Re: multiple instances of gpg-agent
On Thu, 21 May 2015 04:37, jeandav...@verizon.net said: --write-env-file $@{HOME@}/.gpg-agent-info I tried this and it would not work. No such file or directory. I removed the @ signs and then that part worked. Sorry, I copied it from the texinfo source and missed these escape sequences. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
[admin] Please do not reply to obvious spam
Hi! As some of you might have noticed, from time to time spam slips through the filter by means of subscribed users. That is a little bit annoying but it does not really harm. However, it is worse to reply to spam or send the mailing list owner a notice of that. That does not help. For the recent case I enabled the moderation flag on the posters account and also for an account with a similar gmail address. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Ohhhh jeeee: can't encode a 512 bit MD into a 608 bits frame
On 20/05/15 12:24, Werner Koch wrote: gpg tried to verify a key signature and ran into that problem. Of course it should not abort here. It would be helpful if you can you figure out which key causes the problem. Maybe the key shown last or the one which would be shown next. Running with --debug 64 might give some hints. Thanks for that Werner. I found the key causing the problem. I compared the output of gpg -k and gpg2 -k and then tried gpg2 --list-sigs on the first key missing from the gpg2 listing. The --list-sigs failed with the same 'Oh je... message. The key ID was 0x6e767393 gpg2 --delete-keys 0x6e767393 also failed and gave the same O j... message - that surprised me but the same command with gpg worked ok Once that key was eliminated from the public keyring, gpg2 -k listing runs to completion correctly. And also the keyID which enigmail Key Management would not display, now displays correctly. That key was not the one causing the problem. (The problem key had not been used to sign the key which would not display so I don't understand the connection between the two events.) Is it normal that gpg2 would not delete the key causing the problem ? If that is so, then we'll need to keep a copy of gnupg 1.xxx for keyring management. Philip signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Popescu and keys
Hello, I tried to read this guy's blog either but it seams like you have to pay to read it (buy credits with bitcoin). I don't know who the hell this guy thinks he is, not even Bruce Schneier asks to pay fees to read his blog/research papers, but I am just going to keep calm. So, since I wouldn't give anything more than the bandwidth I am already consuming to read this guy's blog, I guess I will never read his 'academic research on PGP', but I am really looking forward to see if he can sign the nonce you've provided with your so-called compromised key. I doubt this will ever happen. Even he never cracked any PGP keys at all, the FUD he spread around was a nice way to get some free advertising. Look, people saying his name on gnupg and enigmail lists, which are quite popular I believe. If he can prove he has your key by signing the nonce you've provided, I hereby confirm that I will subscribe to his 'academic research blog' and pay for each and every article, regardless I won't read them or have interest in them. Cheers! On 5/21/2015 3:13 AM, Robert J. Hansen wrote: In the last couple of days a few different people have pointed me to Mircea Popescu's blog, where he's claimed he's broken ~150 keys that are in common circulation among the keyservers. Unfortunately, his blog post is rather difficult to read: it's full of rude political asides that have no bearing on anything cryptological. I regret that, because it obscures what I think is a fascinating question: has he actually managed to recover private keys given just the public key? He claims to already have broken my key. If so, proving it is straightforward: sign a 256-bit value with my private key and upload it somewhere the world can see it. I'm going to be fascinated by the results, one way or another. If he can successfully do this it's going to lead to a lot of very interesting questions. For those people who are concerned about this, relax and remember to breathe. :) The 256-bit value, in base64 encoding: * anr8HIZZ1hRjeaXDxJ71qBNpw5s9r+42CqF+Bpk9vU4= ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OPENPGP URI PROPOSAL
