Re: FAQ and GNU

2017-10-10 Thread ankostis 
On 10 October 2017 at 20:46, Leo Gaspard  wrote:
> On 10/10/2017 06:45 PM, Daniel Kahn Gillmor wrote:> (where is the FAQ
> maintained, btw?  how is one expected to submit
>> patches?)
>
> I based my quotes on https://dev.gnupg.org/source/gnupg-doc.git ,
> directory web/faq, running `git grep Linux`.
>
>> I suspect that many minimal Linux-based operating systems (particularly
>> one that uses sbase instead of the GNU userland) will *not* feature a
>> suitable GnuPG tool.  So the statement above is probably more accurate
>> if you change it to GNU/Linux.
>>
>> Do you have a list of sbase+Linux distros that we can look at for
>> comparison?
>
> Hmm, I was thinking sta.li would have gnupg, but it looks like it
> doesn't come embedded. Thanks for noticing!
>
> I would thus like to withdraw this statement, as well as the other one
> you pointed out.
>
> That said, I wonder whether the sentence with “all GNU/Linux distros
> feature a suitable GnuPG tool” would make sense at all, given GnuPG is,
> as pointed out by Mike, part of the GNU operating system, which would,
> if I understand correctly, mean that as soon as the distribution
> includes GNU it must include GnuPG? (I may easily be wrong in my
> interpretation of “part of the GNU operating system”) If I'm correct and
> this would be a pleonasm, then maybe replacing it with “most Linux
> distros feature a suitable GnuPG tool, with the notable exception of
> Android” would make more sense? Then again maybe GNU/Linux would be both
> more precise and simpler indeed, despite the pleonasm.

Maybe start using "Gnu Variants"[1], because that is technically precise.
For instance, this name includes also `cygwin`, which requires the
typical configure-make-install procedure?

Those compiling GnuPG for other platform may clarify the situation.

[1] https://en.wikipedia.org/wiki/GNU_variants

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: FAQ and GNU

2017-10-10 Thread ankostis 
+1
The are very few references of "Linux" in the FAQ btw.

On Tue 10 Oct 2017, 16:42 Mike Gerwitz,  wrote:

> On Mon, Oct 09, 2017 at 22:06:17 -0400, Robert J. Hansen wrote:
> > A request has been made that each instance of "Linux" in the FAQ be
> > replaced with "GNU/Linux".
>
> GnuPG is part of the GNU operating system.  Anywhere "Linux" is used to
> describe the GNU/Linux operating system, "GNU/Linux" should be used.
>
> Please see:
>
>   https://www.gnu.org/prep/maintain/maintain.html#GNU-and-Linux
>
> --
> Mike Gerwitz
> Free Software Hacker+Activist | GNU Maintainer & Volunteer
> GPG: D6E9 B930 028A 6C38 F43B  2388 FEF6 3574 5E6F 6D05
> https://mikegerwitz.com
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
-- 

thumbs on glass
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: PGP for official documents / eIDAS and ZertES

2017-10-10 Thread ankostis 
But it doesn't have to be XML!
Besides ETSI, the european organization implementing eIDAS has 3 "standards"
(e.g. [1]):
XADES(XML), PADES (pdf), CADES - the last one doubting if it has any modern use.

Why not push them for a new PGPADES standard?

Best,
  Kostis

[1] https://blogs.adobe.com/security/91014620_eusig_wp_ue.pdf

On 2 June 2017 at 22:37, Ben McGinnes  wrote:
> On Fri, Jun 02, 2017 at 09:39:51PM +0200, Werner Koch wrote:
>> On Wed, 31 May 2017 19:34, ankos...@gmail.com said:
>>
>> |  >>I have some questions related to XML-Dsig:
>> |  >
>> |  >Argghh!! Run away!
>> |
>> |  A near-universal reaction.
>>
>> XML crypto can be summarized as
>> we-repeat-all-bugs-the-other-two-protocols-meanwhile-fixed-and-add-extra-complexity-for-even-more-fun
>> See also 
>
> I like XML, it's very good at what it was originally intended for.  I
> like crypto, and specifically OpenPGP, too and for much the same
> reasons ...
>
> I am *not*, however, crazy enough to to even consider attempting this.
> That way lies only madness and ruin.  Or, to put it another way, I
> listened to Peter the first time around.  ;)
>
>> ps. I already have my share of grey hair from implementing X.509/CMS.
>> There is not enough left for an XML crypto endeavor.
>
> Mine's not expendable either and I didn't need to go anywhere near
> X.509 to know that.
>
> The closest anyone should get to that sort of thing is "I have foo.xml
> and I've signed it, I now also have foo.xml.sig" and that's it.
>
>
> Regards,
> Ben
>
> P.S.  You heard me say "no" right?  Just checking ...

