Re: gpgsm and expired certificates
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi On Friday 8 November 2013 at 12:00:56 PM, in mid:87zjpfxfuv@gilgamesch.quim.ucm.es, Uwe Brauer wrote: It seems to me that the BAT does not support Comodo CA. Uwe Aside from the ones I have added, The Bat has about 120 root CA certificates. I guess it is a minority-use mailer and a lot of the CAs won't pay for their certificates to be included. But Microsoft Crypto-API has nearly 400 root CA certificates, and Comodo's were missing there too. In researching, I read (I think on a Comodo help forum) that their certificates are only included in relatively recent windows versions, and Microsoft tags root certificate updates as non-critical. - -- Best regards MFPAmailto:expires2...@ymail.com If you are afraid to speak against tyranny, then you are already a slave. -BEGIN PGP SIGNATURE- iPQEAQEKAF4FAlJ+ZshXFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5plCwD/3TjEnWaQpal4Urn3fMiF06NK93zBXCACV+C 1niL4DrS9E1dHJ3On+zEFRswk0/35UEhShMgTR7nfU+eys99xdXrDl0X0DWaIsji tFhqHUtov65CRSDC4PjaM4STc9daowvCdaWi+EvusV14MKGMW50XJIpsFxWDUWtR 8lHXOOLW =HeHs -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
On Thu, Nov 07, 2013 at 12:16:36PM +0100, Uwe Brauer wrote: MFPA == MFPA expires2...@ymail.com writes: [snip] However thunderbird refuses to use yoru public key claiming it cannot be trusted. I just searched and found [1] about Thunderbird, which says you can import a copy of other people's self-signed S/MIME certificate from a .cer file into your Authorities tab. So much for being easier because keys are automatically embedded in the signatures. Well I was referring to the following 10 years old bug https://bugzilla.mozilla.org/show_bug.cgi?id=209182 I have the feeling this is a design decision by philosophy: thunderbird/semonkey don't encourage the use of self-signed certificates (BTW I just learn that there is a add-on, key-manager which generates self-signed certificates, similar as it seems to me to the BAT. This bug seems to cry out for an add-on. Then people who (think they) know what they are doing can have the additional convenience, and the rest can do whatever it is they do now. I would guess there is resistance to putting this into the base product on the theory that 99.9% of users will just hit yes, meaning get rid of this unintelligible dialog and let me read the message, which is arguably a Bad Thing. Since we're getting offtopic anyway, I'll continue and opine that this add-on would only be doing for self-signed cert.s and other unknown CAs the same thing that the user *should* have done with those commercial root cert.s: evaluate and install them individually. (Of course hardly any of us have done this.) -- Mark H. Wood, Lead System Programmer mw...@iupui.edu Machines should not be friendly. Machines should be obedient. smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
(Before I begin I should say I agree with Mark -- this is commentary, not disagreement.) This bug seems to cry out for an add-on. Then people who (think they) know what they are doing can have the additional convenience, and the rest can do whatever it is they do now. I would guess there is resistance to putting this into the base product on the theory that 99.9% of users will just hit yes, meaning get rid of this unintelligible dialog and let me read the message, which is arguably a Bad Thing. A detail oft-overlooked is that the question isn't whether the *sender* is part of the 0.1%; the question is whether the *recipient* is part of the 0.1%. If I use a self-signed S/MIME cert, will my recipient be savvy enough to understand the risks and take appropriate steps? I think 0.1% is a reasonable approximation: of all Thunderbird users, maybe one in a thousand has the skill necessary to safely and responsibly use a self-signed S/MIME cert, or to safely and responsibly check someone else's usage of a self-signed S/MIME cert. So one in a thousand senders, multiplied by one in a thousand recipients... What I'm getting at here is that this isn't just a case of 99.9% of users will just hit 'yes', which is arguably a Bad Thing. It's also a case of the user base for this being so small as to be indistinguishable from statistical noise. CAs the same thing that the user *should* have done with those commercial root cert.s: evaluate and install them individually. (Of course hardly any of us have done this.) Well, 'should' is a pretty strong word. So long as someone understands the risks involved in letting Mozilla define your list of trusted CAs rather than taking individual responsibility yourself, that's really all we can ask for. I do agree, though, that the default list of trusted CAs is eye-poppingly large. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
MFPA == MFPA expires2...@ymail.com writes: Hi On Thursday 7 November 2013 at 11:16:36 AM, in mid:87txfotqaz@gilgamesch.quim.ucm.es, Uwe Brauer wrote: I had to search for and import some more root certificates from the Comodo website before I could encrypt to you using my mailer's built-in s/mime. Microsoft Crypto-API no use, even after your and comodo's certificates imported into certmgr.msc. I'm probably doing something wrong there, but it's not clear what to do. For something that is supposed to be easier than OpenPGP, s/mime doesn't seem easy to me. That is really odd, I have successfully interchanged s/mime emails, with users using thunderbird or outlook + windows + Comodo certificates. None of them had to install the root certificates. It seems to me that the BAT does not support Comodo CA. Uwe smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi On Thursday 7 November 2013 at 11:16:36 AM, in mid:87txfotqaz@gilgamesch.quim.ucm.es, Uwe Brauer wrote: BTW, I see you switched back to pgp, but why do you use old inline mode and not pgpmine? Because I prefer it. I like to see the pgp signature in the message body instead of hidden away. - -- Best regards MFPAmailto:expires2...