Re: Changing the email address of a key
Using the primary key was what I tried first. But when I saw the error message signing failed, I thought I'd have to force the proper signing subkey, like I have to do for signing emails. My setup is more or less the following: http://wiki.fsfe.org/Card_howtos/Card_with_subkeys_using_backups with the addition of a sub key for ssh authentication: http://www.programmierecke.net/howto/gpg-ssh.html - section with smartcard (openpgp) Rgds Richard $ gpg --edit-key 0AE275A9 gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Secret key is available. pub 2048R/0AE275A9 created: 2012-08-07 expires: 2022-08-05 usage: SC trust: ultimate validity: ultimate sub 2048R/8760DB3E created: 2012-08-07 expires: never usage: E sub 2048R/E8401492 created: 2012-08-07 expires: never usage: S sub 2048R/5A097EF6 created: 2012-08-07 expires: never usage: S sub 2048R/EC980139 created: 2012-08-07 expires: 2022-08-05 usage: E [ultimate] (1). Richard Ulrich (ulrichard) richi...@gmail.com gpg adduid Real name: Richard Ulrich Email address: ri...@paraeasy.ch Comment: ulrichard You selected this USER-ID: Richard Ulrich (ulrichard) ri...@paraeasy.ch Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o gpg: secret key parts are not available gpg: signing failed: general error $ gpg --list-keys /home/richi/.gnupg/pubring.gpg -- pub 2048R/0AE275A9 2012-08-07 [expires: 2022-08-05] uid Richard Ulrich (ulrichard) richi...@gmail.com sub 2048R/8760DB3E 2012-08-07 sub 2048R/E8401492 2012-08-07 sub 2048R/5A097EF6 2012-08-07 sub 2048R/EC980139 2012-08-07 [expires: 2022-08-05] $ gpg --card-status Application ID ...: D276000124010205115F Version ..: 2.0 Manufacturer .: ZeitControl Serial number : 115F Name of cardholder: Richard Ulrich Language prefs ...: de Sex ..: male URL of public key : [not set] Login data ...: [not set] Private DO 1 .: [not set] Private DO 2 .: [not set] Private DO 3 .: [not set] Signature PIN : not forced Key attributes ...: 2048R 2048R 2048R Max. PIN lengths .: 32 32 32 PIN retry counter : 3 0 3 Signature counter : 6 Signature key : 6555 FA9F AEEF 386C 50E2 7AE1 02EC 6014 E840 1492 created : 2012-08-07 19:01:59 Encryption key: 3A6C CF0A C29F 3DFC 60AF DCCE 31AA D811 8760 DB3E created : 2012-08-07 19:00:54 Authentication key: 2C12 F55B 69D3 088E BFD9 C010 BABF AE12 5A09 7EF6 created : 2012-08-07 19:04:12 General key info..: pub 2048R/E8401492 2012-08-07 Richard Ulrich (ulrichard) richi...@gmail.com sec# 2048R/0AE275A9 created: 2012-08-07 expires: 2022-08-05 ssb 2048R/8760DB3E created: 2012-08-07 expires: never card-no: 0005 115F ssb 2048R/E8401492 created: 2012-08-07 expires: never card-no: 0005 115F ssb 2048R/5A097EF6 created: 2012-08-07 expires: never card-no: 0005 115F On Mi, 2012-08-29 at 14:11 +0200, Peter Lebbing wrote: On 29/08/12 13:53, Richi Lists wrote: I can't get it to work wether I try it on the primary or the sub key and whether I use gpg or gpg2. [...] $ gpg2 -v --edit-key E8401492! [...] gpg: using subkey E8401492 instead of primary key 0AE275A9 Secret key is available. Why are you forcing using the subkey? An UID is /always/ on the primary key, it makes no sense to make an UID on the subkey. I think. Simply losing the exclamation mark should fix it, or just specify $ gpg2 --edit-key 0AE275A9 Also, apart from UIDs on subkeys making no sense, it would seem to me that an UID needs to be bound with a Certification-capable signing key, whereas your signing subkey E8401492 can only make signatures on data. That's probably why GnuPG says: gpg: signing failed: Unusable secret key Although it could also be that the secret part for that subkey is simply not available? I'm not sure whether the secret key is available message I quoted above pertains to the primary key or the secret subkey you forced on the command line. If you still have problems after this explanation, please provide more data about your setup. You have two encryption subkeys, two data signature subkeys, and GnuPG complains that there are secret parts missing. It will be a lot easier to help you if you can explain what pieces of data are where :). Peter. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Changing the email address of a key
On 30/08/12 10:25, Richi Lists wrote: Using the primary key was what I tried first. But when I saw the error message signing failed, I thought I'd have to force the proper signing subkey, like I have to do for signing emails. My setup is more or less the following: http://wiki.fsfe.org/Card_howtos/Card_with_subkeys_using_backups with the addition of a sub key for ssh authentication: http://www.programmierecke.net/howto/gpg-ssh.html - section with smartcard (openpgp) The thing is that for a new UID, you need the, what they call, master key. That would be the primary key. So when you followed the instructions under the heading Remove the master key from the keyring, you where after that unable to use your master/primary key to create a new UID. So you go back a little in the document to the part where you had your USB stick with the primary key and all subkeys guarded by Orcs or some other fearsome creature. Plead with the creature to have your USB stick back, once again follow the section Go offline, import your primary key from the USB stick (wipe away the Orc spittle before inserting; ignore the chew marks on the protective cap). After you have created the new UID with the primary key and exported the whole to the USB stick, re-remove the primary key from the system. Oh, by the way, the reason you need the exclamation mark to specify which key to use to sign is because you have two signing keys. Apparently GnuPG tries it with the one you don't have the secret part for if you don't give the exclamation mark. But bear in mind the difference between a signature on a key(/UID) and on data. The signing subkey is for signatures on data. Good luck, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Web-based pinentry
- Original Message - From: Michael Gauthier m...@silverorange.com To: gnupg-users@gnupg.org Cc: Michael Gauthier m...@silverorange.com Sent: Wednesday, August 29, 2012 7:32 PM Subject: Web-based pinentry As of GnuPGv2, the --command-fd method of passing passphrases no longer seems to work. Is there an alternative I can use so that the pin entry interface is still a webpage? Please let me know what I can use to handle pin-entry in a web-based system. If I have understood correctly, in gpg2, in such cases you are supposed to use no passphrase at all. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: what is killing PKI?
