Re: [cygwin] gpg-agent with ssh support ?

[Xavier Maillard]

Doug Barton  writes:

> On 3/12/15 2:59 AM, Werner Koch wrote:
>> On Wed, 11 Mar 2015 18:23, dougb@dougbarton.email said:
>>
>>> PuTTY also has its own agent support, which works quite well. I'm not
>>> sure why it's necessary to reinvent the wheel here. :)
>>
>> Because that integrates seemless with GnuPG.  For example you can use
>> your OpenPGP card (or other supoorted smartcards) for ssh.  No need for
>> the ssh-add kludge.
>
> And that would be a good reason, sure. But I don't get the impression
> that the OP has one of those. :)

Exact but I plan to get one in a quite short time ;) I am just
studying the smartcard market to choose a good one (any suggestion ?
:)).

Regards
-- Xavier.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: bugs.gnupg.org TLS certificate

[Avi]

No, Doug, I really don't have an opinion. To do so, I would have had to
given some thought to the relative merits of both sides and crystallized an
opinion. Since SSL certificates do not directly apply to me at this moment,
I have not given it the attention it deserves, and so I cannot in good
faith have a reasoned opinion; so I don't--out of ignorance if you wish. My
point in posting those links was that I remembered seeing this in the past,
and thought it fair to bring to Werner's attention that there was some
controversy, so that he can, if he wishes, research both sides and come to
his own measured opinion.

Avi

Avi


User:Avraham

pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key) 
   Primary key fingerprint: 167C 063F 7981 A1F6 71EC ABAA 0D62 B019 F80E
29F9

On Thu, Mar 12, 2015 at 11:57 PM, Doug Barton 
wrote:

> It's quite disingenuous to say you don't have an opinion, when obviously
> you do.
>
> This topic was debated at length on this list when Heartbleed happened.
> There are two camps:
>
> 1. Those who think that if you offer any kind of free service, you have to
> offer all related services for free as well. "I want it, so you must give
> it to me."
>
> 2. Those who think that companies like StartSSL who are offering
> tremendous value to the community for free have the right to recoup some of
> their operational expenses for requests that go outside the norm, and/or
> cannot be handled with an automated system.
>
> If you are in the first camp, you have every right to your belief, but
> that belief does not match up with the real world.
>
> If you are in the second camp, pull up a chair, I've got a cooler full of
> $BEVERAGE that I'll be happy to share. :)
>
> Doug
>
>
> On 3/12/15 7:27 PM, Avi wrote:
>
>> I have no opinion one way or the other re: StartSSL, but there are those
>> who do:
>>
>> > avoid_startcom_startssl_like_the_plague_>
>> 
>> > shameful-security-startcom-charges-people-to-revoke-ssl-
>> certs-vulnerable-to-heartbleed.shtml>
>>
>> etc.
>>
>> Avi
>>
>>
>> 
>> User:Avraham
>>
>> pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key)
>> mailto:avi.w...@gmail.com>>
>> Primary key fingerprint: 167C 063F 7981 A1F6 71EC ABAA 0D62 B019
>> F80E 29F9
>>
>> On Thu, Mar 12, 2015 at 7:47 PM, Mick Crane > > wrote:
>>
>>
>>
>>  On 12 Mar 2015, at 23:21, Hugo Osvaldo Barrera >>> > wrote:

 On 2015-03-11 17:38, Werner Koch wrote:
 On Wed, 11 Mar 2015 15:12, br...@minton.name
  said:

  git.gnupg.org ) don't use that
> certificate.  Have you considered a wildcard
> certificate?  I know this has been discussed before, e.g. at
>

 Too expensive ;-).  To stop all these complaints I will add a so
 called
 real certificate but first I need to move the tracker to another
 machine.


 Shalom-Salam,

  Werner

>>>
>>> No need for a wildcard one. Just get one free certificate for each
>>> subdomain
>>> from StartSSL.
>>>
>>
>
>
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: bugs.gnupg.org TLS certificate

[Doug Barton]

It's quite disingenuous to say you don't have an opinion, when obviously 
you do.


This topic was debated at length on this list when Heartbleed happened. 
There are two camps:


1. Those who think that if you offer any kind of free service, you have 
to offer all related services for free as well. "I want it, so you must 
give it to me."


2. Those who think that companies like StartSSL who are offering 
tremendous value to the community for free have the right to recoup some 
of their operational expenses for requests that go outside the norm, 
and/or cannot be handled with an automated system.


If you are in the first camp, you have every right to your belief, but 
that belief does not match up with the real world.