@ymail.com Those who do not read are no better off than those who cannot. -BEGIN PGP SIGNATURE- iPQEAQEKAF4FAlJ8BO5XFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5psUsD/iQhZWfXfzbDmVs/8vNg4nFRIZ5IXTb3LRU9 MbiKAdH6V6p55PMQ8/z/qJHBXHbnhacnKUMXPvyK71w5kKAnWb2gZfJivJj36axI h0btBJjCA3d2899fuODBdON1y+q/VgZLfMA5Uj1ILN9AC8SnDrUHUqGDHzeH1xZm OMbGJVaC =5KUo -END PGP SIGNATURE- smime.p7s Description: S/MIME Cryptographic Signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi On Thursday 7 November 2013 at 11:16:36 AM, in mid:87txfotqaz@gilgamesch.quim.ucm.es, Uwe Brauer wrote: However it is not necessary I just export our signature as a pem file and import in under authorities. Still this is very uncomfortable... I had to search for and import some more root certificates from the Comodo website before I could encrypt to you using my mailer's built-in s/mime. Microsoft Crypto-API no use, even after your and comodo's certificates imported into certmgr.msc. I'm probably doing something wrong there, but it's not clear what to do. For something that is supposed to be easier than OpenPGP, s/mime doesn't seem easy to me. - -- Best regards MFPAmailto:expires2...@ymail.com My mind works like lightning... one brilliant flash and it's gone -BEGIN PGP SIGNATURE- iPQEAQEKAF4FAlJ8IW9XFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5p2hIEAJuUrJYztL/8jLXZ525+nGHHzIkKtXDUOTDn o1DtWyAYMd0UDhAaJsK4aZl5KeiyP+AwjPSAtQExFwz8pg4ywhMx0SUC/3PcmmEs BlxHRXOhf31d71ndv0gTu1XFVi/2N1dfXZSlI4DO0iOICgnNqIWubwsxkuA8zzBd 3q/j95// =V2Ln -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
MFPA == MFPA expires2...@ymail.com writes: Hi Hi On Monday 4 November 2013 at 10:43:43 PM, in mid:87habrrdnk@mat.ucm.es, Uwe Brauer wrote: - from my own experience I am convinced that smime is much easierthan gpg[2] for reasons I am not going to repeat here. (I got 7out of 10 of my friends/colleagues to use smime, but 0 of 10 to use gpg.) Depending on the software people are using. I'm willing to accept that there are probably more people for whom S/MIME is easier to use. Well take for example iOs: using pgp is a sort of a nightmare. The reasons why I think smime is easier to use for the average user are: smime is already installed in most MUA (so no additional software+plugin) keypairs are generated and signed by the trust center. Public keys are automatically embedded in the signatures. The email app I am using to write this message can (almost trivially) generate and use self-signed certificates for the email accounts it has configured. The difficulty is getting other people to persuade their MUA to accept them. Aha I see you use the BAT, an email program I have not seen in use, for almost a decade. Good and bad news. Gpgsm allowed my to use your public keys after having fireing up a series of questions, iOs also, (if you don't mind I send you to test messages later privately) However thunderbird refuses to use yoru public key claiming it cannot be trusted. So I am afraid the issue is to persuade the not only the people but also the software. I think I mentioned in one of my other postings that I was using hyperbole to make my point. I'm not quite _that_ paranoid, but I believe in exercising a healthy skepticism. Ok I have seen this now. regards Uwe smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi On Wednesday 6 November 2013 at 11:42:49 AM, in mid:87txfpg3ie@gilgamesch.quim.ucm.es, Uwe Brauer wrote: Well take for example iOs: using pgp is a sort of a nightmare. So I have heard. The reasons why I think smime is easier to use for the average user are: smime is already installed in most MUA (so no additional software+plugin) But all the hordes who use webmail are pretty-much still out of luck, though. (With certain exceptions, such as hushmail.) keypairs are generated and signed by the trust center. I don't know about the trust centre. The Bat! gives me the choice of its own internal implementation or Microsoft Crypto-API, which is part of Windows. (The Bat! and Windows are closed-source proprietary products that we probably shouldn't discuss too much on this list.) Public keys are automatically embedded in the signatures. That is simpler and avoids the web-bug-like effect you have if you choose to auto-retrieve OpenPGP keys from keyservers for new contacts. But must waste a lot of bandwidth between regular correspondents. Aha I see you use the BAT, an email program I have not seen in use, for almost a decade. I have used it myself for over nine years. Good and bad news. Gpgsm allowed my to use your public keys after having fireing up a series of questions, iOs also, Good. (if you don't mind I send you to test messages later privately) I don't mind. However thunderbird refuses to use yoru public key claiming it cannot be trusted. Fair enough. Using its internal implementation, The Bat! accepts signatures from the S/MIME certificate I created last night (because I added it to the trusted root CA address book) and does not accept your S/MIME signature (because Comodo's root certificate is not in the trusted root CA address book - but adding it would be just a few clicks). MS Crypto-API is fine with Comodo's root cert, but says my certificate has an invalid signature algorithm specified. I just searched and found [1] about Thunderbird, which says you can import a copy of other people's self-signed S/MIME certificate from a .cer file into your Authorities tab. So much for being easier because keys are automatically embedded in the signatures. So I am afraid the issue is to persuade the not only the people but also the software. As I said, getting other people to persuade their MUA to accept it. [1] http://kb.mozillazine.org/Installing_an_SMIME_certificate. - -- Best regards MFPAmailto:expires2...@ymail.com Courage is not the absence of fear, but the mastery of it. -BEGIN PGP SIGNATURE- iPQEAQEKAF4FAlJ60MxXFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5pfXkEALs5FK+Llmn4wqCq+GUO0+qJ+TjHyHoEFd2R 3RRCHLG1ZcwhP0tOAX9Xo5439N16M31x6FB5u6CglI4RNcMvHK/FwqE1Y6e0I3SR WLqUiX0Oq+JMKQnRBW1DaIGGCIB4uqPQ6DwFKikcA4p4fUSoXpRaKJA7Sar4Sj32 6o35st6x =AcqD -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