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: FAQ and GNU

2017-10-10 Thread ankostis 
On 10 October 2017 at 08:46, Robert J. Hansen  wrote:
> ...
> In the FAQ, wherever "Linux" is used as a generic descriptor it is in a
> context where the presence of GNU utilities is irrelevant.  Example:
> "there is no single, consistent way to install GnuPG on Linux systems."
> The truth/validity of that statement is in no way dependent on whether
> one's talking about a system that uses the GNU userland or the BSD userland.

Is there Linux with BSD userland?

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: PGP for official documents / eIDAS and ZertES

2017-05-31 Thread ankostis 
On 31 May 2017 at 15:14, Daniel Pocock  wrote:
>
> Are the CMS, PDF or XML standards flexible enough that a PGP signature
> could be used within any of them and thereby satisfy the legislation?

IANAL, but I would agree with Reiner that the implementing acts are not
technology-neutral.
More detailed, from the three standards supported, only the last one,
XML-sig, supports PGP: https://www.w3.org/TR/xmldsig-core/#sec-PGPData



> > There are quite heavy
> > legal and organization layers on top of the technology that assure
> > security levels, notification (mutual acceptance) and cooperation
> > procedures.

Regarding organizational issues, there in nothing in eIDAS *in principal"
that forbids a company to use XML-sig with PGP.
But it would be interesting how the "national authorities" would react
in practice,
should they receive such a request from a company.
If it would work, for certain, these 2 German companies would have a head-start.



> Thanks for the feedback about that.  Are all users likely to depend on
> all of those things, or is it possible that a PGP signature would be
> sufficient in some use cases?

Check also the "closed systems" exception in the eIDAS regulation.
Search the legal-text for this term (e.g. Art 2.2) to get a rough
understanding of this.
http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32014R0910=EN

Finally, I believe that a crucial point is whether the interpretation
of "assurance levels"
can also apply to PGP, and Art 16 hints that it does.
This may be the twisting-arm power for PGP to come on board eIDAS.


Thanks for bringing this subject up,
  Kostis

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: [Announce] GnuPG 2.1.19 released

2017-03-01 Thread ankostis 
Thank you for your efforts.
Would it be possible with the next release to build also the python-2
& 3 bindings for Windows?