If you are in the second camp, pull up a chair, I've got a cooler full 
of $BEVERAGE that I'll be happy to share. :)


Doug


On 3/12/15 7:27 PM, Avi wrote:

I have no opinion one way or the other re: StartSSL, but there are those
who do:





etc.

Avi



User:Avraham

pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key)
mailto:avi.w...@gmail.com>>
Primary key fingerprint: 167C 063F 7981 A1F6 71EC ABAA 0D62 B019
F80E 29F9

On Thu, Mar 12, 2015 at 7:47 PM, Mick Crane mailto:mick.cr...@gmail.com>> wrote:




On 12 Mar 2015, at 23:21, Hugo Osvaldo Barrera mailto:h...@barrera.io>> wrote:

On 2015-03-11 17:38, Werner Koch wrote:
On Wed, 11 Mar 2015 15:12, br...@minton.name
 said:


git.gnupg.org ) don't use that
certificate.  Have you considered a wildcard
certificate?  I know this has been discussed before, e.g. at


Too expensive ;-).  To stop all these complaints I will add a so
called
real certificate but first I need to move the tracker to another
machine.


Shalom-Salam,

 Werner


No need for a wildcard one. Just get one free certificate for each
subdomain
from StartSSL.




___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: bugs.gnupg.org TLS certificate

[Avi]

I have no opinion one way or the other re: StartSSL, but there are those
who do:

<
https://danconnor.com/post/50f65364a0fd5fd1f701/avoid_startcom_startssl_like_the_plague_
>

<
https://www.techdirt.com/articles/20140409/11442426859/shameful-security-startcom-charges-people-to-revoke-ssl-certs-vulnerable-to-heartbleed.shtml
>

etc.

Avi



User:Avraham

pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key) 
   Primary key fingerprint: 167C 063F 7981 A1F6 71EC ABAA 0D62 B019 F80E
29F9

On Thu, Mar 12, 2015 at 7:47 PM, Mick Crane  wrote:

>
>
> On 12 Mar 2015, at 23:21, Hugo Osvaldo Barrera  wrote:
>
>
> On 2015-03-11 17:38, Werner Koch wrote:
>
> On Wed, 11 Mar 2015 15:12, br...@minton.name said:
>
>
> git.gnupg.org) don't use that certificate.  Have you considered a wildcard
>
> certificate?  I know this has been discussed before, e.g. at
>
>
> Too expensive ;-).  To stop all these complaints I will add a so called
>
> real certificate but first I need to move the tracker to another
>
> machine.
>
>
>
> Shalom-Salam,
>
>
>  Werner
>
>
> No need for a wildcard one. Just get one free certificate for each
> subdomain
>
> from StartSSL.
>
>
> I think Werner can make his own authority and certificate ?
> That sort of information stuff used to much more readily accessible on the
> net, like how to run your own DNS.
> For forgetful people is difficult to track things down now with so much
> available.
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: bugs.gnupg.org TLS certificate

[Mick Crane]

>> On 12 Mar 2015, at 23:21, Hugo Osvaldo Barrera  wrote:
>> 
>> On 2015-03-11 17:38, Werner Koch wrote:
>> On Wed, 11 Mar 2015 15:12, br...@minton.name said:
>> 
>>> git.gnupg.org) don't use that certificate.  Have you considered a wildcard
>>> certificate?  I know this has been discussed before, e.g. at
>> 
>> Too expensive ;-).  To stop all these complaints I will add a so called
>> real certificate but first I need to move the tracker to another
>> machine.
>> 
>> 
>> Shalom-Salam,
>> 
>>  Werner
> 
> No need for a wildcard one. Just get one free certificate for each subdomain
> from StartSSL.

I think Werner can make his own authority and certificate ?
That sort of information stuff used to much more readily accessible on the net, 
like how to run your own DNS.
For forgetful people is difficult to track things down now with so much 
available.___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: bugs.gnupg.org TLS certificate

[Pete Stephenson]

On Fri, Mar 13, 2015 at 12:21 AM, Hugo Osvaldo Barrera  wrote:
> On 2015-03-11 17:38, Werner Koch wrote:
>> On Wed, 11 Mar 2015 15:12, br...@minton.name said:
>>
>> > git.gnupg.org) don't use that certificate.  Have you considered a wildcard
>> > certificate?  I know this has been discussed before, e.g. at
>>
>> Too expensive ;-).  To stop all these complaints I will add a so called
>> real certificate but first I need to move the tracker to another
>> machine.
>>
>>
>> Shalom-Salam,
>>
>>Werner
>
> No need for a wildcard one. Just get one free certificate for each subdomain
> from StartSSL.

StartSSL's a great choice, as one can issue as many certificates as
one wishes for validated domain names.

