Re: gpgsm 2.4.4 cannot import my p12 certificate (but I could in earlier versions)
>>> "EB" == Eva Bolten writes: Hi > Hi, > try the following: > Export the certificate from firefox or chrome into a new file and try > to import the certificate from that file with gpgsm. Thanks. Meanwhile I found out the culprit might have been a somehow outdated (and maybe corrupted pubring file. I deleted it, and re-copied the file from my external disk. Then everything worked as expected. Regards Uwe -- I strongly condemn Hamas heinous despicable pogroms/atrocities on Israel I strongly condemn Putin's war of aggression against Ukraine. I support to deliver weapons to Ukraine's military. I support the EU and NATO membership of Ukraine. smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
gpgsm 2.4.4 cannot import my p12 certificate (but I could in earlier versions)
Hi I upgraded yesterday from Ubuntu 16 to 24 and have now gpgsm 2.4.4 installed. I imported an official p12 certificate without any probblems into firefox and google chrome However when I run , | gpgsm --import Brauer.p12 ` Type the password, I recive --8<---cut here---start->8--- gpgsm: parse_bag_data(data.outerseqs): lvl=10 (_tlv_parser_next): Success - General error gpgsm: p12_parse(bag.data): @0053 lvl=10 _tlv_parser_next: Success - General error gpgsm: error parsing or decrypting the PKCS#12 file gpgsm: total number processed: 0 --8<---cut here---end--->8--- What can I do? This is an important certificate for me. -- I strongly condemn Hamas heinous despicable pogroms/atrocities on Israel I strongly condemn Putin's war of aggression against Ukraine. I support to deliver weapons to Ukraine's military. I support the EU and NATO membership of Ukraine. ___ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: passwords with UFT8 chars?
>>> "MA" == Matthias Apitz writes: > El día viernes, septiembre 02, 2022 a las 10:33:13a. m. +0200, Uwe Brauer via > Gnupg-users escribió: >> >> Hi >> >> Sorry for this elementary question, but I can't find an answer googling. >> >> Is it possible to have a password that contains UTF8 chars, like Arabic, >> Hebrew, Chinese or some IPA symbols??? That concerns also gpgsm > You can put whatever you want as password, also Russian in UTF-8. The > question is beeing able to key it in on any keyboard. Thanks, most of the distributions today come with a variety of keyboards for different input methods. To be on the very safe side you could save the password UFT8 in a password manager. -- I strongly condemn Putin's war of aggression against the Ukraine. I support to deliver weapons to Ukraine's military. I support the ban of Russia from SWIFT. I support the EU membership of the Ukraine. smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
passwords with UFT8 chars?
Hi Sorry for this elementary question, but I can't find an answer googling. Is it possible to have a password that contains UTF8 chars, like Arabic, Hebrew, Chinese or some IPA symbols??? That concerns also gpgsm Regards Uwe Brauer -- I strongly condemn Putin's war of aggression against the Ukraine. I support to deliver weapons to Ukraine's military. I support the ban of Russia from SWIFT. I support the EU membership of the Ukraine. ___ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: a bit off topic, how to find encrytped files (ransom attack)
>>> "JC" == Juergen Christoffel writes: > On Fri, Aug 05, 2022 at 05:45:53PM +0200, Uwe Brauer via Gnupg-users wrote: >> 1. just for the first very rough analysis what is a convenient command to >> get a list of files that have high entropy? > The first step might be to install tripwire and only check files, which > tripwire reports as changed. See "man tripwire" after installing it. Thanks very much! > Regarding your attempt to find candidate files: >> find . -iname '*.*' -follow -print -exec ent {} \; > Files don't need to have a dot in their name. But they might have unusual > characters in their names instead. So you might actually want to use > find -type f -print0 | xargs -0 ent Well thanks again, but this does not work as expected. I obtain , | Duplicate file name. | ent -- Calculate entropy of file. Call | with ent [options] [input-file] | | Options: -b Treat input as a stream of bits |-c Print occurrence counts |-f Fold upper to lower case letters |-t Terse output in CSV format |-u Print this message | | By John Walker |http://www.fourmilab.ch/ |January 28th, 2008 ` And adding and of these suggested options does not help > Tip: "man find" and "man xargs" describe what those zeroes mean. I try it. >> So I am not sure what is the best line, but the question boils down to >> this, anybody know enough sed or awk or whatsoever to tell me how ot filter >> the ent output? > Gentle suggestion: you'd need to learn such basic usage yourself, before > you rely on them as a tool. especially when attempting to secure your > systems. > Tips (for example): > https://www.amazon.de/Learning-Perl-Making-Things-Possible/dp/1492094951 or > https://www.amazon.de/Effective-awk-Programming-Universal-Processing/dp/1491904615 Thanks my encounters with perl were well unpleasant. I might, again, try to understand awk better. Uwe Brauer -- I strongly condemn Putin's war of aggression against the Ukraine. I support to deliver weapons to Ukraine's military. I support the ban of Russia from SWIFT. I support the EU membership of the Ukraine. smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: a bit off topic, how to find encrytped files (ransom attack)
>>> "RJHvG" == Robert J Hansen via Gnupg-users writes: >> 3. I could use the ent command which measure the entropy, high >> entropy is an indication of encryption (but jpg have also high >> entropy). However I should then study the distribution of each >> letter to be sure. > A JPEG *body* has high entropy. The JPEG *header* has very low > entropy. That's a relatively good way to spot container files: you > look for a low-entropy header followed by high-entropy data. Zip > files, tar.bz2 files, JPEG files, MPEG, the rest, they're all > detectable this way. > However, the output of a straight-up block cipher operating in any > modern mode (no ECB!) is going to be totally indistinguishable from a > random number generator for any reasonably-sized file. I see this can can very sophisticated very quickly, but 1. just for the first very rough analysis what is a convenient command to get a list of files that have high entropy? For example find . -iname '*.*' -follow -print -exec ent {} \; Displays to much information that is hard to follow, so I should filter it somehow like ent test.tex.gpg | Entropy = 7.997062 bits per byte. | that line could be candidate | | Optimum compression would reduce the size of this 64224 byte file by 0 percent | another candidate| | Monte Carlo value for Pi is 3.142376682 (error 0.02 percent) | last candidate | I also run Ent test.tex | Entropy = 5.133812 bits per byte. | candidate | | Optimum compression would reduce the size of this 214555 byte file by 35 percent | candidate | | Monte Carlo value for Pi is 3.999888140 (error 27.32 percent) | candidate | So I am not sure what is the best line, but the question boils down to this, anybody know enough sed or awk or whatsoever to tell me how ot filter the ent output? thanks Uwe Brauer -- I strongly condemn Putin's war of aggression against the Ukraine. I support to deliver weapons to Ukraine's military. I support the ban of Russia from SWIFT. I support the EU membership of the Ukraine. smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
a bit off topic, how to find encrytped files (ransom attack)
Hi I apologize for this message that can be a bit off topic. (I am on Ubuntu 16.04) How can I find say encrypted files in my home directory? The idea is to use some magic command together with the find command. I know 1. The file command will return for example for a gpg encrypted file file .authinfo.gpg .authinfo.gpg: PGP RSA encrypted 2. However for X509 file I obtain file test.p12 file.p12: data 3. I could use the ent command which measure the entropy, high entropy is an indication of encryption (but jpg have also high entropy). However I should then study the distribution of each letter to be sure. So is there any other way to run find and some other script to find suspicious files? Google is not really helpful Regards Uwe Brauer -- I strongly condemn Putin's war of aggression against the Ukraine. I support to deliver weapons to Ukraine's military. I support the ban of Russia from SWIFT. I support the EU membership of the Ukraine. ___ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
[SOLVED] (was: gpgsm "Encrypt failed" "Unusable public key: 53A51054BB68F7C3" root certificate missing?)
