* Robert Holtzman [111018 21:43,
mID <20111018185035.gb4...@cox.net>]:
> The greatest hindrance to widespread adoption is the phrase I often
> hear..."I've got nothing to hide" It drives me up a wall.
+1
Martin
smime.p7s
Description: S/MIME cryptographic signature
_
On Mon, Oct 17, 2011 at 05:50:42PM -0600, Aaron Toponce wrote:
.snip..
>
> At any rate, I would love to see more client-to-client encryption in email.
> I've always wondered if there could be an "OTR" approach to mail, somehow,
> so people don't need to generate and manag
On 10/17/2011 4:49 PM, David Tomaschik wrote:
I like GnuPG as much as the next guy around here, but is there a
reason you want to use GPG instead of a tool designed for disk
encryption? TrueCrypt is cross-platform and works well... if you're
Windows-only, there's BitLocker, and for Linux there's
This works, thank you :)
On 10/17/2011 4:09 PM, Hauke Laging wrote:
Am Montag, 17. Oktober 2011, 13:51:03 schrieb sweepslate:
The end goal is to encrypt a volume of around 100GB of personal files
that I'll be carrying arround with me in a portable drive.
The key point is doing the encryption
On 10/17/11 5:18 PM, takethe...@gmx.de wrote:
> Hi everybody,
>
> what is the best way to protect
> your private key from getting stolen?
Page 29 (http://www.gnupg.org/gph/en/manual.html#AEN513) of the Gnu
Privacy Handbook (http://www.gnupg.org/gph/en/manual.html)recommends a
strong passphrase t
On Tue, 18 Oct 2011 16:35, jer...@jeromebaum.com said:
> operations will be the most important part to making that work, and the
> ISPs don't have to help out there (modulo webmail which isn't even
> end-point).
Even webmail. It is easy to write a browser extension to do the crypto
stuff. Insta
On 10/18/2011 11:58 AM, Werner Koch wrote:
> We did this for about 15 years - without any success. If you look
> at some of the studies you will see that you can't teach that stuff
> to non-techies - sometimes not even to engineers.
As a data point from 2005:
I was teaching computer literacy at
> Even webmail. It is easy to write a browser extension to do the crypto
> stuff. Installing browser extensions is even easier than installing
> most other software.
I'd make it a point of discussion whether it's still webmail proper then.
But you could also use Javascript, Java or Flash, so ye
On Tue, 18 Oct 2011 15:42, mw...@iupui.edu said:
> To be secure without being involved in the process is an unreasonable
> expectation which can never be met. We need to teach our kids to
> expect to protect themselves online the same way we teach them to look
We did this for about 15 years - wi
On Tue, 18 Oct 2011 16:30, pe...@digitalbrains.com said:
> Because it is the e-mail address of the recipient you look up; that's all the
> data you have in this scenario. Thus, for me you would look up a key
> corresponding to user peter at the domain digitalbrains.com. The only logical
Right. T
> I was pleased to see room for different classes of users in the STEED
> paper. When I encounter software that tries to be helpful, my own
> first thought is: how do I turn that off? But I recognized long ago
> that I was never a "typical" user and my own inclinations are no guide
> to populari
On Tue, 18 Oct 2011 15:19, r...@sixdemonbag.org said:
> Arguably we should be using 'certificate' to describe keys, but
We tried that in the Gpg4win manuals. However it turned out that this
term as other problems when used with OpenPGP keys (ah well, keyblocks).
> honestly, that's a losing batt
On Tue, Oct 18, 2011 at 04:23:42PM +0200, Jerome Baum wrote:
[snip]
> While we're discussing the STEED proposal in the other thread, do you
> think it's better to educate your users and risk loosing them or do you
> think it's better to provide "sensible" defaults for the "average"
> threat model a
> I don't see why the ISP has to be the entity providing DNS lookup.
> The one I use won't even allocate me a static address, let alone
> accept RRs from me to serve out to others. I'm not sure I'd trust
> them to get it right and *keep* it right anyway.
I should clarify. An email provider is als
> ... We can remove *needless* complexity, but security could be said
> to be the art of *introducing* specific complexity that's a lot worse
> for the attacker than it is for you. It can't be automagical.
>
> Anyway, key generation is already automated. All you have to do is
> (1) choose to em
On Tue, 18 Oct 2011 15:30, jer...@jeromebaum.com said:
> In fact to my knowledge outside of webmail and inside "private email"
> (so drop companies, universities, schools) it's usual to configure your
> own MUA, with the help of instructions from your ISP.
Well, so we need to convince them to cha
>> In fact to my knowledge outside of webmail and inside "private email"
>> (so drop companies, universities, schools) it's usual to configure your
>> own MUA, with the help of instructions from your ISP.