Alternatively, several CAs[1][2] offer free certificates to
open-source projects. Resellers[3][4] also offer quite
reasonably-priced ($9 USD/year) certs as a standard price.

Cheers!
-Pete
Full disclosure: I'm a paying customer of StartSSL, Gandi, and
NameCheap, and have several certificates from each for different
purposes. Other than being a customer, I have no other interest in
those organizations.

[1] https://www.godaddy.com/ssl/ssl-open-source.aspx
[2] https://www.globalsign.com/en/ssl/ssl-open-source/
[3] https://www.namecheap.com/security/ssl-certificates/domain-validation.aspx
[4] https://www.gandi.net/ssl/standard

-- 
Pete Stephenson

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: bugs.gnupg.org TLS certificate

[Hugo Osvaldo Barrera]

On 2015-03-11 17:38, Werner Koch wrote:
> On Wed, 11 Mar 2015 15:12, br...@minton.name said:
> 
> > git.gnupg.org) don't use that certificate.  Have you considered a wildcard
> > certificate?  I know this has been discussed before, e.g. at
> 
> Too expensive ;-).  To stop all these complaints I will add a so called
> real certificate but first I need to move the tracker to another
> machine.
> 
> 
> Shalom-Salam,
> 
>Werner

No need for a wildcard one. Just get one free certificate for each subdomain
from StartSSL.

Cheers,

-- 
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Question concerning OpenLDAP PGP Keyserver setup guide (wiki.gnupg.org)

[Stephan Beck]

Hi,

reproducing the OpenLDAP PGP keyserver setup guide on http://wiki.gnupg.org,
published by Neal, I get the following error message:

ldapmodify: wrong attributeType at line 5, entry "olcDatabase={1}hdb,cn=config"

I am reproducing the guide on debian stable (main sources only), which uses
"hdb" (not "mdb") database format, OpenLDAP3, being the server package slapd.

To see the error message in its context:


$ sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config"  | grep 
olcDatabase:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
olcDatabase: {-1}frontend
olcDatabase: {0}config
olcDatabase: {1}hdb


$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/keyserver-acls.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldapmodify: wrong attributeType at line 5, entry "olcDatabase={1}hdb,cn=config"


contents of keyserver-acls.ldif are as follows:


# userPassword may be written only by users themselves
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
# Allow access via localhost to add or modify keys.
# Allow authenticated PGP Users to update keys.
# Allow anyone else to read the keys.
olcAccess: {2} to dn.subtree="ou=PGP Keys,dc=FOO,dc=EXAMPLE,dc=ORG"
  by peername.ip=127.0.0.1 write
  by peername.ip=:: write
  by dn.regex="^uid=([^,]+),ou=PGP Users,dc=FOO,dc=EXAMPLE,dc=ORG" write
  by * read

# Allow any connection to localhost to update the PGP keys
# (including removing them!)  This is only needed if the anonymous
# updates from localhost are desired.
dn: cn=config
add: olcAllows
olcAllows: update_anon
--

It seems that the error message indicates that line 5

by peername.ip=127.0.0.1 write

has a a wrong attribute type.

I checked the LDAP for Rocket scientists guide on zytrax.com (1) and (3) for
hours, and also some documentation about the peername.ip attribute, but I cannot
figure out what's wrong.
I found that there are 2 ways of using the peername.[ip] attribute.

If you use it with ipv4 you do not have to put peername.ipv4, but just
peername.ip, being the value (127.0.0.1) that which defines the format (ipv4).
With ipv6 you would have to specify it, i.e. peername.ipv6=[ipv6]

The other way is using "peername.[type]" but that's not the case here.


Is there anyone who can lend me a hand?

TIA

Stephan

Note: On slapd debconf install I used FOO.EXAMPLE.ORG, so whenever the wiki
guide uses dc=EXAMPLE,dc=ORG I use dc=FOO,dc=EXAMPLE,dc=ORG

(1) http://www.zytrax.com/books/ldap/ch6
(2) http://www.zytrax.com/books/ldap/ch3





signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: [cygwin] gpg-agent with ssh support ?

