Re: Houston, we have a problem

2017-09-21 Thread Stefan Claas
On Thu, 21 Sep 2017 21:59:26 +0200, Ralph Seichter wrote: > On 21.09.17 21:38, Stefan Claas wrote: > > > The thing is someone could issue a fake sig3 from Heise's CA key to > > someone else's pub key, without that that customers would detect it, > > nor Heise would know it, until of course they

Re: Houston, we have a problem

2017-09-21 Thread Robert J. Hansen
> I'm not certain what problem you see that has not been around for as > long as PGP/GPG exists? You can only ever be certain of a signature if > you have personally verified the signing key and the signer's identity. > That's why the default owner trust level is "unknown" (not trusted). About 25

Re: Houston, we have a problem

2017-09-21 Thread Stefan Claas
On Thu, 21 Sep 2017 17:05:35 -0400, Daniel Kahn Gillmor wrote: > If by "key-id" you mean the 32-bit long thing like "D21739E9", then > there's no way to cryptographically secure that -- it's just too > low-entropy. I've written elsewhere about why key ids are bad: > >

Re: OT: Which smartphone would you use

2017-09-21 Thread MFPA
On Thursday 21 September 2017 at 6:33:40 PM, in , Thomas Hejze wrote:- > I start to worry for the > future of Open Source. Isn't there a business case > for a FOSS smartphone? I think Fairphone

Re: Houston, we have a problem

2017-09-21 Thread Stefan Claas
On Thu, 21 Sep 2017 22:38:06 +0200, Ralph Seichter wrote: > On 21.09.17 22:11, Stefan Claas wrote: > > > > You can only ever be certain of a signature if you have personally > > > verified the signing key and the signer's identity. > > > > Well, call me a stupid Mac dummie, but how in the world

Re: Houston, we have a problem

2017-09-21 Thread Ralph Seichter
On 21.09.17 22:13, Robert J. Hansen wrote: > About 25 years ago I first saw the suggestion that signatures from > unvalidated certificates should simply not be visible to the end-user > [...] Yeah, that would be one way to make these sigs less obvious. Of course it does not solve the underlying

Re: Houston, we have a problem

2017-09-21 Thread Robert J. Hansen
> Do i understand you right, i validate Werner's pub key and when > i get a signed email from Erika Mustermann the sig should be then > o.k. from her, because i signed Werner's key? No. When you see something claiming to be Werner's sig on Erika's certificate, ask yourself: * Is it

automatic conversion from keyring to keybox files?

2017-09-21 Thread MFPA
Now that the upgrade path for GnuPG 2.0.x users is to 2.2.x versions, will there be any automatic conversion from keyring to keybox files, either offered by the installer or available as a command? -- Best regards MFPA

Re: Houston, we have a problem

2017-09-21 Thread Daniel Kahn Gillmor
On Thu 2017-09-21 22:37:38 +0200, Stefan Claas wrote: > I'm sorry! Let me say one last word. If i would be a programmer of > software like GnuPG, my software would not allow to receive unwanted > signatures on my pub key The way the universe works is that once data is public, other data might

Re: Houston, we have a problem

2017-09-21 Thread Ralph Seichter
On 21.09.17 22:37, Stefan Claas wrote: > If i would be a programmer of software like GnuPG, my software would > not allow to receive unwanted signatures on my pub key, nor would it > allow that someone else can fake a sig on someone else's pub key with > my key-id. If you can solve the design

Re: Houston, we have a problem

2017-09-21 Thread Stefan Claas
On Thu, 21 Sep 2017 17:06:18 -0400, Robert J. Hansen wrote: > > Do i understand you right, i validate Werner's pub key and when > > i get a signed email from Erika Mustermann the sig should be then > > o.k. from her, because i signed Werner's key? > > No. When you see something claiming to be

Re: Houston, we have a problem

2017-09-21 Thread Stefan Claas
On Thu, 21 Sep 2017 23:11:23 +0200, Ralph Seichter wrote: > On 21.09.17 22:37, Stefan Claas wrote: > > > If i would be a programmer of software like GnuPG, my software would > > not allow to receive unwanted signatures on my pub key, nor would it > > allow that someone else can fake a sig on

Re: Houston, we have a problem

2017-09-21 Thread Robert J. Hansen
> If someone would issue a fake sig3 from Governikus to someone > else how could you, for example, verify that the sig3 is from > Governikus? By validating Governikus's certificate. You seem to be asking the same question (and getting the same answer) over and over again. Perhaps try a

Re: Houston, we have a problem

2017-09-21 Thread Ralph Seichter
On 21.09.17 22:11, Stefan Claas wrote: > > You can only ever be certain of a signature if you have personally > > verified the signing key and the signer's identity. > > Well, call me a stupid Mac dummie, but how in the world could GnuPG > users , living in different areas verify that? They

Passphrases no longer found in keyring

2017-09-21 Thread Brad Zynda
Hello, Wanted to follow forward with the below topic here as Patrick from Enigmail suggested. Quick Summary: CentOS 7 1708 enigmail/pinentry now asks for passphrase all the time which was not the behavior prior to the recent update. Thanks, Brad Yeah just ran through all the troubleshooting