>>> "UBvG" == Uwe Brauer via Gnupg-users writes: > Hi > I am on Ubuntu 16.04 running > gpgsm (GnuPG) 2.1.11 > libgcrypt 1.6.5 > libksba 1.3.3-unknown > I am also a die hard user of emacs and use it for encrypting and > decrypting my mails. > I received a smime message from a colleague (with his public key > embedded of course). > When I tried to send him a smime encrypted and signed message I obtained > the lisp error: > Debugger entered--Lisp error: (epg-error "Encrypt failed" "Unusable public > key: 53A51054BB68F7C3") It turned out that I indeed needed root certificate AC_Sector_Publico.cer That I imported via gpgsm --import *.cer Then everything was fine. Sorry for the noise. Regards Uwe Brauer smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
gpgsm "Encrypt failed" "Unusable public key: 53A51054BB68F7C3" root certificate missing?
Hi I am on Ubuntu 16.04 running gpgsm (GnuPG) 2.1.11 libgcrypt 1.6.5 libksba 1.3.3-unknown I am also a die hard user of emacs and use it for encrypting and decrypting my mails. I received a smime message from a colleague (with his public key embedded of course). When I tried to send him a smime encrypted and signed message I obtained the lisp error: Debugger entered--Lisp error: (epg-error "Encrypt failed" "Unusable public key: 53A51054BB68F7C3") I suspect that the key was signed from an authority whose root certificate I don't posses. For example using thunderbird and opening his signed message, I see I also tried to run gpgsm -e -r aro...@ucm.es epg-bug.txt But I receive gpgsm: enabled debug flags: ipc gpgsm: can't encrypt to 'aro...@ucm.es': Ambiguous name secmem usage: 0/16384 bytes in 0 blocks I am not sure whether this connected, but I do have old certificates of this user. Any help would be strongly appreciated. Regards Uwe Brauer smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
gpgsm on mac (fink or ports)
Hi My main machine is a X1 running Ubuntu 16.04. I have to use a macbook as well for which I currently installed fink. I mostly signing and encrypting with smime and emacs+gpgsm work nicely on my Ubuntu machine. Does anybody know, whether I can install gpgsm on fink or ports? (Or homebrew as method of last resort?) Regards Uwe Brauer ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: root certificate for smime missing gpgconf --launch dirmngr
>>> "BM" == Brian Minton writes: > On Tue, Jun 09, 2020 at 09:40:25AM +0200, Bernhard Reiter wrote: >> If you trust a set of root certificates, like the ones shipped with your >> operating system or a different application, you could just import them all >> and mark them trusted. Of course you would need to sync this, if the set >> changes on updates. > I believe the original question was, how to allow gpg to automatically trust > the root certificates provided by the os or Thunderbird. Yes it was and I still don't know. > ___ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
root certificate for smime missing gpgconf --launch dirmngr
Hi I received a smime signed message, however it turns out that I cannot use it for encrypting my responsce Since > gpgsm: issuer certificate: #/CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE Is not found I have drmngr installed (Ubuntu 16.06) and run gpgconf --launch dirmngr However the root certificate is still not found. Thunderbird provides this certificate so I could install it manually. However I would prefer an automated solution. Any hints? Thanks and regards Uwe Brauer smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
root certificate for smime missing gpgconf --launch dirmngr
Hi I received a smime signed message, however it turns out that I cannot use it for encrypting my responsce Since > gpgsm: issuer certificate: #/CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE Is not found I have drmngr installed (Ubuntu 16.06) and run gpgconf --launch dirmngr However the root certificate is still not found. Thunderbird provides this certificate so I could install it manually. However I would prefer an automated solution. Any hints? Thanks and regards Uwe Brauer ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gmail smime, sends two messages one is not encrypted. Experience?
>>> "MHWvG" == Mark H Wood via Gnupg-users writes: > On Sun, Dec 08, 2019 at 10:38:43AM +0100, Uwe Brauer via Gnupg-users wrote: >> Now to the question s/mime versus gnupg. >> >> There are the following points which make s/mime easier. >> >> 1. Key generation. In s/mime you apply for a certificate and don't >> have to generate the key by yourself. > Oh, I hope not. The point of asymmetric crypto is that you never, > ever, give your private key to anyone, even, *especially*, the CA. > The proper way to get an X.509 certificate is to generate a keypair, > keep the private key private, and send a CSR containing the public key > to the entity which will issue the certificate. Ah, sorry for the sloppy formulation. You are completely right. The process is, usually[1], as follows 1. For example using Comodo, you apply for a certificate. 2. Your keypair is generated by your own crypt module of the browser (quite some time ago I had a look at the corresponding javascript and it did not look suspicious). 3. You receive a link via email, which you have to open with the same browser and the same computer and your keys get signed. However the user usually does not notice all these steps, and this is what I meant. In the case for pgp the user has to generate a keypair him/herself and believe me, for most users this is much more complicated than 'applying for a certicate in comodo'. Footnotes: [1] there is one exception https://www.actalis.it/products/certificates-for-secure-electronic-mail.aspx they really generate a keypair and send it to you, no kidding. That seems to me a mayor security breach, to say the least smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
[RESOLVED?] (was: [gmx+gmail])
>>> "JBvG" == Juergen Bruckner via Gnupg-users writes: Hell Juergen > Hello Uwe, > i use Gmail for business for a very long time and never had any issue > like that. You are not going to belive that. I deactivated the s/mime support of gmail's webinterface and even deleted the certificate. Then everything worked as expected. I suspect that this internal s/mime support decrypts the message and copies it in my folder, which is really bad. Unfortunately I cannot investigate this issue, since my university lacks experts in that matter. Regards Uwe smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gmail smime, sends two messages one is not encrypted. Experience?
