Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-13 Thread Stefan Claas

On 12.06.2017 at 23:50, Duane Whitty wrote:

Thanks for your input, much appreciated!

> I would also add one word about USB sticks: It is very difficult to
> know if they've been compromised and there are no tell-tale signs when
> an attack is taking place. I never put a USB in my computer that has
> been used on a computer I don't own.
> Best Regards,
> Duane



Thanks for pointing this out!

I come to the conclusion after reading all the replies from this thread
that I will return to pure GnuPG usage, instead of using an email / Usenet
client with add-ons. I already found a script for PGP/MIME so that I can
decrypt/verify a message sent to me when using GnuPG in command-line
mode.

Another thing I will do in the future, which I haven't read in popular
tutorials, is that once I have checked the hash/sig of the provided package
I will also hash the binaries after unpacking and print them out on a piece
of paper, so that I can frequently check the values.

Regards
Stefan







___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
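Stefan's plan above (hash the unpacked binaries and keep the list on paper for later checks) is a file integrity baseline. The following Python is an added example, not code from the thread or from GnuPG: it records a SHA-256 digest for every file under a directory in the `sha256sum` line format (hash, two spaces, path), which is the form one would print, and later reports files that were modified, removed or added since the baseline was taken. The directory layout, file contents and function names are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# All function names below are this example's own (constructed), not GnuPG's.


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so a large binary need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def manifest_to_text(manifest: dict) -> str:
    """Render in sha256sum style, one sorted line per file: the printable baseline."""
    return "".join(f"{digest}  {name}\n" for name, digest in sorted(manifest.items()))


def parse_manifest(text: str) -> dict:
    """Inverse of manifest_to_text: read a printed baseline back into a dict."""
    manifest = {}
    for line in text.splitlines():
        if line.strip():
            digest, name = line.split("  ", 1)
            manifest[name] = digest
    return manifest


def verify(root: Path, expected: dict) -> dict:
    """Compare the tree under root against the recorded baseline."""
    current = build_manifest(root)
    return {
        "modified": sorted(n for n in expected if n in current and current[n] != expected[n]),
        "missing": sorted(n for n in expected if n not in current),
        "unexpected": sorted(n for n in current if n not in expected),
    }


def demo_baseline_check() -> dict:
    """Constructed scenario: baseline an unpacked package, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "gpg").write_bytes(b"\x7fELF constructed stand-in for a binary")
        (root / "bin" / "gpg-agent").write_bytes(b"\x7fELF another constructed stand-in")
        (root / "README").write_text("constructed package\n")

        # Round-trip through the printable form, as if read back from paper.
        baseline = parse_manifest(manifest_to_text(build_manifest(root)))
        assert verify(root, baseline) == {"modified": [], "missing": [], "unexpected": []}

        # Simulated tampering after the baseline was recorded.
        (root / "bin" / "gpg").write_bytes(b"\x7fELF constructed stand-in, now altered")
        (root / "README").unlink()
        (root / "bin" / "extra.so").write_bytes(b"dropped in later")
        return verify(root, baseline)
```

The check only detects change relative to the moment the baseline was taken, so the baseline has to be recorded right after the package signature was verified; and a hashing tool that runs on the same machine as the binaries it checks can be lied to by whoever controls that machine, which is the point Robert and Peter make elsewhere in the thread about a compromised host.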


Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Duane Whitty


On 17-06-12 05:45 PM, Stefan Claas wrote:
> On 12.06.17 22:35, Robert J. Hansen wrote:
>>> Is there something like a Standard Operating Procedure for GnuPG
>>> available, which fulfills security experts demands, and which can
>>> easily be adapted by an average GnuPG user, regardless of platform 
>>> and client he/she uses?
>> No.  More to the point, there can't be.  Each user faces threats
>> specific to that user; each user is responsible for their own threat
>> modeling.
>>
>> But follow the steps I outlined before and you'll significantly improve
>> your online security.  You won't be perfect -- there is no such thing as
>> perfection.  You won't be a hardened target -- that takes a lot of work.
>>  But follow those steps and you'll have taken care of the easy ways that
>> your machine can be compromised.
>>
> 
> Thank you very much for your advice, much appreciated!
> 
> Regards
> Stefan
> 
> 
I'm not one of the many experts on the list you refer to so you'll have
to judge for yourself the usefulness of my procedures.  Comments from
more experienced users welcome as well, of course, and some very
experienced users have given you very good advice already.

Some of the things I do include setting a password on the BIOS and HD and
turning my computer off when I'm not using it.  My reason for those
steps is that I am hoping it would introduce enough of a roadblock that
should someone gain physical access to my computer (a laptop) they would
need to take it with them in order to compromise it.

I also don't click on any links in emails. As well, I don't open any PDF
files I don't trust.

I believe also that it's important to consider what operating system you
use.  Some people believe that with certain OSs you are compromised the
minute you install said OS and are actually fulfilling the role of
Mallory against yourself.  This is to say that I believe Open Source is
beneficial not that it is the complete solution.

I would also add one word about USB sticks:  It is very difficult to
know if they've been compromised and there are no tell-tale signs when
an attack is taking place.  I never put a USB in my computer that has
been used on a computer I don't own.
Best Regards,
Duane

-- 
Duane Whitty
du...@nofroth.com





Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Stefan Claas
On 12.06.17 22:35, Robert J. Hansen wrote:
>> Is there something like a Standard Operating Procedure for GnuPG
>> available, which fulfills security experts demands, and which can
>> easily be adapted by an average GnuPG user, regardless of platform 
>> and client he/she uses?
> No.  More to the point, there can't be.  Each user faces threats
> specific to that user; each user is responsible for their own threat
> modeling.
>
> But follow the steps I outlined before and you'll significantly improve
> your online security.  You won't be perfect -- there is no such thing as
> perfection.  You won't be a hardened target -- that takes a lot of work.
>  But follow those steps and you'll have taken care of the easy ways that
> your machine can be compromised.
>

Thank you very much for your advice, much appreciated!

Regards
Stefan




Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Robert J. Hansen
> Is there something like a Standard Operating Procedure for GnuPG
> available, which fulfills security experts demands, and which can
> easily be adapted by an average GnuPG user, regardless of platform 
> and client he/she uses?

No.  More to the point, there can't be.  Each user faces threats
specific to that user; each user is responsible for their own threat
modeling.

But follow the steps I outlined before and you'll significantly improve
your online security.  You won't be perfect -- there is no such thing as
perfection.  You won't be a hardened target -- that takes a lot of work.
 But follow those steps and you'll have taken care of the easy ways that
your machine can be compromised.



Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Stefan Claas
On 12.06.17 22:10, Robert J. Hansen wrote:
>> and transfer signed/encrypted messages from my online usage
>> computer with a USB stick to my offline computer and verify
>> decrypt the messages there. :-)
> If you think your online computer may be compromised, then you have no
> business sharing USB devices between it and your believed-safe computer.
>
O.k., I have, for example, no offline computer shielded against Tempest
attacks etc., because I am only a little Mac user. Is there something like
a Standard Operating Procedure for GnuPG available, which fulfills security
experts' demands, and which can easily be adapted by an average GnuPG user,
regardless of platform and client he/she uses?

Regards
Stefan




Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Robert J. Hansen
> and transfer signed/encrypted messages from my online usage
> computer with a USB stick to my offline computer and verify
> decrypt the messages there. :-)

If you think your online computer may be compromised, then you have no
business sharing USB devices between it and your believed-safe computer.




Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Stefan Claas
On 12.06.17 21:15, Peter Lebbing wrote:

>> (Remember there are two types of companies. Those who know they got
>> hacked and those who don't know yet that they got hacked.)
>>
>>
I should put that as a signature in my email and Usenet client! :-)

Regards
Stefan





Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Stefan Claas
On 12.06.17 21:21, Ludwig Hügelschäfer wrote:
> What you can do: Learn, learn by playing, learn by trying to
> understand what others write and by asking questions and become a
> reasonable critical user. That's the hard way, but you learn best.
> Second possibility would be to have a good experienced friend which
> guides you along the way. Third way would be to engage an expert which
> maintains your computer.
>
Thanks also for your valuable reply!

Please see also my reply to Peter.

Regards
Stefan






Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Stefan Claas
On 12.06.17 21:15, Peter Lebbing wrote:
> On 12/06/17 20:51, Stefan Claas wrote:
>> Maybe as an additional security feature Enigmail should give
>> a key with a set trust level of "Ultimate" a different color than
>> green.
> No, that's beside the point. Once somebody gets your user privileges,
> there is no "additional security". It's game over. They could replace
> your Enigmail with their Evilmail, which seems like a good name for an
> Enigmail edited to show any fingerprint the attacker desires and give it
> any colour of the rainbow.
>
> You need to make sure your computer doesn't get hacked by someone who
> wants to subvert your use of GnuPG. Luckily, for most of us, we get
> hacked to send spam... ;)
>
> (Remember there are two types of companies. Those who know they got
> hacked and those who don't know yet that they got hacked.)
>
>

Thanks for your thought! So what I have learned from this whole
thread, also about my proposal for identicons, is that I should buy
myself an offline computer, send Thunderbird/Enigmail to /dev/null
and transfer signed/encrypted messages from my online usage
computer with a USB stick to my offline computer and verify/decrypt
the messages there. :-)

Regards
Stefan





Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Ludwig Hügelschäfer

On 12.06.17 20:51, Stefan Claas wrote:
> On 12.06.17 20:18, Ludwig Hügelschäfer wrote:
>> Hi,
>> 
>> On 12.06.17 14:52, Stefan Claas wrote:
>> 
>>> Hi Ludwig,
>>> 
>>> I just checked again. On my Mac and on my Windows Notebook I
>>> get a green bar, from a blue "Untrusted" key, when I go into
>>> Enigmail's Key Management and set the trust of that key to
>>> Ultimate...
>> Well, ultimate ownertrust is the wrong way. This setting is
>> reserved for your own keys. No wonder you get a green header
>> bar.
>> 
>> What are you trying to achieve?
>> 
> 
> Well, I assume that the majority of people who are using GnuPG are
> using it with Thunderbird/Enigmail.

I'd not sign this statement. A lot of users caring for privacy and
safety won't go for Windows. Thunderbird is not the most popular mail
client on non-Windows computers; there are quite some other mail clients.

> Let's also assume they are not security experts like all you guys
> here on the list and let's also assume they are following popular
> tutorials like the ones from EFF:
> https://ssd.eff.org/en/module/how-use-pgp-windows because they know
> EFF are good people (like you security experts).
> 
> Now here is my thought. Mallory knows very well what I have
> described above, and after he gained access to my computer he simply
> replaces one of my locally signed pub keys with a fake one where he
> sets owner trust to ultimate. A user, described as above, would imho
> have a hard time to detect a fake pub key, because Enigmail shows
> a green bar for both keys.

As Robert said: If an attacker gains control over your computer,
you're busted, game over.

> Maybe as an additional security feature Enigmail should give a key
> with a set trust level of "Ultimate" a different color than green.

This would also be the case if the attacker gained access to your
computer.

What you can do: Learn, learn by playing, learn by trying to
understand what others write and by asking questions and become a
reasonable critical user. That's the hard way, but you learn best.
Second possibility would be to have a good experienced friend which
guides you along the way. Third way would be to engage an expert which
maintains your computer.

Ludwig



Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Peter Lebbing
On 12/06/17 20:51, Stefan Claas wrote:
> Maybe as an additional security feature Enigmail should give
> a key with a set trust level of "Ultimate" a different color than
> green.

No, that's beside the point. Once somebody gets your user privileges,
there is no "additional security". It's game over. They could replace
your Enigmail with their Evilmail, which seems like a good name for an
Enigmail edited to show any fingerprint the attacker desires and give it
any colour of the rainbow.

You need to make sure your computer doesn't get hacked by someone who
wants to subvert your use of GnuPG. Luckily, for most of us, we get
hacked to send spam... ;)

(Remember there are two types of companies. Those who know they got
hacked and those who don't know yet that they got hacked.)

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Stefan Claas
On 12.06.17 20:18, Ludwig Hügelschäfer wrote:
> Hi,
>
> On 12.06.17 14:52, Stefan Claas wrote:
>
>> Hi Ludwig,
>>
>> I just checked again. On my Mac and on my Windows Notebook I get a
>> green bar, from a blue "Untrusted" key, when I go into Enigmail's
>> Key Management and set the trust of that key to Ultimate...
> Well, ultimate ownertrust is the wrong way. This setting is reserved
> for your own keys. No wonder you get a green header bar.
>
> What are you trying to achieve? 
>

Well, I assume that the majority of people who are using GnuPG
are using it with Thunderbird/Enigmail. Let's also assume they are
not security experts like all you guys here on the list, and let's
also assume they are following popular tutorials like the ones
from EFF: https://ssd.eff.org/en/module/how-use-pgp-windows
because they know EFF are good people (like you security experts).

Now here is my thought. Mallory knows very well what I have
described above, and after he gained access to my computer he
simply replaces one of my locally signed pub keys with a fake
one where he sets owner trust to ultimate. A user, described as
above, would imho have a hard time to detect a fake pub key,
because Enigmail shows a green bar for both keys.

Maybe as an additional security feature Enigmail should give
a key with a set trust level of "Ultimate" a different color than
green.

Regards
Stefan






Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Ludwig Hügelschäfer
Hi,

On 12.06.17 14:52, Stefan Claas wrote:

> Hi Ludwig,
> 
> I just checked again. On my Mac and on my Windows Notebook I get a
> green bar, from a blue "Untrusted" key, when I go into Enigmail's
> Key Management and set the trust of that key to Ultimate...

Well, ultimate ownertrust is the wrong way. This setting is reserved
for your own keys. No wonder you get a green header bar.

What are you trying to achieve? I'm getting tons of "UNTRUSTED Good
signature" when reading my mailing lists, e.g. from Peter Lebbing and
a lot of others. That's the way it is, I have to accept this, my
web-of-trust is not so good. I've got a couple of good signatures, though.

One way to improve this situation is to get out, meet people, view
their IDs and receive their fingerprints, verify them, and if all is
good, sign their keys.

The other would be to enable TOFU. Can't tell anything about this, I
still have to test.

Best regards

Ludwig





Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Robert J. Hansen
> If Mallory somehow got access to my computer and replaced one
> pub key from my communication partners with a fake one and set the
> trust level to Ultimate, how could I detect this, if I'm not always
> looking at the complete fingerprint and comparing it with a separate
> list?

If Mallory can tamper with your keyrings, that's a total game-over
condition.  At that point there are dozens of attacks open to her.  Once
you lose control of your computer, it's all over.



Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Peter Lebbing
I hadn't gotten round to answer your earlier questions yet, since I
noticed a point I should first spend some effort and thinking on.

On 12/06/17 16:14, Stefan Claas wrote:
> And a question for this... If Mallory somehow got
> access to my computer and replaced one pub key from my
> communication partners with a fake one and set the trust level to
> Ultimate, how could I detect this, if I'm not always looking at the
> complete fingerprint and comparing it with a separate list?

It is impossible to use any form of cryptography in a secure fashion
when somebody is in a position to mess with the computer you're using it
on. Worst is someone with administrator privileges, but somebody with
the same privileges as you is already more than enough to completely
subvert your security.

They could alter your search path and put their own binaries in them.
Any program you launch, be it GnuPG, your e-mail client, your shell, or
any other program you use, could be replaced by something else. Same for
your data files, as you point out.

Your user account needs to be secure from evildoers. It depends on your
threat model how you go about this.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Stefan Claas
On 12.06.17 16:06, Peter Lebbing wrote:
> On 12/06/17 14:52, Stefan Claas wrote:
>> I just checked again. On my Mac and on my Windows Notebook
>> I get a green bar, from a blue "Untrusted" key, when I go into
>> Enigmail's Key Management and set the trust of that key to
>> Ultimate...
> Don't do this! Or did you do it just for testing? "Ultimate" is for your
> own keys. It makes the key itself valid and all keys signed by that key.
> It's the odd one out, as the other trust levels only determine the
> validity of other keys signed by that key but don't affect the key itself.
>
> To make a key valid, sign it with a local signature. Or an exportable
> signature, your choice.
>

I did that for testing! And a question for this... If Mallory somehow got
access to my computer and replaced one pub key from my
communication partners with a fake one and set the trust level to
Ultimate, how could I detect this, if I'm not always looking at the
complete fingerprint and comparing it with a separate list?

Regards
Stefan





Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Peter Lebbing
On 12/06/17 14:52, Stefan Claas wrote:
> I just checked again. On my Mac and on my Windows Notebook
> I get a green bar, from a blue "Untrusted" key, when I go into
> Enigmail's Key Management and set the trust of that key to
> Ultimate...

Don't do this! Or did you do it just for testing? "Ultimate" is for your
own keys. It makes the key itself valid and all keys signed by that key.
It's the odd one out, as the other trust levels only determine the
validity of other keys signed by that key but don't affect the key itself.

To make a key valid, sign it with a local signature. Or an exportable
signature, your choice.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-12 Thread Stefan Claas


On 07.06.17 22:23, Ludwig Hügelschäfer wrote:
> Hi Stefan,
>
> On 06.06.17 22:19, Stefan Claas wrote:
>> On 06.06.17 20:46, Charlie Jonas wrote:
>>> On 2017-06-06 19:12, Stefan Claas wrote:
>>>> I tried also with Enigmail under OS X but when checking the
>>>> signatures here from the list members I always get the blue
>>>> "Untrusted Good Signature".
>>> Yes I get this as well. Interestingly whatever trust level I give
>>> keys, Enigmail on OSX seems to want to make the bar blue
>>> regardless.
>>>
>> Thanks for confirming. Hopefully Ludwig still follows this thread
>> and can tell us why it's not working as expected.
> It's working as expected. To get a green bar in Enigmails header
> display, the key signing the message has to be at least fully valid. A
> key gets valid if you either:
>
> - sign it (whether local or exportable is not relevant)
>
> or
>
> - it is signed by
>   - at least one key you have signed and you have put "full" ownertrust
> on these
>   - at least three other keys you have signed and you have put
> "marginal" ownertrust on these
>
> This is the behaviour of the "classic" or "PGP" trust model which is
> the default in GnuPG. Enigmail only displays the result.
>
>
Hi Ludwig,

I just checked again. On my Mac and on my Windows Notebook
I get a green bar, from a blue "Untrusted" key, when I go into
Enigmail's Key Management and set the trust of that key to
Ultimate...

Regards
Stefan







Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-07 Thread Stefan Claas
On 07.06.17 22:23, Ludwig Hügelschäfer wrote:
> Hi Stefan,
>
> On 06.06.17 22:19, Stefan Claas wrote:
>> On 06.06.17 20:46, Charlie Jonas wrote:
>>> On 2017-06-06 19:12, Stefan Claas wrote:
>>>> I tried also with Enigmail under OS X but when checking the
>>>> signatures here from the list members I always get the blue
>>>> "Untrusted Good Signature".
>>> Yes I get this as well. Interestingly whatever trust level I give
>>> keys, Enigmail on OSX seems to want to make the bar blue
>>> regardless.
>>>
>> Thanks for confirming. Hopefully Ludwig still follows this thread
>> and can tell us why it's not working as expected.
> It's working as expected. To get a green bar in Enigmails header
> display, the key signing the message has to be at least fully valid. A
> key gets valid if you either:
>
> - sign it (whether local or exportable is not relevant)
>
> or
>
> - it is signed by
>   - at least one key you have signed and you have put "full" ownertrust
> on these
>   - at least three other keys you have signed and you have put
> "marginal" ownertrust on these
>
> This is the behaviour of the "classic" or "PGP" trust model which is
> the default in GnuPG. Enigmail only displays the result.

Thanks, I'm aware of the classic trust model.
>
> You may read more about this here:
> https://enigmail.wiki/Key_Management#The_Web_of_Trust
>
> There's a lot more information about the web of trust out in the web.
>
> Disclaimer: Configuring GnuPG to use the TOFU trust model may change
> this behaviour.

I configured GnuPG to use the TOFU model and expected that Enigmail
would switch from blue Untrusted to green when TOFU gives "full" trust
to a pub key. For example, when I downloaded a signed Usenet message
as a test (where Enigmail showed me a blue bar) and let GnuPG verify
the saved file manually, it gave me the statistics. After downloading a
second file, where Enigmail correctly showed the blue bar again, I ran
the file through GnuPG and it gave "full" trust to the message. After that
I clicked again in Enigmail on the Usenet thread and voila, I had a green
bar. So that is the reason why I thought Enigmail would also give me a
green bar with the new trust model when checking list members'
messages here.

Regards
Stefan

And apologies for the multiple thread chaos!





Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-07 Thread Ludwig Hügelschäfer
Hi Stefan,

On 06.06.17 22:19, Stefan Claas wrote:
> On 06.06.17 20:46, Charlie Jonas wrote:
>> On 2017-06-06 19:12, Stefan Claas wrote:
>>> I tried also with Enigmail under OS X but when checking the
>>> signatures here from the list members I always get the blue
>>> "Untrusted Good Signature".
>> Yes I get this as well. Interestingly whatever trust level I give
>> keys, Enigmail on OSX seems to want to make the bar blue
>> regardless.
>> 
> Thanks for confirming. Hopefully Ludwig still follows this thread
> and can tell us why it's not working as expected.

It's working as expected. To get a green bar in Enigmails header
display, the key signing the message has to be at least fully valid. A
key gets valid if you either:

- sign it (whether local or exportable is not relevant)

or

- it is signed by
  - at least one key you have signed and you have put "full" ownertrust
on these
  - at least three other keys you have signed and you have put
"marginal" ownertrust on these

This is the behaviour of the "classic" or "PGP" trust model which is
the default in GnuPG. Enigmail only displays the result.

You may read more about this here:
https://enigmail.wiki/Key_Management#The_Web_of_Trust

There's a lot more information about the web of trust out in the web.

Disclaimer: Configuring GnuPG to use the TOFU trust model may change
this behaviour.

Ludwig

BTW: Could you please stop forwarding your replies to the list? Now
there are 6 threads titled "Question for app developers, like Enigmail
etc. - Identicons" on the list. Just click on "Reply to list" when
replying. Thanks.



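Ludwig's rules above (a key is valid if you signed it yourself, or if it carries a signature from at least one fully trusted valid key or from at least three marginally trusted valid keys) are easy to get wrong when several keys depend on each other, so here is an added example, not code from the thread or from GnuPG, that computes validity for a small constructed keyring under a simplified classic/PGP trust model. The threshold parameters default to GnuPG's documented defaults (`--completes-needed 1`, `--marginals-needed 3`, `--max-cert-depth 5`); signature expiry, revocation and per-user-ID validity are left out, and the key labels, class and function names are this example's own. It also shows the point Peter and Stefan discuss earlier in the thread: a key given ultimate ownertrust is valid with no certification at all, which is why Enigmail shows it green and why a trustdb an attacker can edit is already a lost position.

```python
from dataclasses import dataclass, field

# Ownertrust levels, named as GnuPG names them.
ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"


@dataclass
class Key:
    fpr: str                      # stand-in label for a fingerprint (constructed, not a real key)
    ownertrust: str = UNKNOWN     # how far you trust this key's owner to certify other keys
    certified_by: set = field(default_factory=set)   # labels of keys that signed this key


def compute_validity(keyring, completes_needed=1, marginals_needed=3, max_cert_depth=5):
    """Key validity under a simplified classic/PGP trust model (no expiry, revocation or
    per-user-ID validity). Parameter defaults follow GnuPG's --completes-needed,
    --marginals-needed and --max-cert-depth. Returns {fpr: ultimate|full|marginal|unknown}."""
    # Keys with ultimate ownertrust (normally your own) are valid by fiat, at depth 0.
    depth = {k.fpr: 0 for k in keyring.values() if k.ownertrust == ULTIMATE}
    validity = {fpr: (ULTIMATE if fpr in depth else UNKNOWN) for fpr in keyring}
    changed = True
    while changed:   # iterate to a fixpoint: validity propagates along trusted certifications
        changed = False
        for key in keyring.values():
            if key.fpr in depth:
                continue
            full_votes = marginal_votes = 0
            signer_depths = []
            for signer_fpr in key.certified_by:
                signer = keyring.get(signer_fpr)
                # A certification counts only if the signer is itself valid, within the depth
                # limit, and its owner has full/ultimate or marginal ownertrust from you.
                if signer is None or signer_fpr not in depth or depth[signer_fpr] >= max_cert_depth:
                    continue
                if signer.ownertrust in (ULTIMATE, FULL):
                    full_votes += 1
                elif signer.ownertrust == MARGINAL:
                    marginal_votes += 1
                else:
                    continue
                signer_depths.append(depth[signer_fpr])
            if full_votes >= completes_needed or marginal_votes >= marginals_needed:
                depth[key.fpr] = max(signer_depths) + 1   # conservative depth for the new key
                validity[key.fpr] = FULL
                changed = True
            elif full_votes or marginal_votes:
                validity[key.fpr] = MARGINAL   # some trusted certification, below the threshold
    return validity


def demo_keyring(fake_key_ownertrust=UNKNOWN):
    """Constructed keyring. 'me' is your own key; 'fake' is a key nobody certified, standing
    in for the key Stefan imagines an attacker dropping into the keyring."""
    keys = [
        Key("me", ULTIMATE),
        Key("alice", FULL, {"me"}),          # you signed alice and trust her fully as a certifier
        Key("bob", UNKNOWN, {"alice"}),      # one certification by a fully trusted valid key
        Key("carol", MARGINAL, {"me"}),
        Key("dave", MARGINAL, {"me"}),
        Key("erin", MARGINAL, {"me"}),
        Key("frank", UNKNOWN, {"carol", "dave", "erin"}),   # three marginally trusted certifiers
        Key("gina", UNKNOWN, {"carol"}),     # only one marginally trusted certifier
        Key("hank", UNKNOWN, {"bob"}),       # bob is valid, but you gave him no ownertrust
        Key("fake", fake_key_ownertrust),    # certified by nobody
    ]
    return {k.fpr: k for k in keys}
```

Running `compute_validity(demo_keyring())` gives `full` for alice, bob and frank, `marginal` for gina and `unknown` for hank and fake, which is exactly the green-versus-blue split Ludwig describes; `compute_validity(demo_keyring(fake_key_ownertrust=ULTIMATE))` turns fake into `ultimate` without anyone having signed it.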


Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-07 Thread Stefan Claas

On 07.06.2017 at 10:57, Peter Lebbing wrote:

> On 07/06/17 07:55, Stefan Claas wrote:
>
>> The procedure went like this: I inserted my id-card in a certified
>> card reader, which I purchased, started the German certified id-card
>> software "AusweisApp2" to connect to the CA server, and the server
>> checked my id-card online and after verification sent the signed
>> pub-key to my email address.
>
> What prevents someone else from doing this with your ID-card? For
> instance, someone with whom you live?



The ID-card is protected with a PIN which I have memorized.
But good that you bring this point up! Should my ID-card get
stolen, the thief can only try three times to guess the PIN.

Regards
Stefan




Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-07 Thread Peter Lebbing
On 07/06/17 07:55, Stefan Claas wrote:
> The procedure went like this: I inserted my id-card in a certified
> card reader, which I purchased, started the German certified id-card
> software "AusweisApp2" to connect to the CA server, and the server
> checked my id-card online and after verification sent the signed
> pub-key to my email address.

What prevents someone else from doing this with your ID-card? For
instance, someone with whom you live?

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-06 Thread Stefan Claas
On 07.06.17 00:04, MFPA wrote:

>
>
> On Tuesday 6 June 2017 at 5:07:18 PM, in
> , Stefan Claas
> wrote:-
>
>
> > Therefore qualified CA's
> > in my opinion are mandatory where each user in each
> > country [may] register
> > with his/her id-card so that it's guaranteed that
> > Alice is not Eve.
>
> Assuming the users trust both the CA and the entity that issued the
> id-card.
>
Well, that's debatable. As an example:

My old pub-key had a sig3 from a well-known German computer
magazine, which I believe a lot of people here in Germany would trust.
Their procedure was that you attend their booth at electronics fairs,
show up with your id-card and a filled-out form containing your data and
the pub-key data. They then carefully checked the filled-out form against
your id-card. So it's imo comparable with key signing parties you
attend. But who guarantees that an id-card is not fake with this
classical procedure?

My new pub-key bears a sig3 from a German CA which is run on
behalf of our interior ministry. People may not trust our government,
but the procedure by which the pub-key was verified* tells me that the
sig3 issued to that person is correct.

*Our new German id-card contains a chip, and when you look at it
I would say this sort of modern id-card cannot be faked.

The procedure went like this: I inserted my id-card in a certified
card reader, which I purchased, started the German certified id-card
software "AusweisApp2" to connect to the CA server, and the server
checked my id-card online and after verification sent the signed
pub-key to my email address. Can this procedure be faked by
criminals etc.? I doubt it.

Regards
Stefan
 






Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-06 Thread Stefan Claas
On 06.06.17 20:46, Charlie Jonas wrote:
> On 2017-06-06 19:12, Stefan Claas wrote:
>> I tried also with Enigmail under OS X but when checking the signatures here
>> from the list members I always get the blue "Untrusted Good Signature".
> Yes I get this as well. Interestingly whatever trust level I give keys,
> Enigmail on OSX seems to want to make the bar blue regardless.
>
Thanks for confirming. Hopefully Ludwig still follows this thread and
can tell us why it's not working as expected.

Regards
Stefan




Re: Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-06 Thread Charlie Jonas
On 2017-06-06 19:12, Stefan Claas wrote:
> I tried also with Enigmail under OS X but when checking the signatures here
> from the list members I always get the blue "Untrusted Good Signature".

Yes I get this as well. Interestingly whatever trust level I give keys,
Enigmail on OSX seems to want to make the bar blue regardless.

-- 
Charlie Jonas ch...@srcf.net



Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

2017-06-06 Thread Stefan Claas
On 06.06.17 12:46, Peter Lebbing wrote:

> On 06/06/17 05:30, Duane Whitty wrote:
>> As I understand the concept of TOFU (Trust On First Use), when you
>> receive a signed email gpg tests that signature against the key
>> retrieved from the public key servers associated with the email.

> TOFU is about *consistency*. It says: this e-mail is signed by the same
> key you've seen on all the earlier messages you received from this
> e-mail address. It keeps count, and alerts you when all of a sudden you
> start receiving signatures made by a different key.

Is TOFU verifying the email address from the From: header of the message
and then comparing it with the email address in the UID? I ask because,
if I would use a free-form UID with no email address, or I use an anon
remailer with a nym account, both email addresses are not identical.
>
> Note that it can also be combined with the Web of Trust. You could use
> TOFU just to track consistency and not award validity to keys, or you
> could use TOFU to award marginal validity and obtain the remaining
> validity from, e.g., marginally trusted Web of Trust signatures.
>
> But TOFU isn't for everyone, and neither is the Web of Trust. It's your
> call.
>
> By the way, it is my feeling Stefan Claas is looking for TOFU. The
> Identicon scheme feels like TOFU with the database on external storage,
> to wit, the user's brain :). Better to store that database on disk,
> IMHO. The (only) net loss is that there is no synchronization between
> different devices.

I just installed modern GnuPG and used it with two inline PGP messages from
Usenet and I like it. :-)
>
> My Enigmail works with TOFU, although I can't see any statistics. But it
> correctly awards a green bar with "Good signature" to my TOFU-verified keys.
>
I tried also with Enigmail under OS X but when checking the signatures here
from the list members I always get the blue "Untrusted Good Signature".

Regards
Stefan



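Peter's description of TOFU quoted above (it keeps count of which key has signed messages attributed to an address and alerts when a different key suddenly appears) is the consistency check the following added example implements. This is not code from the thread or from GnuPG; only the policy vocabulary (`auto`, `good`, `bad`, `ask`) follows GnuPG's TOFU naming, while the tracker, its verdict strings and the message stream are constructed for the demo. The address that each binding is keyed on is assumed to come from the signing key's user ID, as the quoted explanation describes; the example does not settle Stefan's question about the From: header.

```python
from dataclasses import dataclass, field

# Policy names follow GnuPG's TOFU vocabulary; everything else here is this example's own.


@dataclass
class Binding:
    email: str
    fpr: str
    policy: str = "auto"   # 'auto' until a conflict makes it 'ask' or the user decides good/bad
    verified: int = 0      # good signatures seen under this (email, key) pair


@dataclass
class TofuDB:
    bindings: dict = field(default_factory=dict)   # (email, fpr) -> Binding

    def record_good_signature(self, email: str, fpr: str) -> str:
        """Update the database after a cryptographically good signature by key `fpr`
        whose user ID carries `email`, and return a verdict for the UI to display."""
        key = (email, fpr)
        binding = self.bindings.get(key)
        # Other keys already on record for the same address.
        rivals = [b for (e, f), b in self.bindings.items() if e == email and f != fpr]
        if binding is None:
            binding = self.bindings[key] = Binding(email, fpr)
            verdict = "first-use"
            if rivals:
                # A new key for an address with history: both sides now need the user's decision.
                verdict = "conflict"
                for b in rivals + [binding]:
                    if b.policy == "auto":
                        b.policy = "ask"
        else:
            verdict = {"bad": "bad", "ask": "conflict"}.get(binding.policy, "consistent")
        binding.verified += 1
        return verdict

    def set_policy(self, email: str, fpr: str, policy: str) -> None:
        """Record the user's decision after a conflict: 'good' or 'bad'."""
        if policy not in ("good", "bad"):
            raise ValueError(policy)
        self.bindings[(email, fpr)].policy = policy

    def history(self, email: str) -> dict:
        """Fingerprint -> (policy, count) for every key ever seen for this address."""
        return {f: (b.policy, b.verified) for (e, f), b in self.bindings.items() if e == email}


def demo_tofu() -> list:
    """Constructed message stream: (email from the signing key's user ID, signing key label)."""
    db = TofuDB()
    alice = "alice@example.org"
    stream = [(alice, "KEY-A")] * 3 + [(alice, "KEY-X"), (alice, "KEY-A")]
    verdicts = [db.record_good_signature(e, f) for e, f in stream]
    # The user checks the fingerprints out of band, marks the newcomer bad and the
    # long-seen key good; later messages are then judged by that decision.
    db.set_policy(alice, "KEY-X", "bad")
    db.set_policy(alice, "KEY-A", "good")
    verdicts.append(db.record_good_signature(alice, "KEY-A"))
    verdicts.append(db.record_good_signature(alice, "KEY-X"))
    return verdicts
```

The sequence returned by `demo_tofu()` is `first-use, consistent, consistent, conflict, conflict, consistent, bad`: the fourth message, signed by a key never seen for that address, flips both keys into `ask` until the user decides, which is the alert Peter describes, and the decision is what finally separates the two keys. Note that a good signature is never a verdict on its own here; the model only says whether the key is the one this address has used before.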