GPG and Mailinglists using IBCPRE

2016-07-16 Thread Martin Konold
Hi,

what is currently the recommended setup for running encrypted mailing lists.

I am thinking about some IBCPRE mechanism. See also https://en.wikipedia.org/wiki/Identity-based_conditional_proxy_re-encryption

I think this would allow the mailing list software to act as a proxy that re-encrypts 
without directly having the private key of the mailing list on the mailing 
list server.

What do you think about IBCPRE.

Regards
--martin
Kind regards
--martin konold

-- 
Dipl.-Physiker Martin Konold

e r f r a k o n
Erlewein, Frank, Konold & Partner - Consulting Engineers and Physicists
Register court: Amtsgericht Stuttgart PR 126
Registered office: Adolfstraße 23, 70469 Stuttgart
phone: 0711 67400963
fax: 0711 67400959
email: martin.kon...@erfrakon.de
http://www.erfrakon.de



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
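To make the "proxy without the list's private key" idea behind the question concrete, here is an added example (not code from the post, nor from any IBCPRE library). It implements the classic ElGamal-based proxy re-encryption pattern (BBS98): the list owner and a subscriber jointly derive a re-encryption key rk = a * b^-1 mod q and hand only rk to the list server, which converts a ciphertext addressed to the list into one the subscriber can open. It is deliberately not identity-based and has no condition tag, so it illustrates the proxy concept only, not IBCPRE itself. The group parameters (safe prime p = 1019, q = 509, generator 4) are a constructed toy group; the session element hashed into the body key stands in for the session key a real mail encryption would wrap. Requires Python 3.8 or newer for pow(x, -1, m).

```python
"""Toy proxy re-encryption for an encrypted mailing list (illustrative only)."""
import hashlib
import secrets

# Constructed toy group: safe prime p = 2q + 1, work in the order-q subgroup.
P = 1019            # prime
Q = (P - 1) // 2    # 509, prime
G = 4               # 4 = 2^2 is a quadratic residue mod p, hence has order q


def _rand_exp():
    """Uniform exponent in 1..q-1."""
    return secrets.randbelow(Q - 1) + 1


def keygen():
    """Return (secret, public) with public = g^secret mod p."""
    sk = _rand_exp()
    return sk, pow(G, sk, P)


def random_session_element():
    """Random subgroup element; the sender hashes it into the body key."""
    return pow(G, _rand_exp(), P)


def encrypt(pk, m):
    """ElGamal encryption of subgroup element m under pk: (g^r, m * pk^r)."""
    r = _rand_exp()
    return pow(G, r, P), (m * pow(pk, r, P)) % P


def decrypt(sk, ct):
    """Recover m from (c1, c2) as c2 / c1^sk."""
    c1, c2 = ct
    return (c2 * pow(pow(c1, sk, P), -1, P)) % P


def reencryption_key(sk_from, sk_to):
    """rk = sk_from * sk_to^-1 mod q. Computed off the server by the two
    key holders; the server only ever stores rk (bidirectional scheme)."""
    return (sk_from * pow(sk_to, -1, Q)) % Q


def reencrypt(rk, ct):
    """Proxy step: c1 -> c1^rk = g^(r * a / b); c2 is passed through unchanged."""
    c1, c2 = ct
    return pow(c1, rk, P), c2


def body_key(session_element):
    """Derive the symmetric key for the mail body from the session element."""
    return hashlib.sha256(session_element.to_bytes(2, "big")).digest()


def mailing_list_roundtrip():
    """Sender -> list address -> server re-encrypts -> subscriber decrypts."""
    list_sk, list_pk = keygen()      # the list's key pair; list_sk stays off-server
    sub_sk, sub_pk = keygen()        # one subscriber
    rk = reencryption_key(list_sk, sub_sk)
    session = random_session_element()
    ct_list = encrypt(list_pk, session)   # what any sender produces for the list
    ct_sub = reencrypt(rk, ct_list)       # what the list server produces, holding only rk
    return {
        "list_decrypts": decrypt(list_sk, ct_list) == session,
        "subscriber_decrypts": decrypt(sub_sk, ct_sub) == session,
        "same_body_key": body_key(decrypt(sub_sk, ct_sub)) == body_key(session),
    }


if __name__ == "__main__":
    print(mailing_list_roundtrip())
```

Two caveats a practitioner should keep in mind. First, the scheme is bidirectional: rk together with the subscriber's secret b yields the list secret a, so a subscriber colluding with the server recovers the list key; unidirectional constructions (and the identity-based conditional variant the question asks about) exist precisely to remove that. Second, the server can re-encrypt any list ciphertext for anyone it holds an rk for, so the subscription list is still the access-control boundary.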


Re: Single GPG key and multiple yubikeys

2016-02-27 Thread Martin Konold
On Friday, 26 February 2016, 12:43:54 CET, Kristian Fiskerstrand wrote:

Hi Kristian,

> > the two cards with the gpg --homedir commandline option.

> A workaround currently could be to remove the specific keygrip files
> from private-keys-v1.d (for gnupg 2.1) for the known stubs and doing a
> gpg-connect-agent learn /bye or gpg --card-status during e.g. smartcard
> attachment in an udev rule etc.

This looks really good, though it does not allow having multiple smartcards 
connected simultaneously.

It is my understanding that 'gpg-connect-agent learn /bye' cannot deal with 
multiple cards visible simultaneously via scdaemon and pcscd.

Did I overlook something?

I would therefore like to be able to choose the smartcard (maybe indirectly 
via key ID), as I am already able to do today on the command line using 
keyrings.

Why should the commandline user interface of gpg be different if the private 
keys reside on smartcards compared to a keyring in the filesystem?

What do you think?

Kind Regards
--martin konold



Re: gnupg-pkcs11 status & future

2016-02-27 Thread Martin Konold
On Friday, 26 February 2016, 15:18:55 CET, Werner Koch wrote:

Hi,

> In any case you need to load the keys onto the card and don't have the
> card create the key.  Smartcards may break and then you would not be
> able to decrypt anything if you don't have an offline backup the key.

Please allow me to mention that many smartcards disallow cleartext export of 
keys generated on the card while also not allowing the import of cleartext 
private keys.

But this is not a backup issue, as most cards also allow for n-of-m threshold 
schemes and DKEK/key-wrapping, e.g. http://www.smartcard-hsm.com/2014/09/25/Desaster_Recovery_for_your_SmartCard-HSM.html

IMHO there are additional legitimate use cases where having multiple private 
keys for decryption would be more than useful. Today I circumvent the limit by 
using multiple OpenPGP Cards and multiple GNUPGHOME directories, each configured 
for a different USB device (scdaemon.conf).

While IMHO PKCS#11 is ugly, it really is a tool to gain interoperability while 
cleaning up a lot of mess (many people are confused by the current 
situation) and to make encryption available to the masses.

Kind Regards
--martin konold



Re: Single GPG key and multiple yubikeys

2016-02-26 Thread Martin Konold
On Thursday, 25 February 2016, 15:56:32 CET, Peter Lebbing wrote:

Hi,

> Note that it is very impractical to regularly use two smartcards on the
> same computer because of all this. You should probably stick to using a
> single smartcard on any single computer.

In case there is an urgent need to use two smartcards on the same computer and 
account, I recommend making use of scdaemon.conf and separate GNUPGHOME 
directories. You may then differentiate between the two cards with the gpg 
--homedir commandline option.

Kind Regards
--martin konold

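The per-card GNUPGHOME layout recommended above, and referred to again in the "gnupg-pkcs11 status & future" reply (multiple OpenPGP Cards, one GNUPGHOME per USB device via scdaemon.conf), as an added example that is not code from either post or from GnuPG. Each card gets its own home directory whose scdaemon.conf pins that home's scdaemon to one reader with the real `reader-port` option, and gpg is pointed at the directory with `--homedir`. The reader names are constructed placeholders: take the real strings from `pcsc_scan` on your machine. Running the returned `gpg --homedir ... --card-status` command against a home also (re)creates the key stubs for that card in that home's private-keys-v1.d.

```python
"""Two OpenPGP cards on one account via per-card GNUPGHOME directories."""
import os
import tempfile

# scdaemon.conf content for one home: bind its scdaemon to a single reader.
# reader-port accepts a reader number or (part of) the PC/SC reader name.
SCDAEMON_CONF = "reader-port {reader}\n"

# Constructed reader names in the form PC/SC reports them (placeholders).
CARDS = {
    "work":   "Nitrokey Nitrokey Pro (0000000000000) 00 00",
    "backup": "Yubico Yubikey 4 OTP+U2F+CCID 00 00",
}


def make_card_home(base_dir, label, reader):
    """Create <base_dir>/gnupghome-<label> (mode 0700) with a pinned scdaemon.conf."""
    home = os.path.join(base_dir, f"gnupghome-{label}")
    os.makedirs(home, mode=0o700, exist_ok=True)
    os.chmod(home, 0o700)              # gpg warns about, and may ignore, unsafe homes
    conf_path = os.path.join(home, "scdaemon.conf")
    with open(conf_path, "w", encoding="utf-8") as fh:
        fh.write(SCDAEMON_CONF.format(reader=reader))
    os.chmod(conf_path, 0o600)
    return home


def gpg_argv(home, *gpg_args):
    """argv for a gpg call bound to one card's home. --homedir selects that home's
    own gpg-agent/scdaemon pair instead of the default ~/.gnupg one."""
    return ["gpg", "--homedir", home, *gpg_args]


def inspect_home(home):
    """Return what an admin would check: directory mode and the pinned reader."""
    with open(os.path.join(home, "scdaemon.conf"), encoding="utf-8") as fh:
        conf = fh.read()
    reader = None
    for line in conf.splitlines():
        if line.startswith("reader-port "):
            reader = line[len("reader-port "):].strip()
    return {"mode": os.stat(home).st_mode & 0o777, "reader": reader}


def setup_card_homes(base_dir=None, cards=CARDS):
    """Create one home per card. Returns ({label: home}, {label: argv}) where each
    argv runs `gpg --homedir <home> --card-status` for that card."""
    base_dir = base_dir or tempfile.mkdtemp(prefix="gnupg-cards-")
    homes = {label: make_card_home(base_dir, label, reader)
             for label, reader in cards.items()}
    argvs = {label: gpg_argv(home, "--card-status") for label, home in homes.items()}
    return homes, argvs


if __name__ == "__main__":
    import shlex
    homes, argvs = setup_card_homes()
    for label, argv in argvs.items():
        print(f"{label}: {shlex.join(argv)}   # reader: {inspect_home(homes[label])['reader']}")
```

Day-to-day use is then `gpg --homedir <home> --decrypt ...` for whichever card you want; `gpgconf --homedir <home> --kill scdaemon` releases a reader that one home's scdaemon still has open. Keep in mind that each home has its own public keyring and trust database, so correspondents' keys have to be imported into every home that needs them.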


Re: Decrypt without importing key to keyring

2016-02-26 Thread Martin Konold
On Thursday, 25 February 2016, 08:35:28 CET, Werner Koch wrote:

Hi,

> On Wed, 24 Feb 2016 11:34, thecisso...@hotmail.fr said:
> > Hi, is there a way to use a private key (PGP) to decrypt a message
> > without adding it to the keyring.

There is of course the option to leave the private key exclusively on an 
OpenPGP Smartcard. This only requires a stub in the keyring, which can be 
recreated on demand.

Kind Regards
--martin konold



Re: Nitrokey HSM and GPG

2016-02-24 Thread Martin Konold
On Wednesday, 24 February 2016, 20:12:13 CET, Andreas Schwier wrote:

Dear Andreas,

> the Nitrokey HSM has an embedded SmartCard-HSM which is only supported
> by gpgsm. Unfortunately you can not use a key on the device as gpg key,
> but only for S/MIME. GPG only supports cards that conform to the OpenPGP
> Card Specification, which the SmartCard-HSM doesn't.

Thanks for enlightening me. 

I assume if I simply want to encrypt / decrypt files gpgsm should be 
sufficient?!

I read the man page but still fail using the Nitrokey HSM with gpgsm.

Can you provide me a hint how to instruct gpgsm to use a specific SmartCard-HSM 
device?

I successfully used openssl with this card but fail with gpgsm so far, using

engine -t dynamic -pre SO_PATH:/usr/lib64/engines/libpkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib64/opensc-pkcs11.so

req -engine pkcs11 -new -key 0:10 -keyform engine -out cert.pem -text -x509 -days 3640

Kind Regards
--martin konold



Nitrokey HSM and GPG

2016-02-24 Thread Martin Konold
Hi,

I am successfully using Nitrokey Pro with GnuPG 2.1.11.

On the other hand I have a need to support more than 3 RSA subkeys and 
therefore I am testing with the Nitrokey HSM, which is supposed to be able to 
deal with up to 48 RSA-2048 keys.

On an up-to-date openSUSE I verified that the Nitrokey Pro fully works as 
expected, but the Nitrokey HSM fails with

gpg2 --card-status
gpg: selecting openpgp failed: Card error
gpg: OpenPGP card not available: Card error

Kind Regards
--martin konold
