Re: Best practice to make one's key known, was Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Marco Zehe
Hi Doug, > On 28.02.2015 at 21:36, Doug Barton wrote: > > It's overwhelmingly likely that you are overthinking this. :) Yes, I have been known to have that tendency sometimes. :) Thanks! Will do as you suggest, then. Marco

Re: A forgotten patch?

2015-02-28 Thread Alexander E. Fischer
Well, thank you for the explanation. Sadly, I think my knowledge about C is not sufficient to fully judge the situation. Although I have to say that the first example sounds a bit like a hack. I just hope you are right, a lot depends on it. > Right he lists Microsoft and a German "newspaper", to w

Re: Best practice to make one's key known, was Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Doug Barton
On 2/27/15 10:10 PM, Marco Zehe wrote: Hi Werner et al, On 27.02.2015 at 20:56, Werner Koch wrote: There is no trust in keyservers by design. As soon as you start changing this you are turning PGP into a centralized system. OK, then I have a very practical question: Even though this is my

Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Doug Barton
On 2/27/15 3:15 AM, Peter Lebbing wrote: So what did this key attract, being on the keyserver for four years now? 22 Nigerian 419 scams. That's it. Twenty-two! They came in batches; I haven't seen anything since March last year. I've had a similar key out there for longer than four years, and

Re: trust paths

2015-02-28 Thread Johan Wevers
On 28-02-2015 18:56, Christoph Anton Mitterer wrote: > I'm not sure but I fear you have some deep misunderstanding of > cryptography... I'm not talking about mathematically proving something. After all, a government agency could make a false key with Werner Koch's name on it and send someone who

Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Christoph Anton Mitterer
On Sat, 2015-02-28 at 19:01 +0100, Johan Wevers wrote: > No it's not, it is much simpler. When I call my wife and am in fact > connected with a computer or agent impersonating her, they are unlikely > to be able to copy her voice so well that I don't hear it. I guess you've missed some developmen

Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Christoph Anton Mitterer
On Sat, 2015-02-28 at 18:45 +0100, Johan Wevers wrote: > OK, not cryptographically. They could always try to bribe/threaten/torture > someone to cooperate. But that model fails if you want to perform > unnoticed mass surveillance. Admittedly, when it comes to "unnoticed mass surveillance" anonymous

Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Johan Wevers
On 28-02-2015 18:21, Christoph Anton Mitterer wrote: > Not sure what you refer to,... but if it's authentication schemes like > ZRTP (which TextSecure wouldn't use)... No it's not, it is much simpler. When I call my wife and am in fact connected with a computer or agent impersonating her, they a

Re: trust paths

2015-02-28 Thread Christoph Anton Mitterer
On Sat, 2015-02-28 at 18:39 +0100, Johan Wevers wrote: > OR, in case a key belongs to a well-known person, you've seen it > mentioned in enough places and seen it used to sign gpg packages to be > rather certain that if it were a forgery someone would have noticed by > now and made noise about it.

Re: strength of voice authentication [was: Re: German ct magazine postulates death of pgp encryption]

2015-02-28 Thread Johan Wevers
On 28-02-2015 15:09, Daniel Kahn Gillmor wrote: > We had this discussion recently over on messag...@moderncrypto.org. What is described there is a much more confined problem. > It's far from "trivial", but breaking voice-based authentication > (particularly in the already-noisy realm of mobile p

Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Johan Wevers
On 28-02-2015 13:40, Peter Lebbing wrote: > On 28/02/15 13:28, Johan Wevers wrote: >> I don't see even the NSA breaking that. > > Heh, famous last words ;). OK, not cryptographically. They could always try to bribe/threaten/torture someone to cooperate. But that model fails if you want to perform

Re: trust paths

2015-02-28 Thread Johan Wevers
On 27-02-2015 22:30, Christoph Anton Mitterer wrote: > I meant in the sense that I want to trust e.g. Werner's key but haven't > met him in person yet,... but I might have an indirect trustpath to him > via some other persons (which I do trust). > Obviously I'll need any intermediate keys (and eno

Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Christoph Anton Mitterer
On Sat, 2015-02-28 at 13:28 +0100, Johan Wevers wrote: > In practice the Textsecure protocol works well of course because it > uses the phone number. "In practise"... I guess that's also what most "normal" people believed about their security before Snowden. And a phone number is really no secur

Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Peter Lebbing
On 28/02/15 16:25, Bjarni Runar Einarsson wrote: > E-mail is the *only* surviving decentralized free and open messaging > system with any clout today. Literally everything else in common use is > proprietary and centralized. We should all be deeply worried about this. Well, I think it's a bit grim

Re: Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Bjarni Runar Einarsson
Peter Lebbing wrote: > On 28/02/15 14:06, Ralph Seichter wrote: > > but PGP does not work for mass e-mail protection > > Let me stress again that the proper course might be to replace SMTP (e-mail) > and > then work from that. If you have a sieve and wish for something to hold > liquids, > you