MFPA expires2...@rocketmail.com wrote: What I should have added here, is that it's a symmetric relation, and people normally don't like to exclude others, as well. Avoiding others is not a trait of _usual_ _social_ behaviour, There are innumerable clubs that require membership in order to participate. This indicates that avoiding/excluding others *is* a well-established usual social behaviour. We don't have All People Haters' clubs. :-) Well, I cannot explain how the whole society works. But I would like to add just a few points. Clubs can be divided into common interest (inclusive), and elitist (exclusive), or mix thereof. The former ones (like ours, gnupg-users) accept anybody, but may need to defend themselves against trouble makers; some may require membership, but anyone can have it if he sticks to the rules. If someone from outside, or a member, starts attacking other members, only then he's punished by exclusion. In the latter case - I can't say too much, I haven't belonged to any, but I can imagine such a conversation: - Hello Fred, I'm so glad I'm here with you, you're so elite! - Oh, Barney, you always exaggerate, our club would be nothing without you! The point is you cannot be an elite alone, you need a little society of other elite persons around you, and you need to care for them; IOW you need to be social within an otherwise unsocial group. Last, but not least, I wouldn't call elitism a usual behaviour (like people normally behave in my village, or in yours), and definitely not social. On YT there used to be an interview with R. Feynman in which he tells how much he hated one elite students' club he once fell into. Excluding others is considered so anti-social, that it is plainly illegal in some countries to set up an openly men-only club, or women-only cafe (they'll fall into anti-discrimination laws). Regards, Stan. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: what is killing PKI?
Faramir faramir...@gmail.com wrote: El 28-08-2012 18:27, Stan Tobias escribió: Right, that was my point. From your previous message, I got the idea you suggested if we want to use buses, we must use them, if we want privacy, we must send clear text messages and claim don't read them!. But it can only work if we get aware about people violating our rights. No. We send letters and postcards, we cannot guarantee that nobody reads them, we cannot know if anybody reads them, and yet we can talk about Privacy. With email messages that is not the case (unless people disclosure things they saw on the messages). Privacy predates computers. It's a concept we try to extend into our digital world. We require others not to read e-mails (without an important reason), _by extension_, just as nobody is allowed to open our envelopes. By sending messages in the clear, we keep the issue *alive*, we discuss it, we test it, we complain, we get offended sometimes. Suppose, our computers were impenetrable and all our communications encrypted. Nobody, not even governments, can read anything we post. Are we better off? JUDITH: Here! I-- I've got an idea. Suppose you agree that he can't actually have babies, not having a womb, which is nobody's fault, not even the Romans', but that he can have the right to have babies. FRANCIS: Good idea, Judith. We shall fight the oppressors for your right to have babies, brother. Sister. Sorry. REG: What's the point? FRANCIS: What? REG: What's the point of fighting for his right to have babies when he can't have babies?! (source: http://montypython.50webs.com/scripts/Life_of_Brian/8.htm) I can envisage a politician comes up one day with an idea: We have total digital privacy now, digital privacy laws are no longer relevant. Let's abolish them! By extension, if we don't protect digital messages, why should we protect letters? Keeping laws is so costly. Let there be no privacy laws at all! After all, we don't take privacy from Johnny, he can always email his granny, instead of sending a postcard, right? Are we still better off? Ok, my fault, I was talking about privacy and not about her rights. I understand that the word privacy used in jargon, word cliches, language phrases, and has different meanings. It sometimes is a difficulty for me, too. Wikipedia says: The term privacy means many things in different contexts. I tried to identify and define Privacy as a *value* in our lives, which the society protects; in this sense I use the word in this thread. I don't know if my vague description was the best one, I just couln't come up with anything better. And I don't mean to pretend I have a complete understanding of it. Regards, Stan T. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: what is killing PKI?
