Re: FAQ maintenance

2016-02-27 Thread MFPA
On Friday 26 February 2016 at 3:29:53 PM, Robert J. Hansen wrote: > "What do you *mean*, future keys will be expanding > to 64 characters?!" That could be mitigated against by switching from hexadecimal to, for example, base 32. Preferably

Re: FAQ maintenance

2016-02-26 Thread Doug Barton
On 02/26/2016 07:29 AM, Robert J. Hansen wrote: Why is it more resource intensive? It's far more intensive of a much more limited resource: user happiness. Normal users tend to find hexadecimal frustrating: "It's a *number*? But it uses A through F." This is something that only experience

Re: FAQ maintenance

2016-02-26 Thread Andrew Gallagher
On 26/02/16 15:29, Robert J. Hansen wrote: > > "It's a *number*? But it uses A through F." > > "I don't understand. Why do I need the long ID?" > > "Wait, now I need to use the *entire* fingerprint?" > > "You can't be serious: I need to give a 40-character serial number > whenever I need to id

Re: FAQ maintenance

2016-02-26 Thread Robert J. Hansen
> Why is it more resource intensive? It's far more intensive of a much more limited resource: user happiness. Normal users tend to find hexadecimal frustrating: "It's a *number*? But it uses A through F." "I don't understand. Why do I need the long ID?" "Wait, now I need to use the *entire*

Re: FAQ maintenance

2016-02-25 Thread Daniel Kahn Gillmor
On Thu 2016-02-25 09:50:57 -0500, Kristian Fiskerstrand wrote: > Well, it depends. Sure, should always use full fingerprint for > certificate validation etc, no question asked. But the internal keyid > and the packet structure use 64 bit keyid as identifier I consider it a bug that GnuPG uses th

Re: FAQ maintenance

2016-02-25 Thread Doug Barton
On 02/25/2016 06:50 AM, Kristian Fiskerstrand wrote: On 02/25/2016 02:38 PM, Peter Lebbing wrote: (If this feels like droning on to you, just stop reading and go do something fun!) On 2016-02-25 14:25, Kristian Fiskerstrand wrote: Now, the real question discussed here though isn't really col

Re: FAQ maintenance

2016-02-25 Thread Kristian Fiskerstrand
On 02/25/2016 08:30 PM, Peter Lebbing wrote: > On 25/02/16 20:24, Kristian Fiskerstrand wrote: >> 2.0 supports --batch --passphrase-fd 0 > > Oh! I must have mixed up some things. > > Thanks for the rectification! > > I think perhaps I was thinking

Re: FAQ maintenance

2016-02-25 Thread Peter Lebbing
On 25/02/16 20:24, Kristian Fiskerstrand wrote: > 2.0 supports --batch --passphrase-fd 0 Oh! I must have mixed up some things. Thanks for the rectification! I think perhaps I was thinking of entering a smartcard PIN, for which you do need a loopback pinentry (right??), and which was impossible t

Re: FAQ maintenance

2016-02-25 Thread Kristian Fiskerstrand
On 02/05/2016 12:23 PM, Peter Lebbing wrote: > Furthermore, I think a reasonably often asked question is "Why > can't I provide the password in a pipe to GnuPG anymore?". Old 1.4 > allowed this, but 2.0 is incapable of it and 2.1 needs a loopback >

Re: FAQ maintenance

2016-02-25 Thread Robert J. Hansen
> Yeah, the no validation mode of encrypt-to really does call for > prudence in this specific case If an attacker can control your gpg.conf file, there are so many worse things to do that it's hard for me to take this seriously. ___ Gnupg-users mailing

Re: FAQ maintenance

2016-02-25 Thread Peter Lebbing
On 25/02/16 19:11, Robert J. Hansen wrote: > If an attacker can control your gpg.conf file, there are so many worse > things to do that it's hard for me to take this seriously. I never, ever, once, argued the opposite. I sure hope you're not implying I am, or that Kristian is. If you recall, I tal

Re: FAQ maintenance

2016-02-25 Thread Kristian Fiskerstrand
On 02/25/2016 03:54 PM, Peter Lebbing wrote: > On 2016-02-25 15:50, Kristian Fiskerstrand wrote: >> (in particular in cases where action from yourself is required, >> default key for signing etc). > > I agree. Note that the discussed case, encrypt-t

