Re: Essay on PGP as it is used today

On 17 Jul 2019, at 05:05, Robert J. Hansen wrote: > But all in all? It's a good criticism. Indeed. Backwards compatibility with the 1990s is an albatross. Anyone still using obsolete ciphers is screwed anyway, so why encourage it? Some nitpicking: * Modern PGP does encrypt subjects

Re: WKD: mutt integration status

hes valid in the MIME boundary charset? -- Andrew Gallagher signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: New keyserver at keys.openpgp.org - what's your take?

On 04/07/2019 03:29, Phil Pennock wrote: > Depends upon the implementation. I'm biased here, I wrote my own in > Go back in 2016: https://go.pennock.tech/fingerd/ Nice. I can't see corporate firewall admins buying it though. :-) -- Andrew Gallagher signature.asc Description: O

Re: SKS Keyserver Network Under Attack

> On 4 Jul 2019, at 03:23, Ángel wrote: > > A point I don't like about the design of hagrid is that verification is > performed by the server itself. > Thus, it seems that if there were a reconciliation protocol between > them, either entering into one of them would lead to all of them blindly

Re: New keyserver at keys.openpgp.org - what's your take?

ers' spiders are well behaved, it should be no worse than being indexed by Google. -- Andrew Gallagher signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: SKS and GnuPG related issues and possible workarounds

identity of the uploader (as hagrid and keybase do), but this then makes the SKS reconciliation protocol unviable - so it is SKS the protocol that has to be changed, not SKS the software. -- Andrew Gallagher signature.asc Description: OpenPGP digital signature ___

Re: SKS and GnuPG related issues and possible workarounds

your keyring, there's nothing wrong with continuing to use the keyservers (for now), so we shouldn't kill a service that's working just fine for those people, not until we have a replacement. -- Andrew Gallagher signature.asc Description: OpenPGP digit

Re: SKS and GnuPG related issues and possible workarounds

oblems. -- Andrew Gallagher signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: SKS and GnuPG related issues and possible workarounds

e build quality of the bookshelves, and to prove his point he pulls them to pieces. "Look at that, it's falling apart!" [1] Just because something is broken does not mean you are obliged to kick it over to prove the point. [1] https://vimeo.com/108169770 -- Andrew Gallagher signature.asc Des

Re:

tous individuals. But you're right, these subtleties are why WoT never took off. :-) -- Andrew Gallagher signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: New keyserver at keys.openpgp.org - what's your take?

On 03/07/2019 13:45, Kristian Fiskerstrand wrote: > There are various ways this can be used for other > attack vectors as well, so they are mostly just ignored. Any of those attack vectors applicable to keyservers attempting to refresh from it? -- Andrew Gallagher signature.asc Descr

Re: New keyserver at keys.openpgp.org - what's your take?

y to know! Opening a finger port may be a step too far for the security-conscious though... -- Andrew Gallagher signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Some thoughts on the future of OpenPGP and GnuPG

big IT companies. -- Andrew Gallagher signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: New keyserver at keys.openpgp.org - what's your take?

but distrust everyone else". This would only have to be done once in advance, and it could be made part of your new developer onboarding process. -- Andrew Gallagher signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing

Re: Some thoughts on the future of OpenPGP and GnuPG

oviders took email security seriously, we would never have got here in the first place. But the nature of email is that nobody owns it, therefore it is nobody's job to fix it. And the people who care have real jobs and mortgages. [1] https://www.quora.com/What-is-the-service-utility-and-

Re: New keyserver at keys.openpgp.org - what's your take?