> Uwe Brauer via Gnupg-users wrote: > Sorry, I can't help you but I do have a question, if you don't mind ... > Why are the Students at the University don't use OpenPGP with Gmail > via the free Mailvelope add-on for Firefox, Chrome? Wouldn't that be > not cheaper instead of purchasing a whole lot of S/MIME certificates? Well, first of all the university decided to use (as a understand, without charge) gmail services, since they could not effort to run their own server. Now to the question s/mime versus gnupg. There are the following points which make s/mime easier. 1. Key generation. In s/mime you apply for a certificate and don't have to generate the key by yourself. 2. Key interchange. This is in my experience the biggest problem for most users. In s/mime it is sufficient to send a sign message, it contains the public key of the sender (I don't want now to enter the technical details) 3. Software: if you use a proper MTA s/mime is usually included, while pgp is not, but a plugin has to be installed. If the user is using gmail's webinterface, which, unfortunately more and more users are doing, things get more complicated. You mentioned mailvelop, but again this is a plugin to be installed, while now gmail (at least for its business/academic suite) offers s/mime support natively. Last but not least, a lot of people in my university now posses a first class certificate anyhow, provided by the Spanish administration, which can be used for all sort of things, one of them to use it for encrypted emails. I hope that makes it clear why s/mime is preferred of pgp. Uwe Brauer smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
[gmx+gmail] (was: gmail smime, sends two messages one is not encrypted. Experience?)
>>> "UBvG" == Uwe Brauer via Gnupg-users writes: >>> "UBvG" == Uwe Brauer via Gnupg-users writes: >> Hi >> It seems to me a complete security breach. > I repeated the test with other gmail accounts, with emacs or > thunderbird, always I receive messages which are on signed but not > encrypted although I did enable both options. I am deeply worried. > Anybody with the same experience, or somebody who wants to run an > experiment with me. I extended my experiment: I sent message between a gmx and a gmail account, then everything was ok, encrypted was encrypted. Signed was signed, even for seamonkey/thunderbird, so the culprit are not the MTA, but it seems that gmail does something strange. I'd love to get some confirmation about this from somebody else. Uwe Brauer smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gmail smime, sends two messages one is not encrypted. Experience?
>>> "UBvG" == Uwe Brauer via Gnupg-users writes: > Hi > It seems to me a complete security breach. I repeated the test with other gmail accounts, with emacs or thunderbird, always I receive messages which are on signed but not encrypted although I did enable both options. I am deeply worried. Anybody with the same experience, or somebody who wants to run an experiment with me. Uwe Brauer smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
gmail smime, sends two messages one is not encrypted. Experience?
Hi This might be slightly off topic, but I would really appreciate some feedback. My university uses a special gmail service for academic institutions. Recently gmail provides smime support itself and this has been enabled by my university. Now comes the strange thing: I use smime mostly with emacs+gnus, sometimes with thunderbird. When I sent (with emacs or thunderbird) an encrypted+signed message [1], to a person in my university which whom I have interchanged the public key, since some time, *two* messages are sent, one 1. Is encrypted and signed 2. The other is only signed. Can somebody please confirm this strange behavior? Is this connected to the fact that my university enabled smime support? It seems to me a complete security breach. Regards Uwe Brauer Footnotes: [1] purely encrypted messages are rejected by the server ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: a new free smime service, but...
> MFPA via Gnupg-users wrote in <1171562612.20191022004056@my_localhost_AR>: > |On Sunday 20 October 2019 at 3:20:41 PM, in > |, Uwe Brauer via Gnupg-users wrote:- > | > |> I just found that > |> https://extrassl.actalis.it/portal/uapub/doProcess > | > |> Provides a free smime certificate. > ... > |> does somebody know whether there is a security > |> breach, the way this > |> certificate was generated? > | > |I'm no expert but their Certificate Policy reads to me that the > |private key is compromised right from the start. I think usually the > I think it is common that S/MIME and SSL certificates are > delivered via PKCS12, including the private key. You then seem to > extract the individual things like I think this is a severe security breach. The private key should never leave your computer. > $ openssl pkcs12 -in cert.p12 -out certpem.pem -clcerts -nodes > $ # Alternatively > $ openssl pkcs12 -in cert.p12 -out cert.pem -clcerts -nokeys > $ openssl pkcs12 -in cert.p12 -out key.pem -nocerts -nodes > |keys are generated on the subscriber's device and only the public key > |goes to the CA to be certified. > This is possible via CACert.org, at least still (out of money). > You create your local signing request, and the private key.pem never > leaves your own box: > $ openssl req -nodes -newkey rsa:4096 -keyout key.pem -out creq.pem > (Ensure all email addresses of desire are included in the web > form.) > Unfortunate that besides Comodo there seems no other provider of > free S/MIME certificates. You can only self-sign, and provide Comodo does not offer this any more. At the beginning of the year they reduced the smime cerificates validity from 1 year to 1 month, now they withdraw it all together. > a safe transport for a certificate to compare with. Which is why > PGP is so nice. Well yes sort of, but I can tell you from my own experience PGP is more for hackers while smime is not. I have convinced 6 of my friends to use smime, but only one to pgp. Self signed smime certificates are basically useless, because then you have to tell the other user either to install a root certificate or to trust the certificate, in which case smime looses its convenience (compared to pgp) smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: a new free smime service, but...
> Hi > On Sunday 20 October 2019 at 3:20:41 PM, in > , Uwe Brauer via Gnupg-users wrote:- > [...] > I'm no expert but their Certificate Policy reads to me that the > private key is compromised right from the start. I think usually the > keys are generated on the subscriber's device and only the public key > goes to the CA to be certified. > https://www.actalis.it/documenti-it/caact-free-s-mime-certificates-policy.aspx > 3.2.2 Proving possession of private key > The private cryptographic key corresponding to the public key > within the certificate is generated by the CA (with a suitable > algorithm, size, etc.) and subsequently sent to the subscriberin > PKCS#12 for-mat[PFX], via email, thereby insuring that the > subscriber does possess the private key.The password needed to > import the PKCS#12 file isprovided to the subscriber out-of-band > (via web), therefore protecting it from unwanted disclosure to > third parties. The CA does not retain such pass-word, so that the > legitimate subscriber –assuming that he/she keeps such password > confidential –remains the only person able to import the PKCS#12. Oops this is really bad. I should have read this. Thanks for pointing it out. I am wondering why they do such a bizarre thing? Maybe it is easier to implement? smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
a new free smime service, but...
Hi I just found that https://extrassl.actalis.it/portal/uapub/doProcess Provides a free smime certificate. However the process is strange. Usually in comodo, I generated the certificate with my browser, received an email with a link, which I had to open with the browser I applied the certificate. But this time not, I just obtained a pfx file which I could import, but does somebody know whether there is a security breach, the way this certificate was generated? Thanks Uwe Brauer smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
a new free smime service, but...