MFPA == MFPA expires2...@ymail.com writes: Hello There are already several private sector CAs who provide free S/MIME certificates in the hope that punters may take one of their paid products instead or in addition. Potential sales is their incentive to provide some products free. What would be a government's incentive to provide them free of charge instead of charging for the admin? And what would a government based CA bring to the party that is not already available? If all we are talking about is email encryption to protect people's email from being read in transit, a self-signed certificate takes care of the encryption without the need for a CA. The only value in using a recognised CA rather than a self-signed certificate is convenience for the recipient, whose MUA is likely to automatically trust a recognised CA but would need to be told to accept a self-signed certificate. Ok let me try to answer this point by point. Before doing I want to emphasise that I am taking a very pragmatic point of view here.[1] - NSA (among others) has abused its resource to read email worldwide at a very large scale. - so if a lot of people, say 30 % of all users would encrypt their email, then NSA statistical approach would *not* work that smooth and this is a good thing. - so encrypting email should be easy and look trustful for a majority of users - usually public/private key based methods are considered relative secure (Even Snowden claimed that you could rely on them), this does not mean that the NSA could not read your email. They would usually try to enter your machine installing a keylogger or something like this. But this is beyond the statistical method I mentioned above. - if I understand correctly the real problem is not security of the the cipher but the authenticity of the sender and so the most common attack is a man in the middle attack. This is true for both smime and gpg. So comparing fingerprints of public key is a good thing, which most of us, I presume, don't do. - from my own experience I am convinced that smime is much easier than gpg[2] for reasons I am not going to repeat here. (I got 7 out of 10 of my friends/colleagues to use smime, but 0 of 10 to use gpg.) - one of the reasons some of them hesitated was the fact that the certificates were offered by some commercial company they did not know and trust.[3] They would have had installed it from a government based organisation, say the ministry of justice though. - so if some government based organisation would do what say commodo does it would send a signal to the public that it takes privacy seriously and I think it would encourage more people to use smime. - Private certificates, are unfortunately no solution. Yes it is possible with openssl to generate them, I have done that myself. However it is very difficult till impossible to convince the main email programs, such as outlook, thunderbird or Apple mail to use them or to use public keys sent by such certificates. [4] Uwe Brauer Footnotes: [1] I must add that I don't share your general view about government based organisations. I still hope that abuse is the exception not the rule.. [2] although pgp seems technically better, since some implementations of smime allow a relative short symmetric key [3] (Besides these companies have a certain business model and their free certificates last short and expire usually after one year.) [4] I finally managed to use them in thunderbird, but is was complicated not something the regular user would like to do. smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
Hi On Monday 4 November 2013 at 10:43:43 PM, in mid:87habrrdnk@mat.ucm.es, Uwe Brauer wrote: - NSA (among others) has abused its resource to read emailworldwide at a very large scale. Indeed. - so if a lot of people, say 30 % of all users would encrypt theiremail, then NSA statistical approach would *not* work that smoothand this is a good thing. Why do you describe it as a statistical approach? I guess 30% was plucked out of the air. It would seem self-evident that if a sizeable proportion of emails travelled encrypted, the NSA etc. would have to do more work to read them. - so encrypting email should be easy and look trustful for amajority of users I like the idea, but have a bit of an issue with security made too easy. Security has to be inconvenient; just a lot more so for a would-be attacker than for the person using the security. - usually public/private key based methods are considered relativesecure (Even Snowden claimed that you could rely on them), thisdoes not mean that the NSA could not read your email. They would usually try to enter your machine installing a keylogger orsomething like this. But this is beyond the statistical method Imentioned above. Hopefully, if it was more effort and more cost to read an individual's mail, that individual might be left alone unless they are a suspect. But what about an individual two or three communication hops from a suspect? - if I understand correctly the real problem is not security of thethe cipher but the authenticity of the sender and so the most common attack is a man in the middle attack. This is true forboth smime and gpg. So comparing fingerprints of public key is agood thing, which most of us, I presume, don't do. For most people's communication, it is not encrypted so the main problem is simply being read in transit, and/or stored. Once you start encrypting, even without putting the effort in for sender authentication, it takes more effort to snoop on your mail than on the majority of people's. - from my own experience I am convinced that smime is much easierthan gpg[2] for reasons I am not going to repeat here. (I got 7out of 10 of my friends/colleagues to use smime, but 0 of 10 to use gpg.) Depending on the software people are using. I'm willing to accept that there are probably more people for whom S/MIME is easier to use. - one of the reasons some of them hesitated was the fact that thecertificates were offered by some commercial company they did notknow and trust.[3]They would have had installed it from a government basedorganisation, say the ministry of justice though. I think know is the key factor, but know and trust is even better. I suspect a whole lot of people would also be perfectly comfortable if a certificate were available from the company that supplied their operating system, or their email application or webmail account. Or maybe from their bank or ISP. - so if some government based organisation would do what say commododoes it would send a signal to the public that it takes privacyseriously and I think it would encourage more people to use smime. The actions of governments and government organisations in so many countries send signals that they are anti-privacy, or at least not pro-privacy. I think this small contradictory signal would be in severe danger of being drowned out. But now I understand what you meant. - Private certificates, are unfortunately no solution. Yes it ispossible with openssl to generate them, I have done thatmyself. However it is very difficult till impossible to convince the main email programs, such as outlook, thunderbird or Applemail to use them or to use public keys sent by suchcertificates. [4] The email app I am using to write this message can (almost trivially) generate and use self-signed certificates for the email accounts it has configured. The difficulty is getting other people to persuade their MUA to accept them. Footnotes: [1] I must add that I don't share your general view about government based organisations. I still hope that abuse is the exception not the rule.. I think I mentioned in one of my other postings that I was using hyperbole to make my point. I'm not quite _that_ paranoid, but I believe in exercising a healthy skepticism. -- Best regards MFPAmailto:expires2...