Re: Houston, we have a problem

2017-09-21 Thread Stefan Claas
On Thu, 21 Sep 2017 16:16:12 -0400, Robert J. Hansen wrote: > > If someone would issue a fake sig3 from Governikus to someone > > else how could you, for example, verify that the sig3 is from > > Governikus? > > By validating Governikus's certificate. Do i understand you right, i validate

Houston, we have a problem

2017-09-21 Thread Stefan Claas
Hi all, http://pgp.zdv.uni-mainz.de:11371/pks/lookup?op=vindex=Erika+Mustermann Question for the experts, how can a casual or new GnuPG user, like Alice and Bob, detect a Signature forgery on a pub key, when using Web based key servers? Note for native English speakers, Erika Mustermann is

Re: Automating and integrating GPG

2017-09-21 Thread Werner Koch
On Thu, 21 Sep 2017 11:03, aheinl...@gmx.com said: > Interesting. I haven't found anything smartcard related in the GPGME > docs. I am really not good at C, but I took a look at the sources of Yes, it is a generic interface to make a core libassuan function (which is already used by gpgme)

Re: Houston, we have a problem

2017-09-21 Thread Robert J. Hansen
> Question for the experts, how can a casual or new GnuPG user, like Alice > and Bob, detect a Signature forgery on a pub key, when using Web based > key servers? By remembering that anyone can create a key claiming to be anyone, and that seeing a signature allegedly from Werner (or anyone) means

Re: Houston, we have a problem

2017-09-21 Thread Stefan Claas
On Thu, 21 Sep 2017 10:55:26 -0400, Robert J. Hansen wrote: > > Question for the experts, how can a casual or new GnuPG user, like > > Alice and Bob, detect a Signature forgery on a pub key, when using > > Web based key servers? > > By remembering that anyone can create a key claiming to be

Re: Houston, we have a problem

2017-09-21 Thread Ralph Seichter
On 21.09.17 20:49, Stefan Claas wrote: > How could customers, not pros like all you guys here on the list, > could verify that we both are the persons the keys/signatures are > claiming? Legal identification is required. Since you are German, you can use

Re: Houston, we have a problem

2017-09-21 Thread Ángel
On 2017-09-21 at 23:37 +0200, Stefan Claas wrote: > Long ago when we had a discussion here on the Mailing List on > how to prevent unwanted signatures i made a proposal that > signing someone's public key should work similar to revocation > certificates. If you would like to sign my pub key you

Prince Jones v US

2017-09-21 Thread Robert J. Hansen
Good news for US citizens: _Prince Jones v US_ was decided Thursday. The important text from the opinion is recreated here, and the implications for encrypted email follow. * * * * * But in addition to the fact that people reasonably value and hope to protect the privacy of their location

Re: Houston, we have a problem

2017-09-21 Thread Stefan Claas
On Thu, 21 Sep 2017 21:11:17 +0200, Ralph Seichter wrote: > On 21.09.17 20:49, Stefan Claas wrote: > > > How could customers, not pros like all you guys here on the list, > > could verify that we both are the persons the keys/signatures are > > claiming? > > Legal identification is required.

Re: OT: Which smartphone would you use

2017-09-21 Thread Thomas Hejze
On Tuesday, 19 September 2017, 13:44:53 CEST, Andreas Ronnquist wrote: > > If I had the money, I would pledge for one of these: > > https://puri.sm/shop/librem-5/ > That project looks promising, however, I fear I am not able to spend $924.000 for my smartphone ;-) Anyway that is what I

Re: OT: Which smartphone would you use

2017-09-21 Thread Matthias Apitz
On Thursday, September 21, 2017 at 06:54:43 PM +0200, Thomas Hejze wrote: > Hi Dotan, > > > On Monday, 18 September 2017, 19:55:49 CEST, Dotan Cohen wrote: > > The answer pretty much depends on what smartphone features you are > > looking for. Do you need to run a web browser?

Re: OT: Which smartphone would you use

2017-09-21 Thread Thomas Hejze
On Monday, 18 September 2017, 20:13:14 CEST, Matthias Apitz wrote: > >> I'm using for more than two years an Ubuntu phone BQ E4.5. The > >> project was > >> driven by Canonical and BQ as the hardware OEM. The project > >> died in March of > >> this year, but is now moved to a community of

Re: OT: Which smartphone would you use

2017-09-21 Thread Matthias Apitz
On Thursday, September 21, 2017 at 07:09:01 PM +0200, Thomas Hejze wrote: > On Monday, 18 September 2017, 20:13:14 CEST, Matthias Apitz wrote: > > >> I'm using for more than two years an Ubuntu phone BQ E4.5. The > > >> project was > > >> driven by Canonical and BQ as the hardware

Re: OT: Which smartphone would you use

2017-09-21 Thread Thomas Hejze
Hi Dotan, On Monday, 18 September 2017, 19:55:49 CEST, Dotan Cohen wrote: > The answer pretty much depends on what smartphone features you are > looking for. Do you need to run a web browser? Email integration? well first of all I would like to make phone calls. I use kdepim for contacts,

Re: Automating and integrating GPG

2017-09-21 Thread Andreas Heinlein
On 20.09.2017 at 09:02, Werner Koch wrote: > On Mon, 18 Sep 2017 23:45, d...@fifthhorseman.net said: > >> I don't know how much smartcard interaction gpgme supports, though. > Everything you need. Have a look at GPA's smartcard features. I assume > it is the most advanced GUI to handle the