Hi I just found that https://extrassl.actalis.it/portal/uapub/doProcess Provides a free smime certificate. However the process is strange. Usually in comodo, I generated the certificate with my browser, received an email with a link, which I had to open with the browser I applied the certificate. But this time not, I just obtained a pfx file which I could import, but does somebody know whether there is a security breach, the way this certificate was generated? Thanks Uwe Brauer ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: missing root certificate, SMIME spanish government
>>> "WT" == Wolfgang Traylor writes: >> However given a cer file, how can I find out its fingerprint? > This command will show you the details of the certificates from the website[1] > you mentioned including its fingerprint: > openssl x509 -noout -text -fingerprint -inform DER -in downloaded_key_file.cer Thanks > Or you import the key with `gpgsm --import file.cer` and look in the list of > `gpgsm --list-keys`. Well but if I import the key, then I don't need to add it to the trustedlist file smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
missing root certificate, SMIME spanish government
Hi I am not sure that my email arrived via gmane. I received an smime signed email from a colleague. It contains a public key from https://www.sede.fnmt.gob.es/descargas/certificados-raiz-de-la-fnmt Basically the Spanish government. I installed all its root certificates in /usr/share/ca-certificates/Spain And run sudo dpkg-reconfigure ca-certificates However when I run gpgsm --encrypt -r 0xC575B0D4 test.txt I obtain pgsm: issuer certificate {B1D44FC42379FA440509C6EB39CFE835B0B82064} not found using authorityKeyIdentifier gpgsm: looking up issuer from the Dirmngr cache gpgsm: DBG: chan_5 -> LOOKUP --cache-only #/CN=AC%20FNMT%20Usuarios,OU=Ceres,O=FNMT-RCM,C=ES gpgsm: DBG: chan_5 <- ERR 167772187 Not found gpgsm: number of matching certificates: 0 gpgsm: dirmngr cache-only key lookup failed: Not found gpgsm: looking up issuer at external location gpgsm: DBG: chan_5 -> LOOKUP /CN=AC%20FNMT%20Usuarios,OU=Ceres,O=FNMT-RCM,C=ES gpgsm: DBG: chan_5 <- ERR 167772187 Not found gpgsm: number of issuers matching: 0 gpgsm: external key lookup failed: Not found gpgsm: issuer certificate not found gpgsm: issuer certificate: #/CN=AC FNMT Usuarios,OU=Ceres,O=FNMT-RCM,C=ES gpgsm: validation model used: shell gpgsm: can't encrypt to '0xC575B0D4': Missing issuer certificate secmem usage: 0/16384 bytes in 0 blocks BTW encryption with that public key works in Thunderbird, and I looked up its root certificate, I can't see anything I don't have I start to be desperate, what do I miss? Thanks Uwe Brauer smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: can't encrypt with public key from sectigo (former comodo)
Sent from my iPhone > On 6. Feb 2019, at 18:03, Ingo Klöcker wrote: > > Add the CA certifcate of Sectigo to ~/.gnupg/trustlist.txt My problem was I did not know where to find that CA certificate! Pointers are welcome. Finally I solved it as I described in a different message. smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
can't encrypt with public key from sectigo (former comodo)
I have used certificates from comodo since almost 10 years, without any problems. Now they changed their name to sectigo. I just received a public key from somebody, who obtained 2 days ago a certificate from them. With this certificate: Encrypting and signing still works in thunderbird But I tried the following in the command line gpgsm --encrypt -r 0xCC6EDB92 epg-error.txt And obtain gpgsm: Note: non-critical certificate policy not allowed gpgsm: dirmngr cache-only key lookup failed: Not found gpgsm: issuer certificate {09C0F2FC0BDA94DB5FFE2BDFA89942CFC9E0AD00} not found using authorityKeyIdentifier gpgsm: dirmngr cache-only key lookup failed: Not found gpgsm: issuer certificate not found gpgsm: issuer certificate: #/CN=Sectigo RSA Client Authentication and Secure Email CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB gpgsm: can't encrypt to '0xCC6EDB92': Missing issuer certificate How can I solve that issue? Thanks Uwe Brauer smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
gpgsm 2 valid certificates
Hi I now posses 2 valid X509 certifcates for the same email address. In thunderbird I can import them both and select which I want to use. I hesitate to import the second one to gpgsm since it is not clear to me which will then be chosen by gnus/emacs/epa. I will also ask in the emacs mailing list Thanks Uwe Brauer ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Vulnerable clients
Sorry for this possible double posting. I am usually using gmane, but I don't see my mail appearing so I resend it to the list, to which I subscribed now. > On Tue, 15 May 2018 03:31, je...@seibercom.net said: > My conclusion is that S/MIME is vulnerable in most clients with the > exception of The Bat!, Kmail, Claws, Mutt and Horde IMP. I take the > requirement for a user consent as non-vulnerable. Most of the > non-vulnerable clients use GnuPG as their engine. Well what's about GNU emacs(+gnus/vm/rmail)? I asked in the emacs dev list and the default is to block external HTML images. This client(s) is not mentioned, I presume the authors consider it as being too *hackerish*, but it would be worthwhile to find out that with the blocking I mentioned, GNU emacs is in fact not vulnerable. > For OpenPGP I see lots of no and only a few vulnerable clients: Support > for Outlook 2007 has long been dropped and Gpg4win/GpgOL gives a big > warning when you try to use it with OL2007. All other Outlook versions > are not vulnerable. The case for Thunderbird/Enigmail is not that clear > because the researcher confirmed that Enigmail 2.0 is in general not > vulnerable; we don't know which version of Enigmail was tested. I don't > know Postbox, Apple mailers or Horde IMP. I presume the same is true for gnupg+ GNU emacs(+gnus/vm/rmail). BTW: RMS asked on the emacs devel list whether, and I quote, , | If you allow a mail user agent to render HTML for you, you expose | yourself to various kinds of surveillance and swindles. Now, it seems, | one of those might be a decryption exploit. | | Does the exploit depend on Javascript code that the MUI will execute? `---- Any comments? Thanks Uwe Brauer smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
the .gnupg directory and fuse.encfs a problem
Hi I am on Kubuntu 10.04/ I have my .gnupg directory in the directory $HOME/init_files And set a symbolic link to the home directory. Everything works fine. In an attack of «paranoia» I thought this is not save. So I created a directory, using cryptkeeper which is mounted using fuse.encfs Mount gives encfs on /home/oub/ALLES/init_files/cryptstuff type fuse.encfs (rw,nosuid,nodev,default_permissions,user=oub) I then did rsync -auvz /home/oub/ALLES/init_files/.gnupg /home/oub/ALLES/init_files/cryptstuff/.gnupg And changed the symbolic link But then when I did gpgsm --list-keys I obtained gpgsm: lock not made: link() failed: Operation not permitted So what is the problem? Thanks Uwe Brauer ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: default (secret) key for gpg
Werner == Werner Koch w...@gnupg.org writes: (setq mml2015-signer 0x65AD077A) The correct setting is (setq mml2015-signers (list 0x65AD077A)) Just in case smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: pgp export private key with password
David == David Shaw ds...@jabberwocky.com writes: However it seems that the application expects for some reason another a password during the import process. Interesting. I wonder why it does that - perhaps it stores the key unencrypted internally? What happens if you provide your regular key passphrase to the app on import? It does not work. It seems that the only possibility is to edit my key, delete the password and import. However I don't know yet how the private key is protected within the application.. I am still discussing with the author. Uwe smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: RFC3156: application/pgp-keys support enigmail, gnus etc