On 2015-05-21 15:21, Daniel Kahn Gillmor wrote: On Thu 2015-05-21 11:59:07 -0400, mofo syne wrote: You might see a few copies around. This one is edited and streamlined with some advice from Hasimir to help keep this proposal focused. This is mirrored in here http://www.reddit.com/r/GnuPG/comments/36lmih/i_wonder_if_there_is_a_gpg_uri/ This proposal appears to be trying to do a lot of different things. I'm not convinced that they are all reasonable goals, or that gnupg-users is the right mailing list to discuss them on. The open...@ietf.org is a mailing list where different people discuss the standard in general. The example you give toward the end of the spec (uri handlers in web browsers) is an important example for arguing why something like this is concretely useful. Have you tried to implement this? Can modern web browser handlers work with arbitrary length data? When i try to trigger a local handler for an unknown schema in iceweasel (firefox) i see this message: Modern browsers can handle this. Some websites embed base64 uri-encoded images of several kb in length and all browsers handle this properly. -- The address wasn't understood Iceweasel doesn't know how to open this address, because one of the following protocols (openpgp) isn't associated with any program or is not allowed in this context. You might need to install other software to open this address. -- with no option to choose an external handler or anything. The same happens with several other quite standard protocols. Even some of those listed on rfc3986. This is a firefox issue, IMHO. This is configured via about:preferences#applications, since firefox does not respect OS settings in this aspect at all. Chromium, on the other hand, offers to launch xdg-open with that URL as the parameter, which fails because no handler is registered for the scheme in question. Is this the intended mechanism, or something else? openpgp://pubkey;version:GnuPG+v2;!base64::base64 data That sounds like the expected behaviour if there's no registered handler. The same would happen with things like mailto:; if you had none. There is already a vCard spec for a full pubkey -- though you might actually mean transferable public key or OpenPGP certificate: https://tools.ietf.org/html/rfc6350#section-6.8.1 Yeah, this seems to invalidate the strongest use-case for this specification. openpgp://msg;version:GnuPG+v2;!base64::base64 data When is this useful? openpgp://sigmsg;hash:SHA1;sig:base64;!::percent encoded message what about a message that is both signed and encrypted? how should it be represented? * Embedded in NFC or 2D barcode for physical messages in posters that is able store encrypted messages, public keys, or signed messages. Other than posters, it also allows for easier transferring of openpgp messages via NFC or 2D barcodes between a webbrowser in a cybercafe to a smartphone. These seem more likely to be handled by vCard or some similar approach to me. On some scenarios. But we need some sort of glue to import something from a vCard into gnupg's keyring. I don't think we need a new spec for this though. openpgp://fprint;name:clark+kent;::43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8 openpgp://fprint;::43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8 These fingerprints are only 128 bits long, which matches the OpenPGPv3 fingerprint format. OpenPGPv4 fingerprints are 160 bits long, and any new fingerprint standard might be longer still. Your proposal here doesn't mention any sort of versioning for fingerprints, or take into account other concerns. A large discussion about fingerprint encodings for low-bandwidth transmission can be found here: https://github.com/open-keychain/open-keychain/issues/1281 hth, --dkg ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users -- Hugo Osvaldo Barrera A: Because we read from top to bottom, left to right. Q: Why should I start my reply below the quoted text? signature.asc Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Enigmail] Popescu and keys