[Brian Minton]

Another option that I often use is https://github.com/wesleyd/charade,
which opens a unix domain socket on cygwin, connected to Pageant, so
cygwin programs and windows programs that use PuTTY can share the same
authentication.  Another similar program is
http://github.com/cuviper/ssh-pageant

On Thu, Mar 12, 2015 at 3:04 PM, Doug Barton  wrote:
> On 3/12/15 2:59 AM, Werner Koch wrote:
>>
>> On Wed, 11 Mar 2015 18:23, dougb@dougbarton.email said:
>>
>>> PuTTY also has its own agent support, which works quite well. I'm not
>>> sure why it's necessary to reinvent the wheel here. :)
>>
>>
>> Because that integrates seemless with GnuPG.  For example you can use
>> your OpenPGP card (or other supoorted smartcards) for ssh.  No need for
>> the ssh-add kludge.
>
>
> And that would be a good reason, sure. But I don't get the impression that
> the OP has one of those. :)
>
> Doug
>
>
>
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Enigmail speed geeking

[Ville Määttä]

On 12.03.15 20:52, Robert J. Hansen wrote:
>> My point was that you wrote multiple paragraphs worth of stories on 
>> > two emails from which I really got the impression that people should
>> > just not bother.
> In response to someone who was thinking that storing keys on your hard
> drive was categorically unsafe, and that smart cards were categorically
> necessary, yes.

Absolutely. I agree. I think the difference of opinion here stems from
how I read the reply you sent. After the first couple sentences it's not
much about answering the question anymore :).

The questions was: Are smart cards a must? No they are not.

>>> The answer is, "it depends."
>>
>> Isn't "it depends" exactly what I said ?
> 
> No.  You said they add security, period, and that they either
> inconvenience minutely or add convenience.

All things being equal, they do practically add security, period :).
Well, you're quite right that it's impossible to say that they would add
security in all situations. Maybe they could also weaken it in some. But
you can use the same passphrase with or without the card. You can have
your subkeys on the card or on the computer. Maybe you can fill in the
rest. I.e. all things being equal:

The card can and on defaults probably will limit the amount of
passphrase attempts. And then it locks. Is it absolutely secure against
hacking? No. But it should be quite difficult to hack. And an important
point if to only have subkeys in there that you can revoke.

> That's not an "it depends"
> answer.  That's a "this is true in all times and situations" answer, and
> that's exactly wrong.

I said "depending on the user and use case". It is an it depends answer.

> They do *not* add security in all times and
> situations

I'm not making such a claim. The world is not black and white. Yes or no
only. I'm not talking about some theoretical, mathematically proven
statement that smart cards are more secure in every possible way. They
are not.

>, and they do *not* only ever cause minute inconvenience.

I don't know how you count the 30-45 second number from before but for
me it adds 1-10 seconds, maybe. Hard to estimate but it doesn't really
add any inconvenience to my use. And obviously, that's quite subjective.

I'm not even trying to make a point that they would be more secure all
the time. But, practically, they can be a cheap and convenient way to
add security. Everyone has to evaluate their use case though.

Here's an example. Is it better to store secret keys on each computer or
a smart card? I use multiple different computers and think that it's
more secure to have the keys on my smart card. So, more security by not
having to distribute the secret keys to all those computers. I'd say
that's convenient security as the secret keys come with me to whichever
computer I happen to be using.

-- 
Ville



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Enigmail speed geeking

[Robert J. Hansen]

> I would go so far as to say for the vast majority of users they are 
> totally unnecessary. It's cool to play with smart cards, and I'm all
> in favor of that sort of thing ... but for the overwhelming number of
> PGP users the threat model just isn't there.

I dunno.  I think there are some good arguments for regular users
employing them; I just don't think those arguments are all that compelling.

For instance, I have my smartcard cross-signed with my usual certificate
(0xD6B98E10).  If you trust 0xD6B98E10, you'll probably also trust my
smartcard certificate -- and vice-versa.  Now let's say that in a couple
of years 0xD6B98E10 gets compromised.  I revoke the certificate,
propagate the revocation, and generate a new cert (0xBADD00D5).  I sign
0xBADD00D5 with the smartcard cert and put it up on the servers.  Etc.
People can see 0xBADD00D5 is signed by my smartcard and can have
confidence this is my new certificate.

This is basically the idea of the "offline master signing key" that a
lot of people talk about, but a lot more convenient due to the smartcard
form-factor.  I don't have to worry about air-gapping the signing
system, I just have to worry about finding the card reader when it comes
time to generate a new cert.

> Further, the inconvenience of having to deal with generating and 
> socializing a new key if your smart card gets lost, becomes
> inoperable, etc. is way too high a cost for near-zero benefit.

Yep.  Don't lose 'em.




signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Enigmail speed geeking

[Doug Barton]

On 3/12/15 8:51 AM, Robert J. Hansen wrote:

For many users, smart cards are a good idea.  (I've got one myself.)
But for just as many users, smart cards are inconvenient and overkill.


I would go so far as to say for the vast majority of users they are 
totally unnecessary. It's cool to play with smart cards, and I'm all in 
favor of that sort of thing ... but for the overwhelming number of PGP 
users the threat model just isn't there.


