On 06/02/16 19:40, Sam Pablo Kuper wrote:
>> In [this] scenario one would be able to revoke the subkeys and
>> generate new, without using an off-card copy of the master key
>
> I believe that is correct. [...]
You should just be able to use your smartcard to do all operations with
the master key
On 05/02/16 19:51, Oleg Gurevich wrote:
> ... to delete key from the keyring
It doesn't work for me either. Your error message is a lot more
descriptive, though. I just get:
> $ gpg2 --delete-secret-keys de500b3e
> gpg (GnuPG) 2.1.11; Copyright (C) 2016 Free Software Foundation, Inc.
> This is fr
On 06/02/16 15:17, Robert J. Hansen wrote:
> Proposed FAQ language -- feel free to criticize, to suggest alternate
> phrasings, or anything else. :)
While the primary key is certainly in a subordinate position to the
certificate, I don't think it's common to refer to it as a subkey of the
certifi
On 06/02/16 12:51, Robert J. Hansen wrote:
> There are no other changes to speak of. The FAQ is current, the
> contents are accurate.
I disagree on one point. It's about this[1] thread from November 2014:
On 11/11/14 12:09, Werner Koch wrote:
> On Tue, 11 Nov 2014 11:00, pe...@digitalbrains.com
On 05/02/16 15:08, Oleg Gurevich wrote:
> with GnuPG modern (2.1) i can't delete anymore a secret key based on
> smartcard. Is there an known workaround ?
Do you want the key off your keyring or off your smartcard?
Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You
On 05/02/16 13:34, Robert J. Hansen wrote:
> Or did I miss something?
No, I don't think so. But I was under the impression that for a while now,
people were generally advised not to rely on the uniqueness of long key ID's.
And since this seems to be all you rely on with encrypt-to, key validity no
On 05/02/16 13:06, Robert J. Hansen wrote:
> What's the justification?
If somebody can create a long-keyID-collision, and you download your own key by
that key ID and also import the other one, they might be able to be the one that
gets "encrypted-to", I think? Another way to get on your keyring
On 05/02/16 11:55, Peter Lebbing wrote:
> In fact, "things to put in gpg.conf" would seem directly opposed to:
Okay, I take that back, since section 8.7 clearly shows options you could put in
gpg.conf :).
Regarding that section, I think
> # Always add these two certificates
On 03/02/16 21:12, Robert J. Hansen wrote:
> Beyond that, if there's anything
> you've always thought the FAQ should mention, now's a great time to
> suggest it. :)
I just notice section 8.19. It says to verify a download:
> gpg foo.zip.asc
As became clear in this[1] discussion, you should alwa
On 05/02/16 00:25, da...@gbenet.com wrote:
> A list of do's and don'ts
Don't use --expert
> - weird and impracticable keys
... Don't use --expert ;P
> common sense usage - common sense
Stick to the defaults
> things to put in your gpg.conf :)
keyserver ...
And that's it.
Really. Having a l
On 05/02/16 12:01, Robert J. Hansen wrote:
> IMO, the GPH needs to be taken down.
I agree. I was composing a mail on the subject when I started... eh... composing
a different mail on a different subject ;).
Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send
On 04/02/16 19:20, st...@mailbox.org wrote:
> Yes, that would be useful, and the wiki is the right place to publish it.
There's already a list of terms in the FAQ as well. "Signature" is not in it,
but I don't think that's a Frequently Asked Question. The other word Don Saklad
asked, "key", is the
On 04/02/16 09:56, Robert J. Hansen wrote:
> What say y'all?
When the GnuPG default was not to show the key usage, I would have said:
unnecessary detail. In my opinion, in a very broad sense, the FAQ should be
aimed at people sticking to the defaults, not the people who tinker.
But now GnuPG show
On 02/02/16 19:35, Ludovic Hirlimann wrote:
> Sure I'm trying to gpg --edit-key XX
>
> Setup works with my other and older key.
Your gpg.conf seems okay, but when I download your key from the
keyserver, it's telling me that you revoked the key on the day you
created it. The error "secret key
On 02/02/16 13:47, Ludovic Hirlimann wrote:
> I've recently created a new key. When I try to sign with it I get the
> following error :
Could you show the exact command you're trying, and also, do you have a
gpg.conf? If so, could you include it as well.