On Thu, Aug 30, 2012 at 02:12:50PM +0200, Stan Tobias wrote: MFPA expires2...@rocketmail.com wrote: What I should have added here, is that it's a symmetric relation, and people normally don't like to exclude others, as well. Avoiding others is not a trait of _usual_ _social_ behaviour, There are innumerable clubs that require membership in order to participate. This indicates that avoiding/excluding others *is* a well-established usual social behaviour. We don't have All People Haters' clubs. :-) This is why jokes about anti-social networks are so much fun. Well, I cannot explain how the whole society works. But I would like to add just a few points. Clubs can be divided into common interest (inclusive), and elitist (exclusive), or mix thereof. I would argue that this division cannot be done. Associations always include some and exclude others. The former ones (like ours, gnupg-users) accept anybody, but may need to defend themselves against trouble makers; ^ inclusive ^ ^ exclusive^ some may require membership, but anyone can have it if he sticks to ^ inclusive ^ ^ exclusive the rules. If someone from outside, or a member, starts attacking other ^ members, only then he's punished by exclusion. The NSDAP or the Ku Klux Klan were quite inclusive of anyone who believed that certain racial and ethnic groups should be excluded from society. The difference (aside from methods of exclusion!) lies in the nature of the discriminator function. In the latter case - I can't say too much, I haven't belonged to any, but I can imagine such a conversation: - Hello Fred, I'm so glad I'm here with you, you're so elite! - Oh, Barney, you always exaggerate, our club would be nothing without you! The point is you cannot be an elite alone, you need a little society of other elite persons around you, and you need to care for them; IOW you need to be social within an otherwise unsocial group. Indeed: all purely exclusive clubs' memberships are identical to the null set. :-) Last, but not least, I wouldn't call elitism a usual behaviour (like people normally behave in my village, or in yours), and definitely not social. On YT there used to be an interview with R. Feynman in which he tells how much he hated one elite students' club he once fell into. Excluding others is considered so anti-social, that it is plainly illegal in some countries to set up an openly men-only club, or women-only cafe (they'll fall into anti-discrimination laws). Certain elitisms are usual, accepted, and beneficial. I would not be at all surprised to find that I am barred from membership in the American College of Physicians and Surgeons, since I am not and never have been either a physician or a surgeon. I couldn't just walk into the NSA, take a seat, and ask for some interesting crypto work to do; there are qualities they would expect me to possess before I would be accepted, and I would think they were doing a poor job if they did not enforce those requirements. No, it's only anti-social to exclude people for particular kinds of reasons. If someone joined your chess club, but never played chess and always wanted to talk about nothing but soccer at the meetings, sooner or later someone would ask him to leave. Excluding someone because he doesn't share the interest or aims of the group is accepted; excluding someone because he doesn't share the race, ethnicity, gender, etc. is (widely, but not universally) unaccepted. Often it comes down to whether or not *anyone* could make himself acceptable to the discriminator function if he wished. Yes: function is acceptable; no: function is not acceptable. Within that there are degrees of acceptability depending on the cost of the changes that might be required, so requiring certain body piercings or religious affiliations makes us more uneasy than requiring that someone show a genuine interest in the topic of the group. This is not a perfect fit; the issue is quite complex. But I think it's a usable first approximation. To draw this back toward security and privacy through crypto: I think it's natural and usual to want to exclude some from our communications. I want to exclude thieves from the set of people having access to my banking credentials, for obvious reasons. I want to exclude just about everyone from my more intimate conversations with my wife -- we feel comfortable being vulnerable in the presence of those who love us, but uncomfortable showing that same vulnerability to others. In every society there are questions it would be highly improper for a stranger to ask, often for good reasons, and it is legitimate for us to employ appropriate tools to protect our propriety. -- Mark H. Wood, Lead System Programmer mw...@iupui.edu Asking whether markets are efficient is like asking whether people are smart.
Re: what is killing PKI?
On Wed, Aug 29, 2012 at 03:14:50PM -0400, Landon Hurley wrote: [snip] I do have a question about where you talk about backups though. How does PKI prevent back up loss? If I can prove that I possess my password without ever disclosing that password to my correspondent, he never has my password and can't have it lost or stolen. Three can keep a secret, if two of them are dead. It doesn't prevent backup loss; it eliminates the cost to me should some vendor's backups go astray. No one can learn my secrets from people who never had them. I only have to disclose my public key, which is not secret, to my correspondents; my private key never leaves my equipment unless someone penetrates *my* system or steals *my* backups. -- Mark H. Wood, Lead System Programmer mw...@iupui.edu Asking whether markets are efficient is like asking whether people are smart. pgpTR4FFzpmy7.pgp Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: what is killing PKI?
On Thu, Aug 30, 2012 at 10:33:32AM -0400, Mark H. Wood wrote: On Wed, Aug 29, 2012 at 03:14:50PM -0400, Landon Hurley wrote: [snip] I do have a question about where you talk about backups though. How does PKI prevent back up loss? If I can prove that I possess my password without ever disclosing that password to my correspondent, he never has my password and can't have it lost or stolen. Three can keep a secret, if two of them are dead. It doesn't prevent backup loss; it eliminates the cost to me should some vendor's backups go astray. No one can learn my secrets from people who never had them. I only have to disclose my public key, which is not secret, to my correspondents; my private key never leaves my equipment unless someone penetrates *my* system or steals *my* backups. More to the point: my passphrase never leaves my equipment and isn't recorded anywhere outside my brain. You can only get it by getting inside my computer. That's not perfect but I like it a lot better than the current setup. -- Mark H. Wood, Lead System Programmer mw...@iupui.edu Asking whether markets are efficient is like asking whether people are smart. pgpSYdkadv9Pv.pgp Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Web-based pinentry
On Wed, 29 Aug 2012 18:32, m...@silverorange.com said: Please let me know what I can use to handle pin-entry in a web-based system. For exact that reasons (the original requester was building a student webmail system), GnuPG has a feature to make this easy. What you need to do is to provide a script which acts as the pinentry and asks the user for the passphrase. To control that script you set the environment variable PINENTY_USER_DATA to what ever value you need to control it. The variable is then passed all the way from your application via gpg to the pinentry. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Pseudonym (was Re: what is killing PKI?)