Best,
  Kostis Anagnostopoulos

On 1 March 2017 at 20:27, Werner Koch  wrote:
> Hello!
>
> The GnuPG team is pleased to announce the availability of a new release
> of GnuPG: version 2.1.19.  See below for a list of new features and bug
> fixes.
>
>
> About GnuPG
> =
>
> The GNU Privacy Guard (GnuPG) is a complete and free implementation
> of the OpenPGP standard which is commonly abbreviated as PGP.
>
> GnuPG allows to encrypt and sign data and communication, features a
> versatile key management system as well as access modules for public key
> directories.  GnuPG itself is a command line tool with features for easy
> integration with other applications.  A wealth of frontend applications
> and libraries making use of GnuPG are available.  As an Universal Crypto
> Engine GnuPG provides support for S/MIME and Secure Shell in addition to
> OpenPGP.
>
> There are two major flavours of GnuPG:
>
> - GnuPG 2.1 (dubbed "modern") comes with the latest features and is
>   suggested for most users.  This announcement is about this branch.
>
> - GnuPG 2.0 is an older but widely used branch which we will maintain
>   until 2017-12-31.
>
> GnuPG is Free Software (meaning that it respects your freedom). It can
> be freely used, modified and distributed under the terms of the GNU
> General Public License.
>
>
> Noteworthy changes in version 2.1.19
> 
>
>   * gpg: Print a warning if Tor mode is requested but the Tor daemon
> is not running.
>
>   * gpg: New status code DECRYPTION_KEY to print the actual private
> key used for decryption.
>
>   * gpgv: New options --log-file and --debug.
>
>   * gpg-agent: Revamp the prompts to ask for card PINs.
>
>   * scd: Support for multiple card readers.
>
>   * scd: Removed option --debug-disable-ticker.  Ticker is used
> only when it is required to watch removal of device/card.
>
>   * scd: Improved detection of card inserting and removal.
>
>   * dirmngr: New option --disable-ipv4.
>
>   * dirmngr: New option --no-use-tor to explicitly disable the use of
> Tor.
>
>   * dirmngr: The option --allow-version-check is now required even if
> the option --use-tor is also used.
>
>   * dirmngr: Handle a missing nsswitch.conf gracefully.
>
>   * dirmngr: Avoid PTR lookups for keyserver pools.  The are only done
> for the debug command "keyserver --hosttable".
>
>   * dirmngr: Rework the internal certificate cache to support classes
> of certificates.  Load system provided certificates on startup.
> Add options --tls, --no-crl, and --systrust to the "VALIDATE"
> command.
>
>   * dirmngr: Add support for the ntbtls library.
>
>   * wks: Create mails with a "WKS-Phase" header.  Fix detection of
> Draft-2 mode.
>
>   * The Windows installer is now build with limited TLS support.
>
>   * Many other bug fixes and new regression tests.
>
> A detailed description of the changes found in this 2.1 branch can be
> found at .
>
>
> Getting the Software
> 
>
> Please follow the instructions found at  or
> read on:
>
> GnuPG 2.1.19 may be downloaded from one of the GnuPG mirror sites or
> direct from its primary FTP server.  The list of mirrors can be found at
> .  Note that GnuPG is not
> available at ftp.gnu.org.
>
> The GnuPG source code compressed using BZIP2 and its OpenPGP signature
> are available here:
>
>  https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.1.19.tar.bz2 (6255k)
>  https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.1.19.tar.bz2.sig
> or here:
>  ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.19.tar.bz2
>  ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.19.tar.bz2.sig
>
> An installer for Windows without any graphical frontend except for a
> very minimal Pinentry tool is available here:
>
>  https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.1.19_20170301.exe  (3670k)
>  https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.1.19_20170301.exe.sig
> or here
>  ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.19_20170301.exe
>  ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.19_20170301.exe.sig
>
> The source used to build the Windows installer can be found in the same
> directory with a ".tar.xz" suffix.  The Windows installer now comes with
> TOFU support, many translations, support for Tor, and limited support
> for HKPS and Web Key Directory.
>
>
> Checking the Integrity
> ==
>
> In order to check that the version of GnuPG which you are going to
> install is an original and unmodified one, you can do it in one of
> the following ways:
>
>  * If you already have a version of GnuPG installed, you can simply
>verify the supplied signature.  For example to verify the signature
>of the file gnupg-2.1.19.tar.bz2 you would use this

Should we trust "MyMail-crypt for Gmail" Chrome extension?

2017-02-15 Thread ankostis 
Hi,

I'm wondering whether this open-source Chrome-extension for GPG on GMail[1]
is to be trusted; I mean, not to call home with my secret-key and passphrase.

I searched through the mailing-list archives and found only one
reference from 2014:
https://lists.gnupg.org/pipermail/gnupg-users/2014-April.txt

This extension is the only alternative to use GPG with gmail in
corporate environments where SMTP ports are blocked (unless we
consider as an "alternative" to manually clear-signing each message
text to be sent with cmd-line).

With kind regards,
  Kostis

[1] 
https://chrome.google.com/webstore/detail/mymail-crypt-for-gmail/jcaobjhdnlpmopmjhijplpjhlplfkhba

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Mail address to account conversion (keybase.io)

2017-01-25 Thread ankostis 
Maybe that's an opportunity to put to use "notations
, and self-sign the keybase-uidusing --cert-notation.

Of course, nobody would care to check that,
but would there be any other issue down this road?

