Re:
On Mon, Mar 21, 2022 at 04:08:29PM +0100, BruderB wrote:
> Yes, you do.
>
> On 21.03.22 at 12:04, Justin Speagle via Gnupg-users wrote:
> >
> > I need help
> > Sent from my iPhone

http://catb.org/~esr/faqs/smart-questions.html

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu

signature.asc
Description: PGP signature

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Key Management - BSI had send private key instead of public key
On Thu, Nov 18, 2021 at 02:15:53PM +0100, Rainer Fiebig via Gnupg-users wrote:
> On 18.11.21 at 13:27, Ineiev wrote:
> > On Thu, Nov 18, 2021 at 10:48:55AM +0100, Rainer Fiebig via Gnupg-users wrote:
> >> That's kind of a misconception: as English is a western germanic
> >> language it's not that German made its way into English but English is
> >> *based* on German.
> >
> > To be precise, not on German---it's based on the common ancestor.
> > Both English and German deviate considerably from it.
> >
> I guess that saves the day for some. I can almost hear the sigh of
> relief. ;)

:-)

https://en.wikipedia.org/wiki/The_Story_of_English if anyone finds this
interesting.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu

Re: Off-topic: standards for embedded signing of digital images?
On Thu, Sep 09, 2021 at 10:43:05AM +, Oli Kon via Gnupg-users wrote:
> On 2021-09-08 4:53 p.m., Mark H. Wood via Gnupg-users - gnupg-users@gnupg.org wrote:
> > I didn't know where else to turn, for folks who might be able to point
> > me at standards for or discussion of embedding crypto signatures in
> > image formats, to detect tampering with the image.
>
> There are no standards that I have ever heard about that would
> be specific to ~image~ files; so I would ask this:
>
> Which particular image file type (.jpg, .tiff, .png, .bmp, .psd...)
> are you interested in, and why is it not appropriate to simply
> consider such a file as another binary file that someone needs to
> digitally sign?

Formats: first of all .jpg, but really any image format that can bear
signature data.

Why are image files special? They aren't. For every type of
structured file, one must consider the structure of the file type in
order to insert a signature without disrupting the other content, to
identify the content which should be covered by the signature, and to
locate the signature data.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu

Off-topic: standards for embedded signing of digital images?
I didn't know where else to turn, for folks who might be able to point
me at standards for or discussion of embedding crypto signatures in
image formats, to detect tampering with the image.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu

Re: gpg-agent and X
On Fri, Mar 05, 2021 at 10:16:41AM +0100, Klaus Ethgen wrote:
> I have my setup depending strongly on gpg-agent. For this, I preseed
> some passphrases via pam_gnupg.
>
> While this setup works well on my Devuan machine, I have some troubles on
> the Gentoo one, that I don't get solved.
>
> When the agent is started when I login via xdm (wdm), the agent does
> never use X for displaying the pinentry. Even when `updatestartuptty` is
> issued afterwards. As I use gpg-card even not every time from the
> console, I need that to display a X pinentry (currently the qt one, gtk
> was preferred with gtk2 but the gtk3 one is horrible.)

The only thing I can think of to check is: have you selected
pinentry-qt5 using 'eselect'?

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu

Re: Thunderbird / Enigmail / Autocrypt
On Mon, Nov 23, 2020 at 07:08:12AM +0100, Matthias Apitz wrote:
> On Monday, November 23, 2020 at 03:03:54 a.m. +0100, Johan Wevers wrote:
>
> > On 22-11-2020 12:38, Juergen Bruckner via Gnupg-users wrote:
> >
> > > I don't understand why HTML in e-Mails is so important for some people.
> >
> > I agree on a personal level, but if you use your email also to
> > communicate with business users (usually using Outlook) it would be nice
> > to get their mails in a human readable format. Which requires,
> > unfortunately, usually html.
>
> For ages, humans have read mail in ASCII or UTF-8 text. Why do you think
> this is not a "human readable format"?
>
> HTML as e-mail (read carefully: as email, not as attachment) should be
> forbidden because most MUAs automatically fetch additional remote content
> which violates privacy and can fetch bad content into your system.
> You're warned.

I consider that Mutt gives me the best of both, when I configure it:

  auto_view text/html

and in .mailcap:

  text/html; \
    lynx -dump -force_html %s; \
    copiousoutput

The text is flattened. The result is sometimes ugly, but readable.
Attachments (such as images, or things purporting to be images) are
presented separately, and I can open them if I choose. (Or I can copy
them out and inspect them in other ways, if I'm suspicious. Examining
the un-rendered structure and content of some malicious messages can
be briefly entertaining.)

I would be mildly surprised to learn that my co-workers, outside of my
immediate workgroup, are even aware that I don't see their emails
rendered the way they do. And nobody has ever told me, "your message
looks funny," except an occasional comment that someone couldn't open
the "attachment" (meaning the PGP/MIME signature). Those stopped when
I got a corporate X.509 certificate and configured Mutt to use S/MIME
for internal mail.

Other console MUAs probably can do similar things when configured to
do so.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu

Re: keys require a user-id
On Wed, May 20, 2020 at 03:27:28PM -0700, Mark wrote:
> Did a bit more experimenting with it. You can have something only in
> the first name field but it has to be a minimum of 5 characters and the
> first one must be a letter. ..

*sigh*
https://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/

> On 5/20/2020 3:16 PM, Mark wrote:
> > It must be... With all the talk of "anonymous" keys I wanted to see if I
> > could create one with Kleopatra, especially since it says optional for
> > name.
> >
> > On 5/20/2020 12:27 AM, Andrew Gallagher wrote:
> >>> On 20 May 2020, at 06:32, Mark wrote:
> >>>
> >>> Just to test this out I tried creating a new key in Kleopatra with no
> >>> name and then with just a single name and it would not let me do it. It
> >>> had to have a first and at least a last initial.
> >> This must be a Kleopatra limitation. I have successfully created IDs
> >> consisting of a single word using the gpg command line.
> >>
> >> Such a limitation would be user-hostile, as there are people in some
> >> cultures who have only one name, the Indonesian dictator Suharto being one
> >> famous example.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu

Re: gmail smime, sends two messages one is not encrypted. Experience?
On Sun, Dec 08, 2019 at 10:38:43AM +0100, Uwe Brauer via Gnupg-users wrote:
> Now to the question s/mime versus gnupg.
>
> There are the following points which make s/mime easier.
>
>     1. Key generation. In s/mime you apply for a certificate and don't
>        have to generate the key by yourself.

Oh, I hope not. The point of asymmetric crypto is that you never,
ever, give your private key to anyone, even, *especially*, the CA.
The proper way to get an X.509 certificate is to generate a keypair,
keep the private key private, and send a CSR containing the public key
to the entity which will issue the certificate.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu

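Added example, not part of the original message: the key-generation flow described in the reply above, done with the `openssl` command line, with a check that the file sent to the CA carries only the public half. The file names `user.key` and `user.csr`, the subject, and the function names are assumptions made for this illustration.

```shell
#!/usr/bin/env bash
# Added example: create the key pair locally and give the CA only a CSR.
# File names and the subject are constructed placeholders.
set -eu

make_csr() {            # $1 = working directory, $2 = subject DN
    local dir="$1" subject="$2"
    # The private key is generated here and never leaves this machine.
    ( umask 077
      openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
          -out "$dir/user.key" 2>/dev/null )
    # The CSR holds the subject and the public key, signed with the private
    # key as proof of possession.
    openssl req -new -key "$dir/user.key" -subj "$subject" -out "$dir/user.csr"
}

csr_is_safe_to_send() { # $1 = working directory
    local dir="$1" csr_pub key_pub
    # 1. Well-formed CSR whose self-signature verifies.
    openssl req -in "$dir/user.csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    # 2. No private-key PEM block anywhere in the file about to be uploaded.
    if grep -q 'PRIVATE KEY' "$dir/user.csr"; then return 1; fi
    # 3. The public key in the CSR is the one belonging to our private key.
    csr_pub=$(openssl req -in "$dir/user.csr" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/user.key" -pubout)
    [ "$csr_pub" = "$key_pub" ]
}

demo_dir=$(mktemp -d)
make_csr "$demo_dir" "/CN=Example User/emailAddress=user@example.org"
if csr_is_safe_to_send "$demo_dir"; then
    echo "send $demo_dir/user.csr to the CA; keep user.key where it is"
fi
```
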
Re: gmail smime, sends two messages one is not encrypted. Experience?
On Sat, Dec 07, 2019 at 09:51:34PM +0100, Stefan Claas via Gnupg-users wrote:
> Juergen BRUCKNER wrote:
>
> > Hi Stefan
> >
> > That's not the approach PGP pursues.
> > PGP was, is and should continue to be decentralized in the future. It
> > was never really intended to validate identities in a wide circle, but
> > to secure communication, and - in parts - to ensure the integrity of
> > software.
>
> Well, the integrity of software can also be shown with a simple hash
> value posted, because I can not verify if the sig belongs to person
> xyz, even when he / she has a lot of fan sigs from people unknown to
> me.

Yes, if you trust that the page with the hash on it has not been
compromised. Once the bad guy is inside the site, changing the hash
is just as easy as replacing the software. Signatures depend on
material that is *not* in the same place with the signed object (if
we're doing it right) and thus can be verified from independent
sources.

Simple hashes can only detect simple failures. They have no value
against a careful adversary.

PKC, used properly, can raise the cost of compromise, by increasing
the number of places that the bad guy must break into and get out of
undetected. This is the electronic analog of a principle in physical
security: require the bad guy to spend time, make noise, and create a
visible mess, to increase his fear of being discovered to the point
that the expectation of winning is not worth the expectation of losing.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu

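Added example, not part of the original message: the difference the reply above describes, shown on a constructed download. It uses `openssl dgst` with an ECDSA key as a stand-in for an OpenPGP detached signature; the directories `site`, `signer` and `keyring`, the file names and the function names are assumptions made for this illustration.

```shell
#!/usr/bin/env bash
# Added example: a hash stored beside a download vs. a detached signature
# checked against a key obtained elsewhere. All names and data are constructed.
set -eu

file_hash() { openssl dgst -sha256 -r "$1" | cut -d' ' -f1; }

publish() {       # $1 = download site, $2 = signer's machine, $3 = verifier's keyring
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$2/signer.key" 2>/dev/null
    # The public key reaches the verifier by a path that is not the site.
    openssl pkey -in "$2/signer.key" -pubout -out "$3/signer.pub"
    printf 'release 1.0\n' > "$1/tool.tar"
    file_hash "$1/tool.tar" > "$1/tool.tar.sha256"
    openssl dgst -sha256 -sign "$2/signer.key" -out "$1/tool.tar.sig" "$1/tool.tar"
}

alter_site() {    # $1 = download site; models write access to the site only
    printf 'release 1.0, altered\n' > "$1/tool.tar"
    # The hash file sits next to the download, so it is rewritten just as easily.
    file_hash "$1/tool.tar" > "$1/tool.tar.sha256"
}

hash_check() {    # $1 = download site
    [ "$(file_hash "$1/tool.tar")" = "$(cat "$1/tool.tar.sha256")" ]
}

sig_check() {     # $1 = download site, $2 = verifier's keyring
    openssl dgst -sha256 -verify "$2/signer.pub" -signature "$1/tool.tar.sig" \
        "$1/tool.tar" 2>&1 | grep -q 'Verified OK'
}

report() { if "$@"; then echo "  $1: pass"; else echo "  $1: FAIL"; fi; }

w=$(mktemp -d); mkdir "$w/site" "$w/signer" "$w/keyring"
publish "$w/site" "$w/signer" "$w/keyring"
echo "original release:";  report hash_check "$w/site"; report sig_check "$w/site" "$w/keyring"
alter_site "$w/site"
echo "after site change:"; report hash_check "$w/site"; report sig_check "$w/site" "$w/keyring"
```

The hash check still passes after the site is altered because both inputs to it live on the site; the signature check fails because the old signature no longer matches and the signing key was never there.
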
Re: gmail smime, sends two messages one is not encrypted. Experience?
On Sat, Dec 07, 2019 at 08:59:16PM +0100, Stefan Claas via Gnupg-users wrote:
> Juergen Bruckner via Gnupg-users wrote:
>
> Hi Juergen,
>
> > This question is very easy to answer.
> >
> > S/MIME has some advantages over (Open)PGP.
> > One of them - the most important for the usual S/MIME users - is, that
> > S/MIME allows the uniquely identification of a communication partner,
> > which is only limitedly possible with PGP.
> >
> > In addition, educational institutions, such as universities, schools,
> > research networks etc., have their own internal CA, which keeps the
> > costs very manageable.
>
> Ah, o.k. with an own CA that make sense. However, I was also assuming
> that students may use their certs also for 'outside' comms, which then
> would require then that the other parties have always to import non-
> trusted root certs, which is not the case with commercial ones, obtained
> from globally trusted CAs.

Here, the University has a deal with an academic consortium to provide
cert.s chained back, ultimately, to a well-known commercial provider.
I just submit a CSR to a website, a globally-valid cert. is issued to
me in a few hours, and my department is not billed for anything. It's
probably cheaper than all the paperwork required to process a
requisition and chargeback.

We use this, not only for email, but for websites and other network
services, where there is no viable OpenPGP-based alternative. The
ability to issue email certificates was actually added later, when the
Powers That Be became increasingly concerned about phishing.

> > On 05.12.19 at 23:39, Stefan Claas via Gnupg-users wrote:
> > > Sorry, I can't help you but I do have a question, if you don't mind ...
> > >
> > > Why are the Students at the University don't use OpenPGP with Gmail
> > > via the free Mailvelope add-on for Firefox, Chrome? Wouldn't that be
> > > not cheaper instead of purchasing a whole lot of S/MIME certificates?

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu

Re: Future OpenPGP Support in Thunderbird
On Sat, Oct 12, 2019 at 10:13:59AM +0300, Teemu Likonen via Gnupg-users wrote:
> Philipp Klaus Krause [2019-10-08T15:34:28+02] wrote:
>
> > It would be really nice, if Thunderbird could add an option to use the
> > gpg key storage instead of its own, [...]
>
> I agree with that even though I have never really used Thunderbird.
>
> But using a custom key storage and implementation (or do they use
> Sequoia PGP library?) is an interesting choice in the world of Unix-like
> systems. It's pretty much the normal way elsewhere, though.
>
> PGP and GnuPG and the related communities have tried really hard to
> build a system based on person's long-term identity keys. All that web
> of trust thing relies on keys that are used relatively long time. But as
> we know this doesn't work for most people. People are really bad at
> maintaining long-term identity keys. I think this is the most important
> reason why other software just auto-generate "device keys" or
> "application keys" and exchange them. They just forget about the
> identity part and keys' usage in the long term. Change your phone or
> just reinstall the application and you'll have new keys. Keys come and
> go and it's perfectly normal.

That would be one of the reasons why I tend to avoid "other software".
My primary use-case is identity, not secrecy. I am not alone: quite a
few employers are at last discovering crypto signatures in their
efforts to combat spear-phishing, and spending quite a bit of money
and effort to deploy them. (I accept that most of them are using
S/MIME rather than OpenPGP, but that's a detail; identity is
important.)

> Thunderbird seems to be going to that direction and it is probably a
> good thing. From the mindset of crypto nerds (like us) or Unixy tool box
> this can be a barrier, obviously.

Humph, I was already grumpy about Mozilla products' insistence on
having their own insular X.509 store, meaning that I have to install
certificates twice (once for Firefox, again for *everything else*.)
Maybe there will be an add-on, so that those who care can choose to
integrate Thunderbird into their systems rather than having it still
standing off to one side haughtily awaiting special treatment.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu

Re: Essay on PGP as it is used today
On Mon, Jul 22, 2019 at 03:46:18PM +, Ryan McGinnis via Gnupg-users wrote:
>    [1]https://www.schneier.com/blog/archives/2018/05/details_on_a_ne.html
>
>    "3. Why is anyone using encrypted e-mail anymore, anyway? Reliably and
>    easily encrypting e-mail is an insurmountably hard problem for reasons
>    having nothing to do with today's announcement. If you need to
>    communicate securely, use Signal. If having Signal on your phone will
>    arouse suspicion, use WhatsApp."

Depends on your threat model. For mine, reliably and easily
encrypting email is almost absurdly simple:

1) Use PGP
2) Don't send secrets to people I don't trust to keep them.

Anyway, 99% of my PGP use is for the opposite of secrecy: I sign my
emails so that (if you care enough to install PGP) you can be highly
assured that they're from me.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu