Re: Practical use of gpgsm for verifying emails

2018-04-30 Thread Teemu Likonen
Jens Lechtenboerger [2018-04-30 08:19:39+02] wrote:

> You don’t. You should not trust them if you don’t know anything about
> them.

> Personally, I try to verify CAs’ fingerprints. Afterwards, I express
> my “trust” in other people’s choices of CAs when verifying their
> signatures (so, pretend “Yes” when asked about trust) but prefer
> OpenPGP over S/MIME whenever possible.

As I requested a practical discussion, I thought that there is some sort
of "practical trust" when verifying S/MIME messages, like there usually
is for the web. For example, I can point my web browser to my bank's web
site or your blog at fsfe.org and there is a friendly green lock symbol
in the browser. We normal people think that "this web site is safe"
without checking any fingerprints. Some people even know that the
browser automatically trusts certain authorities to make valid
certificates, so that it's really my bank or fsfe.org. Somebody chose
that trust for us because we normal people can't judge.

So I thought that gpgsm would be the same: some root CAs would be
automatically valid and trusted to certify others, and gpgsm would just
work like web browsers. I guess not. It forces me to judge, and since I
can't judge CAs, gpgsm is probably quite useless. I'm not complaining
about gpgsm. It's just that for a moment I thought it would be like web
browsers but for email.

OpenPGP is probably better for email because it's easier to track and
judge individuals separately with the TOFU or web-of-trust model and assign
ownertrust.

-- 
/// Teemu Likonen   - .-..    //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Can not decrypt and verify CD's

2018-04-30 Thread Andre Heinecke
Hi,

On Thursday, April 26, 2018 4:36:59 PM CEST Liana Falchetti wrote:
> I work at a credit union that gets CDs with archived information on them
> that upon arrival need to be decrypted and verified by the GnuPG software.
>
> I have to say that I have never used GnuPG software for anything except
> decrypting and verifying these particular CDs. This past week I went to
> try and decrypt one of the CDs and now I can't get the passphrase box to
> pop up in order to download the contents. I have tried absolutely
> everything and anything I can think of, including googling the error messages
> I am getting. I have no idea what I did to get this to not work properly.
>
> We are actually on a Data center network or like a cloud environment, if you
> will, with our data processor and the first time the Kleopatra software
> needed to be re-installed if what installed on the terminal server but I can
> not run CDs on the DCN and therefore, it was then put on my desktop.
>
> This is what it looks like, which looks normal to me.

Normal but outdated ;-) 

> But when I tried to Decrypt and verify the CD I always get this. I have
> tried to Certify and Import the keys and nothing is working.

This says (badly) that this file is not encrypted to the private key you have.
 
> Every time I try to Import keys:
> Could Not Determine the Certificate type of C:Program
> File/GNU/GnuPG/Kleopatra.exe.

Please update to Gpg4win-3.1.0; it's much better at detecting / importing
certificates and allows you to import certificates by double click.

> I also have the private key, as well as, the passphrase. I did change the
> passphrase today to see if that would help but of course it didn't.

No, the error is that the file is not encrypted to your private key. Changing 
the passphrase won't help.

Kleopatra 3.1.0 should show an improved error and show you to which keys it is 
actually encrypted.

Alternatively, you can open the command line (cmd.exe) and call
"gpg --decrypt "; this will definitely show to which keys it is
encrypted.


Best Regards,
Andre Heinecke


-- 
Andre Heinecke |  ++49-541-335083-262  | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
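The following is an added example, my own code and not Andre's or GnuPG's, that does at the packet level what the "gpg --decrypt" check in the reply above does: it reads the Public-Key Encrypted Session Key packets (RFC 4880, tag 1) of an OpenPGP file and lists the key IDs the file was encrypted to, so you can tell before a passphrase prompt ever appears whether one of your own keys is among the recipients. It goes slightly beyond the single command in the message by handling both old- and new-format packet headers. The message bytes are constructed inside the script, the key IDs in them are placeholders rather than real keys, the MPI contents are dummy values, and the function names (`recipients`, `is_decryptable_by`) are chosen here.

```python
"""List the recipient key IDs of an OpenPGP message from its PKESK packets.

Added example, not code from the gnupg-users thread or from GnuPG. The
sample message below is constructed for the demo; key IDs are placeholders.
"""
import struct

PKESK_TAG = 1  # Public-Key Encrypted Session Key packet (RFC 4880 5.1)
PUBKEY_ALGO = {1: "RSA", 2: "RSA-E", 3: "RSA-S", 16: "ELG-E",
               17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}


def _read_packet(data, pos):
    """Parse one packet header at data[pos]; return (tag, body, next_pos)."""
    ctb = data[pos]
    if not ctb & 0x80:
        raise ValueError("invalid packet header at offset %d" % pos)
    pos += 1
    if ctb & 0x40:  # new-format header (RFC 4880 4.2.2)
        tag = ctb & 0x3F
        first = data[pos]
        pos += 1
        if first < 192:
            length = first
        elif first < 224:
            length = ((first - 192) << 8) + data[pos] + 192
            pos += 1
        elif first == 255:
            length = struct.unpack(">I", data[pos:pos + 4])[0]
            pos += 4
        else:
            raise ValueError("partial body lengths are not supported here")
    else:  # old-format header (RFC 4880 4.2.1)
        tag = (ctb >> 2) & 0x0F
        ltype = ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length is not supported here")
        nbytes = 1 << ltype  # 1, 2 or 4 length octets
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    body = data[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body, pos + length


def recipients(data):
    """Return [(key_id_hex, algo_name), ...] for every PKESK packet in data."""
    out = []
    pos = 0
    while pos < len(data):
        tag, body, pos = _read_packet(data, pos)
        if tag != PKESK_TAG:
            continue
        if body[0] != 3:
            raise ValueError("unsupported PKESK version %d" % body[0])
        key_id = body[1:9].hex().upper()   # 8-octet long key ID
        algo = body[9]                      # public-key algorithm octet
        out.append((key_id, PUBKEY_ALGO.get(algo, "algo %d" % algo)))
    return out


def is_decryptable_by(data, own_key_ids):
    """True if at least one PKESK names one of our own long key IDs."""
    mine = {k.upper() for k in own_key_ids}
    return any(kid in mine for kid, _ in recipients(data))


def _pkesk(key_id_hex, algo=1):
    """Build a constructed PKESK packet with an old-format, 1-octet-length header."""
    mpi = b"\x00\x10\xAB\xCD"  # dummy 16-bit MPI standing in for the wrapped session key
    body = b"\x03" + bytes.fromhex(key_id_hex) + bytes([algo]) + mpi
    return bytes([0x80 | (PKESK_TAG << 2) | 0, len(body)]) + body


# Constructed sample: two recipients, then a dummy SEIPD packet (tag 18) with a
# new-format header whose content is filler rather than real ciphertext.
SAMPLE = (
    _pkesk("0123456789ABCDEF")              # placeholder RSA key ID
    + _pkesk("FEDCBA9876543210", algo=18)   # placeholder ECDH key ID
    + bytes([0xC0 | 18, 5]) + b"\x01xxxx"
)

if __name__ == "__main__":
    for kid, algo in recipients(SAMPLE):
        print("encrypted with %s key, ID %s" % (algo, kid))
    # "1111111111111111" is a placeholder for your own long key ID.
    print("our key among recipients:", is_decryptable_by(SAMPLE, ["1111111111111111"]))
```

Run it on a real file with `recipients(open(path, "rb").read())` after dearmoring; the key IDs it prints are the ones to compare against `gpg --list-secret-keys --keyid-format long`. Compressed or symmetrically encrypted messages have no PKESK packets, so an empty list means "not encrypted to any public key", not "encrypted to nobody".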



Re: Practical use of gpgsm for verifying emails

2018-04-30 Thread Jens Lechtenboerger
On 2018-04-28, Teemu Likonen wrote:

> When verifying an S/MIME message gpgsm (I think) asks whether I
> ultimately trust some certificate authority to certify others and then
> asks me to verify that a displayed fingerprint belongs to the authority.
> How do I know? (So far I have pressed the "Cancel" button.)

You don’t.  You should not trust them if you don’t know anything
about them.

> I went to the certificate authority's web page but couldn't find
> fingerprints.

That’s odd.  Maybe they publish their certificates over HTTPS,
from which you could extract the fingerprint.

> That's not how CA system usually works anyway. Usually we are not
> supposed to go searching the internet. Usually some experts have
> taught web browsers or operating systems to automatically trust
> certain authorities. So signature verification is transparent.

They added “trust,” not trust.  See [1] for my biased point of view
(still pretty accurate despite its age; nowadays, I would add a
pointer to Certificate Transparency [2]).

> Any suggestions or information for practically managing S/MIME messages?

Personally, I try to verify CAs’ fingerprints.  Afterwards, I
express my “trust” in other people’s choices of CAs when verifying
their signatures (so, pretend “Yes” when asked about trust) but
prefer OpenPGP over S/MIME whenever possible.

Best wishes
Jens

[1] https://blogs.fsfe.org/jens.lechtenboerger/2013/12/23/openpgp-and-smime/
[2] https://www.certificate-transparency.org/
