Re: ProtonMail and Anonymity

2019-05-06 Thread Andrew Luke Nesbit
[I am resending from my list-subscribed email address.]

On 06/05/2019 11:17, Mauricio Tavares wrote:

>   Another option is to buy a burner phone and SIM paying cash.
> I've seen both available in stores and supermarkets and street stands
> in at least 3 countries.

In which countries is this allowed?  In other words, is there a list
published online?

In Australia, where I am originally from, you can't do this.  But this
is hardly surprising because Australia is not a privacy-respecting nation.

Andrew
-- 
OpenPGP key: EB28 0338 28B7 19DA DAB0  B193 D21D 996E 883B E5B9

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Native OpenPGP integration with Alpine

2019-03-29 Thread Andrew Luke Nesbit
Hello,

I am gradually getting back into using Alpine for the times I need to
work with email on an interactive TTY.  I have written to the
Alpine-info list before, asking for recommendations for using OpenPGP
implementations, particularly GnuPG [1].

I received many useful responses.  However I would like to explore
options for native integration rather than using external filters.

Does anybody know of any efforts to integrate OpenPGP _natively_ into
Alpine?  Has anybody looked into this /at all/, or done anything like a
code review to see if this is even feasible?

I've been thinking about looking into this myself, although I have to
admit it's not very high on my list of priorities.  If there is existing
information that can give me a head start, or somebody with whom I can
compare notes then it's more likely I will be able to push through the
first hurdles.

Kind regards,

Andrew

[1]
https://mailman13.u.washington.edu/mailman/htdig/alpine-info/2018-May/007959.html



Re: [Alpine-info] Native OpenPGP integration with Alpine

2019-03-29 Thread Andrew Luke Nesbit
On 27/03/2019 20:32, Eduardo Chappa wrote:
> On Wed, 27 Mar 2019, Andrew Luke Nesbit wrote:
> 
>> I received many useful responses.  However I would like to explore
>> options for native integration rather than using external filters.
>>
>> Does anybody know of any efforts to integrate OpenPGP _natively_ into
>> Alpine?  Has anybody looked into this /at all/, or done anything like a
>> code review to see if this is even feasible?
> 
> There was an effort to integrate OpenPGP into re-alpine. I know it was
> unfinished code, I think that most of what is needed is in place, so I
> would try to figure out what happened to that effort as a first approach
> into concluding that effort.
> 
> If you need my assistance while working on this project, let me know. I'll
> be glad to help.

Thank you, Eduardo.  I'll have a look.

Andrew



Re: Smart cards

2018-12-13 Thread Andrew Luke Nesbit
Hey Arthur, what makes you think that Yubikey is trustworthy?

Is it because you have assessed your threat model and you disbelieve
that any potential attacks via Yubikey would be not used against you?

Or have you done an independent audit of the Yubikey and satisfied
yourself that it's safe enough for your reasons?

Or is it a bit of both?

Or is it something completely different?

I'd love something as convenient as Yubikey but given how strictly I've
set up my workflow; and given that I want to make a habit of best practices
wherever possible; I cannot use it because it will introduce a weak
link.  I saw a few different devices that look auditable and like I
might be able to trust them more.  I'll find them in my notes and make a
post later.


On 11/12/2018 18:27, Arthur Ulfeldt wrote:
> using openkeychain with a yubikey nfc is totally solid, and convenient.
> I've been using them for years. they also plug into the bottom of the
> phones which some people prefer. 
> 
> On Tue, Dec 11, 2018, 10:14 AM Damien Goutte-Gattat via Gnupg-users
> <gnupg-users@gnupg.org> wrote:
> 
> On Tue, Dec 11, 2018 at 12:35:57PM +0100, Alessandro Vesely wrote:
> > Is it possible to get OpenPGP functionality on one of those
> > contactless cards?
> 
> I know of at least one NFC-enabled OpenPGP card, the "Fidesmo
> Card" [1].
> 
> I never tested it, but from what I remember when I delved into
> their site, the OpenPGP feature of that card is provided by the
> same JavaCard applet as the one used in the Yubikey NEO. Which
> means, among other things, that it does not implement version 3 of
> the OpenPGP Card specification (so, no ECC keys), and does not
> support RSA keys larger than 2048 bits.
> 
> Another provider of NFC-enabled OpenPGP cards was Sigilance [2],
> but they have since ceased all operations. Their cards were also
> based on the same JavaCard applet, with the same limitations.
> 
> I am not aware of an available implementation of the OpenPGP Card
> v3, with support for ECC keys and RSA 4096-bit, on a NFC-enabled
> support.
> 
> 
> - Damien
> 
> [1] http://shop.fidesmo.com/product/fidesmo-card
> [2] https://www.sigilance.com/ (warning: expired certificate)

-- 
OpenPGP key: EB28 0338 28B7 19DA DAB0  B193 D21D 996E 883B E5B9



Re: Keyserver access changes in GnuPG

2018-12-12 Thread Andrew Luke Nesbit
On 12/12/2018 21:43, Wiktor Kwapisiewicz wrote:
>> Should I issue and publish a revocation certificate?  Will this cause
>> problems considering that I'm still using the same master key?
> 
> I don't think revocation is necessary if the private subkeys are still safe.

Yes, they are still safe.  On thinking about it, issuing a revocation
certificate could be overkill.  It might even cause more confusion than
it is meant to solve.