On 2019/07/01 17:26, Werner Koch wrote: > p.s. > As stop-gap solution the next gpg release sports a > --keyserver-options self-sigs-only to allow importing of spammed keys. I think this deserves more than a P.S. ;-) -- Andrew Gallagher signature.asc Description: OpenPGP digital

Re: Your Thoughts

i > tools and they can be used with an extra written GUI program, if > someone likes to do so. Very handy! I agree that's the way user interfaces should be, but now I'm unclear what your complaint about GnuPG is, given that it's a CLI tool optionally wrapped in a GUI interface. -- Andrew Ga

Re: Your Thoughts

SKS has just proven an example of that. I think we're criticising the same thing. Yes, I'm calling Golang (and Rust) "exotic". :-) Interestingly, Rust was first implemented in OCaml... (!) -- Andrew Gallagher signature.asc Description: Ope

Re: Your Thoughts

ormation has its uses if you're maintaining any sort of PKI. [1] https://blog.cryptographyengineering.com/2015/10/22/a-riddle-wrapped-in-curve/ -- Andrew Gallagher signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list

Re: New keyserver at keys.openpgp.org - what's your take?

e don't run into potential issues re some systems being able to verify, a new algorithm and some not. Better to let the synchroniser just do its job, and move all the verification and caching stuff to a higher level. It need not be in the same binary. -- An

Re: New keyserver at keys.openpgp.org - what's your take?

> On 1 Jul 2019, at 13:36, Andrew Gallagher wrote: > > We start from hagrid or something like it, and carefully add the ability > to sync only the absolute minimum of data required to allow revocations > to propagate. This probably means primary keys, their self-sigs and &g

Re: New keyserver at keys.openpgp.org - what's your take?

On 2019/06/30 18:06, Daniel Kahn Gillmor wrote: > On Sun 2019-06-30 00:33:22 +0100, Andrew Gallagher wrote: >> Indeed, c) was exactly the killer use case I had in mind. > > so, how do we get there? We start from hagrid or something like it, and carefully add the ability to sync on

Re: Your Thoughts

> On 1 Jul 2019, at 00:36, Robert J. Hansen wrote: > > Would this be painful? Sure. But it doesn't involve throwing out > the OpenPGP spec, just overhauling how we implement it and the > supporting software ecosystem. That would be *hard*, don't get me > wrong, and I am *in no way* saying

Re: SKS Keyserver Network Under Attack

> On 30 Jun 2019, at 15:07, Erich Eckner via Gnupg-users > wrote: > > maybe I don't get the original idea - but I thought, it was to block > *uploads/updates* which would poisson a certificate - not to blackhole them > after they got poissoned? Hm, that’s not how I read it, although I could

Re: SKS Keyserver Network Under Attack

ll be looking over their shoulder wondering whether they'll be next. We solve this issue for *everyone*, or we all go home. -- Andrew Gallagher signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: SKS Keyserver Network Under Attack

> On 30 Jun 2019, at 11:01, Vincent Breitmoser wrote: > > The single biggest issue is > importing keys that don't have identity info on them. I submitted a patch to > GnuPG to fix this issue, but for some reason that is beyond me there seems to > be > resistance to merging it: Unfortunately

Re: SKS Keyserver Network Under Attack

> On 30 Jun 2019, at 10:21, Mirimir via Gnupg-users > wrote: > > This is undoubtedly a naive question. But anyway, would it be feasible > to test keys by importing them, and seeing which ones break OpenPGP? > Maybe do it in minimal Docker containers? And then somehow block access > to those

Re: SKS Keyserver Network Under Attack

>> Thankfully there is a practical - if drastic - solution for all >> OpenPGP users everywhere. Point pool.sks-keyservers.net (and its >> various aliases) somewhere else. The question is where to and how >> soon. > > (I am certain Andrew has already considered this: I am making explicit > what I

Re: SKS Keyserver Network Under Attack

> On 30 Jun 2019, at 09:19, Robert J. Hansen wrote: > > The next version of Enigmail will no longer use the SKS network by > default. Great! But what about existing Enigmail users? They'll see a > signature, click "Import Key", and ... bam. They're likely not going to > think that

Re: New keyserver at keys.openpgp.org - what's your take?

