Björn Persson wrote:
Jacob Bachmeyer via Gnupg-users wrote:
Unlike HTTP, FTP is /not/ subject to simple Man-on-the-Side attacks
(which motivated the rush to HTTPS) because there is no in-protocol
redirect.
So FTP isn't vulnerable to that particular attack,
... which is impo
Werner Koch wrote:
On Wed, 21 Aug 2024 19:09, Jacob Bachmeyer said:
configured for anonymous-only. FTP is both simple and ancient, so I
Yes, the protocol is simple but most server implementaions are pretty
complex. That is why we settled for oftpd nearly decades ago. And as
we see
Werner Koch wrote:
On Tue, 20 Aug 2024 19:19, Jacob Bachmeyer said:
I would suggest checking what ftpd Debian ships and using that.
They don't provide oftpd anymore which is an anonymous only ftpd. All
others have a way larger attack surface.
I would be very surprised if whatever t
Werner Koch wrote:
On Tue, 20 Aug 2024 00:26, Jacob Bachmeyer said:
I would encourage resuming FTP distribution, since I see no plausible
security benefit to omitting it.
I agree with your arguments. However, not providing FTP saves us from a
lot of bike shedding discussions ;-)
Werner Koch via Gnupg-users wrote:
Hi!
Thanks for mentioning this.
On Sat, 17 Aug 2024 13:49, Jan Palus said:
FTP service at ftp.gnupg.org appears to be down for some
time. Couldn't find any
info about FTP decommissioning so just letting you know about the problem.
I would not consid
Eric Pruitt wrote:
On Fri, Jun 07, 2024 at 06:03:22PM -0500, Jacob Bachmeyer via Gnupg-users wrote:
Strictly, "their" is plural in English
No, it is not. "They" and "their" have been used as gender-neutral,
singular pronouns for centuries. Even if tha
Patrick F. Marques via Gnupg-users wrote:
Hi,
I was reading the gnupg documentation and although I’m not an English
native, I believe there is a “tiny” typo in this page
https://www.gnupg.org/gph/en/manual/x334.html
In the first paragraph:
(…) By personally checking the fingerprint you
Bee via Gnupg-users wrote:
Its is called "USER DATA" for a reason - you have to decide what to do
with it.
But a novel pinentry must be created to receive the data. Again, this
is circular.
If your really really want a passphrase, what about passing
the filename of a file holding the
Bee via Gnupg-users wrote:
However if you known the passphrase, you can pass it to gpg directly using
--passphrase-file and --pinentry-mode=loopback.
I figured, but am trying to avoid having the passphrase land on disk at all.
Could you set up a RAM disk for this? (I think Windows st
Matthias Apitz wrote:
El día miércoles, febrero 28, 2024 a las 10:32:43 +0100, Werner Koch via
Gnupg-users escribió:
On Tue, 27 Feb 2024 20:52, Jacob Bachmeyer said:
Therefore, pass(1) almost certainly has its own list of keys stored
pass stores the fingerprints of the keys in
Werner Koch wrote:
On Tue, 27 Feb 2024 20:52, Jacob Bachmeyer said:
[...]
logarithm problem and /vice versa/. Accordingly, RSA1024 is now
considered sufficiently dubious that some implementations no longer
support it, such as the go-crypto/openpgp library used by the newer
Which is a
Matthias Apitz wrote:
El día lunes, febrero 26, 2024 a las 06:40:26 -0600, Jacob Bachmeyer via
Gnupg-users escribió:
Matthias Apitz wrote:
[...]
Said/showed that, I can't imagine that, when I SCP the file
.password-store/test.gpg to another mobile with another OpenPGP card,
that
Matthias Apitz wrote:
[...]
Said/showed that, I can't imagine that, when I SCP the file
.password-store/test.gpg to another mobile with another OpenPGP card,
that this system would be able to decrypt the file and reencrypt it
again with the new card.
Correct. You must first copy the *new* pu
Thomas wrote:
Hi,
this is exactly what I thought.
However, there's no solution for it.
Let me repeat my comments posted previously to get an overview what is
working...
Actually I have a working setup on Windows 10, but here I use another
terminal emulator: MobaXterm.
And in the settings of M
Thomas via Gnupg-users wrote:
Hello Stephan,
thanks for your reply.
When you say I should modify ~/.ssh/config, where is this file?
On jumphost?
You need to configure SSH agent forwarding on your client, which will
provide access to your local SSH agent at the jumphost via the SSH
connec
Werner Koch wrote:
On Tue, 14 Nov 2023 20:52, Jacob Bachmeyer said:
succeed in either case. If this condition is not met, Mallory will
eventually be able to forge a signature. Therefore, smartcards do not
actually provide additional security in the typical PGP usage.
In all environme
Henning Follmann wrote:
On Mon, Nov 13, 2023 at 10:23:16PM -0600, Jacob Bachmeyer via Gnupg-users wrote:
Daniel Cerqueira wrote:
Jacob Bachmeyer writes:
[...]
Yes it does. The key can't be copied and taken away from the device. This
is an advantage.
