Re: wanted: educate us please on key dongles

2017-09-22 Thread Christian Seiler
On 08/30/2017 01:52 PM, Christian Seiler wrote: > Am 2017-08-30 09:01, schrieb Marc Haber: >> And I hope that it's really hard to fuck up here and to send private >> keys to the keyserver. > > I don't think that's possible with GnuPG command line, as far as > I know GnuPG will only ever send

Re: [summary] Re: wanted: educate us please on key dongles

2017-09-09 Thread Charles Plessy
Le Sat, Sep 09, 2017 at 08:09:00PM +, Sotirios Vrachas a écrit : > > - https://wiki.debian.org/GnuPG/StubKe > This page does not exist. > Sorry, it was . Have a nice Sunday, -- Charles Plessy Tsurumi, Kanagawa, Japan

Re: [summary] Re: wanted: educate us please on key dongles

2017-09-09 Thread Sotirios Vrachas
> - https://wiki.debian.org/GnuPG/StubKe This page does not exist.

[summary] Re: wanted: educate us please on key dongles

2017-09-08 Thread Charles Plessy
Hello everybody, that thread was very interesting, and I tried to input in wiki.debian.org the information that seemed to not be covered yet. Most of the input went in two new pages: - https://wiki.debian.org/OfflineMasterKey - https://wiki.debian.org/GnuPG/StubKe I did my best to preserve

Re: wanted: educate us please on key dongles

2017-08-30 Thread Sean Whitton
Hello, On Wed, Aug 30 2017, Marc Haber wrote: > People keep mentioning to store the private key on a LUKS-encrypted > device. Why? Is the private key encryption that happens inside GnuPG > itself when you protect your private key with a passphrase not > sufficient? You can pass the --iter-time

Re: wanted: educate us please on key dongles

2017-08-30 Thread Alexander Zangerl
On Wed, 30 Aug 2017 10:09:38 +0100, Jonathan McDowell writes: >I think NIIBE was selling them for about €30 at DebConf, so that's a >reasonable mark up. He said Seeed are currently changing business model >to move away from low volume devices, but despite what their website >says they do still

Re: wanted: educate us please on key dongles

2017-08-30 Thread Ian Campbell
On Wed, 2017-08-30 at 12:50 +0200, Marc Haber wrote: > That's a point, but I cannot validate whether the free hardware > design running the free software crypto app isn't backdoored anyway due > to lack of knowledge and expertise. Some large fraction of the world could/would make the same

Re: wanted: educate us please on key dongles

2017-08-30 Thread Christian Seiler
Am 2017-08-30 14:45, schrieb Marc Haber: On Wed, Aug 30, 2017 at 01:52:54PM +0200, Christian Seiler wrote: Well, you could create a completely separate key pair (with a separate master key) for Debian purposes only. That would double the effort of obtaining signatures and also double the

Re: wanted: educate us please on key dongles

2017-08-30 Thread Marc Haber
Ian, thanks for your level-headed response and your solid reasoning. On Wed, Aug 30, 2017 at 12:10:34PM +0100, Ian Jackson wrote: > How far down the paranoia road you want to go is up to you, but buying > an open hardware / libre firmware security device, rather than a > proprietary one, has

Re: wanted: educate us please on key dongles

2017-08-30 Thread Marc Haber
On Wed, Aug 30, 2017 at 01:52:54PM +0200, Christian Seiler wrote: > Am 2017-08-30 09:01, schrieb Marc Haber: > > On Tue, Aug 29, 2017 at 04:07:45PM -0300, Henrique de Moraes Holschuh > > wrote: > > > The **public** portion of *every* key (master and all subkeys) go into > > > the public keyrings

Re: wanted: educate us please on key dongles

2017-08-30 Thread Teemu Likonen
Marc Haber [2017-08-30 09:01:09+02] wrote: > People keep mentioning to store the private key on a LUKS-encrypted > device. Why? Is the private key encryption that happens inside GnuPG > itself when you protect your private key with a passphrase not > sufficient? A strong passphrase for the key

Re: wanted: educate us please on key dongles

2017-08-30 Thread Christian Seiler
Am 2017-08-30 09:01, schrieb Marc Haber: On Tue, Aug 29, 2017 at 04:07:45PM -0300, Henrique de Moraes Holschuh wrote: The **public** portion of *every* key (master and all subkeys) go into the public keyrings and also in the Debian keyring. gnupg will handle this automatically if you use

Re: wanted: educate us please on key dongles

2017-08-30 Thread Marc Haber
I seem to have offended people by trying to make up my mind and introducing arguments into the discussion that might not be wanted. I can only lose by continuing this thread. No offense was ever intended, and neither was an attack. Greetings Marc --

