Re: Thoughts on GnuPG and automation

2015-03-03 Thread Robert J. Hansen
> And that is why this thread is going on, so hopefully we can come to > an agreement that there are many areas where GnuPG can be used but > GPGME is a bad solution to do it. Maybe I'm a little irritable here, but -- pretty much everyone who's ever hacked on GnuPG has found situations where GPG

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Hans of Guardian
On Mar 3, 2015, at 8:52 PM, Werner Koch wrote: > On Tue, 3 Mar 2015 14:29, h...@guardianproject.info said: > >> It is actually more difficult to wrap GPGME in Java than to have just >> rewritten GPGME in Java. GPGME is a fine API for C/C++, it is a bad > > Sorry, but that is not your problem.

RE: Thoughts on GnuPG and automation

2015-03-03 Thread Bob (Robert) Cavanaugh
Native to what? Processor, OS? I think Peter and the group already adequately answered this: If GPGME is not providing an interface that meets Android requirements, then look into how GPGME interfaces to GPG and emulate that interface. For you to request that the interface be changed can be liken

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Robert J. Hansen
> If you are interested, you should read the details. Did. Have. > Because you are missing some key details here. In other words, "you're wrong, but I'm not going to present any evidence or reasoning, I'm just going to make vague statements about how you're missing details which I am privy to."

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Hans of Guardian
On Mar 3, 2015, at 7:09 PM, Peter Lebbing wrote: > On 03/03/15 18:29, Hans of Guardian wrote: >> Android has an installed base of hundreds of millions. Desktop UNIX >> is the exotic system here as compared to Windows, Android, etc. > > I have no idea about how difficult it is to launch the gpg

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Hans of Guardian
On Mar 3, 2015, at 7:31 PM, Robert J. Hansen wrote: >> This is definitely public information from the Snowden leaks. There >> is also quite a bit of information about other governments doing >> similar things. Here's one example article: > > If all encrypted traffic is deemed suspicious, the

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Matthias Mansfeld
On 4 Mar 2015 at 7:47, Sandeep Murthy wrote: [...] > Once such a data retention law is in place it is dangerous because > inevitably there is a "mission creep" that sets in - it is not > hard to imagine one day that encryption software users, maybe GPG > users, will be required to disclose informa

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Sandeep Murthy
> On 4 Mar 2015, at 07:24, Ingo Klöcker wrote: > After the recent terrorist attacks in Paris and Brussels some German > politicians are again arguing that we need Vorratsdatenspeicherung (data > retention, i.e. storage of all communication meta data for 6 months) in > Germany to prevent such atta

Newspeek, (was: Re: Thoughts on GnuPG and automation)

2015-03-03 Thread Matthias Mansfeld
On 3 Mar 2015 at 21:24, Ingo Klöcker wrote: [..] > After the recent terrorist attacks in Paris and Brussels some German > politicians are again arguing that we need Vorratsdatenspeicherung > (data retention, i.e. storage of all communication meta data for 6 > months) in Germany to prevent such att

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Brad Rogers
On Tue, 3 Mar 2015 21:24:15 +0100 Ingo Klöcker wrote: Hello Ingo, >of terror. Still this completely pants-on-head absurd policy will >become reality if those German politicians get what they want. It's not just in Germany: Politicians across the world utilise similar scaremongering tactics to

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Ingo Klöcker
On Tuesday 03 March 2015 19:31:14 Robert J. Hansen wrote: > > This is definitely public information from the Snowden leaks. There > > is also quite a bit of information about other governments doing > > > similar things. Here's one example article: > If all encrypted traffic is deemed suspicious

Duplicate copies of list messages when you are also addressed personally [Was: Re: Fwd: Re: German ct magazine postulates death of pgp encryption]

2015-03-03 Thread MFPA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On Tuesday 3 March 2015 at 3:02:43 PM, in , michaelquig...@theway.org wrote: > I believe if you are personally addressed, the list > management software doesn't send you a duplicate copy > of the message. The option is set at