No such Client wrote: With due respect Mr Lebbing, my initial post - http://lists.gnupg.org/pipermail/gnupg-users/2012-August/045291.html was in response to Mr. Hansen´s post http://lists.gnupg.org/pipermail/gnupg-users/2012-August/045269.html which (from my perspective) was exceedingly rude, and arrogant. I wondered why the same company that castigates me for being rude, or insulting allows one with a ¨real name¨ to disparage another member. Not a double standard at all eh? So yes, I was intentionally rude with Mr. Hansen , (and only him afaik) as he was quite offensive to Mr. Segment.. Odd that only you seemed to find Rob's remarks offensive, and exceedingly at that. But then again, only you stooped to argumentum ad hominem. Peter Segment was not under attack, only the ideas he presented were being challenged. It's great for one to hypothesize a new idea, but with no data for support and by disagreeing with a couple decades of peer-reviewed research, then yes it's not going to be taken very seriously especially by those with academic and/or professional experience in the field. Trying to discount a research paper because of its age (when later papers reach substantially the same conclusions) is akin to want to toss legal precedent because the case was decided 100 years ago. Your use of a pseudonym does not devalue your words. Your use of personal attack does. Anonymity used in that fashion reminds me of SlashDot's Anonymous Coward moniker. You were rude to Rob. I do not know how many others on the list also found your behavior rude. (Full Disclosure: I enjoyed it. Sometimes people learn with a taste of their own medicine.. ) So it is understandable if Mr. Hansen does not hold me in the highest regard. However that is between us. Others here should promote mutual respect of all members, and not selectively attack new members, while allowing the ¨old guard¨ to speak as they like to other members with impunity. Your glee says even more about you than just the words you used to attack Rob. BTW, saying in your attack that Robert J. Hansen and Robert P. Hanssen were the same name also adds to your level of credibility. I guess you were also unaware that Rob has pointed this similar name thing out several times both here and on other crypto lists. Rude as it was, it was also entertaining. I found the example of sending 30 Israeli academics to Iran to be quite entertaining in its naïveté. I imagine details like lawfully securing visas or passing Customs were forgotten in haste to insult. This forum has always provided mutual respect to posters, but ideas are ideas, they are not people. The Old Guard, as you describe us, tend to be rather patient with new members often patiently re-answering frequently asked questions and pointing to other sources of information. I've seen much worse behavior on some other lists. I doubt Rob gives you or your words much thought or regard. He and I are both experienced of much more vociferously phrased attacks from academic realms than his corrections on why people do not avail themselves of crypto. But typically in those cases we've experienced, the attacker is buying the second pitcher of beer later in the day (depends on whether he has tenure). We are taught to attack and challenge _ideas_ especially new or unproven ones. It's how weaknesses or fallacies in a theory are exposed. It's the way peer-review works. It's the way science works. -- John P. Clizbe Inet: John (a) Gingerbear DAWT net SKS/Enigmail/PGP-EKP or: John ( @ ) Enigmail DAWT net FSF Assoc #995 / FSFE Fellow #1797 hkp://keyserver.gingerbear.net or mailto:pgp-public-k...@gingerbear.net?subject=HELP Q:Just how do the residents of Haiku, Hawai'i hold conversations? A:An odd melody / island voices on the winds / surplus of vowels signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
GnuPG 1.4.12
I'm having trouble with GnuPG on Windows 2008 R2. Exported Public key to 3rd party, but when the send file I receive the following error: Error: Can't check signature: public key not found. Any Suggesting? Bill Batte bba...@slgfa.org ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
[no subject]
Of the five or so papers that I red, the one entitled Why Johnny Cant Encrypt was very good. After I read the paper I did my first implementation of PKI with Thunderbird, Enigmail and Mozilla and Yahoo. I found my self remembering bits and parts of this forum as well as prior experience in setting up PKI infrastructure in a lab. I also began to draw certain references from studying topics such as elliptical encryption and other security related issues. All of us are new in this post 911 cyber environment and the controls are still being implemented to monitor the people that protect our national cyber infrastructure. Accountability seems to increase when the data is encrypted as opposed to plain text. I am examining Finance House applications of PKI to establish identity (not hide it) so that transaction might be verifed with due diligence. This seems to be a certificate issue. If the certificate issuers are issuing certificates with reasonable due diligence then such transactions are reasonable. It is my opinion that certificates issued merely upon sending in a jpeg of your passport are not sufficient due to the capabilities of photo shop and the like. Thus predicating identity upon easily altered JPEGS does not demonstrate reasonable due diligence in order to cross reference to the Specially Designated National List and determine whether the access of the capitol is from Listees. Thank you for your time. Frank Spruill1701 Light StreetBaltimore MD 21230 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Web-based pinentry