Peter.
--
I use the GNU Privacy Guard (G
On 31/01/16 16:07, st...@mailbox.org wrote:
> Hi,
>
> recently, I refreshed some keys of my GnuPG public keyring, did a check
> and learned that
>
> 1) the RSA key 46925553 Debian Archive Automatic Signing Key (7.0/wheezy)
> has been revoked [output translated into English in
> square brackets]
On 31/01/16 13:20, Andrey Utkin wrote:
> Leakage of exact number of hidden recipients can be mitigated by
> adding random number of pseudo-recipients
There is a lot of literature on masking the length of packets with
random padding. It's not as straightforward as it seems. I think this
has anologu
On 29/01/16 19:32, Bjarni Runar Einarsson wrote:
> If the user only has one public/private key pair, I assume the
> experience isn't too bad, GnuPG will just make a guess. But if
> the user has multiple keys, do they have to enter the passphrase
> for each in succession, as gpg tries to guess how t
On 2016-01-28 16:31, Aaron Tovo wrote:
I did file diffs between the new and the previous
downloads with 'diff' and they are identical. So I tried verify on
the
previous download and it worked this time. Very confusing.
My guess is that sharp-eyed Damien Goutte-Gattat was correct and you
were
On 21/01/16 16:17, Kristian Fiskerstrand wrote:
> Not following this thread too closely, but I expect --show-session-key
> and --override-session-key has been discussed.
No, not in this thread. I hadn't mentioned it since I focussed on the
archival and rotation aspect, not access to a specific ses
On 21/01/16 15:47, Andrew Gallagher wrote:
> overwrite the smartcard key with a newly generated key
Wait... Maybe I'm not following correctly, but to me it sounds like:
- Antoine has an encryption key on his smartcard, but no backup.
- If it is no longer possible to use the smartcard to decrypt d
On 21/01/16 13:34, Lachlan Gunn wrote:
> Then you rotate to the new key with little or no data loss because all of
> the session keys are logged. You can generate the key on-chip so that it is
> unable to ever leave the smartcard, which is obviously desirable from a
> security point of view.
I do
On 21/01/16 13:34, Lachlan Gunn wrote:
> You can generate the key on-chip so that it is unable to ever leave the
> smartcard, which is obviously desirable from a security point of view.
I think I prefer off-card generation, with GnuPG's random number generator,
rather than some low-power, propriet
(oops, accidentally forgot copy to list, sorry for thread breaks)
On 2016-01-21 11:29, Lachlan Gunn wrote:
> Speaking of which, is there any solution around for session key
> archiving?
Not that I'm aware of.
> Key transition would be a bit more convenient if there
> were some way to automatical
On 21/01/16 12:32, Lachlan Gunn wrote:
> The first reason is that you can't do it if the key only exists on a
> smart card.
I'd say that's a bad idea anyway. What if the smartcard breaks?
> The second is that you now have to do one decryption per
> message, so if the key is on a smartcard then it
On 21/01/16 09:54, Tzafrir Cohen wrote:
> So I guess I should just create new subkeys in the card.
That's fine for the signature key, although you could also extend its
expiration date. But rotating signature keys is generally no more work
than distributing the extended expiration date, so IMHO yo
On 20/01/16 17:48, Felix E. Klee wrote:
> Is there any workaround?
Install GnuPG 1.4 alongside your 2.1.10 (they co-exist perfectly, but they store
keys separately).
It then should be something like this:
$ gpg2 --export-secret-keys | gpg --import
Give some temporary passphrase, passes key from
On 18/01/16 14:10, Andrew Gallagher wrote:
> I find it funny that on a gpg users mailing list, out of 80 emails since
> new year, only 15 have signatures at all, and three of those are mine*.
> Even Werner doesn't sign his mails.
Since it's been debated over and over again on this mailing list, I
On 17/01/16 21:00, Doug Barton wrote:
> You glossed over the points in my previous messages about the fact
> that we cannot know for sure if the person sending the message is
> actually who we think it is [...]