Re: FAQ maintenance

2016-02-25 Thread Peter Lebbing
On 2016-02-25 15:50, Kristian Fiskerstrand wrote: (in particular in cases where action from yourself is required, default key for signing etc). I agree. Note that the discussed case, encrypt-to, silently encrypts to unvalidated keys that happen to be on a keyring. Just pick any key on your ke

Re: FAQ maintenance

2016-02-25 Thread Kristian Fiskerstrand
On 02/25/2016 02:38 PM, Peter Lebbing wrote: > (If this feels like droning on to you, just stop reading and go do > something fun!) > > On 2016-02-25 14:25, Kristian Fiskerstrand wrote: >> Now, the real question discussed here though isn't really >

Re: FAQ maintenance

2016-02-25 Thread Peter Lebbing
(If this feels like droning on to you, just stop reading and go do something fun!) On 2016-02-25 14:25, Kristian Fiskerstrand wrote: Now, the real question discussed here though isn't really collision but preimage attack, that is a different story and far more difficult :) Thanks for the li

Re: FAQ maintenance

2016-02-25 Thread Kristian Fiskerstrand
On 02/05/2016 01:34 PM, Robert J. Hansen wrote: >> If somebody can create a long-keyID-collision... > > That seems to be a big 'if' right now. Short collisions are easy; > long ones are nontrivial. Or did I miss something? https://www.ietf.org/ma

Re: FAQ maintenance

2016-02-25 Thread Lachlan Gunn
Le 2016-02-03 21:12, Robert J. Hansen a écrit : > Time for my semi-regular FAQ perusing and updating. I plan on updating > the FAQ to include a link to the FSF's email security guide, but that > seems like such an unobjectionable change I'm not going to kick it > around the list for pre-approval.

Re: FAQ maintenance

2016-02-05 Thread Peter Lebbing
On 05/02/16 13:34, Robert J. Hansen wrote: > Or did I miss something? No, I don't think so. But I was under the impression that for a while now, people were generally advised not to rely on the uniqueness of long key IDs. And since this seems to be all you rely on with encrypt-to, key validity no

Re: FAQ maintenance

2016-02-05 Thread Robert J. Hansen
> If somebody can create a long-keyID-collision... That seems to be a big 'if' right now. Short collisions are easy; long ones are nontrivial. Or did I miss something?

Re: FAQ maintenance

2016-02-05 Thread Peter Lebbing
On 05/02/16 13:06, Robert J. Hansen wrote: > What's the justification? If somebody can create a long-keyID-collision, and you download your own key by that key ID and also import the other one, they might be able to be the one that gets "encrypted-to", I think? Another way to get on your keyring

Re: FAQ maintenance

2016-02-05 Thread Robert J. Hansen
> Okay, I take that back, since section 8.7 clearly shows options you could put > in > gpg.conf :). I confess to some slight misdirection here. Is that a valid gpg.conf file? Sure. Will it get someone in trouble? Probably not. But is it needed? Not really. :) > Regarding that section, I t

Re: FAQ maintenance

2016-02-05 Thread Peter Lebbing
On 05/02/16 11:55, Peter Lebbing wrote: > In fact, "things to put in gpg.conf" would seem directly opposed to: Okay, I take that back, since section 8.7 clearly shows options you could put in gpg.conf :). Regarding that section, I think > # Always add these two certificates to my recipients list

Re: FAQ maintenance

2016-02-05 Thread Peter Lebbing
On 03/02/16 21:12, Robert J. Hansen wrote: > Beyond that, if there's anything > you've always thought the FAQ should mention, now's a great time to > suggest it. :) I just notice section 8.19. It says to verify a download: > gpg foo.zip.asc As became clear in this[1] discussion, you should alwa

Re: FAQ maintenance

2016-02-05 Thread Peter Lebbing
On 05/02/16 00:25, da...@gbenet.com wrote: > A list of do's and don'ts Don't use --expert > - weird and impracticable keys ... Don't use --expert ;P > common sense usage - common sense Stick to the defaults > things to put in your gpg.conf :) keyserver ... And that's it. Really. Having a l

Re: FAQ maintenance

2016-02-05 Thread Robert J. Hansen
> When the GnuPG default was not to show the key usage, I would have said: > unnecessary detail. In my opinion, in a very broad sense, the FAQ should be > aimed at people sticking to the defaults, not the people who tinker. Let me put on the maintainer hat and speak ex cathedra a moment: The FAQ i