> On 21 Jun 2019, at 21:49, Daniel Kahn Gillmor wrote: > > So if we decide we only want to address use case (c), then it doesn't > seem too crazy to imagine reconciliation among multiple installations of > all the distributed, cryptographically-validated *non-identity* data > that hagrid is

Re: New keyserver at keys.openpgp.org - what's your take?

f not having the one-and-only-distributor-of-all-keys and thus a > SPoFailure/Denial/Surveillance. If we want that it is easier to go with > S/MIME. If hagrid supported an SKS-like reconciliation protocol, would that mitigate your concerns? -- Andrew Gallagher signature.asc Descriptio

Re: New keyserver at keys.openpgp.org - what's your take?

> On 15 Jun 2019, at 22:41, Vincent Breitmoser wrote: > > >> For a start, it only supports email userids - so it is incompatible with >> monkeysphere. > > Indeed! This is a use case that would be interesting to explore though, feel > free to open an issue on our tracker if you want to help

Re: New keyserver at keys.openpgp.org - what's your take?

> On 16 Jun 2019, at 12:51, Vincent Breitmoser wrote: > > >> Maybe you can consider in the future at least to allow CA sigs. >> Those would be only one sig per key and the CA signing keys >> could be stored in your database as reference as well. >> >> Currently 3 CAs come to mind:

Re: New keyserver at keys.openpgp.org - what's your take?

resource, meaning it's not resilient enough for distributing revocations, which is the main use case for SKS these days (there are already several alternative systems for discovery). So it's not an SKS-killer (yet). -- Andrew Gallagher signature.asc Description: OpenPGP digital signature

Re: I've been hacked and now I only use a key pair on keybase.

drive, but development has stalled. If there is genuine interest out there, I will dedicate some more time to it. [0] https://tails.boum.org [1] https://github.com/andrewgdotcom/frith -- Andrew Gallagher signature.asc Description: OpenPGP digital signature __

Re: Johnny-You-Are-Fired

and display it to you without question. They prioritise Getting It Done over Doing It Right, and it's hard to fight against a baked-in paradigm. It's like the old proverb about the tourist asking for directions in Ireland and being told "If I was you, I wouldn't start from here" :-D

Re: card-sized 4 Kbit RSA Smartcard recommendation with 3 slots

g bits and pieces, but when using it heavily, e.g. as an ssh auth method over ansible, it can get *very* sluggish. -- Andrew Gallagher signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnu

Re: Question about the security of the GnuPG Agent with regard to cryptographic material scrubbing

cess to your device. An encrypted drive is a better way to prevent an attacker getting access to sensitive material on disk (not only passwords). So while the problem you identify is bad, it's not fatal. -- Andrew Gallagher signature.asc Description: OpenPGP digit

Re: Using Yubikey only to encrypt/sign

> On 18 Feb 2019, at 20:35, Farhan Khan wrote: > Hey Andrew, > I was given the message "gpg: decryption failed: No secret key". I ran this: > > mv .gnupg .gnupg.bak > gpg --card-status > cat encrypted_message | gpg --decrypt > > This gave me the warning message: > gpg: encrypted with 2048-bit

Re: Using Yubikey only to encrypt/sign

> On 18 Feb 2019, at 05:19, Farhan Khan via Gnupg-users > wrote: > > How does one utilize *just* the yubikey (or OpenPGP smartcard in general) to > encrypt, sign, or decrypt? This might be in a scenario where I only have the > keys on my card but not on disk such as while traveling. I can

Re: Yubikey keytocard: "Bad secret key"

> On 17 Feb 2019, at 07:20, Farhan Khan via Gnupg-users > wrote: > > Key attributes ...: rsa2048 rsa2048 rsa2048 But you’re trying to load an rsa1024 key onto it. Have you tried loading a 2048 bit key instead? A ___ Gnupg-users mailing list

Re: Discrepancies in extracted photo-id images from dumps

> On 21 Jan 2019, at 17:29, justina colmena via Gnupg-users > wrote: > > How can people be so insufferably rude? O_o A ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Utilizing facts of homedir organization (was: Exact definition of token S/N field for --with-colons)