Kind Regards,
  Kostis

On 25 January 2017 at 23:39, Felix Van der Jeugt <
felix.vanderje...@gmail.com> wrote:

> Excerpts from Andrew Gallagher's message of 2017-01-25 18:10:56 +:
> > True, people might try to email you on that ID, but the worst that
> > will happen is they get a bounce (and you have other, usable IDs on
> > the same pubkey I assume).
>
> I indeed do have those, but I'm not sure keybase will bounce. I tried
> mailing myself there earlier (with a third address) and all I got in
> return was silence.
>
> > If the ID still "belongs" to you (in some meaningful sense) then
> > there's no need to revoke it just because it is unusable for the
> > purposes of email. It is merely a convention that IDs correspond to
> > email addresses. If your keybase account still exists, has a 1-to-1
> > mapping with that ID, and is still under your control, then IMO it's
> > legitimate to keep the ID - particularly if it is used as a reference
> > point for other things. The presence of an ID on a public key makes no
> > claim as to whether the ID is usable for a particular purpose.
>
> Thanks for the opinion, I find myself agreeing. I should probably stop
> collecting signs on that uid on keysigning parties, though, I shouldn't
> bother people with sending signed keys an unconventional (and manual)
> method.
>
> Sincerely,
> Felix
>
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: pyme3 for Windows

2017-01-24 Thread ankostis 
On 24 January 2017 at 11:46, Justus Winter <jus...@g10code.com> wrote:

> ankostis <ankos...@gmail.com> writes:
>
> > On 23 January 2017 at 16:28, Jerry <je...@seibercom.net> wrote:
> >
> >> On Mon, 23 Jan 2017 01:06:38 +0100, ankostis stated:
> >>
> >> >Has anybody managed to compile pyme3 on Windows?
> >> >
> >> >Thanks for all the Hard Work,
> >> >  Kostis
> >> >
> >>
> >> I don't know if this is what yo are looking for.
> >>
> >> https://sourceforge.net/projects/pyme/files/latest/
> download?source=files
> >>
> >>
> > Almost!
> > These are `pyme-0.8.1` win32-bindings for python-2.
> >
> > The latest bindings have been ported to python-3 and renamed to `pyme3`,
> > currently in version `1.7.1`,[1]  and are now part of `libgpgme`
> > project.[2]
>
> Actually, we renamed them to 'gpg', and the current version is 1.8.0.
>
> We cross-compile all our software for Windows using MinGW.  We don't
> build the Python bindings though.  If anyone manages to do that, please
> share your findings.
>
>
Ideally python bindings should be compiled and packaged as wheels
for  3 different "platforms":
- MinGW
- Cygwin (when GnuPG there upgrades from the old 1.x)
- Gpg4Win (32bit & 64bit, don't know what are they using.

Do these 3 make sense?
Are there more combinations?

Kostis

Justus
>
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: pyme3 for Windows

2017-01-23 Thread ankostis 
On 23 January 2017 at 16:28, Jerry <je...@seibercom.net> wrote:

> On Mon, 23 Jan 2017 01:06:38 +0100, ankostis stated:
>
> >Has anybody managed to compile pyme3 on Windows?
> >
> >Thanks for all the Hard Work,
> >  Kostis
> >
>
> I don't know if this is what yo are looking for.
>
> https://sourceforge.net/projects/pyme/files/latest/download?source=files
>
>
Almost!
These are `pyme-0.8.1` win32-bindings for python-2.

The latest bindings have been ported to python-3 and renamed to `pyme3`,
currently in version `1.7.1`,[1]  and are now part of `libgpgme` project.[2]

I need them compiled for python 3.5 & 3.6 (due to differences in MSVCR
Ithink).
- The easiest would be to be compatible with GPGvWin.[3]
- The optimal would be to include them in Gohlke's "Python Unofficial
binaries" [4],
  or upload them as a 32bit-wheel in PyPi.


So far I downloaded from GnuPG-downloads [5] and managed to compile
`Libgpg-error` and `Libassuan` dev-libraries using MinGW cross-compiler in
Debian.
But I do not know what to do next (or if this is the right path)?


Any more help appreciated, but thank you Jerry anyway,
  Kostis


[1] https://pypi.python.org/pypi/pyme3
[2] https://www.gnupg.org/blog/20160921-python-bindings-for-gpgme.html
[3] http://gpg4win.org/download.html
[4] http://www.lfd.uci.edu/~gohlke/pythonlibs/
[5] https://www.gnupg.org/download/index.html


--
> Jerry
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

pyme3 for Windows

2017-01-22 Thread ankostis 
Has anybody managed to compile pyme3 on Windows?

Thanks for all the Hard Work,
  Kostis
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users