@ymail.com Experience is the name everyone gives to their mistakes smime.p7s Description: S/MIME Cryptographic Signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi On Saturday 2 November 2013 at 6:48:39 PM, in mid:87fvreprlk@mat.ucm.es, Uwe Brauer wrote: Your point being? I presume it goes like this: NSA is a government based organisation doing, among other things, violations of civil rights. So any other government based organisation cannot be trust, end of argument. Exactly. Well I just talked about a service, which provides certificates to its citizen. That means it signs a public/private key pair, which is generated by the, hopefully open source, crypto module of your browser. So either you claim to have evidence that this modules have been hacked and the key pair is transferred to some of these evil organisations or I really don't see your point. Simply stated, it is established that government based organisations sometimes act in a nefarious manner, contrary to the law and contrary to the interests of the population. I view that as a reason not to trust government based organisations. And if I don't trust government based organisations, I cannot trust a certification issued by one. Of course, private companies or individuals who issue certifications are susceptible to coercion. Whether issued by government or by private sector, a single certification on a public key represents a single point of failure. It does not provide any great level of assurance the corresponding private key is controlled by the identity it claims. Such assurance could potentially be derived from numerous certifications that are independent from each other, but how do you tell which are truly independent? Where actual identity is not required, just continuity of communication, I see no value in obtaining any certification at all. - -- Best regards MFPAmailto:expires2...@ymail.com Can you imagine a world with no hypothetical situations? -BEGIN PGP SIGNATURE- iPQEAQEKAF4FAlJ3qQVXFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5pFGMD/3YXsKuEtEf9+H4qiQckLlEkv+ulrQnuepRn PlDE6rsbzdIaa3aU9eRCwa9mydwwIByadgI1YhrdXlnxRk2Aa6mfuoFPkg5MEa8c 3ysvmrVY5DHPkSELkEeUZe6Nk1lcJz1JUUd2vT6cNpks68kYG1Zb/VaLoKbC4sW2 ypuROxWl =1Moi -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi On Sunday 3 November 2013 at 10:02:14 PM, in mid:87habtnnyx@mat.ucm.es, Uwe Brauer wrote: Ingo == Ingo Klöcker kloec...@kde.org writes: So, your point/hope probably was that a government based CA wouldn't have such a business model and would instead offer this service gratis to the people (so that more people would be protected from the NSA reading their mail). If this was your point then apparently I didn't see it when I first read your message. That was *precisely* my point, thanks for clarifying it There are already several private sector CAs who provide free S/MIME certificates in the hope that punters may take one of their paid products instead or in addition. Potential sales is their incentive to provide some products free. What would be a government's incentive to provide them free of charge instead of charging for the admin? And what would a government based CA bring to the party that is not already available? If all we are talking about is email encryption to protect people's email from being read in transit, a self-signed certificate takes care of the encryption without the need for a CA. The only value in using a recognised CA rather than a self-signed certificate is convenience for the recipient, whose MUA is likely to automatically trust a recognised CA but would need to be told to accept a self-signed certificate. - -- Best regards MFPAmailto:expires2...@ymail.com CAUTION! - Beware of Warnings! -BEGIN PGP SIGNATURE- iPQEAQEKAF4FAlJ3sFNXFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5ptlAD/jWuP+IpjL+RRBH1CazALnqMcKfb0M4pyBoe +9SSDpPAR3CLFKBNi9/ThnVR28BAW3DWqILMq7n+5D+0Vu3jT4nC4Tvpz2tt2YfI rTUV37E2U62tpydkIhsHuuD9auqjtS3nwxd3db6jfTf+yzz+1LY4+pXtAipdwKQr JUKD0Rnl =Kt8y -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi On Monday 4 November 2013 at 2:02:30 PM, in mid:563460450.20131104140230@my_localhost, MFPA wrote: Where actual identity is not required, just continuity of communication, I see no value in obtaining any certification at all. Or, indeed, where encryption is required but not actual identity. - -- Best regards MFPAmailto:expires2...@ymail.com The best way to destroy your enemy is to make him your friend. -BEGIN PGP SIGNATURE- iPQEAQEKAF4FAlJ3y/JXFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5pVJoD/i5/w+wDB4bqbDdRD1N0vNFAhOA5tP/nVP5P pXfZV8U3XE3igNz6Y3NCrH4/kSnNyEwXUtPmo0I60TMIOJaPvJn8dkuUeaiNiERS PGNPg4K0EIgng2OqPiUvU67feqdMCByEh1OfdZS0sbsfW7NQ0LhrcFO9gKdAllWO +yufHrcY =+o2F -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
Ingo == Ingo Klöcker kloec...@kde.org writes: I interpreted especially because of all which was lately revealed about the NSA No it was more of a general remark, concerning NSA malpractice of reading everybody's (uncrypted) email unconditionally. So, your point/hope probably was that a government based CA wouldn't have such a business model and would instead offer this service gratis to the people (so that more people would be protected from the NSA reading their mail). If this was your point then apparently I didn't see it when I first read your message. That was *precisely* my point, thanks for clarifying it Uwe Brauer smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi On Friday 1 November 2013 at 7:25:30 PM, in mid:20131101122530.horde.l0bejumqv5vfmfmqhbr7...@mail.sixdemonbag.org, Robert J. Hansen wrote: But since some of my RD funding comes from the government, I'm just as nefarious as the NSA. [...] John Moore III, who hasn't been seen on this list in [...] Apparently John's contributions to the GnuPG community mean nothing, because he's just as nefarious as the NSA. [...] Werner has taken money from the German government to do crypto-related software development. Apparently Werner is just as nefarious as the NSA. There are a lot of people on this list who have some kind of connection to the government. [...] You owe all of us an apology. I wish to extend my sincere and unreserved apologies to all the people I unintentionally offended. - -- Best regards MFPAmailto:expires2...