> On 10 Nov 2018, at 00:57, Dirk Gottschalk via Gnupg-users > wrote: > > I suggest using a Cron job, or a SystemD timer and service to do a > refresh on a regular base. I’ve found parcimonie to be useful. https://gaffer.ptitcanardnoir.org/intrigeri/code/parcimonie/

Re: First smartcard operation always fails

On 04/09/18 11:01, Peter Lebbing wrote: > On 04/09/18 10:17, Andrew Gallagher wrote: >> And I have just confirmed (by sending that mail) that both the first >> auth operation AND the first signing operation fail, separately. > > I have no idea, it's quite curious. As

Re: First smartcard operation always fails

On 04/09/18 09:11, Andrew Gallagher wrote: > Hi, all. > > I've had a pgp smartcard v2.1 for years now (two, actually), and I've > noticed that no matter what operation I perform, the first attempt after > inserting the card, or waking from sleep with the card inserted, fails.

First smartcard operation always fails

for as long as I can remember, across different machines, different software versions and OSes (Linux and Mac), and using both smartcards. Does anyone have any idea what's going on? -- Andrew Gallagher signature.asc Description: OpenPGP digital signature

Re: Forwarding both gpg and ssh agents

e written some (basic) documentation for internal use in my company. Let me know if you need any further help. -- Andrew Gallagher signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/m

Re: key distribution/verification/update mechanisms other than keyservers [was: Re: a step in the right direction]

ut the badness must not infect other servers automatically. -- Andrew Gallagher signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Forward gpg-agent to container

> On 4 Jun 2018, at 19:44, Benjamin Kircher wrote: > > Now inside the container I can see my socket > > # ls -l /gpg-agent > srwx-- 1 root root 0 Jun 4 17:45 /gpg-agent > > From here on, I am kind of stuck. I fail to somehow make gpg-agent inside the > container “use” the

Re: I just got an odd message

ed to confound bayesian analysis. YMMV -- Andrew Gallagher signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: AW: Break backwards compatibility already: it’s time. Ignore the haters. I trust you.

y crypto upgrades, particularly in an online setting such as a mail gateway. All this does is launder the obviously-dangerous bad ciphertext into an apparently-safe new ciphertext. -- Andrew Gallagher signature.asc Description: OpenPGP digital signature ___

Re: A postmortem on Efail

> On 20 May 2018, at 07:26, Robert J. Hansen wrote: > > Writing just for myself -- not for GnuPG and not for Enigmail and > definitely not for my employer -- I put together a postmortem on Efail. > You may find it worth reading. You may also not. Your mileage will >

Re: Efail or OpenPGP is safer than S/MIME

> On 17 May 2018, at 11:50, Patrick Brunschwig wrote: > >> On 17.05.18 10:07, Werner Koch wrote: >> On Thu, 17 May 2018 08:59, patr...@enigmail.net said: >> >>> Within 12 hours after the release I got 5 bug reports/support requests >> >> Kudos to Enigmail for acting as

Re: Breaking MIME concatenation

secure mail plugin(s). And since this has already been implemented in at least one plugin (see Patrick's earlier messages) I think it's best to leave it on that side of the fence. -- Andrew Gallagher signature.asc Description: OpenPGP digital sig

Re: Users GnuPG aims for? (Re: Breaking MIME concatenation)

2018. HTML mail is unfortunately going to be around for a long time. So mail clients (no more or less than web browsers) have a responsibility to sandbox untrusted content. Plaintext is a workaround, not a solution. -- Andrew Gallagher signature.asc Descr

Re: Users GnuPG aims for? (Re: Breaking MIME concatenation)

wiki markup language. Content-type: text/markdown ;-) -- Andrew Gallagher signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Efail or OpenPGP is safer than S/MIME

nt so far that this is limited to the expected breaking cases (pre-MDC ciphers) and not some unexpected side effect? -- Andrew Gallagher signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.or

