Re: GPG on Android

2018-11-08 Thread Arthur Ulfeldt
For years I've been using OpenKeychain and keeping a signing and encryption
subkey on an NFC YubiKey. When I went to use encrypted email on the phone
(which is basically only from Facebook) I tap the key to the back of the
phone. If I want to read the same email on my laptop I plug it in there.
It's been smooth and solid for years.

Recently I got a YubiKey 4 which I plug into the USB port on the phone. It
works just as well. I slightly preferred the NFC version.

On Thu, Nov 8, 2018, 7:40 AM amuza wrote:
>
> john doe:
> > On 11/4/2018 10:55 PM, Roland wrote:
> >> Hello list,
> >>
> >> I share the wish for encrypted email on Android, but I am afraid of
> storing a secret key on my android phone. (theft, hacking, loss, etc)
> >
> > In case of theft/lost using subkey is somewhat easier because you can
> > revoke that subkey only.
> >
>
> An encrypted Replicant phone [0] + K-9 Mail + Openkeychain using subkeys
>
> [0] https://replicant.us/
>
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Update FAQ about revocation certificates?

2018-11-08 Thread Stefan Claas
On Thu, 8 Nov 2018 15:21:58, Damien Goutte-Gattat via Gnupg-users
wrote:
> Hi GnuPG folks,
> 
> The current version of the FAQ recommends creating a revocation
> certificate at several places.
> 
> 
> § 7.17
> 
>   "We recommend you create a revocation certificate immediately
>after generating a new GnuPG certificate."
> 
> 
> § 8.5
> 
>   "What should I do after making my certificate?
>Generate a revocation certificate"
> 
> 
> § 10
> 
>   "What are some common best practices?
>[...] Generate a revocation certificate"

OK, I have an example which happened a while
ago to me... [stupid me]

I forgot the passphrase of my key but had a revocation
certificate stored in a safe place. I renovated my
apartment and accidentally threw away the box
in which the revocation cert was stored... :-(

How would you proceed now?

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas




Re: OpenPGP Card V3.3 keytocard error invalid value

2018-11-08 Thread Antony Vennard via Gnupg-users
Hi Gerd,

>> I was previously able to move all three keys to a card. I'm now
>> repeating the exercise on a fresh card.
>> 
>> I'm unable to proceed without getting an error "invalid value" from
>> keytocard. The key type is set correctly on the card in card status (for
>> the key that was selected), but the key is not moved. Sometimes I can
>> move one of my three keys and the others stubbornly refuse to move.
> 
> what driver do you use to connect GnuPG to your card reader?

> I experienced several weird communication problems when using the pcsc driver.
> They all went away after I switched to the ccid driver from GnuPG.

PCSC, as you guessed. Interesting that this should cause issues. I've never had 
a problem moving RSA keys with pcsc.

I can also report that I was able to move both an S and E key to the card last 
night, but not an authentication subkey. I am also able to generate an 
authentication subkey on the card. For my uses, this is sufficient - I want to 
be able to recover the encryption key should the card be lost or damaged - 
authentication keys can just be regenerated. 

Unfortunately I'm not sure if this would work if I tried again.

I'll have a more detailed look in the next few weeks when I have time to poke 
at scdaemon logs, change configs etc. 

> Kind regards,
> 
> Gerd

--

Kind regards,

Antony



Re: GPG on Android

2018-11-08 Thread amuza



john doe:
> On 11/4/2018 10:55 PM, Roland wrote:
>> Hello list,
>>
>> I share the wish for encrypted email on Android, but I am afraid of storing 
>> a secret key on my android phone. (theft, hacking, loss, etc) 
> 
> In case of theft/lost using subkey is somewhat easier because you can
> revoke that subkey only.
> 

An encrypted Replicant phone [0] + K-9 Mail + Openkeychain using subkeys

[0] https://replicant.us/



Re: Slightly OT - i need the proper wording for a signed document

2018-11-08 Thread Stefan Claas
On Sun, 4 Nov 2018 21:51:00 +0100, Stefan Claas wrote:
> On Sat, 3 Nov 2018 17:48:41 +0100, Stefan Claas wrote:

> 
> 
> First I signed the document with my qualified certificate and then
> gave it a qualified time stamp. Finally I detach-signed the .pdf
> with my current key and after this I time-stamped the detached sig
> with the opentimestamp.org service.
> 
> Please note the attestation on opentimestamp.org is currently pending.
> 
> Maybe this example could be useful for other people too.
> 
> Criticism and comments are welcome!

And a declaration of ownership.



Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas




Update FAQ about revocation certificates?

2018-11-08 Thread Damien Goutte-Gattat via Gnupg-users
Hi GnuPG folks,

The current version of the FAQ recommends creating a revocation
certificate at several places.


§ 7.17

  "We recommend you create a revocation certificate immediately
   after generating a new GnuPG certificate."


§ 8.5

  "What should I do after making my certificate?
   Generate a revocation certificate"


§ 10

  "What are some common best practices?
   [...] Generate a revocation certificate"


However, since GnuPG 2.1 a revocation certificate is now
automatically generated by GnuPG at the same time a new key pair
is created, and stored in $GNUPGHOME/openpgp-revocs.d.

Therefore the above recommendations should either be removed or at
the very least amended to explain that they are only necessary
with GnuPG < 2.1.

FWIW, I believe they should be removed completely. Rationale: it
was decided three years ago not to mention GnuPG 1.4 in the FAQ
[1]. Since then, GnuPG 2.0 has been end-of-lifed and so in my
opinion should not be mentioned either. Thus the FAQ should only
focus on "modern" GnuPG (>= 2.1), and with modern GnuPG there is
no need to recommend generating a revocation certificate.

On the same topic, the answer to the question "How do I generate a
revocation certificate?" (§ 8.5) should be amended to explain that
such a revocation certificate may already have been generated.
("May", because it is possible the user asking this question has
generated his or her key a long time ago, using an older version
of GnuPG.)

Comments are welcome.

Cheers,

Damien


[1] https://lists.gnupg.org/pipermail/gnupg-users/2015-August/054172.html


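Damien's point above, that GnuPG 2.1 and later already writes a revocation certificate to $GNUPGHOME/openpgp-revocs.d/<FINGERPRINT>.rev, comes with a practical catch: GnuPG puts a colon in front of the BEGIN line so the file cannot be imported by accident, and that colon has to be removed before `gpg --import`. The following is an added example, not GnuPG's code and not something posted to the list. It strips the colon, checks the armor CRC-24, and confirms that the packet is a v4 key-revocation signature (signature type 0x20) with its reason-for-revocation subpacket, cross-checking the issuer key ID against the fingerprint GnuPG prints in the file header. The sample file it builds is constructed for the demo: the fingerprint, user ID and the trailing MPI are placeholders rather than a real signature, so the script checks structure only; verifying the signature itself still needs the public key and gpg.

```python
# Added example (not GnuPG's code): inspect a GnuPG >= 2.1 revocation certificate file,
# $GNUPGHOME/openpgp-revocs.d/<FINGERPRINT>.rev, without gpg; see remove_safety_colon().
import base64
import re
import struct

SIG_KEY_REVOCATION = 0x20  # RFC 4880 5.2.1: key revocation signature
SUBPKT_CREATION_TIME, SUBPKT_ISSUER, SUBPKT_REASON = 2, 16, 29
REASONS = {0: "no reason", 1: "key superseded", 2: "key compromised", 3: "key retired"}
ARMOR_BEGIN, ARMOR_END = "-----BEGIN PGP PUBLIC KEY BLOCK-----", "-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data: bytes) -> int:
    """OpenPGP ASCII-armor checksum (RFC 4880 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def remove_safety_colon(text: str) -> str:
    """Return the file with GnuPG's protective ':' before the BEGIN line removed."""
    return text.replace(":" + ARMOR_BEGIN, ARMOR_BEGIN, 1)

def unarmor(text: str) -> bytes:
    """Extract the packet bytes from the armored block and check its CRC-24 trailer."""
    lines = remove_safety_colon(text).splitlines()
    body = lines[lines.index(ARMOR_BEGIN) + 1:lines.index(ARMOR_END)]
    body = body[body.index("") + 1:] if "" in body else body  # skip "Comment:" headers
    raw = base64.b64decode("".join(l for l in body if not l.startswith("=")))
    crc_line = next(l for l in body if l.startswith("="))
    if crc24(raw) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("armor CRC-24 mismatch: file is corrupt or was edited")
    return raw

def parse_subpackets(data: bytes) -> dict:
    """Signature subpackets (RFC 4880 5.2.3.1) keyed by type, critical bit masked off."""
    out, pos = {}, 0
    while pos < len(data):
        length = data[pos]; pos += 1
        if 192 <= length < 255:
            length = ((length - 192) << 8) + data[pos] + 192; pos += 1
        elif length == 255:
            length = struct.unpack(">I", data[pos:pos + 4])[0]; pos += 4
        out[data[pos] & 0x7F] = data[pos + 1:pos + length]
        pos += length
    return out

def inspect_revocation_file(text: str) -> dict:
    """Confirm one v4 key-revocation signature packet and report its metadata (structure only)."""
    raw = unarmor(text)
    if (raw[0] & 0xC0) != 0x80 or ((raw[0] >> 2) & 0x0F) != 2:  # old-format header, tag 2
        raise ValueError("not an old-format signature packet")
    hdr_len = {0: 1, 1: 2, 2: 4}[raw[0] & 3]
    body = raw[1 + hdr_len:1 + hdr_len + int.from_bytes(raw[1:1 + hdr_len], "big")]
    if body[0] != 4:
        raise ValueError(f"unsupported signature version {body[0]}")
    hlen = struct.unpack(">H", body[4:6])[0]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    hashed = parse_subpackets(body[6:6 + hlen])
    unhashed = parse_subpackets(body[8 + hlen:8 + hlen + ulen])
    reason = hashed.get(SUBPKT_REASON, b"\x00")
    issuer = (hashed.get(SUBPKT_ISSUER) or unhashed.get(SUBPKT_ISSUER, b"")).hex().upper()
    fpr = re.search(r"\b([0-9A-F]{40})\b", text)  # fingerprint GnuPG prints in the header
    return {
        "is_key_revocation": body[1] == SIG_KEY_REVOCATION,
        "created": struct.unpack(">I", hashed[SUBPKT_CREATION_TIME])[0],
        "issuer": issuer,
        "fingerprint": fpr.group(1) if fpr else None,
        # a v4 key ID is the low 64 bits of the fingerprint, so the two must agree
        "issuer_matches_header": fpr is not None and fpr.group(1)[-16:] == issuer,
        "reason": (reason[0], REASONS.get(reason[0], "unknown"), reason[1:].decode()),
    }

def build_sample_rev_file(fingerprint: str, reason_code: int, reason_text: str, created: int) -> str:
    """CONSTRUCTED sample in GnuPG's .rev layout (short reason text only); the trailing MPI is
    a placeholder, not a real signature, so it only exercises the parser and must never be imported."""
    reason = bytes([reason_code]) + reason_text.encode()
    hashed = (bytes([5, SUBPKT_CREATION_TIME]) + struct.pack(">I", created)
              + bytes([len(reason) + 1, SUBPKT_REASON]) + reason)
    unhashed = bytes([9, SUBPKT_ISSUER]) + bytes.fromhex(fingerprint[-16:])
    body = (bytes([4, SIG_KEY_REVOCATION, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x12\x34" + b"\x00\x08\xab")
    packet = bytes([0x88, len(body)]) + body  # old-format header: tag 2, one-octet length
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return ("This is a revocation certificate for the OpenPGP key:\n\n"
            f"pub   rsa2048 2018-11-08 [SC]\n      {fingerprint}\n"
            "uid   Example User <user@example.org>\n\n(GnuPG's explanatory text goes here)\n\n"
            f":{ARMOR_BEGIN}\nComment: This is a revocation certificate\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + f"\n={crc}\n{ARMOR_END}\n")

if __name__ == "__main__":
    sample = build_sample_rev_file("A1B2C3D4E5F60718293A4B5C6D7E8F9001122334", 2, "Lost the passphrase", 1541692800)
    print(inspect_revocation_file(sample))
    print(remove_safety_colon(sample))  # this is what `gpg --import` would accept
```

Run it on a real .rev file by reading the file into `inspect_revocation_file`; if `issuer_matches_header` is false, the armored certificate and the human-readable header do not belong to the same key, which is worth knowing before publishing it. Any edit to the armored lines, including a stray character picked up in a text editor while removing the colon, shows up as a CRC-24 mismatch.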


Re: OpenPGP Card V3.3 keytocard error invalid value

2018-11-08 Thread Gerd v. Egidy
Hi Antony,

> I was previously able to move all three keys to a card. I'm now
> repeating the exercise on a fresh card.
> 
> I'm unable to proceed without getting an error "invalid value" from
> keytocard. The key type is set correctly on the card in card status (for
> the key that was selected), but the key is not moved. Sometimes I can
> move one of my three keys and the others stubbornly refuse to move.

what driver do you use to connect GnuPG to your card reader?

I experienced several weird communication problems when using the pcsc driver. 
They all went away after I switched to the ccid driver from GnuPG.

Kind regards,

Gerd




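Gerd's suggestion above, together with Antony's plan to look at scdaemon logs, as an added example that is not from either of them: a small script that writes an scdaemon.conf for either GnuPG's internal CCID driver or PC/SC, turns on an scdaemon log, and restarts scdaemon so the change takes effect. It assumes GnuPG 2.1 or later on Linux with PC/SC provided by libpcsclite.so.1 and pcscd managed by systemd; the script name scd-driver.sh and the log path /tmp/scdaemon.log are arbitrary choices.

```shell
#!/bin/sh
# Added example, not from the thread: switch scdaemon between GnuPG's internal CCID driver
# and PC/SC, turn on an scdaemon log for the next failed keytocard, and restart scdaemon.
# Assumptions: GnuPG 2.1+ on Linux, PC/SC supplied by libpcsclite.so.1, pcscd run by
# systemd; adjust the library name and the service handling for other platforms.
set -eu

GNUPGHOME="${GNUPGHOME:-${HOME:-.}/.gnupg}"
SCD_CONF="$GNUPGHOME/scdaemon.conf"

# Print an scdaemon.conf for the chosen driver.  "ccid" = GnuPG's own USB CCID driver,
# which is the default as long as disable-ccid is absent; "pcsc" = go through pcscd.
scdaemon_conf() {
    case "$1" in
        ccid) printf '%s\n' '# internal CCID driver: do NOT set disable-ccid' ;;
        pcsc) printf '%s\n' 'disable-ccid' 'pcsc-driver libpcsclite.so.1' ;;
        *)    echo "usage: scdaemon_conf ccid|pcsc" >&2; return 2 ;;
    esac
    # "basic" is a reasonable starting point; raise it (advanced, expert, guru) only while
    # reproducing a problem, since the higher levels may log sensitive data.
    printf '%s\n' 'log-file /tmp/scdaemon.log' 'debug-level basic'
}

# Exit 0 if the given scdaemon.conf selects PC/SC, i.e. has an active (uncommented)
# disable-ccid line.
uses_pcsc() {
    grep -qE '^[[:space:]]*disable-ccid' "$1"
}

# Write the config, restart scdaemon and re-read the card.  The internal CCID driver needs
# the USB reader for itself, so a running pcscd has to be stopped before switching to it.
switch_driver() {
    scdaemon_conf "$1" > "$SCD_CONF"
    if [ "$1" = ccid ] && command -v systemctl >/dev/null 2>&1; then
        sudo systemctl stop pcscd.service pcscd.socket || true
    fi
    gpgconf --kill scdaemon
    gpg --card-status
    echo "scdaemon log: /tmp/scdaemon.log"
}

# Only act when a driver name is given, e.g.:  sh scd-driver.sh ccid
if [ "$#" -gt 0 ]; then
    switch_driver "$1"
fi
```

If `gpg --card-status` works after the switch, retry the `keytocard` operation with the same configuration before changing anything else; if it still fails, the log written by scdaemon is the place to look rather than the gpg output alone.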


Re: Most secure GPG combination for Mac OSX

2018-11-08 Thread Ralph Seichter
* Andrew Luke Nesbit:

> Enigmail and GPGTools are orthogonal components re: Thunderbird.
> Enigmail is something like the interface to the underlying GPG
> implementation.

Enigmail needs any one PGP/GPG binary. GPG Suite includes a binary that
is based on the official GnuPG sources. Other options to get such a
binary include using packages available via MacPorts, Homebrew or
compiling GPG yourself. In the end, all is based on the work of Werner
et al.

-Ralph