Further, the inconvenience of having to deal with generating and 
socializing a new key if your smart card gets lost, becomes inoperable, 
etc. is way too high a cost for near-zero benefit.


FWIW,

Doug


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Enigmail speed geeking

[Robert J. Hansen]

> Yes, thanks a lot. From your answer I deduce that a single-user, 
> non-professional environment may not require use of a smart card, or 
> may not require it with the necessity it may have in high-security 
> environments.

Yep!  And just as importantly: it may require it.  It depends on your
threat model and what you need to defend against.  Ultimately, it's a
judgment call.

> But on an individual level, I guess it also depends on how much you 
> love (playing with) software and related devices and are already
> used to it.

This, too!  If you want to play around with them and have fun, don't let
me stop you.  :)



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: [cygwin] gpg-agent with ssh support ?

[Doug Barton]

On 3/12/15 2:59 AM, Werner Koch wrote:

On Wed, 11 Mar 2015 18:23, dougb@dougbarton.email said:


PuTTY also has its own agent support, which works quite well. I'm not
sure why it's necessary to reinvent the wheel here. :)


Because that integrates seemless with GnuPG.  For example you can use
your OpenPGP card (or other supoorted smartcards) for ssh.  No need for
the ssh-add kludge.


And that would be a good reason, sure. But I don't get the impression 
that the OP has one of those. :)


Doug



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Enigmail speed geeking

[Robert J. Hansen]

> My point was that you wrote multiple paragraphs worth of stories on 
> two emails from which I really got the impression that people should
> just not bother.

In response to someone who was thinking that storing keys on your hard
drive was categorically unsafe, and that smart cards were categorically
necessary, yes.  If you want to illustrate that smart cards are not
categorically necessary, you don't highlight instances where they're
useful and/or necessary: you highlight instances where they're not.  Had
the original poster said, "Is it correct to say there's no real use case
for smart cards?", I would have talked about situations where they're a
real benefit.

>>> I think they add security and depending on the user and use case 
>>> they either add inconvenience minutely or the complete opposite,
>>> they add usability.
>> 
>> The number of environments, number of users, and number of use 
>> cases, is way too vast to be able to make a glib statement like 
>> this.  You're just wrong.
>> 
>> The answer is, "it depends."
> 
> Isn't "it depends" exactly what I said :)?

No.  You said they add security, period, and that they either
inconvenience minutely or add convenience.  That's not an "it depends"
answer.  That's a "this is true in all times and situations" answer, and
that's exactly wrong.  They do *not* add security in all times and
situations, and they do *not* only ever cause minute inconvenience.




signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Enigmail speed geeking

[Ville Määttä]

On 12.03.15 19:21, Robert J. Hansen wrote:
> If you think I'm portraying them as "completely unusable," then I think
> you didn't bother to read my message very closely.

I read both of your messages quite closely. Had you merely pointed out
the downsides of having to carry a card, a reader etc. I would probably
have just agreed with you and likely just read and said nothing. My
point was that you wrote multiple paragraphs worth of stories on two
emails from which I really got the impression that people should just
not bother.

On 12.03.15 19:55, Stephan Beck wrote:
>> Yes, thanks a lot. From your answer I deduce that a single-user,
>> non-professional environment may not require use of a smart card,
>> or may not require it with the necessity it may have in high-security
>> environments.

It would appear so did Stephan.

>> I think they add security and depending on the user and use case
>> they either add inconvenience minutely or the complete opposite, they
>> add usability.
> 
> The number of environments, number of users, and number of use cases, is
> way too vast to be able to make a glib statement like this.  You're just
> wrong.  
> 
> The answer is, "it depends."
> 

Isn't "it depends" exactly what I said :)? I think you went a bit
overboard with the stories and wanted to point that out, that's all.
Smart cards are not some scary thing only "necessary" in "high-security
environments". Whatever that might mean.

-- 
Ville



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Whishlist for next-gen card

[Joey Castillo]

>
> On 20/02/15 09:32, NdK wrote:
> > 1 - support for more keys (expired ENC keys, multiple signature keys)
>

At the very least, adding expired ENC keys to the card spec is a really
great suggestion. I'm trying to pitch people on using smart cards to secure
their email, and one common question I get is "What happens if I lose my
card?" Telling them they have to generate a new key is a bitter pill if it
means they can't decrypt their old emails.

This feature is not without precedent; the NIST standard for CAC/PIV cards
includes fields for 20 retired "key management" keys, which are used to
decrypt old messages. [1] I think this one feature would go a long way to
making smart cards a more accessible solution for everyday use.