On 22/05/2015 5:37 am, Werner Koch wrote: These are all encryption subkeys. The third key is the one from H. Peter Anvin. I have not found one of the fingerprints given in the said blog posting: gpg removed it while importing the key. It is a bit disturbing that the other subkey listed above has a good key binding signature. I got distracted for some time and a few weeks later the PGP team at Symantec reported back that these are all duplicated subkeys where the other subkey had no small factors. Their thesis is that this happened due to memory corruption while merging a key. They planned to investigate that further using the PGP SDK but, like me, the case was more or less forgotton. Is it possible that a keyserver running the old, buggy PKS code (v. 0.9.something) mangled these keys? Regards, Ben signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: multiple instances of gpg-agent
On 05/21/2015 05:30 AM, Werner Koch wrote: On Thu, 21 May 2015 04:37, jeandav...@verizon.net said: --write-env-file $@{HOME@}/.gpg-agent-info I tried this and it would not work. No such file or directory. I removed the @ signs and then that part worked. Sorry, I copied it from the texinfo source and missed these escape sequences. No harm done. It did not take long to figure it out. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://linuxcounter.net ^^-^^ 19:45:01 up 20 days, 3:36, 2 users, load average: 5.35, 4.96, 4.73 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OPENPGP URI PROPOSAL
So what are data uri classified as then? https://en.wikipedia.org/wiki/Data_URI_scheme Because this is based off datauri, in terms of structure. So since datauri works, I'm inclined to think that there isn't any technical restriction to including content within a uri context as long as the appropriate handling software is available for the browser to call upon. (Besides the character limits of internet explorer of 2kb. For chrome, it's more like 2MB. stack overflow source http://stackoverflow.com/questions/15090220/maximum-length-for-url-in-chrome-browser ) On Fri, May 22, 2015 at 5:55 AM, Robert J. Hansen r...@sixdemonbag.org wrote: This proposal is to provide an alternative to the openpgp block messages, in the form of a uri ( e.g. `http://` ). The format of a URI is, generally, mechanism:address for that mechanism. For instance, email has a URI scheme: mailto:r...@sixdemonbag.org?subject=URI%20schemes FTP has one, too: ftp://ftp.gnupg.org HTTP has them: http://www.gnupg.org Filesystems have them: file:///Users/rjh/.gnupg/random_seed There's an ISO standard for serial numbers: urn:ISSN:1535-3613 Heck, there's even a URI scheme for Gopher. gopher://wait.people.still.use.gopher? You'll notice that for each of them, the first element in the URI is the protocol by which a network resource should be obtained. Web resources start with http: to let people know to use HTTP to obtain them. Mail links start with mailto:; to let people know they need an email client to obtain the resource (or, in that case, deliver to that resource). Etc. It seems to me that you're confused as to what a URI is. Your proposal actually *delivers content*, as opposed to telling people where they can find/deliver content and what protocol they should use to access it. There may be some good ideas in this proposal, but there seems to be such a misunderstanding of URIs and how they work that I'm not inclined to delve too deeply. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Lower Bound for Primes during GnuPG key generation (was Re: [Enigmail] Popescu and keys)
On 5/21/2015 at 3:45 PM, Werner Koch w...@gnupg.org wrote: Some guy downloaded most RSA keys from a keyserver and tried to factor 1.9 million moduli. They found 30 keys with a subkey having one of the first 1000 primes as a factor. I looked at 8 of those keys and found that 2 are likely PGP created and 6 are by GPG. = When GnuPG creates and RSA keypair, is there a minimum *low* for primes it will ignore? (i.e. Will GnuPG reject a prime for key generation if it is one of the first 1000 primes, or first million primes, or any fixed lower level?) And if so, Is it feasible to mount an attack on a keypair by starting with trying successive primes greater than this lower bound, and possibly successfully find *some* GnuPG secret keys? TIA, vedaal ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg-agent override to import secret keys in 2.1
Hi On Thursday 21 May 2015 at 8:52:49 PM, in mid:555e3791.6090...@adversary.org, Ben McGinnes wrote: Hello, Does anyone know whether or not there is an override command or option to force -agent to read/import secret keys after the initial migration to version 2.1? Doesn't it detect the presence/absence of the file gpg-v21-migrated? -- Best regards MFPA mailto:2014-667rhzu3dc-lists-gro...@riseup.net To steal ideas from one person is plagiarism; to steal from many is research. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OPENPGP URI PROPOSAL
