Re: a step in the right direction

2018-01-15 Thread listo factor via Gnupg-users

On 01/16/2018 01:17 AM, Robert J. Hansen - r...@sixdemonbag.org wrote:

> The SKS community has been discussing a considerably worse nightmare
> scenario for the past seven years.

Considering the possibility that this particular system will
be forced to conform to a more contemporary (and I would argue
more enlightened) legislative framework in respect to the right to
privacy (cf., https://en.wikipedia.org/wiki/Right_to_be_forgotten)
should not be viewed as "discussing a [...] nightmare scenario",
it should be considered as planning for demands that will be placed
on the system by developments outside of it, i.e., by developments
of the society that the system is supposed to serve.

If there is merit to the principle that an Internet server operator
cannot keep publicly serving private data over the objections of
the owner (the same as today, after many battles, he can no longer
publicly serve data of commercial value over the objections of its
owner), then it is not unreasonable to assume that most enlightened
jurisdictions will sooner or later enact such legislation. Yes, it
is DRM, but in my view ethically much more justifiable than DRM over
the data of commercial value.

The fact that one large jurisdiction is well on its way with
enacting this, while another is not there yet, should be viewed
as a fortunate circumstance, one that buys us time to do what needs
to be done, not as an excuse to bury our heads in the sand.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: a step in the right direction

2018-01-15 Thread Robert J. Hansen
> I would never allow my opinion of what are the "good places" and what
> are the "bad places" to enter into a technical discussion.
> (On immigration, or on security engineering).

I think you'll have a hard time convincing people that when speaking
about human rights activists in North Korea, it's somehow inappropriate
to say they're living in a bad place.  Repressive governments are real
threats to human rights, and it doesn't do anyone any good to pretend
otherwise.

> Burning it down is not what I was advocating. I am advocating orderly
> evacuation and replacement of a system that has clearly outlived its
> usefulness.

No, you're not.

Evacuation and replacement requires a replacement exists.  The moment
you present an alternative that's running and working and stable, *then*
we can have a discussion about moving to the exits.

> EU legislation, among other things, will see to that. The times are
> changing, and nobody is free to keep serving publicly someone else's
> private information over the objections of the owner.

US keyservers are.  The only thing EU regulations will do is end
keyservers in the EU.

The SKS community has been discussing a considerably worse nightmare
scenario for the past seven years.  There have been a number of flawed
proposals made in that time period.  Your time might be better spent
perusing the last seven years of sks-devel to learn what has already
been proposed and the flaws in each of them.



Re: a step in the right direction

2018-01-15 Thread listo factor via Gnupg-users

On 01/15/2018 10:45 PM, Robert J. Hansen - r...@sixdemonbag.org wrote:

>> Which would be step in the right direction when compared
>> with the current situation.
>
> ...
> First, people in bad places like Syria and Iran lose the ability to...

I would never allow my opinion of what are the "good places" and what
are the "bad places" to enter into a technical discussion.
(On immigration, or on security engineering).

...

> _Literally every major FOSS package manager breaks.  Updates become
> impossible._
>
> Let that sink in for a moment.
>
> I don't think you understand anything about the ecosystem here.  You're
> advocating burning down a _critically important part of the entire FOSS
> landscape._


Burning it down is not what I was advocating. I am advocating orderly
evacuation and replacement of a system that has clearly outlived its
usefulness. If it is not replaced in time, it will, at some point,
burn, ignited by forces we have no control over. ~Then~ it will have
to be abandoned in a rather more painful manner - just as you are
alluding to.

EU legislation, among other things, will see to that. The times are
changing, and nobody is free to keep serving publicly someone else's
private information over the objections of the owner. "This is the
way we always did it" is a poor response and it will not be a valid
one forever.




Re: Hide UID From Public Key Server By Poison Your Key?

2018-01-15 Thread Robert J. Hansen
> Just an idea, it might be more efficient if I just
> commit online suicide (throw away my current
> identity).

I should also add: in addition to being a dick move, this approach
doesn't work.  It's genuinely counterproductive.

If I were to see a certificate with a hundred different UIDs, I'd
immediately start digging around.  This is not what you want: in the
course of poisoning your cert you've made it odd, unusual, and interesting.

Next thing I'd do would be to start scouring the internet for these
usernames.  Most would simply not have any trail associated with them
whatsoever: I'd email them and get bounce messages to confirm it.  I've
now largely cured your attempt at poisoning your cert.  I'm down to a
handful of user IDs.

One of them will have a very carefully-curated digital trail.  The
others will not.  Congratulations: I've just found the identity you want
to keep secret.  Now I know there's some connection between this
identity and the small number of user IDs that are left after depoisoning.

Now it's just a matter of time until I figure out who you are and what
fake identity you're using... and here's the rub: until I saw over 100
UIDs on your cert, I wouldn't have given a damn and wouldn't have bothered.

The worst thing you can do in your situation is to draw attention to
your mistake.  Your poisoning attempt is genuinely counterproductive.
You're making yourself visible.

I cannot advise against this course of action strongly enough.  Burning
your current fake identity is probably far safer and more effective.



Re: Remove public key from keyserver

2018-01-15 Thread Robert J. Hansen
(Responding here because Stefan's message hasn't hit my mail server yet)

>>> It's from 2003.  It doesn't need modernization.
>>
>> No? I for one would like to be sure that i am the only person who can
>> upload my public key to a key server directory.

Which is not a modernization issue.  It's a feature request, and the
feature you're asking for is DRM.  Literally.  You're asking that the
keyserver network be rewritten to give you the ability to manage how
information, which you think belongs to you, gets shared: that's DRM.
DRM schemes are awful and they don't work.



Re: Remove public key from keyserver

2018-01-15 Thread Andrew Gallagher

> On 15 Jan 2018, at 21:13, Matthias Mansfeld wrote:
> 
> could this be implemented in a way that the _upload_ (not the 
> spreading between keyservers) requires signing? (unless it is a 
> revocation certificate)?

So long as there is one keyserver somewhere in the ecosystem that fails to 
enforce this, I don’t see the point...

A



Re: a step in the right direction

2018-01-15 Thread Robert J. Hansen
> Which would be step in the right direction when compared
> with the current situation.

... shutting down a keyserver network relied on by literally tens of
thousands of people, to say nothing about OS distributions, is a "step
in the right direction"?

Okay.  Fine.  Let's say you wave a magic wand and you're able to make
the keyserver network go away.  What are the immediate, *predictable*,
consequences?

First, people in bad places like Syria and Iran lose the ability to
easily get public keys for journalists in free countries.  The neat
thing about the pool is nobody knows exactly who all is in it.  Years
ago for some months I ran a covert keyserver to see how practical it
would be for people in hostile regimes: my keyserver was not part of the
public pool, but synced with it.  That's useful because a regime might
firewall off the entire pool, but so long as covert nodes exist the
whole of the network is still accessible even in information-controlling
regimes.

Second, your operating system -- if you're running something like a
Linux distro, or macOS using Homebrew, or heck, even Windows with
msys2/mingw -- *BREAKS*.  You can't get updates any more.  Let's look at
why, using the package manager in msys2/mingw/Arch Linux.  It's called
pacman.

In pacman, each package is signed by the package maintainer.  The
package maintainer's certificate is in turn signed by at least three
other pacman maintainer certs.  E.g., if you manage a package called
"fooblitzsky", you sign the fooblitzsky packages with your cert, and
three msys2 maintainers sign your cert.  This way, end users can be
confident that you, the maintainer, personally authorized this release,
and that you're trusted by the msys2 team.

Now that you've taken down the keyserver network, you go to install
fooblitzsky, and ... uh ... wait.  You can get the package, but you have
no way of getting the maintainer's cert to verify the package.

_Literally every major FOSS package manager breaks.  Updates become
impossible._

Let that sink in for a moment.

I don't think you understand anything about the ecosystem here.  You're
advocating burning down a _critically important part of the entire FOSS
landscape._



Re: Remove public key from keyserver

2018-01-15 Thread Matthias Mansfeld
On 15 Jan 2018 at 21:23, Stefan Claas wrote:

> On Mon, 15 Jan 2018 15:00:34 -0500, Robert J. Hansen wrote:
> > > How long do we have now those old fashioned key servers  
> > 
> > SKS came out in 2003.  It largely replaced PKS, which was widely
> > considered old and broken.  SKS was Yaron Minsky's Ph.D thesis,
> > wherein he developed some really cutting-edge math to make key sync
> > fast and reliable.
> > 
> > "Old-fashioned" is not the phrase I'd use to describe something
> > considerably newer than GnuPG.
> > 
> > >, and was
> > > there ever been made attempts by the software maintainers to
> > > modernize the code  
> > 
> > It's from 2003.  It doesn't need modernization.
> 
> No? I for one would like to be sure that i am the only person who can
> upload my public key to a key server directory.
> 

could this be implemented in a way that the _upload_ (not the 
spreading between keyservers) requires signing? (unless it is a 
revocation certificate)?

> Example: Bob does some nasty things with Alice her key which she
> don't like, or better said hate. Since there is no key removal
> currently implemented how should she  deal with that?

Or it may be desirable/necessary not to disclose connections between 
specific persons, User IDs etc., thus to remove critical signatures.

Regards
Matthias
--
OpenPGP: http://www.mansfeld-elektronik.de/gnupgkey/mansfeld.asc
Fingerprint: 6563 057D E6B8 9105 1CE4 18D0 4056 1F54 8B59 40EF




a step in the right direction

2018-01-15 Thread listo factor via Gnupg-users

On 01/15/2018 06:53 PM, Andrew Gallagher wrote:

>> On 15 Jan 2018, at 16:39, Stefan Claas wrote:
>>
>> Maybe we need (a court) case were a PGP user requests the removal
>> of his / her keys until the operators and code maintainers wake up?
>
> You also need to prove that removal is technically possible. Otherwise all that
> such a court case will achieve is to shut down the keyservers.


Which would be step in the right direction when compared
with the current situation.




Re: Remove public key from keyserver (was: Hide UID From Public Key Server By Poison Your Key?)

2018-01-15 Thread Matthias Mansfeld
On 15 Jan 2018 at 18:53, Andrew Gallagher wrote:

> 
> > On 15 Jan 2018, at 16:39, Stefan Claas wrote:
> > 
> > Maybe we need (a court) case were a PGP user requests the removal of
> > his / her keys until the operators and code maintainers wake up?
> 
> You also need to prove that removal is technically possible. Otherwise
> all that such a court case will achieve is to shut down the
> keyservers.

OK, THIS should be basically possible to implement, in the same way
as a new or updated key propagates itself. Not now, but it would be a
good idea. And with no warranty, however, that this key is not
backbackbackupped anywhere else and eventually loaded up again.

Does any flag exist for pubkeys saying "please do never ever store this
key on a keyserver"? If not, that would be a good idea, too. There are
many reasons NOT to want a key on the keyservers.

Regards
Matthias
--
OpenPGP: http://www.mansfeld-elektronik.de/gnupgkey/mansfeld.asc
Fingerprint: 6563 057D E6B8 9105 1CE4 18D0 4056 1F54 8B59 40EF




Re: Hide UID From Public Key Server By Poison Your Key?

2018-01-15 Thread Jason Lawrence
> Uh -- how? 

Because I have associated not only my real name,
but also my working email, and it is listed on my
company's home page. If people are trying to
follow you, they are not going with a presumption of
innocence, and too many things can help them
justify their doubt -- such as your timezone,
language style, grammar and spelling errors. To make
it worse, I was working in a very small industry
where there are only 3 companies providing such a service,
and I talked a lot about it in the past with my
online identity.

> This is a total dick move. Don't do this. You'll 
> make yourself a lot of enemies

I do not have to pick any real name, at least not
from any pgp user. I can just use a fake name
generator, put those names under my company's
domain, or just add my colleague's email to it --
they will never notice. Even if they do, they can
only see their UID under a revoked key, and it
looks just like other ancient garbage keys in the
server. I will try to make it as harmless as
possible. 

The only problem is how the pgp key server
handles 2 public keys with a duplicated
timestamp. If I cannot insert some fake UIDs
before my real one, the whole thing will be
pointless.


Sent: Monday, January 15, 2018 at 3:13 PM
From: "Robert J. Hansen" 
To: gnupg-users@gnupg.org
Subject: Re: Hide UID From Public Key Server By Poison Your Key?

> Let's say, you have accidentally associated your
> real name to the key under your online name and
> upload it to public key server, which allows
> anyone to connect your online identity to the
> person in real life.

Uh -- how?

There is no mechanism in the keyserver to do this. That's why you have
to validate certificates you receive from the keyserver. The fact
there's a UID named "Robert J. Hansen " on key
0xB44427C7 provides you with precisely *zero* evidence that I'm Rob
Hansen or that Rob Hansen even exists. For all you know my name is
Maurice Micklethorpe.

> Since you can never remove
> anything from the public key server, You are
> wondering if you can add something to it -- for
> example, add another 100 of UIDs with other
> people's real name and emails so people can not
> find out which one is yours, and append another
> 100 of digital signature so people get tired
> before figure out which one is from valid user.

I rarely use language like this, but this time I think it's warranted:

This is a total dick move. Don't do this. You'll make yourself a lot
of enemies, and if you pick the wrong real names and emails, some of
those people are pretty damn good at figuring out what's going on.

Don't put real names and emails belonging to other people on your cert.
It's *rude*. If someone goes looking for "Robert J. Hansen
" I want them to see one cert is newest and I want
them to use that one. If you go about putting my name and email address
on your cert, I'm going to get cross.

Again: this is a total dick move. Don't do this.



Re: Remove public key from keyserver

2018-01-15 Thread Stefan Claas
On Mon, 15 Jan 2018 15:00:34 -0500, Robert J. Hansen wrote:
> > How long do we have now those old fashioned key servers  
> 
> SKS came out in 2003.  It largely replaced PKS, which was widely
> considered old and broken.  SKS was Yaron Minsky's Ph.D thesis,
> wherein he developed some really cutting-edge math to make key sync
> fast and reliable.
> 
> "Old-fashioned" is not the phrase I'd use to describe something
> considerably newer than GnuPG.
> 
> >, and was
> > there ever been made attempts by the software maintainers to
> > modernize the code  
> 
> It's from 2003.  It doesn't need modernization.

No? I for one would like to be sure that I am the only person who
can upload my public key to a key server directory.

Example: Bob does some nasty things with Alice's key which she
doesn't like, or better said hates. Since there is no key removal
currently implemented, how should she deal with that?

> Keyservers are designed the way they are for a reason.  If keyservers
> *never ever discard or modify existing data*, then you can easily
> identify any code which theoretically might be able to discard data
> as a bug, a vulnerability, or tampering with it by a malicious
> actor.  It makes code review easier and it makes it difficult for
> repressive regimes to surreptitiously take down certificates
> belonging to dissidents.
> 
> This "we never discard or modify existing data, we only ever add new
> data" rule has some *really really nice* properties for information
> security.  However, it also comes with a downside: we can't discard or
> modify existing data.
> 
> It's a package deal.  When SKS was being built in the early 2000s
> there were vigorous discussions about what properties we wanted in a
> keyserver.  We knew exactly what we were getting into.
> 
> Please, learn why it was built before you go about saying it was built
> badly.
> 
> > The old pgp.com key server solved those problems also nicely, if i
> > remember correctly.  
> 
> I worked at PGP Security during that time period.  It really didn't.
> If we'd received a court order compelling us to remove a cert from the
> keyserver and not tell anyone, we could have complied.  That gave the
> flaming heebie-jeebies to at least three engineers on the floor,
> including the keyserver admin, a guy named Randy Harmon.
> 
> Whether you embrace a "our keyserver can delete things" or "our
> keyserver is delete-free" model, that decision has immediate
> consequences you will not like.

Well, I personally liked the option that I could delete my key.

https://support.symantec.com/en_US/article.TECH148870.html

Regards
Stefan


-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas



Re: Remove public key from keyserver

2018-01-15 Thread Robert J. Hansen
> Correct, but would it be really a big loss if we would lose all the
> old fashioned key servers tomorrow? For me not.

I personally know Syrians and Iranians who have given me bear hugs at
conferences when they hear I'm involved with GnuPG, Enigmail, and am on
the periphery of SKS.  A common theme with these people is they believe,
on the basis of reasonable evidence, that their governments are involved
in active campaigns to intercept and/or degrade communications,
including by CNO means.

I have been asked probably ten times in the past five years by
dissidents, "Can I trust the keyservers?  Is there any way to tamper
with the data on them?"

I have always told them the keyservers are trustworthy, and that they
are designed to never delete or modify existing data.  This seems to be
a great relief to those dissidents.  If the keyserver network were to go
away tomorrow, it would definitely impact people in repressive regimes.




Re: Remove public key from keyserver

2018-01-15 Thread Robert J. Hansen
> How long do we have now those old fashioned key servers

SKS came out in 2003.  It largely replaced PKS, which was widely
considered old and broken.  SKS was Yaron Minsky's Ph.D thesis, wherein
he developed some really cutting-edge math to make key sync fast and
reliable.

"Old-fashioned" is not the phrase I'd use to describe something
considerably newer than GnuPG.

>, and was
> there ever been made attempts by the software maintainers to
> modernize the code

It's from 2003.  It doesn't need modernization.

Keyservers are designed the way they are for a reason.  If keyservers
*never ever discard or modify existing data*, then you can easily
identify any code which theoretically might be able to discard data as a
bug, a vulnerability, or tampering with it by a malicious actor.  It
makes code review easier and it makes it difficult for repressive
regimes to surreptitiously take down certificates belonging to dissidents.

This "we never discard or modify existing data, we only ever add new
data" rule has some *really really nice* properties for information
security.  However, it also comes with a downside: we can't discard or
modify existing data.

It's a package deal.  When SKS was being built in the early 2000s there
were vigorous discussions about what properties we wanted in a
keyserver.  We knew exactly what we were getting into.

Please, learn why it was built before you go about saying it was built
badly.

> The old pgp.com key server solved those problems also nicely, if i
> remember correctly.

I worked at PGP Security during that time period.  It really didn't.  If
we'd received a court order compelling us to remove a cert from the
keyserver and not tell anyone, we could have complied.  That gave the
flaming heebie-jeebies to at least three engineers on the floor,
including the keyserver admin, a guy named Randy Harmon.

Whether you embrace a "our keyserver can delete things" or "our
keyserver is delete-free" model, that decision has immediate
consequences you will not like.
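
Added illustration, not part of the original message and not SKS code: a toy Python model of the "only ever add" rule and of why deleting on one node does not stick while any peer still holds the data. The class and function names are hypothetical, the packets are constructed byte strings, and a naive full exchange stands in for the real synchronisation algorithm.

```python
"""Toy model of an append-only keyserver pool (illustration only, not SKS code)."""
import hashlib


def packet_id(packet: bytes) -> str:
    """Content address of one certificate packet (UID, signature, subkey...)."""
    return hashlib.sha256(packet).hexdigest()


class Keyserver:
    """Keeps, per primary-key fingerprint, every packet it has ever seen."""

    def __init__(self, name, can_delete=False):
        self.name = name
        self.can_delete = can_delete   # hypothetical removal-capable node
        self.store = {}                # fingerprint -> {packet_id: packet}

    def snapshot(self):
        """Frozen set of (fingerprint, packet_id) pairs, used for auditing."""
        return frozenset(
            (fpr, pid) for fpr, pkts in self.store.items() for pid in pkts
        )

    def upload(self, fpr, packets):
        """Merge is a set union: an upload can add packets, never replace them."""
        before = self.snapshot()
        held = self.store.setdefault(fpr, {})
        for pkt in packets:
            held.setdefault(packet_id(pkt), pkt)
        # Audit rule from the message above: stored state may only grow.
        if not before <= self.snapshot():
            raise RuntimeError("append-only invariant violated")

    def delete(self, fpr):
        """On an append-only node, reaching this code path at all is a defect."""
        if not self.can_delete:
            raise PermissionError(f"{self.name}: no code path may discard data")
        self.store.pop(fpr, None)

    def sync_from(self, peer):
        """Gossip step: take the union with everything the peer holds."""
        for fpr, pkts in peer.store.items():
            self.upload(fpr, list(pkts.values()))


def demo():
    fpr = "CONSTRUCTED-FINGERPRINT-0001"          # constructed sample value
    full_cert = [b"pubkey", b"uid:alice@example.org",
                 b"sig:by-bob", b"revocation"]     # constructed sample packets
    node_a = Keyserver("node-a")
    node_b = Keyserver("node-b", can_delete=True)
    node_a.upload(fpr, full_cert)
    node_b.sync_from(node_a)

    # 1. Uploading a stripped copy of the cert cannot hide the revocation.
    node_a.upload(fpr, [b"pubkey", b"uid:alice@example.org"])
    revocation_kept = packet_id(b"revocation") in node_a.store[fpr]

    # 2. The append-only node has no legitimate way to drop a certificate.
    try:
        node_a.delete(fpr)
        delete_refused = False
    except PermissionError:
        delete_refused = True

    # 3. A node that does delete gets the data back at the next sync.
    node_b.delete(fpr)
    gone_locally = fpr not in node_b.store
    node_b.sync_from(node_a)
    restored_by_sync = node_b.snapshot() == node_a.snapshot()

    return revocation_kept, delete_refused, gone_locally, restored_by_sync


if __name__ == "__main__":
    print(demo())
```
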



Re: Remove public key from keyserver

2018-01-15 Thread Robert J. Hansen
> Maybe we need (a court) case were a PGP user requests the removal
> of his / her keys until the operators and code maintainers wake up?

Already happened back in 2010.

https://lists.nongnu.org/archive/html/sks-devel/2010-09/msg9.html



Re: Remove public key from keyserver

2018-01-15 Thread Robert J. Hansen
> I was just thinking, would it be possible to have a tag (a UID with
> special meaning, like “please-remove...@srs-keyservers.net”?) for which
> the signature would be verified by the keyserver, and that would cause
> it to drop everything from its storage apart from this tag?

Nope.  SKS has no cryptographic code in it.  It does no evaluation of
certificates or signatures.

Adding this feature would require a vast amount of effort to add RFC4880
signature verification into the core of SKS.  And it would also destroy
one of the design goals of SKS, which is "the keyserver never discards
data".

To implement this would require a completely new keyserver
implementation, one with considerably more code, which would *by design*
drop certificates.  I'd say it would take about five years for such a
re-work to come to maturity and be trusted.  So yes, it can be done, but
it's not something to be done lightly, nor without a ton of buy-in from
the existing keyserver community.

> That said I guess ideas like this have already likely been discussed before?

Many times.  There appears to be no easy fix.




Re: Remove public key from keyserver

2018-01-15 Thread Stefan Claas
On Mon, 15 Jan 2018 18:53:26 +, Andrew Gallagher wrote:
> > On 15 Jan 2018, at 16:39, Stefan Claas wrote:
> > 
> > Maybe we need (a court) case were a PGP user requests the removal
> > of his / her keys until the operators and code maintainers wake
> > up?  
> 
> You also need to prove that removal is technically possible.
> Otherwise all that such a court case will achieve is to shut down the
> keyservers.

Correct, but would it be really a big loss if we would lose all the
old fashioned key servers tomorrow? For me not.

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas



Re: Remove public key from keyserver

2018-01-15 Thread Stefan Claas
On Mon, 15 Jan 2018 19:47:39 +0100, Peter Lebbing wrote:
> On 15/01/18 17:39, Stefan Claas wrote:
> > Maybe we need (a court) case were a PGP user requests the removal
> > of his / her keys until the operators and code maintainers wake
> > up?  
> 
> Wow, you're entertaining an interesting notion of what is "needed"!
> 
> Let's hope most people will just let keyserver operators alone while
> they offer their kind service for free to the world.
> 
> What is "needed" if you must, is someone thinking of a way to
> incorporate cryptographic validation into the whole gossip and what
> not process. Not turning loose the lawyers on people offering a free
> service. I can't believe what I'm hearing here. Just, wow.

How long have we had those old fashioned key servers now, and have
there ever been attempts by the software maintainers to
modernize the code, like, as you are saying, incorporating crypto
validation?

O.k. Werner invented WKD which solves those problems, if I'm not
mistaken, but is it besides keybase.io widely deployed?

The old pgp.com key server solved those problems also nicely, if I
remember correctly.

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas



Re: Remove public key from keyserver (was: Hide UID From Public Key Server By Poison Your Key?)

2018-01-15 Thread Andrew Gallagher

> On 15 Jan 2018, at 16:39, Stefan Claas wrote:
> 
> Maybe we need (a court) case were a PGP user requests the removal
> of his / her keys until the operators and code maintainers wake up?

You also need to prove that removal is technically possible. Otherwise all that 
such a court case will achieve is to shut down the keyservers.

A



Re: Remove public key from keyserver

2018-01-15 Thread Peter Lebbing
On 15/01/18 17:39, Stefan Claas wrote:
> Maybe we need (a court) case were a PGP user requests the removal
> of his / her keys until the operators and code maintainers wake up?

Wow, you're entertaining an interesting notion of what is "needed"!

Let's hope most people will just let keyserver operators alone while
they offer their kind service for free to the world.

What is "needed" if you must, is someone thinking of a way to
incorporate cryptographic validation into the whole gossip and what not
process. Not turning loose the lawyers on people offering a free
service. I can't believe what I'm hearing here. Just, wow.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: Remove public key from keyserver (was: Hide UID From Public Key Server By Poison Your Key?)

2018-01-15 Thread Stefan Claas
On Mon, 15 Jan 2018 17:14:40 +0100, Jason Lawrence wrote:
> > That said I guess ideas like this have already
> > likely been discussed before?  
> 
> Good luck with that, the similar discussing has
> been hold years and nothing ever changed. Last
> time I checked, a discussing in 2005 was labeled
> as "Remove public key from keyserver No.74"
>  
> 
> Sent: Monday, January 15, 2018 at 4:14 PM
> From: "Leo Gaspard" 
> To: gnupg-users@gnupg.org
> Subject: Remove public key from keyserver (was: Re: Hide UID From
> Public Key Server By Poison Your Key?)
>
> On 01/15/2018 08:13 AM, Robert J. Hansen wrote:
> >> Since you can never remove
> >> anything from the public key server, You are
> >> wondering if you can add something to it -- for
> >> example, add another 100 of UIDs with other
> >> people's real name and emails so people can not
> >> find out which one is yours, and append another
> >> 100 of digital signature so people get tired
> >> before figure out which one is from valid user.  
> >
> > I rarely use language like this, but this time I think it's
> > warranted:
> >
> > This is a total dick move. Don't do this. You'll make yourself a lot
> > of enemies, and if you pick the wrong real names and emails, some of
> > those people are pretty damn good at figuring out what's going on.
> >
> > Don't put real names and emails belonging to other people on your
> > cert. It's *rude*. If someone goes looking for "Robert J. Hansen
> > " I want them to see one cert is newest and I
> > want them to use that one. If you go about putting my name and
> > email address on your cert, I'm going to get cross.
> >
> > Again: this is a total dick move. Don't do this.  
> 
> That said, it raises the interesting question of revocation of data on
> keyservers (and the associated legal issues in operating keyservers,
> as the operator is supposed to comply with requests to remove
> personally-identifiable information from it).
> 
> I was just thinking, would it be possible to have a tag (a UID with
> special meaning, like “please-remove...@srs-keyservers.net”?) for
> which the signature would be verified by the keyserver, and that
> would cause it to drop everything from its storage apart from this
> tag? This way the “please remove me” tag would just naturally
> propagate across keyservers, and all up-to-date-enough keyservers
> will drop all the data associated with the key except the tag and the
> master public key (basically, the strict minimum to check the said
> tag).
> 
> That said I guess ideas like this have already
> likely been
> discussed before?

Maybe we need (a court) case where a PGP user requests the removal
of his / her keys until the operators and code maintainers wake up?

Or PGP users simply forget those old fashioned geek key servers
and use modern solutions like keybase.io for example.

https://en.wikipedia.org/wiki/Right_to_be_forgotten

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas



Re: Remove public key from keyserver (was: Hide UID From Public Key Server By Poison Your Key?)

2018-01-15 Thread Jason Lawrence
> That said I guess ideas like this have already
> likely been discussed before?

Good luck with that, similar discussions have
been held for years and nothing ever changed. Last
time I checked, a discussion in 2005 was labeled
as "Remove public key from keyserver No.74"
 

Sent: Monday, January 15, 2018 at 4:14 PM
From: "Leo Gaspard" 
To: gnupg-users@gnupg.org
Subject: Remove public key from keyserver (was: Re: Hide UID From Public Key 
Server By Poison Your Key?)
On 01/15/2018 08:13 AM, Robert J. Hansen wrote:
>> Since you can never remove
>> anything from the public key server, you are
>> wondering if you can add something to it -- for
>> example, add another 100 UIDs with other
>> people's real names and emails so people cannot
>> find out which one is yours, and append another
>> 100 digital signatures so people get tired
>> before figuring out which one is from the valid user.
>
> I rarely use language like this, but this time I think it's warranted:
>
> This is a total dick move. Don't do this. You'll make yourself a lot
> of enemies, and if you pick the wrong real names and emails, some of
> those people are pretty damn good at figuring out what's going on.
>
> Don't put real names and emails belonging to other people on your cert.
> It's *rude*. If someone goes looking for "Robert J. Hansen
> " I want them to see one cert is newest and I want
> them to use that one. If you go about putting my name and email address
> on your cert, I'm going to get cross.
>
> Again: this is a total dick move. Don't do this.

That said, it raises the interesting question of revocation of data on
keyservers (and the associated legal issues in operating keyservers, as
the operator is supposed to comply with requests to remove
personally-identifiable information from it).

I was just thinking, would it be possible to have a tag (a UID with
special meaning, like “please-remove...@srs-keyservers.net”?) for which
the signature would be verified by the keyserver, and that would cause
it to drop everything from its storage apart from this tag? This way the
“please remove me” tag would just naturally propagate across keyservers,
and all up-to-date-enough keyservers will drop all the data associated
with the key except the tag and the master public key (basically, the
strict minimum to check the said tag).

That said I guess ideas like this have already likely been discussed before?



LWN 'Future directions for PGP' 2018-01-03

2018-01-15 Thread Bernhard Reiter
LWN has an article that mentions
NetPGP, NeoPG, GnuPG and key distribution ideas.

January 3, 2018 contributed by J. B. Crawford
https://lwn.net/Articles/742542/

I've added some comments about recent advancements of concepts,
especially WKD.

Also I've added NetPGP and NeoPG to 
  https://wiki.gnupg.org/OtherFreeSoftwareOpenPGP
to keep track of what's out there.

Best Regards,
Bernhard

-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner




Re: skipped: Unusable public key error

2018-01-15 Thread Bernhard Reiter
On Wednesday 10 January 2018 14:51:24, Rajireddy Saddi (OSV) wrote:
> I used below command for encryption but I am getting below error
> skipped: Unusable public key error

Try the same command with more verbosity, e.g. by adding
the following options; try to get more verbose if you do not see the reason:
 -v
 -vv
 -vvv
 --debug-all

Bernhard

-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner




Re: GPG public key HELP

2018-01-15 Thread dirk1980ac via Gnupg-users
Hi.

What are you trying to do?

Do you just want to transfer your public key via email or anything like
that?

Then try:

gpg2 -a --export  > filename.asc

This gives you an ascii armored key that you can transfer in any way
you want.

Regards,
Dirk


On Sunday, 14.01.2018, at 22:57 +, Ryan Scarr wrote:
> I'm trying to convert it into an algorithm by opening it with the
> note pad so I can purchase, but it doesn’t change it into the correct
> one so that other people know my certification? How do I change my
> public file into a format that I can give to other users?
> 
-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350



Remove public key from keyserver (was: Re: Hide UID From Public Key Server By Poison Your Key?)

2018-01-15 Thread Leo Gaspard
On 01/15/2018 08:13 AM, Robert J. Hansen wrote:
>> Since you can never remove
>> anything from the public key server, you are
>> wondering if you can add something to it -- for
>> example, add another 100 UIDs with other
>> people's real names and emails so people cannot
>> find out which one is yours, and append another
>> 100 digital signatures so people get tired
>> before figuring out which one is from the valid user.
> 
> I rarely use language like this, but this time I think it's warranted:
> 
> This is a total dick move.  Don't do this.  You'll make yourself a lot
> of enemies, and if you pick the wrong real names and emails, some of
> those people are pretty damn good at figuring out what's going on.
> 
> Don't put real names and emails belonging to other people on your cert.
> It's *rude*.  If someone goes looking for "Robert J. Hansen
> " I want them to see one cert is newest and I want
> them to use that one.  If you go about putting my name and email address
> on your cert, I'm going to get cross.
> 
> Again: this is a total dick move.  Don't do this.

That said, it raises the interesting question of revocation of data on
keyservers (and the associated legal issues in operating keyservers, as
the operator is supposed to comply with requests to remove
personally-identifiable information from it).

I was just thinking, would it be possible to have a tag (a UID with
special meaning, like “please-remove...@srs-keyservers.net”?) for which
the signature would be verified by the keyserver, and that would cause
it to drop everything from its storage apart from this tag? This way the
“please remove me” tag would just naturally propagate across keyservers,
and all up-to-date-enough keyservers will drop all the data associated
with the key except the tag and the master public key (basically, the
strict minimum to check the said tag).

That said I guess ideas like this have already likely been discussed before?
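
The tag proposal in the message above, modelled as an added example; it is not part of Leo Gaspard's post and not code from SKS or any keyserver project. The tag address, the class and the function names are hypothetical, and a toy textbook-RSA check stands in for OpenPGP self-signature verification.

```python
import hashlib

# Constructed toy key (textbook RSA over two Mersenne primes), not real crypto.
N, E = (2**61 - 1) * (2**89 - 1), 65537
D = pow(E, -1, (2**61 - 2) * (2**89 - 2))         # private exponent, owner only
TOMBSTONE = "please-remove-me@keyserver.example"  # hypothetical tag UID

def digest(pub, uid):
    h = hashlib.sha256(f"{pub[0]}:{pub[1]}:{uid}".encode()).digest()
    return int.from_bytes(h, "big") % pub[0]

def sign_uid(pub, d, uid):
    return pow(digest(pub, uid), d, pub[0])

def valid(pub, uid, sig):
    return pow(sig, pub[1], pub[0]) == digest(pub, uid)

class Keyserver:
    def __init__(self, honours_tag=True):
        self.honours_tag = honours_tag
        self.store = {}                # primary public key -> {(uid, sig)}

    def submit(self, pub, packets):
        have = self.store.setdefault(pub, set())
        good = {(u, s) for u, s in packets if valid(pub, u, s)}
        tag = {(u, s) for u, s in have | good if u == TOMBSTONE}
        if self.honours_tag and tag:
            self.store[pub] = tag      # keep only the key and the signed tag
        else:
            have |= good               # ordinary append-only merge

    def sync_from(self, peer):         # stand-in for keyserver reconciliation
        for pub, packets in peer.store.items():
            self.submit(pub, packets)

def uids(server, pub):
    return {u for u, _ in server.store[pub]}

def demo():
    pub, uid = (N, E), "Alice Example <alice@example.org>"  # constructed UID
    a, b, old = Keyserver(), Keyserver(), Keyserver(honours_tag=False)
    a.submit(pub, {(uid, sign_uid(pub, D, uid))})
    for peer in (b, old):
        peer.sync_from(a)
    good_tag = sign_uid(pub, D, TOMBSTONE)
    a.submit(pub, {(TOMBSTONE, (good_tag + 1) % N)})  # forged tag is ignored
    before = uids(a, pub)
    a.submit(pub, {(TOMBSTONE, good_tag)})            # owner's signed request
    for peer in (b, old):
        peer.sync_from(a)
    b.sync_from(old)                   # legacy peer re-offers the old UID
    return before, uids(a, pub), uids(b, pub), uids(old, pub)
```

In this model the server that does not recognise the tag keeps serving the old UID next to it, which is the "up-to-date-enough keyservers" limit the post itself notes.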



GPG public key HELP

2018-01-15 Thread Ryan Scarr

I'm trying to convert it into an algorithm by opening it with the note pad so 
I can purchase, but it doesn’t change it into the correct one so that other 
people know my certification? How do I change my public file into a format that 
I can give to other users?



Hide UID From Public Key Server By Poison Your Key?

2018-01-15 Thread Jason Lawrence
Hi all,

First of all, I am sorry for using a temporary email
address.

Let's say you have accidentally associated your
real name to the key under your online name and
uploaded it to a public key server, which allows
anyone to connect your online identity to the
person in real life. Since you can never remove
anything from the public key server, you are
wondering if you can add something to it -- for
example, add another 100 UIDs with other
people's real names and emails so people cannot
find out which one is yours, and append another
100 digital signatures so people get tired
before figuring out which one is from the valid user.
Since it is easy to fake system time for PGP, you
can mix my real UID in the middle of all these.

The problem is, how will the public key server
handle 2 keys with duplicated timestamps?

Just an idea, it might be more efficient if I just
commit online suicide (throw away my current
identity).

Best regret

Jason