[1]:
http://csrc.nist.gov/publications/nistpubs/800-73-3/sp800-73-3_PART4_piv-transitional-interface-data-model-spec.pdf
in item 2.4.7, "Key History Object".

-- 

Joey Castillo
www.joeycastillo.com
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Enigmail speed geeking

[Robert J. Hansen]

> That's quite a personal issue to count as a failing of smart cards.

Sure!  And I even said that.  "For many users, smart cards are a good
idea.  (I've got one myself.)  But for just as many users, smart cards
are inconvenient and overkill."  Your use case isn't my use case.

That said, I've heard from enough people over the years sharing the "I
can never find a reader when I need one" problem for me to think I'm not
alone.

>> I'm not sure the (marginal) additional security from using a smart 
>> card is worth the (very real) usability expense.
> 
> Oh, you mean like being able to use a more humane PIN / passphrase?

Depends on the user.  I personally have three different 128-bit
passphrases memorized (sixteen random bytes base-64 encoded).  Other
people have trouble remembering their four-digit ATM PIN code.

Will I get additional security from using a smart card?  Depends on my
specific usage and my goals, but in most of my cases, no.  Enough to
justify the usability expense?  Again: it depends on my specific usage
and my goals, but in most of my cases, no.

But that doesn't mean I don't use my smart card.  I do.  I just use it
in use cases where it makes sense to do it.

>> Then I discovered the downside of USB tokens: they don't take well 
>> to going through the wash.
> 
> Are you serious? I wouldn't know but I'm guessing the computer you 
> use to decrypt those messages won't take too well to water either.

Probably not, but in my defense, Apple didn't put a hole in my laptop
and give me a glossy brochure showing a MacBook Pro hanging off my
keychain, either.  Rainbow Technologies did, and what happened to the
token after that was predictable.  It went where my car keys did.
Namely, the wash.

> Sure you need a reader and sure, you shouldn't throw the reader into
> water but come on. You go out of your way to make them sound like 
> something completely unusable.

Not "completely unusable".  In the best case, a smart card adds 30-45
seconds to my operation time.  That's a price I'm willing to pay for
certain operations.  For others, it's not.

If you think I'm portraying them as "completely unusable," then I think
you didn't bother to read my message very closely.  Their usability and
appropriateness is *intensely* dependent on the user and the operating
environment.  For some users they make a lot of sense.  For others, they
don't.

> I think they add security and depending on the user and use case
> they either add inconvenience minutely or the complete opposite, they
> add usability.

The number of environments, number of users, and number of use cases, is
way too vast to be able to make a glib statement like this.  You're just
wrong.  :)

The answer is, "it depends."



smime.p7s
Description: S/MIME Cryptographic Signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Enigmail speed geeking

[Stephan Beck]

Am 12.03.2015 um 16:51 schrieb Robert J. Hansen:
>> As to your enigmail essay, point 1, would you go that far that
>> keeping keys on hard disk is unsafe and using a smart card is a
>> must?

> 
> If email crypto makes it hard to read email, few people will adopt the
> technology.  We want technologies that make our lives easier, not
> harder.  Smart cards, although a really good idea in certain
> environments, make crypto harder in a lot of environments.  I'm not sure
> the (marginal) additional security from using a smart card is worth the
> (very real) usability expense.
> 
> Is it unsafe to keep your keys on your hard disk?  Dunno.  Depends a lot
> on your situation.

> 
> Is using a smart card a must?  Dunno.  Depends a lot on your situation.
> 
> Hope this helps.  :)


Yes, thanks a lot. From your answer I deduce that a single-user,
non-professional environment may not require use of a smart card,
or may not require it with the necessity it may have in high-security
environments. As Andreas pointed out in his message, there are the USB
sticks as, for instance, the Yubico Key that my email provider offers or has
been offering for a while. I was actually thinking about moving in that 
direction.
As to the "email crypto (devices/technology/software) have to be easy to use"
and "it makes crypto harder" arguments, that's certainly true for extending
(mass) usage. But on an individual level, I guess it also depends on how much
you love (playing with) software and related devices and are already used to it.
The cries for simplifying GnuPG, for instance, that have been resounding
throughout this list lately may be reasonable up to some point,
but, in my case, I like it (and the WoT as a central concept behind it) too much
to ever change (to another mail/file encryption software). And for me there is a
bunch of commands/options yet to be discovered!