yyy yyy at yyy.id.lv Thu Aug 30 12:48:45 CEST 2012 As of GnuPGv2, the --command-fd method of passing passphrases no longer seems to work. Is there an alternative I can use so that the pin entry interface is still a webpage? Please let me know what I can use to handle pin-entry in a web-based system. If I have understood correctly, in gpg2, in such cases you are supposed to use no passphrase at all. Where can I find documentation that recommends not using a passphrase? My understanding is a passphrase is important to protect private keys in the event they are acquired: http://www.gnupg.org/gph/en/manual/c481.html#AEN506 If I don't use a passphrase, how should I protect my key (other than making it difficult to physically access)? Cheers, Mike ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: what is killing PKI?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 I see. I wasn't thinking in terms of stolen password caches, just general financial record data or whatever other operation data maybe be backed up. Much clearer now. Gratzie, Landon - Original Message From: Mark H. Wood mw...@iupui.edu Sent: Thu Aug 30 10:39:58 EDT 2012 To: gnupg-users@gnupg.org Subject: Re: what is killing PKI? On Thu, Aug 30, 2012 at 10:33:32AM -0400, Mark H. Wood wrote: On Wed, Aug 29, 2012 at 03:14:50PM -0400, Landon Hurley wrote: [snip] I do have a question about where you talk about backups though. How does PKI prevent back up loss? If I can prove that I possess my password without ever disclosing that password to my correspondent, he never has my password and can't have it lost or stolen. Three can keep a secret, if two of them are dead. It doesn't prevent backup loss; it eliminates the cost to me should some vendor's backups go astray. No one can learn my secrets from people who never had them. I only have to disclose my public key, which is not secret, to my correspondents; my private key never leaves my equipment unless someone penetrates *my* system or steals *my* backups. More to the point: my passphrase never leaves my equipment and isn't recorded anywhere outside my brain. You can only get it by getting inside my computer. That's not perfect but I like it a lot better than the current setup. - -- Mark H. Wood, Lead System Programmer mw...@iupui.edu Asking whether markets are efficient is like asking whether people are smart. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users - -- Violence is the last refuge of incompetence. -BEGIN PGP SIGNATURE- Version: APG v1.0.8 iQJBBAEBCgArBQJQP7JPJBxMYW5kb24gSHVybGV5IDxsanJodXJsZXlAZ21haWwu Y29tPgAKCRA3qYf9H1SVrG3aD/9KhBl5KuuSI+t/pIIY9x9SciHGEINgD56yoB7N kPnbNSjjV6WAarht1nt4rUnR0noejyeLEzPpIQM5UxLae+M7vg/1BUB0wgSGp6YB 5z7XZ3GMjee3aMlKEbANVIEQDYhtY35M/zxrO+9fAsEeIBYOqV4DIncd4UzhUyZF u1FIpc6wrqU0hd6cBq77umK38FSSLULh4lAvwiIyEcpNGN0YkdRxkkug1DpOXNd3 F05mEQEmlhTC7YKnuetFjisVIqS1shSArC8/g/5VkhSvLKm5K17qXi72buzIhgzY huK0Wk82FQHz5WT/hsL79Ek8mNiTA5vH62QG1ZMaNfHJNveenQYinxVfnl/B4rh6 3yyLRlST5iT5t0BV4HvRm+0v/T/ZeLmLd7S109xwtC5X23LiyEr2PK6UBqRlewPM eAvzM78aQ0z4Orp5/B5N7zXHpB8jSvVyQgYtKSxUIENmkn/WNyzZNGrRUYsMxLuy eIWyxnhR47Mfm1WFHwoQrfwDqEldH/2HjFArdq9KtMec1mwD5maAhL6XN1Z5XBVM 758GuqeR+7WIUZUoCEAIV7BYsHMCs9betYU1y+euJMNk2D9F5JtzPBallWDmPbFb m/5NBcW9rg2dneqKLA47m8YcMz17cCTXYLb95IPqXuZv6+sfnjLeg00HJp0v8/hI J1Eotw== =ijlC -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: what is killing PKI?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi On Thursday 30 August 2012 at 7:34:56 PM, in mid:8723caa5-4796-4f49-bbf3-4c933fdca...@email.android.com, Landon Hurley wrote: More to the point: my passphrase never leaves my equipment and isn't recorded anywhere outside my brain. You can only get it by getting inside my computer. Or by using a discrete surveillance camera to watch your key presses. Or how about social engineering, alcohol, pillow talk, hypnosis, rubber hose attack, etc.? - -- Best regards MFPAmailto:expires2...@rocketmail.com Dreams come true on this side of the Rainbow too! -BEGIN PGP SIGNATURE- iQCVAwUBUD/eeqipC46tDG5pAQqQ0AP/ab6FfG83lyvz4tT+hT3R9AUdbzsTbvMi gfn42wAjbh7B0VmZ0kJk1eUnUWIlaH5j/zOJtCdfMgRNMgXoSo409HoyYKujMvvy KYSBhRBmDFKBM0Oe/INaQuIhytic1rNYOb5EoefdtLfoAKPs+7qADMtYcYhWTf8P vXdi8aCerA0= =V56r -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GnuPG 1.4.12
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi On Thursday 30 August 2012 at 6:33:38 PM, in mid:e6947082a8a17143bc9e1415d5ba086702832...@mercury.slgfa.org, Bill Batte wrote: I'm having trouble with GnuPG on Windows 2008 R2. Exported Public key to 3rd party, but when the send file I receive the following error: Error: Can't check signature: public key not found. Any Suggesting? Bill Batte bba...@slgfa.org That error message suggests that you are unable to check the third party's signature because you do not have a copy of their public key on your keyring. Has the third party sent you their public key? If so, have you imported it into your keyring? - -- Best regards MFPAmailto:expires2...@rocketmail.com When you're through changing, you're through -BEGIN PGP SIGNATURE- iQCVAwUBUD/gvaipC46tDG5pAQoD5gQAl4I1n/HSvDlhhM75Vq3ao/wR1YYaLaTs wMAQ/WASRIoYPCdkERuqTCh5qIVcsp7O3534VgUdZ/s/Hwepi+qlijhU0PU2jDBB 05yqQ5lSg/1LhPVcHUKTcDPv6GePgfYWKCAA+ezcVsdiREC14xn/T1IrTtX12a1B FlD0IlxogfQ= =GZEB -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Pseudonym (was Re: what is killing PKI?)