>
> Well, so we need to convince them to change those instructions.
Yes and this is what I s
On 18/10/11 16:00, Mark H. Wood wrote:
> I don't see why the ISP has to be the entity providing DNS lookup.
Because it is the e-mail address of the recipient you look up; that's all the
data you have in this scenario. Thus, for me you would look up a key
corresponding to user peter at the domain d
On Tue, 18 Oct 2011 15:05, r...@sixdemonbag.org said:
> No, it's still a single file ("pubring.gpg", for instance, is the public
> keyring). I just can't promise that it's still a raw stream of RFC4880
> octets.
It still is for the public keys.
2.1 changes the format of the secring (well, dropp
> Just wondering if anyone knows of any scripts for collecting keys into
> a keyring prior to a key signing party (i.e., for people who intend to
> participate to submit their keys)?
Can't give software names but look at what the open-source conferences
use. Debian should have some tools to show a
On 10/18/2011 8:53 AM, takethe...@gmx.de wrote:
> I read a smartcard is simply a chip card. Why is it save, what's a
> PIN?
PIN: Personal Identification Number.
The idea is the secret key material is stored on the card, not on the
PC. The secret key material is located in write-only memory: f
> Right, that's a good point I think we all considered "trivial" when
> maybe we shouldn't have. In your threat model you should determine for
> how long your data should be safe (per attacker type) before you go
> ahead and make decisions about key protection.
To clarify, this is what we should t
> Well, not quite. Eventually you would get it. The task of security
> systems is to make "eventually" be longer than:
>
> o the payoff is worth; or
> o the time it takes to be discovered; or
> o the time it takes for the secured object to lose its value.
>
> Statistically, that is. You cou
Hullo,
Just wondering if anyone knows of any scripts for collecting keys into
a keyring prior to a key signing party (i.e., for people who intend to
participate to submit their keys)?
Regards,
Fraser
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
> (a) is true, but it doesn't lead anywhere useful. That makes it
> trivial.
Seems like you keep asserting Jerome posed (a) as something insightful. I don't
remember someone other than you posing (a) at all.
I really see no point in keeping on telling people they said something different
than wh
On 2011-10-18 16:06, takethe...@gmx.de wrote:
> Thanks to everyone for the helpful answers. Maybe I'll buy a
> smartcard, it seems more convinient than rebooting for every email.
What country are you in? For Germany, kernelconcepts sells the OpenPGP
card v2 and cryptoshop sells a very basic USB ca
On Tue, Oct 18, 2011 at 02:10:07PM +0200, Jerome Baum wrote:
> >> I'm going to lean very far out the window and assume he meant the actual
> >> private key, not the private key-ring/-file/...
> >
> > I'm not sure I understand the distinction you're making there.
>
> One is protected with a passph
On Mon, Oct 17, 2011 at 05:50:42PM -0600, Aaron Toponce wrote:
[snip]
> At any rate, I would love to see more client-to-client encryption in email.
> I've always wondered if there could be an "OTR" approach to mail, somehow,
> so people don't need to generate and manage their own sets of keys, as t
Thanks to everyone for the helpful answers. Maybe I'll buy a smartcard, it
seems more convinient than rebooting for every email.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
I don't see why the ISP has to be the entity providing DNS lookup.
The one I use won't even allocate me a static address, let alone
accept RRs from me to serve out to others. I'm not sure I'd trust
them to get it right and *keep* it right anyway.
If the ISPs won't cooperate, maybe the antivirus v
I'm going to keep this as short as possible, because we've already hit
the point at which we're casting far more heat than light.
> Oddly, I don't recall Jerome ever making a statement remotely like
> "If I steal your decrypted key, ...". I only remember him stating
> that he thought, as did I, th
> It doesn't prevent a trojan from signing something other than what you
> intended (if it's your master key on card, even another key or a new
> sub-key) but whether this is a problem depends on your threat model.
I should mention that the current OpenPGP card spec doesn't let the card
know wheth
On 18/10/11 15:23, Jerome Baum wrote:
> It doesn't prevent a trojan from signing something other than what you
> intended (if it's your master key on card, even another key or a new
> sub-key) but whether this is a problem depends on your threat model.
The signature problem can still be solved by
>> Skimmed over this. You say that you need ISP support to get the
>> system adopted (for the DNS-based distribution). Wouldn't that
>> hinder adoption?
>
> Please look at how most people use mail: They get a mail address from
> their ISP, a preinstalled MUA and so on. Mail works for them
> in
On 18/10/11 15:08, Jerome Baum wrote:
> It's one thing to be picky when it adds to the discussion proper. That
> would be the case when we're distinguishing between the key as it is
> stored on disk (encrypted, inside a key-file/-ring/...) and the key as
> it is stored in memory (unencrypted). That
On 18/10/11 15:05, Robert J. Hansen wrote:
>> IIRC "nowadays" is store a separate file per key?