Stephan


> 
> 
> 
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
> 






signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Enigmail speed geeking

[Ville Määttä]

> But for just as many users, smart cards are inconvenient and overkill.
> Frankly, they have awful usability, just terrible.
…
> finding the smart card is
> easy -- it's in my wallet -- but finding the smart card *reader* is the
> sort of thing that leads me to crazed conspiracy theories.

That's quite a personal issue to count as a failing of smart cards. That
whole rant about the reader being MIA is, /for me personally/, a
complete non-issue. I keep it attached to the smart card.

> I'm not sure
> the (marginal) additional security from using a smart card is worth the
> (very real) usability expense.

Oh, you mean like being able to use a more humane PIN / passphrase?

On 12.03.15 18:25, Robert J. Hansen wrote:
> Then I discovered the downside of USB tokens: they don't
> take well to going through the wash.

Are you serious? I wouldn't know but I'm guessing the computer you use
to decrypt those messages won't take too well to water either.

Sure you need a reader and sure, you shouldn't throw the reader into
water but come on. You go out of your way to make them sound like
something completely unusable. I think they add security and depending
on the user and use case they either add inconvenience minutely or the
complete opposite, they add usability.

-- 
Ville



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Enigmail speed geeking

[Robert J. Hansen]

> There are USB-Sticks with an embedded smart card controller that
> take away the burden to find a working card reader (which _is_ a real
> pain). The one we use has a standard CCID interface that works
> without driver installation on the majority of operating systems.

Yeah -- back in 2000 I used a Rainbow iKey, which was one of the first
USB tokens.  Then I discovered the downside of USB tokens: they don't
take well to going through the wash.  (You know how when you pull
clothes out of the dryer they've got all kinds of static electricity on
them?  USB tokens don't take kindly to that.)

I dunno, maybe today we've got USB tokens that can survive the wash.
Wouldn't surprise me.  Unfortunately, I don't have the money to make a
good empirical test.




signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Enigmail speed geeking

[Andreas Schwier]

On 03/12/2015 04:51 PM, Robert J. Hansen wrote:
> For many users, smart cards are a good idea.  (I've got one myself.)
> But for just as many users, smart cards are inconvenient and overkill.
> Frankly, they have awful usability, just terrible.  When I receive an
> email message encrypted to my smart card key, finding the smart card is
> easy -- it's in my wallet -- but finding the smart card *reader* is the
> sort of thing that leads me to crazed conspiracy theories.  Is the
> reader attached to my laptop?  Did I leave it at the office?  Did I kick
> it under the sofa?  Did the space aliens from Zarbnulax take it?
There are USB-Sticks with an embedded smart card controller that take
away the burden to find a working card reader (which _is_ a real pain).
The one we use has a standard CCID interface that works without driver
installation on the majority of operating systems.

-- 

-CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#   #|   Schülerweg 38
   |#   #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
-http://www.cardcontact.de
 http://www.tscons.de
 http://www.openscdp.org
 http://www.smartcard-hsm.com


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Enigmail speed geeking

[Robert J. Hansen]

> As to your enigmail essay, point 1, would you go that far that
> keeping keys on hard disk is unsafe and using a smart card is a
> must?

For many users, smart cards are a good idea.  (I've got one myself.)
But for just as many users, smart cards are inconvenient and overkill.
Frankly, they have awful usability, just terrible.  When I receive an
email message encrypted to my smart card key, finding the smart card is
easy -- it's in my wallet -- but finding the smart card *reader* is the
sort of thing that leads me to crazed conspiracy theories.  Is the
reader attached to my laptop?  Did I leave it at the office?  Did I kick
it under the sofa?  Did the space aliens from Zarbnulax take it?

The upshot of it is that whenever I want to decrypt messages sent to my
smart card, in the best case scenario (I remember where the reader is
and it's within a few meters of my desk) it takes me 30-45 seconds to
read the message.  In the worst-case scenario, I'm in Valencia, Spain,
and my reader is in Washington, D.C., and there's no way I'm reading
this traffic until I get home.  (And in case you're wondering, yes, that
really happened to me.)

If email crypto makes it hard to read email, few people will adopt the
technology.  We want technologies that make our lives easier, not
harder.  Smart cards, although a really good idea in certain
environments, make crypto harder in a lot of environments.  I'm not sure
the (marginal) additional security from using a smart card is worth the
(very real) usability expense.

Is it unsafe to keep your keys on your hard disk?  Dunno.  Depends a lot
on your situation.

Is using a smart card a must?  Dunno.  Depends a lot on your situation.

Hope this helps.  :)



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: AES-NI, symmetric key generation

[Werner Koch]

On Thu, 12 Mar 2015 11:08, p...@heypete.com said:

> I (perhaps incorrectly) interpreted the question as "If GnuPG makes
> backwards-incompatible changes in the future, would it be possible for
> one who knows the encryption algorithm used, key, etc. of a message to
> decrypt that message with other, non-GnuPG tools?"