As much as I am trying to put this dog to rest, allow me to (politely) retort. Odd that only you seemed to find Rob's remarks offensive, and exceedingly at that. I was not the only one to find them offensive. The only one brave enough to address the fact, and careless enough to do so knowingly making me the bad guy, and callous enough to reciprocate rudeness in the intentional knowledge that it would influence my reputation. And trust tends to go along with reputation. Your name, whether real or imagined, is still what commands respect or sneers. But then again, only you stooped to argumentum ad hominem. aye sir. Peter Segment was not under attack,only the ideas he presented were being challenged. Perhaps he was not personally under attack, however the way that you speak to people (see respect) matters. Even if Mr.Hansen had evidence, that is no excuse to rudely dismiss another in such a way that brings them public shame and puts Mr.Segment in a fight/flight position. (if peter had responded to defend his name (see respect), it may have led to animosity. If he did not, he may be seen as weak, or conceding the high-ground to Mr. Hansen. In the course of human events, conflicts have started for far less. Since Mr. Segment did not respond, no one else (at least publically) knows of his position regarding the matter. However just because one has evidence does not mean you can speak to anyone however ye like and claim that the evidence gives you the right to ignore the emotional side of people. Trust, respect, and the other social values are at the root of it, emotionally-based. As rational as people may try to appear, even they are driven by emotions at their core. That should not be undermined. That is the principle which Mr.Hansen dismissively ignored for Mr.Segment, and why I (a third party, who has no knowledge, relationship, nor affiliation with Mr.Segment in any way) could justify speaking to Mr. Hansen in such a way. It's great for one to hypothesize a new idea, but with no data for support and by disagreeing with a couple decades of peer-reviewed research, then yes it's not going to be taken very seriously especially by those with academic and/or professional experience in the field. Of course not. However even if it is not taken seriously, notification of such could surely be done in a more polite way? If everyone else in effect states their opinion,as many postings lack the peer-reviewed research, why should Mr.Segment be arbitrarily held to a higher standard when it suits one person? I will quote a few passages, all which oddly enough are lacking the evidence coming from a formal usability study, peer-reviewed journal to reinforce my point Mr.Clizbe. http://lists.gnupg.org/pipermail/gnupg-users/2012-August/045261.html / / /The problem you are talking about is routine. I faced it when I was the chief sysadmin for a law firm and deployed GnuPG to 150+ desktops. Pretty much anyone who has ever deployed GnuPG and/or PGP has faced it. Solutions to this problem exist, are well-known, and pretty thoroughly tested. Deploying PKI is nowhere near as big of a problem as convincing people I think the other 99% deserve better. And if you draw the line anywhere in between, then you're adopting my position but just quibbling over precisely where you want the line to be drawn. (T)hat PKI adds benefit to their lives./ Perhaps my reading comprehension skills are lacking, however I fail to see any of the above quotes (all authored oddly enough by Mr. Hansen) as having any of the evidence that he (seemingly arbitrarily) prosecutes Mr.Segment for failing to provide. Is this a valid evidence of hypocrisy? I will allow the fellow readers of the thread to join together in peerage to review such evidence for themselves. Trying to discount a research paper because of its age (when later papers reach substantially the same conclusions) is akin to want to toss legal precedent because the case was decided 100 years ago. Agreed. How is this relevant to the point of mutual respect or even the topic? Your use of a pseudonym does not devalue your words. I consider myself fortunate that you Sir, are of an open mind. Your use of personal attack does. Ah yes now I understand!, Without evidence, I am stating opinions and pet theories , however with evidence, I can legitimately speak to anyone as dismissively as I please and call this an academic exchange of ideas!. (which is strictly impersonal, as evidence is what matters ja? ) Anonymity used in that fashion reminds me of SlashDot's Anonymous Coward moniker. You were rude to Rob. I do not know how many others on the list also found your behavior rude. Well, how about if i (hypothetically) told you that : / I really don't care what your pet theory is until such time as you get out into the field, do a formal usability study, write up the results and get them accepted to a peer-reviewed journal. Once you do that, I
Ideas and criticism (was Re: Pseudonym?)
I'm going to be (mostly) staying out of this one, but I think I may have a couple of useful remarks here -- But typically in those cases we've experienced, the attacker is buying the second pitcher of beer later in the day (depends on whether he has tenure). I can't speak about any institutions other than the ones I've worked at: but in both graduate school and my employers since, if Alice is able to demonstrate to Bob that his cherished idea is faulty, Bob buys Alice a beverage -- not as a way of acknowledging Alice's victory, but as a way of expressing a tangible thank-you to Alice for helping Bob become better at his task. This principle is not modern: it's about as old as the hills. You can even find it in the Tanakh: As iron sharpens iron, so a friend sharpens a friend. (Mishlei 27:17) We are taught to attack and challenge _ideas_ especially new or unproven ones. It's how weaknesses or fallacies in a theory are exposed. It's the way peer-review works. It's the way science works. Consider a high school student who's wracked with self-doubt over asking a pretty girl out: will she say yes? Will she say no? This student is so wrapped around the axle over the answer that by the time he finally gets up the nerve to ask her out they're already facing 30 and are meeting up at their ten-year high school reunion. The student cares more about the answer, and what the answer says about *him*, than