> It may be just inconvenient for people that want to contact you / verify your
> signatures to see your subkeys expired and when they "gpg --refresh-keys" (as
> they always do) your key would still be expired with no apparent way of
> proceeding. If I saw something like that I'd think the key is abandoned.

Indeed, so would I.  But then there's also a pretty good chance that the
same person might write to me and ask, "Hey, what's up with your OpenPGP
keys?"  Then I could explain and point them to the right place.  Or, by
then, my website or my email signature might have enough information to
point them in the right direction before it even becomes an issue.

> If you had HTTPS on your site I'd recommend Web Key Directory as this downloads
> keys from your site *and* refreshes expired keys from your site too
> automatically.

I am coincidentally currently in the process of provisioning an Apache
server with HTTPS/443 enabled.  Not even HTTP/80 will be open, so HTTP
to HTTPS redirection won't be implemented either.

I've looked up Web Key Directory and had a quick browse, and this is
exactly the kind of thing I need.  Thank you!!

Kind regards,

Andrew
-- 
EB28 0338 28B7 19DA DAB0  B193 D21D 996E 883B E5B9





Re: Keyserver access changes in GnuPG

2018-12-12 Thread Andrew Luke Nesbit
On 12/12/2018 09:15, Wiktor Kwapisiewicz via Gnupg-users wrote:

>> Coming soon to Fedora30 (rawhide), gnupg v1.4.x renamed to gnupg1. Also 
>> dropping keyserver support at Werner's suggestion since upstream plans to 
>> disable that soon.
> 
> Source: https://infosec.exchange/@bcl/101195051788828345
> 
> Does anyone know anything about dropping keyserver support in GnuPG? That seems
> a little bit radical but maybe I've missed something...

I feel that I've missed a memo too.

I've never liked public keyservers either.  Or, rather, the way they are
normally used.

I especially dislike how beginners' tutorials encourage their users to
upload just-made keys to public keyservers before they (the users) have
even learned how to use GPG with any degree of fluency... or even
confirmed that their new keys are appropriately made or configured.

Can somebody please point me to a more authoritative source of this
keyserver news?  Did Werner himself write anything about this?  If it's
true, then I welcome it too.

On a highly related topic...

My subkeys expired on Monday, 10/12/2018.  I've updated my subkeys with
a new expiration date (in one year).  I'm considering NOT uploading the
new public keys to the keyservers.  Rather, I will distribute them using
other channels, such as downloading from my personal website or sneakernet.

Should I issue and publish a revocation certificate?  Will this cause
problems considering that I'm still using the same master key?

Kind regards,

Andrew
-- 
EB28 0338 28B7 19DA DAB0  B193 D21D 996E 883B E5B9





Re: Most secure GPG combination for Mac OSX

2018-11-07 Thread Andrew Luke Nesbit
Please excuse any previous attempt at posting this, which was sent
"From: " the wrong address.

On 07/11/2018 20:50, Robert J. Hansen wrote:

> GPGTools has some problems in that they can't see the source for
> Mail.app, and as a result they've sometimes been slower to patch things
> than Enigmail.  Enigmail has excellent relations with Thunderbird, which
> really helps when there's a serious bug which needs addressing.

So I may confirm my understanding...

-   Enigmail and GPGTools are orthogonal components re: Thunderbird.
Enigmail is something like the interface to the underlying GPG
implementation.  In many cases on Mac OS X, including mine, this
underlying implementation is indeed GPGTools (which I use not only for
Thunderbird but for most/all OpenPGP operations).

-   Also, you are not suggesting that the choice is Enigmail vs
GPGTools.  But rather that they have different levels of specificity re:
and integration into Thunderbird.

Are these notions correct?  Thanks!!

Kind regards,

Andrew
-- 
OpenPGP key: EB28 0338 28B7 19DA DAB0  B193 D21D 996E 883B E5B9



Re: Utilizing facts of homedir organization (was: Exact definition of token S/N field for --with-colons)

2018-09-23 Thread Andrew Luke Nesbit
On 23/09/2018 21:19, Daniel Kahn Gillmor wrote:
> On Sun 2018-09-23 18:18:13 +0200, Peter Lebbing wrote:
>> The intent of this mail is not to ask whether something works. This can
>> be easily verified. It's asking whether it is a supported way of doing
>> things. I hope I can get some guidance on this!
> 
> I appreciate that you're asking for clarification about what is the
> scope of GnuPG's "API", such as it is.  We do need more clarity here.
> 
> i don't have the authority to answer your questions about the contents
> of ~/.gnupg/private-keys-v1.d/, but i'd always thought that the
> internals of ~/.gnupg/ were *not* part of the "API", and generally
> should not be relied upon.  I hope that Werner or someone else more
> closely related to the project can clarify here.

This raises interesting questions regarding subkeys.

For example, earlier this month there was a short thread with "Subject:
Subkeys" where OP was asking about generating subkeys.  The advice was
to consult https://wiki.debian.org/Subkeys .  That page contains the
following instructions:

> [...] delete the file `$HOME/.gnupg/private-keys-v1.d/KEYGRIP.key`,
> where `KEYGRIP` is the "keygrip" of the master key which can be found by
> running `gpg2 --with-keygrip --list-key YOURMASTERKEYID.`"

All other sources of information for generating subkeys that I have seen
contain similar instructions.

This is using the contents of `~/.gnupg/private-keys-v1.d/` as an API.
If this is *not* part of the API, then what *is* the official
recommendation for generating subkeys?

Andrew
-- 
OpenPGP key: EB28 0338 28B7 19DA DAB0  B193 D21D 996E 883B E5B9