Daniel == Daniel Kahn Gillmor d...@fifthhorseman.net writes: Hi Uwe-- I just implemented such a feature for gnus in Xemacs, but it seems that enigmail does not recognise the key! Does anybody know whether other MUA support this format? This seems like a question you'd want to ask the MUAs themselsves. when you say enigmail does not recognize the key, how did you test it? in icedove+enigmail 1.6, if i right-click on an attachment that is of type application/pgp-keys, i get a menu option Import OpenPGP Key, which seems like it does what you would want to do with an e-mailed key. Ok I tested it now with seamonkey 2.21 (or TB 17) +enigmail 1.6 and it works as you described. I think at home I am running TB11+enigmail 1.4, so I will upgrade. Thanks. Uwe smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
old pgp2.6x keys imported in gpg (compile pgp 2.6)
Hello I have a problem to import my secret key into a iOS app called iPGmail. The problem is that of course the key is password protected and the app seem to have difficulties with the password. So I just deleted the password and then can import the secret key, but I don't like this possibility and so I deleted my key. The cipher for the key protection is CAST5 However the key was originally generated with pgp 2.6.2 more than 10 years ago (yes I know it is only 1024 bit long and should not be used anymore), but could it be that such a key has some incompatibilities with RFC 4880?? I just tried to compile old 2.62 on kubuntu 10.04 but failed, does anybody has a suggestion? thanks Uwe Brauer smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
default (secret) key for gpg
Hello Finally I decided to generate a new 4096 keypair. Now gpg --list-keys tells me I have sec 1024R/93B61FDD 1998-09-17 uid Uwe Brauer o...@mat.ucm.es uid Uwe Brauer o...@btmpx1.mat.uni-bayreuth.de uid Uwe Brauer oub.oub@gmail.com uid Uwe Brauer oub.oub@gmail.com sec 4096R/65AD077A 2014-01-28 uid Uwe Brauer (Second Key) o...@mat.ucm.es ssb 4096R/F7D25222 2014-01-28 So I want to use the new key as default (For Xemacs and maybe this is an addional problem) So I added to the files in .gnupg - gpg.conf: default-key 65AD077A - options: default-key 65AD077A (I even rebooted to restart the gpg-agent). But xemacs, gnus, epg always picks up the old key. I will write to that list as well, but would like to know if there is anything wrong in my setting. thanks Uwe Brauer smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: old pgp2.6x keys imported in gpg (compile pgp 2.6)
Kristian == Kristian Fiskerstrand kristian.fiskerstr...@sumptuouscapital.com writes: http://www.kfwebs.net/articles/article/42/GnuPG-2.0---IDEA-support #secure method=smime mode=sign cool, thanks! smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
RFC3156: application/pgp-keys support enigmail, gnus etc
Hi according to http://tools.ietf.org/html/rfc3156 A pgpmime signed message contains lines such as Content-Type: multipart/signed; boundary==-=-=; micalg=pgp-sha1; protocol=application/pgp-signature While an attached key should look like Content-Type: application/pgp-keys Required parameters: none Optional parameters: none A MIME body part of the content type application/pgp-keys contains ASCII-armored transferable Public Key Packets as defined in [1], section 10.1. I just implemented such a feature for gnus in Xemacs, but it seems that enigmail does not recognise the key! Does anybody know whether other MUA support this format? thanks Uwe Brauer smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
pgp export private key with password
Hello I just tried out iPGmail a app for the iPhone which supports pgp. However I want to import my private key and here the trouble starts. For some reason iPGmail only supports private keys in armor format which are password protected. But gpg --export-secret-keys --passphrase hallo --armor oub2.asc Did not really add a passphrase, since I could import oub2.asc as a different user, without being asked the password. Any advice is strongly appreciated. Uwe Brauer smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: pgp export private key with password
David == David Shaw ds...@jabberwocky.com writes: On Jan 27, 2014, at 3:02 PM, Uwe Brauer o...@mat.ucm.es wrote: Hello I just tried out iPGmail a app for the iPhone which supports pgp. However I want to import my private key and here the trouble starts. For some reason iPGmail only supports private keys in armor format which are password protected. But gpg --export-secret-keys --passphrase hallo --armor oub2.asc Did not really add a passphrase, since I could import oub2.asc as a different user, without being asked the password. I'm not sure I understand what you're trying to do. --export-secret-keys doesn't add or remove a passphrase. If the key has a passphrase, the exported one still does. If the key has no passphrase, neither does the exported one. Right there is a misunderstanding. What you say is of course correct so during exportation and importation no password is asked, however when I want to *use* the key then I must provide the password. However it seems that the application expects for some reason another a password during the import process. smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
time delay unlock private key.
Hello A Long time ago, IBM's proprietary OS, called CMS had a particular feature for the login: It gave you three attempts to login in. If you failed there was a time delay of 20 min, if you failed again, the time delay was prolonged to one hour, and then I think to one day. My private pgp and smime keys are secured by a password, but there is no time delay, which makes a brute force attack possible. Could a time delay be implemented similar to the one I just mentioned? regards Uwe Brauer ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OT: MFT and posting via gmane
Jens == Jens Lechtenboerger clou...@informationelle-selbstbestimmung-im-internet.de writes: (defun my-message-header-setup-hook () (let ((group (or gnus-newsgroup-name ))) (when (or (message-fetch-field newsgroups) (gnus-group-find-parameter group 'to-address) (gnus-group-find-parameter group 'to-list)) (insert Mail-Copies-To: never\n thanks Uwe (add-hook 'message-header-setup-hook 'my-message-header-setup-hook) Best wishes Jens ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: 2.x
Jens == Jens Lechtenboerger clou...@informationelle-selbstbestimmung-im-internet.de writes: On So, Dez 22 2013, Uwe Brauer wrote: Jens == Jens Lechtenboerger P.S. Do you know Mail-Followup-To (MFT)? Do you find this annoying? MFT has benefits: If I reply to a message with MFT, the To header is automatically directed to the list (instead of the From e-mail address). A small joy ;) Moreover, with MFT I know whether you would like to receive a separate copy for replies or not. I still don't understand. I am not subscribed to this mailing list and use the gmane interface. So this message is sent to a (virtual) newsgroup, and maybe mail-followup does not make sense there? I have set message-use-followup-to and message-use-mail-followup-to to 'use, but it does not do a thing. I could use message-goto-followup-to, but then which what I am supposed to insert. regards Uwe Brauer smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: 2.x
Jens == Jens Lechtenboerger clou...@informationelle-selbstbestimmung-im-internet.de writes: On Sa, Dez 21 2013, Uwe Brauer wrote: I am on Kubuntu 10.04 and I have both gnupg and gnupg2 installed. Now since 2.x is not affected by the problem mentioned I prefer to use it. However how can I be sure that gnupg2 is used for my email correspondence for which I use pgp-mime and not gnupg? (I am using Xemacs+gnus) You can uninstall or update gnupg :-) well, no, because then apt-get tells me to uninstall roughly 36 package, some of them look pretty much like core programs. Alternatively, for EasyPG you can customize epg-gpg-program. (The configuration code tries gpg first, gpg2 second. So uninstall should really help.) Ok this was the variable I was looking for. I looked up gpg, epa but not epg! thanks Best wishes Jens Uwe P.S. Do you know Mail-Followup-To (MFT)? If you customized message-subscribed-addresses, my reply would automatically get the correct recipient headers, see: https://www.gnu.org/software/emacs/manual/html_node/message/Mailing-Lists.html hm, I am reading this group via gmane (and news) I use simply gnus-summary-followup-with-original which results in a mail to Newsgroups: gmane.comp.encryption.gpg.user Do you find this annoying? smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: 2.x