It
Daniel Cerqueira wrote:
Jacob Bachmeyer writes:
The problem here is that, while the key never leaves the smartcard,
the /entire/ device that accesses the smartcard must be trusted, as a
backdoor on the device could steal plaintext or submit extra items for
signing. A PIN does not solve the
Daniel Cerqueira via Gnupg-users wrote:
Jeff Schmidt writes:
[...]
You may want to consider using an OpenPGP smartcard (for example, a
Yubikey). Seems that you are a good fit.
Using a OpenPGP smartcard, the private key never leaves the smartcard.
The smartcard can also be used on a smartphone
Daniel Cerqueira via Gnupg-users wrote:
Hi everyone.
I want to send my po translation of GnuPG.
Werner told me to send a signed git patch to a list.
So, I signed my git commit with my GnuPG key. And when I do
`git format-patch master` the created patch does not have this signature.
How can I
raf via Gnupg-users wrote:
[...]
While testing these, I just noticed that /usr/bin/file
on my macOS-10.14 laptop shows a different keyid to
what libmagic shows. That's bizarre.
For some encrypted files of mine, /usr/bin/file (v5.33)
shows 3A0FC449 817C22BA but libmagic/rh shows 49C40F3A
BA227C81
Werner Koch wrote:
On Mon, 11 Sep 2023 22:29, Jacob Bachmeyer said:
So using threads to compute a blinded RSA operation would just about
recover the computational cost of blinding the calculation? How would
No. I gave this as an example where you could else see on how to speed
up th
Werner Koch via Gnupg-users wrote:
[...]
On Sat, 9 Sep 2023 22:07, Robert J. Hansen said:
and for the vast majority of users isn't worth it. The easy wins (28%
cost savings on RSA encryption! Whee, almost half a millisecond!) are
The blinding we use for RSA (to mitigate side-channe
John Scott via Gnupg-users wrote:
Reduce, reuse, and recycle: why make a fresh public key pair when you can
reduce, reuse, and recycle one you've already got?
Simple: to limit the exposure of the corresponding private key and the
work required to rotate any given keypair. Closely related, i
Dennis Clarke via Gnupg-users wrote:
Dear GnuPG type folks :
I don't know what this means. Can we just compile with a decent C
compiler such as the LLVM/Clang in FreeBSD ?
[...]
Libgcrypt v1.10.2 has been configured as follows:
[...]
Please not that your compiler does not s
Alexander Leidinger via Gnupg-users wrote:
[...]
I don't remember if there was a challenge/response or not. As I still
have the email with the signed key, I can tell that the signature can
arrive via a TLS encrypted SMTP channel directly from governicus (and
they have a SPF setup but not DKIM
Michael Richardson wrote:
Jacob Bachmeyer wrote:
>> I'm unclear if this is a new feature (I think so), and if so what
happens if
>> the sender hasn't upgraded yet?
>>
> My understanding: ADKs are new and do not work without support on the
> sender's side. The ADK is a req
Michael Richardson wrote:
Jacob Bachmeyer via Gnupg-users wrote:
> ADKs seem particularly valuable to me as a solution to the "group inbox"
> problem that avoids actually sharing private key material: simply
> attach encryption subkeys for all recipients
Johan Wevers via Gnupg-users wrote:
On 2023-04-30 14:58, Andrew Gallagher via Gnupg-users wrote:
[...]
The danger of an “ignore ADK” option is that it gives a false sense of
security. It is already possible for an employer to require escrow of the
decryption subkeys of their employees - AD
Ave Milia via Gnupg-users wrote:
Logically, it probably should not be as simple as the developer deploying their
personal public key into the target environment and then signing their
artifact, for two reasons: the target environment gets wiped, and it
practically cannot account for all perso
Dmytro Kovalov wrote:
Hello Jacob ,
Thanks for the fast response!
So you mentioned the problem is in clang ATT compatibility. But could
you please confirm the UAL supports ATT style , because I haven't
found any information there.
UAL is ?
The key hint here for me was that you mentioned re
Dmytro Kovalov via Gnupg-users wrote:
Hello,
I found a strange libgcrypt behavior on ARM with clang built.
There is a big gap in performance of libgcrypt, built by clang, in
comparison with gcc on my ARM target machine.
The simple profile test shows 100-500% advantage of gcc gcrypt.
I found a
Phil Pennock via Gnupg-users wrote:
[...]
Problem: we use PGP for signing and for certain transactions which need
high confidentiality, but for the most part, for most of our staff,
setting up a PGP-capable mail client with our mail-provider is a pain
and we're not interested. We want the PGP k
Tony Lee via Gnupg-users wrote:
[...]
I was pleased to receive a rapid response from Werner Koch, who
explained that the nominated count_value of 1024 actually used a default
count_value compatible with gpg 1.4, and then went on to explain that
OpenPGP used an SHA1-based Key Distribution Funct
Diez via Gnupg-users wrote:
Is it possible "extract" Sign usage from master key an put it into a
subkey with the same ID and fingerprint? I'm think no.
This email is to verify that, indeed, it is not possible.
