Re: use text pinentry in the console

2022-02-22 Thread Keine Eile

It's not ncurses, but you can use 'gpg --pinentry-mode loopback' to get the 
text mode.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users


Translation: Key Management - BSI had send private key instead of public key

2021-11-18 Thread Keine Eile

**Translated by Google**

BSI sends private PGP keys

Public and private keys apparently also confused the BSI. It sent a private 
key, but with password protection.

An exclusive message from Hanno Böck will be published on November 15, 2021, 
2:30 p.m.

Is it a public key or a private key? Public key encryption is confusing.

The use of mail encryption by means of the OpenPGP standard is often considered 
to be complicated, which is one of the reasons why it has so far not been able 
to gain broad acceptance. This was apparently also confusing for the Federal 
Office for Information Security (BSI): It accidentally sent a private PGP key.

Someone had asked the BSI's contact e-mail address for product approval to send 
them a PGP key in order to be able to communicate with the authorities in 
encrypted form. In response, however, the person received a private PGP key 
rather than a public PGP key, as expected.

The BSI confirmed the incident to Golem.de: "In fact, a file was sent that contained 
a corresponding private key."

Luck in misfortune: a hopefully secure password

PGP-based encryption works with so-called public key cryptography. Different 
keys are used for encryption and decryption. The public key can be sent to 
communication partners who can use it to encrypt. You have to keep the private 
key to yourself, it is used for decryption.

Bad luck for the BSI: The private key sent was password-protected. The severity 
of the incident therefore depends on how secure the password is. 
Password-protected private keys can sometimes be cracked with a brute force 
attack, but this is only practicable with rather weak passwords.

The BSI informed Golem.de "that the mentioned password protection fulfills a very 
high level. In addition, attachments requiring protection are also encrypted with 
Chiasmus. The BSI is therefore currently assuming that there is no specific risk to 
information security."

BSI was still using keys months after the incident

At first, the incident was not taken seriously at the BSI. The person to whom 
the key was sent immediately informed the authorities. But the BSI continued to 
use the key for several months.

It was only after a request from Golem.de to the BSI's press office that the key was replaced. 
"A new PGP key was immediately generated for the mailbox mentioned," replied the BSI. 
"The associated public key and a revocation certificate for the old PGP key will now be 
successively distributed to the respective contact person."
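
The mix-up described in the article can be caught before a file leaves the sender, because an OpenPGP export is a sequence of packets and secret key material has its own packet tags. The following is an added example, not part of the original post or of GnuPG: it walks the packet headers as defined in RFC 4880 and rejects anything containing a secret key packet, whatever the armor label or file name says. The function names and the sample byte strings are constructed for illustration.

```python
import base64

SECRET_TAGS, PUBLIC_TAGS = {5, 7}, {6, 14}   # RFC 4880 4.3: secret / public (sub)key

def dearmor(text):
    """Decode one ASCII-armored block; armor headers end at the blank line."""
    lines = [l.strip() for l in text.strip().splitlines()]
    data = lines[lines.index("") + 1:]
    return base64.b64decode("".join(l for l in data if l[:1] not in ("-", "=")))

def packet_tags(data):
    """Walk the packet headers (RFC 4880 section 4.2); return the tag list."""
    tags, i = [], 0
    while i < len(data):
        first = data[i]; i += 1
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if first & 0x40:                        # new-format header
            tag, o1 = first & 0x3F, data[i]; i += 1
            if o1 < 192:
                length = o1
            elif o1 < 224:
                length = ((o1 - 192) << 8) + data[i] + 192; i += 1
            elif o1 == 255:
                length = int.from_bytes(data[i:i + 4], "big"); i += 4
            else:
                raise ValueError("partial body length in key material")
        else:                                   # old-format header
            tag, n = (first >> 2) & 0x0F, (1, 2, 4, 0)[first & 0x03]
            length = int.from_bytes(data[i:i + n], "big") if n else len(data) - i
            i += n
        tags.append(tag)
        i += length
    return tags

def safe_to_send(blob):
    """True only for public key material; header parse errors fail closed."""
    try:
        armored = blob.lstrip().startswith(b"-----BEGIN PGP")
        tags = set(packet_tags(dearmor(blob.decode("ascii")) if armored else blob))
    except (ValueError, IndexError):
        return False
    return bool(tags & PUBLIC_TAGS) and not tags & SECRET_TAGS

# Constructed samples: real header bytes, dummy bodies (no key material).
UID = b"\xb4\x0b" + b"constructed"                       # tag 13, old format
PUBLIC_SAMPLE = b"\x98\x0c" + b"\x04" * 12 + UID + b"\xb8\x0c" + b"\x04" * 12
SECRET_SAMPLE = b"\x95\x00\x14" + b"\x04" * 20 + UID + b"\xc7\x14" + b"\x04" * 20
MISLABELLED = (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + base64.b64encode(SECRET_SAMPLE)
               + b"\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

`MISLABELLED` carries secret key packets under a public key armor label, which is why the check reads the packets rather than the label.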



Re: Key Management - BSI had send private key instead of public key

2021-11-17 Thread Keine Eile

Actually, there is a post in the forum of the Golem article on how this really happened: 
t.ly/1n0V



Re: Key Management - BSI had send private key instead of public key

2021-11-17 Thread Keine Eile

On 17.11.21 at 00:17, Стефан Васильев via Gnupg-users wrote:
[...]

> My question is what can cause this, let's say if you
> have a busy and stressful day and would accidentally
> carry out such operation, as security professional
> knowing such a cryptographic tool for a long time,
> I assume.
>
> If this can happen to professionals then it would
> tell me that there is a design flaw in the software
> used.

[...]
The folks working at the BSI are, for the most part, not professional technicians; 
they are administrative officers. I don't believe there are a lot of people 
working there who know much about cryptography, or how command-line gnupg works.



Re: gpg: Note: secret key [...] expired...

2021-11-10 Thread Keine Eile

Thanks for pointing that out


As far as I could see in the source code, this is always printed when you
decrypt something that was encrypted for this key.[...]

Sometimes it is so simple, just my own stupidity.



gpg: Note: secret key [...] expired...

2021-11-09 Thread Keine Eile

Hi list members,

I have a revoked private key in my key ring, which I replaced with a new one. I 
really do not want to discard this old key, for what I think are good reasons. Is 
there a way to let gpg ignore this key or suppress this¹ notification?

1)

gpg: Note: secret key [KeyID] expired at [Some day in September]
gpg: Note: key has been revoked

