Re: Download of public keys
On 17.02.2017 at 21:57, Kristian Fiskerstrand wrote:
> On 02/17/2017 09:46 PM, si...@web.de wrote:
>> On 17.02.2017 at 20:43, Kristian Fiskerstrand wrote:
>>> On 02/17/2017 07:17 PM, Kristian Fiskerstrand wrote:
>>>
>>> That change would also be consistent with
>>> https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=8fb482252436b3b4b0b33663d95d1d17188ad1d9
>>>
>>
>> Not quite sure I get this.
>>
>> So what this means is that effectively gnupg still uses plaintext
>> connections to update public keys by default, does it not?
>
> Yes (if not a tor configuration locally)
>
>> If the
>> change I suggested is not correct, shouldn't we find another way to
>> use secure connection by default whenever possible?
>
> Probably nitpick, but it would likely increase privacy - not security.
>

That was the goal all along, as mentioned in the initial post some weeks ago. Especially when the complete keyring is updated, this leaks the complete contact list to the network, which is kinda bad. And privacy is kinda also something people use gnupg for, isn't it.

So I don't know the best way to change this, but I would like to suggest that future versions use https only by default, e.g. by changing the skel file.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Download of public keys
On 02/17/2017 09:46 PM, si...@web.de wrote:
> On 17.02.2017 at 20:43, Kristian Fiskerstrand wrote:
>> On 02/17/2017 07:17 PM, Kristian Fiskerstrand wrote:
>>
>> That change would also be consistent with
>> https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=8fb482252436b3b4b0b33663d95d1d17188ad1d9
>>
>
> Not quite sure I get this.
>
> So what this means is that effectively gnupg still uses plaintext
> connections to update public keys by default, does it not?

Yes (if not a tor configuration locally)

> If the
> change I suggested is not correct, shouldn't we find another way to
> use secure connection by default whenever possible?

Probably nitpick, but it would likely increase privacy - not security.

>
> As it is now, the default fallback mentioned in the referenced commit
> never takes effect as long as the skel file is used.
>

Never would be inaccurate;

kristianf@ares ~/workspace $ mkdir abc
kristianf@ares ~/workspace $ gpg --homedir abc --recv-key 94CBAFDD30345109561835AA0B7F8B60E3EDFAE3

--
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
Qui audet vincit
Who dares wins
Re: Download of public keys
On 17.02.2017 at 20:43, Kristian Fiskerstrand wrote:
> On 02/17/2017 07:17 PM, Kristian Fiskerstrand wrote:
>> On 02/17/2017 07:00 PM, si...@web.de wrote:
>>> keyserver hkps://jirk5u4osbsr34t5.onion
>>> keyserver hkps://keys.gnupg.net
>>>
>>> would solve this I guess.
>>
>> No, that'd result in certificate errors and non-responsive servers
>>
>
> That said, you are indeed correct, and skel file is used to create
> dirmngr.conf on other systems as well (it has been a while since
> starting with a fresh homedir :) ) ... if wanting hkps the latter should
> be switched to hkps://hkps.pool.sks-keyservers.net, the former is
> protected already as tor usage would be to an endpoint running a tor
> hidden service.
>
> That change would also be consistent with
> https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=8fb482252436b3b4b0b33663d95d1d17188ad1d9
>

Not quite sure I get this.

So what this means is that effectively gnupg still uses plaintext connections to update public keys by default, does it not? If the change I suggested is not correct, shouldn't we find another way to use a secure connection by default whenever possible?

As it is now, the default fallback mentioned in the referenced commit never takes effect as long as the skel file is used.
Re: Download of public keys
On 02/17/2017 07:17 PM, Kristian Fiskerstrand wrote:
> On 02/17/2017 07:00 PM, si...@web.de wrote:
>> keyserver hkps://jirk5u4osbsr34t5.onion
>> keyserver hkps://keys.gnupg.net
>>
>> would solve this I guess.
>
> No, that'd result in certificate errors and non-responsive servers
>

That said, you are indeed correct, and the skel file is used to create dirmngr.conf on other systems as well (it has been a while since starting with a fresh homedir :) ) ... if wanting hkps the latter should be switched to hkps://hkps.pool.sks-keyservers.net, the former is protected already as tor usage would be to an endpoint running a tor hidden service.

That change would also be consistent with
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=8fb482252436b3b4b0b33663d95d1d17188ad1d9
Re: Download of public keys
On 02/17/2017 07:00 PM, si...@web.de wrote:
> keyserver hkps://jirk5u4osbsr34t5.onion
> keyserver hkps://keys.gnupg.net
>
> would solve this I guess.

No, that'd result in certificate errors and non-responsive servers
Re: Download of public keys
On 17.02.2017 at 17:31, Kristian Fiskerstrand wrote:
> On 02/17/2017 01:37 PM, si...@web.de wrote:
>> Is there something I missed or is this unintended?
>
> gnupg does not ship an installed dirmngr.conf, when no keyserver is
> specified it defaults to hkps://hkps.pool.sks-keyservers.net, the
> existence of a (I presume) arch installed dirmngr.conf changes this
> behavior.
>
> Whether that is intended or not is a question for your distribution's
> package maintainer.
>

Arch does not ship a dirmngr.conf either as far as I can see. When running the gpg command for the first time on a new system, the dirmngr.conf file is created together with some other files. I just tested it again on ubuntu 16.04.2 and the same file appears in the gnupg directory, so it does not seem to be a distribution issue.

It seems that gnupg does ship this template file as dirmngr-conf.skel, although I am not sure if the distributions have anything to do with it being copied to the user directory. In any case, it might be a good idea to change the template gnupg ships.

Changing the lines:

keyserver hkp://jirk5u4osbsr34t5.onion
keyserver hkp://keys.gnupg.net

to

keyserver hkps://jirk5u4osbsr34t5.onion
keyserver hkps://keys.gnupg.net

would solve this I guess.

I will, however, check with the arch maintainer about this to be sure, but I do not think this is a distro issue.
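A small audit of the kind this message calls for, written here as an added example (not code from the thread or from GnuPG): it flags plaintext hkp:// keyserver lines in a dirmngr.conf and writes a hardened copy, leaving the .onion entry alone because Tor already protects that hop and replacing the other one with hkps://hkps.pool.sks-keyservers.net, the server Kristian names later in the thread (hkps://keys.gnupg.net would fail on certificates). The sample config is constructed to mirror the skel lines quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: audit a dirmngr.conf for keyserver
# entries that still use plaintext hkp://, and emit a hardened copy.
# Tor .onion endpoints are left alone: the hidden-service transport already
# protects that traffic. Non-onion hkp:// entries are replaced with
# hkps://hkps.pool.sks-keyservers.net, the hkps server suggested in the thread.

# Constructed sample mirroring the dirmngr-conf.skel lines quoted above.
SAMPLE_CONF="${TMPDIR:-/tmp}/dirmngr-sample.$$"
cat > "$SAMPLE_CONF" <<'EOF'
# constructed dirmngr.conf for this example
keyserver hkp://jirk5u4osbsr34t5.onion
keyserver hkp://keys.gnupg.net
EOF

# Print the hosts configured over plaintext hkp:// that are not .onion
# endpoints, one per line. Comment lines never match the anchored pattern.
plaintext_keyservers() {
    sed -n 's|^[[:space:]]*keyserver[[:space:]]\{1,\}hkp://\([^[:space:]]*\).*|\1|p' "$1" \
        | grep -v '\.onion' || true
}

# Succeed (exit 0) only if no plaintext non-onion keyserver is configured.
dirmngr_conf_is_private() {
    [ -z "$(plaintext_keyservers "$1")" ]
}

# Write a hardened copy of the config to stdout: every non-onion hkp://
# keyserver line becomes the hkps pool; everything else passes through.
hardened_conf() {
    sed '/\.onion/!s|^[[:space:]]*keyserver[[:space:]]\{1,\}hkp://.*|keyserver hkps://hkps.pool.sks-keyservers.net|' "$1"
}

# Stand-alone run: report plaintext entries, then show the hardened file.
if ! dirmngr_conf_is_private "$SAMPLE_CONF"; then
    echo "plaintext keyservers: $(plaintext_keyservers "$SAMPLE_CONF" | tr '\n' ' ')"
fi
hardened_conf "$SAMPLE_CONF"
```

Point it at ~/.gnupg/dirmngr.conf instead of the sample to check a real home directory; the rewrite only prints, so nothing is changed until you redirect the output.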
Re: Download of public keys
On 02/17/2017 01:37 PM, si...@web.de wrote:
> Is there something I missed or is this unintended?

gnupg does not ship an installed dirmngr.conf, when no keyserver is specified it defaults to hkps://hkps.pool.sks-keyservers.net, the existence of a (I presume) arch installed dirmngr.conf changes this behavior.

Whether that is intended or not is a question for your distribution's package maintainer.