If I understand correctly, "same ID and fingerprint" would mean that it
is *exac
Gilberto F da Silva via Gnupg-users wrote:
Slackware64 15
slack15@darkstar:~/.config$ gpg --version
gpg (GnuPG) 1.4.23
[...]
I may be misunderstanding, but I do not think that GPG 1.4.x ever even
supported X.509 at all. Maybe you also have a gpg2 command? Maybe
there is another gpg so
Lars Noodén via Gnupg-users wrote:
On 5/5/22 01:11, Jacob Bachmeyer wrote:
> Lars Noodén via Gnupg-users wrote:
>> A removable hard drive might be an option, if the storage time
>> is less than a decade and there are decent storage conditions
>> in regards to chemicals, temperature, humidity, and
Lars Noodén via Gnupg-users wrote:
A removable hard drive might be an option, if the storage time is less
than a decade and there are decent storage conditions in regards to
chemicals, temperature, humidity, and so on. Flash memory seems to lose
its charge rather quickly, measured in months.
W
Francis Kp via Gnupg-users wrote:
First of all, thank you for taking your time to reply to this email. I
tried it using the -l flag. The config file was found in the directory
before that. Below is the command I executed.
$ gcc -I /home/user/Desktop/gnupg-1.4.13
-l/home/user/Desktop/gnupg-1.4.13
Daniel Colquitt via Gnupg-users wrote:
Whilst AES128 is probably okay for now, SHA1 has been broken for well over 15
years.
Has it really been that long? ... No, it has not been: a free-start
collision was found on the SHA-1 compression function in 2015, less than
7 years ago.
As far as I
jonkomer via Gnupg-users wrote:
When the keyserer operator operates outside
of the EU I don't think that is a legal problem.
If an individual that requests his personal information is
removed (i.e., the "right to be forgotten") is EU resident,
GDPR applies regardless of the jurisdiction in whic
Felix E. Klee wrote:
After I unlock an OpenPGP SmartCard V2.1 in my SPR332 [mod][1], I can
use it to decrypt as many files as I want. While this is convenient, it
is not great if the system is compromised and I forget to unplug the
card reader.
Is there any way to limit how long the OpenPGP Sma
Robert J. Hansen via Gnupg-users wrote:
When generating the key-pair with Re: pgp263iamulti06, the
"randomness" is obtained by user's keyboard input. Is it
then that the above applies only when the session key is
generated?
No, the whole CSPRNG is (probably) compromised. PGP 2.6.3 used
keyboa
Matthias Apitz wrote:
El día viernes, octubre 29, 2021 a las 08:35:43p. m. -0500, Jacob Bachmeyer via
Gnupg-users escribió:
Matthias Apitz wrote:
The question here is: Can I somehow transfer the keys from the used
OpenPGP card to this new card (and copy over the tree of encrypted
Matthias Apitz wrote:
The question here is: Can I somehow transfer the keys from the used
OpenPGP card to this new card (and copy over the tree of encrypted
passwords to the phone) or do I have to move the passwords in clear and
crypt them again with the new card?
If I understand correctly that
Damien Goutte-Gattat via Gnupg-users wrote:
On Fri, Oct 29, 2021 at 04:04:11PM +0200, Romain LT via Gnupg-users
wrote:
[...]
private-keys-v1.d/
folder with private keys files, named afte key or subkey keygrip
Is there only the private key part of my own keys in this ? or
is there a way to obtai
Joel Rees via Gnupg-users wrote:
Can I ask what new reason to make Stallman a scapegoat has emerged?
The recent round of attacks on Stallman seem to have begun after RMS
returned to the FSF Board. There is some controversy over the factual
basis for these attacks. (In other words, there are
Vincent Pelletier wrote:
On Mon, 22 Mar 2021 17:32:14 -0500, Jacob Bachmeyer via Gnupg-users
wrote:
The difference is that you *know* an unencrypted key is lying around at
risk of compromise, and you knowingly chose to take that risk when you
chose to store the key unencrypted
Robert J. Hansen via Gnupg-users wrote:
I first heard of the GNU Project and the Free Software Foundation in
1995. For twenty-six years I've supported the FSF and FSFE in a
variety of different ways. For these twenty-six years, Richard
Stallman has been at the forefront of the FSF. In all th
jsmith9...@gmx.com wrote:
[...]
A private key protected by weak blowfish cipher is by no means more at risk
compared to an unencrypted key, which GnuPG has no problem with.
The difference is that you *know* an unencrypted key is lying around at
risk of compromise, and you knowingly chose
jsmith9810--- via Gnupg-users wrote:
Hello all,
I have a private key protected by blowfish cipher that despite a random salt and several rounds of
RIPEMD160 iterations is still considered "weak" by GnuPG and it refuses to do anything
with it. When I try to import this key manually (--import),
Andreas K. Huettel wrote:
Am Mittwoch, 17. März 2021, 21:07:16 CET schrieb Andreas K. Huettel:
I'm pretty sure they didnt have different versions, sorry.
(I rebooted the machine a few minutes earlier because of a kernel update.)
OK now it's getting very strange.
On a second PC with the same
52 matches
Mail list logo