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Hans of Guardian
On Mar 3, 2015, at 7:09 PM, Peter Lebbing wrote: > On 03/03/15 18:29, Hans of Guardian wrote: >> Android has an installed base of hundreds of millions. Desktop UNIX >> is the exotic system here as compared to Windows, Android, etc. > > I have no idea about how difficult it is to launch the gpg

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Werner Koch
On Tue, 3 Mar 2015 14:29, h...@guardianproject.info said: > It is actually more difficult to wrap GPGME in Java than to have just > rewritten GPGME in Java. GPGME is a fine API for C/C++, it is a bad Sorry, but that is not your problem. The problem on Android seems to be that it is not easy to

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Robert J. Hansen
> Android has an installed base of hundreds of millions. So? GnuPG and GPGME are products of their birth, just like anything else. It was built for desktop operating systems. If you want to make it live in the mobile space, go with God and I wish you all the luck in the world -- but if GPGME isn

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Robert J. Hansen
> This is definitely public information from the Snowden leaks. There > is also quite a bit of information about other governments doing > similar things. Here's one example article: If all encrypted traffic is deemed suspicious, then 99.999% of the suspicious set -- Amazon transactions, G

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Peter Lebbing
On 03/03/15 18:29, Hans of Guardian wrote: > Android has an installed base of hundreds of millions. Desktop UNIX > is the exotic system here as compared to Windows, Android, etc. I have no idea about how difficult it is to launch the gpg binary with a few pipes attached to a few file descriptors

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Hans of Guardian
On Mar 3, 2015, at 5:49 PM, Robert J. Hansen wrote: >> Different programming languages and operating systems can have very >> different ways of launching and handling external processes. > > Eh. Different operating systems, sure: that's the nature of kernels. > They provide different syscalls,

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Hans of Guardian
On Mar 3, 2015, at 5:01 PM, Robert J. Hansen wrote: > Hans, please trim your quoted material. > >> They would need to use a specialized system, and that specialized >> system might then be a marker of suspicion (for example, lots of >> governments, including the NSA, already mark all PGP message

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Robert J. Hansen
> Different programming languages and operating systems can have very > different ways of launching and handling external processes. Eh. Different operating systems, sure: that's the nature of kernels. They provide different syscalls, and that's at root how you launch an external process -- by m

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Hans of Guardian
On Mar 3, 2015, at 4:43 PM, Peter Lebbing wrote: > On 03/03/15 14:29, Hans of Guardian wrote: >> It is actually more difficult to wrap GPGME in Java than to have just >> rewritten GPGME in Java. > > In my opinion, if this is the case, then that is indeed the proper > solution: write a general-pu

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Hans of Guardian
Yeah, mailpile has a very unusual architecture, so it's no surprise it'll need some unusual tricks. Unusual tricks in software that aims to be secure generally make me nervous since it is important to keep code readable and understandable for both the core devs, but also contributors, auditors,

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Robert J. Hansen
Hans, please trim your quoted material. > They would need to use a specialized system, and that specialized > system might then be a marker of suspicion (for example, lots of > governments, including the NSA, already mark all PGP messages as > suspicious). Unless you've got a desk somewhere deep

Re: German ct magazine postulates death of pgp encryption

2015-03-03 Thread Robert J. Hansen
>> Services like keybase.io with poor security practices... > > I fail to see how this is a failure on the side of the keyservers... I fully agree with Kristian. I further don't see how keybase.io amounts to "poor security practice". The Web of Trust is, itself, a poor practice because it's rar

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Hans of Guardian
On Feb 27, 2015, at 1:19 PM, Bjarni Runar Einarsson wrote: > Hi Hans-Christoph! > > Hans-Christoph Steiner wrote: >> With all the recent attention to GnuPG and Werner's work, I have begun to >> think about things differently. GnuPG has an amazing security track record. >> It has had few seriou

Re: German ct magazine postulates death of pgp encryption

2015-03-03 Thread Christoph Anton Mitterer
On Tue, 2015-03-03 at 14:00 +0100, Hans of Guardian wrote: > The PGP keyservers need email validation no it's pretty useless from a security POV and they don't need it. > not as a way to provide any kind of "trusted" status of that key, but > rather so enable people to delete keys that should no l