Well, to me it sounded like you said "Signature subkeys aren't enough by
themselves, so
On 17/01/16 03:19, Doug Barton wrote:
> Further I don't see signing as all that interesting either.
> [...]
> We can infer things about these topics from our knowledge/beliefs
> about the sender, but I can't think of any rational person would go
> along with a request to "Pay Joe $10,000" just beca
On 15/01/16 21:17, Glenn Rempe wrote:
> I added it at the suggestion of Werner in this post:
>
> https://lists.gnupg.org/pipermail/gnupg-users/2012-July/045059.html
>
> And these blog posts:
> http://incenp.org/notes/2015/gnupg-for-ssh-authentication.html
> http://budts.be/weblog/2012/08/ssh-auth
On 15/01/16 00:12, Andrew Gallagher wrote:
> No, because mitm doesn't mean one identity replaces another, but that the two
> identities become conflated.
Ah, we are ascribing different attributes to an "identity".
I think you mean an identity belongs to a specific person, an individual. If you
MI
On 2016-01-14 21:06, Andrew Gallagher wrote:
Granted. And it does provide a speed bump to a potential attacker, so
is preferable to nothing. But it's not a long term solution.
I disagree. It's a "good enough" solution for many circumstances. And
we know by now how well the WoT works in many ci
On 14/01/16 19:48, Lachlan Gunn wrote:
> so unless you can find the key through some out-of-band source, then for the
> initial contact you have to choose between either making an educated guess as
> to what the key is, or sending in the clear.
Or send them an e-mail saying "I've got something to
Hi Jacques,
Your guide highlighted a silly error where I had accidentally chopped
some of the trailing characters of the appropriate keygrip in
sshcontrol (Doh!). BTW I am using GnuPG 2.1.9
That's hard to spot... "Is this jumble of characters the same as the
one I just saw?"
I can now succ
On 12/01/16 12:58, Jacques Kotze wrote:
> Hi All,
Hi,
> First time post, so please excuse me if it is a ignorant noob question :)
It's not an ignorant question, and even if it were, that wouldn't be a
problem :).
> $> unset GPG_AGENT_INFO SSH_AGENT_PID SSH_AUTH_SOCK
> $> eval $(/usr/local/MacGP
On 11/01/16 17:35, Lachlan Gunn wrote:
> I actually ran into this issue the other day. For me it's problematic because
> my certification key is on an offline machine, so it's inconvenient to have to
> power it up and do a round-trip through the airgap when I'm not going to
> propagate the signatu
On 11/01/16 18:06, Martin Behrendt wrote:
> Without thinking a lot about it on my part, but wouldn't a separate
> signing sub-key help with this?
Signing other people's keys is called certifying, and certification is a
capability only the primary key has. The "Sign" capability indicates it can
cre
Hi!
> Do I have to sign it? Is there no way to configure gpg locally to
> say "the info in this key (fingerprint) is accurate", without having
> to sign?
You have to sign it; that's how it works :).
> Is the semantics of signing with lsign or sign "the info in this key
> is accurate"?
Yes. "Th
On 26/12/15 01:39, ma...@wk3.org wrote:
> do you have an estimate on the number of unique sentences published on
> the Internet?
Hm how many of those would have been generated by a Markov chain
generator that a spammer used to generate some filler text in a spam
mail? I bet you've seen the
On 25/12/15 06:19, Ineiev wrote:
> I assume the amount of entropy is what really matters. for instance,
> if on every next step you are free to choose any of 4 random words
> taken from 6-word dictionary, you may put it in a grammatically
> correct form[*], then you must get a certain entropy p
Hello,
> Correct, horse! Battery staple!
My understanding is that these words in such a passphrase are chosen by
a random number generator in a computer. I use such a passphrase; I've
let my computer pick words out of a word list based on reading
/dev/random; or actually, I'm fairly sure I
On 21/12/15 11:33, gnupgpacker wrote:
> So, how to work around and supply keys to GPGrelay even if using gpg version
> 2 and up?