Something that's mostly limited to web browsers and a couple of email clients. It's meant for including data in-line in web pages, not as separate documents, and has pretty close to nil adoption in the rest of the ecosystem. I'm not sure you need to wait for browsers to adopt this standard for it to take off. As Hugo Osvaldo Barrera said, That sounds like the expected behaviour if there's no registered handler. The same would happen with things like mailto:; if you had none. in regards to how unknown schemas are treated in browsers. So if you want mailto: to work, then you need to install an email handling program and point the browser to it. There is already a vCard spec for a full pubkey -- though you might actually mean transferable public key or OpenPGP certificate: If there is one that can be embedded in email links, or in a QR code etc, and can supplement pretty much all block formats for openpgp, then I'm all for it. What this uri is essentially, is just an alternative serialization that can hopefully be flexible to handle anything thrown by openpgp at it. If i have to open GPA and then copy and paste the Vcard to GPA, then I would prefer the autolaunching uri over the vcard format. openpgp://fprint;name:clark+kent;::43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8 openpgp://fprint;::43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8 These fingerprints are only 128 bits long, which matches the OpenPGPv3 fingerprint format. OpenPGPv4 fingerprints are 160 bits long, and any new fingerprint standard might be longer still. Your proposal here doesn't mention any sort of versioning for fingerprints, or take into account other concerns. Its just a sketch at the moment of a serializing format within a uri container, but if that's an issue, I see no reason why you can't add a version field. Like: openpgp:fprint;version:OpenPGPv3;::43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f: 66:73:a8 (Note: btw I think i agree with that `openpgp://` should be `openpgp:`. It was intially chosen since most auto link recognizers only recognizes when the // is in front of it. Perhaps we can add it in as an optional extra, if people need it to be recognized in plain text by simple URL detecting regexes . On Fri, May 22, 2015 at 10:18 AM, Robert J. Hansen r...@sixdemonbag.org wrote: So what are data uri classified as then? Something that's mostly limited to web browsers and a couple of email clients. It's meant for including data in-line in web pages, not as separate documents, and has pretty close to nil adoption in the rest of the ecosystem. Adopting a special OpenPGP data URI scheme just for web browsers seems pretty weird to me. Especially given how difficult it would be to get the browser community to adopt it -- as a general rule, no standard can take off unless Internet Explorer supports it. (XHTML 1.0 and 1.1, may you rest in peace.) If you can get Microsoft to support this, or someone to produce an IE plugin to handle it, then maybe. But otherwise, I think a web-specific data URI for OpenPGP data is DOA. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OPENPGP URI PROPOSAL
So what are data uri classified as then? Something that's mostly limited to web browsers and a couple of email clients. It's meant for including data in-line in web pages, not as separate documents, and has pretty close to nil adoption in the rest of the ecosystem. Adopting a special OpenPGP data URI scheme just for web browsers seems pretty weird to me. Especially given how difficult it would be to get the browser community to adopt it -- as a general rule, no standard can take off unless Internet Explorer supports it. (XHTML 1.0 and 1.1, may you rest in peace.) If you can get Microsoft to support this, or someone to produce an IE plugin to handle it, then maybe. But otherwise, I think a web-specific data URI for OpenPGP data is DOA. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Enigmail] Popescu and keys
