Re: Copy Current GPG Installation to Another Server

2015-03-17 Thread Peter Lebbing
On 2015-03-17 23:18, Doug Barton wrote: I think you are asking way too much, and giving near-zero value in return. I'm not asking for anything. I suggested they check the plain SHA1 checksum or even not check at all! I'm merely opposed to making people think the short key ID is any good for

Re: Making the case for smart cards for the average user

2015-03-16 Thread Peter Lebbing
On 15/03/15 23:24, Jose Castillo wrote: I think it’s encouraging, in a perverse way, to hear that when GCHQ sought to compromise SIM card encryption keys [4], they had to resort to spying on the employees generating them. Perhaps the SIM cards are relatively well protected from remote access;

Re: Enigmail speed geeking

2015-03-14 Thread Peter Lebbing
On 13/03/15 22:33, Robert J. Hansen wrote: And if you don't trust /dev/urandom, I'd suggest using a different operating system, because that's a game-over compromise. I trust both /dev/random and the sanity of the default settings of GnuPG. And when I'm generating a key in GnuPG, I put my

Re: Enigmail speed geeking

2015-03-13 Thread Peter Lebbing
On 2015-03-13 19:54, Doug Barton wrote: But it is a major source of frustration when folks take comments out of context to use the tiniest bit of leverage with which to forward an agenda. WHAT?!?! It is true, text is a truly god-awful medium to communicate in. We are apparently completely

Re: Enigmail speed geeking

2015-03-13 Thread Peter Lebbing
On 12/03/15 20:17, Doug Barton wrote: Further, the inconvenience of having to deal with generating and socializing a new key if your smart card gets lost, becomes inoperable, etc. is way too high a cost for near-zero benefit. And what if your hard drive holding your on-disk key crashes? Do you

Re: Enigmail speed geeking

2015-03-13 Thread Peter Lebbing
I interpreted Doug's message as saying that a disadvantage of smartcards, as opposed to on-disk keys, is that you lose the key when the smartcard stops functioning. I was replying to this statement by Doug: Further, the inconvenience of having to deal with generating and socializing a new key

Re: Enigmail speed geeking

2015-03-13 Thread Peter Lebbing
On 2015-03-13 15:31, Brian Minton wrote: If a key is generated externally, a backup can be taken before the key is moved to the card. For a key generated on the card, there is (by design), no way to extract the secret key, including for the purpose of backing it up When you ask GnuPG to

Re: AES-NI, symmetric key generation

2015-03-11 Thread Peter Lebbing
On 11/03/15 18:55, Maricel Gregoraschko wrote: One more question: Is there any standardization in output formats between encryption programs and libraries, for example say you encrypt with AES128 in CBC, with the same key (directly or via passphrase), and since the output will have to have,

Re: where can one find an official gnupg project statement on the state of sub project?

2015-03-05 Thread Peter Lebbing
On 05/03/15 11:33, Paulo Lopes wrote: as of today (March 5, 2015) ubuntu 14.04 LTS is still offering gnupg 1.4.16 even though there have been security issues fixed in 1.4.17, 1.4.18 and 1.4.19. In a way an uninformed user that is under the impression that gnupg is secure due to the fact that

Re: Thoughts on GnuPG and automation

2015-03-04 Thread Peter Lebbing
On 04/03/15 00:55, Hans of Guardian wrote: [...] what I'm trying to say is that for programming environments where GPGME does not make sense, there should be the ability to easily make a native version of what GPGME is doing. Couldn't this be achieved by writing a C program that, for instance,

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Peter Lebbing
On 03/03/15 14:29, Hans of Guardian wrote: It is actually more difficult to wrap GPGME in Java than to have just rewritten GPGME in Java. In my opinion, if this is the case, then that is indeed the proper solution: write a general-purpose library à la GPGME, but don't call gpg directly from

Re: Thoughts on GnuPG and automation

2015-03-03 Thread Peter Lebbing
On 03/03/15 18:29, Hans of Guardian wrote: Android has an installed base of hundreds of millions. Desktop UNIX is the exotic system here as compared to Windows, Android, etc. I have no idea about how difficult it is to launch the gpg binary with a few pipes attached to a few file descriptors

Re: German ct magazine postulates death of pgp encryption

2015-03-02 Thread Peter Lebbing
On 02/03/15 11:35, Stephan Beck wrote: Sticking to that perfect position argument, in what kind of position are (would be) the people that control (packaging of) your distro? (Just curious.) I think they basically completely control my system. For individual Debian Developers, it might need

Re: German ct magazine postulates death of pgp encryption

2015-03-01 Thread Peter Lebbing
On 01/03/15 13:21, Jonathan Schleifer wrote: You mean like BitMessage https://bitmessage.org/bitmessage.pdf? It was Werner who floated the idea of replacing SMTP here on gnupg-users. After thinking about it, it made a lot of sense to me. You could search gnupg-users for his messages about this.

Re: Whishlist for next-gen card

2015-03-01 Thread Peter Lebbing
On 01/03/15 17:43, NdK wrote: while I was talking of remote user auth (so using openpgp card instead of ~/.ssh/id_* keys -- something that's already doable). No, I'm talking about that as well. And I don't think the fingerprint of the host is part of the signed data or the signature. Why do you

Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Peter Lebbing
On 28/02/15 14:06, Ralph Seichter wrote: but PGP does not work for mass e-mail protection Let me stress again that the proper course might be to replace SMTP (e-mail) and then work from that. If you have a sieve and wish for something to hold liquids, you could plug up all the holes or say Blow

Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Peter Lebbing
On 28/02/15 13:28, Johan Wevers wrote: I don't see even the NSA breaking that. Heh, famous last words ;). Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at

Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Peter Lebbing
I think a bit of opportunistic encryption without proper identity verification can be a very good thing. I was just pointing out that you need to know the limits of that way of working, and make a conscious decision whether you need proper verification or not. But I didn't indicate that clearly

Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Peter Lebbing
On 28/02/15 16:25, Bjarni Runar Einarsson wrote: E-mail is the *only* surviving decentralized free and open messaging system with any clout today. Literally everything else in common use is proprietary and centralized. We should all be deeply worried about this. Well, I think it's a bit grim

Re: Whishlist for next-gen card

2015-02-27 Thread Peter Lebbing
On 21/02/15 19:54, NdK wrote: 4 - HOTP PINs for signature/certification keys What generates the HOTP then? Do you type a PIN on the HOTP device to get the HOTP? No need. Just an applet on the phone could do. At least if you aren't using the same phone to do the crypto. I don't understand

Re: German ct magazine postulates death of pgp encryption

2015-02-27 Thread Peter Lebbing
On 27/02/15 21:12, Andreas Schwier wrote: I'd rather start a communication with a bogus key and establish trust in my genuine peer from the conversation we are having. But what about that Man in the Middle who does nothing more than receive your message encrypted to their key and forward it to

Re: Whishlist for next-gen card

2015-02-27 Thread Peter Lebbing
On 27/02/15 21:59, NdK wrote: For auth it should be the hash of the host's pub key, the same SSH shows you the first time you connect to that host. I think you're confusing /host/ authentication and /user/ authentication. I was talking about using the auth key on your OpenPGP card to do user

Re: German ct magazine postulates death of pgp encryption

2015-02-27 Thread Peter Lebbing
On 27/02/15 09:45, gnupgpacker wrote: German ct magazine has postulated [...] published mail addresses are collected from keyservers They are? I can read German, but it is veeerr slooo. So I'll probably not do that. But I have a honeypot key on the keyservers that has a

Re: GNU-divert-to-card S2K format

2015-02-25 Thread Peter Lebbing
Oops, I realised I made a mistake. On 24/02/15 19:49, Peter Lebbing wrote: - [Optional] If string-to-key usage octet was 255 or 254, a string-to-key specifier. The length of the string-to-key specifier is implied by its type, as described above. specifier 110 hash algo

Re: Unattended signing

2015-02-25 Thread Peter Lebbing
On 25/02/15 06:49, NdK wrote: Use a smartcard and generate on-card a new key that replaces the expired one. While I agree this could be a neat setup for OP, it might be overkill or even impractical given the signing speed of a smartcard. I don't know what volume of signatures will be issued.

Re: Surprising command line options handling

2015-02-24 Thread Peter Lebbing
On 24/02/15 09:34, Werner Koch wrote: No, we can't error out on an arg which looks like an option because that may actually be a valid argument. However, if running interactively and --batch is not specified, might it be useful to print Warning: --export-options did not match any key with the

Re: GNU-divert-to-card S2K format

2015-02-24 Thread Peter Lebbing
On 24/02/15 17:52, Werner Koch wrote: for everything else you need to look at the code (parse-packet.c) RFC 4880 specifies that for a string-to-key usage octet of 255, the final two bytes are a checksum, but it /is/ part of the encrypted data for v4 keys. I was curious and also had a look at the

Re: Unattended signing

2015-02-24 Thread Peter Lebbing
On 24/02/15 23:16, Daniel Kahn Gillmor wrote: So why are you keeping it around? I suppose it depends on your definition of destroying... I think you'd be fine with setting an expiry date and --delete-secret-key-ing the subkey when the time comes. If you asked me to /destroy/ the key, I would

Re: Whishlist for next-gen card

2015-02-21 Thread Peter Lebbing
On 20/02/15 09:32, NdK wrote: 1 - support for more keys (expired ENC keys, multiple signature keys) Yes! This would be a great feature to keep expired encryption keys on a card. I personally would have no use for more than 1 signature and 1 authentication key, but I don't see a reason why you

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-19 Thread Peter Lebbing
On 2015-02-19 18:16, Jonathan Schleifer wrote: I also like @ to hide useless output, but is downloading *and executing* from a remote location really something you should hide? Especially if everything else isn't hidden? I can understand you're pretty darn pissed off that they executed

Re: Please remove MacGPG from gnupg.org due to serious security concerns

2015-02-18 Thread Peter Lebbing
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 17/02/15 22:32, Lukas Pitschl wrote: We've recently been accused again of "knowingly lowering the overall security" [1] by not allowing such a key size. We're still not sure what to do about it exactly. There will always be people who think

Re: 2.1.2: keyserver route failure

2015-02-18 Thread Peter Lebbing
On 18/02/15 18:07, Johan Wevers wrote: Admit it, IPv6 has failed. It may get some uses, but the widespread adaptation of carrier NAT has made it largely obsolete. Tired as I may be of this discussion (what's your next argument, NAT provides beneficial firewalling behaviour?), I still wish to

Re: MIME or inline signature ?

2015-02-13 Thread Peter Lebbing
On 2015-02-13 15:07, Brian Minton wrote: if you have a 4096 bit RSA key, please dont sign inline. The signature block is ridiculously long. You'll find it is actually even an 8192 bit RSA key. Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me

Re: [Announce] GnuPG 2.1.2 released

2015-02-12 Thread Peter Lebbing
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 11/02/15 20:40, Werner Koch wrote: Since the start of the funding campaign in December several thousand people have been kind enough to donate a total of 25 Euro to support this project. In addition the Linux Foundation gave a grant of $

Re: Revoked keys and past signatures

2015-02-10 Thread Peter Lebbing
On 09/02/15 20:34, Daniel Kahn Gillmor wrote: the *date* of your key was superseded revocation is relevant, though. Any certifications that claim to have happened after the date of the revocation *should* be considered invalid, whereas revocations that happen before that date (but after the

Re: (bug?) Revoked keys and past signatures

2015-02-10 Thread Peter Lebbing
On 10/02/15 12:52, Kristian Fiskerstrand wrote: No, the signature is still valid: $ gpg2 --verify test.gpg gpg: Signature made Tue 10 Feb 2015 11:53:47 CET using RSA key ID B2F1C0D8 gpg: Good signature from Testkey 3 [unknown] ^^ In my opinion, the signature might be

Re: (bug?) Revoked keys and past signatures

2015-02-10 Thread Peter Lebbing
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 10/02/15 13:30, Kristian Fiskerstrand wrote: Unless you rely on a trusted third party to provide signature stamps, signature dates can be forged. A key revocation should result in immediate questioning of all aspects of the key, as it currently

Re: (bug?) Revoked keys and past signatures

2015-02-10 Thread Peter Lebbing
On 10/02/15 13:24, Peter Lebbing wrote: If you're convinced you're not mistaken, could you please take the time to show me where this data signature from a revoked key is any different than a signature from any random invalid key? Quick correction: If you're convinced you're not mistaken

Re: Key keeps showing unknown trust

2015-02-09 Thread Peter Lebbing
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 09/02/15 10:27, Hugo Osvaldo Barrera wrote: However, the issue at hand is another: even if I set a trust of 5 (ultimate), the next screen still shows it as unknown and that doesn't change. Also not when you quit and edit the key again? It

Re: Revoked keys and past signatures

2015-02-09 Thread Peter Lebbing
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 08/02/15 20:06, Hugo Osvaldo Barrera wrote: Does this mean that if someone revokes their key today, *all past* signatures become invalid? I believe so, yes. You should probably have expired it instead, sorry. Suppose it is revoked because

Re: Key keeps showing unknown trust

2015-02-08 Thread Peter Lebbing
On 07/02/15 20:43, Hugo Osvaldo Barrera wrote: I don't think I'm doing something wrong, but: Am I? Did I miss something? Yes, you have interpreted it wrong. What you are doing now is this statement: I trust Hugo Osvaldo Barrera checks identities carefully before signing keys. However, I do not

Re: How to reset the PIN counter

2015-02-08 Thread Peter Lebbing
On 07/02/15 21:45, Rainer Keller wrote: Unfortunately this seemed to brick the card. gpg: OpenPGP card not available: Not supported Gnupg does not detect the card anymore. Fortunately, your card is not bricked. But GnuPG can't access it anymore. If you have a recent enough version of GnuPG,

Re: Talking about Cryptodevices... which one?

2015-02-06 Thread Peter Lebbing
You know, if you had just said right from the start I know that a smartcard is supposed to protect theft of the private key but what is the use of that given that they can still sign and decrypt, the discussion might have progressed a /lot/ quicker. Also, it doesn't help that you eloquently refute

Re: Talking about Cryptodevices... which one?

2015-02-06 Thread Peter Lebbing
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 06/02/15 00:32, Faramir wrote: But I still have the impression about smartcards are supposed to prevent an attacker from stealing the private keys from the cards, right? Yes, I agree. Peter. - -- I use the GNU Privacy Guard (GnuPG) in

Re: Talking about Cryptodevices... which one?

2015-02-06 Thread Peter Lebbing
On 06/02/15 01:21, Matthias-Christian Ott wrote: If they provably don't sign their firmware or incorrectly check the signature and are not responsive, perhaps it would be helpful to talk to them through third parties like BSI or S-CERT Why?! Why would I do that?! I do like to think of myself

Re: Talking about Cryptodevices... which one?

2015-02-06 Thread Peter Lebbing
On 06/02/15 01:21, Matthias-Christian Ott wrote: Yes, you /could/. However, we were talking about Rainer smartcard readers, which /don't/. Do you have evidence for this? To set the record straight: no, I don't know this, I might myself have inferred a bit too much from Werner stating that:

Re: Talking about Cryptodevices... which one?

2015-02-05 Thread Peter Lebbing
On 04/02/15 23:12, Matthias-Christian Ott wrote: You could protect against this scenario by signing the firmware. Yes, you /could/. However, we were talking about Rainer smartcard readers, which /don't/. I think we're really not having the same discussion here... I didn't make this argument.

Re: Talking about Cryptodevices... which one?

2015-02-04 Thread Peter Lebbing
On 04/02/15 21:44, Matthias-Christian Ott wrote: There are enough examples of vendors that introduced government backdoors in their proprietary products to come to the conclusion that it is probably not a good idea to use proprietary software or hardware if your threat model includes

Re: Anonymous payment for hardware tokens

2015-02-04 Thread Peter Lebbing
On 04/02/15 13:56, NIIBE Yutaka wrote: I meant, something in a JTAG/SWD protocol layer (not by user program), built-in _hardware_ feature by semiconductor manufacturer to show hash of flash blocks. But Gnuk is not secret, so the flash doesn't need to be read-protected. And if you need a JTAG

Re: GPA fails to verify certain .asc files

2015-01-25 Thread Peter Lebbing
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 25/01/15 11:48, Damien Goutte-Gattat wrote: It looks like bug 1637 [1], which indeed affected gpa-0.9.4 but has been fixed in gpa-0.9.5 and later versions. So GPA never verified detached signatures in the first place? I read the report by Philip

Re: GPA fails to verify certain .asc files

2015-01-25 Thread Peter Lebbing
I was postulating that the breakage might be related to the fact that GnuPG in batch mode no longer verifies a detached signature as valid when it is only given the detached signature, instead of the pair of signed file and detached signature. This security fix was backported to 2.0 and 1.4, so it

Re: GPA fails to verify certain .asc files

2015-01-25 Thread Peter Lebbing
On 25/01/15 14:49, Philip Jackson wrote: I'm sorry if I've wasted people's time with a worry from the past that no longer exists. It was totally reasonable to bring this to the list, so no need to apologise as far as I'm concerned. Peter. -- I use the GNU Privacy Guard (GnuPG) in combination

Re: Talking about Cryptodevices... which one?

2015-01-25 Thread Peter Lebbing
On 25/01/15 17:31, Matthias-Christian Ott wrote: [...] but I felt that I had to intervene to stop portraying the OpenPGP card as a secure solution. I suppose you and I read the following statement from that mail by Werner quite differently: On 23/01/15 21:31, Werner Koch wrote: Granted,

Re: Talking about Cryptodevices... which one?

2015-01-25 Thread Peter Lebbing
On 23/01/15 22:53, Bob (Robert) Cavanaugh wrote: Werner, What set would you recommend for us Linux types (Fedora 20 in my case) ? Werner has posted on this mailing list what he uses himself; I suppose a good search term should turn it up rather quickly from the archives. SCM is pretty okay; I

Re: Talking about Cryptodevices... which one?

2015-01-24 Thread Peter Lebbing
On 24/01/15 17:57, Andreas Schwier wrote: Can you provide any evidence for that claim or is this just paranoia ? One man's paranoia is another man's common sense, I suppose. Since those smartcards are pretty much exclusively used for security purposes, i.e., private key storage, they're a likely

Re: GPA fails to verify certain .asc files

2015-01-24 Thread Peter Lebbing
On 24/01/15 20:05, Philip Jackson wrote: Using GPA 0.9.4 in linux. I downloaded a file and its signature as a .asc from a website that I have used many times. While looking at the spelling of the filename, I accidentally clicked on the signature file and launched GPA so decided to use it

Re: gpg-connect-agent querying max-cache-ttl

2015-01-12 Thread Peter Lebbing
On 12/01/15 18:45, Rob Fries wrote: I believe the proper way to do this would be through gpg-connect-agent. You're mistaken; it's as Patrick said through gpgconf, the program to programmatically query the configuration. $ gpgconf --list-options gpg-agent|grep ^max-cache-ttl: |cut -d: -f 10 But

Re: gpg-connect-agent querying max-cache-ttl

2015-01-12 Thread Peter Lebbing
On 12/01/15 21:48, Rob Fries wrote: But I am not looking for the value in the configuration, I am looking for the time remaining until a passphrase expires. Oh ah! Have you considered these two options: 1) gpgconf says the ttl is a 32-bit unsigned number. Have you tried entering the value

Re: Key selection

2015-01-02 Thread Peter Lebbing
this is not much work. $ gpg2 -k lebbing pub 1024R/3E4FCA14 2006-03-31 [revoked: 2009-11-12] uid [ revoked] Peter Lebbing pe...@digitalbrains.com pub 2048R/DE500B3E 2009-11-12 [expires: 2015-10-27] uid [ultimate] Peter Lebbing pe...@digitalbrains.com sub 2048R/DE6CDCA1 2009-11-12

Re: Craft public key so that private key equals given string (my password)?

2015-01-02 Thread Peter Lebbing
On 02/01/15 13:14, sben1783 wrote: What I'd like to do is: create a public key so that the corresponding private key equals my given password. This is possible with elliptic curve cryptography, although you should realise that a passphrase usually contains a lot less entropy than a private key
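The point made above, that an elliptic-curve private key is just a scalar and can therefore be derived from a passphrase, shown as an added example that is not part of the original message or of GnuPG (which offers no such mode). The curve (secp256k1), the KDF (PBKDF2-HMAC-SHA256) and the salt are assumptions chosen for illustration; the code computes the matching public point so you can see that the same passphrase always yields the same key pair, and a comment states the entropy caveat that the message raises.

```python
import hashlib

# secp256k1 domain parameters (assumption: any prime-order curve would do).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def is_on_curve(point):
    """y^2 == x^3 + 7 (mod P); None is the point at infinity."""
    if point is None:
        return True
    x, y = point
    return (y * y - x * x * x - 7) % P == 0


def _add(p1, p2):
    """Affine point addition (handles doubling and the point at infinity)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None  # p1 == -p2
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point=G):
    """Double-and-add; returns k*point (None for the point at infinity)."""
    result = None
    addend = point
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def keypair_from_passphrase(passphrase, salt, iterations=100_000):
    """Derive (private scalar, public point) from a passphrase.

    The scalar is fully determined by the passphrase and salt, which is the
    point of the question on the list. It is also the weakness: the key has
    no more entropy than the passphrase, so an attacker who guesses the
    passphrase has the private key; the KDF only slows each guess down.
    """
    raw = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                              iterations, dklen=32)
    # Map into [1, N-1]; the bias from the modular reduction is negligible
    # for a 256-bit input, and irrelevant next to the passphrase entropy.
    priv = int.from_bytes(raw, "big") % (N - 1) + 1
    return priv, scalar_mult(priv)


if __name__ == "__main__":
    # Constructed inputs, not real credentials.
    k, pub = keypair_from_passphrase("correct horse battery staple", b"example-salt")
    print(f"private scalar: {k:064x}")
    print(f"public x:       {pub[0]:064x}")
    print(f"public y:       {pub[1]:064x}")
```

Running the script twice prints identical keys, which is exactly what the question asked for; the public point could then be wrapped in whatever key format a consumer expects, while the "private key file" never needs to exist because it is recomputed from the passphrase.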

Re: Craft public key so that private key equals given string (my password)?

2015-01-02 Thread Peter Lebbing
On 02/01/15 17:04, Ben Staude wrote: Another thought would be to just paste the private key (encrypted by my password) to the gpg'd files? Of course my private key would then be sort of public, but still it is as secure as using symmetric encryption with that password in the first place (but

Re: GnuPG and g10 code

2014-12-16 Thread Peter Lebbing
On 16/12/14 13:26, Dave Pawson wrote: What about: https://en.wikipedia.org/wiki/OpenPGP_card (IMHO) pure geekery copied from one of the other pages? Hmmm, that article seems lacking. If you would have asked nicely, I might have bothered to improve it. Now, I don't feel inclined to do it.

Re: Mainkey with many subkeys??

2014-12-13 Thread Peter Lebbing
On 13/12/14 12:12, Tomo Ruby wrote: But what does meaningful way mean? That there may be theoretic methods to use signatures to learn information about the private key, but that they are all so impractical that they can be ignored. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in

Re: Randomized hashing

2014-12-13 Thread Peter Lebbing
On 28/11/14 11:41, NdK wrote: Oh, I agree, I already thought that might close any 'r'-swapping security issues, if there would be any; just like you can include the hash algorithm in the signature to prevent swapping it out for a weaker one. But when swapping 'r''s does not actually create

Re: Mainkey with many subkeys??

2014-12-12 Thread Peter Lebbing
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 11/12/14 15:15, Tomo Ruby wrote: I really know only of this approach: The more encrypted/signed data I spread over the web, the easier it might be for an attacker to calculate the secret key. If this was advice directly relating to OpenPGP: Do

Re: 31C3, keysigning party

2014-12-11 Thread Peter Lebbing
On 11/12/14 11:39, Werner Koch wrote: Hi! Hi! I will be at the 31C3 at Hamburg from the 28th (late afternoon) to the 30th. You may find me at the FSFE Assembly or ask there for my local communication parameters. I intend to organise a keysigning party if no one else does. I did one at 29C3

Re: 31C3, keysigning party

2014-12-11 Thread Peter Lebbing
On 11/12/14 13:22, Peter Lebbing wrote: Oh, and there's this 2D barcode keysigning thing as well, should look it up. It was demonstrated to me at the keysigning at OHM2013. Probably monkeyscan from monkeysign... the latter has been mentioned numerous times on this list, btw. Peter. -- I use

Re: 31C3, keysigning party

2014-12-11 Thread Peter Lebbing
On 11/12/14 14:46, Tobias Mueller wrote: FWIW: A tool with a similar goal is GNOME Keysign: Thanks for the pointer! Contrasting caff or monkeysign, it does not rely on keyservers. Neither does caff, if the organiser of the keyparty simply collects all keys (sent by the participants) and sends

Re: 31C3, keysigning party

2014-12-11 Thread Peter Lebbing
On 11/12/14 17:58, Guilhem Moulin wrote: There is one advertized already: steeples fingers Excellent! And thank you for pointing it out, especially since they expect you to sign up /way before/ the event. I hope they'll allow people in who didn't sign up (who will bring their own slips of paper

Re: digest-algo SHA256, SHA-1 attacks

2014-11-27 Thread Peter Lebbing
On 27/11/14 06:55, NdK wrote: 1) who guarantees that the 'r' seen by the receiving party is the same generated by the signer? Since it's usually trivially combined with source text, I feel it's a huge attack vector The purpose of the signature is to ascertain that the OpenPGP message has not

Randomized hashing (was: digest-algo SHA256, SHA-1 attacks)

2014-11-27 Thread Peter Lebbing
Perhaps I should add that it takes real research and formal proof to show that this randomized hashing doesn't add attack vectors, and I have been glossing over that. But that is because at a glance it looks like such research has been done. That doesn't mean it's a fact that there are no

Re: Randomized hashing

2014-11-27 Thread Peter Lebbing
On 27/11/14 13:04, NdK wrote: (note that r is not signed, as the rhash scheme suggests and the paper confirms!) In contrast to a previous proposal by the same authors, the salt r does not need to be included under the signature. I read this quite differently. I read it as that 'r' is not

Re: Pros and cons of PGP/MIME for outgoing e-mail?

2014-11-26 Thread Peter Lebbing
My proposal doesn't have this problem. I want the manifest to summarize the entire content of the message, including sha256 (or whatever is considered good) fingerprints of each part. 1) What does a checksum add beyond the OpenPGP Modification Detection Code (MDC)? 2) Why doesn't an attacker

digest-algo SHA256, SHA-1 attacks (was: Setpref is not working or is it a bug or something?))

2014-11-26 Thread Peter Lebbing
(By the way, how did the topic - gpg.conf: settings for security and compatibility ever get confused with the topic - Setpref is not working or is it a bug or something? because this definitely is the former but is called the latter. Also, @g, as you apparently call yourself, you seem to start a

Re: Symmetrical encryption or ...

2014-11-22 Thread Peter Lebbing
On 22/11/14 10:23, Dave Pawson wrote: https://launchpad.net/ubuntu/+source/keepass2 Looks like Ubuntu only? Not found for Fedora. If I look at the KeePass website, specifically at [1], I see: 8 -- 8 In addition to Windows, KeePass 2.x runs

Re: Symmetrical encryption or ...

2014-11-22 Thread Peter Lebbing
On 22/11/14 11:11, Peter Lebbing wrote: If I look at the KeePass website, specifically at [1], I see: Whoops! [1] http://keepass.info/help/v2/setup.html#mono -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key

Re: Encryption on Mailing lists sensless?

2014-11-19 Thread Peter Lebbing
On 19/11/14 01:31, Robert J. Hansen wrote: No. Client-side, you get to inspect (fully) only your data, and you have to develop a statistical model of spam based on only your data. When Gmail filters, it inspects (fully) traffic to *millions* of users, and uses that to create a model no

Re: Encryption on Mailing lists sensless?

2014-11-19 Thread Peter Lebbing
On 19/11/14 09:54, Nan wrote: First, charlatan and snake oil imply deceit. They often do, don't they? I doubt that is what is meant, though. If I look in the Oxford online dictionary: Definition of charlatan in English: noun A person falsely claiming to have a special knowledge or skill

Re: ECDSA vs EDDSA

2014-11-12 Thread Peter Lebbing
On 10/11/14 17:31, Werner Koch wrote: Which is used in 2.1: That's great to hear, just like it is in general pretty great you got to release a major new version! Congratulations! After browsing a bit in the source, I conclude that RFC 6979 is used for both classic DSA and ECDSA; something not
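Since the message above observes that GnuPG 2.1 uses RFC 6979 for both DSA and ECDSA, here is the nonce derivation from that RFC written out as an added example; it is not code from the original message or from GnuPG/Libgcrypt. It follows RFC 6979 section 3.2 literally (HMAC_DRBG seeded with the private key and the message hash), and the test vector is the one published in the RFC's Appendix A.2.5 for NIST P-256 with SHA-256 and the message "sample". The practical point it shows is that the per-signature nonce k is a deterministic function of the key and the message, so a broken or exhausted RNG cannot cause the nonce reuse that leaks a DSA/ECDSA private key.

```python
import hashlib
import hmac

# NIST P-256 group order and the test private key from RFC 6979, Appendix A.2.5.
P256_Q = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
P256_X = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721


def _bits2int(data, qlen):
    """RFC 6979 2.3.2: keep the leftmost qlen bits of the bit string."""
    value = int.from_bytes(data, "big")
    blen = len(data) * 8
    if blen > qlen:
        value >>= blen - qlen
    return value


def _int2octets(value, qlen):
    """RFC 6979 2.3.3: big-endian encoding of exactly ceil(qlen/8) bytes."""
    return value.to_bytes((qlen + 7) // 8, "big")


def _bits2octets(data, q, qlen):
    """RFC 6979 2.3.4: bits2int, reduce modulo q, then int2octets."""
    return _int2octets(_bits2int(data, qlen) % q, qlen)


def rfc6979_nonce(priv, message, q, hashname="sha256"):
    """Deterministic nonce k in [1, q-1] per RFC 6979 section 3.2.

    priv:    private key x (integer in [1, q-1])
    message: the bytes to be signed (hashed here with `hashname`)
    q:       order of the DSA subgroup / ECDSA base point
    """
    qlen = q.bit_length()
    h = hashlib.new(hashname, message)
    hlen = h.digest_size
    h1 = h.digest()
    x_octets = _int2octets(priv, qlen)
    h1_octets = _bits2octets(h1, q, qlen)

    def mac(key, data):
        return hmac.new(key, data, hashname).digest()

    # Steps b..g: initialise and seed the HMAC_DRBG-style state (K, V).
    V = b"\x01" * hlen
    K = b"\x00" * hlen
    K = mac(K, V + b"\x00" + x_octets + h1_octets)
    V = mac(K, V)
    K = mac(K, V + b"\x01" + x_octets + h1_octets)
    V = mac(K, V)

    # Step h: generate candidate k values until one lies in [1, q-1].
    while True:
        T = b""
        while len(T) * 8 < qlen:
            V = mac(K, V)
            T += V
        k = _bits2int(T, qlen)
        if 1 <= k <= q - 1:
            return k
        K = mac(K, V + b"\x00")
        V = mac(K, V)


if __name__ == "__main__":
    k = rfc6979_nonce(P256_X, b"sample", P256_Q)
    print(f"k = {k:064X}")
```

The nonce is then used in the ordinary (EC)DSA signing equation unchanged; only its source differs. Note that determinism is per (key, message) pair: signing the same message twice yields byte-identical signatures, which is harmless for DSA/ECDSA but worth knowing if a protocol expects signatures to be unique.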

Re: Detached signature ambiguity

2014-11-11 Thread Peter Lebbing
On 11/11/14 09:52, Werner Koch wrote: I think this is what I will implement. How would the warning be triggered? By the extension of the signature file or by existence of a file without the .sig extension, or even some other way? That is an entire different thing and not a problem of gpg. If

Detached signature ambiguity (was: [Announce] GnuPG 2.1.0 modern released)

2014-11-10 Thread Peter Lebbing
On 10/11/14 12:02, Nicholas Cole wrote: So the confusion is that you have one single command that deals with verifying both a detached signature and with a file that contains a signature? Yes. Is the best fix for this to introduce two new commands That seems extreme. Although you could add

Re: Detached signature ambiguity

2014-11-10 Thread Peter Lebbing
On 10/11/14 13:03, Nicholas Cole wrote: But in fact, it is the fact that scripts depend on this that made me think that this might be a case where things *should* get broken, because this is actually a serious security flaw, and the scripts in question need fixing. In many cases, no one is

Re: [Announce] GnuPG 2.1.0 modern released

2014-11-09 Thread Peter Lebbing
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 07/11/14 22:21, Simon Nicolussi wrote: Invoking GnuPG that way is insecure without knowing the contents of the signature file. An attacker could have replaced it by something that's not, in fact, a detached signature. Oops! Very nice find,

Re: gpg-agent forwarding

2014-11-07 Thread Peter Lebbing
On 07/11/14 03:24, Kristian Fiskerstrand wrote: See https://lists.gnupg.org/pipermail/gnupg-devel/2014-August/028697.html Right, thanks for the pointer! Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key

gpg-agent forwarding (was Re: Help needed to setup Passphrase with GNUPG 2.0.26 on Solaris 10)

2014-11-06 Thread Peter Lebbing
On 05/11/14 22:09, Werner Koch wrote: It might be worth to check whether there is an interest in running gpg on the server via Putty and have Putty forward the communication of gpg to a gpg-agent+pinentry running on Windows. I think this certainly has its upsides, running the agent on the

What's new in 2.1 FAQ: Corrections, suggestions

2014-11-06 Thread Peter Lebbing
Hello Werner and list, While reading that FAQ top to bottom, I encountered some typos which I fixed. I'm only used to git in a non-distributed fashion, so I'm not accustomed to it's patch submission features and simply attach a git-generated diff against 0968808. I hope that suffices. And

Re: gpg-agent forwarding

2014-11-06 Thread Peter Lebbing
On 06/11/14 15:40, Werner Koch wrote: OpenSSH has socket forwarding and that is what I was thinking about. Sockets other than TCP you mean? Is this something generic that can be invoked by using the command-line OpenSSH client? I can't find it. To avoid that other users connect to a listening

(OT) Re: What's new in 2.1 FAQ: Corrections, suggestions

2014-11-06 Thread Peter Lebbing
so I'm not accustomed to it's patch submission features Ah, I'm glad to see Muphry's Law is still in effect. The world works the way it's supposed to. ;) Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My

Re: With the release of modern, is there intent to support ECC in classic?

2014-11-06 Thread Peter Lebbing
On 06/11/14 17:45, Werner Koch wrote: In case your problem is the pinentry: The agent now provides a loopback pinentry option which basically brings back the version 1 Pinentry prompts. Perhaps this warrants a mention on the what's new FAQ page, for people that are using 1.4 for that specific

RE: Help needed to setup Passphrase with GNUPG 2.0.26 on Solaris 10

2014-11-05 Thread Peter Lebbing
Sorry, it was not the intention to advertise the Phrase or using a Famous Passphrase. I wanted to show after giving the Passphrase it was hanging. So I showed that in the Screen Shot. We wanted the Resolution for this. You weren't entering a passphrase there. If it were asking for a

Re: Help needed to setup Passphrase with GNUPG 2.0.26 on Solaris 10

2014-11-05 Thread Peter Lebbing
On 2014-11-05 16:56, Robert J. Hansen wrote: Not to harp, but it bears repeating: use GnuPG 1.4 and this entire problem goes away. Given all the emails that have gone back and forth on this subject, I think it's probably time to make the switch to 1.4. :) Right, yes, I agree. I focussed

Re: Help needed to setup Passphrase with GNUPG 2.0.26 on Solaris 10

2014-11-05 Thread Peter Lebbing
On 05/11/14 20:52, SubramaniaRao, ravikumar wrote: Thanks for your Input. Please help me where I will get the tar File for Qt pinentry, so that I can install it. If QT Pinentry is not required, Is it perhaps possible that you only notice the contributions to this thread that are explicitly

Re: Is gpg-agent passphrase status query possible?

2014-11-02 Thread Peter Lebbing
On 02/11/14 09:42, Cpp wrote: I see that command will print out the passphrase in clear text. Is this secure to use just like that? This is the same channel as where session keys are exchanged. With a session key, you can decrypt an encrypted message: very sensitive information. So the channel

Broken mirrors

2014-11-02 Thread Peter Lebbing
It is a bit unclear to me where you should report broken mirrors or whether you should do so at all; I thought I'd best just post it here. ftp://ftp.surfnet.nl/pub/security/gnupg/ seems to only hold directories, no files. ftp://ftp.demon.nl/pub/mirrors/gnupg/ - that directory doesn't even exist.

Re: key length/size RSA discussion/recommendations in the wiki

2014-10-29 Thread Peter Lebbing
Why is brute force even mentioned in something about RSA? You couldn't brute-force a 128 bit RSA key. I'd say 2048 bit quite covers it 8-) Peter.

Re: key length/size RSA discussion/recommendations in the wiki

2014-10-29 Thread Peter Lebbing
On 2014-10-29 21:49, ved...@nym.hush.com wrote: Surely Peter knows this too ;-) More likely 128 was a typo for the more common older RSA key of 1028 ... No, I'm using a strict definition of brute force. For p = 2^63 to 2^64-1 For q = 2^63 to 2^64-1 If p * q == n: Break Next

Re: key length/size RSA discussion/recommendations in the wiki

2014-10-29 Thread Peter Lebbing
On 2014-10-29 22:30, Robert J. Hansen wrote: Technically, brute force is testing every *possible* value... not values that you know aren't going to work. Why test those? Well, why not restrict ourselves to primes whose product equals the modulus? I could solve any key in constant time that

Re: Terminal asks for passphrase even when passphrase is cached by gpg-agent

2014-10-28 Thread Peter Lebbing
I have gpg-agent cache passphrase. When I run gpg -c text.txt it asks for passphrase twice like it normally would but Kgpg or KMail don't. -c is symmetric encryption, encryption with a passphrase. It is prompting you what the passphrase should be. If it were to ask you for your passphrase for

Re: auto refresh for expired certificates

2014-10-26 Thread Peter Lebbing
On 26/10/14 11:32, MFPA wrote: I couldn't come up with search terms to find it with a search engine. After several tries I finally had luck. I also forgot the name :). But it's parcimonie. It seems to live at https://github.com/EtiennePerot/parcimonie.sh . HTH, Peter.

Re: auto refresh for expired certificates

2014-10-26 Thread Peter Lebbing
On 26/10/14 12:44, Peter Lebbing wrote: After several tries I finally had luck. By the way, my search string was keyserver lookup exposes keyring It seems to live at https://github.com/EtiennePerot/parcimonie.sh . But this e-mail is to correct this bit: this is actually a reimplementation