@ymail.com Wise men learn many things from their enemies. -BEGIN PGP SIGNATURE- iPQEAQEKAF4FAlJ1CrBXFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5pbWgD/R8Te7PplXFDJE0Y6TfxOCC5WYQfSqsZTuxO uXzaASDkYC2LuzhaW9T5cCcMxuXWuYLVGUpe3BbyR3ZquTZE0MlRhYDzaSycIDfr EQr3YchjgybnXrvXZL2DOEv66BiHtSxwps4A6+NpV4NH/Rlvkf6i6Smrp1Z42j/N 4PLSP81B =rUME -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi On Friday 1 November 2013 at 6:47:56 PM, in mid:20131101114756.horde.f5rbb0pjwmqx-chco0km...@mail.sixdemonbag.org, Robert J. Hansen wrote: Isn't the NSA a government based organisation? Surely guilt-by-association renders every government based organisation just as nefarious as the NSA. This is why grown-ups don't believe in guilt by association. Which would mean police who interview people who had contact with a suspect, in order to eliminate them from their enquiries, are either not grown-ups or are practising something in which they do not believe. Do you really think a bunch of graduate students obsessing over _La Chanson du Roland_ are just as nefarious as the NSA? If you do, then I think your paranoia is so out of hand you really ought consider seeking professional help. And no, I'm not kidding. I was merely making use of hyperbole to challenge the previous poster's assertion that a government based organisation would be preferable to the current CA service providers, especially because of all which was lately revealed about the NSA. What I was trying to convey, was my opinion that the revelation of unpalatable/nefarious behaviour on the part of a government organisation seems a pretty odd reason to call for services, currently provided by private-sector CAs, to instead be provided by a government organisation. - -- Best regards MFPAmailto:expires2...@ymail.com ETHERNET(n): device used to catch the Ether bunny -BEGIN PGP SIGNATURE- iPQEAQEKAF4FAlJ1CDJXFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5psMYD/0oWmmq62IUWF3LIDqxtUyzlbNKwwX2iisIU wdqYDeh5K2ha+sZ7kcIHyDLiGy0qRzoHe+S0LudBWLVk2nuZhpOfGRQj2qh+eCSk bhIp2BHNbb9j6AyHWFOPLnUrCdiH68iLFa3v+S47BptNwlHx+fHvSw4GqGXaISLc t5TWlDEZ =lO5E -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
I wish to extend my sincere and unreserved apologies to all the people I unintentionally offended. Thank you for this. (Seriously.) There's an American movie that probably hasn't been seen much in Europe. _High Noon_, starring Gary Cooper, which may be the finest Western ever made. In a nutshell, the Frank Miller Gang comes to town intent on bloodshed and violence, and to protect the town the retired police officer, Marshal Will Kane, puts on the tin star once more. The Frank Miller Gang does something violent and Kane gets in the way -- the gang retaliates and does something else violent, and Kane gets in the way and stops that, too. After a while the townsfolk, who were begging Marshal Kane to come out of retirement at the beginning of the movie, are screaming their outrage at him. If you'd just quit, the Frank Miller Gang would leave us alone! Can't you see that your meddling is just making them angry and making the problems worse? In a climactic showdown Marshal Kane shatters the Miller Gang. All the townsfolk, who had begged him to save them and then screamed at him that he was the problem, come around to praise him for his courage and valor. Marshal Kane looks them over in disgust, then tears off his badge, throws it in the dirt, and rides off into the sunset with his girlfriend. The townspeople have finally done what the Frank Miller Gang couldn't do: they've made a good and decent policeman stop caring about his town. I can't help but think, as I see the tenor of the discussion about the NSA, that there are probably thousands of good and decent people in that agency who are concerned with following the law and respecting civil liberties -- and they probably feel an awful lot like Marshal Kane right now, wondering whether it's even worth it. Which would mean police who interview people who had contact with a suspect, in order to eliminate them from their enquiries, are either not grown-ups or are practising something in which they do not believe. They are not practicing guilt by suspicion. They are practicing, hey, let's collect as much information as possible on this crime so that we can find the truly guilty person. Police do not determine guilt. Courts determine guilt. Police are in the business of collecting information. In a very real sense, police are a domestic intelligence agency. signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi On Saturday 2 November 2013 at 2:36:27 PM, in mid:52750deb.6090...@sixdemonbag.org, Robert J. Hansen wrote: They are not practicing guilt by suspicion. They are practicing, hey, let's collect as much information as possible on this crime so that we can find the truly guilty person. Experiences of people I know, together with footage broadcast on the reality TV programmes where TV crews follow real police going about their business, lead me to the conclusion they routinely practice guilt by suspicion/guilt by association. If that approach fails to find somebody the circumstantial evidence doesn't rule out, they will switch to a genuine investigation if the matter is serious enough to warrant the man-hours, or if it affects high-profile individuals. No slur intended on any individual police personnel, just public perception of the police forces' corporate approach. (And for the record, I know many people who have formed a similar impression as well as plenty who have formed a very different impression.) Police do not determine guilt. Courts determine guilt. Police are in the business of collecting information. In a very real sense, police are a domestic intelligence agency. Unfortunately, police sometimes influence the determination of guilt by being selective in their presentation of information to the courts. In the UK any withholding of evidence by the police has constituted grounds for appeal since R v Fellows in July 1985.[1] [1] The very short quote at http://www.criminalsolicitor.net/forum/forum_posts.asp?TID=5833PN=1get=last is the only reference I can find at the moment. - -- Best regards MFPAmailto:expires2...@ymail.com The second mouse gets the cheese -BEGIN PGP SIGNATURE- iPQEAQEKAF4FAlJ1IEtXFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5pZtwEAKgF9/mzcsvrFECNNGivhHcu+LEBtZMJMN8C 7ZLuEE//enmKy4OCW34pwJQEtTOQJCaA4UjiscrwE2EP+hSQ3Txgq32kf0uZSYY+ 8ZwenQJoX3hai7sU4j9KVJ/nzFuDiKOpVBP+OXs5z40+Zt1Da2cWXHiUZOC81riQ PeE1jeWu =aTqy -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