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Peter Lebbing
On 03/03/15 14:29, Hans of Guardian wrote: > It is actually more difficult to wrap GPGME in Java than to have just > rewritten GPGME in Java. In my opinion, if this is the case, then that is indeed the proper solution: write a general-purpose library à la GPGME, but don't call gpg directly from yo

Re: Fwd: Re: German ct magazine postulates death of pgp encryption

2015-03-03 Thread MichaelQuigley
"Gnupg-users" wrote on 03/03/2015 09:41:25 AM: > - Message from Stephan Beck on Tue, 03 Mar > 2015 15:40:45 +0100 - > > To: gnupg-users@gnupg.org > > Subject: Re: Fwd: Re: German ct magazine postulates death of pgp encryption > > On 03.03.2015 at 14:00, Ville Määttä wrote: > > On 0

Re: German ct magazine postulates death of pgp encryption

2015-03-03 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 03/03/2015 02:00 PM, Hans of Guardian wrote: > > On Feb 27, 2015, at 8:56 PM, Werner Koch wrote: > ... > > Services like keybase.io with poor security practices are going to > rapidly take over from the PGP keyserver pool because they addre

Re: German ct magazine postulates death of pgp encryption

2015-03-03 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 03/03/2015 04:20 PM, Kristian Fiskerstrand wrote: > On 03/03/2015 01:50 PM, Hans of Guardian wrote: > >> On Feb 27, 2015, at 1:11 PM, Kristian Fiskerstrand wrote: > ... > >>> The standard PGP keyserver pool is a mess with racist spam, >>> lo

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Brian Minton
It breaks mailpile because gpg-agent is not session aware. A user could be logged in locally, using mailpile, and a remote attacker could access the web interface of that locally running mailpile instance, which since it is talking to the same gpg-agent, would think the remote user is logged in (o

Re: Circumvention Tech Summit in Valencia

2015-03-03 Thread Werner Koch
On Tue, 3 Mar 2015 12:51, r...@sixdemonbag.org said: > Admittedly, "the GnuPG dev people" is really a one-element list > containing Werner. But there are certainly people active in the GnuPG The web page lists more and several more have write access to git.gnupg.org. I considered to attend but

Re: German ct magazine postulates death of pgp encryption

2015-03-03 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 03/03/2015 01:50 PM, Hans of Guardian wrote: > > On Feb 27, 2015, at 1:11 PM, Kristian Fiskerstrand wrote: > > On 02/27/2015 12:43 PM, Hauke Laging wrote: On Fri 27.02.2015, 12:27:40, gnupgpacker wrote: > Maybe implementation with

Re: Circumvention Tech Summit in Valencia

2015-03-03 Thread Robert J. Hansen
> It is in the constitution; if you are a FOSS developer the least I > can do is provide $beverage. I'm glad I contribute code to a couple of small FOSS digital forensics projects, then. Because I've never contributed a single line of code to GnuPG or Enigmail. :) signature.asc Description:

Re: German ct magazine postulates death of pgp encryption

2015-03-03 Thread Hans of Guardian
On Feb 27, 2015, at 1:11 PM, Kristian Fiskerstrand wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > On 02/27/2015 12:43 PM, Hauke Laging wrote: >> On Fri 27.02.2015, 12:27:40, gnupgpacker wrote: >> >>> Maybe implementation with an opt-in could preserve publishing of >>> faked keys

Re: Circumvention Tech Summit in Valencia

2015-03-03 Thread Samir Nassar
On Tuesday, March 03, 2015 03:49:41 PM Robert J. Hansen wrote: > > Non developers are also here and happy to verify OpenPGP certificates > > as well. > > And happy to buy people beer. Thanks again, Samir. :) It is in the constitution; if you are a FOSS developer the least I can do is provide $

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Hans of Guardian
On Feb 27, 2015, at 3:09 PM, Peter Lebbing wrote: > On 27/02/15 12:02, Hans-Christoph Steiner wrote: >> For example, I think that >> `gpg --json` is great idea. I ended up using a Java wrapper of GPGME, which >> is in turn a wrapper of GnuPG. I think it makes a lot more sense to have >> `gpg >