On Thu, 21 May 2015 18:23, d...@fifthhorseman.net said: At least one of the keys he claimed to have broken is a degraded copy of one of H. Peter Anvin's actual subkeys, as Hanno Böck pointed out here: That reminds if of a private discussion I had last autumn. Some guy downloaded most RSA keys from a keyserver and tried to factor 1.9 million moduli. They found 30 keys with a subkey having one of the first 1000 primes as a factor. He asked a few of them and while most used different versions of GnuPG one recalled to have used a commercial PGP tool to create the key in 2007. I looked at 8 of those keys and found that 2 are likely PGP created and 6 are by GPG. | Mail | S | factor | size | keyid|created | |--+---++--+--+| | | g |0x3 | 4096 | xxx7 | 2010-12-28 | | | p | 0x49a3 | 3001 | xxx2 | 2007-04-29 | | | g | 0x1125 | 4096 | 1299816A | 2011-09-22 | | | g | 0x182d | 2048 | xxx3 | 2011-09-23 | | | g |0x3 | 4096 | xxxB | 2011-08-09 | | | g | 0xc29b | 4096 | xxx0 | 2011-02-02 | | | g | 0x3cb3 | 2048 | xxxC | 2012-02-07 | | | p | 0x1f | 2048 | xxxF | 2010-01-18 | These are all encryption subkeys. The third key is the one from H. Peter Anvin. I have not found one of the fingerprints given in the said blog posting: gpg removed it while importing the key. It is a bit disturbing that the other subkey listed above has a good key binding signature. I got distracted for some time and a few weeks later the PGP team at Symantec reported back that these are all duplicated subkeys where the other subkey had no small factors. Their thesis is that this happened due to memory corruption while merging a key. They planned to investigate that further using the PGP SDK but, like me, the case was more or less forgotton. Incidentally, I met one of the other guys with a broken subkey at LinuxCon and he told me that some folks complained that they can't encrypt to him. For other this was no problem, though. My conclusion is that there are two issue: - Someone adding broken subkeys to the keyservers with a bad key-binding signature. No problem at all. - About 30 key with a valid key binding but with a partly duplicated subkey where both have a valid key binding signature. Most likely a software bug. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OPENPGP URI PROPOSAL
This proposal is to provide an alternative to the openpgp block messages, in the form of a uri ( e.g. `http://` ). The format of a URI is, generally, mechanism:address for that mechanism. For instance, email has a URI scheme: mailto:r...@sixdemonbag.org?subject=URI%20schemes FTP has one, too: ftp://ftp.gnupg.org HTTP has them: http://www.gnupg.org Filesystems have them: file:///Users/rjh/.gnupg/random_seed There's an ISO standard for serial numbers: urn:ISSN:1535-3613 Heck, there's even a URI scheme for Gopher. gopher://wait.people.still.use.gopher? You'll notice that for each of them, the first element in the URI is the protocol by which a network resource should be obtained. Web resources start with http: to let people know to use HTTP to obtain them. Mail links start with mailto:; to let people know they need an email client to obtain the resource (or, in that case, deliver to that resource). Etc. It seems to me that you're confused as to what a URI is. Your proposal actually *delivers content*, as opposed to telling people where they can find/deliver content and what protocol they should use to access it. There may be some good ideas in this proposal, but there seems to be such a misunderstanding of URIs and how they work that I'm not inclined to delve too deeply. signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OPENPGP URI PROPOSAL
On Thu 2015-05-21 11:59:07 -0400, mofo syne wrote: You might see a few copies around. This one is edited and streamlined with some advice from Hasimir to help keep this proposal focused. This is mirrored in here http://www.reddit.com/r/GnuPG/comments/36lmih/i_wonder_if_there_is_a_gpg_uri/ This proposal appears to be trying to do a lot of different things. I'm not convinced that they are all reasonable goals, or that gnupg-users is the right mailing list to discuss them on. The open...