Re: wanted: educate us please on key dongles

2017-08-30 Thread Sean Whitton
Hello, On Wed, Aug 30 2017, Marc Haber wrote: > People keep mentioning to store the private key on a LUKS-encrypted > device. Why? Is the private key encryption that happens inside GnuPG > itself when you protect your private key with a passphrase not > sufficient? You can pass the --iter-time

Re: wanted: educate us please on key dongles

2017-08-30 Thread Alexander Zangerl
On Wed, 30 Aug 2017 10:09:38 +0100, Jonathan McDowell writes: >I think NIIBE was selling them for about €30 at DebConf, so that's a >reasonable mark up. He said Seeed are currently changing business model >to move away from low volume devices, but despite what their website >says they do still

Re: Reasons for having DPL election terms 1 year

2017-08-30 Thread Ian Jackson
shirish शिरीष writes ("Reasons for having DPL election terms 1 year"): > My query how did the idea of having yearly elections for choosing DPL > come in place. This was my doing. And, TBH, I don't think I considered other options very seriously, although I haven't searched my email archives. (I

Re: Reasons for having DPL election terms 1 year

2017-08-30 Thread shirish शिरीष
at bottom :- On 30/08/2017, shirish शिरीष wrote: > Dear all, > > Please CC me if somebody puts a reply. > > I had put up the query on debian-devel but was informed that probably > debian-project would be a much better place to have discussions like > these. > > I did try

Reasons for having DPL election terms 1 year

2017-08-30 Thread shirish शिरीष
Dear all, Please CC me if somebody puts a reply. I had put up the query on debian-devel but was informed that probably debian-project would be a much better place to have discussions like these. I did try various terms like 'why is Debian Project leader choosen yearly' and similar queries on

Re: wanted: educate us please on key dongles

2017-08-30 Thread Ian Campbell
On Wed, 2017-08-30 at 12:50 +0200, Marc Haber wrote: > That's a point, but I cannot validate whether the free hardware > design running the free software crypto app isn't backdoored anyway due > to lack of knowledge and expertise. Some large fraction of the world could/would make the same

Re: wanted: educate us please on key dongles

2017-08-30 Thread Christian Seiler
On 2017-08-30 14:45, Marc Haber wrote: On Wed, Aug 30, 2017 at 01:52:54PM +0200, Christian Seiler wrote: Well, you could create a completely separate key pair (with a separate master key) for Debian purposes only. That would double the effort of obtaining signatures and also double the

Re: wanted: educate us please on key dongles

2017-08-30 Thread Marc Haber
Ian, thanks for your level-headed response and your solid reasoning. On Wed, Aug 30, 2017 at 12:10:34PM +0100, Ian Jackson wrote: > How far down the paranoia road you want to go is up to you, but buying > an open hardware / libre firmware security device, rather than a > proprietary one, has

Re: wanted: educate us please on key dongles

2017-08-30 Thread Marc Haber
On Wed, Aug 30, 2017 at 01:52:54PM +0200, Christian Seiler wrote: > On 2017-08-30 09:01, Marc Haber wrote: > > On Tue, Aug 29, 2017 at 04:07:45PM -0300, Henrique de Moraes Holschuh > > wrote: > > > The **public** portion of *every* key (master and all subkeys) goes into > > > the public keyrings

Re: wanted: educate us please on key dongles

2017-08-30 Thread Teemu Likonen
Marc Haber [2017-08-30 09:01:09+02] wrote: > People keep mentioning to store the private key on a LUKS-encrypted > device. Why? Is the private key encryption that happens inside GnuPG > itself when you protect your private key with a passphrase not > sufficient? A strong passphrase for the key

Re: wanted: educate us please on key dongles

2017-08-30 Thread Christian Seiler
On 2017-08-30 09:01, Marc Haber wrote: On Tue, Aug 29, 2017 at 04:07:45PM -0300, Henrique de Moraes Holschuh wrote: The **public** portion of *every* key (master and all subkeys) goes into the public keyrings and also in the Debian keyring. gnupg will handle this automatically if you use

Re: wanted: educate us please on key dongles

2017-08-30 Thread Marc Haber
I seem to have offended people by trying to make up my mind and introducing arguments into the discussion that might not be wanted. I can only lose by continuing this thread. No offense was ever intended, and neither was an attack. Greetings Marc --

Re: wanted: educate us please on key dongles

2017-08-30 Thread Jonathan McDowell
On Wed, Aug 30, 2017 at 12:50:53PM +0200, Marc Haber wrote: > On Wed, Aug 30, 2017 at 12:42:13PM +0200, Adam Borowski wrote: > > * with Yubikey 4 (suspected): they send the secret handshake, get a > > copy of the key, and you don't even know anything happened > > That's a point, but I cannot

Re: wanted: educate us please on key dongles

2017-08-30 Thread Ian Jackson
Marc Haber writes ("Re: wanted: educate us please on key dongles"): > That's a point, but I cannot validate whether the free hardware > design running the free software crypto app isn't backdoored anyway due > to lack of knowledge and expertise. You don't need to be able to validate it

Re: wanted: educate us please on key dongles

2017-08-30 Thread Marc Haber
On Wed, Aug 30, 2017 at 12:42:13PM +0200, Adam Borowski wrote: > On Wed, Aug 30, 2017 at 12:17:33PM +0200, Marc Haber wrote: > > On Wed, Aug 30, 2017 at 10:09:38AM +0100, Jonathan McDowell wrote: > > > The Start is based on the GnuK and I think should be upgradable to do 4K > > > keys. The Pro

Re: wanted: educate us please on key dongles

2017-08-30 Thread Adam Borowski
On Wed, Aug 30, 2017 at 12:17:33PM +0200, Marc Haber wrote: > On Wed, Aug 30, 2017 at 10:09:38AM +0100, Jonathan McDowell wrote: > > The Start is based on the GnuK and I think should be upgradable to do 4K > > keys. The Pro uses a non-free smartcard internally for the RSA > > operations. I believe

Re: wanted: educate us please on key dongles

2017-08-30 Thread Marc Haber
On Wed, Aug 30, 2017 at 10:09:38AM +0100, Jonathan McDowell wrote: > On Tue, Aug 29, 2017 at 07:34:35PM +0200, Marc Haber wrote: > > Their web page says that it will only support 2048 bit RSA keys, which is > > the limitation of most USB crypto tokens on the market today. The > > Nitrokey Pro will

Re: wanted: educate us please on key dongles

2017-08-30 Thread Jonathan McDowell
On Tue, Aug 29, 2017 at 07:34:35PM +0200, Marc Haber wrote: > On Fri, Aug 11, 2017 at 01:41:39PM +0100, Jonathan McDowell wrote: > > * GnuK: My favourite choice. It's slow with RSA4096, but does > > support it. The hardware is open. The software is open (you can > > compile and

Re: wanted: educate us please on key dongles

2017-08-30 Thread Marc Haber
On Tue, Aug 29, 2017 at 04:07:45PM -0300, Henrique de Moraes Holschuh wrote: > On Tue, 29 Aug 2017, Marc Haber wrote: > > - Which key goes on the paper slab that everybody uses to collect > > signatures? The certification only master key? > > The main key fingerprint. Which happens to be the