Re: wanted: educate us please on key dongles

2017-08-30 Thread Jonathan McDowell
On Wed, Aug 30, 2017 at 12:50:53PM +0200, Marc Haber wrote: > On Wed, Aug 30, 2017 at 12:42:13PM +0200, Adam Borowski wrote: > > * with Yubikey 4 (suspected): they send the secret handshake, get a > > copy of the key, and you don't even know anything happened > > That's a point, but I cannot

Re: wanted: educate us please on key dongles

2017-08-30 Thread Ian Jackson
Marc Haber writes ("Re: wanted: educate us please on key dongles"): > That's a point, but I cannot validate whether the free hardware > design running the free software crypto app isn't backdoored anyway due > to lack of knowledge and expertise. You don't need to be able to val

Re: wanted: educate us please on key dongles

2017-08-30 Thread Marc Haber
On Wed, Aug 30, 2017 at 12:42:13PM +0200, Adam Borowski wrote: > On Wed, Aug 30, 2017 at 12:17:33PM +0200, Marc Haber wrote: > > On Wed, Aug 30, 2017 at 10:09:38AM +0100, Jonathan McDowell wrote: > > > The Start is based on the GnuK and I think should be upgradable to do 4K > > > keys. The Pro

Re: wanted: educate us please on key dongles

2017-08-30 Thread Adam Borowski
On Wed, Aug 30, 2017 at 12:17:33PM +0200, Marc Haber wrote: > On Wed, Aug 30, 2017 at 10:09:38AM +0100, Jonathan McDowell wrote: > > The Start is based on the GnuK and I think should be upgradable to do 4K > > keys. The Pro uses a non-free smartcard internally for the RSA > > operations. I believe

Re: wanted: educate us please on key dongles

2017-08-30 Thread Marc Haber
On Wed, Aug 30, 2017 at 10:09:38AM +0100, Jonathan McDowell wrote: > On Tue, Aug 29, 2017 at 07:34:35PM +0200, Marc Haber wrote: > > Their web page says that it will only support 2048 bit RSA keys, which is > > the limitation of most USB crypto tokens on the market today. The > > Nitrokey Pro will

Re: wanted: educate us please on key dongles

2017-08-30 Thread Jonathan McDowell
On Tue, Aug 29, 2017 at 07:34:35PM +0200, Marc Haber wrote: > On Fri, Aug 11, 2017 at 01:41:39PM +0100, Jonathan McDowell wrote: > > * GnuK: My favourite choice. It's slow with RSA4096, but does > > support it. The hardware is open. The software is open (you can > > compile and

Re: wanted: educate us please on key dongles

2017-08-30 Thread Marc Haber
On Tue, Aug 29, 2017 at 04:07:45PM -0300, Henrique de Moraes Holschuh wrote: > On Tue, 29 Aug 2017, Marc Haber wrote: > > - Which key goes on the paper slab that everybody uses to collect > > signatures? The certification only master key? > > The main key fingerprint. Which happens to be the

Re: wanted: educate us please on key dongles

2017-08-29 Thread Henrique de Moraes Holschuh
On Tue, 29 Aug 2017, Marc Haber wrote: > - Which key goes on the paper slab that everybody uses to collect > signatures? The certification only master key? The main key fingerprint. Which happens to be the certification master key in gnupg, yes. > - For which (set of) keys should I have

Re: wanted: educate us please on key dongles

2017-08-29 Thread Marc Haber
On Fri, Aug 11, 2017 at 01:41:39PM +0100, Jonathan McDowell wrote: > * If you don't want to buy hardware, use an offline master key. Create > a certification only master key using something like PGP Clean Room > on a non-networked host, and store that on a USB key you only ever put >

Re: wanted: educate us please on key dongles

2017-08-29 Thread Christian Seiler
On 08/29/2017 07:34 PM, Marc Haber wrote: > On Fri, Aug 11, 2017 at 01:41:39PM +0100, Jonathan McDowell wrote: >> * Yubikey. I'm not sure about this; it's entirely closed these days >> I believe. However they're easily available and I understand >> they're pretty robust in terms of

Re: wanted: educate us please on key dongles

2017-08-29 Thread Marc Haber
On Fri, Aug 11, 2017 at 01:41:39PM +0100, Jonathan McDowell wrote: > * GnuK: My favourite choice. It's slow with RSA4096, but does > support it. The hardware is open. The software is open (you can > compile and flash it using tools available in main). Upstream is > responsive

Re: wanted: educate us please on key dongles

2017-08-11 Thread Jonathan McDowell
On Fri, Aug 11, 2017 at 04:52:36PM -0300, Henrique de Moraes Holschuh wrote: > On Fri, 11 Aug 2017, Jonathan McDowell wrote: > > I see no reason why the master key should ever be used for > > signatures in such a scenario, so it seems sensible to indicate that > > it is purely for certification. >