Install GnuPG 1.4 alongside 2.1 and manually sync all keys from GnuPG
2.1 to 1.4, with for instance:
$ gpg2 --export | gpg --import
I'm not sure how large the overhead
On 10/12/15 21:00, Dark Penguin wrote:
> And I usually import the keys from email attachments, which I know
> are correct, because I've helped them set up PGP and I've created
> their email account. I just want to be able to have them imported
> with simply opening them with GPA and not have to sav
On 10/12/15 21:00, Dark Penguin wrote:
> (or not even seeing it, because I think it would normally close
> immediately after the program has finished running).
Oh, okay, I misunderstood your request. I thought you wanted to invoke
GPA from the command line, since you called it a command line optio
On 10/12/15 20:53, Werner Koch wrote:
> I just modified it to put an submenu item as an alias there. Is that
> better?
While I think it's a good idea to include an alias, I think you should
do that consistently for all the menus, otherwise "Documentation" and
"Related software" are going to end u
On 09/12/15 21:00, Rejo Zenger wrote:
> As I understand it, this is a problem with the session mutt runs in: each
> new mutt decryption and signing operation runs in a new session and hence
> can't access the previous' one.
>
> Probably, I can work around this, but to avoid spending hours of searc
On 09/12/15 19:11, Dark Penguin wrote:
> Of course, I could use other software if I don't like this one, but the
> question
> is "wouldn't it be convenient to add a simple commandline option to GPA to
> import a key".
For commandline usage, you can simply use GnuPG directly:
$ gpg2 --import pubk
On 08/12/15 13:16, Peter Lebbing wrote:
> The problem
> is that two software projects want opposite things; this would lead to
> an arms race.
What might be a better "fix", IMHO, would be to have GPA also warn about
this, so people know what to do. Perhaps with another e
On 08/12/15 00:00, Dark Penguin wrote:
> Erm... sorry, I am still not very good with understanding the bug
> report flow; I would have checked the Debian GPA bug page before
> writing here if I knew about its existence. ^_^' And yes, here it is,
> my "Unsupported certificate" bug!..
No problem, it
On 07/12/15 01:24, da...@gbenet.com wrote:
> Every Linux distro has gnupg installed - so at a terminal just type gpg -
> this will create ALL the folders and files needed (.gnupg) it's pointless
> installing GPA without running gpg first - I think it's pretty silly.
Eh? I don't find it silly at al
On 03/12/15 05:25, Andrey Utkin wrote:
> Is the approach of using "s2kmode = 0" and "protection sha1" together
> correct? Shouldn't "protection none" be used?
Why is all this hackery necessary? Why don't you just install GnuPG 1.4
next to your 2.1, instead of compiling a special hacked 2.1?
Peter
On 30/11/15 23:54, Andrey Utkin wrote:
> Could you please direct me to exact S2K-stuff modes for exporting it
> which would be compliant with earlier GnuPG branches 1.4 and 2.0?
> [...]
> But for unattended processing cases, I'd like a mode that makes utils
> skip all passphrase entry prompts. I g
On 30/11/15 20:10, Andrey Utkin wrote:
> Is it impossible straight from RFC 4880 in any defined mode, or is
> it just a wrong behaviour in GnuPG/Libgcrypt?
It is a specific bug of GnuPG 2.1, and Werner's comment on the bug entry
mentioned here makes me believe he intends to fix it eventually.
Gnu
On 27/11/15 22:55, Andrey Utkin wrote:
> Any comments?
Could you outline a sequence of steps that goes wrong without your
solution and right with it?
Like:
- SSH to compromised PC
- Use SSH agent forwarding
- While logged in to compromised PC, SSH from there to another
Wrong:
- Compromised PC o
On 27/11/15 12:41, Andrew Gallagher wrote:
> There's a post about how to do this in the list archives:
>
> https://lists.gnupg.org/pipermail/gnupg-users/2009-May/036505.html
Thanks for the pointer!
> ... but it's really not worth your while. So long as your primary key
> doesn't have E usage set
On 27/11/15 10:39, Dmitrii Tcvetkov wrote:
> Private key exports in cleartext.
Are you sure? I can't export an unprotected private key. The topic has come up
earlier on this mailing list, in [1].