>
> No, it's still a single file ("pubring.gpg", for instance, is the public
> keyring). I just can't promise that it's still a raw stream of RFC4880
> octets.
ls ~/.gnupg/private-keys-v1.d/
Peter.
> If someone sniffs your PIN, and has trojaned or rooted your computer, he could
> use your smartcard while it is still plugged in to your computer, just like
> you
> are using your smartcard.
If you're worried about this you should be able to find a smartcard
reader with PIN entry that GnuPG sup
On 18/10/11 15:05, Robert J. Hansen wrote:
> On 10/18/2011 8:36 AM, Jerome Baum wrote:
>> Have you looked at my original statement?
>
> Yes.
Oddly, I don't recall Jerome ever making a statement remotely like "If I steal
your decrypted key, ...". I only remember him stating that he thought, as did
On 2011-10-18 15:05, Robert J. Hansen wrote:
> On 10/18/2011 8:36 AM, Jerome Baum wrote:
>> I recall making the distinction between a key* and a key-ring/-file,
>> not between a key-ring and a key-file.
>
> A distinction that has been lost on apparently everyone here. Please
> use accepted termin
On 10/18/2011 9:08 AM, Jerome Baum wrote:
> Makes sense if there's no context. But there's context here --
> "cryptography". In that context, key means something specific.
This ain't EUROCRYPT or FINANCIAL CRYPTOGRAPHY. If you're reading
professional journals that are talking about crypto in pure
On 2011-10-18 14:48, Peter Lebbing wrote:
> On 18/10/11 14:36, Jerome Baum wrote:
>> * I'm going to take the word to mean what it says: "key", not what I can
>> flexibly interpret it as: "encrypted key".
>
> One of those metal things in my pocket? What good are they for encryption?
> Even
> if yo
On 18/10/11 14:53, takethe...@gmx.de wrote:
> I read a smartcard is simply a chip card. Why is it save, what's a
> PIN? Say I'm using it on a PC with a trojan in the background
> that logs my keystrokes (my password) and can send data (my key)
> via internet to an attacker. How is access restr
On 10/18/2011 8:36 AM, Jerome Baum wrote:
> Have you looked at my original statement?
Yes.
> I recall making the distinction between a key* and a key-ring/-file,
> not between a key-ring and a key-file.
A distinction that has been lost on apparently everyone here. Please
use accepted terminolog
Monday, October 17, 2011, 11:30:48 PM, Robert wrote:
> Smartcard and a good PIN. That's pretty much the gold standard. It's
> not the best way (there is no 'best way'), but it's generally an
> excellent place to start from.
I read a smartcard is simply a chip card. Why is it save, what's a
PI
On 18/10/11 14:36, Jerome Baum wrote:
> * I'm going to take the word to mean what it says: "key", not what I can
> flexibly interpret it as: "encrypted key".
One of those metal things in my pocket? What good are they for encryption? Even
if you manage to read it in, it still has way too little ent
On 2011-10-18 14:22, Robert J. Hansen wrote:
> On 10/18/2011 8:10 AM, Jerome Baum wrote:
>> If I manage to steal your private keyring, then yes the very strong
>> passphrase should grind my attempts to steal your key to a halt. If I
>> manage to steal your private _key_ OTOH, I don't need to get pa
On 10/18/2011 8:10 AM, Jerome Baum wrote:
> If I manage to steal your private keyring, then yes the very strong
> passphrase should grind my attempts to steal your key to a halt. If I
> manage to steal your private _key_ OTOH, I don't need to get past your
> passphrase as that doesn't come into pla
>> I'm going to lean very far out the window and assume he meant the actual
>> private key, not the private key-ring/-file/...
>
> I'm not sure I understand the distinction you're making there.
One is protected with a passphrase (i.e. it's encrypted), the other is
in the clear.
If I manage to st
On 17 October 2011 20:11, Werner Koch wrote:
> Hi!
>
> Over the last year Marcus and me discussed ideas on how to make
> encryption easier for non-crypto geeks. We explained our plans to
> several people and finally decided to start a project to develop such a
> system. Obviously it is based on
Aaron Toponce writes:
> I've added it with "my_hdr OpenPGP id=${pgp_sign_as}\;url=...". The only
> question remaining, for me, is whether or not it should be "X-OpenPGP" or
> "OpenPGP" as the header field name. I've heard various positions on this,
> but nothing definitive.
No X-OpenPGP please.
50 matches
Mail list logo