MFPA == MFPA expires2...@ymail.com writes: Hi On Sunday 27 October 2013 at 2:46:05 PM, in mid:8761si4vrm@mat.ucm.es, Uwe Brauer wrote: Isn't the NSA a government based organisation? Surely guilt-by-association renders every government based organisation just as nefarious as the NSA. Your point being? I presume it goes like this: NSA is a government based organisation doing, among other things, violations of civil rights. So any other government based organisation cannot be trust, end of argument. Well I just talked about a service, which provides certificates to its citizen. That means it signs a public/private key pair, which is generated by the, hopefully open source, crypto module of your browser. So either you claim to have evidence that this modules have been hacked and the key pair is transferred to some of these evil organisations or I really don't see your point. Uwe Brauer smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
On 02/11/13 19:48, Uwe Brauer wrote: So either you claim to have evidence that this modules have been hacked and the key pair is transferred to some of these evil organisations or I really don't see your point. I think the most common way for an X.509 CA to be deceitful is by giving someone else a certificate with your name on it, not by stealing your key. Then I would be under the impression I was holding an encrypted and signed conversation with /you/, but I would be talking to the well-funded attacker that got the false certificate. That attacker could then re-encrypt and send it on to you, to be a man in the middle. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at http://digitalbrains.com/2012/openpgp-key-peter ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
On 02.11.2013 20:20, Peter Lebbing wrote: On 02/11/13 19:48, Uwe Brauer wrote: So either you claim to have evidence that this modules have been hacked and the key pair is transferred to some of these evil organisations or I really don't see your point. I think the most common way for an X.509 CA to be deceitful is by giving someone else a certificate with your name on it, not by stealing your key. (...) Not mentioning giving away (actually signing) intermediate CA keys. Cheers, Filip ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
On Saturday 02 November 2013 19:48:39 Uwe Brauer wrote: MFPA == MFPA expires2...@ymail.com writes: Hi On Sunday 27 October 2013 at 2:46:05 PM, in mid:8761si4vrm@mat.ucm.es, Uwe Brauer wrote: Isn't the NSA a government based organisation? Surely guilt-by-association renders every government based organisation just as nefarious as the NSA. Your point being? I presume it goes like this: NSA is a government based organisation doing, among other things, violations of civil rights. So any other government based organisation cannot be trust, end of argument. Well I just talked about a service, which provides certificates to its citizen. That means it signs a public/private key pair, which is generated by the, hopefully open source, crypto module of your browser. So either you claim to have evidence that this modules have been hacked and the key pair is transferred to some of these evil organisations or I really don't see your point. Since I had exactly the same thought as MFPA (namely that the NSA is a goverment based organization), I'll explain my thoughts (which could be different from MFPA's point). You, Uwe Brauer, wrote: I would prefer a government based organisation which provides this service to its citizen (especially because of all which was lately revealed about the NSA) where this service refers to the service a commercial, not goverment based CA like comodo offers. I interpreted especially because of all which was lately revealed about the NSA to refer to the NSA's ability to forge certificates issued by commercial CAs (e.g. by forcing the CAs to provide such a certificate). Now my thinking was that the NSA (or some other country's secret agency, e.g. the German BND) probably wouldn't have more problems to get forged certificates if they were issued by a government based CA. OTOH, you wrote the above in reply to Werner's The business model of most CAs is to sell you a subscription by setting the expiration time very low so that they can ask after a year for another fee to create a new certificate. Here it does not make sense to create a new private key every year. So, your point/hope probably was that a government based CA wouldn't have such a business model and would instead offer this service gratis to the people (so that more people would be protected from the NSA reading their mail). If this was your point then apparently I didn't see it when I first read your message. Regards, Ingo signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi On Sunday 27 October 2013 at 2:46:05 PM, in mid:8761si4vrm@mat.ucm.es, Uwe Brauer wrote: I would prefer a government based organisation which provides this service to its citizen (especially because of all which was lately revealed about the NSA) Isn't the NSA a government based organisation? Surely guilt-by-association renders every government based organisation just as nefarious as the NSA. - -- Best regards MFPAmailto:expires2...@ymail.com Free advice costs nothing until you act upon it -BEGIN PGP SIGNATURE- iPQEAQEKAF4FAlJzusxXFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5pit0EAIiKQnBVsZmESaFATJVSGJ5NHCkKAQ3JzvO1 Qnqy6fV+bF1dKbI6fiymsZpRsx1jppnR5lBNGzFWqXsSTfrp3h99k2YzAYnPi67C /XAC3D665XDz0ty3vNKx5p+bO4/BaBHbp7deQcLkNwortGS70Gx1zKRH02IJi+I5 fVjbyLyJ =rXTe -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