If I have a passphrase on a private key, and I export it, it prompts me for the
passphrase and the ex
On 23/11/15 21:31, James wrote:
> It appears that information I had read previously was erroneous. I was
> under the impression the capabilities (at least for the primary key)
> were set in stone, hence my apprehension at avoiding those insatiable
> knobs and gears I like to tinker with. ;)
Well,
On 23/11/15 17:20, James wrote:
> If you create a primary key, upload it to a public
> keyserver and later decide: "hrm, my public key should really only
> certify, not sign," it's a bit too late. (although not impossible,
> difficult to change ex post facto).
Okay, so let me answer this one detai
On 23/11/15 08:54, Jan Suhr wrote:
> 2nd factors are usually not access protected at all e.g. may have a
> display (which allows funny hacks[1]).
Ah, that makes sense! I forgot about that because I myself would
actually like an OTP protected by PIN as complete two-factor solution
(have the device
On 21/11/15 18:23, NdK wrote:
> I didn't look at the code (so this could be completely wrong and I'd be
> happy!), but if the OTP key is decrypted using a key in the chip after
> verifying that the card accepts the PIN, then it's even worse, since
> that master key is in cleartext somewhere outside
On 21/11/15 13:09, Peter Lebbing wrote:
> GnuPG outputs both a "Secret-Key Packet" as well as all UID's and
> binding signatures. It might output all certifications by others on the
> key as well; I'm going to write a separate mail about this.
Okay, it turns out
On 17/11/15 15:53, Andrew Gallagher wrote:
> No, there is no public key data embedded in the private key, but you can
> regenerate the important mathematical bits of the public key from the
> private key, and you can fill in your name, email etc. from memory. So
> it's not absolutely necessary - bu
On 21/11/15 09:00, Jan Suhr wrote:
> All serious findings are fixed already. Look for the "Note" at the end
> of each issue description.
I suppose by "serious" you mean "defined as 'Critical' in the pentest"?
There are unfixed issues with severity "High":
Firmware:
NK-01-008 OTP can be unlocked b
On 18/11/15 16:59, da...@gbenet.com wrote:
> 0x5E5CCCB4A4BF43D7 has expired - that's the only thing "bad" about it.
I could not reproduce this:
> $ gpg2 -k 2C53B2ED
> pub rsa2048/2C53B2ED 2015-08-21 [expired: 2015-08-28]
> uid [ expired] Test Teststra Jr.
> $ gpg2 --check-sig DCDFDFA4
On 18/11/15 13:53, da...@gbenet.com wrote:
> I downloaded the key and all sub-keys. Neither GPA Kgpg or Kleopatra give
> any warnings
> about this key. You don't say what's bad about it - which is why your not
> getting much help
> here.
Actually, I understand what he means, I just don't know h
On 17/11/15 15:33, Andrew Gallagher wrote:
>> https://alexcabal.com/creating-the-perfect-gpg-keypair/
>
> This is a fairly good article - I've used it myself for reference in the
> past. Also have a look at:
I disagree, I'd recommend people not to read that article, let alone
follow its advice.
On 29/10/15 17:23, Daniel Baur wrote:
> isn’t it a little bit problematic that GPG now logs how often I received
> emails by someone else?
I would think that in most situations, that is not a problem. If you exclusively
use webmail, there isn't such a record directly on your computer's disk, but y
On 12/10/15 17:32, Mark H. Wood wrote:
> Dare I suggest that people who need private and/or integrity-protected
> email for professional use should hire a professional to interview
> them, set up the software according to the client's standards for
> professional practice, and explain its use?
Exc
On 08/10/15 21:51, Antony Prince wrote:
> I haven't had a single issue with any of the traffic I route through it, so
> I'm assuming it is fine.
The issue with PMTU discovery only happens when there is a smaller MTU in the
middle of the path from you to another system. This can be a very rare
occ
On 08/10/15 21:26, Antony Prince wrote:
> I host a server in this pool and it is set to drop all IPv4 ICMP packets
I hope you mean specifically dropping all ICMP echo-request packets, not all
ICMP packets. Because some ICMP packets are *essential* for proper functioning
of your internet connection
On 04/10/15 20:05, Richard Höchenberger wrote:
> I find the repeated explanations of how to unsubscribe extremely unhelpful,
> bordering to disrespect, since it does not provide the kind of help this
> users needs.