@ietf.org is a mailing list where different people discuss the standard in general. The example you give toward the end of the spec (uri handlers in web browsers) is an important example for arguing why something like this is concretely useful. Have you tried to implement this? Can modern web browser handlers work with arbitrary length data? When i try to trigger a local handler for an unknown schema in iceweasel (firefox) i see this message: -- The address wasn't understood Iceweasel doesn't know how to open this address, because one of the following protocols (openpgp) isn't associated with any program or is not allowed in this context. You might need to install other software to open this address. -- with no option to choose an external handler or anything. Chromium, on the other hand, offers to launch xdg-open with that URL as the parameter, which fails because no handler is registered for the scheme in question. Is this the intended mechanism, or something else? openpgp://pubkey;version:GnuPG+v2;!base64::base64 data There is already a vCard spec for a full pubkey -- though you might actually mean transferable public key or OpenPGP certificate: https://tools.ietf.org/html/rfc6350#section-6.8.1 openpgp://msg;version:GnuPG+v2;!base64::base64 data When is this useful? openpgp://sigmsg;hash:SHA1;sig:base64;!::percent encoded message what about a message that is both signed and encrypted? how should it be represented? * Embedded in NFC or 2D barcode for physical messages in posters that is able store encrypted messages, public keys, or signed messages. Other than posters, it also allows for easier transferring of openpgp messages via NFC or 2D barcodes between a webbrowser in a cybercafe to a smartphone. These seem more likely to be handled by vCard or some similar approach to me. openpgp://fprint;name:clark+kent;::43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8 openpgp://fprint;::43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8 These fingerprints are only 128 bits long, which matches the OpenPGPv3 fingerprint format. OpenPGPv4 fingerprints are 160 bits long, and any new fingerprint standard might be longer still. Your proposal here doesn't mention any sort of versioning for fingerprints, or take into account other concerns. A large discussion about fingerprint encodings for low-bandwidth transmission can be found here: https://github.com/open-keychain/open-keychain/issues/1281 hth, --dkg ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Enigmail] Popescu and keys
On Thu 2015-05-21 12:23:20 -0400, Daniel Kahn Gillmor wrote: Which key does he claim to have broken? If Mircea has broken your encryption-capable subkey (0xB8A6B74C001892C2) then he might only be able to decrypt messages sent to you, but not sign them. To provide him with an opportunity to demonstrate this (Hi Mircea!), i've produced this message, encrypted to rjh's encryption-capable subkey. Mircea, if you can decrypt it, you should find a secret message, signed by me, which includes within it the message-id of the e-mail i'm replying to. I've been informed by Mircea offlist that he has no interest in continuing this conversation, so i'm dropping him from CC here. It appears to me that he has nothing concrete to demonstrate, and he has shown an inability to correct factual errors he has already published. Not very impressive :( I think there's nothing interesting to see here, but if i hear anything more substantive, i'll be sure to follow up on this thread to let people know. Regards, --dkg signature.asc Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
gpg-agent override to import secret keys in 2.1
Hello, Does anyone know whether or not there is an override command or option to force -agent to read/import secret keys after the initial migration to version 2.1? The basic scenario here is a primary workstation which the initial migration was performed on and a subsequent decommisioning of another workstation and keys generated on that workstation need to be merged with the primary. Not to mention the inevitable situation of replacing systems and needing to move everything, not just a subset. Regards, Ben signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Enigmail] Popescu and keys
Which key does he claim to have broken? If Mircea has broken your encryption-capable subkey (0xB8A6B74C001892C2) then he might only be able to decrypt messages sent to you, but not sign them. He didn't say. You're correct in that I made an unfounded assumption; thank you for the correction. :) Given the poor communication patterns and lack of retraction of unfounded claims, i'm not currently worried that this is a real attack. I am prepared to take it seriously if Mircea can follow up effectively on either of the challenges here, though. Likewise. I'm not worried about this, and I hope no one else on these lists is, either. signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