Re: AW: AW: Efail or OpenPGP is safer than S/MIME

> On 16 May 2018, at 13:44, Fiedler Roman wrote: > > I am not sure, if gpg could support implementation/testing/life-cycle-efforts > to establish all those parameters and different process models for most of > the decryption processes gpg users envision to use gpg

Re: Breaking MIME concatenation

> On 16 May 2018, at 05:21, Patrick Brunschwig wrote: > > Content-Type: mutlipart/mixed; boundary="WRAPPER" > Content-Description: Efail protection wrapper > > --WRAPPER > Content-Type: text/html > > > > > > --WRAPPER > (result of PGP/MIME decryption) > --WRAPPER--

Re: Breaking MIME concatenation

ing to see if I could think up the quickest solution. ;-) -- Andrew Gallagher signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users

Breaking MIME concatenation

variable such as GNUPG_HTML_COUNTERMEASURES=true would certainly be sufficient, providing both users and MUA developers a convenient big red switch that can just be enabled. -- Andrew Gallagher signature.asc Description: OpenPGP digital signature

Re: Efail or OpenPGP is safer than S/MIME

you get garbage. BUT We should also be very careful to note that none of this discussion thread applies to the MIME concatenation vulnerability, which is a problem in Thunderbird and other mail clients, and which cannot be solved by gnupg. -- Andrew Gallagher signature.asc Description:

Re: Efail or OpenPGP is safer than S/MIME

On 14/05/18 14:44, Andrew Gallagher wrote: > I would humbly suggest that we stop worrying about which side of the > GPG/MUA fence the ball is on, and fix it on *both* sides. I have just opened tickets in both GnuPG and Enigmail for the respective integrity check mitigations.

Re: efail -> improvements (was: Efail or OpenPGP is safer than S/MIME)

On 15 May 2018, at 07:42, Bernhard Reiter wrote: >> Another thing we need to learn from this is that HTML elements may be a >> privacy concern in plaintext mail, but they are a *security* concern in >> encrypted mail. > > People clearly seem to want a way to send files

Re: Don't Panic.

> On 14 May 2018, at 14:47, Dan Kegel wrote: > > Anyway, if you have a checkbox for 'automatically decrypt', you might > consider unticking it.) This may not be sufficient. It’s not just automatic decryption but any decryption at all in the client that can trigger a callback.

Re: Efail or OpenPGP is safer than S/MIME

> On 14 May 2018, at 18:32, Werner Koch wrote: > > On Mon, 14 May 2018 15:44, andr...@andrewg.com said: > >> This all exposes one of the difficulties with trying to manage security >> software in a decentralised ecosystem. We end up in arguments over whose > > That is actually

Re: Efail or OpenPGP is safer than S/MIME

> On 14 May 2018, at 18:57, Lars Noodén wrote: > > How feasible would it be to strip or disable encryption in a fork of an > old version and just leave it capable of decryption? I’m sure it’s feasible, but it doesn’t address this issue or any other kind of oracle,

Re: Efail or OpenPGP is safer than S/MIME

capabilities of encrypted HTML mail are constrained, etc. The PGP ecosystem will survive this, because the tech is in place. The enforcement has just erred a little too far on the side of compatibility. It's all fixable. -- Andrew Gallagher signature.asc De

Re: Efail or OpenPGP is safer than S/MIME

s it's only a warning-level offence doesn't mean enigmail should agree... -- Andrew Gallagher signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Efail or OpenPGP is safer than S/MIME

ing fresh to the conversation: disabling the display of HTML email is *probably* a sufficient mitigation in either case. -- Andrew Gallagher signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg

Re: Efail or OpenPGP is safer than S/MIME

On 14/05/18 12:13, Andrew Gallagher wrote: > I tried again using CAST5 instead of MD5 to bypass the smartcard bug. Argh, I meant to say 3DES of course, not MD5. Sorry. -- Andrew Gallagher signature.asc Description: OpenPGP digital signat