he cares about what the answer is, or for that matter ever getting an answer in the first place. If I, today, at age 37, could go back in time 20 years and give myself at age 17 some advice, I'd say, Just ask her out already. Maybe she'll say yes. Maybe she'll say no. Either way, you'll have your answer and you'll go on with your life. Please stop wrapping your self-worth up in decisions that other people will make. It's really easy for us to think that if we get rejected for a date, that it somehow means we're defective or faulty or something. And that's crazy: rejection is about as personal as junk email. The first dozen times or so it stings, then you get really good at laughing over it, and then you lose your fear of rejection and you start having a lot more success. Who cares if you get rejected a hundred times if it means that on your hundred-and-first try you wind up having the cup of coffee that ultimately turns into the next sixty years and three kids? Likewise with ideas. It's really easy for us to think that if our ideas get rejected, that it somehow means we're stupid or idiots or foolish or something. And that's just as crazy: a bad idea just means that you had a bad idea. The first dozen or so times it stings. Then you get really good at laughing over it, and the next thing you know you've unleashed a hundred bad ideas on the world... and one really, really good one that people will be talking about for years to come. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: what is killing PKI?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 I think Mark actually wrote that originally, in response to my query about what he meant regarding backup. Just in case that was me originally though, that list all breaks down to social engineering and rubber hose cryptanalysis. I'd assume though that the number of people who discuss PKI as pillow talk must be pretty low. Alcohol is a potential security risk I suppose. I've given lectures on worse when drunk. Hypnosis is ridiculous though. Not going to work. As for rbc and remote surveillance, you're done for. All but the last would still require access to the key as well though, assuming they don't have a problem torturing and stealing your laptop. Landon - Original Message From: MFPA expires2...@rocketmail.com Sent: Thu Aug 30 17:43:13 EDT 2012 To: Landon Hurley on GnuPG-Users gnupg-users@gnupg.org Cc: Landon Hurley ljrhur...@gmail.com Subject: Re: what is killing PKI? Hi On Thursday 30 August 2012 at 7:34:56 PM, in mid:8723caa5-4796-4f49-bbf3-4c933fdca...@email.android.com, Landon Hurley wrote: More to the point: my passphrase never leaves my equipment and isn't recorded anywhere outside my brain. You can only get it by getting inside my computer. Or by using a discrete surveillance camera to watch your key presses. Or how about social engineering, alcohol, pillow talk, hypnosis, rubber hose attack, etc.? - -- Best regards MFPAmailto:expires2...@rocketmail.com Dreams come true on this side of the Rainbow too! - -- Violence is the last refuge of incompetence. -BEGIN PGP SIGNATURE- Version: APG v1.0.8 iQJBBAEBCgArBQJQP/lPJBxMYW5kb24gSHVybGV5IDxsanJodXJsZXlAZ21haWwu Y29tPgAKCRA3qYf9H1SVrDvRD/9k6unvLEQi4nDiMGFHiXz9ZxywpucyIKqPCXMG pyUhq2h515doSjrSulOx4PNlXY2laN599OAUy8WUR2QMffpsU2rh9jRlayRyLz8e ftIxQiPI2ZTyCBteUoTozgyMDt/2lXv8+ByrSfZJxsJ8z12q2YNTg0+jHWBM3iVN Ia/LYYV4t6Tgm0JhYMvHpYUoDI/6J57uMSBOpHjmofx73tT1i/DeEvrmimo2E5eb wUasxIeMtQEb2msPtLlnOKWTczgjwhZ0LGJZmd1ZregLy/zJfm+UGruLZUPak+UE SsGbq7Gui1kZX2dkjA0RQFxH7bhVSS0gGMP625xclfqxHjQ2QIkpvPCTkek060Xr meBLri8Ge0S8jV+20Jjc0DKWs6xXUhAkwrCNztHaVtx8VKmi5yIXfueifZh4p9Fg 5et2G8fWOQnw+MAZHhPG4WtjiZd3dxABitniZ5P3JCfvcPI0Lw7zXjkSJDRLuyIU FiO1/+5joteZMTEPt5F0sSgwiKVdW/As5dsCGPcu0CXJ8AfyxFoikYC3fbuKUcmM OaMC6br7cdVrEha9yLIt8/5M3uAFXvzhNJ8ONuI12SKTK0EOqtFVTT1nMPt32Apy GluuMBDAEwQmoZv2A9S1IasFPrhiJk8RKTHrE+YGzRv+WZyyK8ENvcEdFQTvrLB2 IQ8sMg== =uI/n -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: what is killing PKI?
On 8/30/12 7:37 PM, Landon Hurley wrote: I'd assume though that the number of people who discuss PKI as pillow talk must be pretty low. http://en.wikipedia.org/wiki/Clayton_J._Lonetree Historically, this is among the most effective ways of getting secrets out of someone. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: what is killing PKI?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 I meant PKI specifically not secrets in general. Obviously sex for people is a great motivator. Why don't you tell me about your private keys would be an amazing pick up line though. - Original Message From: Robert J. Hansen r...@sixdemonbag.org Sent: Thu Aug 30 19:43:08 EDT 2012 To: gnupg-users@gnupg.org Subject: Re: what is killing PKI? On 8/30/12 7:37 PM, Landon Hurley wrote: I'd assume though that the number of people who discuss PKI as pillow talk must be pretty low. http://en.wikipedia.org/wiki/Clayton_J._Lonetree Historically, this is among the most effective ways of getting secrets out of someone. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users - -- Violence is the last refuge of incompetence. -BEGIN PGP SIGNATURE- Version: APG v1.0.8 iQJBBAEBCgArBQJQP/+CJBxMYW5kb24gSHVybGV5IDxsanJodXJsZXlAZ21haWwu Y29tPgAKCRA3qYf9H1SVrCwrEACjTTwLiswUltJ/akl7mk8VMRJMo31bsOsqA6Cz Sl3efQJF+VWv+Te3sstglB1u/IcOxY6aaBiV9gFo2yZdkBzbWG1CVn4Z6vsb8Ile cCE0nQvNjpqtkLF5vTqniEE9VGu7Gbu3z4Tp0Q9hYj0Q/GTJDIrG+o2HVjOKHpSi dQ7S5s/W2eqZoPXVkndC3yvTSFveraw7ti1G6qs4CwOzCSyPF2G05nppQCJrR8Aj uHLrWZ8Kg0i56nSt5c4YjTRMLkfdsLQL6m2ZmYd7OoSxne89Q8QjWDnRfTBNFs2W UFdJexpciZgzR91pDE90QHgZSjkPIr888YKyKOLQ1hno2Lm7WIcbmhCC3KrJb+b7 MEpQgQNc69quP7XeYjyLLnFePxn9bmzq/S7NBiuiL2082o/6mFIuLmNRNAvrGNAB RfvsLjIFpS5zsA9vsJI+PMu2lqbdxqgzYoH+0PLLEn6oLI3n9cSVe4OIfRE6PoZk 1mL3HjzrEhwjp/FZUwbeQ6QryLEr5Rjh43ZYeAJZbdbwHnYTCXeTG80yncdfFUBI Pcd28cN/RmOyIZ3U96U0fOTD8WhaDejrgBAYp9nD0Zc9zMXgO5L/34P/xj4h0EYf uwkGFxQl1A5PmuleZfT1u+BuBjFMapZ1DaDE1lKB54KkWd7JlFntMFpgKiMm2YO6 5F+UTg== =YLRa -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: what is killing PKI?