Isn't the NSA a government based organisation? Surely guilt-by-association renders every government based organisation just as nefarious as the NSA. This is why grown-ups don't believe in guilt by association. To take an example: the graduate students at the University of Iowa who teach undergraduate courses on classical French literature are University employees. (Unionized ones at that: United Electicalworkers/Committee to Organize Graduate Students, *represent*! [1]) As University employees, they are officially also government employees, since the University is funded by the State. Do you really think a bunch of graduate students obsessing over _La Chanson du Roland_ are just as nefarious as the NSA? If you do, then I think your paranoia is so out of hand you really ought consider seeking professional help. And no, I'm not kidding. If you don't, then let's dial back the rhetoric. Governments are *big* *big* things with lots of employees, and they deserve better treatment than this. [1] Yes, I was a card-carrying union man and served as a union officer. Try not to keel over from the shock. ;) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
My previous email was pretty dry and impersonal. This one is very personal. Isn't the NSA a government based organisation? Surely guilt-by-association renders every government based organisation just as nefarious as the NSA. My current job is in software forensics -- discovering new ways to pull information off electronic media. Most of the people funding research in this area are connected to the government somehow. I would describe what a typical week for me entails but I'm pretty sure I would terrify and traumatize a good portion of the list. (A great week for me is one in which I don't have to see, hear, or even think about, the three words, Daddy, no, stop!) But since some of my RD funding comes from the government, I'm just as nefarious as the NSA. John Moore III, who hasn't been seen on this list in ages, was always quite open about the fact he served in the Marine Corps attached to a signals intelligence unit at Fort Meade. I'll let you do the math and figure out what three letter agency at Fort Meade does signals intelligence. Apparently John's contributions to the GnuPG community mean nothing, because he's just as nefarious as the NSA. Werner has taken money from the German government to do crypto-related software development. Apparently Werner is just as nefarious as the NSA. There are a lot of people on this list who have some kind of connection to the government. Many of them -- us -- are deeply concerned about civil liberties, surveillance, and the future of liberty. We are not your enemies and we do not deserve to be tarred with that brush. You owe all of us an apology. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
On Sat, 26 Oct 2013 22:03, o...@mat.ucm.es said: know by the date of the certificate which certificate to use for which message? - old for old messages Note, that there is no need for a certificate for decryption - only the private key is required. The certificate is only used to show some meta information. - the new for the new messages Expired certificates are not used and thus a now valid one will be used. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
Werner == Werner Koch w...@gnupg.org writes: On Sat, 26 Oct 2013 22:03, o...@mat.ucm.es said: know by the date of the certificate which certificate to use for which message? - old for old messages Note, that there is no need for a certificate for decryption - only the private key is required. The certificate is only used to show some meta information. Now I am confused. Most likely my knowledge of certificates is not correct. (I played around with openssl to generate my own, useless, certificates). I thought a certificate consists of a key pair (private/public) which is signed by the Authority (here comodo). When I apply for a certificate, the keypair is generated by the crypto module of the browser and then signed. So I thought when I apply for a new certificate a new key pair is generated which gets signed again. But your comment above seems to indicate that the old pair gets a new signature. Is this correct? But what if I apply with a different browser I applied the last time. thanks Uwe Brauer smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
On Sun, Oct 27, 2013 at 9:53 AM, Uwe Brauer o...@mat.ucm.es wrote: Werner == Werner Koch w...@gnupg.org writes: On Sat, 26 Oct 2013 22:03, o...@mat.ucm.es said: know by the date of the certificate which certificate to use for which message? - old for old messages Note, that there is no need for a certificate for decryption - only the private key is required. The certificate is only used to show some meta information. Now I am confused. Most likely my knowledge of certificates is not correct. (I played around with openssl to generate my own, useless, certificates). I thought a certificate consists of a key pair (private/public) which is signed by the Authority (here comodo). Mostly correct. All that is needed to encrypt/decrypt/sign/verify messages is the public/private keys themselves. The certificate is a signed, structured format that binds a particular public key to an identity (be it an email address, a name, a website, etc.). The certificate is for public consumption: Comodo is asserting to the world that this particular public key (and it's corresponding private key, which only you know) belongs to you (or your website, email, etc.). On your end, all you need is the private key to decrypt messages encrypted to your public key. You don't need a certificate to decrypt messages that had already been encrypted to that public key -- a certificate may expire at a certain time, but the private key has no baked-in expiration date. When I apply for a certificate, the keypair is generated by the crypto module of the browser and then signed. Correct. So I thought when I apply for a new certificate a new key pair is generated which gets signed again. Correct, though it is possible (but usually recommend against) to create a new certificate using the same private keypair as before. In general, you should create a new keypair when applying for a new certificate. But your comment above seems to indicate that the old pair gets a new signature. Is this correct? But what if I apply with a different browser I applied the last time. I interpreted Werner's comment to mean In order to decrypt messages encrypted to you, you only need a private key. You don't need a valid certificate to decrypt old messages that were encrypted to a now-expired certificate. If you generate a new keypair for the new certificate (which is probably a good idea) then gpgsm (and presumably any other certificate-using software) will figure out what private key will be needed to decrypt a particular message and, so long as you still have the private key on your system, will use it as needed even if the corresponding certificate has expired. Cheers! -Pete -- Pete Stephenson ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