K == K Raven m...@kairaven.de writes: Hi, I'm using Kubuntu (13.10) too and because many packets depend on gnupg, i use the Alternatives system to leave gnupg1 installed and use gnupg2 in parallel. You can see that on http://wiki.kairaven.de/open/krypto/gpg/p/gpg4#linux (in German, but the commandos are readable). Sure, you must repeat the steps after gnupg updates. Alternatively (at the end of the chapter), you can rename the gnupg1 binaries and make symlinks to gnupg2, but i don't like that. Thanks, since I am German, I can read this document :-D smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
2.x (was: [Announce] [security fix] GnuPG 1.4.16 released)
Werner == Werner Koch w...@gnupg.org writes: Hello! Along with the publication of an interesting new side channel attack by Daniel Genkin, Adi Shamir, and Eran Tromer we announce the availability of a new stable GnuPG release to relieve this bug: Version 1.4.16. This is a *security fix* release and all users of GnuPG versions 1.x are advised to updated to this version. GnuPG versions 2.x are not affected. See below for the impact of the problem. I am on Kubuntu 10.04 and I have both gnupg and gnupg2 installed. Now since 2.x is not affected by the problem mentioned I prefer to use it. However how can I be sure that gnupg2 is used for my email correspondence for which I use pgp-mime and not gnupg? (I am using Xemacs+gnus) thanks Uwe Brauer smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg-rsa-key decryption with a mobile
Werner == Werner Koch w...@gnupg.org writes: On Wed, 18 Dec 2013 18:31, sys...@ioioioio.eu said: Here, we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG's current implementation of RSA. The attack can Well that is what I posted a few hours ago to this list ;-). Since you are mentioned in this webpage, do you know by any chance whether gpgsm is vulnerable in a similar way? Uwe Brauer smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
gpgsm, certificate expired, different certificate, epa does not encrypt
Hello I am using Xemacs, gnus the epa pkg for encrypting s/mime using gpgsm. I have several email accounts with different (comodo certificates). Now one certificate for the address addre...@gmail.com has expired. However I want to send an email from address2 (whose certificate is *not* expired) to a recipient. However when I try to encrypt this message, it does not work. I obtain an error message, whose epa bug trace I attach. It is not clear to me, who is the culprit, epa or gpgsm. But I consider this is a BUG, I don't want to use the expired certificate but one which is not expired. thanks Uwe Brauer gpgsm --no-tty --status-fd 1 --yes --output /tmp/oub/epg-outputR_HIIF --detach-sign -u F69E1EFB6147C786 gpgsm: note: non-critical certificate policy not allowed gpgsm: note: non-critical certificate policy not allowed gpgsm: note: non-critical certificate policy not allowed gpgsm: CRLs not checked due to --disable-crl-checks option gpgsm: certificate has expired gpgsm: (expired at 2013-12-16 23:59:59) gpgsm: note: non-critical certificate policy not allowed gpgsm: note: non-critical certificate policy not allowed gpgsm: note: non-critical certificate policy not allowed gpgsm: CRLs not checked due to --disable-crl-checks option gpgsm: NOTE: won't be able to encrypt to `burr...@gmail.com': Certificate expired gpgsm: DBG: adding certificates at level -1 [GNUPG:] SIG_CREATED D 1 2 00 20131218T101015 AF791B3AE3CCA0A1A9575730F69E1EFB6147C786 gpgsm: signature created gpgsm --no-tty --status-fd 1 --yes --output /tmp/oub/epg-outputR_HVSL --encrypt -r 768D0C6F306269A7 -r F69E1EFB6147C786 gpgsm: note: non-critical certificate policy not allowed gpgsm: note: non-critical certificate policy not allowed gpgsm: note: non-critical certificate policy not allowed gpgsm: CRLs not checked due to --disable-crl-checks option gpgsm: note: non-critical certificate policy not allowed gpgsm: note: non-critical certificate policy not allowed gpgsm: note: non-critical certificate policy not allowed gpgsm: CRLs not checked due to --disable-crl-checks option gpgsm: certificate has expired gpgsm: (expired at 2013-12-16 23:59:59) gpgsm: note: non-critical certificate policy not allowed gpgsm: note: non-critical certificate policy not allowed gpgsm: note: non-critical certificate policy not allowed gpgsm: CRLs not checked due to --disable-crl-checks option gpgsm: can't encrypt to `burr...@gmail.com': Certificate expired [GNUPG:] INV_RECP 5 burr...@gmail.com gpgsm --no-tty --status-fd 1 --yes --output /tmp/oub/epg-outputR_HicR --detach-sign -u F69E1EFB6147C786 gpgsm: note: non-critical certificate policy not allowed gpgsm: note: non-critical certificate policy not allowed gpgsm: note: non-critical certificate policy not allowed gpgsm: CRLs not checked due to --disable-crl-checks option gpgsm: certificate has expired gpgsm: (expired at 2013-12-16 23:59:59) gpgsm: note: non-critical certificate policy not allowed gpgsm: note: non-critical certificate policy not allowed gpgsm: note: non-critical certificate policy not allowed gpgsm: CRLs not checked due to --disable-crl-checks option gpgsm: NOTE: won't be able to encrypt to `burr...@gmail.com': Certificate expired gpgsm: DBG: adding certificates at level -1 [GNUPG:] SIG_CREATED D 1 2 00 20131218T101051 AF791B3AE3CCA0A1A9575730F69E1EFB6147C786 gpgsm: signature created gpgsm --no-tty --status-fd 1 --yes --output /tmp/oub/epg-outputR_HvmX --encrypt -r F69E1EFB6147C786 -r F69E1EFB6147C786 gpgsm: note: non-critical certificate policy not allowed gpgsm: note: non-critical certificate policy not allowed gpgsm: note: non-critical certificate policy not allowed gpgsm: CRLs not checked due to --disable-crl-checks option gpgsm: certificate has expired gpgsm: (expired at 2013-12-16 23:59:59) gpgsm: note: non-critical certificate policy not allowed gpgsm: note: non-critical certificate policy not allowed gpgsm: note: non-critical certificate policy not allowed gpgsm: CRLs not checked due to --disable-crl-checks option gpgsm: can't encrypt to `burr...@gmail.com': Certificate expired [GNUPG:] INV_RECP 5 burr...@gmail.com ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm, certificate expired, different certificate, epa does not encrypt
Jens == Jens Lechtenboerger clou...@informationelle-selbstbestimmung-im-internet.de writes: On Mi, Dez 18 2013, Uwe Brauer wrote: I am using Xemacs, gnus the epa pkg for encrypting s/mime using gpgsm. Hi Uwe, if I understand you correctly, you fail to encrypt to your From address, right? Not really, my from address is o...@mat.ucm.es the corresponding certificate is *NOT* expired. I have also a gmail account whose certificate is expired, but which does not play any role here. Or should not play any role here. If I’m not mistaken, epa does not encrypt to From addresses by default. What did you do to make that happen? Does your gpgsm.conf contain “encrypt-to” for the expired certificate? No! Yuk there is indeed a line! :'( encrypt-to burr...@gmail.com Why the hell is this line there? Maybe I did some testing and forgot about it. :-D Thanks very much Uwe smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
MFPA == MFPA expires2...@ymail.com writes: Hi On Thursday 7 November 2013 at 11:16:36 AM, in mid:87txfotqaz@gilgamesch.quim.ucm.es, Uwe Brauer wrote: I had to search for and import some more root certificates from the Comodo website before I could encrypt to you using my mailer's built-in s/mime. Microsoft Crypto-API no use, even after your and comodo's certificates imported into certmgr.msc. I'm probably doing something wrong there, but it's not clear what to do. For something that is supposed to be easier than OpenPGP, s/mime doesn't seem easy to me. That is really odd, I have successfully interchanged s/mime emails, with users using thunderbird or outlook + windows + Comodo certificates. None of them had to install the root certificates. It seems to me that the BAT does not support Comodo CA. Uwe smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