Re: Efail or OpenPGP is safer than S/MIME

asc gpg: WARNING: no command supplied. Trying to guess what you mean ... gpg: encrypted with 4096-bit RSA key, ID 0x6B09069314549D4B, created 2013-07-02 "Andrew Gallagher <andr...@andrewg.com>" File 'reply.txt' exists. Overwrite? (y/N) Enter new filename: foo gpg: Signature made

Re: Efail or OpenPGP is safer than S/MIME

treat such warnings as fatal? Should mail clients *ever* treat mere warnings as fatal? I can't test here because I'm suffering from https://dev.gnupg.org/T3576 - guess that means I'm immune! ;-) -- Andrew Gallagher signature.asc Description: OpenPGP digital sig

Re: Efail or OpenPGP is safer than S/MIME

from Werner's link earlier: > We hesitate to require the MDC also for old algorithms (3DES, CAST5> > because a lot of data has been encrypted using them in the first > years of OpenPGP. So if someone sends me a 3DES-encrypted mail it won't check the MDC? Doesn't gpg still support readi

Re: Efail or OpenPGP is safer than S/MIME

ly that MDC *checking* is the default? If so, then all we would need to do is disable non-modern ciphers. Looks like S/MIME is pretty much buggered though... -- Andrew Gallagher signature.asc Description: OpenPGP digital signature ___ Gnupg-users mai

Re: Quick commands documentation

On 2018/05/03 09:14, Werner Koch wrote: > On Thu, 26 Apr 2018 11:05, andr...@andrewg.com said: > >> There's a suspiciously empty documentation page on the main site: > > I agree that it is pretty terse but it refers to another section with > the actual description of the commands. Aha, I was

Quick commands documentation

Hi, all. There's a suspiciously empty documentation page on the main site: https://www.gnupg.org/documentation/manuals/gnupg/The-quick-key-manipulation-interface.html Is this still WIP, or just an update/sync error? -- Andrew Gallagher signature.asc Description: OpenPGP digital signature

Re: Stupid Symantec

> On 16 Mar 2018, at 13:07, Phil Susi wrote: > > I believe you can enable EFS on the windows server and it will handle > decrypting the file before sending it over SMB. Then you don't need any > special software or configuration on the clients. How does that work when the

Re: Stupid Symantec

> On 16 Mar 2018, at 08:11, Steven Maddox wrote: > > Yeah this would be a cool approach that'd mean less reliance on the > kernel. However the files we (me and my colleagues) access (although > they're all using Windows PCs) are on SMB/Windows shares... so somehow >

Re: Stupid Symantec

ut the documentation is making my brain hurt: https://www.flam.de/issues/view.php?id=888 http://www.flam.de/en/technology/products/fluc/ -- Andrew Gallagher signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users

gpgsm as a CA

Hi, all. Is there any support for using gpgsm as a certificate authority? -- Andrew Gallagher signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg

Re: OpenPGP card && exporting secret keys

sk > plugged into the system I'm using to do this. I recommend using an offline system to do this; then you don't need to worry about leaving traces behind. Tails is a good solution, as it provides an encrypted persistent partition and comes with a recent gnupg preinstalled. -- Andrew Gallagher

Re: key distribution/verification/update mechanisms other than keyservers

y as 1, although more computationally intensive as it would need to be calculated per download (caching may help). Can be retrofitted to existing keyservers. -- Andrew Gallagher signature.asc Description: OpenPGP digital signature ___ Gnupg-users m

Re: key distribution/verification/update mechanisms other than keyservers [was: Re: a step in the right direction]

> On 16 Jan 2018, at 22:26, Leo Gaspard wrote: > > It could also help limit the impact of the nightmare scenario RJH has > described, by making sure all the data is “cryptographically valid and > matching”, thus making it harder to just propagate arbitrary data down >

Re: DRM?

