Re: get OpenPGP pubkeys authenticated using German personal ID

2023-06-14 Thread Neal H. Walfield
On Wed, 14 Jun 2023 10:22:36 +0200, Andre Heinecke via Gnupg-users wrote: > And the link to the website how to get a PGP Software linking to that fishy > "openpgp.org" website which lists Gpg4win as "Outlook software" on the same > level with Gpg4o? And which links to Claws mail as PGP software

Re: --auto-key-retrieve fails for some keys

2021-11-02 Thread Neal H. Walfield
On Tue, 02 Nov 2021 18:35:01 +0100, Phil Pennock via Gnupg-users wrote: > On 2021-11-02 at 16:05 +0100, Tadeus Prastowo via Gnupg-users wrote: > > The signature on a Linux kernel can be verified successfully using > > `--auto-key-retrieve', but the signature on an Emacs cannot be > > verified in

Re: trust-model and federated lookups

2021-10-25 Thread Neal H. Walfield
Hi Phil, On Fri, 22 Oct 2021 17:00:11 +0200, Phil Pennock via Gnupg-users wrote: > When evaluating the trust we have in the identity attached to a key, I > often see "WARNING: We have NO indication whether the key belongs to the > person named as shown above"; at the same time,

Re: Best practices for obtaining a new GPG certificate

2021-03-19 Thread Neal H. Walfield
On Fri, 19 Mar 2021 08:33:17 +0100, Robert J. Hansen via Gnupg-users wrote: > > > The next default is ECC (ed25519+cv25519) which is supported by most > > OpenPGP implementations. Only if you have a need to communicate with > > some niche implementations you need to use rsa3072. > > Last I

Re: WKD proper behavior on fetch error

2021-01-23 Thread Neal H. Walfield
On Fri, 22 Jan 2021 23:59:36 +0100, Andrew Gallagher via Gnupg-users wrote: > On 22/01/2021 17:29, Daniel Kahn Gillmor via Gnupg-users wrote: > > this is a non-backward-compatible change to the format, so i think > > that's probably not a great outcome. > > I can't help thinking that length

Re: WKD proper behavior on fetch error

2021-01-21 Thread Neal H. Walfield
On Thu, 21 Jan 2021 17:10:31 +0100, Daniel Kahn Gillmor wrote: > For WKD services which cannot control their webserver to disable > compression, and automate padding, a better approach would be to pad > each published key with an OpenPGP literal data packet, whose content is > filled with a

Re: WKD Checker

2021-01-19 Thread Neal H. Walfield
On Mon, 18 Jan 2021 17:12:56 +0100, Stefan Claas wrote: > I repeat here once again GitHub has a *valid* SSL cert. You're right. github has a valid TLS certificate. But that valid TLS certificate is not valid for openpgpkey.sac001.github.io. That's just the way it is, sorry. :) Neal

Re: WKD proper behavior on fetch error

2021-01-19 Thread Neal H. Walfield
On Mon, 18 Jan 2021 16:47:38 +0100, Ángel wrote: > So, while in the first case a bad certificate would be a critical > failure, in the second the right thing would be to fetch the key > *even if the certificate was invalid*, as it is used purely for > discovery. When you look up the

Re: WKD proper behavior on fetch error

2021-01-18 Thread Neal H. Walfield
On Mon, 18 Jan 2021 13:42:52 +0100, André Colomb wrote: > On 18/01/2021 10.14, Neal H. Walfield wrote: > > In short: I understand the motivation for the subdomain. I understand > > why one should first check there. But, I think we do our users a > > disservice by not falli

Re: WKD proper behavior on fetch error

2021-01-18 Thread Neal H. Walfield
Hi Angel, On Thu, 14 Jan 2021 01:47:12 +0100, Ángel wrote: > On 2021-01-13 at 10:12 +0100, Neal H. Walfield wrote: > As such, I do think sequoia is non-conformant, although I'm > more interested in determining the proper behaviour of a WKD client. > > ... > I think it wou

Re: WKD proper behavior on fetch error

2021-01-17 Thread Neal H. Walfield
Hi Stefan, On Sun, 17 Jan 2021 19:41:44 +0100, Stefan Claas via Gnupg-users wrote: > Please try to accept that GitHub (and maybe in the future others as well) > has *no* bad certificate! As others have tried to explain: the certificate that github uses for sub.sub.github.com is invalid for
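The point made in the "WKD Checker" and "WKD proper behavior on fetch error" replies above (a wildcard certificate for *.github.io does not cover openpgpkey.sac001.github.io) follows from the way WKD builds its advanced-method host and from the TLS wildcard matching rule. The following is an added example, not code from GnuPG, Sequoia or the wkd-checker: it constructs both WKD lookup URLs for an address (local part lower-cased, SHA-1, z-base-32) and applies the RFC 6125 wildcard rule to the advanced-method host. The address and the certificate name list in the `__main__` block are constructed inputs.

```python
"""WKD lookup URLs plus the certificate wildcard rule behind the github.io case.

Added example for this thread; it is not code from GnuPG, Sequoia or the
wkd-checker. It builds the advanced and direct WKD URLs for an address
(local part lower-cased, SHA-1, z-base-32) and applies the RFC 6125
wildcard rule, which is why a certificate for *.github.io is valid for
sac001.github.io but not for openpgpkey.sac001.github.io.
"""
import hashlib
from urllib.parse import quote

# z-base-32 alphabet; WKD encodes the 20 SHA-1 bytes as exactly 32 symbols.
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32, taking 5 bits at a time from the left."""
    nchars = (len(data) * 8 + 4) // 5
    n = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(ZBASE32[(n >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def wkd_hash(local_part: str) -> str:
    """Hash of the local part as used in the WKD URL path."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Advanced and direct method URLs for an e-mail address."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    # The l= query parameter carries the local part as written, not lower-cased.
    path = f"hu/{wkd_hash(local)}?l={quote(local)}"
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/{path}",
        "direct": f"https://{domain}/.well-known/openpgpkey/{path}",
    }


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """RFC 6125 wildcard rule: '*' may only be the whole left-most label and
    matches exactly one label, so '*.github.io' never covers 'a.b.github.io'."""
    cert_labels = cert_name.lower().split(".")
    host_labels = hostname.lower().split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        return cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def advanced_host_covered(address: str, cert_names: list) -> bool:
    """Does any certificate name validate the advanced-method host?"""
    domain = address.rsplit("@", 1)[1].lower()
    return any(hostname_matches(n, f"openpgpkey.{domain}") for n in cert_names)


if __name__ == "__main__":
    # Constructed input: the address is hypothetical and the SAN list is an
    # assumption modelled on a wildcard certificate for *.github.io.
    addr = "stefan@sac001.github.io"
    sans = ["*.github.io", "github.io"]
    for method, url in wkd_urls(addr).items():
        print(method, url)
    print("advanced host covered by certificate:", advanced_host_covered(addr, sans))
```

A client that treats a hostname mismatch on the advanced-method host as a hard failure will never reach the key; one that falls back to the direct method (https://sac001.github.io/...) would, which is the behaviour the thread argues about.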

WKD Checker

2021-01-17 Thread Neal H. Walfield
On Sun, 17 Jan 2021 19:27:05 +0100, Ángel wrote: > I feel there is a need for a proper wkd test suite (as well as a > clarifying on the draft itself the things that are coming up). FWIW, there is Wiktor Kwapisiewicz's wkd checker: https://gitlab.com/wiktor-k/wkd-checker

Re: WKD & Sequoia

2021-01-13 Thread Neal H. Walfield
Hi Andre, On Tue, 12 Jan 2021 20:13:42 +0100, André Colomb wrote: > It has also been pointed out repeatedly in this thread that Sequoia > apparently does not properly check the TLS certificate, which you have > proven with your example setup. That could be called "modern" or > "insecure". It

Re: WKD for GitHub pages

2021-01-09 Thread Neal H. Walfield
Hi Stefan, On Fri, 08 Jan 2021 23:05:52 +0100, Stefan Claas via Gnupg-users wrote: > On Fri, Jan 8, 2021 at 10:21 PM Stefan Claas > wrote: > > > I guess the only way to fix it (for many people) would be > > that, as of my understanding (now) the WKD check > > and SSL cert check would be a bit

Re: Avoid recipient-compatibility SHA1

2020-11-18 Thread Neal H. Walfield
Hi Stefan, A chosen-prefix collision attack works as follows: an attacker chooses two message prefixes, and then uses near-collision blocks (in the SHA-1 is a Shambles paper they needed about 10 such 512-bit blocks) to align the internal state of the two hashes. Since SHA-1 is a streaming
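The structure described above (two attacker-chosen prefixes, blocks that bring the two chaining values together, then a shared suffix that keeps the digests equal because the hash is iterated block by block) can be shown on a toy hash. The following is an added example, not code from the thread or from the Shambles paper; the 16-bit compression function is an assumption standing in for SHA-1 so that the alignment step is a table lookup rather than the multi-block cryptanalysis the paper describes. The two prefixes are constructed inputs.

```python
"""Toy chosen-prefix collision on a Merkle-Damgard hash.

Added example, not from the thread or the Shambles paper. A 16-bit toy
compression function stands in for SHA-1 (which is not broken this way in
a few lines); the structure is the point: the attacker fixes two prefixes,
finds per-side blocks that bring the two chaining values together, and
from then on any identical suffix keeps the two digests equal.
"""
import struct

MASK = 0xFFFF
BLOCK = 2          # bytes per block (SHA-1: 64)
IV = 0x1234        # toy initial chaining value


def compress(state: int, block: bytes) -> int:
    """Toy one-block compression with a Davies-Meyer style feed-forward.
    For a fixed state it is a bijection on the block, so every chaining
    value is reachable; real SHA-1 is nothing like this."""
    w = struct.unpack(">H", block)[0]
    x = ((state ^ w) * 0x9E37) & MASK
    x ^= x >> 7
    return x ^ state


def chain(msg: bytes) -> int:
    """Chaining value after absorbing a block-aligned message (no finalisation)."""
    assert len(msg) % BLOCK == 0
    state = IV
    for i in range(0, len(msg), BLOCK):
        state = compress(state, msg[i:i + BLOCK])
    return state


def toy_hash(msg: bytes) -> int:
    """Pad to a block boundary, chain, then MD-strengthen with the length."""
    length = len(msg)
    padded = msg + b"\x00" * (-length % BLOCK)
    return compress(chain(padded), struct.pack(">H", length & MASK))


def align_prefixes(p1: bytes, p2: bytes):
    """Pad both prefixes with spaces to the same block-aligned length, as the
    attack needs equal-length messages for the length block to agree."""
    n = max(len(p1), len(p2))
    n += -n % BLOCK
    return p1.ljust(n, b" "), p2.ljust(n, b" ")


def chosen_prefix_collision(p1: bytes, p2: bytes):
    """Find one block per side so both chaining values coincide. With a 16-bit
    state a 2^16 table does it; the Shambles paper needed ~10 near-collision
    blocks and 2^63 work for the same step on SHA-1."""
    p1, p2 = align_prefixes(p1, p2)
    s1, s2 = chain(p1), chain(p2)
    table = {}
    for w in range(1 << 16):
        b = struct.pack(">H", w)
        table.setdefault(compress(s1, b), b)
    for w in range(1 << 16):
        b2 = struct.pack(">H", w)
        b1 = table.get(compress(s2, b2))
        if b1 is not None:
            return p1 + b1, p2 + b2
    raise RuntimeError("no collision found")


if __name__ == "__main__":
    # Constructed inputs: two prefixes the attacker wants to carry one signature.
    m1, m2 = chosen_prefix_collision(b"Pay Alice 10 EUR", b"Pay Mallory 9999 EUR")
    suffix = b" -- approved by the bank"
    print(hex(toy_hash(m1 + suffix)), hex(toy_hash(m2 + suffix)))
```

Because the chaining values are equal after the alignment blocks and the messages have the same length, every common suffix (and the final length block) is absorbed identically on both sides, which is what makes the collision reusable for arbitrary trailing content.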

Re: Show that an encrypted message was signed, without decrypting it

2020-10-11 Thread Neal H. Walfield
Hi Teemu, On Sun, 11 Oct 2020 11:02:00 +0200, Teemu Likonen wrote: > * 2020-10-11 02:40:28+02, Stefan Claas wrote: > > > I was reading old GnuPG threads where people were asking if it's > > possible to extract a signature from an encrypted message. > > It seems that there is a visible signature

Re: Which keyserver

2020-09-19 Thread Neal H. Walfield
Hi Andrew, On Sat, 19 Sep 2020 21:38:22 +0200, Andrew Gallagher wrote: > Hagrid “solves” the vandalism problem by abandoning > decentralisation. This is not strictly true. When we think about updating keys, there are two types of information that can be updated: - Identity Information (User

Re: Why Operating Systems don't always upgrade GnuPG

2018-02-20 Thread Neal H. Walfield
At Tue, 20 Feb 2018 16:08:35 +0100, Werner Koch wrote: > > Yet another complementary approach might be to aggressively police the > > ecosystem by finding other software that depends on GnuPG in any of the > > aforementioned brittle ways, and either ask those developers to stop > > That is what

Re: Expected behaviour setting TOFU policy

2018-02-16 Thread Neal H. Walfield
Hi, At Thu, 15 Feb 2018 17:20:14 -0500, Konstantin Ryabitsev wrote: > But wait, now I can omit --trust-model from the command line and I get the > same > TOFU-based result, implying that trust-model tofu+pgp now sticks, even though > I've modified no config files: If you don't explicitly set

Re: FAQ and GNU

2017-10-11 Thread Neal H. Walfield
At Wed, 11 Oct 2017 17:47:29 +0200, Werner Koch wrote: > On Wed, 11 Oct 2017 09:15, n...@walfield.org said: > > > I'm aware of an effort that tried to port GnuPG to Android. bionic > > was a source of several problems. As far as I know, the work is > > Actually we solved the Bionic problems a

Re: FAQ and GNU

2017-10-11 Thread Neal H. Walfield
At Wed, 11 Oct 2017 08:26:21 +0200, Werner Koch wrote: > On Tue, 10 Oct 2017 20:55, b...@adversary.org said: > > > Has anyone managed to get any part of the GPG libs to compile on > > Android/Linux? As far as I'm aware no one has and all OpenPGP > > There might be problems with the current

Re: FAQ and GNU

2017-10-11 Thread Neal H. Walfield
At Tue, 10 Oct 2017 23:55:32 -0400, Robert J. Hansen wrote: > > > Amazing how much people want to comment on the color of this > > particular bikeshed! > > I agree. Bikeshedding frustrates me: I'll leave it at that. > > Reviewing the last forty-odd emails on the subject, there are a small >

Re: TOFU db corruption detected

2017-08-07 Thread Neal H. Walfield
Hi, Unfortunately, there isn't enough information in this report to reproduce your issue. If you feel comfortable sending me your TOFU db and your pubring.gpg / pubring.kbx per private mail, as well as telling me which key is causing the problem, then I will take a look. Key: 8F17 7771

Re: Test symmetrically encrypted files for errors - make sure they can be decrypted

2017-07-24 Thread Neal H. Walfield
At Sat, 22 Jul 2017 00:01:45 +0200 (CEST), wrote: > I am using GnuPG 1.4.x to symmetrically encrypt files before I > transfer them to "the cloud" for backup reasons. > Is there any way to test these encrypted files for errors, i.e. to > make sure they can be decrypted

OpenPGP Notations

2017-07-12 Thread Neal H. Walfield
Hi, I'm collecting examples of notations. If you somehow use notations, I'd love to hear how you are using them. (If you prefer to remain anonymous, please feel free to reply privately.) Also, I'm curious if anyone has a good use for unsigned ("unhashed") notations. Thanks! :) Neal Key:

Re: Are TOFU statistics used for validity or conflict resolution?

2017-07-06 Thread Neal H. Walfield
At Fri, 23 Jun 2017 13:45:39 +0300, Teemu Likonen wrote: > I don't know whether my thinking is common but perhaps it would be > helpful if gpg's man page made clear that on conflict situation both > keys go to "ask" mode. A quote from my gpg 2.1.18 manual: I tried to improve the documentation in

Re: Managing the WoT with GPG

2017-06-27 Thread Neal H. Walfield
At Tue, 27 Jun 2017 09:27:57 +0100, MFPA wrote: > On Monday 26 June 2017 at 10:31:04 AM, in > , > Goddess: Primal Chaos wrote:- > > > > Dear player, Thank you very much for contacting us > > by mail. > > > I've seen several of

Re: Managing the WoT with GPG

2017-06-26 Thread Neal H. Walfield
At Mon, 26 Jun 2017 11:27:30 +0200, martin f krafft wrote: > > Martin, I think --no-auto-check-trustdb and a cron job will > > already make it much more bearable, with the current state of > > things. That's what I'd suggest. > > I've been doing that for a long time already, and yes, it mitigates

Re: TOFU

2017-06-25 Thread Neal H. Walfield
At Fri, 23 Jun 2017 02:07:19 +0100, MFPA wrote: > On Wednesday 21 June 2017 at 7:49:42 PM, in > , Peter > Lebbing wrote:- > > > I think it's a bad UX choice to > > name an invalid > > signature "UNTRUSTED Good" and a valid signature > >

Re: Managing the WoT with GPG

2017-06-23 Thread Neal H. Walfield
At Fri, 23 Jun 2017 13:04:02 -0400, Brian Minton wrote: > > [1 ] > On Fri, Jun 23, 2017 at 03:50:27PM +0200, Neal H. Walfield wrote: > > > > Ensuring that a cache is consistent is *hard*. I don't think we want > > to add complexity (nevermind a cache!

Re: Managing the WoT with GPG

2017-06-23 Thread Neal H. Walfield
At Fri, 23 Jun 2017 15:35:05 +0200, martin f krafft wrote: > thus spoke Werner Koch [2017-06-22 19:02 +0200]: > > For a key listing this means computing it for every listed key. And the > > majority of frontends first do a key listing and show the validity of > > the keys before

Re: Are TOFU statistics used for validity or conflict resolution?

2017-06-23 Thread Neal H. Walfield
At Fri, 23 Jun 2017 13:22:23 +0200, Peter Lebbing wrote: > On 23/06/17 12:56, Neal H. Walfield wrote: > > It's up to the GPG client to interpret it. This document (authored by > > Andre and me) has some recommendations for MUAs: > > Ah! Thanks for the information. > &g

Re: Are TOFU statistics used for validity or conflict resolution?

2017-06-23 Thread Neal H. Walfield
At Fri, 23 Jun 2017 12:52:48 +0200, Peter Lebbing wrote: > > [1 ] > On 23/06/17 11:14, Neal H. Walfield wrote: > > No, both keys are set to ask. The key with a lot of observed > > signatures could be bad. This could occur, if there is a MitM, but > > the MitM

Re: Are TOFU statistics used for validity or conflict resolution?

2017-06-23 Thread Neal H. Walfield
At Thu, 22 Jun 2017 20:32:48 +0300, Teemu Likonen wrote: > Teemu Likonen [2017-06-22 09:42:50+03] wrote: > > Does the SUMMARY field's value (0-4) have effect on how key's validity > > is calculated or how TOFU conflicts are resolved or presented to a > > user? > > I didn't get answers yet but

Re: Are TOFU statistics used for validity or conflict resolution?

2017-06-22 Thread Neal H. Walfield
At Thu, 22 Jun 2017 09:42:50 +0300, Teemu Likonen wrote: > It _seems_ to me that > > - Field 3 :: validity - A number with validity code. > > is the same thing as SUMMARY in TOFU_STATS. Am I right? > > And here's my question again: Does the SUMMARY field's value (0-4) have > effect on how

Re: Managing the WoT with GPG

2017-06-22 Thread Neal H. Walfield
to be revoked. In that case, if 0xdeadbeef is marginally trusted, we now need to identify keys that were considered valid because of 0xdeadbeef, but no longer are. :) Neal At Thu, 22 Jun 2017 15:00:52 +0200, martin f krafft wrote: > > [1 ] > thus spoke Neal H. Walfield <n...@walfield.o

Re: Managing the WoT with GPG

2017-06-21 Thread Neal H. Walfield
At Wed, 21 Jun 2017 13:55:52 +0200, martin f krafft wrote: > > thus spoke Neal H. Walfield <n...@walfield.org> [2017-06-21 11:53 +0200]: > > > 3. Is there a way to run --check-trustdb or --update-trustdb not > > >over the entire key graph, but only

Re: Managing the WoT with GPG

2017-06-21 Thread Neal H. Walfield
Hi, At Tue, 20 Jun 2017 15:34:44 +0200, martin f krafft wrote: > I've spent some time trying to figure out how to make actual use of > the web-of-trust (the "pgp" trust-model), and I am turning to this > list for some advice, related to a couple of questions: > > 1. My public keyring has several

Re: some beginner questions

2017-04-03 Thread Neal H. Walfield
Hi, At Sun, 2 Apr 2017 18:23:14 -0500, Will Senn wrote: > but at the end of > the day, I don't seem to be able to sign anything with the signing > subkey if the master key is not present (with sec instead of sec#). Do > you know how I get it to use the subkey (the manual says it will default > to

Re: some beginner questions

2017-04-02 Thread Neal H. Walfield
At Sun, 2 Apr 2017 11:20:16 -0700, Doug Barton wrote: > On 04/01/2017 07:10 AM, Will Senn wrote: > > 3. I've read > > https://superuser.com/questions/466396/how-to-manage-gpg-keys-across-multiple-systems > > and other such pieces proclaiming the value of having the master key in > > a safe place

Re: GnuPG 2.1.19 crashing when listing keys, if tofu-default-policy is "ask"

2017-03-17 Thread Neal H. Walfield
Hi, At Wed, 15 Mar 2017 00:38:45 +, MFPA wrote: > I have been having GnuPG crash with the following message when listing > keys:- > > gpg --list-keys > gpg: O j: Assertion "conflict_set" in get_trust failed > (/home/wk/b-w32/speedo/PLAY-release/gnupg-w32-2.1.19/g10/tofu.c:2787) >

Re: GPG and Mailinglists using IBCPRE

2016-07-17 Thread Neal H. Walfield
On Sun, 17 Jul 2016 15:53:47 +0200, Richard Höchenberger wrote: > we've been using Schleuder2 for many years now, and it has always > worked flawlessly on a medium-traffic mailing list as long as everyone > used OpenPGP/MIME. Inline PGP will cause trouble from time to time. Schleuder requires that

Re: GPG and Mailinglists using IBCPRE

2016-07-17 Thread Neal H. Walfield
Hi, On Sat, 16 Jul 2016 16:38:27 +0200, Martin Konold wrote: > what is currently the recommended setup for running encrypted mailing lists. > > I am thinking about some IBCPRE mechanism. see also https://en.wikipedia.org/ > wiki/Identity-based_conditional_proxy_re-encryption > > I think this

Re: Decrypting multiple encrypted blocks on one stream using GPG

2016-07-08 Thread Neal H. Walfield
On Thu, 07 Jul 2016 11:32:30 +0200, Fiedler Roman wrote: > I'm trying to use gnupg to solve a usecase similar to the one depicted in > [1], but the workaround from [1] is not suitable, because: > > * Each file I have is larger than the machine holding the keys > * The keys cannot be moved > * The

Re: Perform only asymmetric encryption/decryption

2016-04-11 Thread Neal H. Walfield
On Mon, 11 Apr 2016 10:49:32 +0200, Erik Nellessen wrote: > > If I understand it correctly, --override-session-key does not allow me to set > the session key before encryption. It allows me to set the session key when > decrypting, so I can do it without using the private key. The option is

Re: Perform only asymmetric encryption/decryption

2016-04-11 Thread Neal H. Walfield
On Sun, 10 Apr 2016 12:56:09 +0200, Erik Nellessen wrote: > No, this is not about encrypting large amounts of data with asymmetric > encryption. ;) It is about encrypting and decrypting small strings, which are > still way smaller than the public/private key. So I guess this could be > possible

Re: pubring.kbx, no secring?

2015-12-22 Thread Neal H. Walfield
On Tue, 22 Dec 2015 14:45:59 +0100, Matthias Apitz wrote: > On Tuesday, December 22, 2015 at 02:41:24PM +0100, Neal H. Walfield > wrote: > > > Hi Matthias, > > > > On Tue, 22 Dec 2015 13:28:28 +0100, > > Matthias Apitz wrote: > > > Question: W

Re: pubring.kbx, no secring?

2015-12-22 Thread Neal H. Walfield
On Tue, 22 Dec 2015 15:08:46 +0100, Matthias Apitz wrote: > > On Tuesday, December 22, 2015 at 03:03:39PM +0100, Neal H. Walfield > wrote: > > > > Just to make sure: there have been no v1.x keys (I move away the old > > > .gnupg dir), why are

Re: gpgkey2ssh and Ed25519 key

2015-12-21 Thread Neal H. Walfield
Hi, On Mon, 21 Dec 2015 10:28:47 +0100, perillamint wrote: > I'm having trouble setting up ssh auth using Ed25519 key. > > I tries to convert it using gpgkey2ssh and it returns > > Unsupported algorithm: 22 > > Is there any version of gpgkey2ssh or other tool which allows converting > ed25519

Re: GPA - unsupported certificate

2015-12-08 Thread Neal H. Walfield
On Tue, 08 Dec 2015 13:16:29 +0100, Peter Lebbing wrote: > Again, no. Lots of programs get vague problems. It's just that it used > to be that GNOME Keyring said "those problems are in GnuPG", whereas the > GnuPG project said "those problems are caused by GNOME Keyring breaking > our software".

Re: [Announce] GnuPG 2.1.10 released

2015-12-07 Thread Neal H. Walfield
On Mon, 07 Dec 2015 01:05:51 +0100, MFPA wrote: > > * gpg: New trust models "tofu" and "tofu+pgp". > > > * gpg: New command --tofu-policy. New options > > --tofu-default-policy and --tofu-db-format. > > Should these be available in the Windows version? I get:- > > gpg: unknown trust

Re: gpg-agent prompt slow to show up

2015-11-27 Thread Neal H. Walfield
Hi, At Fri, 27 Nov 2015 16:43:09 +0800, Charlie Brown wrote: > I'm new to gpg, and I'm trying the agent. > > I noticed that when gpg needs to prompt me for pass phrase, the prompt > shows up about 15 seconds after I issue the command (e.g. gpg > --decrypt or git commit -S). The problem exists

Re: TOFU for GnuPG

2015-11-05 Thread Neal H. Walfield
At Thu, 5 Nov 2015 17:29:22 +, MFPA wrote: > On Thursday 29 October 2015 at 2:06:51 PM, in > <mid:878u6l93b8.wl-n...@walfield.org>, Neal H. Walfield wrote: > > Note: GpgME has not yet been extended to support TOFU > > so these messages might not be shown. > >

Re: TOFU for GnuPG

2015-11-03 Thread Neal H. Walfield
At Tue, 3 Nov 2015 15:37:06 +, MFPA wrote: > On Tuesday 3 November 2015 at 3:29:02 PM, in > <mid:87d1vr6r0h.wl-n...@walfield.org>, Neal H. Walfield wrote: > > > > The bindings are between user id and key. So, a new > > binding will be created. &g

Re: TOFU for GnuPG

2015-11-03 Thread Neal H. Walfield
At Tue, 3 Nov 2015 15:18:57 +, MFPA wrote: > On Tuesday 3 November 2015 at 2:38:04 PM, in > <mid:87fv0n6tdf.wl-n...@walfield.org>, Neal H. Walfield wrote: > > > > In this case, we store the whole user id (lower cased). > > Only if the user id is the empty string

Re: TOFU for GnuPG

2015-11-03 Thread Neal H. Walfield
At Tue, 03 Nov 2015 16:10:24 +0100, Andre Heinecke wrote: > Don't we need to lookup the new key anyway to make validity decisions? Until > then we assume "Unknown" trust. In the verify case, yes. But what about the sign case? We just see that the old key has been revoked, but we don't know

Re: TOFU for GnuPG

2015-11-03 Thread Neal H. Walfield
Hi, At Tue, 03 Nov 2015 16:56:27 +0100, Andre Heinecke wrote: > On Tuesday 03 November 2015 16:34:39 you wrote: > > At Tue, 03 Nov 2015 16:10:24 +0100, > > > > Andre Heinecke wrote: > > > Don't we need to lookup the new key anyway to make validity decisions? > > > Until then we assume "Unknown"

Re: TOFU for GnuPG

2015-11-03 Thread Neal H. Walfield
Hi Andre, At Fri, 30 Oct 2015 13:23:14 +0100, Andre Heinecke wrote: > On Thursday 29 October 2015 22:28:54 Neal H. Walfield wrote: > > At Thu, 29 Oct 2015 18:48:43 +0100, > > > > Johannes Zarl-Zierl wrote: > > > Out of curiosity: Does the TOFU implementation for g

Re: TOFU for GnuPG

2015-11-01 Thread Neal H. Walfield
Hi, At Sun, 1 Nov 2015 10:50:33 +, MFPA wrote: > Another thought. New signatures from a key that has long been inactive > may arouse suspicion. Perhaps it would be useful to output how long > ago was the last message verified. For example:- > > "66 messages signed over the past 3 years. The

Re: TOFU for GnuPG

2015-10-31 Thread Neal H. Walfield
At Sat, 31 Oct 2015 11:57:05 +, MFPA wrote: > > First, some statistics are displayed, namely, that > > we've verified 5 messages signed by this key in the > > past hour. > > > Would it say the same if it were not five unique messages? For > example, we read the same email five times and

Re: TOFU for GnuPG

2015-10-30 Thread Neal H. Walfield
At Fri, 30 Oct 2015 14:32:07 +, MFPA wrote: > On Friday 30 October 2015 at 11:51:27 AM, in > <mid:871tcc8thc.wl-n...@walfield.org>, Neal H. Walfield wrote: > > > > Sure. But your point is a red herring. There is > > *currently* no way to do this.

Re: TOFU for GnuPG

2015-10-30 Thread Neal H. Walfield
At Fri, 30 Oct 2015 12:06:14 +, MFPA wrote: > On Thursday 29 October 2015 at 2:06:51 PM, in > <mid:878u6l93b8.wl-n...@walfield.org>, Neal H. Walfield wrote: > > > > When you verify a > > message from some user for the first time, GnuPG saves > > the b

Re: TOFU for GnuPG

2015-10-30 Thread Neal H. Walfield
At Fri, 30 Oct 2015 11:43:28 +, MFPA wrote: > On Thursday 29 October 2015 at 9:28:54 PM, in > <mid:87611p8iuh.wl-n...@walfield.org>, Neal H. Walfield wrote: > > > > > Unfortunately, it doesn't. This is because there is > > currently no standard way to comm

TOFU for GnuPG

2015-10-29 Thread Neal H. Walfield
Hi, Last week, I checked in the TOFU code for GnuPG. This code will be part of the next release. It would be great to get some additional testing before this happens! Background -- TOFU stands for Trust on First Use and is a concept that will be familiar to anyone who regularly uses
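The replies in this thread describe the mechanics behind the announcement: a binding is recorded between a user id (the e-mail address, lower-cased, or the whole user id if there is no address) and a key the first time a signature is verified, a count of verified messages is kept per binding, and when a second key shows up for the same address both bindings go to "ask" until the user sets a policy. The following is an added example of that logic, not GnuPG's tofu.c; the policy names mirror `--tofu-policy`, while the sqlite layout, the `TofuDB` class and the sample addresses and fingerprints are assumptions constructed for the demonstration.

```python
"""Minimal TOFU (trust on first use) binding store in the spirit of gpg's tofu.db.

Added example, not GnuPG's code. It records (e-mail, fingerprint) bindings
on first sight, counts verified signatures per binding, and flags a
conflict when a second key appears for an already bound address. The
policy names (auto/good/unknown/bad/ask) mirror gpg's --tofu-policy; the
table layout and class are assumptions made for this example.
"""
import sqlite3
import time


class TofuDB:
    POLICIES = ("auto", "good", "unknown", "bad", "ask")

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE bindings (email TEXT, fingerprint TEXT, policy TEXT, "
            "first_seen INTEGER, PRIMARY KEY (email, fingerprint))")
        self.db.execute(
            "CREATE TABLE signatures (email TEXT, fingerprint TEXT, seen INTEGER)")

    @staticmethod
    def normalize(user_id: str) -> str:
        """Key the binding on the lower-cased e-mail address; fall back to the
        whole user id (lower-cased) when it carries no address."""
        if "<" in user_id and user_id.endswith(">"):
            user_id = user_id[user_id.rfind("<") + 1:-1]
        return user_id.strip().lower()

    def keys_for(self, email: str) -> list:
        rows = self.db.execute(
            "SELECT fingerprint FROM bindings WHERE email = ?", (email,))
        return [r[0] for r in rows]

    def verify(self, user_id: str, fingerprint: str, now: int = None) -> dict:
        """Record one verified signature and return the binding's state."""
        now = int(time.time()) if now is None else now
        email = self.normalize(user_id)
        known = self.keys_for(email)
        if fingerprint not in known:
            # First use of this key for this address: bind it. If another key
            # is already bound, that is a conflict: every binding that is
            # still on "auto" drops to "ask" until the user decides.
            self.db.execute("INSERT INTO bindings VALUES (?, ?, ?, ?)",
                            (email, fingerprint, "ask" if known else "auto", now))
            if known:
                self.db.execute("UPDATE bindings SET policy = 'ask' "
                                "WHERE email = ? AND policy = 'auto'", (email,))
        self.db.execute("INSERT INTO signatures VALUES (?, ?, ?)",
                        (email, fingerprint, now))
        policy = self.db.execute(
            "SELECT policy FROM bindings WHERE email = ? AND fingerprint = ?",
            (email, fingerprint)).fetchone()[0]
        count, first = self.db.execute(
            "SELECT COUNT(*), MIN(seen) FROM signatures "
            "WHERE email = ? AND fingerprint = ?", (email, fingerprint)).fetchone()
        return {"email": email, "fingerprint": fingerprint, "policy": policy,
                "conflict": len(self.keys_for(email)) > 1,
                "signatures": count, "first_seen_days_ago": (now - first) // 86400}

    def set_policy(self, user_id: str, fingerprint: str, policy: str) -> None:
        """Resolve a conflict the way `gpg --tofu-policy` would."""
        assert policy in self.POLICIES, policy
        self.db.execute("UPDATE bindings SET policy = ? WHERE email = ? AND fingerprint = ?",
                        (policy, self.normalize(user_id), fingerprint))


if __name__ == "__main__":
    # Constructed sample traffic: one address, then a second key for it.
    db = TofuDB()
    t0 = 1_600_000_000
    print(db.verify("Alice <Alice@Example.org>", "FPR-A", now=t0))
    print(db.verify("Alice <alice@example.org>", "FPR-A", now=t0 + 3 * 86400))
    print(db.verify("alice@example.org", "FPR-B", now=t0 + 4 * 86400))
    db.set_policy("alice@example.org", "FPR-B", "bad")
    print(db.verify("alice@example.org", "FPR-B", now=t0 + 5 * 86400))
```

The statistics returned alongside the policy are what the thread argues a mail client should show: a key seen for years with hundreds of verified messages and a key first seen today deserve different scepticism even when both are formally in "ask".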

Re: TOFU for GnuPG

2015-10-29 Thread Neal H. Walfield
At Thu, 29 Oct 2015 18:48:43 +0100, Johannes Zarl-Zierl wrote: > Out of curiosity: Does the TOFU implementation for gpg already allow for key > transition statements / is this planned for some point in the future? Unfortunately, it doesn't. This is because there is currently no standard way to

Re: TOFU for GnuPG

2015-10-29 Thread Neal H. Walfield
Hi Peter, At Thu, 29 Oct 2015 19:57:29 +0100, Peter Lebbing wrote: > > On 29/10/15 17:23, Daniel Baur wrote: > > isn’t it a little bit problematic that GPG now logs how often I received > > emails by someone else? > > I would think that in most situations, that is not a problem. If you >

Re: Direct signatures

2015-10-23 Thread Neal H. Walfield
Hi Lachlan, At Fri, 23 Oct 2015 10:58:22 +0200, Lachlan Gunn wrote: > Is there any way make GNUPG or libgpgme generate a signature from an > externally-computed hash? My justifications for this are twofold: In theory yes, in practice no. To generate an OpenPGP signature, the OpenPGP
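The "in theory yes, in practice no" in the reply above comes from what an OpenPGP v4 signature actually hashes (RFC 4880, section 5.2.4): the data, then the signature packet's own version, type, algorithm ids and hashed subpackets, then a fixed trailer. A finished digest over the data alone is therefore not the value that gets signed; only a resumable hash state would do. The following is an added example, not GnuPG or GPGME code; the data, the creation time and the algorithm choices are constructed inputs.

```python
"""What is actually hashed for an OpenPGP v4 signature (RFC 4880, 5.2.4).

Added example for this thread, not code from GnuPG or GPGME. The signed
digest is H(data || signature fields || trailer), not H(data), which is why
a finished externally computed digest cannot simply be signed, while a
resumable hash state over the data could be.
"""
import hashlib
import struct

SIG_BINARY = 0x00        # signature over a binary document
PK_RSA = 1               # public-key algorithm id, RFC 4880 9.1
HASH_SHA256 = 8          # hash algorithm id, RFC 4880 9.4
HASH_NAMES = {2: "sha1", 8: "sha256", 9: "sha384", 10: "sha512", 11: "sha224"}
SUBPKT_CREATION_TIME = 2


def subpacket(sp_type: int, body: bytes) -> bytes:
    """One signature subpacket in the one-octet length form (type + body < 192)."""
    length = len(body) + 1
    assert length < 192, "one-octet length form only"
    return bytes([length, sp_type]) + body


def creation_time_subpacket(unix_time: int) -> bytes:
    """Signature creation time, the one subpacket every v4 signature carries."""
    return subpacket(SUBPKT_CREATION_TIME, struct.pack(">I", unix_time))


def signature_hashed_area(sig_type: int, pk_algo: int, hash_algo: int,
                          hashed_subpackets: bytes) -> bytes:
    """Version, type, algorithm ids, subpacket length and the hashed subpackets."""
    return (bytes([4, sig_type, pk_algo, hash_algo])
            + struct.pack(">H", len(hashed_subpackets)) + hashed_subpackets)


def v4_trailer(hashed_area: bytes) -> bytes:
    """0x04 0xFF followed by the four-octet big-endian length of the hashed area."""
    return b"\x04\xff" + struct.pack(">I", len(hashed_area))


def data_hash_state(data: bytes, hash_algo: int):
    """Hash object over the data only: the state that could be handed over."""
    h = hashlib.new(HASH_NAMES[hash_algo])
    h.update(data)
    return h


def plain_digest(data: bytes, hash_algo: int) -> bytes:
    """H(data): what an external caller would typically hand in. Not signable."""
    return data_hash_state(data, hash_algo).digest()


def v4_signature_digest_resumed(state, sig_type: int, pk_algo: int, hash_algo: int,
                                hashed_subpackets: bytes) -> bytes:
    """Continue from a hash state over the data (hashlib exposes copy()), then
    absorb the signature fields and the trailer. This is the 'in theory' route."""
    area = signature_hashed_area(sig_type, pk_algo, hash_algo, hashed_subpackets)
    h = state.copy()
    h.update(area)
    h.update(v4_trailer(area))
    return h.digest()


def v4_signature_digest(data: bytes, sig_type: int, pk_algo: int, hash_algo: int,
                        hashed_subpackets: bytes) -> bytes:
    """The value the private key actually signs."""
    return v4_signature_digest_resumed(data_hash_state(data, hash_algo),
                                       sig_type, pk_algo, hash_algo, hashed_subpackets)


def reference_digest(data: bytes, sig_type: int, pk_algo: int, hash_algo: int,
                     hashed_subpackets: bytes) -> bytes:
    """Independent one-shot computation used to cross-check the streaming version."""
    area = signature_hashed_area(sig_type, pk_algo, hash_algo, hashed_subpackets)
    return hashlib.new(HASH_NAMES[hash_algo], data + area + v4_trailer(area)).digest()


if __name__ == "__main__":
    data = b"hello, world\n"                      # constructed input
    subs = creation_time_subpacket(1_700_000_000)  # constructed timestamp
    print("H(data)        :", plain_digest(data, HASH_SHA256).hex())
    print("signed digest  :", v4_signature_digest(data, SIG_BINARY, PK_RSA, HASH_SHA256, subs).hex())
```

Since the creation time sits inside the hashed area, even two signatures over identical data by the same key sign different digests; any API that accepts a precomputed digest would have to accept a hash state instead, which is the practical obstacle the reply points at.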

Re: Portable version of modern GnuPG

2015-10-05 Thread Neal H. Walfield
At Mon, 5 Oct 2015 14:22:30 -0500, Anthony Papillion wrote: > I'm working on a project that requires a portable version of GnuPG and > I'd like to use a modern version of it. As far as I can tell from > searching, GnuPG stopped being portable somewhere in the 1.4.x branch. GnuPG 2.x is still

Re: default-ttl not honoured

2015-09-22 Thread Neal H. Walfield
Hi, At Tue, 22 Sep 2015 11:07:22 -0400, SGT. Garcia wrote: > > hello, > this is my gpg-agent.conf: > > allow-preset-passphrase > default-cache-ttl 31536000 > > this has stopped working! i'm getting asked for password every 20 minutes or > so. > anyone else hitting this bug? hopefully i don't

Re: Proposal of OpenPGP Email Validation

2015-07-29 Thread Neal H. Walfield
At Wed, 29 Jul 2015 02:30:47 +0100, MFPA wrote: > On Monday 27 July 2015 at 1:15:57 PM, in > <mid:874mkpokxu.wl-n...@walfield.org>, Neal H. Walfield wrote: > > Regarding the design: personally, I wouldn't have the user follow a link that includes a swiss number, but have the user reply

Re: Proposal of OpenPGP Email Validation

2015-07-29 Thread Neal H. Walfield
At Wed, 29 Jul 2015 15:14:07 +0200, Ingo Klöcker wrote: > If you replace validation server with keysigning party participant then you get one of the ways participants of keysigning parties get their signatures to the key owners. So, it's already done and people do upload their signed keys.

Re: Proposal of OpenPGP Email Validation

2015-07-29 Thread Neal H. Walfield
At Wed, 29 Jul 2015 01:03:53 +0100, MFPA wrote: > On Tuesday 28 July 2015 at 11:46:10 PM, in > <mid:87vbd3nbnx.wl-n...@walfield.org>, Neal H. Walfield wrote: > > At Tue, 28 Jul 2015 19:22:29 +0100, MFPA wrote: > > > It also eliminates any attempt to establish a link between the key and the email

Re: Proposal of OpenPGP Email Validation

2015-07-29 Thread Neal H. Walfield
At Wed, 29 Jul 2015 14:05:49 +0100, MFPA wrote: > On Wednesday 29 July 2015 at 1:09:54 PM, in > <mid:87lhdzmagd.wl-n...@walfield.org>, Neal H. Walfield wrote: > > Personally, I think c is the killer in this plan: people aren't going to bother to upload it (assuming they even get that far

Re: Proposal of OpenPGP Email Validation

2015-07-28 Thread Neal H. Walfield
Hi, Did you consider using a proof-of-work scheme? For instance, the user does a 1 week PoW, signs the result and attaches it to the key. These would be refreshed about once a year. This eliminates the verification servers and the problems associated with them (namely, people need to trust them

Re: Proposal of OpenPGP Email Validation

2015-07-28 Thread Neal H. Walfield
At Tue, 28 Jul 2015 19:22:29 +0100, MFPA wrote: > On Tuesday 28 July 2015 at 8:22:23 AM, in > <mid:87y4i0n3v4.wl-n...@walfield.org>, Neal H. Walfield wrote: > > Did you consider using a proof-of-work scheme? For instance, the user does a 1 week PoW, signs the result and attaches it to the key

Re: Proposal of OpenPGP Email Validation

2015-07-27 Thread Neal H. Walfield
Hi, I guess you mean this: > The idea I have in mind is roughly as follows: if you upload a key to a keyserver, the keyserver would send an encrypted email to every UID in the key. Each encrypted mail contains a unique link to confirm the email address. Once all email addresses are

Re: Proposal of OpenPGP Email Validation

2015-07-27 Thread Neal H. Walfield
Hi Nico, At Mon, 27 Jul 2015 19:21:10 +0200, n...@enigmail.net wrote: > Thanks, Neal for the feedback. I will try to answer. > On 27.07.2015 at 14:15, Neal H. Walfield wrote: > > Hi, I guess you mean this: > > > The idea I have in mind is roughly as follows: if you upload a key

Re: Proposal of OpenPGP Email Validation

2015-07-27 Thread Neal H. Walfield
At Mon, 27 Jul 2015 17:51:56 +0200, Patrick Brunschwig wrote: > On 27.07.15 14:15, Neal H. Walfield wrote: > > Hi, I guess you mean this: > > > The idea I have in mind is roughly as follows: if you upload a key to a keyserver, the keyserver would send an encrypted email to every UID

Re: Parse LISTKEYS output

2015-06-04 Thread Neal H. Walfield
Hi, At Thu, 04 Jun 2015 12:06:42 +0300, Dmitry Falko wrote: > Is there a common way to parse data returned from the LISTKEYS command? The callback function receives a buffer with colon-separated information about the certificate; I need the fingerprint to use it with the IMPORT --re-import command. Are you running:

Re: Notes from the first OpenPGP Summit

2015-04-28 Thread Neal H. Walfield
Hi Simon, We've documented the problem at http://wiki.gnupg.org/GnomeKeyring . At Tue, 28 Apr 2015 14:45:22 +0200, Simon Josefsson wrote: > Werner Koch <w...@gnupg.org> writes: > > I appreciated the opportunity to meet the GPG Tools developers, who are very dedicated to make GnuPG working

Re: Notes from the first OpenPGP Summit

2015-04-28 Thread Neal H. Walfield
At Tue, 28 Apr 2015 10:26:05 -0400, Robert J. Hansen wrote: > The solution is to fix Gnome Keyring :). I've spoken with Stef, the main developer of GKR, and he confirmed that the only reason GKR MITMs GPG Agent is so that it can intercept prompts for the password to supply any cached

Re: Notes from the first OpenPGP Summit

2015-04-28 Thread Neal H. Walfield
At Tue, 28 Apr 2015 17:38:53 +0200, Werner Koch wrote: > On Tue, 28 Apr 2015 17:02, n...@walfield.org said: > > I've added a checkbox to pinentry that asks: Cache password with GKR > > and it is only shown if GKR is present. So it's opt-in. > Good. While you are at it: Please also add a checkbox

Re: wiki.gnupg.org (Re: LDAP-based Keyserver)

2015-03-02 Thread Neal H. Walfield
At Mon, 2 Mar 2015 12:35:30 +0100, Bernhard Reiter wrote: > On Saturday 28 February 2015 at 12:27:05, Neal H. Walfield wrote: > > http://wiki.gnupg.org/LDAPKeyserver > and while you were at it, you have also gone through a number of wiki pages correcting and improving the format and language

LDAP-based Keyserver

2015-02-28 Thread Neal H. Walfield
Hi, Nearly a decade ago, Walter Haidinger posted a how-to describing how to set up an OpenLDAP PGP keyserver. http://lists.gnupg.org/pipermail/gnupg-users/2006-February/028058.html In that time, OpenLDAP configuration has gotten a lot more complicated. I've modernized and significantly

Re: GNUPG 2.* and AIX - questions

2015-02-18 Thread Neal H. Walfield
At Sun, 15 Feb 2015 12:16:58 +0100, Michael Felt wrote: > My key question is about the difference between v1.X and v2.X: are there security elements in v2 that are missing/weaker in v1, or are the differences mainly that v2 supports/is always GUI while v1 is always CLI? gpg2 is a more

Re: Analogies to explain the principle of PGP

2014-07-03 Thread Neal H. Walfield
At Thu, 03 Jul 2014 12:50:50 +0200, Daniel Krebs wrote: > since I am currently discussing this with Matthias from the FSFE as part of #EmailSelfDefense, a quick question: which analogies do you use when you explain the principle of PGP/GPG to people? I mostly use the following version: It

Re: mascot_p

2014-06-17 Thread Neal H. Walfield
At Tue, 17 Jun 2014 11:36:11 +0200, Werner Koch wrote: > the guy I am working with on a new website, recently asked why we do not have a mascot like many other projects. What's your opinion on that? How about an Octopus? As I understand it, they like to try and open locks. Neal

Re: mascot_p

2014-06-17 Thread Neal H. Walfield
At Tue, 17 Jun 2014 09:00:52 -0400, Mark H. Wood wrote: > On Tue, Jun 17, 2014 at 12:04:20PM +0200, Neal H. Walfield wrote: > > At Tue, 17 Jun 2014 11:36:11 +0200, Werner Koch wrote: > > > the guy I am working with on a new website, recently asked why we do not have a mascot like many other

Re: mascot_p

2014-06-17 Thread Neal H. Walfield
FWIW, I was thinking of a stylized version of something like this: http://i76.photobucket.com/albums/j24/joebnfran/blog%20pics2/octopus.jpg (Found here: http://hideousseacreatures.tumblr.com/post/61030684038/octopi-will-keep-trying-to-kill-you-after-theyre-dead) Neal