MFPA == MFPA expires2...@ymail.com writes: Hi Hi On Monday 4 November 2013 at 10:43:43 PM, in mid:87habrrdnk@mat.ucm.es, Uwe Brauer wrote: - from my own experience I am convinced that smime is much easierthan gpg[2] for reasons I am not going to repeat here. (I got 7out of 10 of my friends/colleagues to use smime, but 0 of 10 to use gpg.) Depending on the software people are using. I'm willing to accept that there are probably more people for whom S/MIME is easier to use. Well take for example iOs: using pgp is a sort of a nightmare. The reasons why I think smime is easier to use for the average user are: smime is already installed in most MUA (so no additional software+plugin) keypairs are generated and signed by the trust center. Public keys are automatically embedded in the signatures. The email app I am using to write this message can (almost trivially) generate and use self-signed certificates for the email accounts it has configured. The difficulty is getting other people to persuade their MUA to accept them. Aha I see you use the BAT, an email program I have not seen in use, for almost a decade. Good and bad news. Gpgsm allowed my to use your public keys after having fireing up a series of questions, iOs also, (if you don't mind I send you to test messages later privately) However thunderbird refuses to use yoru public key claiming it cannot be trusted. So I am afraid the issue is to persuade the not only the people but also the software. I think I mentioned in one of my other postings that I was using hyperbole to make my point. I'm not quite _that_ paranoid, but I believe in exercising a healthy skepticism. Ok I have seen this now. regards Uwe smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
MFPA == MFPA expires2...@ymail.com writes: Hello There are already several private sector CAs who provide free S/MIME certificates in the hope that punters may take one of their paid products instead or in addition. Potential sales is their incentive to provide some products free. What would be a government's incentive to provide them free of charge instead of charging for the admin? And what would a government based CA bring to the party that is not already available? If all we are talking about is email encryption to protect people's email from being read in transit, a self-signed certificate takes care of the encryption without the need for a CA. The only value in using a recognised CA rather than a self-signed certificate is convenience for the recipient, whose MUA is likely to automatically trust a recognised CA but would need to be told to accept a self-signed certificate. Ok let me try to answer this point by point. Before doing I want to emphasise that I am taking a very pragmatic point of view here.[1] - NSA (among others) has abused its resource to read email worldwide at a very large scale. - so if a lot of people, say 30 % of all users would encrypt their email, then NSA statistical approach would *not* work that smooth and this is a good thing. - so encrypting email should be easy and look trustful for a majority of users - usually public/private key based methods are considered relative secure (Even Snowden claimed that you could rely on them), this does not mean that the NSA could not read your email. They would usually try to enter your machine installing a keylogger or something like this. But this is beyond the statistical method I mentioned above. - if I understand correctly the real problem is not security of the the cipher but the authenticity of the sender and so the most common attack is a man in the middle attack. This is true for both smime and gpg. So comparing fingerprints of public key is a good thing, which most of us, I presume, don't do. - from my own experience I am convinced that smime is much easier than gpg[2] for reasons I am not going to repeat here. (I got 7 out of 10 of my friends/colleagues to use smime, but 0 of 10 to use gpg.) - one of the reasons some of them hesitated was the fact that the certificates were offered by some commercial company they did not know and trust.[3] They would have had installed it from a government based organisation, say the ministry of justice though. - so if some government based organisation would do what say commodo does it would send a signal to the public that it takes privacy seriously and I think it would encourage more people to use smime. - Private certificates, are unfortunately no solution. Yes it is possible with openssl to generate them, I have done that myself. However it is very difficult till impossible to convince the main email programs, such as outlook, thunderbird or Apple mail to use them or to use public keys sent by such certificates. [4] Uwe Brauer Footnotes: [1] I must add that I don't share your general view about government based organisations. I still hope that abuse is the exception not the rule.. [2] although pgp seems technically better, since some implementations of smime allow a relative short symmetric key [3] (Besides these companies have a certain business model and their free certificates last short and expire usually after one year.) [4] I finally managed to use them in thunderbird, but is was complicated not something the regular user would like to do. smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
Ingo == Ingo Klöcker kloec...@kde.org writes: I interpreted especially because of all which was lately revealed about the NSA No it was more of a general remark, concerning NSA malpractice of reading everybody's (uncrypted) email unconditionally. So, your point/hope probably was that a government based CA wouldn't have such a business model and would instead offer this service gratis to the people (so that more people would be protected from the NSA reading their mail). If this was your point then apparently I didn't see it when I first read your message. That was *precisely* my point, thanks for clarifying it Uwe Brauer smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
MFPA == MFPA expires2...@ymail.com writes: Hi On Sunday 27 October 2013 at 2:46:05 PM, in mid:8761si4vrm@mat.ucm.es, Uwe Brauer wrote: Isn't the NSA a government based organisation? Surely guilt-by-association renders every government based organisation just as nefarious as the NSA. Your point being? I presume it goes like this: NSA is a government based organisation doing, among other things, violations of civil rights. So any other government based organisation cannot be trust, end of argument. Well I just talked about a service, which provides certificates to its citizen. That means it signs a public/private key pair, which is generated by the, hopefully open source, crypto module of your browser. So either you claim to have evidence that this modules have been hacked and the key pair is transferred to some of these evil organisations or I really don't see your point. Uwe Brauer smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
Werner == Werner Koch w...@gnupg.org writes: On Sat, 26 Oct 2013 22:03, o...@mat.ucm.es said: know by the date of the certificate which certificate to use for which message? - old for old messages Note, that there is no need for a certificate for decryption - only the private key is required. The certificate is only used to show some meta information. Now I am confused. Most likely my knowledge of certificates is not correct. (I played around with openssl to generate my own, useless, certificates). I thought a certificate consists of a key pair (private/public) which is signed by the Authority (here comodo). When I apply for a certificate, the keypair is generated by the crypto module of the browser and then signed. So I thought when I apply for a new certificate a new key pair is generated which gets signed again. But your comment above seems to indicate that the old pair gets a new signature. Is this correct? But what if I apply with a different browser I applied the last time. thanks Uwe Brauer smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
If you generate a new keypair for the new certificate (which is probably a good idea) then gpgsm (and presumably any other certificate-using software) will figure out what private key will be needed to decrypt a particular message and, so long as you still have the private key on your system, will use it as needed even if the corresponding certificate has expired. So gpgsm (and others) will also figure out which private key to use for signing: that is the new one, once the old certificate is expired? Which means in the case of smime, also to embedd the corresponding new public key in the signature. thanks Uwe smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