Re: wanted: educate us please on key dongles

2017-08-11 Thread Henrique de Moraes Holschuh
On Fri, 11 Aug 2017, Jonathan McDowell wrote: > On Fri, Aug 11, 2017 at 10:08:16AM -0700, Sean Whitton wrote: > > On Fri, Aug 11 2017, Jonathan McDowell wrote: > > > * If you don't want to buy hardware, use an offline master > > > key. Create > > > a certification only master key using

Re: wanted: educate us please on key dongles

2017-08-11 Thread Christian Seiler
Hi there, On 08/11/2017 07:29 PM, Sean Whitton wrote: > On Fri, Aug 11 2017, Christian Seiler wrote: > >> - on the computers I use daily the filesystem doesn't contain any >> private keys, but only stubs for the subkeys so that GnuPG >> automatically tells me to insert the key > > I

Re: wanted: educate us please on key dongles

2017-08-11 Thread Sean Whitton
On Fri, Aug 11 2017, Christian Seiler wrote: > - on the computers I use daily the filesystem doesn't contain any > private keys, but only stubs for the subkeys so that GnuPG > automatically tells me to insert the key I think I know what you mean by "stub", but what gpg command

Re: wanted: educate us please on key dongles

2017-08-11 Thread Jonathan McDowell
On Fri, Aug 11, 2017 at 10:08:16AM -0700, Sean Whitton wrote: > Thank you for the explanation. > > On Fri, Aug 11 2017, Jonathan McDowell wrote: > > > * If you don't want to buy hardware, use an offline master > > key. Create > > a certification only master key using something like PGP

Re: wanted: educate us please on key dongles

2017-08-11 Thread Sean Whitton
Hello, Thank you for the explanation. On Fri, Aug 11 2017, Jonathan McDowell wrote: > * If you don't want to buy hardware, use an offline master > key. Create > a certification only master key using something like PGP Clean Room > on a non-networked host [...] By default, GnuPG creates

Re: wanted: educate us please on key dongles

2017-08-11 Thread Christian Seiler
Hi, Am 2017-08-11 14:41, schrieb Jonathan McDowell: * Yubikey. I'm not sure about this; it's entirely closed these days I believe. However they're easily available and I understand they're pretty robust in terms of living on a keyring all the time. I bought a YubiKey 4 a

Re: wanted: educate us please on key dongles

2017-08-11 Thread Jonathan McDowell
On Wed, Aug 02, 2017 at 10:16:29PM +0200, Adam Borowski wrote: > It would be nice if someone knowledgeable could educate the rest of us > about physical key dongles -- a number of DDs/DMs/contributors still > keep their secret keys on a regular disk, and could use a primer. Me > included. I do

Re: wanted: educate us please on key dongles

2017-08-03 Thread Daniel Pocock
On 02/08/17 21:16, Adam Borowski wrote: > Hi! > Continuing from IRC: > It would be nice if someone knowledgeable could educate the rest of us about > physical key dongles -- a number of DDs/DMs/contributors still keep their > secret keys on a regular disk, and could use a primer. Me included. I

Re: wanted: educate us please on key dongles

2017-08-03 Thread Wouter Verhelst
On Thu, Aug 03, 2017 at 11:19:25AM +0200, Wouter Verhelst wrote: > Having said all that, I'll repeat what I said on the gnupg-users > mailinglist a while back[1]: [...] > [1] That should have said https://lists.gnupg.org/pipermail/gnupg-users/2017-April/058035.html Having said all that, I'd be

Re: wanted: educate us please on key dongles

2017-08-03 Thread Wouter Verhelst
On Wed, Aug 02, 2017 at 10:16:29PM +0200, Adam Borowski wrote: > Hi! > Continuing from IRC: > It would be nice if someone knowledgeable could educate the rest of us about > physical key dongles -- a number of DDs/DMs/contributors still keep their > secret keys on a regular disk, and could use a

Re: wanted: educate us please on key dongles

2017-08-02 Thread Jonas Smedegaard
Quoting Adam Borowski (2017-08-02 16:16:29) > There are docs available on the interwebs, but: > 21:22 < lamby> The concept of following random docs/commands on the web in > order to get a "super secure" key makes me smie :) Ah - enlightening: I always wondered what a smiey looked

Re: wanted: educate us please on key dongles

2017-08-02 Thread Zlatan Todoric
On 08/02/2017 10:16 PM, Adam Borowski wrote: Hi! Continuing from IRC: It would be nice if someone knowledgeable could educate the rest of us about physical key dongles -- a number of DDs/DMs/contributors still keep their secret keys on a regular disk, and could use a primer. Me included. I

wanted: educate us please on key dongles

2017-08-02 Thread Adam Borowski
Hi! Continuing from IRC: It would be nice if someone knowledgeable could educate the rest of us about physical key dongles -- a number of DDs/DMs/contributors still keep their secret keys on a regular disk, and could use a primer. Me included. I do have a backup key with plenty of sigs that's