Re: FAQ maintenance

2016-02-05 Thread Peter Lebbing
On 04/02/16 09:56, Robert J. Hansen wrote: > What say y'all? When the GnuPG default was not to show the key usage, I would have said: unnecessary detail. In my opinion, in a very broad sense, the FAQ should be aimed at people sticking to the defaults, not the people who tinker. But now GnuPG show

Re: FAQ maintenance

2016-02-04 Thread da...@gbenet.com
On 04/02/16 09:29, Robert J. Hansen wrote: >> Out of curiosity - have you reviewed the latest version of ESD? > > The FSF asked Patrick Brunschwig and me to review it prior to > publication. I don't know if Patrick turned in criticisms; I gave a > couple of pages' worth. I'm pleased with the end

Re: FAQ maintenance

2016-02-04 Thread da...@gbenet.com
On 04/02/16 08:56, Robert J. Hansen wrote: >> I propose to explain the different key in the keyring: > > As near as I can tell, this question isn't asked very frequently. If > the opinion of the list is that it is, though, I'll certainly add it. > What say y'all? > >

Re: FAQ maintenance

2016-02-04 Thread Robert J. Hansen
> Out of curiosity - have you reviewed the latest version of ESD? The FSF asked Patrick Brunschwig and me to review it prior to publication. I don't know if Patrick turned in criticisms; I gave a couple of pages' worth. I'm pleased with the end result.

Re: FAQ maintenance

2016-02-04 Thread Robert J. Hansen
> I propose to explain the different key in the keyring: As near as I can tell, this question isn't asked very frequently. If the opinion of the list is that it is, though, I'll certainly add it. What say y'all?

Re: FAQ maintenance

2016-02-03 Thread Antoine Michard
Hi Robert, It's a great idea to update the FAQ. I propose to explain the different keys in the keyring: - C for Certify. This key certifies all other keys in your keyring - E for Encrypt. It's used for encryption/decryption. Be aware with the encryption subkey. - S for Sign. This key is used to sign docum

Re: FAQ maintenance

2016-02-03 Thread Ineiev
On Wed, Feb 03, 2016 at 03:12:59PM -0500, Robert J. Hansen wrote: > Time for my semi-regular FAQ perusing and updating. Gorgeous! > I plan on updating > the FAQ to include a link to the FSF's email security guide, Out of curiosity - have you reviewed the latest version of ESD?

FAQ maintenance

2016-02-03 Thread Robert J. Hansen
Time for my semi-regular FAQ perusing and updating. I plan on updating the FAQ to include a link to the FSF's email security guide, but that seems like such an unobjectionable change I'm not going to kick it around the list for pre-approval. Beyond that, if there's anything you've always thought

Re: Question about FAQ maintenance

2015-07-09 Thread Bernhard Reiter
On Wednesday 08 July 2015 at 17:45:55, Robert J. Hansen wrote: > I have a small update to the FAQ that's ready to be pushed, but I'm held > back slightly by my lack of comfort with org-mode (the format used for > the FAQ). Cool, please push it. (And think about adding a version information.) > Th

Re: Question about FAQ maintenance

2015-07-08 Thread Robert J. Hansen
> Is this still true? My suggestion would be to add some date indication > so that readers can assume which version of the FAQ they are looking > at. I have a small update to the FAQ that's ready to be pushed, but I'm held back slightly by my lack of comfort with org-mode (the format used for the FA

Re: Question about FAQ maintenance

2015-07-07 Thread Robert J. Hansen
First, the good news: yes, I did receive your emails about the FAQ. Second, the bad news: I'm on vacation and won't be responding to them for another couple of days. I haven't vanished, I'm just on holiday. :)

Re: Question about FAQ maintenance

2015-07-03 Thread Werner Koch
On Fri, 3 Jul 2015 11:01, bernh...@intevation.de said: > Is this still true? My suggestion would be to add some date indication > so that readers can assume which version of the FAQ they are looking at. There is just one official version and that is at https://gnupg.org - Documentation - FAQs, or:

Question about FAQ maintenance

2015-07-03 Thread Bernhard Reiter
Hi Robert, again thanks for maintaining the GnuPG FAQ, I believe it is really important to have good quality source for frequently needed answers! Some suggestions: https://gnupg.org/faq/gnupg-faq.html says | When was this FAQ last checked for accuracy? | October 2012. Is this still true? My sug