Re: out-of-key UIDs [was: ADK's]

2023-05-05 Thread Ineiev via Gnupg-users
On Thu, May 04, 2023 at 11:01:36AM +0100, Andrew Gallagher wrote:
> > I tried something like this with my MUA; I believe that doesn't work:
> > it first looks for appropriate keys, probably using --list-keys;
> > in fact, it insists on choosing a single key when multiple ones
> > are available.
> 
> Which MUA is this?

Mutt.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: out-of-key UIDs [was: ADK's]

2023-05-04 Thread Ineiev via Gnupg-users
On Thu, May 04, 2023 at 09:52:54AM +0100, Andrew Gallagher wrote:
> > $ gpg --group fn...@test.eu=BD9D4DEE7B2FF1CBEF2EE0C4E0ACD3E0CBE7874A 
> > --list-keys fn...@test.eu
> > gpg: error reading key: No public key
...
> --list-keys doesn't expand groups. Try this instead:
> 
> 
> andrewg@serenity % gpg --group 
> fn...@test.eu=BD9D4DEE7B2FF1CBEF2EE0C4E0ACD3E0CBE7874A -r fn...@test.eu -e < 
> /etc/shells > shells.gpg
> gpg: 0x40F9B9601900E974: There is no assurance this key belongs to the named 
> user

I tried something like this with my MUA; I believe that doesn't work:
it first looks for appropriate keys, probably using --list-keys;
in fact, it insists on choosing a single key when multiple ones
are available.

...
> It is NOT certain that the key belongs to the person named
> in the user ID.  If you *really* know what you are doing,
> you may answer the next question with yes.
> 
> Use this key anyway? (y/N) y

This is another issue ADK might handle differently---if gpg skipped
validation of the donor keys (where ADK subkeys come from),
I wouldn't have to certify any UIDs in it.


Re: out-of-key UIDs [was: ADK's]

2023-05-03 Thread Ineiev via Gnupg-users
On Mon, May 01, 2023 at 03:16:12PM +0100, Andrew Gallagher wrote:
> On 1 May 2023, at 12:40, Ineiev via Gnupg-users  wrote:
> > now, I generate a key
> > for y...@guan.edu locally and add 0123456789ABCDEF as an ADK (BTW,
> > will GnuPG complain if the only encryption-capable subkey is ADK?
>
> Or you could just use an alias…?

I don't think I fully understand what you mean.

$ gpg --group fn...@test.eu=BD9D4DEE7B2FF1CBEF2EE0C4E0ACD3E0CBE7874A 
--list-keys fn...@test.eu
gpg: error reading key: No public key
$ gpg --list-keys BD9D4DEE7B2FF1CBEF2EE0C4E0ACD3E0CBE7874A | head -n1
pub   rsa2048 2014-10-21 [SC] [expires: 2024-10-17]
$ gpg --version | head -n2
gpg (GnuPG) 2.2.41
libgcrypt 1.8.10


Re: ADK's

2023-05-01 Thread Ineiev via Gnupg-users
On Sun, Apr 30, 2023 at 10:52:10PM -0500, Jacob Bachmeyer via Gnupg-users wrote:
> 
> That is an almost prototypical example.  In that case, the "archive" key
> would actually be the main subkey, and the list recipients' personal keys
> would be attached as ADKs.
> 
> Another example:  suppose I have multiple hardware tokens and wish to be
> able to use them interchangeably, but also want maximal security with this
> arrangement, so have generated an encryption keypair on each token.  I list
> all of the per-token subkeys as ADKs.  In this case, the ADKs really would
> all be /my/ keys.  Again, I would have to publish a new certificate every
> time my collection of live tokens changes, which may or may not leak useful
> information to an adversary.

It looks like the feature will allow for quite unexpected (if not
unintended) uses.

Another potential use is: I have reasons to believe that the holder
of the key 0123456789ABCDEF controls the email y...@guan.edu, but that
key has no user ID with such an email, and I couldn't validate any other
emails in that key. When I'm writing to that email, my MUA will look
for keys with user IDs that match it. Now, I generate a key
for y...@guan.edu locally and add 0123456789ABCDEF as an ADK (BTW,
will GnuPG complain if the only encryption-capable subkey is an ADK?
Can I make all self-signatures local in order to avoid sending
the key to keyservers?)


Re: ADK's

2023-04-30 Thread Ineiev via Gnupg-users
On Sun, Apr 30, 2023 at 05:41:31PM +0200, Johan Wevers via Gnupg-users wrote:
> 
> All I want is an option to ignore adk's - and it should not claim
> anything else than that.

Can't you remove ADK subkeys from your keyring?


Re: Key Management - BSI had send private key instead of public key

2021-11-18 Thread Ineiev via Gnupg-users
On Thu, Nov 18, 2021 at 10:48:55AM +0100, Rainer Fiebig via Gnupg-users wrote:
> That's kind of a misconception: as English is a western germanic
> language it's not that German made its way into English but English is
> *based* on German.

To be precise, not on German---it's based on the common ancestor.
Both English and German deviate considerably from it.


Re: make check -> libgcrypt is too old

2021-11-10 Thread Ineiev via Gnupg-users
On Wed, Nov 10, 2021 at 08:13:18AM +0100, Werner Koch via Gnupg-users wrote:
>
> Not a good idea.  That may break things.  It is better to install
> libgcrypt and the other libs to /user/local/lib and then set
> LD_LIBRARY_PATH accordingly (or fix search order in ld.so.conf).

make install usually says,

> Libraries have been installed in:
...
> If you ever happen to want to link against installed libraries
> in a given directory, LIBDIR, you must either use libtool, and
> specify the full pathname of the library, or use the `-LLIBDIR'
> flag during linking and do at least one of the following:
>- add LIBDIR to the `LD_LIBRARY_PATH' environment variable
>  during execution
>- add LIBDIR to the `LD_RUN_PATH' environment variable
>  during linking
>- use the `-Wl,-rpath -Wl,LIBDIR' linker flag
>- have your system administrator add LIBDIR to `/etc/ld.so.conf'
>
> See any operating system documentation about shared libraries for
> more information, such as the ld(1) and ld.so(8) manual pages.


Re: [SOLVED] gpg doesn't import secret keys for me any more

2019-01-15 Thread Ineiev
On Mon, Jan 14, 2019 at 03:06:22PM -0500, Daniel Kahn Gillmor wrote:
> On Sat 2019-01-12 14:25:02 -0500, Ineiev wrote:
> > On Sat, Jan 12, 2019 at 02:12:47PM -0500, Ineiev wrote:
> >> dti@manas:~$ gpg --home h1 --import  >
> > Sorry, this is what works:
> >
> > gpg --home h1 --import sec.asc
> 
> to be clear, i think the issue that you were having is that both
> commands use pinentry-tty, but the former command has stdin coming from
> the redirected file, not the tty.

Indeed, with pinentry-gtk-2, it works both ways.

> fwiw, if you use --batch with --import, there will be no attempt to use
> pinentry, ever, which should make both commands work without complaint.

Curiously, when I --export-secret-keys with --batch, it still requests
the password.


gpg doesn't import secret keys for me any more

2019-01-12 Thread Ineiev
Hello,

Does this reproduce for anyone else?

dti@manas:~$ uname -a
Linux manas 4.4.0-141-generic #167+8.0trisquel2 SMP Tue Jan 1 12:28:32 UTC 2019 
x86_64 x86_64 x86_64 GNU/Linux
dti@manas:~$ gpg --version
gpg (GnuPG) 2.2.12
libgcrypt 1.8.4
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/dti/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB
dti@manas:~$ pinentry-tty --version
pinentry-tty (pinentry) 1.1.0
Copyright (C) 2016 g10 Code GmbH
License GPLv2+: GNU GPL version 2 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
dti@manas:~$ rm -fr h0 h1;mkdir h0 h1;chmod og= h0 h1;echo "pinentry-program 
$prefix/bin/pinentry-tty" >h0/gpg-agent.conf;cp h{0,1}/gpg-agent.conf;gpg 
--home h0 --list-keys;gpg --home h1 --list-keys
gpg: keybox '/home/dti/h0/pubring.kbx' created
gpg: /home/dti/h0/trustdb.gpg: trustdb created
gpg: keybox '/home/dti/h1/pubring.kbx' created
gpg: /home/dti/h1/trustdb.gpg: trustdb created
dti@manas:~$ gpg --home h0 --quick-gen-key 'Вася Пушкин '
About to create a key for:
"Вася Пушкин "

Continue? (Y/n) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
Please enter the passphrase to
protect your new key
Passphrase:
Repeat:
Warning: You have entered an insecure passphrase.

A passphrase should be at least 8 characters long.
A passphrase should contain at least 1 digit or
special character.
  Take this one anyway
  Enter new passphrase
[te]? t
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key A81CA20F9A70E47B marked as ultimately trusted
gpg: directory '/home/dti/h0/openpgp-revocs.d' created
gpg: revocation certificate stored as 
'/home/dti/h0/openpgp-revocs.d/94DCB4A36F4EEDC1A68E95ABA81CA20F9A70E47B.rev'
public and secret key created and signed.

pub   rsa2048 2019-01-12 [SC] [expires: 2021-01-11]
  94DCB4A36F4EEDC1A68E95ABA81CA20F9A70E47B
uid  Вася Пушкин 
sub   rsa2048 2019-01-12 [E]

dti@manas:~$ gpg --home h0 -a --export >pub.asc
dti@manas:~$ gpg --home h0 -a --export-secret-key >sec.asc
Please enter the passphrase to export the OpenPGP secret key:
"Вася Пушкин "
2048-bit RSA key, ID A81CA20F9A70E47B,
created 2019-01-12.

Passphrase:
dti@manas:~$ gpg --home h1 --import " imported
gpg: Total number processed: 1
gpg:   imported: 1
dti@manas:~$ gpg --home h1 --import " not changed
gpg: key A81CA20F9A70E47B/A81CA20F9A70E47B: error sending to agent: Invalid IPC 
response
gpg: error building skey array: Invalid IPC response
gpg: Total number processed: 1
gpg:  unchanged: 1
gpg:   secret keys read: 1


Re: [SOLVED] gpg doesn't import secret keys for me any more

2019-01-12 Thread Ineiev
On Sat, Jan 12, 2019 at 02:12:47PM -0500, Ineiev wrote:
> dti@manas:~$ gpg --home h1 --import 

Re: [Announce] GnuPG 2.1.23 released

2017-08-10 Thread Ineiev
Hello,

On Wed, Aug 09, 2017 at 05:12:58PM +0200, Werner Koch wrote:
> Internationalization
> 
>
> This version of GnuPG has support for 26 languages with Chinese, Czech,
> French, German, Japanese, Norwegian, Russian, and Ukrainian being almost
> completely translated.  We are now in string freeze for 2.2 and updated
> translations are very welcome.

I submitted a Russian update on 2017-08-05 to gnupg-i...@gnupg.org,
but it looks like it was ignored; did I do anything wrong?


Re: Don't send encrypted messages to random users

2017-05-29 Thread Ineiev
On Mon, May 29, 2017 at 11:52:27PM +, Konstantin Gribov wrote:
> 
> As an example, many open source devs are publishing their keys which they
> use for signing software releases but rarely for encrypted communication.

On the other hand, they could publish certificates without encrypting
subkeys.


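As an added example, not code from either poster or from GnuPG itself: before encrypting to a certificate that an address lookup returned, a script or MUA can check whether the certificate actually carries a usable encryption subkey by parsing the output of gpg --list-keys --with-colons (field 2 is validity, field 7 the expiry as epoch seconds, field 12 the capability letters, as documented in GnuPG's doc/DETAILS). The colon-format records below are constructed samples with placeholder key IDs, and the function names are mine.

```python
import subprocess
import time

# Validity letters (field 2) that rule a key out, per GnuPG doc/DETAILS:
# r = revoked, e = expired, d = disabled, i = invalid, n = not valid.
UNUSABLE_VALIDITY = set("redin")


def parse_colons(text):
    """Split gpg --with-colons output into lists of fields, one per record."""
    return [line.split(":") for line in text.splitlines() if line.strip()]


def encryption_keys(colons_text, now=None):
    """Key IDs of primary keys or subkeys usable for encryption right now.

    A record qualifies when it is a pub/sub record, its capability field
    (index 11) contains lowercase 'e' (uppercase letters on the primary key
    describe the whole certificate, not that key), its validity (index 1)
    is not in UNUSABLE_VALIDITY, and its expiry (index 6, epoch seconds,
    empty meaning never) has not passed.
    """
    now = time.time() if now is None else now
    usable = []
    for rec in parse_colons(colons_text):
        if len(rec) < 12 or rec[0] not in ("pub", "sub"):
            continue
        validity, keyid, expires, caps = rec[1], rec[4], rec[6], rec[11]
        if "e" not in caps or validity in UNUSABLE_VALIDITY:
            continue
        if expires and float(expires) < now:
            continue
        usable.append(keyid)
    return usable


def can_encrypt_to(colons_text, now=None):
    """True if at least one encryption key in the certificate is usable."""
    return bool(encryption_keys(colons_text, now))


def list_keys_colons(recipient):
    """Run gpg for a real lookup (needs gpg installed; not used by the samples)."""
    out = subprocess.run(
        ["gpg", "--batch", "--with-colons", "--list-keys", recipient],
        capture_output=True, text=True, check=True,
    )
    return out.stdout


# Constructed samples (placeholder key IDs, not real keys): a release-signing
# certificate with a signing-only subkey, and a normal certificate whose
# current encryption subkey is fine but whose older one is revoked.
SIGNING_ONLY = """\
pub:u:4096:1:0000000000000001:1500000000:::u:::scSC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:u::::1500000000::0123456789ABCDEF0123456789ABCDEF01234567::Release Signer <releases@example.org>::::::::::0:
sub:u:4096:1:0000000000000002:1500000000::::::s::::::23:
"""

NORMAL = """\
pub:f:2048:1:0000000000000003:1500000000:4102444800::f:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000003:
uid:f::::1500000000::0123456789ABCDEF0123456789ABCDEF01234568::Alice <alice@example.org>::::::::::0:
sub:f:2048:1:0000000000000004:1500000000:4102444800:::::e::::::23:
sub:r:2048:1:0000000000000005:1400000000::::::e::::::23:
"""

if __name__ == "__main__":
    for label, sample in (("signing-only", SIGNING_ONLY), ("normal", NORMAL)):
        print(label, "->", encryption_keys(sample) or "no usable encryption key")
```

The check deliberately looks at the lowercase capability letters of each pub/sub record rather than the uppercase summary on the primary key, so a certificate whose only encryption subkey is revoked or expired is reported as not encryptable even though it once was.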


Re: "general purpose OS is fundamentally inadequate for trusted operations"

2017-04-24 Thread Ineiev
On Mon, Apr 24, 2017 at 07:50:15AM +, listo factor via Gnupg-users wrote:
> "...the general purpose
> operating system is fundamentally inadequate for trusted
> operations."
...
> The use of smartcards is to me only a welcome sign that a
> growing segment of gpg users appears to agree with that
> proposition.

They may have different reasons to use smartcards. For instance,
I considered using them because it seemed more convenient
to enter a 6-digit PIN than a 40+ character
passphrase, rather than because I thought it would be
inherently more secure.


Re: [admin] postings from non-subscribers

2016-11-08 Thread Ineiev
On Mon, Nov 07, 2016 at 03:19:41PM -0600, Anthony Papillion wrote:
> 
> Most mailing list I belong to would never do this.

Just for the record: English-speaking Savannah mailing lists do this
unless the owners explicitly request otherwise.


Re: Terminology - certificate or key ?

2016-09-30 Thread Ineiev
On Fri, Sep 30, 2016 at 04:22:39PM +0200, Werner Koch wrote:
> 
> The root of the problem might be the concept of "public key" and
> "private key".  You need to educate users that these are very different
> things but still belong together.

There is one more: "secret key".


Re: Translate to dutch

2016-04-01 Thread Ineiev
On Sat, Apr 02, 2016 at 12:33:59AM +0200, Julian H. Stacey wrote:
> & as gpg runs on various bsd & linux etc, any work done on translating generic
> gpg to Dutch could be available via OS dependent ports wrappers,
> in case of freebsd:
>   http://www.freebsd.org/cgi/ports.cgi?query=gnupg=all
>   http://svnweb.freebsd.org/ports/head/security/gnupg/
> & I assume linux has similar.

I wonder why to do the same work multiple times (once for every OS)
rather than to maintain a single translation upstream.


Re: Minor FAQ updates

2016-02-10 Thread Ineiev
On Sat, Feb 06, 2016 at 06:51:35AM -0500, Robert J. Hansen wrote:
> Ineiev of the Free Software Foundation sent me some typos

I feel I ought to disclaim: I do volunteer for the GNU project
(including some unimpressive but prominent tasks) and take part
in a few of the FSF's campaigns; however, technically I'm only an FSF volunteer
like you.


Re: FAQ maintenance

2016-02-03 Thread Ineiev
On Wed, Feb 03, 2016 at 03:12:59PM -0500, Robert J. Hansen wrote:
> Time for my semi-regular FAQ perusing and updating.

Gorgeous!

> I plan on updating
> the FAQ to include a link to the FSF's email security guide,

Out of curiosity - have you reviewed the latest version of ESD?


Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'

2015-12-25 Thread Ineiev
On Fri, Dec 25, 2015 at 10:57:06AM +0100, Peter Lebbing wrote:
> On 25/12/15 06:19, Ineiev wrote:
> Let's assume one in four words in the dictionary fits the grammar. I
> hope this concurs broadly with what you assumed. Rather than pick four
> random words of the full list, and then pick one of those, you pick one
> out of a quarter of the wordlist size.

Agreed.

> So that's 2 bits per word you're losing, a lot more than if you were
> free to pick one of four random words.

6/4 is more than 13 bits; 2 bits is not a lot compared to 13,
but the result may be much easier to remember.

> And there is a lot more structure
> to the sentence given by Matthias than just its grammatical soundness.

I see; it's a different issue.

Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'

2015-12-24 Thread Ineiev
Hello,

On Thu, Dec 24, 2015 at 05:50:47PM +0100, Peter Lebbing wrote:
>
> > Und allein dieser Mangel und nichts anderes führte zum Tod.
>
> This is grammatical. There is a subject (or two), a verb, an.. well
> whatever those things are like "zum Tod", I don't often discuss grammar
> in any other language than Dutch so I forgot the technical terms.
> Furthermore, the phrase actually makes sense semantically. I don't know
> if somebody ever said or wrote it; that would make it even worse, since
> a passphrase cracker could try sentences from a corpus of likely texts
> it has scoured from the internet.
>
> It has grammar, it has semantics, it has a proper meaning. All these
> things go at the expense of its entropy.

I assume the amount of entropy is what really matters. For instance,
if at every step you are free to choose any of 4 random words
taken from a 6-word dictionary, and you may put it in a grammatically
correct form[*], then you must get a certain entropy per step.

* Depending on the language, there may be more than one correct form
(past, future, plural, first or second person, modified with
a preposition...), but this randomness is hard to ensure.

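As an added example (not text or code from either participant in this exchange, nor from the GnuPG FAQ), the following Python makes the entropy accounting in the two messages above concrete. It draws passphrase words with a CSPRNG either uniformly from a whole word list or one part-of-speech tag at a time from a grammar template, and computes the bits each scheme yields; the loss per slot when only a fraction of the list fits the grammar is -log2(fraction), which gives the 2 bits for "one in four" quoted above. The word list, tags and template are constructed toys, and the function names are mine.

```python
import math
import secrets

# Constructed toy word list tagged by part of speech. A real diceware-style
# list has thousands of words; these sizes are small so the arithmetic can
# be followed by hand (powers of two give whole-number bits).
WORDS = {
    "DET": ["the", "a", "every", "some"],
    "ADJ": ["correct", "red", "quiet", "rusty", "tall", "green", "wet", "old"],
    "NOUN": ["horse", "battery", "staple", "river", "lamp", "engine", "cloud",
             "key", "door", "cat", "box", "paper", "road", "moon", "bread", "chair"],
    "VERB": ["eats", "finds", "moves", "hides", "paints", "drops", "wants", "hears"],
}
ALL_WORDS = [w for words in WORDS.values() for w in words]

# A grammar template: one part-of-speech tag per slot.
TEMPLATE = ["DET", "ADJ", "NOUN", "VERB", "DET", "NOUN"]


def free_choice_bits(n_slots):
    """Entropy of n_slots words, each drawn uniformly from the whole list."""
    return n_slots * math.log2(len(ALL_WORDS))


def template_bits(template):
    """Entropy when slot i is drawn uniformly from the words of tag template[i]."""
    return sum(math.log2(len(WORDS[tag])) for tag in template)


def bits_lost_per_slot(fraction_fitting):
    """Bits lost in a slot when only this fraction of the list fits its grammar."""
    return -math.log2(fraction_fitting)


def generate(template, choice=secrets.choice):
    """Draw a grammatical passphrase; secrets.choice is a CSPRNG by default."""
    return " ".join(choice(WORDS[tag]) for tag in template)


def tags_of(phrase, template):
    """Check that each word of a generated phrase came from its slot's tag list."""
    words = phrase.split(" ")
    return len(words) == len(template) and all(
        w in WORDS[tag] for w, tag in zip(words, template))


if __name__ == "__main__":
    print(generate(TEMPLATE))
    print("grammatical:", round(template_bits(TEMPLATE), 2), "bits")
    print("free choice:", round(free_choice_bits(len(TEMPLATE)), 2), "bits")
    print("loss when 1 in 4 fits:", bits_lost_per_slot(1 / 4), "bits per slot")
```

With this toy list the grammatical template yields 18 bits against about 31 bits for six free draws from all 36 words; the gap per slot is exactly log2 of (list size / words fitting the slot), so it shrinks as the tag classes get larger relative to the list, which is the case Peter's "one in four" figure describes.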


Re: GPG API: Open Crypto Engine

2014-11-17 Thread Ineiev
On Mon, Nov 17, 2014 at 02:55:50PM +0100, Werner Koch wrote:
> On Mon, 17 Nov 2014 13:33, n...@goodcrypto.com said:
>
> > GoodCrypto warning: Anyone could have read this message. Use encryption, it
> > works.
>
> That does not make any sense on a public mailing list.  We write here
> for the public - it is non-encrypted for a purpose.

Would it make any sense on a private mailing list?