OPENPGP URI PROPOSAL
You might see a few copies around. This one is edited and streamlined with some advice from Hasimir to help keep this proposal focused. This is mirrored in here http://www.reddit.com/r/GnuPG/comments/36lmih/i_wonder_if_there_is_a_gpg_uri/ Last updated: 2015-05-22 *=OPENPGP URI PROPOSAL=## Brief/Objective * This proposal is to provide an alternative to the openpgp block messages, in the form of a uri ( e.g. `http://` ). This would make such messages more web friendly, as well as taking advantage of autolaunching apps to handle such messages. Such links may be embedded within email messages or webclients, or as a 2d barcode on a physical poster. This aims to be flexible and futureproof, by supporting any mix of variables or payload that may be thrown in it's way (e.g. percent encoding, base64, etc... ) *## Schema Description ##* openpgp:// [mode] [;key:value] [;key?length!encoding::value] ;?length!encoding::payload_data * `openpgp://` - is the start of the openpgp uri * `;`- is used as a delimiter. * `[;key:value]` - for simple keyvalues: `;name:clark` * `[;key?length!encoding:value]` - `::` - is used to aid visual inspection, since the content would be more of a long complex string, rather than a simple key:value pair - `[;key?length:value]` - safely read in string: `;name?10::clark;kent` - `[;key?encoding:value]` - `;sig!base64::f4h5k34589ht...` * `;?length!encoding::payload_data` - payload do not require key value. But it has optional encoding and length (Which may have a default setting based on mode. E.g. public keys are often always encoded in base64 ) - `;::f4h5k34589ht...` - `;!base64::f4h5k34589ht...` - `;!octet?100::8BinaryStream` - `;!json?17::{key:[1,2,3,4]}` * `$encoding` - is used to define how the string is encoded, e.g. base64,json,1010101 * `?length` - is used to define how many characters to read ahead as a string. Afterwards, it will just keep scanning for the next `;` or end of string. * `#type` this might be needed if we need to declare the type of a variable (undecided if it is needed in this standard proposal) *### Mode keywords ###* So far this is what I thought for gpg keywords for the `mode` * `pubkey` = public key * `prvkey` = private key * `encmsg` = encrypted message * `sigmsg` = signed message * `fprint` = key fingerprint *### extra thoughts ###* * http://tools.ietf.org/html/rfc1738 - Uniform Resource Locators (URL) * http://tools.ietf.org/html/rfc3986 - Uniform Resource Identifier (URI): Generic Syntax * http://tools.ietf.org/html/rfc3987 - Internationalized Resource Identifiers (IRIs) *# Structure Examples #* e.g. For pubkey: openpgp://pubkey;version:GnuPG+v2;!base64::base64 data For pubkey (with implied encoding. Default for pubkey mode payload is base64): openpgp://pubkey;version:GnuPG+v2;::base64 data For encrypted msg: openpgp://msg;version:GnuPG+v2;!base64::base64 data or a signed message openpgp://sigmsg;hash:SHA1;sig:base64;!::percent encoded message *# Potential Usage ###* * Embedded in NFC or 2D barcode for physical messages in posters that is able store encrypted messages, public keys, or signed messages. Other than posters, it also allows for easier transferring of openpgp messages via NFC or 2D barcodes between a webbrowser in a cybercafe to a smartphone. * Easier handling of messages in webrowsers via webrowsers plugins that can recognise the uri handler calls. E.g. Clicking on a url will automatically open up a openpgp program that automatically processes the message. *# Uri Mockups * Pubkey:
Re: [Enigmail] Popescu and keys
On Wed 2015-05-20 20:13:32 -0400, Robert J. Hansen wrote: In the last couple of days a few different people have pointed me to Mircea Popescu's blog, where he's claimed he's broken ~150 keys that are in common circulation among the keyservers. At least one of the keys he claimed to have broken is a degraded copy of one of H. Peter Anvin's actual subkeys, as Hanno Böck pointed out here: https://blog.hboeck.de/archives/872-About-the-supposed-factoring-of-a-4096-bit-RSA-key.html To my knowledge, Mircea (cc'ed here) has not retracted this particular claim, despite having issued at least three updates to his initial report about this key (which is not behind a paywall at the moment): http://trilema.com/2015/full-disclosure-4096-rsa-key-in-the-strongset-factored/ Unfortunately, his blog post is rather difficult to read: it's full of rude political asides that have no bearing on anything cryptological. I regret that, because it obscures what I think is a fascinating question: has he actually managed to recover private keys given just the public key? He claims to already have broken my key. If so, proving it is straightforward: sign a 256-bit value with my private key and upload it somewhere the world can see it. I'm going to be fascinated by the results, one way or another. If he can successfully do this it's going to lead to a lot of very interesting questions. For those people who are concerned about this, relax and remember to breathe. :) The 256-bit value, in base64 encoding: * anr8HIZZ1hRjeaXDxJ71qBNpw5s9r+42CqF+Bpk9vU4= Which key does he claim to have broken? If Mircea has broken your encryption-capable subkey (0xB8A6B74C001892C2) then he might only be able to decrypt messages sent to you, but not sign them. To provide him with an opportunity to demonstrate this (Hi Mircea!), i've produced this message, encrypted to rjh's encryption-capable subkey. Mircea, if you can decrypt it, you should find a secret message, signed by me, which includes within it the message-id of the e-mail i'm replying to. You can either produce the session-key (e.g. with gpg --show-session-key) or produce the signed message to demonstrate that you have control of Robert's secret key material: -BEGIN PGP MESSAGE- Version: GnuPG v2 hQIOA7imt0wAGJLCEAf/f8YJHSum4fhlU6o54747oW76E2wGPotvIU3g7kfpOBWa kjPB/x1VLrwYbCvJX2c7EmvshTwzZ2v4mqVfQ4d5shRqVCgtMiJlvxjrtQB9Rs29 6Im16cQeMNWSVT51HltoSkt5ZaA2Rx/19UEdFIRz9NR4kkXvGd3W3ZIj8FUBMHHy tLCCkaUI+9xZjQu32IVyhkUSrdSPvXMdHd0s2iaecUJxSuHeWeumTxkXZtX/ajlB VIy8Tc0zOPCK+FNhGKqasVvGhAABRxzXBLCgXu5v68hs3fv72JLdt2nbBVxG SjCN9v4FiPf5+dH+5rsKsDoEL7sIgHgiQX+m5vfs+wf/diBQW55yisHtfneQeTe4 DQc2Zl/dsOIMF5ZnouyZgW2ha2h1MG/6nYlnbrauBUYNSP19XI4YO3yt33Z4RjmD tsl92ENrio37hsOmjFOB54ail57tmkL7VoNYqBhbOnNcPK9FSPoPVsIT4t7TZm9Z uCVHa2P5/IZmUT2G9MfoZZuJDg/b4QhWOWNPEQc+qWgxB6GbEfFLSENO74xb7NN/ x6PbM7qRLqE8/rPBzm29zYBmWHKLBli4ibAuEHtXPN7pHBZiLdQ26uRl2mB+FOJy oCbgPdY+SDYKrLmi4/fL7d+kgJuWL5ox+0ZukV0vPax+ouXH/TsPN1NfMYO8t+R7 I9LpAeXFD2dTf25g8nnnC+pZK0gRgkaBHJ8YJQ3rkuL3Zn223KyAaXyIFMU18+Cc 7UiHPjNdA9imcFm0Bwu7rs0+Xu/+C/JOQf1pwhZb5/6f5BqqZAw1nhKi/lXrP4Ei mLHw5Yn1VDRBnyqtKM4EBmrSye8q+qdd5kVARyr5Rsl8NFi4PC8eM09C29h4JfFy yNZJEmJ7kqUiN/Lh1UegjaBbu0Zq1LASfAvcL040HHeMaswqEI+SZG2dI9tQcPws cqJvT/+Jx18PWOPo/sB6ITkyoeuGAUh0o+6UJ7bIxIMCNRluy8UBGxGgqi7jqPTs oXiHaf7GkMXcjZJUiYiCJH6G1GuS+mUwiIgzedCibm8TUGpLETW7hW7R4d3bcWon d6gZr/avBHNLqIWsWtaDi05x2MyBTiYqJuc2g2VRUCiXqU5ME1OoYC8KBtanQ+zj YO0bWVaDfCkbI6M8yLZ6u7glXLYLUOYhZ9/vlBgD8xbpiBo9AhUBejheqMOM55Fm AAVV7HYG78iz2tx8kv+HyC1e7Rg3AtjtphOw5tSfFMgIE9jTQZGDBE4GCyZtddQy edjX+a6MlWGN7DBttAentgFDXraKjD4zQszRNa4r0G8YiGWxTElBV1JPOrLbr8uA 9qc3Rt6cdM5Vd4AApoAxHf4L/josR0Cowm1wav6tRQxKKrXA/OYjnBDBfF2t+hAG zwikEoCrxERMF6fxvN+ovytsmvSFfMRulStl/L4i3kR/blfvZOp0FfjL5vdtboIA iGXqj7khAg5B47x3o31WgHAe0ZuzK+Vosdj5fpBk/Oo8oeHbQjPg6KOUNhOQuhey M4CDo1EJwjPbRhQNUGhK21hCHaShWS3rCCO5t/yYNEI1tdqIjpurUyxr1SlNcoqz AB+djexxxR8WZa4Mno9WVrLFDMOkcKFrWCILjL+AoGHAP0oc8jpyjiOlyWq7xvDn T4y5b9Lj0gJ1AbdOhRpymvq2WaXeZNWBlVCUFIXcHrhQLxvCPmbE56Bclt8C2cx0 +pICppn4mSMCsUhgEwGeAwl+9+lZjcbRo7au0817lXsk+BWJ1DpMBG5nO/c8ljDa +9ZgHjvN3iyb9fCsA9NngQic8o3NOYH90rFP0M+cS7HOY016UdOjF7Mk4tjjGJfJ Liv4s2+UtZA3zcodTMjeecEu421wDHp7Nj2NG9DacloVf6ZgRGKbRRLKY+59prIx hcxxCZJDZV3BooVDIkDyWhG4ztPEMBlZFw+qnyGcm1IJciWXjshfNiTQxONZQKxb jQ== =ED52 -END PGP MESSAGE- Given the poor communication patterns and lack of retraction of unfounded claims, i'm not currently worried that this is a real attack. I am prepared to take it seriously if Mircea can follow up effectively on either of the challenges here, though. Regards, --dkg ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OPENPGP URI PROPOSAL
On 22/05/2015 1:59 am, mofo syne wrote: You might see a few copies around. This one is edited and streamlined with some advice from Hasimir to help keep this proposal focused. For the benefit of the rest of the list, Hasimir is my IRC handle on freenode and a few other places. An /ns info command on freenode will show the key ID for the key I'm signing this message with too should anyone care. Regards, Ben P.S. Yes, the handle is a reference to Dune. signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users