Re: German ct magazine postulates death of pgp encryption

2015-03-03 Thread Hans of Guardian
On Feb 27, 2015, at 8:56 PM, Werner Koch wrote: > On Fri, 27 Feb 2015 17:26, patr...@enigmail.net said: > >> that anyone can upload _every_ key to a keyserver is an issue. If >> keyservers would do some sort of verification (e.g. confirmation of >> the email addresses) then this would lead to mu

Re: Circumvention Tech Summit in Valencia

2015-03-03 Thread Robert J. Hansen
> Non developers are also here and happy to verify OpenPGP certificates > as well. And happy to buy people beer. Thanks again, Samir. :) signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://l

Re: Circumvention Tech Summit in Valencia

2015-03-03 Thread Samir Nassar
On Tuesday, March 03, 2015 01:34:01 PM Kristian Fiskerstrand wrote: > On 03/03/2015 12:51 PM, Robert J. Hansen wrote: > > Daniel Kahn Gillmor and I are both here. (And in fact, we met > > briefly, and much to the surprise of many people here but not to > > either dkg or myself, there was mutual re

Re: Fwd: Re: German ct magazine postulates death of pgp encryption

2015-03-03 Thread Stephan Beck
On 03.03.2015 at 14:00, Ville Määttä wrote: > On 03.03.15 14:54, Stephan Beck wrote: >> as your message hasn't reached the list in spite of being addressed to it > > It did :). > Strange, I did only receive the PM, not the listmail, so I thought it might be useful to resend it. In that case, sorr

Re: Decrypting PGP/MIME on the command line

2015-03-03 Thread Brian Minton
Mailpile may be useful. https://mailpile.is It lets you scan in a bunch of messages, and decrypt them, and indexes them, keeping the index and message store encrypted. It has command line as well as a gui. On Sun, Mar 1, 2015 at 9:32 AM, René Puls wrote: > Hi, > > is there a command line utili

Re: Fwd: Re: German ct magazine postulates death of pgp encryption

2015-03-03 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 03/03/2015 01:54 PM, Stephan Beck wrote: > Hi Peter, > > as your message hasn't reached the list in spite of being addressed > to it, I resend it. Fwiw, it reached the list just fine: http://lists.gnupg.org/pipermail/gnupg-users/2015-March/05293

Re: Fwd: Re: German ct magazine postulates death of pgp encryption

2015-03-03 Thread Ville Määttä
On 03.03.15 14:54, Stephan Beck wrote: > as your message hasn't reached the list in spite of being addressed to it It did :). -- Ville

Fwd: Re: German ct magazine postulates death of pgp encryption

2015-03-03 Thread Stephan Beck
Hi Peter, as your message hasn't reached the list in spite of being addressed to it, I resend it. Thanks Stephan Forwarded Message Subject: Re: German ct magazine postulates death of pgp encryption Date: Mon, 02 Mar 2015 18:53:57 +0100 From: Peter Lebbing To: Stephan

Re: Circumvention Tech Summit in Valencia

2015-03-03 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 03/03/2015 12:51 PM, Robert J. Hansen wrote: >> Are any GnuPG dev people at the Circumvention Tech Summit in >> Valencia, that is now until Saturday? I'm arriving today. It >> could be useful to have a little GnuPG chat in person. > > Daniel K

Re: Circumvention Tech Summit in Valencia

2015-03-03 Thread Robert J. Hansen
> Are any GnuPG dev people at the Circumvention Tech Summit in > Valencia, that is now until Saturday? I'm arriving today. It could > be useful to have a little GnuPG chat in person. Daniel Kahn Gillmor and I are both here. (And in fact, we met briefly, and much to the surprise of many people h

Circumvention Tech Summit in Valencia

2015-03-03 Thread Hans of Guardian
Are any GnuPG dev people at the Circumvention Tech Summit in Valencia, that is now until Saturday? I'm arriving today. It could be useful to have a little GnuPG chat in person. .hc