Sure.  As long as the tool understand the OpenPGP protocol.

> For example, if one knows that CAST5-CFB, ZIP, and salted-and-iterated
> S2K was used (as well as the value of the salt and number of
> iterations), might one be able to decrypt the message using OpenSSL
> and other common utilities? I suspect yes, as the encryption and

Yes.  Many years ago there used to be a toolset with reference
implementation based on OpenSSL.  IIRC, it was also available as a
printed book.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: AES-NI, symmetric key generation

[Pete Stephenson]

On Thu, Mar 12, 2015 at 10:56 AM, Werner Koch  wrote:
> On Wed, 11 Mar 2015 20:39, p...@heypete.com said:
>
>>> One more question: Is there any standardization in output formats
>>> between encryption programs and libraries, for example say you encrypt
>>> with AES128 in CBC, with the same key (directly or via passphrase), and
>>> since the output will have to have, in addition to the actual
>>> ciphertext, algorithm indentification on it, possible pasphrase-to-key,
>>> plus mode-specific data such as the iv/nonce, is there a specification
>>> of the format of how these come in?
>>
>> You'd have to ask Werner, the head developer, about that.
>
> Sorry, I do not understand the question.  The format is defined by the
> OpenPGP standard or the CMS standard (aka S/MIME).  There are also some
> other less common formats.
>
> Or is the question how applications present this to the user or whether
> a standard API is defined?  That is not defined by one of these
> protocols.

I (perhaps incorrectly) interpreted the question as "If GnuPG makes
backwards-incompatible changes in the future, would it be possible for
one who knows the encryption algorithm used, key, etc. of a message to
decrypt that message with other, non-GnuPG tools?"

For example, if one knows that CAST5-CFB, ZIP, and salted-and-iterated
S2K was used (as well as the value of the salt and number of
iterations), might one be able to decrypt the message using OpenSSL
and other common utilities? I suspect yes, as the encryption and
compression methods are standards, but doing so would probably be
non-trivial.

I could be wrong with both the interpretation of the question and the
answer, though.

Cheers!
-Pete

-- 
Pete Stephenson

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: [cygwin] gpg-agent with ssh support ?

[Werner Koch]

On Wed, 11 Mar 2015 18:23, dougb@dougbarton.email said:

> PuTTY also has its own agent support, which works quite well. I'm not
> sure why it's necessary to reinvent the wheel here. :)

Because that integrates seemless with GnuPG.  For example you can use
your OpenPGP card (or other supoorted smartcards) for ssh.  No need for
the ssh-add kludge.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: AES-NI, symmetric key generation

[Werner Koch]

On Wed, 11 Mar 2015 20:39, p...@heypete.com said:

>> One more question: Is there any standardization in output formats
>> between encryption programs and libraries, for example say you encrypt
>> with AES128 in CBC, with the same key (directly or via passphrase), and
>> since the output will have to have, in addition to the actual
>> ciphertext, algorithm indentification on it, possible pasphrase-to-key,
>> plus mode-specific data such as the iv/nonce, is there a specification
>> of the format of how these come in?
>
> You'd have to ask Werner, the head developer, about that.

Sorry, I do not understand the question.  The format is defined by the
OpenPGP standard or the CMS standard (aka S/MIME).  There are also some
other less common formats.

Or is the question how applications present this to the user or whether
a standard API is defined?  That is not defined by one of these
protocols.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

RE: [cygwin] gpg-agent with ssh support ?

[Saxena, Deepak]

Hi,

I am curious on how/if gpg4win integrates with Windows credential providers. We 
at SafeNet have smart cards and middleware for our smartcard, SAC, registers 
itself as a credential provider any Windows application that leverages MS 
crypto libraries can integrate with it.

Can anyone help me with that?

-- Deepak Saxena
The information contained in this electronic mail transmission 
may be privileged and confidential, and therefore, protected 
from disclosure. If you have received this communication in 
error, please notify us immediately by replying to this 
message and deleting it from your computer without copying 
or disclosing it.



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: [cygwin] gpg-agent with ssh support ?

[Doug Barton]

On 3/11/15 11:30 PM, Xavier Maillard wrote:


Doug Barton  writes:


Otherwise, there is an easy way to solve your problem on the Windows
platform, you should strongly consider it.


I fear I do not understand. Did I miss something ? Off course I'd
rather go the easy way ! :D


Try reading my previous post, and the web page that I included the URL 
for. It will explain it for you. :)


Doug



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users