If you generate a new keypair for the new certificate (which is probably a good idea) then gpgsm (and presumably any other certificate-using software) will figure out what private key will be needed to decrypt a particular message and, so long as you still have the private key on your system, will use it as needed even if the corresponding certificate has expired. So gpgsm (and others) will also figure out which private key to use for signing: that is the new one, once the old certificate is expired? Which means in the case of smime, also to embedd the corresponding new public key in the signature. thanks Uwe smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
On Sun, Oct 27, 2013 at 11:01 AM, Uwe Brauer o...@mat.ucm.es wrote: If you generate a new keypair for the new certificate (which is probably a good idea) then gpgsm (and presumably any other certificate-using software) will figure out what private key will be needed to decrypt a particular message and, so long as you still have the private key on your system, will use it as needed even if the corresponding certificate has expired. So gpgsm (and others) will also figure out which private key to use for signing: that is the new one, once the old certificate is expired? Which means in the case of smime, also to embedd the corresponding new public key in the signature. I can't speak specifically for gpgsm, as I only use GPG with OpenPGP keys and not x.509 certs, but I would venture that the answer to your question is yes, gpgsm will select the correct private key for signing as that's standard behavior for such software. Werner or others could answer authoritatively. -- Pete Stephenson ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
On Sun, 27 Oct 2013 10:23, p...@heypete.com said: Correct, though it is possible (but usually recommend against) to create a new certificate using the same private keypair as before. In The business model of most CAs is to sell you a subscription by setting the expiration time very low so that they can ask after a year for another fee to create a new certificate. Here it does not make sense to create a new private key every year. GnuPG basically does the same by allowing you to prolong the expiration time. I interpreted Werner's comment to mean In order to decrypt messages encrypted to you, you only need a private key. You don't need a valid certificate to decrypt old messages that were encrypted to a now-expired certificate. Correct. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
Werner == Werner Koch w...@gnupg.org writes: On Sun, 27 Oct 2013 10:23, p...@heypete.com said: Correct, though it is possible (but usually recommend against) to create a new certificate using the same private keypair as before. In The business model of most CAs is to sell you a subscription by setting the expiration time very low so that they can ask after a year for another fee to create a new certificate. Here it does not make sense to create a new private key every year. Well comodo is free (still) and to prolong the certificate seems free to for the moment, but I agree I would prefer a government based organisation which provides this service to its citizen (especially because of all which was lately revealed about the NSA) GnuPG basically does the same by allowing you to prolong the expiration time. I don't want to enter a flame war here and in principle I'd prefer gpg over smime but in reality I have to use smime, because - it is implemented in almost all MUA while gpg is not[1] - it is so much easier to install for the people I communicate with than gpg. I recall that I tried to convince gpg and after some hours he almost yelled at me, while he was able to set up smime in 5 minutes. The reasons for this are the following. - As I said smime is already installed in almost all MUA, so no need to install gpg and to install a plugin for the MUA - the user does not have to generate a keypair. Well this is not entirely true, as we mentioned earlier, but the user applies for a certificate picks it up and he is set. - the user does not have to exchange public keys, he just sends a signed message which includes his public key. So if the big MUAS and not only thunderbird, but at least outlook apple mail, and iOS mail, would - support gpg natively - when use gpg in the mailreader for the first time, it would silently generate a key pair - when sending a signed message it would always embed the public key in the signature Then a think gpg would be as easy to use as smime, but till then Uwe Brauer Footnotes: [1] I tried to use gpg on a non jailbroken iPhone and it is honestly a hassle. smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
gpgsm and expired certificates
Hello I use gpgsm, via gnus+Xemacs and I have installed a free certificate from Comodo. This certificate expires in a couple of weeks and I have to apply for a new one. However I need the old one to read old messages. Can gpgsm deal with this situation? thanks Uwe Brauer smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
On Sat, 26 Oct 2013 12:02, o...@mat.ucm.es said: Can gpgsm deal with this situation? Sure. That is a very common situation. Although I am myself not using gpgsm for mail encryption, I use it to maintain all kind of X.509 certificates. FWIW, gpgsm passed several conformance tests with quite good results [1] and was recently approved for secret communication (at the Germany's entry level VS/NfD). Salam-Shalom, Werner [1] Watch out for Aegypten, which included GnuPG, in https://www.bsi.bund.de/DE/Themen/weitereThemen/VerwaltungsPKIVPKI/Interoperabilitaetstest/Testberichte/testberichte_node.html -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
Werner == Werner Koch w...@gnupg.org writes: On Sat, 26 Oct 2013 12:02, o...@mat.ucm.es said: Can gpgsm deal with this situation? Sure. That is a very common situation. Although I am myself not using gpgsm for mail encryption, I use it to maintain all kind of X.509 certificates. FWIW, gpgsm passed several conformance tests with quite good results [1] and was recently approved for secret communication (at the Germany's entry level VS/NfD). Good, so if I understand that correctly once I have the new certificate then I only have to import it into gpgsm and gpgsm will know by the date of the certificate which certificate to use for which message? - old for old messages - the new for the new messages thanks Uwe Brauer smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users