They have deviated from a draft
standard, but they have made a prima-facie case for doing so. Was this
the correct decision? I don't know. Should this decision have been
flagged more prominently? Perhaps. But remember that WKD is a key
discovery mechanism, not a validation mechanism. It is far from
unreasonable to consider prioritising availability over correctness.

Some things in security are absolutes, and some things are trade-offs. 
IMO this issue falls squarely in the "trade-off" category. Perhaps we 
could collectively take a breath before continuing.






I fully agree!
Nothing more to say!

--
/¯\   No  |
\ /  HTML |Juergen Bruckner
 Xin  |juergen@bruckner.email
/ \  Mail |




Re: WKD proper behavior on fetch error

2021-01-18 Thread Juergen Bruckner via Gnupg-users

Hello André,

On 18.01.21 at 00:03, André Colomb wrote:

On 17/01/2021 21.39, Juergen Bruckner via Gnupg-users wrote:

And as far as Sequoia is concerned, Stefan's explanations only confirmed
that this is software that I definitely don't want to use.
Software that accepts an invalid digital certificate as correct, has no
place in an environment where security and confidentiality are concerned.
This is an  a b s o l u t e  NO-GO.


To be fair, it's not quite that bad.  Sequoia does recognize the invalid
certificate as such, as Neal pointed out.  It just doesn't scream out
loud about it.  Instead it goes on silently trying the direct method
instead, for which everything is configured correctly in Stefan's setup.

That is not following the current WKD draft correctly, as interpreted by
the majority of those who spoke up IIRC.  But so far no scenario was
brought up where it poses an obvious security risk.  More like hiding
the problem from an admin trying to deliberately set up the advanced
method and possibly ending up with some forgotten remains of the direct
method having been used before.

In my opinion, the WKD spec needs clear rules about cases when to switch
to the direct method.  And making it hinge solely on proper DNS
configuration is perfectly fine.  Having enough control over the domain
is one more prerequisite (besides the CA stuff) which an impostor would
need to get around.  After all, the corresponding web server is trusted
to deliver the correct OpenPGP public key for authenticated communication.


[...]

Yes, I will be fair and say that Sequoia works okay so far.
And yes, it is good to hear from Neal that Sequoia actually recognizes 
this as an invalid certificate.
BUT, if a software claims to ensure secure communication, then this shown 
behavior is unacceptable to me, at least a reference to the invalid 
certificate should have to be shown.


Otherwise, the discussion now mainly revolves around the fact that 
Stefan still claims the certificate is valid and Sequoia continues 
because of this. (At least that's my understanding of Stefan's statements).


Best regards
Juergen

--
/¯\   No  |
\ /  HTML |Juergen Bruckner
 Xin  |juergen@bruckner.email
/ \  Mail |




Re: WKD proper behavior on fetch error

2021-01-18 Thread Juergen Bruckner via Gnupg-users

Hello Andrew,

On 18.01.21 at 12:17, Andrew Gallagher via Gnupg-users wrote:

On 18/01/2021 11:07, Juergen Bruckner via Gnupg-users wrote:
Sequoia accepts an *invalid* certificate for the host 
'foo.abc.github.io' and that is "failure by design".


This is incorrect. Sequoia *does not* accept this invalid certificate. 
Sequoia and gnupg only differ in their fallback behaviour after the 
certificate has been correctly rejected.


Yes I do understand that behavior, but that wasn't explained that way by 
Stefan.


And I have understood it so far that Stefan claims Sequoia recognizes 
this certificate as valid and therefore continues to work.


To my understanding, Stefan has not yet spoken of a "fallback".

He actually went so far as to urge Werner in a more than rude way to add 
this (wrong) behavior into GnuPG.


For me personally, this is still a major obstacle to using Sequoia 
productively or to recommend it to our customers. I still regard this 
behavior as a gross error that needs to be fixed.


Best regards from Austria
Juergen

--
/¯\   No  |
\ /  HTML |Juergen Bruckner
 Xin  |juergen@bruckner.email
/ \  Mail |




Re: WKD proper behavior on fetch error

2021-01-18 Thread Juergen Bruckner via Gnupg-users

Hello again Stefan

On 17.01.21 at 22:27, Stefan Claas wrote:

On Sun, Jan 17, 2021 at 10:16 PM Juergen Bruckner via Gnupg-users
 wrote:

Hi Juergen.


Your showcase with github.io also says nothing else than that Sequoia
considers an invalid certificate to be correct. That this happens in
audited software says just as much about the value of the audit.


Please try to accept that GitHub's SSL cert is *valid*, or do you think
that a CA certifies an invalid cert?


[...]

For you to take notes:
The certificate used by github issued by the CA DigiCert Inc IS valid for:

  - www.github.com
  - github.com
  - *.github.com
  - github.io
  - *.github.io
  - githubusercontent.com
  - *.githubusercontent.com

so that means the certificate MAY be valid for
  - abc.github.io

but it MUST NOT be valid for
  - foo.abc.github.com

This is stipulated in the guidelines of the CA / B forum to which all 
CAs worldwide have to adhere. DigiCert Inc. is no exception.


So what some members have already said to you here applies.
Sequoia accepts an *invalid* certificate for the host 
'foo.abc.github.io' and that is "failure by design".


That won't change if you claim the opposite a million times.

Best
Juergen
--
/¯\   No  |
\ /  HTML |Juergen Bruckner
 Xin  |juergen@bruckner.email
/ \  Mail |
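
The name check and the fallback question argued over in this thread, as an added Python example that is not part of the original messages and is not GnuPG's or Sequoia's code. The certificate name list is the one given in the message above; the address `user@abc.github.io`, the `NETWORK` table and all function names are assumptions made for illustration.

```python
import hashlib
from urllib.parse import quote

# Names the message above lists as covered by GitHub's certificate.
GITHUB_SANS = [
    "www.github.com", "github.com", "*.github.com",
    "github.io", "*.github.io",
    "githubusercontent.com", "*.githubusercontent.com",
]

# Constructed stand-in for DNS + TLS (assumption): host -> names in the
# certificate it presents. A host that is absent does not resolve.
NETWORK = {
    "abc.github.io": GITHUB_SANS,
    "openpgpkey.abc.github.io": GITHUB_SANS,
}

ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet used by WKD


def san_matches(pattern, host):
    """RFC 6125 style comparison of one certificate name against a host name.

    A '*' is honoured only as the complete left-most label and stands for
    exactly one label, so '*.github.io' covers 'abc.github.io' but neither
    'github.io' nor 'foo.abc.github.io'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Conservative extra rule: refuse wildcards directly under a TLD.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_valid_for(host, sans):
    """True if any name in the certificate covers the requested host."""
    return any(san_matches(name, host) for name in sans)


def wkd_hash(local_part):
    """SHA-1 of the lower-cased local part, z-base-32 encoded (32 characters)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    n = int.from_bytes(digest, "big")  # 160 bits = 32 groups of 5 bits
    return "".join(ZBASE32[(n >> shift) & 31] for shift in range(155, -1, -5))


def wkd_urls(address):
    """Return ((advanced_host, advanced_url), (direct_host, direct_url))."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h, l = wkd_hash(local), quote(local, safe="")
    adv_host = "openpgpkey." + domain
    adv = f"https://{adv_host}/.well-known/openpgpkey/{domain}/hu/{h}?l={l}"
    direct = f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l}"
    return (adv_host, adv), (domain, direct)


def fetch_plan(address, network, fallback_on_tls_error):
    """List the (method, url, outcome) steps a client would take.

    fallback_on_tls_error=False models the strict reading described in the
    thread: the direct method is tried only if the openpgpkey subdomain does
    not exist. True models rejecting the certificate and then silently
    continuing with the direct method.
    """
    (adv_host, adv_url), (dir_host, dir_url) = wkd_urls(address)
    steps = []
    if adv_host in network:
        if cert_valid_for(adv_host, network[adv_host]):
            return [("advanced", adv_url, "ok")]
        steps.append(("advanced", adv_url, "certificate-name-mismatch"))
        if not fallback_on_tls_error:
            return steps  # surface the error instead of hiding it
    else:
        steps.append(("advanced", adv_url, "no-such-host"))
    ok = dir_host in network and cert_valid_for(dir_host, network[dir_host])
    steps.append(("direct", dir_url, "ok" if ok else "failed"))
    return steps


if __name__ == "__main__":
    for host in ("abc.github.io", "foo.abc.github.io", "foo.abc.github.com"):
        print(host, "covered:", cert_valid_for(host, GITHUB_SANS))
    for lenient in (False, True):
        print("fallback_on_tls_error =", lenient)
        for step in fetch_plan("user@abc.github.io", NETWORK, lenient):
            print("  ", step)
```

In both models the certificate is rejected for the `openpgpkey.` host; the only difference is whether that rejection ends the lookup or is followed by a direct-method request.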




Re: WKD proper behavior on fetch error

2021-01-17 Thread Juergen Bruckner via Gnupg-users

Well Stefan,

On 17.01.21 at 21:44, Stefan Claas wrote:

On Sun, Jan 17, 2021 at 9:40 PM Juergen Bruckner via Gnupg-users
 wrote:


I can only agree with Andre's words.


Perfectly fine for me if you take this route.


And as far as Sequoia is concerned, Stefan's explanations only confirmed
that this is software that I definitely don't want to use.


You don't have to, because we live in a free world.


Yes we live in a free world, and you shouldn't forget this!



Software that accepts an invalid digital certificate as correct, has no
place in an environment where security and confidentiality are concerned.
This is an  a b s o l u t e  NO-GO.


You talking nonsense while not knowing!


Thank you very much! I'll take that as compliment!


GnuPG doesn't have to change anything here.
The change MUST be made at Sequoia, preferably yesterday!


Utterly nonsense, IMHO. sequoia-pgp, Mailvelope (supported by BSI
and *audited*) and flowcrypt do all work with github.io pages! And you
were not able to reply to me here if your WKD set-up for dummies worked
for you. So much for that part...


If something, or a software is supported by BSI and/or audited *does 
not* say it is free of bugs or failures.


Your showcase with github.io also says nothing else than that Sequoia 
considers an invalid certificate to be correct. That this happens in 
audited software says just as much about the value of the audit.


And it's not 'my' setup for dummies, it was a general question because 
most of the explanations are very specific and can pose major problems 
for a 'beginner'.


I have been using WKD successfully in different versions for a long 
time. The only thing that was new for me in this context is the 
possibility of implementing WKD via the openpgp server using a CNAME entry.


Best
Juergen
--
/¯\   No  |
\ /  HTML |Juergen Bruckner
 Xin  |juergen@bruckner.email
/ \  Mail |




Re: WKD proper behavior on fetch error

2021-01-17 Thread Juergen Bruckner via Gnupg-users

I can only agree with Andre's words.

And as far as Sequoia is concerned, Stefan's explanations only confirmed 
that this is software that I definitely don't want to use.
Software that accepts an invalid digital certificate as correct, has no 
place in an environment where security and confidentiality are concerned.

This is an  a b s o l u t e  NO-GO.

GnuPG doesn't have to change anything here.
The change MUST be made at Sequoia, preferably yesterday!

regards
Juergen

On 17.01.21 at 21:17, André Colomb wrote:

Hi Stefan,

On 17/01/2021 19.41, Stefan Claas via Gnupg-users wrote:

Please try to accept that GitHub (and maybe in the future others as well)
has *no* bad certificate! The only thing which could be considered "bad"
or at least sub-optimal for a global ML, like this one, is the support in
form of the GnuPG ecosystem devs.


GitHub's web server, *in your specific use case* is sending a
certificate proving it is an apple when you're asking for it under the
name "orange".  That makes the certificate *invalid* for that connection
request as it could not be distinguished from a man in the middle attack
asking your browser to "Please try to accept that this apple is an orange".

Don't you find it strange that you are the only one still insisting that
it's valid when several very knowledgeable people have explained to you
in many different ways why it's simply not true?

And please tone down on the GnuPG criticism.  It's your right to dislike
the software or even Werner Koch personally.  But this is not the right
place for anti-publicity or constant personal stabs against people who
have patiently spent a lot of time to help and educate you.  Please try
to keep the discussion productive.

Kind regards
André





--
/¯\   No  |
\ /  HTML |Juergen Bruckner
 Xin  |juergen@bruckner.email
/ \  Mail |




Re: CNAME aliases for wkd.keys.openpgp.org and X.509 certificates [was: Re: WKD for GitHub pages]

2021-01-16 Thread Juergen Bruckner via Gnupg-users

Hello Group!

On 16.01.21 at 03:26, Vincent Breitmoser via Gnupg-users wrote:


Daniel Kahn Gillmor via Gnupg-users  wrote:

On Mon 2021-01-11 22:59:10 +0100, Ángel wrote:

The "make a CNAME of your openpgpkeys subdomain to
wkd.keys.openpgp.org" couldn't work with https certificate validation,
though (or are they requesting a certificate on-the-fly?)


In fact, I believe that keys.openpgp.org *is* requesting and retaining a
certificate on-the-fly if it finds itself addressed by such a CNAME.


Yep. If that wasn't possible, we wouldn't do it.

btw, if anyone is interested: keys.o.o serves wkd for 224 domains right now.

  - V


Now I'm a bit confused :O
I thought WKD can be used with your own webserver. So why do I have to 
make a CNAME record pointing to "wkd.keys.openpgp.org"?


Or did I understand something wrong?

BTW ... do any of you know a tutorial to set up WKD for 'Dummies'?

best regards
Juergen


--
/¯\   No  |
\ /  HTML |Juergen Bruckner
 Xin  |juergen@bruckner.email
/ \  Mail |




Re: WKD & Sequoia

2021-01-13 Thread Juergen Bruckner via Gnupg-users

Hello Stefan!


[...]

sequoia did the right step and I hope for people relying on GnuPG that
it is possible for them in the future too.


So did Sequoia do that?
You consider not to follow policies "the right step"?
Sorry, but you don't have a clue about security!

The only right way is to follow policies word by word.

So far you only presented us assumptions here, with a non-working setup, 
and also a setup which never was intended for such a case.


m2c
Juergen
--
/¯\   No  |
\ /  HTML |    Juergen Bruckner
 Xin  |juergen@bruckner.email
/ \  Mail |




Re: Mobile mini computers for GnuPG/OpenPGP usage instead of smartphone usage

2020-11-28 Thread Juergen Bruckner via Gnupg-users

Hello Stefan,


On 28.11.20 at 08:59, Stefan Claas via Gnupg-users wrote:

Hi all,

some of you may remember the recent thread from me about OpenPGP usage
with smartphones. Since I sold my Android smartphone a while ago I thought
why not look for other mobile devices, which are smaller than regular notebooks
and which are maybe better suited (for me) than pure Linux smartphones.

This would also have the advantage that one can use his preferred MUA
instead of the ones available for Android/iOS.

After googling a bit I found these IMHO super mini PCs, which looked very
attractive to me and I purchased one (should be delivered in a couple of days).

https://www.gpd.hk/gpdmicropc

and for fans of MacBook designs:

https://www.gpd.hk/gpdpocket2

Hope you find this info useful!

P.S. I purchased the GPD MicroPC with Ubuntu Mate instead of Microsoft Windows.

P.P.S. These little computers are mostly sold out when looking around, but I had
luck to find a German reseller who still has some in stock.

Regards
Stefan


Could you please tell me more when you get this device?

best regards
Juergen

--
/¯\   No  |
\ /  HTML |Juergen Bruckner
 Xin  |juergen@bruckner.email
/ \  Mail |




Re: Thunderbird / Enigmail / Autocrypt

2020-11-22 Thread Juergen Bruckner via Gnupg-users


Hi Chris,

On 22.11.20 at 10:02, gnupgpacker wrote:

Claws Mail is a useful alternative, but please keep aware it does not
support html mail, text only!
https://www.claws-mail.org/manual/de/claws-mail-manual.html#AEN955

Best regards, Chris



I don't understand why HTML in e-Mails is so important for some people.

For example, I configured my Mailserver to sort out HTML-Mails as Spam 
as long the sender is not on a whitelist.

HTML in e-Mails is a very big security risk in my eyes.

regards
Juergen

--
/¯\   No  |
\ /  HTML |Juergen Bruckner
 Xin  |juergen@bruckner.email
/ \  Mail |




Re: Major problems with gpg and scdaemon, help highly appreciated

2020-11-14 Thread Juergen Bruckner via Gnupg-users

No problem!

I see.
Well I don't have any experiences with other cards than these from 
Zeitcontrol and the tokens from Yubikey and Nitrokey.
I know that the Yubikey5 supports PGP operations via RFID as a few 
customers from me use it with their mobile devices.


But as Werner stated in his e-mail before it may be a 'problem' specific 
with GnuPG as it doesn't support wireless operation for security reasons.


And I really don't know if another OpenPGP implementation does support 
smartcards/token.
This was already a big issue with Mozilla's Thunderbird 78 and its 
native implementation of OpenPGP instead of Enigmail.


Sorry that I can't help in a better way!

best regards and a great weekend
Juergen

--
/¯\   No  |
\ /  HTML |Juergen Bruckner
 Xin  |juergen@bruckner.email
/ \  Mail |

On 14.11.20 at 20:08, 22h39 via Gnupg-users wrote:

Sorry Jorgen for the mail I misclicked.

As can be seen in the logs I'm using a NXP J3H145 card with this applet: 
https://github.com/ANSSI-FR/SmartPGP which is compliant with OpenPGP spec V3.4.

I can assure that this card __works__ via RFID since I can easily sign files 
using it and OpenKeychain on my phone, the problem here is created by GPG in 
conjunction with the reader.

Thanks for help,
22h49



Nov 14, 2020, 19:58 by gnupg-users@gnupg.org:


What kind of OpenPGP card do you use?
The OpenPGP Smart Card V3.3 + MiFare DESFire [1] doesn't support PGP operations 
via RFID.

regards
Juergen

[1] 
https://www.floss-shop.de/en/security-privacy/smartcards/4/openpgp-smart-card-v3.3-mifare-desfire
--
/¯\   No  |
\ /  HTML |Juergen Bruckner
  Xin  |juergen@bruckner.email
/ \  Mail |

On 14.11.20 at 19:45, 22h39 via Gnupg-users wrote:


I don't understand, then how is OpenKeychain able to use OpenPGP cards via RFID?

I can successfully sign using this card via my phone but it won't work with the 
reader connected to the computer.

Looking at the logs, the card exchanges exactly the same APDUs when using the 
contact and contactless interface so all points to some weird bug in gpg.

Thanks for help,
22h49













Re: Major problems with gpg and scdaemon, help highly appreciated

2020-11-14 Thread Juergen Bruckner via Gnupg-users

What kind of OpenPGP card do you use?
The OpenPGP Smart Card V3.3 + MiFare DESFire [1] doesn't support PGP 
operations via RFID.


regards
Juergen

[1] 
https://www.floss-shop.de/en/security-privacy/smartcards/4/openpgp-smart-card-v3.3-mifare-desfire

--
/¯\   No  |
\ /  HTML |Juergen Bruckner
 Xin  |juergen@bruckner.email
/ \  Mail |

On 14.11.20 at 19:45, 22h39 via Gnupg-users wrote:

I don't understand, then how is OpenKeychain able to use OpenPGP cards via RFID?

I can successfully sign using this card via my phone but it won't work with the 
reader connected to the computer.

Looking at the logs, the card exchanges exactly the same APDUs when using the 
contact and contactless interface so all points to some weird bug in gpg.

Thanks for help,
22h49








Re: Major problems with gpg and scdaemon, help highly appreciated

2020-11-14 Thread Juergen Bruckner via Gnupg-users


Hello 22h49

On 13.11.20 at 20:22, 22h39 via Gnupg-users wrote:


I have been for the life of me unable to get gpg working with the contactless 
interface in my reader.


How to reproduce:

I'm using a REINERSCT Cyberjack standard RFID dual interface class 3 reader
Simply take an OpenPGP card and try to sign anything using the contactless 
interface.



As far as I know the OpenPGP function of the OpenPGP-Card cannot be used 
via NFC / RFID. You need to use the on card chip and a card reader for 
PGP operations.


regards
Juergen

--
/¯\   No  |
\ /  HTML |Juergen Bruckner
 Xin  |juergen@bruckner.email
/ \  Mail |




Re: Traveling without a secret key

2020-07-10 Thread Juergen Bruckner via Gnupg-users

Hi Stefan


Since you and Andrew are using smart cards or tokens I would like to
ask the following, prior considering purchasing one myself in the near
future.

Well my first choice - as it is an OpenSource product - is always a 
Nitrokey [1], I use both the NK Start as well as the NK Pro.


But also see the following


I use Windows 10 and Android (Samsung A40) and would like to know,
in case this is possible with my smartphone and under Windows 10 to
use a smart card where I can enter a PIN, thus only putting a secret
key without a passphrase on it, for ease of use, because my bank card
also has only a PIN. Is there software for such PIN entering for Win
and Android available and if so what Android email client software
would you or Andrew recommend, which allows to use a secret key without
a passphrase from a smart card?


Well, Nitrokeys do also work on Android devices, with a USB-Adapter.

In case you want to use your SmartCard/Token on the Android device via 
NFC, the best choice would be a Yubikey 5 NFC [2].


The Windows software to enter the PIN-Code is your PGP Software with 
SmartCard Support. On Android you should use Openkeychain for that.


As Android e-mail-client most people who use PGP also use K9-Mail;
my personal preference and my strong recommendation is the app called 
"FairEmail", as this app supports both, PGP (via Openkeychain) and also 
S/MIME.


I hope I have been able to help you a bit.

Best regards
Juergen


[1] https://www.nitrokey.com/de
[2] https://www.yubico.com

--
Juergen M. Bruckner
juergen@bruckner.email




Re: Traveling without a secret key

2020-07-08 Thread Juergen Bruckner via Gnupg-users
Hello Stefan,

despite my cooperation with the p≡p foundation, the lack of support for
smart cards and tokens is THE knockout criterion why I do not use
sequoia pgp.

It's a good question what to do if you lose your SC or token.
Basically, it has to be said that you should definitely have a backup of
your key. And you have to be very careful with your SC or tokens.
In principle it is almost the same as losing your credit card or
passport etc. while traveling; you have to provide alternatives (e.g.
multiple smartcards).

regards
Juergen

On 08.07.20 at 21:17, Stefan Claas wrote:
> Juergen Bruckner via Gnupg-users wrote:
>  
>> Well i think that's one more reason why you need a smart card or token
>> like GnuPG-Card or Nitrokey (or a Yubikey for my sake).
> 
> Hi Juergen,
> 
> well the thing is I no longer use GnuPG and instead sequoia pgp, which
> currently has no smart-card support IIRC.
> 
> And regarding smart cards, what do people do when they are traveling
> and the smart card gets by accident broken or lost?
> 
> Regards
> Stefan
> 

-- 
Juergen M. Bruckner
juergen@bruckner.email




Re: Traveling without a secret key

2020-07-08 Thread Juergen Bruckner via Gnupg-users
Well, I think that's one more reason why you need a smart card or token
like GnuPG-Card or Nitrokey (or a Yubikey for my sake).

Regards
Juergen

On 08.07.20 at 18:36, Stefan Claas wrote:
> Ryan McGinnis via Gnupg-users wrote:
>  
>> Six years ago Snowden said to assume the NSA can try roughly 1 Trillion 
>> passwords per second.  I imagine it's significantly
>> more by now.  
> 
> Holy cow! That raises then probably one more question, i.e. the required 
> minimum length for a strong password nowadays.
> 
> Regards
> Stefan
> 

-- 
Juergen M. Bruckner
juergen@bruckner.email




Re: Certified OpenPGP-encryption after release of Thunderbird 78

2020-06-02 Thread Juergen Bruckner via Gnupg-users
Hello Patrick,

> Let's first define Standard users. The majority of users who use
> smartcards that *I* know are expert or power users. They can handle this.
> 
> The "Standard users" I have in mind don't use GnuPG for anything else
> than encrypting mails, and they don't use smartcards either. They won't
> have this issue in any way.

I'm sorry but I have to contradict you in that topic.
I found out that more 'standard users' than I thought are using
Smartcards or Tokens like Nitrokey or Yubikey (or anything similar).
It is requested in security/gpg workshops more and more, and in the last
3 or 4 workshops I've held, each of the 15 participants already had a
Smartcard or Token and wanted to know how to use them.

So I think this is not just a topic for 'professional or power users'
but also for so called standard users.

best regards from Austria
Juergen

-- 
Juergen M. Bruckner




Re: gmail smime, sends two messages one is not encrypted. Experience?

2019-12-10 Thread Juergen Bruckner via Gnupg-users
Sadly I know many CAs who don't give the user any choice about this.
They say as a 'user friendly service' they also generate the key for the
user and send him a .p12-file.

On 10.12.19 at 17:01, Mark H. Wood via Gnupg-users wrote:
> 
> Oh, I hope not.  The point of asymmetric crypto is that you never,
> ever, give your private key to anyone, even, *especially*, the CA.
> The proper way to get an X.509 certificate is to generate a keypair,
> keep the private key private, and send a CSR containing the public key
> to the entity which will issue the certificate.
> 
> 
> 

-- 
Juergen M. Bruckner
juer...@bruckner.tk
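
The CSR workflow described in the quoted reply above, as an added example that is not part of either post: the key pair is generated locally and only the CSR is handed to the CA. The subject, file names and function names are assumptions chosen for illustration, and the private key is left unencrypted only to keep the example short.

```shell
#!/bin/sh
# Added example (not from the thread): generate the key pair locally and
# give the CA only a CSR. File names and the subject are constructed values.

# make_csr DIR SUBJECT: create DIR/user.key (private) and DIR/user.csr.
make_csr() {
    (
        umask 077   # private key file readable by its owner only
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$1/user.key" 2>/dev/null
    ) || return 1
    openssl req -new -key "$1/user.key" -subj "$2" -out "$1/user.csr"
}

# contains_private_key FILE: succeeds if FILE carries PEM private key material.
# Run it on anything that is about to leave the machine.
contains_private_key() {
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# csr_self_signature_ok CSR: succeeds if the CSR is signed by the key whose
# public half it contains (proof of possession, which the CA also checks).
csr_self_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# csr_matches_key CSR KEY: succeeds if the public key inside the CSR is the
# public half of the local private key.
csr_matches_key() {
    from_csr=$(openssl req -in "$1" -noout -pubkey) || return 1
    from_key=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$from_csr" ] && [ "$from_csr" = "$from_key" ]
}

# Demo with a constructed subject.
workdir=$(mktemp -d)
if make_csr "$workdir" "/CN=Constructed User/emailAddress=user@example.org" \
   && csr_self_signature_ok "$workdir/user.csr" \
   && csr_matches_key "$workdir/user.csr" "$workdir/user.key" \
   && ! contains_private_key "$workdir/user.csr"; then
    echo "send to CA: $workdir/user.csr (subject and public key only)"
    echo "keep local: $workdir/user.key"
fi
```

A `.p12` file delivered by a CA is the opposite case: it bundles the certificate with a private key that the CA generated and therefore has seen.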




Re: gmail smime, sends two messages one is not encrypted. Experience?

2019-12-07 Thread Juergen BRUCKNER via Gnupg-users
Hi Stefan

That's not the approach PGP pursues.
PGP was, is and should continue to be decentralized in the future. It
was never really intended to validate identities in a wide circle, but
to secure communication, and - in parts - to ensure the integrity of
software.

The so-called WOT has proven itself to me in the field of PGP and does not
really need central instances.

On 07.12.19 at 21:11, Stefan Claas wrote:
> Yes, but that is not an OpenPGP 'fault' IMHO, it is caused by users and
> the OpenPGP community in general, not accepting CAs and still relying
> on the classical WoT.
> 
> Maybe we should ask ourselves why we do not have more (free) CAs for
> the OpenPGP ecosystem (wish we had more like Governikus ...)


regards
Juergen




Re: gmail smime, sends two messages one is not encrypted. Experience?

2019-12-07 Thread Juergen BRUCKNER via Gnupg-users
Hi Stefan,

well... what is a trusted and an untrusted CA?
Is a CA really trusted just because of the fact that it is "built in" to a
browser or mail client?
Is a not included CA really untrusted?

I think it is more a personal decision than anything else.

The past few years showed us very good examples why "trusted" CAs are not
much better than so-called untrusted ones.
And personally .. I think I can for example trust the CA CAcert much
more than a CA which is located in China or Turkey.

So if someone is importing a root certificate of any CA he shows that he
is trusting this CA - not more, not less.

On 07.12.19 at 20:59, Stefan Claas wrote:
> Ah, o.k. with an own CA that makes sense. However, I was also assuming
> that students may use their certs also for 'outside' comms, which then
> would require then that the other parties have always to import non-
> trusted root certs, which is not the case with commercial ones, obtained
> from globally trusted CAs.

regards
Juergen



Re: gmail smime, sends two messages one is not encrypted. Experience?

2019-12-07 Thread Juergen Bruckner via Gnupg-users
This question is very easy to answer.

S/MIME has some advantages over (Open)PGP.
One of them - the most important for the usual S/MIME users - is that
S/MIME allows the unique identification of a communication partner,
which is possible only to a limited extent with PGP.

In addition, educational institutions, such as universities, schools,
research networks etc., have their own internal CA, which keeps the
costs very manageable.

On 05.12.19 at 23:39, Stefan Claas via Gnupg-users wrote:
> Sorry, I can't help you but I do have a question, if you don't mind ...
> 
> Why don't the students at the University use OpenPGP with Gmail
> via the free Mailvelope add-on for Firefox, Chrome? Wouldn't that be
> cheaper instead of purchasing a whole lot of S/MIME certificates?

best regards
Juergen

-- 
Juergen M. Bruckner
juer...@bruckner.tk




Re: [gmx+gmail] (was: gmail smime, sends two messages one is not encrypted. Experience?)

2019-12-07 Thread Juergen Bruckner via Gnupg-users
Hello Uwe,

I have used Gmail for business for a very long time and never had any issue
like that.

This message here should reach you as an S/MIME signed message.

best regards
Juergen

On 05.12.19 at 23:43, Uwe Brauer via Gnupg-users wrote:
> "UBvG" == Uwe Brauer via Gnupg-users writes:
> 
> "UBvG" == Uwe Brauer via Gnupg-users writes:
>>> Hi
> 
>>> It seems to me a complete security breach.
> 
>> I repeated the test with other gmail accounts, with emacs or
>> thunderbird, always I receive messages which are only signed but not
>> encrypted although I did enable both options. I am deeply worried.
> 
>> Anybody with the same experience, or somebody who wants to run an
>> experiment with me. 
> 
> I extended my experiment: I sent message between a gmx and a gmail
> account, then everything was ok, encrypted was encrypted. Signed was
> signed, even for seamonkey/thunderbird, so the culprit is not the MTA,
> but it seems that gmail does something strange. 
> 
> I'd love to get some confirmation about this from somebody else.
> 
> Uwe Brauer 
> 
> 
> 

-- 
Juergen M. Bruckner
juer...@bruckner.tk




Re: Future OpenPGP Support in Thunderbird

2019-10-14 Thread Juergen Bruckner via Gnupg-users
Hello to all,

well, it's a good thing that OpenPGP shall be included in TB directly.

But ... the Mozilla wiki [1] states the following in the FAQ section:

Q: Will OpenPGP cards be supported for private key storage ?

A: Probably not, because we don't use the GnuPG software that's usually
   required to access OpenPGP smartcards.

This will not be useful for me or my company, as we only use PGP keys
stored on smartcards.
So I guess we will have to take TB down and find other solutions.

m2c
Juergen


[1] https://wiki.mozilla.org/Thunderbird:OpenPGP:2020

-- 
Juergen M. Bruckner
juer...@bruckner.tk





Re: PGP Key Poisoner

2019-08-12 Thread Juergen Bruckner via Gnupg-users
That's pretty interesting, but the author also says he did this as a showcase.
Nonetheless, it's not really good to have such a tool "in the wild", and
even on a platform like GitHub.

regards
Juergen

On 11.08.19 at 23:47, Anonymous Remailer (austria) wrote:
> 
> https://github.com/skeeto/pgp-poisoner
> 
> 

-- 
Juergen M. Bruckner
juer...@bruckner.tk





Re: Your Thoughts

2019-07-01 Thread Juergen Bruckner via Gnupg-users
Hello to all,

On 01.07.19 at 00:23, Ryan McGinnis via Gnupg-users wrote:
> Does anyone know what PGP’s peak adoption rate was?  I always loved it in 
> concept but very very rarely saw people actually trying to use it in the 
> wild, outside of the types of people who read this list.  


Well, that's not quite "in the wild" but it's pretty new:
The Austrian Parliament and some parts of the Austrian Government have
released a website [1] where the PGP keys of Members of the Parliament
and other people in the government are collected in one place.

regards
Juergen

[1] https://gvkeys.at/

-- 
Juergen M. Bruckner
juer...@bruckner.tk





Re: New keyserver at keys.openpgp.org - what's your take?

2019-06-21 Thread Juergen Bruckner via Gnupg-users
Hey all,

here is an article (only in German) from Heise:

https://www.heise.de/security/meldung/Neuer-OpenPGP-Keyserver-liefert-endlich-verifizierte-Schluessel-4450814.html

regards
Juergen

On 19.06.19 at 00:53, Earle Lowe via Gnupg-users wrote:
> On Fri, Jun 14, 2019 at 7:35 AM Stefan Claas wrote:
>>
>>
>> Fully agree. I proposed a couple of years ago to Phil Zimmermann's
>> Silent Circle*, in Switzerland, to run a modern key server in form
>> like we had with pgp.com. Never received a reply ...
>>
>> *IIRC out of business and Mr. Zimmermann now works afaik for
>> startpage.com, in the Netherlands, and is involved in Openspace.
>>
>> Regards
>> Stefan
> 
> Silent Circle is still in business (AFAIK) - but they don't make
> phones anymore, a software-only company now.
> 
> And keyserver.pgp.com is definitely still around (the much-maligned
> Global Directory) - which interestingly enough does a number of things
> the new key server does, like email verification, enforcing one email
> one key, stripping off signatures, one can remove keys, and zero
> federation with other key servers.
> 
> -Earle
> 
> 

-- 
Juergen M. Bruckner
juer...@bruckner.tk





Re: Enforcing password complexity for private keys

2019-04-30 Thread Juergen Bruckner
Well I may be (partly) wrong, but I guess a 6-digit PIN-Code on the
GnuPG-Card may be complex enough for most security settings.

my2c
Juergen

On 30.04.19 at 19:40, David Milet wrote:
> Yes, we’re considering using smart cards or usb devices like Yubikey.
> Do those enforce password complexity?
> 
> To answer suggestions in other replies, our developers are savvy enough, and 
> we do have recurring training in place to stress the importance of good 
> passwords. But we know also that some developers will choose the weakest 
> password the system allows, making them the weakest link.
> 
>> On Apr 30, 2019, at 13:21, Juergen Bruckner wrote:
>>
>> Hello David,
>>
>> have you ever thought about using SmartCards?
>> GnuPG has a built in SmartCard service.
>>
>> regards
>> Juergen
>>
>>> On 30.04.19 at 12:55, David Milet wrote:
>>> Hello
>>>
>>> We’re considering rolling out GnuPG at work for developers to sign git 
>>> commits.
>>> How can we prevent developers from choosing a trivial password?
>>>
>>> Is there a way for GnuPG to enforce some password complexity on the private 
>>> keys?
>>>
>>> Is that something that a Yubikey could do? 
>>>
>>> Many thanks!
>>> David
>>>
>>
>> -- 
>> Juergen M. Bruckner
>> juer...@bruckner.tk
>>
> 
> 

-- 
Juergen M. Bruckner
juer...@bruckner.tk





Re: Enforcing password complexity for private keys

2019-04-30 Thread Juergen Bruckner
Hello David,

Have you ever thought about using SmartCards?
GnuPG has a built-in SmartCard service.

regards
Juergen

On 30.04.19 at 12:55, David Milet wrote:
> Hello
> 
> We’re considering rolling out GnuPG at work for developers to sign git 
> commits.
> How can we prevent developers from choosing a trivial password?
> 
> Is there a way for GnuPG to enforce some password complexity on the private 
> keys?
> 
> Is that something that a Yubikey could do? 
> 
> Many thanks!
> David
> 

-- 
Juergen M. Bruckner
juer...@bruckner.tk





Re: What to do with public key signature

2019-04-11 Thread Juergen Bruckner
Hello Chris!

Well I think it is NOT your task to publish this key on a keyserver.
It is the decision of the owner of the key to publish it or not.
So in my opinion the best way is just to sign it and send it back to the
owner.

my 2 cents
Juergen

On 11.04.19 at 10:57, Chris Narkiewicz via Gnupg-users wrote:
> So I received a public key from a party. I verified it and I'm ready to sign 
> it.
> 
> What's next step? What should I ideally do with that signature?
> 
> 1) send back to the key owner hoping that he will publish it to the keyserver?
> 2) should I just push it to keyserver myself?
> 3) what if the key owner did not publish his key?
> 
> Best regards,
> Chris
> 
> 
> 

-- 
Juergen M. Bruckner
juer...@bruckner.tk





Re: Generating revocation certificate

2019-04-08 Thread Juergen Bruckner
Hello André

> I'm using (up to date) Trisquel.
> 
That is an Ubuntu flavor based on Ubuntu Xenial (16.04 LTS).
This version needs GnuPG 1.x for the signing/validating of the
Repository-Keys. So you can't uninstall GnuPG 1.x.

regards
Juergen

-- 
Juergen M. Bruckner
juer...@bruckner.tk





Re: Generating revocation certificate

2019-04-07 Thread Juergen Bruckner
Hi André,

Which operating system do you use?

regards
Juergen

On 06.04.19 at 21:21, André Ockers wrote:
> Hi Peter and list,
> 
> 
> On 06-04-19 at 21:02, Peter Lebbing wrote:
>> The error message is really unclear, but the problem probably is that
>> you should have used "gpg2" instead of "gpg", consistently. So just
>> leave "gpg" behind and only use "gpg2" ever. Well, until an updated
>> Trisquel drops the old 1.4 and both refer to the same version.
>>
>> GnuPG 1.4 and 2.1+ do not mix well in certain scenarios. You probably
>> encountered one.
> 
> I'm now running Synaptic and when I try to remove gnupg, a pop up tells
> me that automatically the following packages will be removed:
> 
>   * apt,
>   * apt-listchanges,
>   * apt-utils,
>   * libcryptui0a,
>   * seahorse-daemon,
>   * seahorse-nautilus,
>   * signing-party,
>   * tasksel,
>   * tasksel-data,
>   * trisquel-desktop-common,
>   * trisquel-keyring,
>   * trisquel-minimal,
>   * trisquel-release-upgrader-gtk,
>   * unattended-upgrades,
>   * update-manager,
>   * update-notifier and
>   * update-notifier-common
> 
> which would probably be a bad idea, wouldn't it?
> 
> Thank you,
> 
> Best regards,
> 
> André Ockers
> 
> 
> 

-- 
Juergen M. Bruckner
juer...@bruckner.tk





Re: Gnupg-users Digest, Vol 184, Issue 22

2019-02-03 Thread Juergen Bruckner
Hi Stefan,

you're welcome! :)

I really don't know how far the development of this software is.
They did introduce their project to a few people at the FOSDEM 2016.
And if I remember right they did get funding from the p≡p Foundation;
but not fully sure about this last point.

regards
Juergen

On 03.02.19 at 21:56, Stefan Claas wrote:
> On Sun, 3 Feb 2019 21:43:34 +0100, Juergen Bruckner wrote:
> 
> Hi Juergen,
> 
>> ever had a look at "Jami" (formerly 'ring') [1]
>>
>>
>> regards
>> Juergen
>>
>> [1] https://jami.net/
> 
> Thanks a lot, will look into it.
> 
> Regards
> Stefan
> 

-- 
Juergen M. Bruckner
juer...@bruckner.tk





Re: Gnupg-users Digest, Vol 184, Issue 22

2019-02-03 Thread Juergen Bruckner
Hello Stefan,

ever had a look at "Jami" (formerly 'ring') [1]?


regards
Juergen

[1] https://jami.net/

On 03.02.19 at 12:49, Stefan Claas wrote:
> On Sun, 3 Feb 2019 04:14:06 -0500, Robert J. Hansen wrote:
>>> Maybe someone, in the future, can pick-up the idea of PGPfone and develop
>>> it further so that it can be used on Linux too or modern macOS. The old
>>> Windows version still runs fine, under Windows 7, for example.
>>
>> Why?
>>
>> It's a serious question.  What exact feature set was there present in
>> PGPfone which you believe is not easily available with out-of-the-box
>> software solutions?
> 
> What I liked about PGPfone was that you could directly connect to your
> communications partner, without any servers involved and it was super
> easy to use. You simply put in the (current) IP address, connect and then
> read some displayed letters to each other, to prevent MITM, and then
> communicated. There was no learning curve involved.
> 
> I think I have to look harder to find a cross-platform FOSS solution
> that works the same.
> 
> Regards
> Stefan
>  
> 
> 
> 
> 
> 

-- 
Juergen M. Bruckner
juer...@bruckner.tk





Re: Garbled data in keyservers

2018-12-09 Thread Juergen Bruckner


On 09.12.18 at 18:24, Dirk Gottschalk via Gnupg-users wrote:
> And further, why should anyone run something like a CA for free.
> Sure, CAcert does it. But that's the only organisation I know who does
> this.

Also WPIA [1] plans to do this and started an audit process for their CA.

regards
Juergen

[1] https://wpia.club
-- 
Juergen Bruckner
juer...@bruckner.tk





Re: a minimal version of PGP/GPG for the Win32/64 bits for command line

2018-12-07 Thread Juergen Bruckner
Hello!

GnuPG is also available as a PortableApp.
www.portableapps.com

regards
Juergen

On 07.12.18 at 17:05, Ángel wrote:
> On 2018-12-07 at 13:04 +0100, Jan Kamracki wrote:
>> Hello!
>>
>>
>> I need a GPG/PGP version running from the command line for Win32/64
>> bits.
>> Something like PGP5i.
>> I wanted to generate a pair of keys and send someone a gpg.exe/pgp.exe
>> + public key, so that he could encrypt a file without any installation
>> PGP/GPG and send it to me.
>> What do you propose?
>>
> Point them to https://www.gpg4win.org/
> 
> I think you could extract the command line binaries and run them as
> portable apps, but actually, I think it would be easier for them to run
> the installer and have a nice GUI app rather than a cli app.
> Not to mention that, if you expected to send them gpg.exe by email so
> that they could reply with an encrypted mail, (a) you are setting a very
> bad precedent expecting them to run an arbitrary executable they
> received from an untrusted medium and (b) the mail server would most
> likely block your message anyway.
> 
> Best regards
> 
> 
> 

-- 
Juergen Bruckner
juer...@bruckner.tk





Re: Need help with GPG + Thunderbird + Enigmail on a RaspberryPi

2018-11-18 Thread Juergen BRUCKNER
Hi Stefan,

the ex- and import of the keys at commandline in terminal works fine.

But I wanted to make screenshots of the process for a presentation I
would use for a training of "newbies" and there I under no circumstances
want to work in terminal or commandline interface.

And I could reproduce this error/failure on another Raspi too.

regards
Juergen

On 18.11.18 at 15:34, Stefan Claas wrote:
> On Sun, 18 Nov 2018 14:52:14 +0100, Juergen Bruckner wrote:
>> Hello Groups,
>>
>> I do this as crossposting on gnupg and enigmail - lists.
>>
>> Raspbian: November 2018 (Kernel 4.4)
>> Thunderbird: 52.9.1 - 32bit
>> Enigmail 2.0.8 (20180804-1515)
>> all installed from the Raspbian-sources
>>
>> At the moment I try to establish a "Backup-Mail-Client" on a
>> RaspberryPi with Thunderbird, GnuPG and Enigmail.
>> So far so good - I brought all to run, except problems with the import
>> of GPG keys.
>> When I try to import a key I just exported a minute before from my
>> desktop pc there is only the public key imported. And YES I double
>> checked to export the secret key.
>> I did export and try to import via Enigmail.
>>
>> Can anyone figure out where I make a mistake or where there is an
>> error?
> 
> Hi Juergen,
> 
> while I no longer use Enigmail, I would try to export your secret key
> with gpg --export-secret-key Juergen and then see if it imports
> properly on the other side.
> 
> Regards
> Stefan
> 
> 
> 
> 

-- 
Juergen M. Bruckner
juer...@bruckner.tk





Need help with GPG + Thunderbird + Enigmail on a RaspberryPi

2018-11-18 Thread Juergen Bruckner
Hello Groups,

I do this as crossposting on gnupg and enigmail - lists.

Raspbian: November 2018 (Kernel 4.4)
Thunderbird: 52.9.1 - 32bit
Enigmail 2.0.8 (20180804-1515)
all installed from the Raspbian-sources

At the moment I try to establish a "Backup-Mail-Client" on a RaspberryPi
with Thunderbird, GnuPG and Enigmail.
So far so good - I brought all to run, except problems with the import
of GPG keys.
When I try to import a key I just exported a minute before from my
desktop pc there is only the public key imported. And YES I double
checked to export the secret key.
I did export and try to import via Enigmail.

Can anyone figure out where I make a mistake or where there is an error?

best regards
Juergen

-- 
Juergen M. Bruckner
juer...@bruckner.tk





Re: OpenPGP key verification + legal framework

2018-11-05 Thread Juergen Bruckner
Hello all,

there is a lot of hassle about using Gmail, but this is not really the
topic here.

If I want an "independent" ID verification on my GPG key, I can also use
CAcert. There the signing of GPG keys is offered for a long time.

best regards
Juergen

On 05.11.18 at 18:03, Damien Goutte-Gattat via Gnupg-users wrote:
> Hi,
> 
> On Mon, Nov 05, 2018 at 05:13:41PM +0100, Juergen Bruckner wrote:
>> I just tried to register with a key which has several user IDs
>> (e-mail addresses) and I always got the error that the user ID is not the
>> same as in log-in/registered e-mail.
> 
> From what they say on the home page [1] this is expected: your key is
> supposed to have only one user ID whose email component must match
> the email address of your Google account...
> 
> ... which, by the way, is a big "no" for me. :/
> 
> 
> Damien
> 
> 
> [1] https://cryptonomica.net/#!/
> 
>> To become member of Cryptonomica:
>> [...]
>> Public PGP Key should have one user ID with first name, last
>> name and user e-mail. E-mail in the key should be the same as in
>> Google account, that you use to login to Cryptonomica server.
>>

-- 
Juergen M. Bruckner
juer...@bruckner.tk





Re: OpenPGP key verification + legal framework

2018-11-05 Thread Juergen Bruckner
Hello All!

I just tried to register with a key which has several user IDs
(e-mail addresses) and I always got the error that the user ID is not the
same as in log-in/registered e-mail.

And yes, to see the list of Notaries before registration would be very good.

regards
Juergen

On 05.11.18 at 17:01, Wiktor Kwapisiewicz via Gnupg-users wrote:
> On 05.11.2018 15:21, Viktor wrote:
>> Dear All,
>>
>> (...)
>>
>> I would be very interested to hear feedback, criticism and suggestions
>> on our project. And also to establish contacts with people interested in
>> cooperation.
> Looks interesting.
> 
> But the language on the registration dialog [0] seems a little bit
> unsettling:
> 
>> user personal data provided for key verification stored for forever
>> and can not be deleted or removed by user's request.
> 
> Maybe it would also be a good idea to provide a list of locations of
> Notaries before registration. I'd like to see if there is one nearby, if
> not, there is not much benefit for me to register (at least now).
> 
> Kind regards,
> Wiktor
> 
> [0]: https://cryptonomica.net/#!/registration
> 

-- 
Juergen M. Bruckner
juer...@bruckner.tk





Re: GPG on Android

2018-11-05 Thread Juergen Bruckner
Hi Werner

I know it's not the perfect setup, but it is practicable for me, and as I
usually just work with subkeys I feel on a more safe side with this.
Tokens are always a good idea, and if anyone can use them it's
recommended to do it that way.

There are good reasons why GPG supports Tokens/Cards by default ;)

best regards
Juergen

On 05.11.18 at 10:41, Werner Koch wrote:
> On Sun,  4 Nov 2018 23:20, juer...@bruckner.tk said:
> 
>> I for myself did configure MailDroid that way, that for each
>> crypto-operation, decrypt, sign, encrypt I have to enter my passwort
>> each time.
> 
> That does not help.  A bugged phone will for sure employ a keylogger and
> thus you can also work without a passphrase.  To protect your key you
> need to move the key to a separate hardware device (aka token).  This
> may not help to protect your messages but at least your token must be close
> to the device so that an attacker can make use of your keys.
> 
> 
> Shalom-Salam,
> 
>Werner
> 
> 

-- 
Juergen M. Bruckner
juer...@bruckner.tk





Re: GPG on Android

2018-11-04 Thread Juergen Bruckner
Hello Roland,

I for myself did configure MailDroid that way, that for each
crypto-operation, decrypt, sign, encrypt I have to enter my password
each time.

With pincards on Android I have absolutely NO experience, but I'm sure
one of our fellow list members can give you an answer on this specific
question.

best regards
Juergen

On 04.11.18 at 22:55, Roland wrote:
> Hello list,
> 
> I share the wish for encrypted email on Android, but I am afraid of storing a 
> secret key on my android phone. (theft, hacking, loss, etc) 
> 
> How do you feel about that?
> 
> Could a pincard be connected via micro USB? And made to work?
> 
> Greetz
> Roland 
> 
> 
> 

-- 
Juergen M. Bruckner
juer...@bruckner.tk





Re: GPG on Android

2018-11-04 Thread Juergen Bruckner
Hello All,

in this topic I forgot to mention another android-mail-app.
Thanks to Chris for the hint!

This app is from an Austrian developer (rundquadrat OG) and is called
"R2Mail 2" [1]. It has full GPG and X.509 (aka S/MIME) support.
This app comes in a test version with limited functions and has a
licence key [2] to buy for full functions. With a price around 5 EUR it
is not that expensive.

The developer was on parental leave - which I knew - and should be
back in the office now.

best regards
Juergen


[1] https://play.google.com/store/apps/details?id=at.rundquadrat.android.r2mail2
[2] https://play.google.com/store/apps/details?id=at.rundquadrat.android.r2mail2license

-- 
Juergen M. Bruckner
juer...@bruckner.tk





Re: GPG on Android

2018-11-04 Thread Juergen BRUCKNER
Hello!

Sorry for late reply, your message was classified as spam :(

On 04.11.18 at 10:04, gnupgpac...@on.yourweb.de wrote:
> 
> Hello Juergen,
> thanks for kind explanation about MailDroid :)
> 
You're very welcome

> Does MailDroid support several different mail accounts using GPG and/or
> S/Mime?
> 
Yes, MailDroid does support several different mail accounts.
You can mix the crypto functions with each account, means you can use
GPG for account A and C, S/MIME for B and combine GPG and S/MIME for D.

I personally recommend the paid version of MailDroid, named "MailDroid
pro" as it has a bit more functions than the free app.
The costs are around 8-10 EUR.

Be aware that you also need the Flipdog CryptoPlugin, in which you
manage keys and certs. It has its own certificate store and accesses the
device store as well.

> I am using K9-Mail in conjunction with CipherMail for S/Mime, but CipherMail
> only supports *one* S/Mime account...

Yes this problem is well known

> Thx and regards!
> 
> 

If you have any questions please do not hesitate to write me. You can
also write directly if you prefer.

best regards from Austria
Juergen



>> --
>>
>> Message: 5
>> Date: Sat, 3 Nov 2018 19:13:52 +0100
>> From: Juergen BRUCKNER 
>> To: gnupg-users@gnupg.org
>> Subject: Re: GPG on Android
>> Message-ID: 
>> Content-Type: text/plain; charset="utf-8"
>>
>> Hello Masha,
>>
>> as you are new to this whole topic, I guess the easiest way to use
>> encrypted mail (either GPG and/or S/MIME) on an Android device would be
>> the app "MailDroid".
>> It comes in a free version[1] (with advertisings) and in a "pro"
>> version[2] (without advertisings) and supports both GPG and S/MIME.
>> MailDroid also supports POP and IMAP, and works fine with Googlemail.
>>
>> You need to install the additional Flipdog CryptoPlugin[3] on your
>> device, where you import and manage the keys.
>> You have to create the keys for example on a desktop computer and import
>> it to your android device and into the CryptoPlugin.
>>
>> I have used MailDroid for several years without any problems, and can fully
>> recommend it for beginners.
>>
>> There is also an app named "K-9 Mail"[4], which supports GPG (but not
>> S/MIME). As far as I know you also need several additional software for K-9
>> Mail.
>> In my eyes it's not really recommendable for beginners. I tried it years
>> ago and found it a bit complicated to use for myself. But that's a
>> personal opinion.
>>
>> The best would be to try both, MailDroid and K-9 Mail and then make your
>> personal choice.
>> If you need help with MailDroid you can contact me. For K-9 Mail I am
>> sure that here are also some people who can help you with it.
>>
>> best regards
>> Juergen
>>
>> [1] https://play.google.com/store/apps/details?id=com.maildroid
>> [2] https://play.google.com/store/apps/details?id=com.maildroid.pro
>> [3]
>> https://play.google.com/store/apps/details?id=com.flipdog.crypto.plugin
>> [4] https://play.google.com/store/apps/details?id=com.fsck.k9
>>
> 

-- 
Juergen M. Bruckner
juer...@bruckner.tk





Re: GPG on Android

2018-11-03 Thread Juergen BRUCKNER
Hello Masha,

as you are new to this whole topic, I guess the easiest way to use
encrypted mail (either GPG and/or S/MIME) on an Android device would be
the app "MailDroid".
It comes in a free version[1] (with advertising) and in a "pro"
version[2] (without advertising) and supports both GPG and S/MIME.
MailDroid also supports POP and IMAP, and works fine with Googlemail.

You need to install the additional Flipdog CryptoPlugin[3] on your
device, where you import and manage the keys.
You have to create the keys for example on a desktop computer and import
them to your Android device and into the CryptoPlugin.

I have used MailDroid for several years without any problems, and can fully
recommend it for beginners.

There is also an app named "K-9 Mail"[4], which supports GPG (but not
S/MIME). As far as I know you also need several additional pieces of
software for K-9 Mail.
In my eyes it's not really recommendable for beginners. I tried it years
ago and found it a bit complicated to use for myself. But that's a
personal opinion.

The best would be to try both, MailDroid and K-9 Mail and then make your
personal choice.
If you need help with MailDroid you can contact me. For K-9 Mail I am
sure that there are also some people here who can help you with it.

best regards
Juergen

[1] https://play.google.com/store/apps/details?id=com.maildroid
[2] https://play.google.com/store/apps/details?id=com.maildroid.pro
[3] https://play.google.com/store/apps/details?id=com.flipdog.crypto.plugin
[4] https://play.google.com/store/apps/details?id=com.fsck.k9



Am 03.11.18 um 17:04 schrieb Yagthara Aghhay-Boor:
> Hello Group,
> 
> I'm very new to GPG and email encryption and looking for a app to use gpg
> and signed email on my android devices.
> Can you recommend me a email app to use with pgp on Android?
> 
> best
> Masha
> 
> 
> 

-- 
Juergen M. Bruckner
juer...@bruckner.tk





Re: Slightly OT - i need the proper wording for a signed document

2018-11-03 Thread Juergen BRUCKNER
Hello Stefan, Hello all,

of course it is possible that several people sign (and/or timestamp) a
document.
Just an example out of my business:
There is a contract to be signed by more than 2 persons or parties. So I
make a document of it - for example a pdf file (which is recommended) -
and send it to the next person who has to sign it, this person signs and
sends it to another person for signing ... and so on.
As long as the document is not edited all signatures stay intact and valid.

This is necessary, as otherwise a contract could never be signed
between 2 parties.

regards
Juergen

Am 03.11.18 um 17:21 schrieb Stefan Claas:
> On Sat, 3 Nov 2018 10:43:49 +0100, Stefan Claas wrote:
>> On Fri, 2 Nov 2018 15:42:40 +0100, Stefan Claas wrote:
> 
>>> I strongly assume that it is also possible that someone
>>> else can sign my .pdf too with a qualified signature and
>>> this will also not invalidate my qualified signature, unless
>>> of course someone would *edit* my document.  
>>
>> Just did a test with an older .pdf, which was signed with my
>> non-qualified D-Trust certificate and time stamped with
>> freetsa. Now I signed it again with my qualified D-Trust certificate
>> and time stamped again.
>>
>> Works perfect! :-)
> 
> Small update: A Usenet friend just signed my .pdf too, with his
> qualified D-Trust certificate and it works like expected. :-)
> 
> Regards
> Stefan
> 
> 
> 

-- 
Juergen M. Bruckner
juer...@bruckner.tk





Re: Slightly OT - i need the proper wording for a signed document

2018-11-02 Thread Juergen BRUCKNER
Hello Dirk,

Am 02.11.18 um 15:20 schrieb Dirk Gottschalk via Gnupg-users:
> You mean, you "tampered" with the file and the signature is still
> valid? Are you sure? Then Adobe does something really bad, IMHO.
> 
> Such a signature should ensure that the file is unmodified completely.
> otherwise somebody can modify it in a way that could be used as a
> backdoor to the signature, at least in theory.

It is correct that a signature is valid if a timestamp is added
AFTER signing the document. Very simplified, it uses the same method for
timestamping as for signing, and it is a kind of 2nd signature on the
same document. The document is NOT altered or manipulated.

regards
Juergen

-- 
Juergen M. Bruckner
juer...@bruckner.tk





Re: Choice of ECC curve on usb token

2018-06-29 Thread Juergen Bruckner
Hello Damien,

Am 2018-06-29 um 18:07 schrieb Damien Cassou:
> Moreover, Nitrokey Storage only supports NIST and Brainpool, nothing
> else.
I'm not fully sure but I guess for your purposes you would need Nitrokey
Pro[1]

best regards
Juergen

[1] https://shop.nitrokey.com/de_DE/shop/product/nitrokey-pro-3
-- 
Juergen M. Bruckner
juer...@bruckner.tk





Re: gnupg.org Listserver maybe misconfigured?

2018-06-18 Thread Juergen BRUCKNER
Hello Mark!

Thank you very much for your answer and clarification.

Am 2018-06-18 um 19:18 schrieb Mark Rousell:
> I note that your bruckner.tk domain appears to have a p=none policy so,
> if I understand all this correctly, it should not matter to you.
> 
> In short, there is nothing to worry about (as far as I can see).
> Everything is working as it should.

best regards
Juergen
-- 
Juergen M. Bruckner
juer...@bruckner.tk





gnupg.org Listserver maybe misconfigured?

2018-06-18 Thread Juergen BRUCKNER
Hello guys,

could it be that the server for the GnuPG.org mailing lists is
kinda misconfigured?

My weekly DMARC report says that gnupg.org sent a total of 477 mails in the
name of the domain 'bruckner.tk' last week.

---snip---
gnupg.org

Source IP                 Total   SPF Aligned   DKIM Aligned
217.69.76.57              251     0%            0%
2001:aa8:fff1:2100::57    226     0%            0%
---snip---

Any Ideas?

best regards
Juergen
-- 
Juergen M. Bruckner
juer...@bruckner.tk
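
Added example (not part of the original posts): a small DMARC evaluator showing why list-forwarded mail shows up as 0% aligned in the report above and why a p=none policy means nothing happens to it. The source IPs and counts come from the report; the SPF and DKIM details of each row and the two-label organizational-domain shortcut are assumptions.

```python
from dataclasses import dataclass, field

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real evaluators
    # use the Public Suffix List (this shortcut is wrong for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    """Relaxed alignment compares organizational domains, strict the full names."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if strict else org_domain(a) == org_domain(f)

@dataclass
class Row:
    source_ip: str
    count: int
    header_from: str                          # domain in the From: header
    spf_domain: str                           # envelope sender domain SPF checked
    spf_result: str
    dkim: list = field(default_factory=list)  # [(d= domain, result)]

def evaluate(row, policy="none"):
    """DMARC passes if SPF or DKIM both passes and is aligned with From:."""
    spf = row.spf_result == "pass" and aligned(row.spf_domain, row.header_from)
    dkim = any(res == "pass" and aligned(dom, row.header_from)
               for dom, res in row.dkim)
    passed = spf or dkim
    return {"spf_aligned": spf, "dkim_aligned": dkim,
            "dmarc": "pass" if passed else "fail",
            "disposition": "none" if passed else policy}

def summarize(rows, policy="none"):
    """Per source IP: message total, aligned percentages, dispositions."""
    acc = {}
    for row in rows:
        res = evaluate(row, policy)
        s = acc.setdefault(row.source_ip,
                           {"total": 0, "spf": 0, "dkim": 0, "disp": set()})
        s["total"] += row.count
        s["spf"] += row.count * res["spf_aligned"]
        s["dkim"] += row.count * res["dkim_aligned"]
        s["disp"].add(res["disposition"])
    return {ip: {"total": s["total"],
                 "spf_aligned_pct": 100 * s["spf"] // s["total"],
                 "dkim_aligned_pct": 100 * s["dkim"] // s["total"],
                 "dispositions": sorted(s["disp"])}
            for ip, s in acc.items()}

# IPs and counts from the report above. Constructed assumptions: SPF passes
# for the list's own envelope domain, and the author's DKIM signature no
# longer verifies after the list appended its footer.
ROWS = [
    Row("217.69.76.57", 251, "bruckner.tk", "gnupg.org", "pass",
        [("bruckner.tk", "fail")]),
    Row("2001:aa8:fff1:2100::57", 226, "bruckner.tk", "gnupg.org", "pass",
        [("bruckner.tk", "fail")]),
]
```

With policy="none" every row fails DMARC but keeps disposition "none"; the same rows under "quarantine" or "reject" would be acted on by receivers.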





Re: [Announce] [security fix] GnuPG 2.2.8 released (CVE-2018-12020)

2018-06-11 Thread Juergen Bruckner
I did NOT encrypt the message, just signed it with my PGP key. This
message is now sent without signing or encryption.

Am 2018-06-10 um 22:50 schrieb Jean-David Beyer:
> On 06/10/2018 01:25 PM, Juergen Bruckner wrote:
>> Hello Werner,
>>
>> I use Linux Mint 18.3 with GnuPG 2.1.11; which is the easiest way to
>> update it to 2.2.8?
>>
>>
>> I'm pretty new to the Linux world, but as far as I know I have NOT included
>> an "own" GnuPG repo in my repo list.
>>
>> best regards
>> Juergen
>>
>> Am 2018-06-08 um 15:40 schrieb Werner Koch:
>>> Hello!
>>>
>>> We are pleased to announce the availability of a new GnuPG release:
>>> version 2.2.8.  This version fixes a critical security bug and comes
>>> with some other minor changes.
>>>
>>>
>>> Impact
>>> ======
>>>
>>> All current GnuPG versions are affected on all platforms.
>>>
>>> All mail clients and other applications which make use of GPG but are
>>> not utilizing the GPGME library might be affected.
>>>
>>> The OpenPGP protocol allows to include the file name of the original
>>> input file into a signed or encrypted message.  During decryption and
>>> verification the GPG tool can display a notice with that file name.  The
>>> displayed file name is not sanitized and as such may include line feeds
>>> or other control characters.  This can be used to inject terminal control
>>> sequences into the output and, worse, to fake the so-called status
>>> messages.  These status messages are parsed by programs to get
>>> information from gpg about the validity of a signature and other
>>> parameters.  Status messages are created with the option "--status-fd N"
>>> where N is a file descriptor.  Now if N is 2 the status messages and the
>>> regular diagnostic messages share the stderr output channel.  By using a
>>> made up file name in the message it is possible to fake status messages.
>>> Using this technique it is for example possible to fake the verification
>>> status of a signed mail.
>>>
>>> Although GnuPG takes great care to sanitize all diagnostic and status
>>> output, the case at hand was missed but finally found and reported by
>>> Marcus Brinkmann.  CVE-2018-12020 was assigned to this bug; GnuPG tracks
>>> it at <https://dev/gnupg.org/T4012>.
>>>
>>>
>>> Solution
>>> ========
>>>
>>> If your application uses GPGME your application is safe.  Fortunately
>>> most modern mail readers use GPGME, including GpgOL and KMail.  Mutt
>>> users should make sure to use "set crypt_use_gpgme".
>>>
>>> If you are parsing GnuPG status output and you use a dedicated file
>>> descriptor with --status-fd you are safe.  A dedicated file descriptor
>>> is one that is not shared with the log output.  The log output defaults
>>> to stderr (2) but may be different if the option --logger-fd is used.
>>>
>>> If you are not using --verbose you are safe.  But take care: --verbose
>>> might be specified in the config file.  As a short term mitigation or if
>>> you can't immediately upgrade to the latest versions, you can add
>>> --no-verbose to the invocation of gpg.
>>>
>>> Another short term mitigation is to redirect the log output to a
>>> different file: For example "--log-file /dev/null".
>>>
>>> The suggested solution is to update to GnuPG 2.2.8 or a vendor provided
>>> update of their GnuPG version.
>>>
>>> To check whether the bug has been fixed you may use the simple test at
>>> the end of this mail [1].
>>>
>>>
>>> About GnuPG
>>> ===========
>>>
>>> The GNU Privacy Guard (GnuPG) is a complete and free implementation
>>> of the OpenPGP standard which is commonly abbreviated as PGP.
>>>
>>> GnuPG allows to encrypt and sign data and communication, features a
>>> versatile key management system as well as access modules for public key
>>> directories.  GnuPG itself is a command line tool with features for easy
>>> integration with other applications.  A wealth of frontend applications
>>> and libraries making use of GnuPG are available.  As an Universal Crypto
>>> Engine GnuPG provides support for S/MIME and Secure Shell in addition to
>>> OpenPGP.
>>>
>>> GnuPG is Free Software (meaning that it respects your freedom).  It can
>>> be freely used, modified
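
Added example (not part of the quoted announcement or of GnuPG's code): a status parser fed from a dedicated pipe, as the "Solution" section of the advisory recommends, next to what the same parser concludes when status and log output share stderr. The byte streams are constructed and simplified, and the acceptance policy in signature_ok() is an assumption.

```python
import os
import subprocess

PREFIX = b"[GNUPG:] "
FAILED = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def parse_status(stream):
    """Return [(keyword, args)] for every status line in a byte stream."""
    lines = []
    for raw in stream.splitlines():
        if raw.startswith(PREFIX):
            text = raw[len(PREFIX):].decode("utf-8", "replace")
            keyword, _, args = text.partition(" ")
            lines.append((keyword, args))
    return lines

def signature_ok(status):
    """Simplified policy (assumption): GOODSIG and VALIDSIG, no failure keyword."""
    seen = {keyword for keyword, _ in status}
    return {"GOODSIG", "VALIDSIG"} <= seen and not (seen & FAILED)

def gpg_argv(status_fd, sig_path, data_path, gpg="gpg"):
    # --no-verbose is the advisory's short-term mitigation; the status fd is
    # a pipe of its own, never 2 (stderr), so log text cannot reach the parser.
    return [gpg, "--batch", "--no-verbose", "--status-fd", str(status_fd),
            "--verify", sig_path, data_path]

def verify_detached(sig_path, data_path):
    """Run gpg with a dedicated status pipe (POSIX only: uses pass_fds)."""
    r, w = os.pipe()
    try:
        proc = subprocess.Popen(gpg_argv(w, sig_path, data_path), pass_fds=(w,),
                                stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL)
    except OSError:
        os.close(r)
        raise
    finally:
        os.close(w)              # parent drops the write end so read() sees EOF
    with os.fdopen(r, "rb") as pipe:
        status = parse_status(pipe.read())
    return proc.wait() == 0 and signature_ok(status)

# Constructed: what a parser reads from stderr with "--status-fd 2" and
# --verbose on an affected gpg when the embedded file name has line feeds.
SHARED_STDERR = (b"gpg: original file name='x\n"
                 b"[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Signer\n"
                 b"[GNUPG:] VALIDSIG " + b"0" * 40 + b"\n"
                 b"'\n"
                 b"[GNUPG:] PLAINTEXT 62 0 x\n")
# Constructed, simplified: the same unsigned message on a dedicated pipe.
DEDICATED_STATUS = b"[GNUPG:] PLAINTEXT 62 0 x\n[GNUPG:] PLAINTEXT_LENGTH 5\n"
```

signature_ok(parse_status(SHARED_STDERR)) is True although nothing was signed, while the dedicated stream yields False; a line-based parser cannot tell the two kinds of output apart once they share a channel.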

Re: [Announce] [security fix] GnuPG 2.2.8 released (CVE-2018-12020)

2018-06-11 Thread Juergen Bruckner
> (Could you please trim your quotes? Incidentally, this would have
> prevented the problem in the first place, both on the first and on your
> reply).
> 
Thanks for the hint


> It would appear that at least Enigmail (mine is from Debian
> stable/stretch) ignores an inline encrypted block if it is indented, but
> interprets it if it is quoted *and* indented. So while there was no
> attempt to decrypt the block in the first message by Werner, as soon as
> it was part of a quote, starting with ">   ", Enigmail will try to
> process it. Type in the passphrase "abc" without quotes, and you'll
> decrypt the test message part of the announcement.
> 
and thanks again for the info

regards
Juergen

-- 
Juergen M. Bruckner
juer...@bruckner.tk





Re: [Announce] [security fix] GnuPG 2.2.8 released (CVE-2018-12020)

2018-06-10 Thread Juergen Bruckner
Hello Werner,

I use Linux Mint 18.3 with GnuPG 2.1.11; which is the easiest way to
update it to 2.2.8?


I'm pretty new to the Linux world, but as far as I know I have NOT included
an "own" GnuPG repo in my repo list.

best regards
Juergen

Am 2018-06-08 um 15:40 schrieb Werner Koch:
> Hello!
> 
> We are pleased to announce the availability of a new GnuPG release:
> version 2.2.8.  This version fixes a critical security bug and comes
> with some other minor changes.
> 
> 
> Impact
> ======
> 
> All current GnuPG versions are affected on all platforms.
> 
> All mail clients and other applications which make use of GPG but are
> not utilizing the GPGME library might be affected.
> 
> The OpenPGP protocol allows to include the file name of the original
> input file into a signed or encrypted message.  During decryption and
> verification the GPG tool can display a notice with that file name.  The
> displayed file name is not sanitized and as such may include line feeds
> or other control characters.  This can be used to inject terminal control
> sequences into the output and, worse, to fake the so-called status
> messages.  These status messages are parsed by programs to get
> information from gpg about the validity of a signature and other
> parameters.  Status messages are created with the option "--status-fd N"
> where N is a file descriptor.  Now if N is 2 the status messages and the
> regular diagnostic messages share the stderr output channel.  By using a
> made up file name in the message it is possible to fake status messages.
> Using this technique it is for example possible to fake the verification
> status of a signed mail.
> 
> Although GnuPG takes great care to sanitize all diagnostic and status
> output, the case at hand was missed but finally found and reported by
> Marcus Brinkmann.  CVE-2018-12020 was assigned to this bug; GnuPG tracks
> it at .
> 
> 
> Solution
> ========
> 
> If your application uses GPGME your application is safe.  Fortunately
> most modern mail readers use GPGME, including GpgOL and KMail.  Mutt
> users should make sure to use "set crypt_use_gpgme".
> 
> If you are parsing GnuPG status output and you use a dedicated file
> descriptor with --status-fd you are safe.  A dedicated file descriptor
> is one that is not shared with the log output.  The log output defaults
> to stderr (2) but may be different if the option --logger-fd is used.
> 
> If you are not using --verbose you are safe.  But take care: --verbose
> might be specified in the config file.  As a short term mitigation or if
> you can't immediately upgrade to the latest versions, you can add
> --no-verbose to the invocation of gpg.
> 
> Another short term mitigation is to redirect the log output to a
> different file: For example "--log-file /dev/null".
> 
> The suggested solution is to update to GnuPG 2.2.8 or a vendor provided
> update of their GnuPG version.
> 
> To check whether the bug has been fixed you may use the simple test at
> the end of this mail [1].
> 
> 
> About GnuPG
> ===========
> 
> The GNU Privacy Guard (GnuPG) is a complete and free implementation
> of the OpenPGP standard which is commonly abbreviated as PGP.
> 
> GnuPG allows to encrypt and sign data and communication, features a
> versatile key management system as well as access modules for public key
> directories.  GnuPG itself is a command line tool with features for easy
> integration with other applications.  A wealth of frontend applications
> and libraries making use of GnuPG are available.  As an Universal Crypto
> Engine GnuPG provides support for S/MIME and Secure Shell in addition to
> OpenPGP.
> 
> GnuPG is Free Software (meaning that it respects your freedom).  It can
> be freely used, modified and distributed under the terms of the GNU
> General Public License.
> 
> 
> Noteworthy changes in version 2.2.8
> ===================================
> 
>   * gpg: Decryption of messages not using the MDC mode will now lead
>     to a hard failure even if a legacy cipher algorithm was used.  The
>     option --ignore-mdc-error can be used to turn this failure into a
>     warning.  Take care: Never use that option unconditionally or
>     without a prior warning.
> 
>   * gpg: The MDC encryption mode is now always used regardless of the
>     cipher algorithm or any preferences.  For testing --rfc2440 can be
>     used to create a message without an MDC.
> 
>   * gpg: Sanitize the diagnostic output of the original file name in
>     verbose mode.  [#4012,CVE-2018-12020]
> 
>   * gpg: Detect suspicious multiple plaintext packets in a more
>     reliable way.  [#4000]
> 
>   * gpg: Fix the duplicate key signature detection code.  [#3994]
> 
>   * gpg: The options --no-mdc-warn, --force-mdc, --no-force-mdc,
>     --disable-mdc and --no-disable-mdc have no more effect.
> 
>   * agent: Add DBUS_SESSION_BUS_ADDRESS and a few other envvars to the
>     list of startup environment variables.  [#3947]
> 
> 
> Getting t