> On 16 Jan 2018, at 18:15, Kristian Fiskerstrand > <kristian.fiskerstr...@sumptuouscapital.com> wrote: > >> On 01/16/2018 07:12 PM, Andrew Gallagher wrote: >>> On 16/01/18 17:19, Leo Gaspard wrote: >>> “on 2018-04-01, please expose only the master k

Re: DRM?

to be forgotten, then this could be a defensible fallback position. But it is not a solution to many of the *practical* problems in privacy protection. Ultimately, the PGP ecosystem prioritises security over privacy. They are not the same thing, and in some cases they are in conflict. -- Andrew Gallag

Re: a step in the right direction

t called USENET? -- Andrew Gallagher signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: a step in the right direction

users. The vandalism problem is solved by clients not displaying unverified content. Whereas the "nightmare scenario" happens entirely out of view of the average user, but has more serious consequences. Let's not mix them up. -- Andrew Gallagher signature.asc Description: OpenPGP d

Re: Remove public key from keyserver

> On 15 Jan 2018, at 21:13, Matthias Mansfeld > wrote: > > could this be implemented in a way that the _upload_ (not the > spreading between keyservers) requires signing? (unless it is a > revocation certificate)? So long as there is one keyserver

Re: Remove public key from keyserver (was: Hide UID From Public Key Server By Poison Your Key?)

> On 15 Jan 2018, at 16:39, Stefan Claas wrote: > > Maybe we need (a court) case were a PGP user requests the removal > of his / her keys until the operators and code maintainers wake up? You also need to prove that removal is technically possible. Otherwise all that

Re: Modernizing Web-of-trust for Organizations

> On 5 Jan 2018, at 08:41, Lou Wynn wrote: > > The only need for an > organization to access their data is decrypting the encrypted data, > which is satisfied by the auditing key. The standard way of doing this without allowing for impersonation is escrow of the encryption

Re: Modernizing Web-of-trust for Organizations

> On 4 Jan 2018, at 04:42, Lou Wynn wrote: > > It has a client key and uses it to log into the server, which is > similar to SSH key authentication, to retrieve the private key after > authentication. This bit confuses me. If you already store a private key locally, why use

Re: Impact of ROCA (CVE-2017-15361) in subkey vs. private key?

> On 29 Oct 2017, at 19:18, Shannon C wrote: > > I can't find anyone talking about this particular issue. Assuming that the > secret key was generated outside of an Infineon chip, but that subsequently > subkeys were generated by a chip with the ROCA vulnerability, does

Re: Working with an Online and Offline Computer when using GnuPG - Best Practice?

can understand. Point a webcam at the local console. ;-) -- Andrew Gallagher signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: FAQ and GNU

On 10/10/17 17:33, Mike Gerwitz wrote: > Not promoting its own ideals is working contrary to its goals. There is nothing in the GPL that requires one to be an evangelist. If the FAQ is incorrect or misleading, let's change it. But "insufficient fervour" is not sufficient grounds

Re: FAQ and GNU

y.html -- Andrew Gallagher signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: preferring --check-sigs over --list-sigs [was: Re: Houston, we have a problem]

Importing the governikus key gives me the same result. -- Andrew Gallagher signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: preferring --check-sigs over --list-sigs [was: Re: Houston, we have a problem]

cause IDs don't have an intrinsic order. -- Andrew Gallagher signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: preferring --check-sigs over --list-sigs [was: Re: Houston, we have a problem]

On 2017/09/28 10:57, Stefan Claas wrote: > > Now i have a problem lol... with my new pub key and --check-sigs. > > My new pub key 3BB27531899F06EA4582B2E9D68B6EAC6ECF3AB6 was signed > by Governikus 864E8B951ECFC04AF2BB233E5E5CCCB4A4BF43D7 and when doing > a --check-sigs i get an error...under

Re: Houston, we have a problem

On 26/09/17 14:39, Kristian Fiskerstrand wrote: > On 09/26/2017 03:38 PM, Andrew Gallagher wrote: >> Yes. Unfortunately it's tricky to implement that on a smartphone. We >> don't have card+phone working in gnupg yet either. We *barely* have >> gnupg working on phones at all. B

<    1   2   3   4   5   >