Re: send-keys does not update my key
> On 14 Feb 2017, at 19:53, Kristian Fiskerstrand <kristian.fiskerstr...@sumptuouscapital.com> wrote:
>
> Trust level is not a property of the public key, it is stored out of
> band (in the local trustdb)

Ah ok. Thanks.

Marko

---
Marko Bauhardt
https://keybase.io/mbauhardt
GPG Key ID: 53192101
GPG Fingerprint: DC0F E851 82A3 72E3 7FE1 ACDB 970C FD47 5319 2101

signature.asc
Description: Message signed with OpenPGP using GPGMail

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: send-keys does not update my key
Hi Peter,

> On 13 Feb 2017, at 12:16, Peter Lebbing <pe...@digitalbrains.com> wrote:
>
> An OpenPGP public key is composed of many parts which can be reordered
> without changing the meaning. Keyservers do reorder stuff, so you can't
> just compare two keys byte by byte and say anything useful about their
> equivalence.
>
> A command like
>
> $ gpg2 --list-options show-unusable-subkeys,show-unusable-uids --list-sigs [KEYID]
>
> gives a pretty good overview of a public key.

I tried that out with my two public key representations. There was a diff between the two keys. The trust level of my two IDs was `unknown` in the one public key and `ultimate` in the other key. Maybe this is the reason why the armor output is different. I mean, it makes sense when the key server changes the trust level of the given user-id to `unknown` while uploading.

> I've changed your e-mail address so web spam scrapers can't take it
> easily. ;)

Thx!

> If you see all the components there really are on your key
> reflected in this output, then the keyserver is already fully up to date
> and any further sending of your key will not change it any further.

This was the case except for the trust level.

> HTH,
>
> Peter.

Thank you. Very helpful.

Marko

---
Marko Bauhardt
https://keybase.io/mbauhardt
GPG Key ID: 53192101
GPG Fingerprint: DC0F E851 82A3 72E3 7FE1 ACDB 970C FD47 5319 2101
Re: send-keys does not update my key
> > Signed PGP part
> You can add signatures, user-ids, subkeys, etc. to a key that is
> already on the server. But you cannot delete anything from it.

Sure, understood. But this does not answer the question I have: why can I not upload my current local GPG public key to a key server? Again, I get no error message while sending the key, everything looks good. But the key will not change online. The representation online will stay the same.

---
Marko Bauhardt
https://keybase.io/mbauhardt
GPG Key ID: 53192101
GPG Fingerprint: DC0F E851 82A3 72E3 7FE1 ACDB 970C FD47 5319 2101
Re: content of private-keys-v1.d
Hi,

> > gnupg/agent/keyformat.txt

You mean here: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob_plain;f=agent/keyformat.txt ? The part I'm interested in should be this, right?

{quote}
** Shadowed Private Key Format

To keep track of keys stored on IC cards we use a third format for private keys which are called shadow keys as they are only a reference to keys stored on a token:

(shadowed-private-key
  (rsa
    (n #00e0ce9..[some bytes not shown]..51#)
    (e #010001#)
    (shadowed protocol (info))
  )
  (uri http://foo.bar x-foo:whatever_you_want)
  (comment whatever)
)

The currently used protocol is "ti-v1" (token info version 1). The second list with the information has this layout:

(card_serial_number id_string_of_key fixed_pin_length)

FIXED_PIN_LENGTH is optional. It can be used to store the length of the PIN; a value of 0 indicates that this information is not available. The rationale for this field is that some pinpad equipped readers don't allow passing a variable length PIN.

More items may be added to the list.
{quote}

With this example

{quote}
Key: (shadowed-private-key
  (rsa
    (n [...])
    (e #00010001#)
    (shadowed t1-v1 (#D2760001240102051173# OPENPGP.1))))
{quote}

> Salam-Shalom,
>
> Werner
>
> --
> Thoughts are free. Exceptions are governed by a federal law.

---
Marko Bauhardt
marko.bauha...@mailbox.org
GPG Key ID: 53192101
GPG Fingerprint: DC0F E851 82A3 72E3 7FE1 ACDB 970C FD47 5319 2101
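The question running through this thread is whether the file that appears in `private-keys-v1.d` for a smart-card key carries anything usable without the card. The following added example (not GnuPG's code) reads the S-expression formats quoted above from keyformat.txt and reports what a key file actually contains: a `shadowed-private-key` stub holds only the public parameters plus a card reference, while a `private-key` carries the secret parameters in the clear and a `protected-private-key` carries them encrypted. Both the `Key:` header layout of gpg 2.1+ and the bare canonical S-expression that gpg 2.0 writes are accepted. The modulus, card serial and key values in the samples are constructed placeholders.

```python
"""Classify a gpg-agent key file from private-keys-v1.d.

Added example, not GnuPG code. It parses the S-expression formats that
agent/keyformat.txt documents: a 'shadowed-private-key' stub (reference to
a key on a token), a 'protected-private-key' (encrypted on disk) and an
unprotected 'private-key'.
"""
import re

SECRET_FIELDS = ("d", "p", "q", "u", "x")   # RSA / DSA / ECC secret scalars


def parse_sexp(data: bytes):
    """Parse one S-expression (advanced or canonical form) into nested lists.

    Atoms come back as bytes: '#..#' atoms are hex-decoded, canonical
    'N:raw' atoms are the raw octets, bare tokens are returned as-is."""
    pos = 0

    def skip_ws():
        nonlocal pos
        while pos < len(data) and data[pos] in b" \t\r\n":
            pos += 1

    def atom():
        nonlocal pos
        if data[pos:pos + 1] == b"#":
            end = data.index(b"#", pos + 1)
            raw = bytes.fromhex(re.sub(rb"\s", b"", data[pos + 1:end]).decode())
            pos = end + 1
            return raw
        m = re.match(rb"(\d+):", data[pos:])
        if m:                                   # canonical length-prefixed atom
            n = int(m.group(1))
            pos += m.end()
            raw = data[pos:pos + n]
            pos += n
            return raw
        m = re.match(rb"[^\s()#]+", data[pos:])
        if not m:
            raise ValueError(f"bad S-expression at offset {pos}")
        pos += m.end()
        return m.group(0)

    def expr():
        nonlocal pos
        skip_ws()
        if data[pos:pos + 1] != b"(":
            return atom()
        pos += 1
        items = []
        while True:
            skip_ws()
            if data[pos:pos + 1] == b")":
                pos += 1
                return items
            items.append(expr())

    return expr()


def extract_sexp(data: bytes) -> bytes:
    """Return the S-expression text from a key file in either on-disk layout."""
    if data.lstrip().startswith(b"("):
        return data                             # bare canonical S-expression (gpg 2.0)
    idx = data.find(b"Key:")
    if idx < 0:
        raise ValueError("no Key: header and no bare S-expression")
    return data[idx + 4:]                       # the parser stops at the matching ')'


def classify_key_file(data: bytes) -> dict:
    """Describe what a private-keys-v1.d file really contains."""
    sexp = parse_sexp(extract_sexp(data))
    kind = sexp[0].decode()
    algo = sexp[1]                              # e.g. [b"rsa", [b"n", ...], [b"e", ...], ...]
    fields = {item[0].decode(): item[1:] for item in algo[1:]}
    info = {"kind": kind, "algo": algo[0].decode(),
            "secret_fields": [f for f in SECRET_FIELDS if f in fields],
            "material_on_disk": kind != "shadowed-private-key"}
    if kind == "shadowed-private-key":          # only a pointer to the card key
        proto, ref = fields["shadowed"]
        info.update(protocol=proto.decode(),
                    card_serial=ref[0].hex().upper(),
                    card_key=ref[1].decode())
    return info


# Constructed sample stub in the 2.1+ layout; modulus and serial are placeholders.
SHADOW_STUB = b"""Created: 20170208T101700
Key: (shadowed-private-key
  (rsa
    (n #00A1B2C3D4E5F60718293A4B5C6D7E8F#)
    (e #010001#)
    (shadowed ti-v1
      (#D2760001240102050006000012340000# OPENPGP.1))))
"""

# Constructed unprotected key in the canonical form gpg 2.0 writes (toy numbers).
PLAIN_KEY = (b"(11:private-key(3:rsa(1:n4:\x00\xc1\xd2\xe3)(1:e3:\x01\x00\x01)"
             b"(1:d4:\x00\x0a\x0b\x0c)(1:p2:\x0d\x0e)(1:q2:\x0f\x10)(1:u2:\x11\x12)))")

if __name__ == "__main__":
    for name, blob in (("stub", SHADOW_STUB), ("plain", PLAIN_KEY)):
        print(name, classify_key_file(blob))
```

Run it over every file in `~/.gnupg/private-keys-v1.d` and anything reporting `material_on_disk: True` is a key that lives on the machine, regardless of whether a card also exists. A stub reports the card serial and the slot name (`OPENPGP.1` here), which is all gpg-agent needs to route the operation to scdaemon; an attacker who copies the stub gets nothing beyond the public key.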
Re: content of private-keys-v1.d
> I don't think it has really been documented. I guess the source code *is* the
> documentation. ;).

Understand, hehe. Thanks a lot for all your answers!

Marko
Re: content of private-keys-v1.d
> On 08 Feb 2017, at 10:17, Damien Goutte-Gattat <dgouttegat...@incenp.org> wrote:
>
> Even when your private keys are stored on a smartcard, you would still have a
> corresponding file in the private-keys-v1.d directory. But this file is only
> a "stub", that is, it only tells GnuPG that the actual key material is stored
> on a smart card.

You mean that this "stub" contains no information which can be used to sign/decrypt/authenticate? Or in other words, in case someone steals this key, he/she can do nothing with that particular key, only in case the GPG key is located on a smartcard? But if the key is not on the smart card, this corresponding key can be used to sign/enc/auth?

I can not really find some detailed documentation of the `private-keys-v1.d` folder. Do you have some docu?

thx
Marko

---
Marko Bauhardt
marko.bauha...@mailbox.org
GPG Key ID: 53192101
GPG Fingerprint: DC0F E851 82A3 72E3 7FE1 ACDB 970C FD47 5319 2101
Re: effect of revuid
> On 04 Feb 2017, at 03:43, Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote:
>
> revuid does not delete a User ID, it revokes a user ID. On a typical
> OpenPGP certificate, a revoked User ID is still present, but it is
> marked clearly and verifiably as having been revoked.

Ok. Thanks.

> Note that if you just do your revocation locally and don't find a way to
> get it to your correspondents (e.g. by publishing to the keyservers, and
> hoping that they all refresh regularly) then no one will know about it,
> and from their point of view the User ID will not be revoked.

Sure. Got it.

> The primary key and its subkeys are still valid, yes. If you revoke the
> last User ID, then arguably a cleaned version of your certificate
> (without any User IDs) will not be considered a valid "transferable
> public key" because it will have no User ID associated.

Oki thx.

> even if your certificate as a whole is explicitly revoked, the
> mathematical object that is the secret key still exists, and can still
> perform whatever operations you require of it. So yes, you should be
> able to decrypt anything encrypted to any secret key you hold,
> regardless of whether the certificates that contain those keys are
> valid, revoked, expired, or whatever.

Nice. This is an important answer.

> make sense?

Yes, totally. Thx for the explanation.

---
Marko Bauhardt
marko.bauha...@mailbox.org
Key ID: 53192101
Fingerprint: DC0F E851 82A3 72E3 7FE1 ACDB 970C FD47 5319 2101
content of private-keys-v1.d
Hi,

I'm using GPG 2.0.30 on osx. My goal is to not save any private key on any machine I'm using. So I bought me a smart card (yubikey) to save my private keys there. I have 3 keys, sign/encrypt/auth. Everything works so far.

I'm using the gpg-agent to use my authentication subkey from my yubikey to login on a ssh machine. It works also. But in this case a new key is generated under `gnupg/private-keys-v1.d`.

My question is: what kind of key is this and what is that key used for? The folder name `private-keys-v1.d` sounds like it stores keys from GPG version 1.x. But I'm using 2.0.x. Any comments about this folder?

As I said before, I want to not save any key on my machine. And for now I'm not sure if I reach this goal because this new key sounds like it is a private key.

Thanks
Marko

---
Marko Bauhardt
marko.bauha...@mailbox.org
Key ID: 53192101
Fingerprint: DC0F E851 82A3 72E3 7FE1 ACDB 970C FD47 5319 2101
effect of revuid
Hi,

what is the effect when I delete a UID via `revuid` from a given key? My key is still valid, right? The UIDs are only bound to a given key and can be exchanged as much as I want, right? Or are there some more effects?

The only effects I see are:

* someone can not send an encrypted email to this email with that specific key
* I can not send signed messages with that email and specific key

Can I still decrypt emails with my key sent to this revoked email?

thx
marko

---
Marko Bauhardt
marko.bauha...@mailbox.org
PGP Key ID: 53192101
PGP Fingerprint: DC0F E851 82A3 72E3 7FE1 ACDB 970C FD47 5319 2101
Re: Expired GPG key for ssh authentication
> On 29 Jan 2017, at 15:18, Andrew Gallagher <andr...@andrewg.com> wrote:
>
> > On 29 Jan 2017, at 10:39, Marko Bauhardt <marko.bauha...@mailbox.org> wrote:
> >
> >> Now one year later. My ssh subkey is expired. But i'm still able to login
> >> into my ssh-server.
> >> My assumption was that i can use this subkey only if this key is valid. Is
> >> the expired key working because i'm using the ssh-agent instead of the
> >> gpg-agent?
>
> It is still working because the remote ssh server has no concept of key
> expiry. When you converted your auth subkey to ssh format you stripped all
> the expiry info from it. (There is the related problem of your client
> offering the expired key to the server, but this is relatively harmless).
>
> If you want your ssh key to stop working when the auth subkey expires, you
> need to make sure to run monkeysphere on a regular basis (cron) on the remote
> server, to refresh the authorized_keys and thereby overwrite any ssh keys
> associated with expired pgp keys. Ssh keys themselves do not expire.
>
> See: http://web.monkeysphere.info/doc/ssh-user-authentication/

Thank you Andrew. Makes sense.

Marko
Expired GPG key for ssh authentication
Hi,

I'm using gpg 2.0.30. I have a keyring which contains a subkey which is there for authentication only. I'm using `monkeysphere s` to add this key to my ssh-agent, and `ssh-add -L` to get the public ssh key representation, to be able to add the key to my `.ssh/authorized_keys` file on the server. Everything works.

But I configured my subkey to expire after one year. Now, one year later, my ssh subkey is expired. But I'm still able to login into my ssh-server. My assumption was that I can use this subkey only if this key is valid. Is the expired key working because I'm using the ssh-agent instead of the gpg-agent?

Any idea or comment?

---
Marko Bauhardt
marko.bauha...@mailbox.org
Key ID: 53192101
Fingerprint: DC0F E851 82A3 72E3 7FE1 ACDB 970C FD47 5319 2101
Re: using an expired GPG key with ssh
>> I know that. But i saw not really an advantage to using the gpg agent,
>> except of the using of TTL's for keys i want to add.
>> What are your points to use the gpg-agent instead the ssh-agent?
>
> Using (or trying to setup) gpg-agent as a replacement for ssh-agent is
> just based on one idea: if you deal with gpg-keys, have the "original"
> application handle all key-related stuff, it was designed for doing so.
> If nothing else interferes, less errors should occur and less attack
> surface is presented. It merely is intuition, not science.

Makes total sense. I will try that out.

Marko

--
Marko Bauhardt
marko.bauha...@mailbox.org
Please protect my and your privacy, use PGP
Key ID: 53192101
Fingerprint: DC0F E851 82A3 72E3 7FE1 ACDB 970C FD47 5319 2101
Re: using an expired GPG key with ssh
>> But the question i have is, will `ssh-add` or `monkeysphere
>> subkey-to-ssh-agent` will fail when my GPG subkey is expired?
>
> Quote (using nroff):
> The monkeysphere commands work from a set of user IDs to deter‐
> mine acceptable keys for ssh and TLS authentication. OpenPGP
> keys are considered acceptable if the following criteria are met:
> The key must have the 'authentication' ('a') usage flag set. The
> key itself must be valid, i.e. it must be well‐formed, not ex‐
> pired, and not revoked. The relevant user ID must be signed by a
> trusted identity certifier.

Thanks. This is what I searched for. I should read the manual more precisely ;)

> According to the gnupg.info manual it is possible to use the gpg.agent
> "as a drop-in replacement" for the ssh-agent (and I'd prefer doing
> that)

I know that. But I did not really see an advantage to using the gpg-agent, except for the use of TTLs for keys I want to add. What are your points for using the gpg-agent instead of the ssh-agent?

Thanks for your comments
Marko

--
Marko Bauhardt
marko.bauha...@mailbox.org
Please protect my and your privacy, use PGP
Key ID: 53192101
Fingerprint: DC0F E851 82A3 72E3 7FE1 ACDB 970C FD47 5319 2101
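Two things in this thread fit together: the monkeysphere acceptance rule quoted above (authentication flag set, key neither expired nor revoked) and Andrew Gallagher's point in the "Expired GPG key for ssh authentication" thread that an SSH server only ever sees a bare `authorized_keys` entry with no expiry, so something has to recompute the file periodically. The added example below (not monkeysphere's code) applies that rule to `gpg --with-colons --list-keys` output and rebuilds an `authorized_keys` list, dropping managed entries whose subkey is no longer acceptable while leaving unmanaged lines alone. The listing, the key IDs and the SSH key strings are constructed placeholders, and the `gpg-auth-subkey:` comment used to mark managed lines is an assumed convention for this example, not monkeysphere's.

```python
"""Re-derive which SSH keys may stay in authorized_keys from OpenPGP validity.

Added example, not monkeysphere code. It reproduces the acceptance rule from
the monkeysphere manual (auth flag set, not expired, not revoked) over
`gpg --with-colons --list-keys` output and rebuilds authorized_keys so
entries for subkeys that stopped being acceptable disappear.
"""

# gpg validity codes that disqualify a key: expired, revoked, invalid, disabled, never
BAD_VALIDITY = {"e", "r", "i", "d", "n"}
MANAGED_TAG = "gpg-auth-subkey:"   # assumed marker for lines this script owns


def parse_colons(text: str):
    """Yield every record of --with-colons output as a list of fields."""
    for line in text.splitlines():
        if line.strip():
            yield line.split(":")


def acceptable_auth_subkeys(colons: str, now: int) -> list:
    """Key IDs of subkeys that the quoted monkeysphere rule would still accept.

    Field 2 is the validity code, field 5 the key ID, field 7 the expiry as a
    Unix timestamp and field 12 the capability letters. Expiry is re-checked
    against `now` because the validity code only describes the moment gpg ran;
    a cron job calling this later must not trust a stale 'u'."""
    ok = []
    primary_ok = False
    for f in parse_colons(colons):
        if f[0] == "pub":
            primary_ok = f[1] not in BAD_VALIDITY     # a dead primary voids its subkeys
        elif f[0] == "sub" and primary_ok:
            validity, keyid, expires, caps = f[1], f[4], f[6], f[11]
            if "a" not in caps or validity in BAD_VALIDITY:
                continue
            if expires and int(expires) <= now:
                continue
            ok.append(keyid)
    return ok


def rebuild_authorized_keys(current: list, ssh_keys_by_id: dict, acceptable: list) -> list:
    """Keep unmanaged lines, drop all managed ones, re-add the acceptable subkeys."""
    kept = [line for line in current if MANAGED_TAG not in line]
    for keyid in acceptable:
        if keyid in ssh_keys_by_id:
            kept.append(f"{ssh_keys_by_id[keyid]} {MANAGED_TAG}{keyid}")
    return kept


# Constructed listing: one primary, four subkeys (expired auth, valid auth,
# encryption-only, revoked auth). IDs, timestamps and the uid are placeholders.
NOW = 1486000000   # 2017-02-02, the "current time" of this run
SAMPLE_COLONS = """\
tru::1:1486000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1452000000:::u:::scESC:
uid:u::::1452000000::0000000000000000000000000000000000000000::Example User <user@example.org>:
sub:e:4096:1:FEDCBA9876543210:1452000000:1483536000:::::a:
sub:u:4096:1:1111222233334444:1486000000:1517536000:::::a:
sub:u:4096:1:5555666677778888:1452000000::::::e:
sub:r:4096:1:9999AAAABBBBCCCC:1452000000::::::a:
"""

# What `ssh-add -L` would print for each auth subkey (placeholder strings).
SSH_KEYS = {
    "FEDCBA9876543210": "ssh-rsa AAAAB3NzaC1yc2E_OLD_PLACEHOLDER",
    "1111222233334444": "ssh-rsa AAAAB3NzaC1yc2E_NEW_PLACEHOLDER",
    "9999AAAABBBBCCCC": "ssh-rsa AAAAB3NzaC1yc2E_REVOKED_PLACEHOLDER",
}

# The server's file before the refresh: one static admin key, one stale managed entry.
CURRENT_AUTHORIZED_KEYS = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5_PLACEHOLDER admin@static",
    "ssh-rsa AAAAB3NzaC1yc2E_OLD_PLACEHOLDER gpg-auth-subkey:FEDCBA9876543210",
]

if __name__ == "__main__":
    ids = acceptable_auth_subkeys(SAMPLE_COLONS, NOW)
    for line in rebuild_authorized_keys(CURRENT_AUTHORIZED_KEYS, SSH_KEYS, ids):
        print(line)
```

The expired subkey disappears and the still-valid one is written in its place; running the same code with a later `now` (past 1517536000 in the sample) returns no acceptable subkeys even though gpg's validity column still says `u`, which is exactly why the refresh has to run from cron rather than once at setup.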
using an expired GPG key with ssh
Hi,

I plan to use my GPG authentication key to do a login via ssh onto my server. I tried monkeysphere to convert my GPG key to a ssh key, and adding the key to the ssh-agent. Everything works as expected.

But the question I have is: will `ssh-add` or `monkeysphere subkey-to-ssh-agent` fail when my GPG subkey is expired? Has anyone experience with GPG and ssh authentication? Should I use the gpg-agent instead of the ssh-agent?

Thanks
Marko

--
Marko Bauhardt
marko.bauha...@mailbox.org
Please protect my and your privacy, use PGP
Key ID: 53192101
Fingerprint: DC0F E851 82A3 72E3 7FE1 ACDB 970C FD47 5319 2101
Re: uploading subkeys
> You may use this notation to force the use of this subkey. However, an
> OpenPGP key(block) always consists of a primary key and optional ant
> number of subkeys.

Ok.

> The transfer format does only allow sending of
> entire OpenPGP key(block)s.

Ok, thx. This was not clear to me. Can you point me to some documentation about key blocks and primary key / subkey?

Thx
Marko
Re: uploading subkeys
> You can either upload the whole public set or none of it, you can't or
> at least I know of no way of uploading only the public part of the sub keys.

As far as I know it is possible to upload a sub key via the id of the sub key ending with the exclamation mark `!`. I mean, does it make sense to send the public key of my certification key as well to the key server? I assume that the public key for encryption and sign is enough.

> As for the keyserver, I recommend sks-keyservers.net[1], either
> hkp://pool.sks-keyservers.net or hkps://hkps.pool.sks-keyservers.net
> which you will need to have a GnuPG compiled with GnuTLS support and
> also the cert from the keyserver[2]
>
> [1]: https://sks-keyservers.net/
> [2]: https://sks-keyservers.net/overview-of-pools.php#pool_hkps

Ok, thanks.

marko
uploading subkeys
Hi,

I have a keyring which contains a master key for certification and 3 sub keys, one for encryption, one for sign and the third one for authentication. So my question is which key should I upload to a key server. I mean, should I upload the master key id via `gpg --send-key EMAIL` / `gpg --send-key MASTERKEY`, or should I send sub key after sub key, for example first the encryption key and after that the key for signing, via `gpg --send-key SUBKEY!`?

What is the difference between uploading the master key and uploading the sub keys separately? I have the feeling that it makes sense to share my public key for encryption and my public key for signing separately.

Which key server do you recommend to use?

Thx
Marko
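Two of the threads on this page come down to the same fact about the transfer format: a key block is one sequence of packets (primary key, user IDs, signatures, subkeys), `KEYID!` only selects a subkey for use and cannot ship it alone, and a keyserver may reorder those packets, so comparing a local export with the keyserver's copy (as Peter Lebbing advises in the "send-keys does not update my key" thread) has to be done component by component rather than byte by byte. The added example below (not GnuPG's code) implements the RFC 4880 packet framing, builds an order-independent multiset of a key block's components, diffs two blocks, and checks whether a stream has the shape of a transferable public key at all. Ownertrust never shows up here, which is the other answer in that thread: it lives in the local trustdb, not in the packets. The sample blocks are constructed from placeholder packet bodies; only the packet headers are real.

```python
"""Compare OpenPGP key blocks by their packets, ignoring packet order.

Added example, not GnuPG code. Implements the packet framing of RFC 4880
section 4.2 (old- and new-format headers), an order-independent component
view of a key block, and the transferable-public-key shape check of
section 11.1. Sample packet bodies are placeholders, not real key material.
"""
import hashlib
from collections import Counter

TAG_NAMES = {2: "signature", 6: "public-key", 13: "user-id",
             14: "public-subkey", 17: "user-attribute"}


def parse_packets(blob: bytes):
    """Yield (tag, body) for each packet in a binary (dearmored) packet stream."""
    i, n = 0, len(blob)
    while i < n:
        first = blob[i]
        if not first & 0x80:
            raise ValueError(f"offset {i}: 0x{first:02x} is not a packet header")
        i += 1
        if first & 0x40:                        # new-format header
            tag = first & 0x3F
            l1 = blob[i]
            i += 1
            if l1 < 192:
                length = l1
            elif l1 < 224:
                length = ((l1 - 192) << 8) + blob[i] + 192
                i += 1
            elif l1 == 255:
                length = int.from_bytes(blob[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths do not occur in key blocks")
        else:                                   # old-format header
            tag = (first >> 2) & 0x0F
            ltype = first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(blob[i:i + size], "big")
            i += size
        body = blob[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        i += length
        yield tag, body


def encode_packet(tag: int, body: bytes) -> bytes:
    """New-format header with a one-octet length; enough for the samples."""
    assert len(body) < 192
    return bytes([0xC0 | tag, len(body)]) + body


def components(blob: bytes) -> Counter:
    """Order-independent view: multiset of (packet type, truncated body hash)."""
    return Counter((TAG_NAMES.get(tag, f"tag-{tag}"),
                    hashlib.sha256(body).hexdigest()[:16])
                   for tag, body in parse_packets(blob))


def is_transferable(blob: bytes) -> bool:
    """Primary public-key packet first and at least one user ID (RFC 4880 11.1)."""
    tags = [tag for tag, _ in parse_packets(blob)]
    return bool(tags) and tags[0] == 6 and 13 in tags


def diff_keyblocks(local: bytes, remote: bytes):
    """Return (components missing on remote, components only the remote has)."""
    a, b = components(local), components(remote)
    return a - b, b - a


# Constructed sample packets: placeholder bodies, real framing.
PRIMARY = encode_packet(6, b"\x04" + b"\x11" * 20)
UID = encode_packet(13, b"Example User <user@example.org>")
SELFSIG = encode_packet(2, b"\x04\x13" + b"\x22" * 10)       # positive certification
OTHERSIG = encode_packet(2, b"\x04\x10" + b"\x33" * 10)      # someone else's certification
NEW_CERTSIG = encode_packet(2, b"\x04\x10" + b"\x55" * 10)   # certification added locally
SUBKEY = encode_packet(14, b"\x04" + b"\x44" * 20)
BINDSIG = encode_packet(2, b"\x04\x18" + b"\x66" * 10)       # subkey binding signature

LOCAL = PRIMARY + UID + SELFSIG + OTHERSIG + NEW_CERTSIG + SUBKEY + BINDSIG
# Keyserver copy: certifications under the uid reordered, the new one absent.
REMOTE = PRIMARY + UID + OTHERSIG + SELFSIG + SUBKEY + BINDSIG

if __name__ == "__main__":
    missing, extra = diff_keyblocks(LOCAL, REMOTE)
    print("missing on keyserver:", dict(missing))
    print("extra on keyserver:  ", dict(extra))
    print("subkey alone is transferable:", is_transferable(SUBKEY + BINDSIG))
```

On real data feed it `gpg --export KEYID` for the local side and the dearmored keyserver download for the remote side; an empty pair of Counters means the server already has every component and re-sending changes nothing, while entries in the first Counter are the packets a send would add (the server merges, it never deletes). `is_transferable` on a subkey packet plus its binding signature is false, which is the packet-level reason `--send-key SUBKEY!` still transmits the whole block.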