Even though I might share your sentiment on the rest of your mail, I personally
fin
On 04/10/15 17:04, joe.asmod...@sigaint.org wrote:
> Therefore, I agree that a blanket holding that all digital
> signatures are non-repudiable is unlikely.
I think you're moving the goal posts. I think Rob says that he's unaware of any
case where a specific digital signature was argued to be non-
On 03/10/15 14:04, Guan Xin wrote:
> What happened to being guilty once proven guilty until
> proven innocent?
> Your key is the proof.
Please stop trolling.
Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My k
On 01/10/15 13:08, Bob Henson wrote:
> If the program has been altered the signature will fail, will it not?
Well, first of all, a checksum is not a cryptographic hash. It has
different properties: a checksum usually has no collision resistance.
Which is why the designers of WEP should have never
On 01/10/15 10:33, Bob Henson wrote:
> There might be a possible exception where there is no individual
> person to meet - the verification signature with software, say. When
> you have downloaded the software from the same, known website for
> some time it might be reasonable to sign the verificat
On 01/10/15 08:06, NIIBE Yutaka wrote:
> Although I have a bit of experience with Poldi, frankly speaking, I
> don't quite understand the need for local login authentication with
> OpenPGPcard. For me, if I do some access control for my own PC, it
> would be better to consider removing keyboard fr
On 30/09/15 15:37, Laurent Blume wrote:
> Ultimately, a lot will depend on that, LUKS volumes, file encryption
> before transfer (GPG and SMIME), Apache secret keys (I've not dared yet
> think about that one), maybe some others if the PCI auditor feels like it.
Yes. I have no experience in highly
On 30/09/15 14:04, Laurent Blume wrote:
> There are human resource issues there, but let's focus on the technical
> side.
Yes, I realise that.
> I've thought about it, but it's not that obvious to set up. It depends
> on scdaemon, which is started by gpg-agent.
> It means I would need to create a
On 30/09/15 11:20, Laurent Blume wrote:
> I really, really need it to be non-interactive.
You can't unlock the card when the server is booted and then leave it
unlocked for the whole time the server is up? You could do it in an SSH
session, when correctly set up.
The OpenPGP Card does not permit
On 30/09/15 02:17, NIIBE Yutaka wrote:
> Perhaps, if there are some demands, I should write U2F module using
> gpg-agent (and revive Scute, accordingly). I believe that this is a
> way to go, for those users who want to consolidate things cleanly.
Personally, my main interest lies with authentica
On 28/09/15 20:39, sam...@riseup.net wrote:
> Hi all
Hi!
> Thanks for your comments, not exactly a ringing endorsement!
Well, for some reason I never got the mail that started this discussion,
a reply by Robert J. Hansen was the first I saw of it. And I didn't
check the website. But the quotes f
On 28/09/15 20:12, Robert J. Hansen wrote:
> First, I love the Thorn Letter Agency: I'm going to have to steal it.
Hehe, go ahead ;).
> I mean, taken at their word, that's what they seem to be saying, right?
Absolutely. And it's curious that they're sprinkling technical terms in the rest
of what
On 28/09/15 19:00, Robert J. Hansen wrote:
> Cryptography is not like virginity, where once you lose it it's gone
> forever.
I think they mean that your private key material is compromised, meaning
"þey"[1] can decrypt any future messages encrypted to that key. Sloppily
formulated, but I don't thi
On 16/09/15 17:39, Werner Koch wrote:
> For my own needs I am working on yet another dm-crypt wrapper which will
> be another backend for g13.
I'd much prefer dm-crypt as backend, so all the better! In fact, I think
LUKS might be better than plain dm-crypt; it seems to be getting the
most love fro
On 09/09/15 22:17, Kostiantyn Chertov wrote:
> log-file /var/log/scd.log
The user you're running GnuPG as probably doesn't have permission to
create files in /var/log. So this can only work when the file is already
created with the correct permissions, and even then there might be a
reason GnuPG n
On 06/09/15 10:11, Dongsheng Song wrote:
> On 2015-09-05 17:40, Werner Koch wrote:
>> - The random number generator may not produce random output.
