Re: Ok this is a stupid questions
On February 25, 2019 5:13:32 AM AKST, Michael Holly wrote:
> So I completely preface this question is not a valid use case for gpg. I know, I get it.
>
> I have a potential issue that I'm trying to diagnose. I'm trying to understand how gpg will react to the input file size changing during the encrypt or decrypt step.
>
> Right now it appears that the gpg process goes a bit crazy and the 200 MB file I am decrypting becomes 1.2 TB or greater.
>
> Here is the order of the events
>
> 1. File lands on my system.
> 2. PGP decrypt is invoked on the file.
> 3. Since the file is not truly done being sent to me, the file grows in size.
> 4. GPG seems to expand the decrypted file many times over.
>
> What I suspect is that instead of erroring out, GPG starts the decrypt process over and appends the new output to the previous cycle. I have not tested this, but will soon.
>
> I just wanted to see if anyone else has seen this happen.
>
> Thanks
>
> Michael

News media questions?

Many times it is the case that large files are compressed before being encrypted, and there are certain information-theoretical reasons to do so. Aside from efficiency and possibly a slightly better security, it is absolutely impossible to compress files after they are encrypted because the repetitive or redundant patterns, on which the compression is based, are precisely what is obfuscated and concealed by the encryption. In any case, if the file was compressed before encryption, then it will have to be expanded back to its original size after decryption.

Then there is the base64 ASCII armor, which causes a ciphertext expansion to the tune of some 35% by using only 6 of the 8 bits of each byte plus extra formatting for new lines and such.

So how did the Firstlook Media reporters from The Intercept come to give up their GPG keys and go so mainstream corporate? They never got along all that well with the military, and they're not even remotely "alternative" anymore if they ever were. It's all establishment Democrat party line mainstream media, and "Don't you dare try to get smart and buck the labor union!" Holed up in Brazil somewhere pushing that atrocious "7me" spyware app on my Android phone as if that gay male reporter is suddenly a good Christian sitting on the church pew keeping the Sabbath so obediently on the Seventh Day and circumcising his kids under the law of Moses.

That's why I have to call foul play on proprietary operating systems. Encryption is theoretical only: in practice useless, moot, crippled, broken, and terminally back-doored with all the malware, adware, spyware, worms, viruses, trojans, keyloggers, and screenscrapers inherent to such systems as Google Android, Microsoft Windows, and Apple OS. The Democrats will stop at nothing to keep it that way at all costs, and the Republicans just don't care.

--
A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.
https://www.colmena.biz/~justina/

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: The "advanced" URL of openpgp-webkey-service-07, and l=
On February 11, 2019 4:04:31 AM AKST, Alessandro Vesely wrote:
>Werner,
>
>I just saw version -07 today. The advanced method:
>
>WELLKNOWN := https://openpgpkey.example.org/.well-known/example.org/openpgpkey
>
>doesn't seem to make much sense to me. I tried it with posteo.de, and got:
>
>ale@pcale:~/tmp$ dig +short openpgp.posteo.de
>89.146.220.134
>
>ale@pcale:~/tmp$ curl --head https://openpgp.posteo.de/.well-known/posteo.de/openpgpkey/submission-address
>curl: (51) SSL: no alternative certificate subject name matches target host name 'openpgp.posteo.de'
>
>The subdomain is probably a star (*) DNS record. However, their certificate's Subject Alt Name doesn't have a star, but a list of subdomains. Certificates cost, albeit not much, so the need to set up a new subdomain may hamper implementation.
>
>I'm unable to get the "flexibility in setting up the Web Key Directory in environments where more than one mail domain is hosted". Say I host A.example and B.example. Then I need to set up both subdomains openpgpkey.A.example and openpgpkey.B.example. Internally, they can be redirected in a number of ways, but the server should hold the HTTP_HOST anyway. To repeat the mail domain between .well-known and openpgpkey doesn't seem to help much.
>
>The openpgpkey folder can be implemented by plain files named after the 32 byte string and containing the key to be served. The l= parameter would just be discarded in that case. Otherwise, if the server side script is cute, should it verify whether the value of the parameter interpreted as a local part matches the 32 byte string? What if they don't match? To urlencode the local part might have been easier than Z-encoding its SHA1, but what's the point of doing both?
>
>
>Best
>Ale

Certificates COST, do they? Should a * star certificate COST so infinitely much, then?

WELLKNOWN := Check the sex offender registry list, grab a guy by short and curlies, dig in with your fingernails, and give a sharp twist to the left, or something like that. Is that what those Russian ladies from NGINX call a "leftist" programming style?

--
A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.
https://www.colmena.biz/~justina/
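The quoted message above asks whether a server-side script should compare the `l=` value with the 32-character key name, and what to do when they differ. One possible policy, as an added example (not code from the list, from GnuPG or from the draft's authors): the URL layout assumed here is the Web Key Directory draft's `/.well-known/openpgpkey/<domain>/hu/<hash>` form, and the function names and the reject-on-mismatch behaviour are assumptions.

```python
import hashlib
import re
from urllib.parse import parse_qs, quote, urlsplit

ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"
# A key name is exactly 32 z-base-32 characters (160-bit SHA-1, 5 bits each).
HASH_RE = re.compile(r"[%s]{32}" % ZBASE32)


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32, most significant bits first."""
    nbits = len(data) * 8
    pad = -nbits % 5                       # zero-pad to a multiple of 5 bits
    value = int.from_bytes(data, "big") << pad
    return "".join(ZBASE32[(value >> s) & 31]
                   for s in range(nbits + pad - 5, -1, -5))


def ascii_lower(text: str) -> str:
    """Lower-case ASCII letters only; other characters are left untouched."""
    return "".join(c.lower() if c.isascii() else c for c in text)


def wkd_hash(local_part: str) -> str:
    """Name of the key file: z-base-32 of the SHA-1 of the lower-cased local part."""
    digest = hashlib.sha1(ascii_lower(local_part).encode("utf-8")).digest()
    return zbase32(digest)


def advanced_url(address: str) -> str:
    """Build the 'advanced' lookup URL, carrying the local part again in l=."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    return (f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
            f"/hu/{wkd_hash(local)}?l={quote(local, safe='')}")


def check_request(url: str) -> str:
    """Decide how a key server could treat a lookup (hypothetical policy).

    The key name is validated first, so a directory of plain files named
    after the hash is never asked for anything but a 32-character name.
    """
    parts = urlsplit(url)
    name = parts.path.rsplit("/", 1)[-1]
    if not HASH_RE.fullmatch(name):
        return "reject: malformed key name"
    claimed = parse_qs(parts.query).get("l")
    if claimed is None:
        return "serve"                     # no l= given: look up by hash alone
    if wkd_hash(claimed[0]) != name:
        return "reject: l= does not match key name"
    return "serve"


if __name__ == "__main__":
    url = advanced_url("Joe.Doe@Example.ORG")   # address used in the draft
    print(url)
    print(check_request(url))
    print(check_request(url.replace("l=Joe.Doe", "l=someone.else")))
```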
Re: [k9mail/k-9] Makes PGP sign-only mails very difficult (#2375)
On February 4, 2019 8:07:33 AM AKST, Citizen Kepler wrote:
>I would like to say that I need to have a signature on all of the emails that I send to authenticate me as the sender, but not encrypt them. Often these messages are going back into bug tracking systems or mailing lists, and manually signing each email is a bad solution. I will need to allow an opt-in sign by default option.

[[[Date: Tuesday, February 5, 2019, 12:45 PM AKST]]]

PGP signatures do have a couple of rather severe and vicious limitations.

THE DATE PROBLEM. Only the body of the email is signed, not the envelope headers, namely the subject and intended recipients, and probably most importantly, the date. It would be nice to have an option to automatically include some of these headers in the body of the signed message when composing a signed email message.

THE STRIPPING PROBLEM. Currently, each attachment is signed separately and independently by the PGP-MIME standard. It would be preferable to digitally sign SHA hashes of the main message and all attachments in a single additional attachment. This would leave an indication of any attachments that may have been "stripped" from the email message, but without breaking the signatures of remaining attachments in such cases.

Bust that 55+ EFF nightclub and do it right, folks, unless it's the youth wing spouting the exact same old fogies' party line.

--
A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.
https://www.colmena.biz/~justina/contacto.php
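The single signed list of hashes proposed in the message above, with selected headers copied into it, sketched as an added example (not code from the poster, K-9 Mail or any OpenPGP implementation). The manifest layout, the function names and the sample mail are assumptions; the OpenPGP signature over the manifest text is made separately and is not shown.

```python
import hashlib
import json
from email.message import EmailMessage

PROTECTED_HEADERS = ("Date", "From", "To", "Subject")


def message_parts(msg):
    """Yield (label, bytes) for the body and every attachment.

    Attachments are labelled by file name, unnamed parts by position.
    """
    parts = msg.iter_parts() if msg.is_multipart() else [msg]
    for index, part in enumerate(parts):
        label = part.get_filename() or f"part-{index}"
        yield label, part.get_payload(decode=True) or b""


def build_manifest(msg):
    """Return the text the sender would sign once and attach to the mail."""
    manifest = {
        "headers": {h: str(msg[h]) for h in PROTECTED_HEADERS if msg[h] is not None},
        "parts": {label: hashlib.sha256(data).hexdigest()
                  for label, data in message_parts(msg)},
    }
    return json.dumps(manifest, sort_keys=True, indent=1)


def check_message(manifest_text, msg):
    """Compare a received mail with a manifest whose signature already verified."""
    expected = json.loads(manifest_text)
    received = {label: hashlib.sha256(data).hexdigest()
                for label, data in message_parts(msg)}
    report = {"intact": [], "modified": [], "stripped": [],
              "unlisted": [], "headers_changed": []}
    for label, digest in expected["parts"].items():
        if label not in received:
            report["stripped"].append(label)      # listed, but no longer present
        elif received[label] == digest:
            report["intact"].append(label)
        else:
            report["modified"].append(label)
    # Parts that arrived but were never covered by the signed manifest.
    report["unlisted"] = [l for l in received if l not in expected["parts"]]
    for name, value in expected["headers"].items():
        if msg[name] is None or str(msg[name]) != value:
            report["headers_changed"].append(name)
    return report


def sample_message(subject, attachments):
    """Constructed sample mail; addresses and contents are made up."""
    msg = EmailMessage()
    msg["Date"] = "Tue, 05 Feb 2019 12:45:00 -0900"
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.org"
    msg["Subject"] = subject
    msg.set_content("Patch attached, see notes.\n")
    for name, data in attachments.items():
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    sent = sample_message("Build fix", {"report.pdf": b"%PDF-constructed",
                                        "notes.txt": b"constructed notes"})
    manifest = build_manifest(sent)
    # Same mail after one attachment was stripped and the subject rewritten.
    arrived = sample_message("Build fix (urgent)", {"report.pdf": b"%PDF-constructed"})
    print(check_message(manifest, arrived))
```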
Re: Gnupg-users Digest, Vol 184, Issue 22
On February 3, 2019 7:48:28 AM AKST, "Robert J. Hansen" wrote:
>> What I liked about PGPfone was that you could directly connect to your communications partner, without any servers involved and it was super easy to use. You simply put in the (current) IP Address, connect and then read some displayed letters to each other, to prevent MITM, and then communicated. There was no learning curve involved.
>
>In the era before NAT, this may have made sense. In today's NAT-pervasive era, not so much.
>
>Under NAT, your IP address is hidden from the rest of the internet. The address my router gives me is not one the outside world can use to route information to me; and if I go to a website that lists my IP, that's actually my router's IP, not mine.
>
>I won't go into how NAT works except to say that under NAT, connections cannot[1] be made from one peer to another. You need a server that's not NATted in order to facilitate connections between peers.
>
>So -- I hate to be the one to tell you this, but the architecture of the internet has changed dramatically since PGPfone was released in ... what was it, '94? Today, one of the major purposes of these servers is to facilitate traversing NATs.
>
>
>[1] It's technically possible to do peer to peer behind NAT, but beyond the technical capabilities of the vast majority of users.

The official answer to NAT is IPv6. Works quite well, except for a few technology luddites.

Other than that, my place was SWATted about 1:30am last night. The previous night the phone rang at 4:38am, caller ID from Washington, D.C. A strange car had been parked at my place, listening for the phone to ring. We've got to think outside the box on that one. There's a German pub down the street, the "West Berlin," just across from the local telephone office, GCI, yes, luddites, all NAT, no IPv6. Gotta go AT&T for that.

So think reality: location, location, location. It's S.O.P. for the C.C.C., and no, we're not talking about the Civilian Conservation Corps. Young white male cops on the graveyard shift, amped up on adrenaline and testosterone, brash and eager to make their bones on a big bust. That color-of-law stuff from the feds is starting to get to them. Talk too much on the phone, and there's bound to be some girl or female operator pressing charges by the minute. "Get off my block, bitch, I'm listening!" she mutters in a sleepy voice. It's the Democratic boiler room Party line. The ladies have a stranglehold on the telephone surveillance business, yes, those ladies, meaning none other than Dianne Feinstein and friends on the Senate Intelligence Committee, Eve and Mallory listening to Alice and Bob.

--
A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.
https://www.colmena.biz/~justina/contacto.php
Re: Gnupg-users Digest, Vol 184, Issue 22
On February 1, 2019 10:05:58 AM AKST, Stefan Claas wrote:
>On Thu, 31 Jan 2019 19:43:35 -0900, justina colmena wrote:
>
>> With regards to PGPfone etc., all you need to do is run Asterisk on a server somewhere, enable SIP with encryption. If you or your conversation partner don't have a public key, there is a voice verification of endpoints, but do note that encrypted real-time voice conversations are extremely difficult to protect from packet-timing and other side-channel attacks which often trivially reveal a muffled but clear recording and transcript.
>
>Thanks for the info, but I do not want to install server software, for encrypted communications, where 3rd parties could have theoretically access to it.
>
>Maybe someone, in the future, can pick-up the idea of PGPfone and develop it further so that it can be used on Linux too or modern macOS. The old Windows version still runs fine, under Windows 7, for example.
>
>Regards
>Stefan
>
>P.S. About my domain name, for the interested women or children, please take a look here: https://en.wikipedia.org/wiki/Baud

I am definitely not asking anyone to install anything for my use. I'm just trying to explain AFAIK, what you need to do if you want to experiment with voice encryption. I don't want to be held responsible for it or arrested for it any more than anyone else, and I'm also trying to explain how some of these things come across to authorities who continually and repeatedly insist on viewing all such matters in the worst possible light.

Didn't Martin Luther say to place the best construction on all things? But no, we must submit to "parallel construction" and falsely sworn warrants by over-informed and under-educated law enforcement officers. "Thou shalt not bear false witness" and all that, and we just had a holiday, Dr. Martin Luther King Jr. day - and that's right, now that I think about it - not only a doctorate like his German namesake, but his father and grandfather and their wives must have been staunch Lutherans as well, in so far as to name one son after another after him.

There is so much Catholic insistence on communist totalitarianism under a papal dictatorship of the proletariat, and opposition in the name of that religion to every precept of human rights and due process of law, that even the Finnish Protestants preach "oikeutta" & "lain oikeaa käyttöä" in church, because like us they have not attained to such rights and freedoms in this life on Earth, and so the struggle continues against Catholicism.

The full name of "baud" is "Baudot," a Frenchman, if I recall correctly, a contemporary of Hartley or Shannon, definitely a co-worker on such matters. Living relatives? Is it another family feud? France is practically at war already with a migrant situation, the recent Europol or Interpol shake-up with China or Russia or South Korea, general E.U. upheaval, Brexit sympathies, and so on and so forth.

--
A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.
https://www.colmena.biz/~justina/contacto.php
Re: Gnupg-users Digest, Vol 184, Issue 22
On January 30, 2019 1:47:41 PM AKST, Stefan Claas wrote:
>On Wed, 30 Jan 2019 12:46:26 -0800, Allen M. Juinio wrote:
>> > Date: Wed, 30 Jan 2019 20:44:07 +0100
>> > From: Stefan Claas
>
>> > On the other side I wish PGPfone would have been further developed. I found it, way back then, pretty cool and super easy to use, compared to PGP or GnuPG.
>
>> Have you tried using Signal from Open Whisper Systems? They have both an Android and Apple version.
>
>Thanks, I am aware of Signal, but what I mean is to communicate directly and not via servers and also by not giving away phone numbers.
>
>With PGPfone one needed only the (current) IP address of its communication partner and then connected directly, without any servers involved.
>
>Regards
>Stefan

I don't mean to sound rude or out of place, but there appear to be too many distractions to have a productive discussion on this list, and there are some critical issues, because GnuPG has become an essential part of many important systems throughout the free and open source software community.

The weekly "digest" option for the mailing list should be no-reply. People who wish to participate in a pointed or on-topic discussion really need to receive each email message independently.

I realize it's a German domain, but 300baud.de is just really obnoxious in English. The phrase "300 baud" itself is, of course, completely unobjectionable hacker lore, but baud+de = "bawdy" as in "bawdy house" which is extremely vulgar in English. Only for the gentlemen. That sort of "humor" is not friendly to women and children, and I know especially a lot of women and girls would otherwise be very interested in cryptography, PGP-encrypted email, etc.

Let's lose the vulgarity and focus on Alice's secret message to Bob, something Eve or Mallory has no need to know, basic elements of what needs to be done right with respect to the core functionality of GnuPG.

Not to advertise, but my own domain is the Spanish word "colmena" (hive, colony of bees, beehive in English) with the "biz" tld, slang for "business." Bees are busy, and they make that buzzing noise. Point being, it's entirely possible to avoid a lewd implication or double entendre. I can't let people take me for all honey and no sting with my domain.

With regards to PGPfone etc., all you need to do is run Asterisk on a server somewhere, enable SIP with encryption. If you or your conversation partner don't have a public key, there is a voice verification of endpoints, but do note that encrypted real-time voice conversations are extremely difficult to protect from packet-timing and other side-channel attacks which often trivially reveal a muffled but clear recording and transcript.

The human voice is in a certain sense "too rich" to hide or conceal, and the Bible tells of a "line" of every signal or sound that extends to be heard to the ends of the earth, and of the ungodly that "the sound of his words shall come unto the Lord for the manifestation of his wicked deeds."

--
A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.
https://www.colmena.biz/~justina/contacto.php
Re: Discrepancies in extracted photo-id images from dumps
On January 19, 2019 9:56:00 AM AKST, "Ingo Klöcker" wrote:
>On Samstag, 19. Januar 2019 17:10:38 CET Stefan Claas wrote:
>> Method used with GnuPG:
>>
>> In gpg.conf I put: photo-viewer "cat > %K.%t"
>>
>> and then I used this one liner:
>>
>> for filename in ./*.pgp; do gpg --list-keys --list-options show-photo --keyring "${filename}"; done
>
>This will result in at most 1 image per key because your fake photo-viewer overwrites photos for keys containing multiple photo-ids (%K.%t is identical for all photo-ids of a key). Using
>photo-viewer "cat > %K.%U.%t"
>instead should fix this.

Yes, I agree it's about time somebody clocked the $#!+ out of some of these EFF f*ckers and called them out on their bull crap, because you're not one of them, as you have so excused yourself.

Other than that, well, all we ever get from Gnu/EFF is, "Don't talk to the cops!" And come to find out they have already snitched on us, grossly misrepresented us to the aforementioned cops, and cooked up false police reports against us that go on permanent record without the due process of law, and without any communication to us of our loss of rights and representation.

We would like to work with the cops and educate them on due process and civil rights, but the truth is, you're either a criminal or a snitch the minute you talk to a cop, they punish you just the same either way, all the dishonest lawyers, corrupt judges, and stacked juries on their side, and if you haven't "lost your gun rights" already, they just take you in for a mental evaluation and have a doctor declare you irrevocably incompetent to possess a firearm for the rest of your life of cop-calling victimhood.

And it's actually ten times worse than that, because when you try to find employment or housing with that on your record, your potential employer sees an unfounded and unproven, but indefeasible accusation of murder on your permanent record. Add to that the off-duty *armed* lynch mob from the local PD, the local NSA neighborhood crime watch with the moms in tennis shoes screaming ch!ld pr0nogr4phy, and we have a full-blown East German DDR Stasi in the USA. Somehow I don't believe the situation in Europe is much if at all better, because that political garbage is all coming from somewhere in the EU.

You've got email problems at KDE. X-Authenticated-User? Is KDE high on drugs to pimp out your private email address like that to the whole mailing list? Or is KDE (= "K" DEutscheland) the German equivalent of KKK in the United States? Right, right, right. It's all love and free software and it runs on Ubuntu in Africa, same as everywhere else.

>On Samstag, 19. Januar 2019 17:10:38 CET Stefan Claas wrote:

Look. I realize it's automatically generated by your email client "reply" function, but is that supposed to be an English-language sentence with a German-language locale time-zone date-stamp mashed into the middle of it? Some of you Germans drink so much beer you can't tell what time the sun is supposed to come up in the morning.

Everything is either proprietary and locked down, or too broken and crippled to be usable, and there's no viable free software left anywhere, because of all the bull crap and the H1-B labor Mob from the East Indies. Microsoft is behind this, I'm telling you. They bought out GitHub. The Halloween Documents, the SCO fiasco, the whole Groklaw.net saga, nobody ever got fired for buying Apple, IBM, AT&T, and Cisco, either, and it's all coming back, closed source, slammed shut right in our faces.

How can people be so insufferably rude?

--
A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.
https://www.colmena.biz/~justina/
Re: gpg > addphoto
On January 8, 2019 11:23:40 AM AKST, dirk1980ac via Gnupg-users wrote:
>Hello.
>
>Am Dienstag, den 08.01.2019, 20:16 +0100 schrieb Stefan Claas:
>
>> Yes, agreed! However, as it currently is there is no need for bad actors because people have plenty of image space in a key.
>
>Uh, I think you have found a new place where the guys can hide their porn collections so their wives don't find it.
>
>Sorry, could not resist.
>
>Regards,
>Dirk

It's a peculiar problem with which law enforcement is of little or no assistance. There's a gun and a badge and a gang of dicks with flashlights all over town, and a heavy-breathing warrant to bust your door in on that stuff. Neither the law enforcement credentials nor the color of law excuse the base human desire of cops to indulge their own flesh.

A related problem is "image phreaking." People make a game of digitally altering images and obscuring their source. Others make a game of deobfuscating the images and tracking them down. There is a very close-knit community of this sort of thing among disreputable hangers-on to Interpol, Europol, US FBI, Russian FSB, etc.

Several times I have been forced to permanently dissociate myself from all images and photos ever to have been associated with me, whether photos I have taken myself or which were found on my computer. Those people were hunting me, and they were led astray by their false assumptions, because *I* usually assume when foreign cops are hunting me that they are hunting to kill, and not to bring criminal or civil charges in court.

Wherever there is a photo or image of any sort, cops as well as a certain low-class security apparatchik always _assume_ an unhealthy obsession or morbid desire to memorialize something or someone. I mean, if you're not a professional photographer, you are _assumed_ to be trespassing on their intellectual property in some way or another, however they can twist it around in court to make it appear so. It's all part and parcel of the artsy-fartsy red-light district with the FBI warnings on all the Hollywood movies, actresses accusing male fans of stalking, etc.

So digital photos and images become a cop-calling feminists' emotional space where men in general and less privileged women are prohibited by law, but professional necktied gentlemen are perfectly welcome.

--
A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.
https://www.colmena.biz/~justina/
Re: gpg - difference --encrypt-to and --recipient
On January 1, 2019 4:13:43 PM AKST, MFPA <2017-r3sgs86x8e-lists-gro...@riseup.net> wrote:
>Hi
>
>
>On Monday 31 December 2018 at 9:06:39 PM, in , justina colmena via Gnupg-users wrote:-
>
>
>> Shouldn't an email message (for example) be encrypted separately to each BCC recipient,
>
>My opinion is that should be the case. However, most MUAs I've used include the BCC recipients' keys in the encryption along with the To and CC recipients' keys, so any email addresses in the user-IDs of these keys are visible to all recipients.
>
>As an exception, one MUA I used with an OpenPGP add-on would instead send an individual copy of the message to each BCC recipient, encrypted only to their key.

This seems like better practice. Also I would want to encrypt the transmitted email message only to the intended recipient, and the copy stored in my "Sent" folder only to myself.

>> or is this an intended all-in-one multiple-recipient encryption which cannot conceal from the cryptanalyst the fact that the same message, encrypted only once, is being sent to more than one receiving party?
>
>With hidden-recipient or hidden-encrypt-to or throw-keyids, it is clear how many keys were encrypted to, but the key IDs and user-IDs are not present.

I am not terribly comfortable with this situation. It almost seems rather creepy to me to receive an encrypted message that is also encrypted for the benefit or verification of one or more unknown and unidentified third parties. I start suspecting things like a foreign government mandated key escrow or secret government backdoor on behalf of some foreign spy or law enforcement agency.

>
>--
>Best regards
>
>MFPA <mailto:2017-r3sgs86x8e-lists-gro...@riseup.net>
>
>Never trust a dog with orange eyebrows

--
A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.
https://www.colmena.biz/~justina/
Re: gpg - difference --encrypt-to and --recipient
On December 31, 2018 5:38:10 AM AKST, Dirk Gottschalk via Gnupg-users wrote:
>Hello Damien.
>
>Am Montag, den 31.12.2018, 12:45 + schrieb Damien Goutte-Gattat:
>> On Mon, Dec 31, 2018 at 07:17:21AM +0100, Dirk Gottschalk via Gnupg-users wrote:
>> > Yes, that's correct. Anyways, I prefer using the --hidden-recipient for this purpose. That prevents the disclosure of the communication paths with pure GPG-Packet analysis.
>
>> You do realize that, in the case of e-mail, the communication paths are already disclosed by the SMTP protocol (command "RCPT TO") and the mail headers ("From", "To", and the like), which both are outside the scope of OpenPGP protection?
>
>Yes, sure I do. But referencing the command line options, I thought he was speaking about encryption of files. In this case, it could be of (even if small) benefits to avoid the disclosure of the path.
>
>
>> Using --hidden-recipient only protects against an hypothetic attacker who is somehow only able to obtain the email body (the OpenPGP message itself) without the surrounding metadata.
>
>That's correct. As told, I was talking about encrypted files. If you upload an encrypted file to a cloud service, for example, it could be a good idea to encrypt only to hidden recipients. Security by obscurity is not everytime a bad thing. ;)
>
>Regards,
>Dirk

For some reason I'm not getting a "Reply-To:" for the whole list here...

Hidden recipients are normally given in the BCC (Blind Carbon Copy) field in the case of email, and the communication paths are not disclosed to other recipients.

Shouldn't an email message (for example) be encrypted separately to each BCC recipient, or is this an intended all-in-one multiple-recipient encryption which cannot conceal from the cryptanalyst the fact that the same message, encrypted only once, is being sent to more than one receiving party?

I hate to see the vast number of gpg command-line options get so carried away that we lose grip of the basic cryptography that we want to use GnuPG for.

And now the *secret* keys are going in "~/.gnupg/pubring.gpg" with the false implication by its name that the file contains only public keys which need not be so carefully guarded against disclosure.

--
A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.
https://www.colmena.biz/~justina/
Importing keys into GnuPG 2.2 series
This e-mail is signed with a key generated by OpenKeychain on a smartphone. I am able to verify the signatures on other signed e-mails I get on this mailing list, with the exception of the footer added by the mailing list software.

I was able to back up the key, import it into GnuPG 1.4.23 and sign some old papers which I had sitting around, with the same key, which ironically is now newer than any of the papers. I have made both attached and detached signatures.

https://www.colmena.biz/~justina/bor/bor.pdf
https://www.colmena.biz/~justina/bor/bor.pdf.gpg
https://www.colmena.biz/~justina/bor/bor.pdf.sig
https://www.colmena.biz/~justina/doi/doi.pdf
https://www.colmena.biz/~justina/doi/doi.pdf.gpg
https://www.colmena.biz/~justina/doi/doi.pdf.sig
https://www.colmena.biz/~justina/pnp/pnp.pdf
https://www.colmena.biz/~justina/pnp/pnp.pdf.gpg
https://www.colmena.biz/~justina/pnp/pnp.pdf.sig
https://www.colmena.biz/~justina/Rab/Rab.pdf
https://www.colmena.biz/~justina/Rab/Rab.pdf.gpg
https://www.colmena.biz/~justina/Rab/Rab.pdf.sig

OpenKeychain on my smartphone is able to verify the attached signatures .gpg, but not the detached .sig files.

For some reason I cannot get GnuPG 2.2.11 to recognize the passphrase for the secret key, which I am only able to set, use, or change in GnuPG 1.4.23.

MAIN QUESTION: Is this a pinentry-curses problem with the tty over ssh, or is it an actual key incompatibility issue?

If for some reason the key is not actually compatible with GnuPG 2, then shouldn't I just generate a new key in GnuPG 2, and then sign it with my old key in GnuPG 1 and also import it back into the OpenKeychain app if I want to use it on my phone?

Thank you. There is quite a discussion going on about other matters, and I am not sure I asked the right question for what I wanted to know.

--
A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.
https://www.colmena.biz/~justina/justina.colmena.asc
Re: Smart cards
On December 12, 2018 10:13:58 PM AKST, Werner Koch wrote:
>On Tue, 11 Dec 2018 19:27, art...@ulfeldt.com said:
>> using openkeychain with a yubikey nfc is totally solid, and convenient. I've been using them for years. they also plug into the bottom of the phones which some people prefer.
>
>You should keep in mind that you can eavesdrop on NFC communication within several meters. Right, it is required that the card is not more than about 10cm away from the reader but that is only to convey the power to the card, the HF is readable from several meters as soon as the card is powered up.
>
>If you care about side channel attacks, NFC communication is a bad idea because the decrypted session key can easily be picked up. To avoid this, /secure communication/ needs to be used but that is cumbersome because this requires a shared secret between host and card. But well, smartphones are not a safe device anyway.
>
>
>Shalom-Salam,
>
> Werner

I agree that smartphones are not safe, but I am not particularly in favor of smartcards, dongles, and security tokens like yubikeys, either.

Any kind of special-purpose cryptographic *hardware* is essentially proprietary, and too attractive and soft a target for various nations' spy agencies to covertly backdoor. "Don't look at me! I've got something to hide, and nowhere to protect it!" There's a secure phone on the President's desk, and not even the Secret Service can say it's all that "secure."

Open-source cryptographic software that runs on general purpose computer hardware is generally much more difficult to backdoor. If you plug some little doohickey or thingamajig into your computer to do *crypto*, of all things, your computer is liable to become infected with spyware over the USB bus via BadUSB and various firmware- and device-related security vulnerabilities.

--
A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.
https://www.colmena.biz/~justina/justina.colmena.asc
Re: Keyserver access changes in GnuPG
On December 12, 2018 2:00:18 PM AKST, Todd Zullinger wrote:
>
> the keyserver and photoviewer helpers
>

A permanent record and a mug shot for the cops and every thief, hooker, and pickpocket on the block, respectively. And they all just help themselves to the secret key. Someone puts out a little bit of money for secret keys and passphrases, they know your real name and where you live, and it just all goes to hell in a handbasket.

--
A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.
https://www.colmena.biz/~justina/justina.colmena.asc
Re: Keyserver access changes in GnuPG
On December 12, 2018 2:35:43 AM AKST, Stefan Claas wrote:
>On Wed, 12 Dec 2018 10:15:33 +0100, Wiktor Kwapisiewicz via Gnupg-users wrote:
>> Hello all,
>>
>> I recently saw a message from one of Fedora's maintainers:
>>
>> > Coming soon to Fedora30 (rawhide), gnupg v1.4.x renamed to gnupg1. Also dropping keyserver support at Werner's
>> > suggestion since upstream plans to disable that soon.
>>
>> Source: https://infosec.exchange/@bcl/101195051788828345
>>
>> Does anyone know anything about dropping keyserver support in GnuPG? That seems
>> a little bit radical but maybe I've missed something...
>
>If so, I see it as a consequent move from past discussions on ML's and that Werner shows
>responsibility, while everybody else defended the old system or put their head in the sand.
>
>Bravo!
>
>Regards
>Stefan
>
>--
>https://www.behance.net/futagoza
>https://keybase.io/stefan_claas

One disadvantage of "keyservers" in general is that the automated queries to them leak "too much information" on the parties with whom one is communicating - even the fact that one is using PGP at all.

One of the original goals of PGP, and later on, GnuPG, was to avoid the reliance on a central point of failure such as a "server." It was to be a most explicitly *decentralized* system.

*Probably nothing wrong* with a keyserver if the key is tied to one's everyday real-life identity, but that is not always the use case of public key cryptography. Not everyone wants his or her phone number, email address, and residence address published in a database accessible to the public.

The big advantage, of course, to the keyservers is that they make it convenient for people to use PGP and GnuPG who might not otherwise bother with encryption at all.

In any case, I am sure that the keyserver support functionality could easily be split off into a separate program if it is being dropped from GnuPG, which to be honest is getting rather bloated and could do well to focus on its core competencies.

Right now the OpenKeychain app on my phone is configured to search OpenPGP keyservers:

hkps://keyserver.ubuntu.com
hkps://hkps.pool.sks-keyservers.net (hkp://jirk5u4osbsr34t5.onion)
hkps://pgp.mit.edu
hkps://keys.fedoraproject.org (which I added because I use Fedora.)

There is also a "keybase.io" and a "Web Key Directory" search.

It might seem a bit much, but the general goal here is not "absolute privacy" but to enable the dumb user of a smart phone to make use of PGP encryption.

This whole debate, I seem to recall, took place many, many years ago, and of course different groups have different goals and find different technical solutions for their respective situations.

--
A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.
https://www.colmena.biz/~justina/justina.colmena.asc
Re: Garbled data in keyservers
On December 9, 2018 11:17:34 AM AKST, Stefan Claas wrote:
>On Sun, 9 Dec 2018 21:11:12 +0100, Juergen Bruckner wrote:
>> On 09.12.18 at 18:24, Dirk Gottschalk via Gnupg-users wrote:
>> > And further, why should anyone run something like a ca CA for free.
>> > Sure, CAcert does it. But that's the only organisation I know who
>> > does this.
>>
>> Also WPIA [1] plans to do this and started an audit process for their
>> CA.
>>
>> regards
>> Juergen
>>
>> [1] https://wpia.club
>
>Very cool Juergen!
>
>Regards
>Stefan
>
>--
>https://www.behance.net/futagoza
>https://keybase.io/stefan_claas

What was that German company, StartSSL or something, that offered free certs for a while, big on S/MIME, (almost deprecated PGP/GPG,) and personal client certificates on the browser, that sort of thing? Then there was a big kerfuffle because the Chinese allegedly bought them out.

Then EFF / certbot / letsencrypt started offering them. It's a "gentleman's agreement" of sorts. One and only one CA will offer "free" certs, and they're "well-known," basically for development and not for e-commerce.

I'm rather upset with EFF at the moment, by the way. They're always pushing "adult content" like a bunch of porno addicts and they have acquired almost a Salesforce- or SAP-like CRM system in their back office, collecting a lot of personal information on political dissidents and precisely the privacy-minded individuals who would rather not have such possibly derogatory information collected about them.

--
A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.
https://www.colmena.biz/~justina/justina.colmena.asc
Re: Garbled data in keyservers
On December 9, 2018 7:54:01 AM EST, Stefan Claas wrote:
>
>Get a sig from a CA and then upload your key via email.
>

That's a bit steep, and was never the original goal of PGP or GPG. If the goal is to eliminate the bulk of bad keys and junk from key servers, an account creation with basic email verification for adding or removing keys should suffice.

Let's be honest: no one really wants an infrastructure of legally valid or enforceable GPG signatures, either. It's a technical verification that something is very unlikely to be altered if the signature is valid. Any particular overriding legal significance beyond that is unnecessary.

Don't overdo it, please. PGP key servers are not supposed to be "authoritative." They are a convenience to extend an informal web of trust.

Let's resist that German urge toward authoritarianism and absolutism, shall we? Bosses and bullies do not help with privacy, personal digital signatures, or cryptography for personal use.

The CA stuff is mostly for business, not personal. The adversaries in that case are pickpockets and credit card skimmers, not major governments and political enemies.

--
A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.
https://www.colmena.biz/~justina/justina.colmena.asc
gpg2: unable to use secret key from OpenKeychain
This is the error message I get in gpg2 with (my own) key. GnuPG 2.2.9~11 gives me no indication that anything is wrong with the key until I am prompted for the passphrase, and then even the correct passphrase is rejected.

Please enter the passphrase to unlock the OpenPGP secret key:
"justina colmena "
3072-bit RSA key, ID D514FB3FDF44BDA4,
created 2018-10-27 (main key ID 6B4FF696F20E3CC5).

Bad Passphrase (try 2 of 3)

Passphrase: ___

I have no problem unlocking the secret key or setting or changing its passphrase in gpg1, but I have no idea how to import or use the secret key in gpg2.

--
A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.
https://www.colmena.biz/~justina/justina.colmena.asc
gpg2: unable to use secret key from OpenKeychain
Garbled again! Encrypted by mistake, apparently only to myself. The attachment is the part starting "BEGIN PGP MESSAGE". Copy & paste that part into a text editor and save as backup_2018-12-07.sec.pgp

-------- Original Message --------
From: justina colmena via Gnupg-users
Sent: December 7, 2018 9:14:25 AM AKST
To: gnupg-users@gnupg.org
Subject: Re: gpg2: unable to use secret key from OpenKeychain

On December 7, 2018 7:28:19 AM AKST, justina colmena via Gnupg-users wrote:
>Subject: secret key data (test key)
>Date: 2018-12-07
>
>This attachment is an encrypted backup I made from the OpenKeychain app
>of a test key I made for the purpose. The passphrase for this one is
>
>5101-2272-0596-2716-2013-3210-0535-7592-9890
>
>but it looks like the whole thing is encrypted by symmetric-key
>(AES-256) cipher because it is not encrypted to any particular public
>key, and furthermore, once decrypted and imported, the secret key is no
>longer protected by a passphrase, until I explicitly create one for it
>with "gpg --edit-key".
>
>For some odd reason I am unable to use the secret key in gpg2
>(~2.2.11), even though I can still encrypt to the imported key or
>verify signatures with it in gpg2.
>
>There does not seem to be any problem with using the secret key in
>"gpg" = GnuPG 1.4.23.
>
>$ gpg --decrypt backup_2018-12-07.sec.pgp | gpg --import
>gpg: unknown armor header: Passphrase-Format: numeric9x4
>gpg: unknown armor header: Passphrase-Begin: 51
>gpg: AES256 encrypted data
>gpg: encrypted with 1 passphrase
>gpg: key CAC8E3E7: public key "Test Key 1 " imported
>gpg: key CAC8E3E7: secret key imported
>gpg: key CAC8E3E7: "Test Key 1 " not changed
>gpg: Total number processed: 2
>gpg: imported: 1 (RSA: 1)
>gpg: unchanged: 1
>gpg: secret keys read: 1
>gpg: secret keys imported: 1
>$
>
>--
>A well regulated Militia, being necessary to the security of a free
>State, the right of the people to keep and bear Arms, shall not be
>infringed.
>
>https://www.colmena.biz/~justina/justina.colmena.asc

The "PGP MESSAGE" attachment at the bottom of this email looks like it was stripped by the mailing list. I have included it inline below, but now it will have to be copied and pasted into a text editor if anyone wan
gpg2: unable to use secret key from OpenKeychain
Subject: secret key data (test key)
Date: 2018-12-07

This attachment is an encrypted backup I made from the OpenKeychain app of a test key I made for the purpose. The passphrase for this one is

5101-2272-0596-2716-2013-3210-0535-7592-9890

but it looks like the whole thing is encrypted by symmetric-key (AES-256) cipher because it is not encrypted to any particular public key, and furthermore, once decrypted and imported, the secret key is no longer protected by a passphrase, until I explicitly create one for it with "gpg --edit-key".

For some odd reason I am unable to use the secret key in gpg2 (~2.2.11), even though I can still encrypt to the imported key or verify signatures with it in gpg2.

There does not seem to be any problem with using the secret key in "gpg" = GnuPG 1.4.23.

$ gpg --decrypt backup_2018-12-07.sec.pgp | gpg --import
gpg: unknown armor header: Passphrase-Format: numeric9x4
gpg: unknown armor header: Passphrase-Begin: 51
gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase
gpg: key CAC8E3E7: public key "Test Key 1 " imported
gpg: key CAC8E3E7: secret key imported
gpg: key CAC8E3E7: "Test Key 1 " not changed
gpg: Total number processed: 2
gpg: imported: 1 (RSA: 1)
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
$

--
A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.
https://www.colmena.biz/~justina/justina.colmena.asc
Re: Garbled data in keyservers
A keyserver is a convenience. Of course it's not magic.

Right now I am using K-9 Mail and OpenKeychain on Android. When I received the above message from the list, K-9 Mail informed me that it was signed with a key with fingerprint "0xff80ae9d1dec358d", and referred me to the OpenKeychain app, which searched keyservers and found a matching public key, which I was allowed to import to verify the signature, which I did so successfully.

The fingerprints are some collision-resistant secure hashes, and in theory it is extraordinarily difficult to create another public key with the same fingerprint.

I have never met "Werner Koch" personally, but I am about as certain as I can be (under the present scheme of things) that that is the key fingerprint of the person from GnuPG.org who posts to the mailing list, and that there would be quite a bit of noise on the list in case of a mistaken identity.

There is a certain "reputation effect" with a public key which in theory obviates the need for in-person verification and secret handshakes.

The major difficulties and points of weakness to the whole scheme, in my opinion, are, (a) retaining possession of the private key, and (b) denying others illicit access to the private key.

Point (b) is a long-term, seemingly irremediable, problem. The long key lifetimes and the general lack of *Perfect Forward Secrecy* greatly aggravate the risk of a catastrophic total compromise of all data signed with or encrypted to the private key.

--
A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.
https://www.colmena.biz/~justina/justina.colmena.asc
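How an OpenPGP version 4 fingerprint relates to the shorter key IDs quoted in these messages, as an added example (not part of the original post, and not GnuPG or OpenKeychain code): per RFC 4880 the fingerprint is SHA-1 over the public-key packet body, and the 64-bit and 32-bit key IDs are its low-order bits, so only the full 40-hex-digit value carries the hash's collision resistance. The key material is constructed and the function names are this example's own.

```python
import hashlib
import struct


def mpi(value: int) -> bytes:
    """OpenPGP MPI: 2-byte big-endian bit count, then the magnitude bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 public-key packet for RSA (algorithm id 1)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def read_packet(data: bytes):
    """Parse one packet header; return (tag, body, remaining bytes)."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                      # new-format header
        tag, o1 = first & 0x3F, data[1]
        if o1 < 192:
            length, start = o1, 2
        elif o1 < 224:
            length, start = ((o1 - 192) << 8) + data[2] + 192, 3
        elif o1 == 255:
            length, start = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not handled here")
    else:                                 # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not handled here")
        size = (1, 2, 4)[ltype]
        length, start = int.from_bytes(data[1:1 + size], "big"), 1 + size
    body = data[start:start + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body, data[start + length:]


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, a 2-byte body length, and the public-key packet body."""
    if body[0] != 4:
        raise ValueError("only version 4 keys are handled")
    if len(body) > 0xFFFF:
        raise ValueError("body too long for the 2-byte length field")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_ids(fingerprint: str):
    """Return (long key ID, short key ID): the low 64 and low 32 bits."""
    return fingerprint[-16:], fingerprint[-8:]


def is_same_key(fingerprint: str, claimed: str) -> bool:
    """Accept a claimed identifier only if it is the full 160-bit fingerprint."""
    norm = claimed.replace(" ", "").upper()
    if norm.startswith("0X"):
        norm = norm[2:]
    return len(norm) == 40 and norm == fingerprint


# Constructed sample key material: not a real RSA modulus, not a key from this page.
SAMPLE_N = (1 << 2047) | 0x0123456789ABCDEF
SAMPLE_BODY = rsa_public_key_body(created=1544140800, n=SAMPLE_N, e=65537)
OLD_FORMAT = b"\x99" + struct.pack(">H", len(SAMPLE_BODY)) + SAMPLE_BODY
NEW_FORMAT = bytes([0xC6, 192, len(SAMPLE_BODY) - 192]) + SAMPLE_BODY  # 2-octet length form

if __name__ == "__main__":
    for raw in (OLD_FORMAT, NEW_FORMAT):
        tag, body, _ = read_packet(raw)
        print(tag, v4_fingerprint(body), *key_ids(v4_fingerprint(body)))
```

Both serializations print the same fingerprint, because the hash covers the packet body with a fixed prefix rather than the header bytes actually used on the wire.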
GnuPG on Android
Hello GnuPG users!

This is somewhat related to a discussion from last month.
https://lists.gnupg.org/pipermail/gnupg-users/2018-November/061122.html

To answer the question about GnuPG on Android, the most useful application I have found so far is called OpenKeychain.
https://www.openkeychain.org

The K-9 Mail client, which I am using now, and a password store utility both make good use of OpenKeychain on Android.
https://k9mail.github.io
https://github.com/zeapo/Android-Password-Store

I was able to create a key (see URL at the bottom of this email signature for public key), back it up, import it into GnuPG 1.4.23 and use it successfully, but I am unable to use the private key in GnuPG 2.2.9, because I cannot verify the pass phrase for the private key on gpg2 no matter what I do.

I have signed this email with the key in question, for reference.

--
A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.
https://www.colmena.biz/~justina/justina.colmena.asc
GnuPG on Android
Sorry. Missing signature. Hit send too soon.

-------- Original Message --------
From: justina colmena
Sent: December 4, 2018 10:56:27 AM AKST
To: gnupg-users@gnupg.org
Subject: GnuPG on Android

Hello GnuPG users!

This is somewhat related to a discussion from last month.
https://lists.gnupg.org/pipermail/gnupg-users/2018-November/061122.html

To answer the question about GnuPG on Android, the most useful application I have found so far is called OpenKeychain.
https://www.openkeychain.org

The K-9 Mail client, which I am using now, and a password store utility both make good use of OpenKeychain on Android.
https://k9mail.github.io
https://github.com/zeapo/Android-Password-Store

I was able to create a key (see URL at the bottom of this email signature for public key), back it up, import it into GnuPG 1.4.23 and use it successfully, but I am unable to use the private key in GnuPG 2.2.9, because I cannot verify the pass phrase for the private key on gpg2 no matter what I do.

I have signed this email with the key in question, for reference.

--
A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.
https://www.colmena.biz/~justina/justina.colmena.asc

--
A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.
https://www.colmena.biz/~justina/justina.colmena.asc