Re: LDAP-based Keyserver

2015-02-28 Thread Kristian Fiskerstrand
On 02/28/2015 01:23 PM, Hauke Laging wrote: > On Sat 28.02.2015, 12:27:05, Neal H. Walfield wrote: > >> In that time, OpenLDAP configuration has gotten a lot more >> complicated. I've modernized and significantly expanded his >> tutorial. You can

Re: Re: Thoughts on GnuPG and automation

2015-02-28 Thread Bjarni Rúnar Einarsson
Hi Dan, I dedicated most of the blog post to answering that question (why it breaks Mailpile), did you not read it or did I fail to communicate? - Bjarni On 28 Feb 2015 12:44, "Daniel Kahn Gillmor" wrote: > On Fri 2015-02-27 07:19:41 -0500, Bjarni Runar Einarsson > wrote: > > I think you mi

strength of voice authentication [was: Re: German ct magazine postulates death of pgp encryption]

2015-02-28 Thread Daniel Kahn Gillmor
On Sat 2015-02-28 13:28:06 +0100, Johan Wevers wrote: > In practice the Textsecure protocol works well of course because it > uses the phone number. One usually knows that number already from a > contact. Most people I communicate with often I even recognise by > voice alone - taking over the pho

Re: LDAP-based Keyserver

2015-02-28 Thread Hauke Laging
On Sat 28.02.2015, 12:27:05, Neal H. Walfield wrote: > In that time, OpenLDAP configuration has gotten a lot more > complicated. I've modernized and significantly expanded his tutorial. > You can find it here: > > http://wiki.gnupg.org/LDAPKeyserver Doesn't refer to your work but is a general

Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Peter Lebbing
On 28/02/15 14:06, Ralph Seichter wrote: > but PGP does not work for mass e-mail protection Let me stress again that the proper course might be to replace SMTP (e-mail) and then work from that. If you have a sieve and wish for something to hold liquids, you could plug up all the holes or say "Blow

Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Ralph Seichter
It looks like we agree on most aspects, but to get back to the original question of this thread: From what I have seen since the nineties (I do remember donating money for Philip Zimmermann), PGP is great for users with a solid foundation in cryptography, but it is too complicated for average users

Re: Re: Thoughts on GnuPG and automation

2015-02-28 Thread Daniel Kahn Gillmor
On Fri 2015-02-27 07:19:41 -0500, Bjarni Runar Einarsson wrote: > I think you misunderstood my complaint. I don't mind if the agent is a > persistent daemon that provides GPG-related services, that's all well > and good. It's good process separation and I have no problem with that. > > My gripe

Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Peter Lebbing
On 28/02/15 13:28, Johan Wevers wrote: > I don't see even the NSA breaking that. Heh, famous last words ;). Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at

Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Hugo Osvaldo Barrera
On 2015-02-28 12:37, Ralph Seichter wrote: > On 28.02.2015 00:48, Hugo Osvaldo Barrera wrote: > > > Please, stop spreading the iMessage fallacy, its system offers privacy > > only from *some* parties, but not from everyone. > > I invite you to read my message again. I used iMessage as an example

Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Peter Lebbing
I think a bit of opportunistic encryption without proper identity verification can be a very good thing. I was just pointing out that you need to know the limits of that way of working, and make a conscious decision whether you need proper verification or not. But I didn't indicate that clearly en

Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Johan Wevers
On 27-02-2015 19:16, Christoph Anton Mitterer wrote: > This is basically what they want: Anonymous cryptography, whose complete > security is based on some good luck whether you've communicated with the > right peer the first time. In practice the Textsecure protocol works well of course because

Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Johan Wevers
On 27-02-2015 16:57, Mark H. Wood wrote: > It's always good to look for patterns that lead to useful > simplification. But there comes a point at which no further > simplification can be done without making the system less useful. Well, in making it more beginner friendly, I imagine a system that

Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Ralph Seichter
On 28.02.2015 00:48, Hugo Osvaldo Barrera wrote: > Please, stop spreading the iMessage fallacy, its system offers privacy > only from *some* parties, but not from everyone. I invite you to read my message again. I used iMessage as an example for usability (as did c't editor Jürgen Schmidt), not f

LDAP-based Keyserver

2015-02-28 Thread Neal H. Walfield
Hi, Nearly a decade ago, Walter Haidinger posted a how-to describing how to set up an OpenLDAP PGP keyserver. http://lists.gnupg.org/pipermail/gnupg-users/2006-February/028058.html In that time, OpenLDAP configuration has gotten a lot more complicated. I've modernized and significantly expande

Re: A forgotten patch?

2015-02-28 Thread Werner Koch
On Sat, 28 Feb 2015 03:02, a...@raxys.net said: > of GnuPG in 2009. According to him, the patch fixes lots of problems > that might be usable as attack vectors on GnuPG. It seems, however, as > if this patch was never included into upstream GnuPG. Because of that, This comes up every once in a