>
> Why not trust Windows CryptoAPI (CryptGenRandom) like libressl ?
May I suggest that you take down your compiled 64-bits versions and
issue a warn
Hello,
On 31/08/15 21:08, Crissy Lynn wrote:
> I have tried any and everything the be taken OFF of this random
> mailing list!!! I've 'Unsubscribed' 10 times. Can someone PLEASE
> explain why I keep getting these emails!??
I might have an idea about that. Gmail has an unusual feature: you can
On 22/08/15 17:25, Dongsheng Song wrote:
> Now I want to create my new key like this:
>
> sec rsa4096/93D374EB 2015-08-22 [C]
> uid [ultimate] example
> ssb rsa2048/466D08E1 2015-08-22 [S]
> ssb rsa2048/AD92E667 2015-08-22 [E]
> ssb rsa2048/07DEFA25 2015-08-22 [A]
> ssb ed25519/
On 27/08/15 23:11, Robert J. Hansen wrote:
> For a 64-bit cipher, you'll probably wind up [...]
> A 128-bit cipher will begin to repeat after [...]
I think it's a good idea to stress you're talking about the block size,
not about the key size. Something like "a cipher with a 64 bit block size".
On 28/08/15 16:12, Johan Wevers wrote:
> I see this attitude a lot among software developers and it irritates me:
> drop support for "obsolete" features and still try to force everyone to
> upgrade, [...]
1.4 is fully supported, but occupies a niche. Support is not dropped, nobody
forces you to up
On 21/08/15 11:00, Peter Lebbing wrote:
> Does GnuPG (or GPG-Agent in 2.1) actually check that the challenge sent
> by the server is not a validly formatted OpenPGP signature or certification?
I should note that it is not possible for an SSH server to evoke a data
signature from gpg-agent r
On 21/08/15 11:31, Dongsheng Song wrote:
> But I still did't know why the master key have sign and certify
> capabilities in the default ?
I suppose because it doesn't hurt. They're both signatures in essence;
cryptographically they are the same and exchangable. The difference only
lies in the int
In the thread "The best practice of master/sub key capabilities",
Dongsheng Song asked for advice and gave an example where a master key
has both Certify and Authenticate set, and an example where a subkey has
both Sign and Authenticate set. I wrote in a reply in that thread:
> But it suddenly daw
On 20/08/15 17:01, Peter Lebbing wrote:
> Most importantly, it's generally advised not to do encryption and
> signing with the same key material.
This is just a general recommendation, and abusing the fact a key is
used for both encryption and signatures is an intricate matter. But
si
> When I create new master/sub key, in the following 2 choice, I'm
> wondering which is better?
I'd recommend the defaults as best practice. They're there for a reason.
Why are you restricting yourself to "the following 2 choices"? They both
seem ill-advised (and unusual as well). Most importantly
On 14/08/15 14:45, Dongsheng Song wrote:
> D:\>gpg -u "7547A8A9\!" --clearsign relay.txt
> gpg: skipped "7547A8A9\!": No secret key
> gpg: relay.txt: clearsign failed: No secret key
I think the escape of the exclamation mark might not be correct for Windows
shell usage.
> D:\>gpg -u "7547A8A9!"
On 12/08/15 20:55, Víctor Cuadrado Juan wrote:
> This seems like a bug.
The serial number is part of the application ID, it's not a bug. The one is
more verbose than the other. The AID ends in four zeroes, but the part before
that is the serial number and manufacturer ID.
HTH,
Peter.
--
I use
On 12/08/15 12:25, Mirimir wrote:
> I got that OP is migrating to new hardware, so I don't see why identical
> installations would be problematic.
Right, yes, then a full copy makes a whole lot more sense. I got thrown off by
the fact that the error message seems to indicate the key already existe
On 12/08/15 04:00, Mirimir wrote:
> It's simplest to just copy the gpg folder. Importing private keys is
> broken by design.
I don't think I agree with either statement. Copying the folder comes
with its own caveats: don't copy random_seed, and you might not want two
identical installations with r
601 - 700 of 1395 matches
Mail list logo
