Re: Configuring dirmngr
On Wed, 06 Sep 2017 13:59:43 -0400 Daniel Kahn Gillmor wrote:

> after making that configuration file, have you explicitly restarted
> dirmngr? the simplest way is:
>
> gpgconf --kill dirmngr

Thank you, Daniel. There was a problem with how I was restarting dirmngr in my script. Your post helped identify it. And the problem is solved.

-- 
Sinceramente / Best regards,
Mário J.G.P. Figueiredo
Luanda, Angola
(email) mar...@gmx.com
(alt) kru...@openmailbox.org
(phone) +244 934 535 121

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Configuring dirmngr
I'm having trouble configuring dirmngr to use a default keyserver. The current configuration file at .gnupg/dirmngr.conf contains this single line:

    keyserver hkp://pgp.mit.edu

However, trying to use --recv-keys always fails:

    $ gpg --recv-keys 0x194b631ab2da2888
    gpg: no valid OpenPGP data found.
    gpg: Total number processed: 0

I can only make it work by using the deprecated method of explicitly naming the keyserver:

    $ gpg --keyserver hkp://pgp.mit.edu --recv-keys 0x194b631ab2da2888
    key 194B631AB2DA2888: 32 signatures not checked due to missing keys
    gpg: key 194B631AB2DA2888: "Andreas Rönnquist " not changed
    gpg: Total number processed: 1
    gpg: unchanged: 1

What am I doing wrong in the dirmngr configuration file?

-- 
Sinceramente / Best regards,
Mário J.G.P. Figueiredo
Luanda, Angola
(email) mar...@gmx.com
(alt) kru...@openmailbox.org
(phone) +244 934 535 121
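The configuration and restart step discussed in this thread, as an added shell example that is not from the original posts: it rewrites the keyserver line in dirmngr.conf without clobbering other options and then restarts dirmngr with gpgconf --kill, the step the reply above identifies as missing. The config path and the GNUPGHOME fallback are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): set the default keyserver in
# dirmngr.conf and restart dirmngr so the new setting is actually read.
# Assumes the usual location ${GNUPGHOME:-$HOME/.gnupg}/dirmngr.conf.
set -e

# Replace any existing "keyserver" line in $1 with "keyserver $2",
# or append one; every other option in the file is left untouched.
set_dirmngr_keyserver() {
    conf="$1"
    url="$2"
    mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    tmp="$conf.tmp.$$"
    # grep -v exits 1 when nothing is left to print (empty file), so allow it.
    grep -v '^[[:space:]]*keyserver[[:space:]]' "$conf" > "$tmp" || true
    printf 'keyserver %s\n' "$url" >> "$tmp"
    mv "$tmp" "$conf"
}

# Print the keyserver URL currently configured in $1 (empty if none).
get_dirmngr_keyserver() {
    [ -f "$1" ] || return 0
    sed -n 's/^[[:space:]]*keyserver[[:space:]]\{1,\}//p' "$1" | tail -n 1
}

# dirmngr reads its configuration at startup only, which is the symptom in
# the question above: edit the file, then kill the running daemon; gpg
# starts a fresh dirmngr on the next --recv-keys.
restart_dirmngr() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --kill dirmngr
    else
        echo "gpgconf not found; restart dirmngr manually" >&2
        return 1
    fi
}

# Usage (assumed paths):
#   set_dirmngr_keyserver "${GNUPGHOME:-$HOME/.gnupg}/dirmngr.conf" hkp://pgp.mit.edu
#   restart_dirmngr
```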
Re: E-mail with deniable authentication
On Tue, 29 Aug 2017 14:33:46 -0400 "Robert J. Hansen" wrote:

> You can prove origination *only if* you can prove the originating PC
> was not compromised. Given how common compromise is today -- a few
> years ago Vint Cerf estimated one in four desktop PCs was compromised
> -- this is a very high threshold to clear.
>
> In a theoretical sense, OpenPGP is a nonrepudiable protocol. But in a
> practical sense, it is not.

This isn't true. The necessity for deniability arises many times in contexts where the odds aren't measured clinically, where the possibility of one's PC being compromised isn't known or established, or which have much lower thresholds of acceptance. Examples are dictatorships, and many forms of human relationships, including job relations. I would say that it is the exact opposite of what you said: in practice OpenPGP is nonrepudiable.

But that's fine. One can argue that OpenPGP isn't designed to offer that feature and probably never will. Deniability, particularly when it comes to the subject of communication, requires that the message itself can be deniable. OpenPGP does not do any of that. That level of protection exists a layer up from OpenPGP. If one wants to use deniability with OpenPGP, one just needs to wrap OpenPGP messages in systems that support it.

-- 
Sinceramente / Best regards,
Mário J.G.P. Figueiredo
Luanda, Angola
(email) mar...@gmx.com
(alt) kru...@openmailbox.org
(phone) +244 934 535 121
Re: gnupg or gpg-agent options for parallelism and memory usage
On Fri, 4 Aug 2017 09:56:09 + Fiedler Roman wrote:

> PS: CAVEAT, gnupg-users list seems to be configured in strange way:
> "reply to all" does not reply to the list, so please add address
> manually.

OT sidenote: Took me a while to realize this, and I must have annoyed a few people with my early replies. All fixed now. And my apologies.

MF
Re: Your Thoughts
"The researchers didn't perform an exhaustive analysis of the encryption methods devised by Alice and Bob"

So there isn't much that can be said. The experiment was pretty much a game of life between the couple and Eve, with the more than predictable outcome that Eve shows signs of gaining ground right until a new cypher is devised. We have that already in the real world. There's nothing here to either support or disprove Neural Networks' abilities in the field of cryptology, and it is not clear at all what the objective of this experiment was or what was expected to be gained from it. Except maybe a headline on Ars Technica. Known for, among other things, also making headlines out of Elon Musk's verbal diarrhea.

MF

On Tue, 1 Aug 2017 18:30:05 +0100 "da...@gbenet.com" wrote:

> Hi All,
>
> I was sharing thoughts on AI in Linux facebook and Sean Rickerd
> shared this link
>
> https://arstechnica.com/information-technology/2016/10/google-ai-neural-network-cryptography/
>
> David

-- 
Sinceramente / Best regards,
Mário J.G.P. Figueiredo
Luanda, Angola
(email) mar...@gmx.com
(alt) kru...@openmailbox.org
(phone) +244 934 535 121
Re: 'sign (and cert)' or just 'cert' on a master key with subkeys
On Mon, 31 Jul 2017 18:38:09 +0200 Damien Goutte-Gattat wrote:

> The problem with recommending unnecessary steps is that they will
> confuse the beginner and make him think that GnuPG is more difficult
> to use than it already is.

Which essentially describes my whole first impression of GnuPG until I finally decided to read the official documentation. Particularly the GNU Privacy Handbook and the Mini HowTo.

MF
Re: 'sign (and cert)' or just 'cert' on a master key with subkeys
On Mon, 31 Jul 2017 15:44:52 +0100 Mario Figueiredo wrote:

> On a separate tutorial (2), Alan Eliasen strongly advises against this
> practice.

I'm replying to my own post, because the above seems a little like I'm trying to make an argument from authority. That was not my intention. It's just poorly worded. Read it as "The author of a separate tutorial advises against this practice".

MF
Re: 'sign (and cert)' or just 'cert' on a master key with subkeys
On Sun, 30 Jul 2017 22:19:22 +0200 Dirk-Willem van Gulik wrote:

> I see a growing number of keys that have well managed & expired
> separate subkeys for Signing, Encryption and Authentication switch
> from ‘SC’ on the master key to just ‘C’ (all RSA, ignoring DSA).
>
> Would anyone know if there is some documented best practice ?

Could probably be a direct application of this Debian article (1) on subkeys. And meant to facilitate the recovery of the web of trust in case of disaster. On a separate tutorial (2), Alan Eliasen strongly advises against this practice.

(1) https://wiki.debian.org/Subkeys?action=show&redirect=subkeys
(2) https://futureboy.us/pgp.html#PerfectKeypair

MF
Re: gpg-agent cache keygrip
On Thu, 27 Jul 2017 14:23:44 +0200 Peter Lebbing wrote:

> Now let's get on to a passphrase manager and GnuPG specifically. A
> different way to look at it is this: would you use GnuPG to protect
> your passphrase manager? This is actually a feature request I've seen
> multiple times: please provide a way to use my OpenPGP key to unlock
> my passphrase manager. In that way, the security of the passphrase
> manager is utterly dependent on the security of GnuPG. Crack GnuPG,
> and the passphrase manager falls immediately as well.

This is precisely what 'pass' (1) does. I have never looked back since I started using it. Of note also is the fact that pass is not a compiled program, but instead a shell script smartly wrapping GnuPG functionality into the shape of a password manager. For this reason, I don't know if anyone ever ported the idea to Windows, but from what little I remember of Powershell, it would be perfectly doable.

I use pass with rofi-pass to facilitate the integration with browsers and applications, allowing me to quickly enter passwords without typing them into any type of program that accepts keyboard input from the clipboard. And without *any* need for plugins of any sort on those pesky browsers.

> and those who would store their GnuPG passphrases in a
> passphrase manager.

This indeed is not so bad if it is also GnuPG that is handling your password manager. Although, I'd agree that it is one thing to discover the GnuPG passphrase for a password manager and it is another thing to also discover that you now have the victim's passwords for the remaining GnuPG keys accessible to you.

But there are other considerations. Who am I? What do I do in life? Who are my enemies? Depending on how good we are at answering these questions in a rational way, I find that a large part of the general population has little to no reason to fear storing sensitive GnuPG-specific data in their personal entirely-offline password store.

As an FYI, I do not store the actual passphrases, but I do store the 0-type revocation certificates with 'pass'. I don't feel that threatened, and it tremendously facilitates things for someone without any access to reliable and secure physical storage. There is no reason why I couldn't store the passphrases also. I will eventually, the day I start fearing my brain.

-- 
Sinceramente / Best regards,
Mário J.G.P. Figueiredo
Luanda, Angola
(email) mar...@gmx.com
(alt) kru...@openmailbox.org
(phone) +244 934 535 121
Re: gpg-agent cache keygrip
On Thu, 27 Jul 2017 11:46:33 +0200 Peter Lebbing wrote:

[...]

> shared the passphrase. If you can't remember which is 1 and which is
> 2, use something you can recognise. For instance, if the pinentry
> asks you "Please unlock key 0x6228A8BC", you could append a C, the
> very last digit of the identifier.

Excellent idea in fact! Thank you.

-- 
Sinceramente / Best regards,
Mário J.G.P. Figueiredo
Luanda, Angola
(email) mar...@gmx.com
(alt) kru...@openmailbox.org
(phone) +244 934 535 121
Re: gpg-agent cache keygrip
On Thu, 27 Jul 2017 12:27:30 +0100 MFPA <2014-667rhzu3dc-lists-gro...@riseup.net> wrote:

> The single point of failure stops being a passphrase used across
> multiple keys; it becomes the password required to open the password
> manager that protects the multiple passphrases.

I already use a password manager. I use 'pass'. Most of my keys are generated with `pwgen -s` (for some reason I prefer it to pass's own generator). All told, I have 83 password file entries in .password-store/. But these are non-essential passwords. Forums, internet services, etc.

You must understand, I use old systems that I maintain for 10 years or more. Despite backups there is always the fear that I might one day lose this central password storage. So essential passwords are created differently; GnuPG keys, my 2 main email addresses, system boot, banking, taxes website, CC pin,... this world is not an easy place to live in. They too have their entries in the password store, of course. But they must be committed to memory too. As such, for these types of passwords, you understand that a password manager acts simply as an unreliable backup store and not as a management tool.

-- 
Sinceramente / Best regards,
Mário J.G.P. Figueiredo
Luanda, Angola
(email) mar...@gmx.com
(alt) kru...@openmailbox.org
(phone) +244 934 535 121
Re: gpg-agent cache keygrip
On Wed, 26 Jul 2017 08:52:12 +0200 Werner Koch wrote:

> There is a kludge in gpg and gpg-agent described in this comment:
> [...]

Hello Werner,

Thank you for the information and debug method. And hopefully this problem will be fixed sometime in the near future.

My brain is old and tired and it can't just commit to yet another unique password of any decent quality. The sharing of passwords between different keys becomes inevitable after a certain threshold. And I suspect for everyone, not just old people. And the gpg-agent just isn't dealing with this situation in an acceptable way.

-- 
Sinceramente / Best regards,
Mário J.G.P. Figueiredo
Luanda, Angola
(email) mar...@gmx.com
(alt) kru...@openmailbox.org
(phone) +244 934 535 121
gpg-agent cache keygrip
Hello everyone,

I've been trying to understand gpg-agent cache behavior in the presence of two distinct keys with the same passphrase. Namely, why is it that it only asks for the passphrase once, regardless of the key being used?

So I've read the Assuan protocol documentation at (1), in particular the text in the linked page and the descriptions for PRESET_PASSPHRASE and GET_PASSPHRASE. But it isn't getting me any closer to understanding this behavior, because from my own interpretation, it enters into contradiction with what I am experiencing.

I would normally expect the gpg-agent cache to operate on a per-key basis, regardless of passphrase. And this is precisely what the description for the keygrip in the Assuan protocol seems to indicate. However, that is not what happens, and gpg-agent seems to ignore the key being used and instead reuse the previously used passphrase from another key, which just happens to be the same passphrase for the new key.

Is this a bug, or expected behavior? And if the latter, what is the rationale for it? Since it seems to only worsen an already weak decision security-wise, which is to choose the same passphrase for two distinct keys.

(1) https://www.gnupg.org/documentation/manuals/gnupg/Agent-Protocol.html#Agent-Protocol

-- 
Sinceramente / Best regards,
Mário J.G.P. Figueiredo
Luanda, Angola
(email) mar...@gmx.com
(alt) kru...@openmailbox.org
(phone) +244 934 535 121
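As an added shell example that is not from the thread, one way to observe the per-keygrip cache state the question asks about: gpg-connect-agent's KEYINFO --LIST answer carries a "cached" field for every private key, and this script parses those status lines. The field order is taken from the Agent protocol manual linked above; the sample lines and keygrips are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): report which private keys currently
# have their passphrase in the gpg-agent cache, keyed by keygrip.
# Assumed line shape (Agent protocol manual, KEYINFO):
#   S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> ...
# where <cached> is "1" when the passphrase is cached and "-" otherwise.
set -e

# Read KEYINFO status lines on stdin; print "<keygrip> cached" or
# "<keygrip> not-cached" per key. Any other line (e.g. the final OK) is skipped.
report_cache_state() {
    while read -r s kw grip ktype serial idstr cached rest; do
        [ "$s" = "S" ] && [ "$kw" = "KEYINFO" ] || continue
        if [ "$cached" = "1" ]; then
            printf '%s cached\n' "$grip"
        else
            printf '%s not-cached\n' "$grip"
        fi
    done
}

# Number of keys whose passphrase is currently cached (0 when none).
count_cached() {
    report_cache_state | grep -c ' cached$' || true
}

# Constructed sample in the shape gpg-connect-agent prints: two
# passphrase-protected keys on disk, only the first one unlocked so far.
SAMPLE_KEYINFO='S KEYINFO 1111111111111111111111111111111111111111 D - - 1 P - - -
S KEYINFO 2222222222222222222222222222222222222222 D - - - P - - -
OK'

# Live usage, after unlocking one of two keys that share a passphrase:
#   gpg-connect-agent 'KEYINFO --LIST' /bye | report_cache_state
# If the second keygrip is reported as cached too, the agent reused the
# passphrase across keys, which is the behaviour described in the message.
```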