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 El 28-08-2012 20:01, MFPA escribió: Hello, IMHO, the main trouble probably is people don't feel the need to protect their privacy. So why do they use envelopes rather than postcards, and keep secret the PIN for their cashpoint cards? There may be several reasons for that, and I'd like to ask about them to the friends that, being capable of using GPG, have said no, I don't want to bother with installing it to me. But a priori, probably they use envelopes to keep all the paper sheets together. And I don't think they would send a PIN on a letter. But if they do, probably they would say but the mail-man can't know there is a PIN inside my letter, why would he open the envelope?. Ok, maybe they trust mail office doesn't open envelopes. They have too many letters and too little time, and no interest on reading letter. But email messages don't go straight from your hand to mail-man's hand, they have to travel a bit before reaching the mail server, and if you are using Wi-Fi, anyone in router's range can take a look at it. If we add the fact Eve doesn't even have to re-seal the envelope, then we may have a problem. Best Regards -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (MingW32) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iQEcBAEBCAAGBQJQQBEeAAoJEMV4f6PvczxAJW4H+wXE6nYdHU4bCKws3HN1/sVP q5aoeolTRqwdvzJ+repmVWKtdV8toHZkLD5Wo2047EAkmZK2ROwXeWqzOY1klCXE b9YwWaDzUPOhCzs9Hv8psPAZdIeVdmYGCS09AKfUNBFH09u9innICZiPGdgJdMYn oLj6BnTZzzUpGwPToXXbJeapGJKQWyjPrWJdh+RbSiNqJoQazEj3TiuLErq+n52L fZqxlrZH5WEbqHHqrqd1PRiickEULmPlbg/8YORYUIn2CEkhI9Z0dsNDCbpBjgvn XomWp6Ozv68P2yj6bmZ/cy+o6JTgA16v86BqZmpxeJDG4QuNfWjeg2AizSf2/vc= =dV82 -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: What is stopping PKI from growing was: Re: what is killing PKI?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 El 29-08-2012 5:28, antispa...@sent.at escribió: Hello List! I'm (for some of you) your worst nightmare. Somebody who does not master the fine arts of cryptography, yet has an oppinion about cryptography. I might say I enjoy reading the thread on PKI, but I wasn't able to read it all. I don't think that is anybody's nightmare. After all, many of us are not masters of cryptography. Please understand this is not a flame against Landon, but rather at the whole culture of having a debate that puts people into two groups: a small one formed by initiated and a huge one with lay people. I am using Right, but it doesn't require high technological skills or a degree in computer science to become an initiated. It can be explained in 20 minutes, while you drink a coffee. Manuals are long and sometimes hard to understand, because they must cover a lot of information, and list all these options we will never use (but are still there, because what I don't use is a must-have for other people). Just stay with us a bit, and soon you'll find yourself transformed into a GPG initiated. ... I think the argument with the envelope instead of a postcard is dated before considering encryption as an electronic envelope. Anyway, while Well, but it is. It is an almost impossible to open envelope, but encrypted email still have the recipient's address, and the info of the sender, at plain sight. ... stereotypical nerd living in a basement. The real postman has way too much on his hands to waste time with every private message. Yet, the message might be delivered into the hands of a servant or family member. It's them, the people around, who are the most interested to find out the juicy story. That is also very true, Eve is probably very close to either the sender or the recipient. Unless we are talking about NSA, CIA, or Men in Black, but if that is the case, then using cryptography is only a small part of the protection measures. I see webmail as far from a barrier. Get one plain text editor with encrypt / decrypt abilities. Than just copy and paste the armored text. Or even better, attach the armored file to the message, and then you don't even have to worry about html stuff messing it. What can be simpler? Why do I have to handle a buggy slow beast like thunderbird or evolution when I can do it with the balast provided by a As a thunderbird user, I don't find it buggy or slow. At least, it didn't use to be slow. ... everything on a 386. So, instead of having a complicated system with problems, just use a web interface and do all the mails offline in a folder. Faster, more portable. Not sure about the faster part, you have more steps to follow to send a message. But it still can be done. And as you need to carry your encryption tools with you, you can also carry a portable install of Thunderbird+GPG+Enigmail. Well, not sure if GPG2 will run in portable mode, but for a while we can still use 1.4.x branch ... Why look down at people? Lay people? A concept invented by the religious / initiated caste to sepparate themselves from the disgusting masses. Lol, it is not like that. It is we are talking about encryption and why except us -the paranoid guys- the other people don't use it. It is not about education level, intelligence, or anything like that, in fact, if we were looking down at people, we would be saying they aren't capable of using this stuff, instead of that, we are talking about why don't they use it? How can we make them use it?. ... It's cute to develop bondage though some sort of initiation, say Dungeons and Dragons if you like a cliché, but it's still jacking off. The world is the thing out, at large, and not some meetings in a basement. Initiation? I'm lost now... I came here, joined the list, read a bit, made some questions, tried GPG, left a orphan key... and somehow, now I'm a GPG user. And to think it all started when a teacher said well, this is my public key, your assignment is to send an encrypted message to me, that is the link to PGP's site. And of course, I thought isn't there a free version? By the way, some years ago I went to a CAcert assurer's meeting. It was on a coffee shop, no basements involved. ... Even if gpg is easily obtainabe, that is, still, almost nothing. Gpg is not a portable app. One must read a few cryptic pages. Even if clear, It used to be. You can still get the portable version. they are boring. Generate a key. What size? The answers are quite liberal: it depends on what you need. It should be *2048 or read some Unfortunately, it really depends on your needs. But there is hope: the standard answer here is most people should stick to the defaults. There are even some straight forward wizards to set it up and generate your key (like enigmail's wizard). Options are more complex, but people with unusual needs should know they have to devote more time