Werner == Werner Koch w...@gnupg.org writes: On Sun, 27 Oct 2013 10:23, p...@heypete.com said: Correct, though it is possible (but usually recommend against) to create a new certificate using the same private keypair as before. In The business model of most CAs is to sell you a subscription by setting the expiration time very low so that they can ask after a year for another fee to create a new certificate. Here it does not make sense to create a new private key every year. Well comodo is free (still) and to prolong the certificate seems free to for the moment, but I agree I would prefer a government based organisation which provides this service to its citizen (especially because of all which was lately revealed about the NSA) GnuPG basically does the same by allowing you to prolong the expiration time. I don't want to enter a flame war here and in principle I'd prefer gpg over smime but in reality I have to use smime, because - it is implemented in almost all MUA while gpg is not[1] - it is so much easier to install for the people I communicate with than gpg. I recall that I tried to convince gpg and after some hours he almost yelled at me, while he was able to set up smime in 5 minutes. The reasons for this are the following. - As I said smime is already installed in almost all MUA, so no need to install gpg and to install a plugin for the MUA - the user does not have to generate a keypair. Well this is not entirely true, as we mentioned earlier, but the user applies for a certificate picks it up and he is set. - the user does not have to exchange public keys, he just sends a signed message which includes his public key. So if the big MUAS and not only thunderbird, but at least outlook apple mail, and iOS mail, would - support gpg natively - when use gpg in the mailreader for the first time, it would silently generate a key pair - when sending a signed message it would always embed the public key in the signature Then a think gpg would be as easy to use as smime, but till then Uwe Brauer Footnotes: [1] I tried to use gpg on a non jailbroken iPhone and it is honestly a hassle. smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
gpgsm and expired certificates
Hello I use gpgsm, via gnus+Xemacs and I have installed a free certificate from Comodo. This certificate expires in a couple of weeks and I have to apply for a new one. However I need the old one to read old messages. Can gpgsm deal with this situation? thanks Uwe Brauer smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
Werner == Werner Koch w...@gnupg.org writes: On Sat, 26 Oct 2013 12:02, o...@mat.ucm.es said: Can gpgsm deal with this situation? Sure. That is a very common situation. Although I am myself not using gpgsm for mail encryption, I use it to maintain all kind of X.509 certificates. FWIW, gpgsm passed several conformance tests with quite good results [1] and was recently approved for secret communication (at the Germany's entry level VS/NfD). Good, so if I understand that correctly once I have the new certificate then I only have to import it into gpgsm and gpgsm will know by the date of the certificate which certificate to use for which message? - old for old messages - the new for the new messages thanks Uwe Brauer smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: embedded public key in signature as in smime.
Daniel == Daniel Kahn Gillmor d...@fifthhorseman.net writes: On 01/08/2013 05:02 PM, Uwe Brauer wrote: Are there any plans to modify the signature (backward compatible?) such that it contains the public key embedded as in smime? Not that i know of. Why do you think this would be useful? I think it would make it easier to interchange public keys. I have tried over many years to encourage my friends to use pgp, one of the obstacles was the extraction and interchange of the public keys. I started to use smime recently and besides its flaws I have to admit that the key interchange is easier (most likely be more insecure) You could do all of this within the existing OpenPGP specification, but to make it actually useful (and not just bloat your signatures in ways that no one else bothers to take advantage of) you might want to modify GnuPG a bit. Here are some thoughts on how you might approach it if you think this is a worthwhile goal. OpenPGP notations: https://tools.ietf.org/html/rfc4880#section-5.2.3.16 thanks [snip] So to extend gpg, you might add some other --verify-options directive like import-embedded-key-notation. make sense? I think it does, but it sounds like a project for the (far) future. regards Uwe smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
embedded public key in signature as in smime.
Hello Are there any plans to modify the signature (backward compatible?) such that it contains the public key embedded as in smime? thanks Uwe Brauer smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
gpgsm: smime, various secret keys, various email addresses how to configure
Hello I am not sure that this is the correct list to ask and whether my question is too elementary, but I could not find a solution using google. I started to use smime, via xemacs, gnus, epg and gpgsm. [1] I have 3 accounts, one for work two private ones. I obtained free certificates from www.comodo.com. Now the issue is that epg (the lisp interface) chooses the first secret keys which is listed via gpgsm --list-secrect-keys For any email, even if I use a different account. However I would like to have us...@gmail.com key1 us...@gmail.com key2 us...@gmail.com key3 The epg author referred to the gpgsm manual or the mailing list, however I can't find a relevant description Can somebody help me? Thanks very much in advance Uwe Brauer Footnotes: [1] I used gpg, but most of the people I correspondence considered it as to user unfriendly. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
same key: pgp 2.6 version and gpg version: keyserver
Hello Several years ago I submitted my pgp 2.6 to the key server http://math-www.uni-paderborn.de/pgp/. Now I successfully exported that key to gpg. (The key as in both program the same ID) I would like to submit both version of the same key to a more recent key server like sks.keyserver.penguin.de. Is this possible, or would the same key in different flavours cause problems and confusions? Thanks Uwe Brauer pgpDX2lRrABVI.pgp Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: same key: pgp 2.6 version and gpg version: keyserver
David == David Shaw [EMAIL PROTECTED] writes: David On Thu, Jul 21, 2005 at 05:21:13PM +, Uwe Brauer wrote: David == David Shaw [EMAIL PROTECTED] writes: David On Thu, Jul 21, 2005 at 04:18:00PM +, Uwe Brauer David wrote: There is only one version of the key whether it David is in PGP or GPG. Go ahead and submit it to any David keyserver you like. David David I am confused. From what I read pgp 2.6 and gpg are not compatible, see http://www.gnupg.org/gph/en/pgp2x.html [1] I cannot as a gpg user use the pgp public key in order to send a message. Do you agree? David No. Aha, I asked some weeks ago about how to import my pgp 2.6 to gpg, because following the rules mentioned above gpg --import private.pgp and the alike did NOT work, that is I used the imported key and tried to send myself a message using enigmail and failed, the reason seems to be IDEA (well you can compile IDEA support into gpg however this is not standard.) See the messages: Message-ID: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] and especially Message-ID: [EMAIL PROTECTED] Where Werner advice to empty the pass-phrase in pgp2.6 import it to gpg and then introduce a pass-phrase. So I conclude from that that a pgp2.6 with IDEA protected pass-phrase is NOT the same as the imported key into gpg, where the pass phrase is protected by other algorithm. Uwe ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
problems with the mailing list
Hello I subscribed yesterday to the list, got the typical welcome msg, but my posting of today got refused, reason being that I am a non member. I am using the gmane fontend in order to communicate with the list. Could anybody tell me what is the reason for this strange behaviour. Thanks Uwe Brauer ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users