Re: Which release should we be using?
On Fri, Aug 26, 2011 at 01:41:41PM -0700, Doug Barton wrote:
> Actually I think https://www.xkcd.com/936/ says it better. :)

Yep, I was just going to comment that it's obvious that Randall Munroe
reads this list :)

> On 08/26/2011 11:08, David Tomaschik wrote:
> > On Fri, Aug 26, 2011 at 12:31 PM, Faramir wrote:
> >> On 26-08-2011 12:35, Aaron Toponce wrote:
> >> ...
> >>> Also, 62-character passphrase might be a bit extreme, giving you a
> >>> false-sense of security. Using a truly random sequence of characters
> >>> from the 94-printable ASCII pool of characters, a 12-character
> >>> passphrase provides you with about 78-bits of entropy. If you think
> >>
> >> According to keepass strength measurer, you can get more than 128 bits
> >> with just 30 characters (including some symbols of course).
> >>
> >> Usually we want strong passphrases to keep things safe while stored on
> >> not-so-safe places, like attached to an email message on a mail server.
> >>
> >> Best Regards
> >
> > I really like KeePass, but the strength measure it provides is nearly
> > meaningless. It assumes 8 bits of entropy per symbol, which is, as
> > Aaron pointed out, wrong. Suggested readings:
> > https://secure.wikimedia.org/wikipedia/en/wiki/Entropy_%28information_theory%29,
> > https://secure.wikimedia.org/wikipedia/en/wiki/Password_strength and
> > NIST publication 800-63.

G'luck,
Peter

--
Peter Pentchev  r...@ringlet.net  r...@freebsd.org  pe...@packetscale.com
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
I had to translate this sentence into English because I could not read the original Sanskrit.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Which release should we be using?
Actually Anthony, you are correct. It can't be defeated, or at least as
far as I know. What I was suggesting was to move the vulnerable part
(bootloader and kernel) of the system off to a portable storage device,
so it would be easier to keep an eye on. You can just bring it with you
wherever you go. Obviously if somebody gets the storage device that
contains the unencrypted bootloader and kernel, they can modify it. It's
just much easier to bring a tiny flash drive with you compared to a
15.4" laptop. Check out the USB flash drives made by Ironkey, you could
even take those in the shower with you! ;)

Hope that clears it up,

David Manouchehri

On 8/26/2011 5:00 PM, Anthony Papillion wrote:
>
> On 8/26/2011 3:53 PM, David Manouchehri wrote:
>
> > The Evil Maid attack can't really be defeated, but what you can do to
> > help prevent it is encrypt everything, including your /boot. Then,
> > start up from a flash drive that contains a LiveUSB with kexec and
> > whatever encryption program you used; after that you can load the "real"
> > kernel with kexec. Of course, if somebody gets that flash drive it's
> > still the same thing.
>
> Interesting. From what I read on Schneier's blog and a few other places
> at the time, it seemed like a pretty decent attack and it didn't look
> like it could be defeated since it was a system attack rather than a
> direct attack on the cryptography itself. Of course, we have to look at
> risk too: how likely are most of us to have agents sneaking into our
> house to secretly install software? Some of us might be pretty likely
> though.
>
> So an Evil Maid attack is even possible if your entire hard disk is
> encrypted using TrueCrypt isn't it since the bootloader is still exposed
> on an unprotected part of the volume. I see Schneier suggests using a
> trusted computing model but then that's easy to defeat if they have
> physical access to your machine.
>
> So, ultimately, the only real way to protect from it is the method
> you're describing. And, since it's much easier to protect a flash drive
> than an entire computer, it's almost infallible.
>
> Thanks for the info!
>
> Anthony
Re: Which release should we be using?
On 08/26/2011 16:45, Peter Pentchev wrote:
> On Fri, Aug 26, 2011 at 01:41:41PM -0700, Doug Barton wrote:
>> Actually I think https://www.xkcd.com/936/ says it better. :)
>
> Yep, I was just going to comment that it's obvious that Randall Munroe
> reads this list :)

Well, like most of us I'm sure, I'm a big fan. So I would be thrilled to
know that my post about that was the germ of an idea for him. OTOH that
link was around for quite a while before I posted it here, so I'm
perfectly satisfied chalking it up to GMTA.

Doug

PS, Randall if you *are* lurking here, congratulations to you and yours
re https://www.xkcd.com/943/ :)

--
Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
Re: Which release should we be using?
On 26-08-2011 15:08, David Tomaschik wrote:
> On Fri, Aug 26, 2011 at 12:31 PM, Faramir wrote:
>> According to keepass strength measurer, you can get more than 128
>> bits with just 30 characters (including some symbols of course).
...
> I really like KeePass, but the strength measure it provides is
> nearly meaningless. It assumes 8 bits of entropy per symbol, which
> is, as Aaron pointed out, wrong. Suggested readings:

Maybe in the past it did that, but this version assigns different values
to different symbols. I just tried it, and from a to z, it gives 5 bits
for each symbol, but ñ gives 7 bits. / gives 4, = gives 5, ! gives 4
bits. But, while a = 5 bits, and ! = 4 bits, a! = 11 bits. I don't know
how it does the calculations, but clearly it has become a lot more
complex (which doesn't mean it has become more accurate). Another check:
qwerty = 4 bits, but qytrwe = 29 bits. Unfortunately, I couldn't find
any detail about the algorithm used to measure the password quality.
Anyway, probably some quality checking is better than not checking at
all, even if the calculated bits are wrong.

Best Regards
Re: Which release should we be using?
On 26/08/11 21:07, Anthony Papillion wrote:
>> Oh, you can own an encrypted filesystem, even if the box is down. The
>> Evil Maid attack makes this trivial. And it doesn't matter the
>> encryption software used either.
>
> I read about this attack a few years ago on Bruce Schneier's blog. It
> scared the crap out of me then and it still worries me quite a bit. Of
> course, it's just a variant of what we've been telling people forever
> now: if the system is compromised, encryption is useless. Still, it's
> pretty scary stuff.

I've taken a number of steps to make evil maid and cold boot style
attacks against my new laptop much more difficult. It's funny this
should come up just now, because I wrote it up earlier today. It's the
latest article on my blog (first url in my sig).

But yeah, if an attacker gets physical access to your machine, and
they're determined enough, they can probably get in.

--
Mike Cardwell  https://grepular.com/  https://twitter.com/mickeyc
Professional  http://cardwellit.com/  http://linkedin.com/in/mikecardwell
PGP.mit.edu 0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
Re: Which release should we be using?
On 8/26/2011 10:25 AM, Aaron Toponce wrote:
>
> Oh, you can own an encrypted filesystem, even if the box is down. The
> Evil Maid attack makes this trivial. And it doesn't matter the
> encryption software used either.

I read about this attack a few years ago on Bruce Schneier's blog. It
scared the crap out of me then and it still worries me quite a bit. Of
course, it's just a variant of what we've been telling people forever
now: if the system is compromised, encryption is useless. Still, it's
pretty scary stuff.

Anthony
Re: Which release should we be using?
Actually I think https://www.xkcd.com/936/ says it better. :)

On 08/26/2011 11:08, David Tomaschik wrote:
> On Fri, Aug 26, 2011 at 12:31 PM, Faramir wrote:
>> On 26-08-2011 12:35, Aaron Toponce wrote:
>> ...
>>> Also, 62-character passphrase might be a bit extreme, giving you a
>>> false-sense of security. Using a truly random sequence of characters
>>> from the 94-printable ASCII pool of characters, a 12-character
>>> passphrase provides you with about 78-bits of entropy. If you think
>>
>> According to keepass strength measurer, you can get more than 128 bits
>> with just 30 characters (including some symbols of course).
>>
>> Usually we want strong passphrases to keep things safe while stored on
>> not-so-safe places, like attached to an email message on a mail server.
>>
>> Best Regards
>
> I really like KeePass, but the strength measure it provides is nearly
> meaningless. It assumes 8 bits of entropy per symbol, which is, as
> Aaron pointed out, wrong. Suggested readings:
> https://secure.wikimedia.org/wikipedia/en/wiki/Entropy_%28information_theory%29,
> https://secure.wikimedia.org/wikipedia/en/wiki/Password_strength and
> NIST publication 800-63.
>

--
Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
Re: Which release should we be using?
On Fri, Aug 26, 2011 at 12:31 PM, Faramir wrote:
> On 26-08-2011 12:35, Aaron Toponce wrote:
> ...
>> Also, 62-character passphrase might be a bit extreme, giving you a
>> false-sense of security. Using a truly random sequence of characters
>> from the 94-printable ASCII pool of characters, a 12-character
>> passphrase provides you with about 78-bits of entropy. If you think
>
> According to keepass strength measurer, you can get more than 128 bits
> with just 30 characters (including some symbols of course).
>
> Usually we want strong passphrases to keep things safe while stored on
> not-so-safe places, like attached to an email message on a mail server.
>
> Best Regards

I really like KeePass, but the strength measure it provides is nearly
meaningless. It assumes 8 bits of entropy per symbol, which is, as
Aaron pointed out, wrong. Suggested readings:
https://secure.wikimedia.org/wikipedia/en/wiki/Entropy_%28information_theory%29,
https://secure.wikimedia.org/wikipedia/en/wiki/Password_strength and
NIST publication 800-63.

--
David Tomaschik, RHCE, LPIC-1
System Administrator/Open Source Advocate
OpenPGP: 0x5DEA789B
http://systemoverlord.com
da...@systemoverlord.com
Re: Which release should we be using?
On 26-08-2011 12:35, Aaron Toponce wrote:
...
> Also, 62-character passphrase might be a bit extreme, giving you a
> false-sense of security. Using a truly random sequence of characters
> from the 94-printable ASCII pool of characters, a 12-character
> passphrase provides you with about 78-bits of entropy. If you think

According to keepass strength measurer, you can get more than 128 bits
with just 30 characters (including some symbols of course).

Usually we want strong passphrases to keep things safe while stored on
not-so-safe places, like attached to an email message on a mail server.

Best Regards
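An added worked example of the entropy arithmetic argued over in this part of the thread (Aaron's 78-bit figure for 12 random printable-ASCII characters, the flat "8 bits per symbol" score David attributes to KeePass, the per-class numbers Faramir reports, and the xkcd 936 word list); it is not code from the thread or from KeePass. The word-list size, the common-password list, the guess rate and the class-based heuristic are assumptions of this example, not KeePass's undocumented algorithm.

```python
"""Passphrase entropy models from the thread: uniform random selection
(Aaron's 94-character ASCII pool, the xkcd 936 word list), the flat
"8 bits per symbol" score the thread criticises, and a class-based
heuristic of the kind a strength meter must fall back on when it does
not know how the string was generated. All list sizes and rates are
assumptions constructed for this example."""
import math
import string

# 94 = string.printable minus its 6 whitespace characters.
PRINTABLE_ASCII = len(string.printable) - len(string.whitespace)
XKCD_WORDLIST = 2048  # assumed 2^11-word list, as in xkcd 936
# Constructed stand-in for a real common-password list.
COMMON_PASSWORDS = ("password", "123456", "qwerty", "letmein")
CHARACTER_CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
)


def uniform_entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` symbols each drawn uniformly and independently
    from `pool_size` candidates: length * log2(pool_size). Only here is
    the bit count a property of the generation process rather than a
    guess about the finished string."""
    if pool_size < 2 or length < 1:
        return 0.0
    return length * math.log2(pool_size)


def length_for_target_bits(pool_size: int, target_bits: float) -> int:
    """Smallest uniformly random length that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(pool_size))


def flat_per_symbol_bits(passphrase: str, bits_per_symbol: float = 8.0) -> float:
    """The flat score David describes: every symbol counts the same, so
    "aaaaaaaa" rates as highly as eight random bytes."""
    return len(passphrase) * bits_per_symbol


def observed_pool_size(passphrase: str) -> int:
    """Pool a meter can only infer from the string: the summed sizes of the
    character classes that appear. Characters outside printable ASCII are
    counted one by one (a conservative assumption of this example)."""
    pool = 0
    for members, size in CHARACTER_CLASSES:
        if any(c in members for c in passphrase):
            pool += size
    known = "".join(members for members, _ in CHARACTER_CLASSES)
    pool += len({c for c in passphrase if c not in known})
    return pool


def meter_estimate_bits(passphrase: str) -> float:
    """What a meter can say without knowing the process: the weakest model
    that explains the string. A listed password is worth log2(list size)
    however many character classes it mixes."""
    if passphrase in COMMON_PASSWORDS:
        return math.log2(len(COMMON_PASSWORDS))
    return uniform_entropy_bits(observed_pool_size(passphrase), len(passphrase))


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected search time: on average half the keyspace is tried."""
    return 2 ** (bits - 1) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    RATE = 1e10  # assumed offline guess rate, guesses per second
    print(f"12 random printable ASCII: {uniform_entropy_bits(PRINTABLE_ASCII, 12):.1f} bits")
    print(f"characters needed for 128 bits: {length_for_target_bits(PRINTABLE_ASCII, 128)}")
    print(f"4 random words from {XKCD_WORDLIST}: {uniform_entropy_bits(XKCD_WORDLIST, 4):.1f} bits")
    for pw in ("qwerty", "qytrwe", "a!"):
        print(f"{pw!r}: flat {flat_per_symbol_bits(pw):.0f} bits, meter {meter_estimate_bits(pw):.1f} bits")
    print(f"78 bits at {RATE:.0e} guesses/s: about {years_to_crack(78, RATE):,.0f} years")
```

The uniform model reproduces Aaron's figure (12 characters from 94 give about 78.7 bits) and shows that 20 such characters already exceed 128 bits; the class heuristic gives "qwerty" far less than the anagram "qytrwe", which is the kind of distinction Faramir observed and a flat per-symbol score cannot make.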
Re: Re: Which release should we be using?
> > My passphrases are
> > stored in a Keepass database that resides in a TrueCrypt container. It's
> > protected well. My actual key is protected by a 62 character passphrase
> One could argue that this is equivalent to having a passphrase-less
> keyring within the Truecrypt container.

Keepass is also (usually) protected. I think you could choose not to
encrypt it but what would be the point?

> To take Keepass's additional encryption into account, the key within the
> container could have the Keepass-passphrase.

What do you mean?
Re: Re: Which release should we be using?
Hi!

At 20:59, Anthony Papillion wrote:
> My passphrases are
> stored in a Keepass database that resides in a TrueCrypt container. It's
> protected well. My actual key is protected by a 62 character passphrase

One could argue that this is equivalent to having a passphrase-less
keyring within the Truecrypt container.

To take Keepass's additional encryption into account, the key within the
container could have the Keepass-passphrase.

cu, Sven
Re: Which release should we be using?
On 08/23/2011 02:04 AM, Werner Koch wrote:
> On Tue, 23 Aug 2011 03:47, papill...@gmail.com said:
>
> Spying on X windows is pretty easy and thus Pinentry tries to make it
> harder.

Werner,

Since I've never used Pinentry, I'm obviously missing something here.
While I'm aware that spying on X-Window is not too complicated, how does
manually entering a passphrase into Pinentry make snooping harder?
Admittedly, I've never looked at the code so I probably don't know the
whole story. Is entry into Pinentry vulnerable to traditional
keylogging?

Anthony
Re: Which release should we be using?
On Tue, 23 Aug 2011 03:47, papill...@gmail.com said:

> stored in a Keepass database that resides in a TrueCrypt container. It's
> protected well. My actual key is protected by a 62 character passphrase

... as long as the box is powered down. Hard disk encryption does not
help if the box is up and you are attacked by malware.

> that I'd like to cut and paste into GPG. Considering all of that, I
> think it's a bit extreme to say cutting and pasting a passphrase from

Spying on X windows is pretty easy and thus Pinentry tries to make it
harder. If you store your passphrase elsewhere; feed it directly to
gpg-agent (gpg-preset-passphrase or a custom pinentry) without that
manual c+p.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: Which release should we be using?
On 08/22/2011 07:01 AM, Werner Koch wrote:
> On Mon, 22 Aug 2011 10:29, papill...@gmail.com said:
>
>> because I don't like having to use pinentry since it doesn't support cut
>> and paste. My questions are these:
>
> That is on purpose. If you have your passphrase on file for c+p you may
> as well use no passphrase at all. gpg-agent caches your passphrase; set
> the caching time to whatever you l; this is far safer than to use c+p.

Hi Werner,

I'm not sure I can see how being able to cut and paste a passphrase is
in any way like not having a passphrase at all. My passphrases are
stored in a Keepass database that resides in a TrueCrypt container. It's
protected well. My actual key is protected by a 62 character passphrase
that I'd like to cut and paste into GPG. Considering all of that, I
think it's a bit extreme to say cutting and pasting a passphrase from
two heavily encrypted containers is such that you may as well not have a
passphrase at all.

Still, thanks for your input. I suppose I could always implement c+p in
my version of pinentry or I'll just stick with 1.4.x for a while.

Thanks!

Anthony
Re: Which release should we be using?
On Mon, 22 Aug 2011 16:25, w...@gnupg.org said:

> Anyway, if you want to enable cut+paste just go ahead and implement it
> in a pinentry version (to be exact, disable the secure text entry
> widget). Please don't ask me to do that: I consider it as false

However if people here think that such a pinentry version is useful, I
see no problem to put it as an additional pinentry into the standard
pinentry package. Make sure to build it similar to the other ones.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: Which release should we be using?
On 22/08/11 15:25, Werner Koch wrote:
> BTW, pinentry is a separate package from GnuPG and easy to hack.

On this note, if anybody is interested, I recently wrote a pinentry
wrapper for password protecting a smartcard pin:

https://grepular.com/Protecting_PGP_Smartcards_from_Observation_Attacks

It's open source, and written in Perl, so it might be a good starting
point for people who want to hack similar things together.

--
Mike Cardwell  https://grepular.com/  https://twitter.com/mickeyc
Professional  http://cardwellit.com/  http://linkedin.com/in/mikecardwell
PGP.mit.edu 0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
Re: Which release should we be using?
On Mon, 22 Aug 2011 15:27, dpmc...@gmail.com said:

> extremely shortsighted. Any password management program like Keepass
> makes transfer via the clipboard easy and relatively safe (clearing it
> after 10 seconds), so that doesn't sound like the safety of "no
> passphrase at all".

You may not understand for what the passphrase in GPG is used: It is a
fail-stop mechanism to mitigate the compromise of a secret key. In that
it is similar to the master passphrases of all these password managers.

Anyway, if you want to enable cut+paste just go ahead and implement it
in a pinentry version (to be exact, disable the secure text entry
widget). Please don't ask me to do that: I consider it as false
security.

BTW, pinentry is a separate package from GnuPG and easy to hack.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: Which release should we be using?
On Mon, Aug 22, 2011 at 7:01 AM, Werner Koch wrote:
> On Mon, 22 Aug 2011 10:29, papill...@gmail.com said:
>
>> because I don't like having to use pinentry since it doesn't support cut
>> and paste. My questions are these:
>
> That is on purpose. If you have your passphrase on file for c+p you may
> as well use no passphrase at all. gpg-agent caches your passphrase; set
> the caching time to whatever you l; this is far safer than to use c+p.

So you're enforcing policy via disabling copy and paste? This is
extremely shortsighted. Any password management program like Keepass
makes transfer via the clipboard easy and relatively safe (clearing it
after 10 seconds), so that doesn't sound like the safety of "no
passphrase at all".

-Dan
Re: Which release should we be using?
On Mon, 22 Aug 2011 10:29, papill...@gmail.com said:

> because I don't like having to use pinentry since it doesn't support cut
> and paste. My questions are these:

That is on purpose. If you have your passphrase on file for c+p you may
as well use no passphrase at all. gpg-agent caches your passphrase; set
the caching time to whatever you l; this is far safer than to use c+p.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Which release should we be using?
So I'm currently running 1.4.10 for GNU/Linux even though I know that
2.0 has been out for a while. I chose to stick with 1.4.10 and 1.4.11
because I don't like having to use pinentry since it doesn't support cut
and paste. My questions are these:

1) Is there any real reason why I *shouldn't* be using the 1.4.x branch
of GPG? and

2) If I should be using 2.0, is there a way to disable pinentry so gpg
can work the way the 1.4.x releases do?

Thanks!

Anthony