Re: How do you let your M.D. know about emailselfdefense.org and gnupg.org so that it's easier for folks unfamiliar to setup and use than having to go over the too long material, the too complicated m

2016-12-01 Thread vedaal 


On 12/1/2016 at 7:40 PM, "Don Saklad"  wrote:How do you let your M.D.
know about emailselfdefense.org and gnupg.org
so that it's easier for folks unfamiliar to setup and use than having
to
go over the too long material, the too complicated material?

=

Hushmail has a marketing pitch to Medical Personnel about compliance
with medical privacy laws, and allows hushmail users to send encrypted
e-mails to any email address even if the receiver does not use
hushmail.

The receiver gets a message that an encrypted e-mail has been sent,
and a link to a site where it is stored for only 72 hours. Upon
following the link, the receiver types in an answer to a pre-arranged
question between the doctor and the patient, and sees the plaintext,
and/or the file attachment.  The receiver is allowed only 3 tries, and
if all are wrong, the message is removed from the site.

So it's pretty simple to use,  (simple enough that busy doctors are
not interested in learning GnuPG  :-(  )

The doctor calls the patient, and arranges the question and answer,
and then can send files encrypted as attachments.

An MITM attack is not practical as the doctor and patient share the
secret over a different channel  (phone, person to person in the
office, etc.)
It is, however, very vulnerable to a DNS attack.  The MITM can simply
access the site, enter the wrong answer 3 times, and the message is
removed.

I pointed this out to a doctor who uses this, and his response was
basically that it's "not in his threat model", (although it was much
longer in ordinary language.)

The only suggestion I would have, is for a similar e-mail service that
uses GnuPG, without a backdoor for the government, which Hushmail has,
 and market this to the "Patients",  and have a link to an easy GnuPG
gui tutorial, once people think that encryption can be useful and
'fun'.
vedaal
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Proof for a creation date

2016-12-01 Thread Quan Zhou 
so GnuPG's timestamping isn't an option for this?
Even X509 has a timestamping feature for this kind of use.

On Fri, Dec 2, 2016 at 11:59 AM, Schlacta, Christ 
wrote:

> The easiest way is to publish your code to a publicly controlled source
> with a signature on or before your desired date. Not sure if there's a
> *better* way.
>
> On Dec 1, 2016 7:43 PM, "Bertram Scharpf" 
> wrote:
>
>> Hi,
>>
>> we all know that kidnappers do publish a picture of their
>> hostage holding up a todays newpaper. The purpose of this is
>> to proof that the victim was alive _after_ a certain point
>> of time. I want to do the opposite. I want to make evidence
>> that I created a document _before_ a certain point of time.
>>
>> I could use self-darkening ink but that won't be reflected
>> in a JPEG scan and my pen won't make the job that TeX does.
>> I could sign a newspapers home page but that cannot be
>> reproduced at a later point of time to verify the signature.
>>
>> Is there a standard way in GnuPG and in the keyholder
>> infrastructure to accomplish this task?
>>
>> Thanks in advance.
>>
>> Bertram
>>
>>
>> --
>> Bertram Scharpf
>> Stuttgart, Deutschland/Germany
>> http://www.bertram-scharpf.de
>>
>> ___
>> Gnupg-users mailing list
>> Gnupg-users@gnupg.org
>> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>>
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>


-- 
Regards,

Quan Zhou
++
|pub [expires 2019-05-04]|
|D7CF DCE8 2EBA 2766 499A|
|20DF 8273 6C6F ABCD 0A0F|
++
|pub [revoked 2016-04-16]|
|44D2 0307 1643 E80F 2E31|
|F081 FAFA 6643 7F9F D46F|
++
|quanzhou...@gmail.com   |
|https://keybase.io/qzhou|
++
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How do you let your M.D. know about emailselfdefense.org and gnupg.org so that it's easier for folks unfamiliar to setup and use than having to go over the too long material, the too complicated m

2016-12-01 Thread Christian Heinrich 
Don,

S/MIME has a lower barrier to entry if it is just for e-mail in Outlook, etc

On Fri, Dec 2, 2016 at 10:54 AM, Don Saklad  wrote:
> How do you let your M.D. know about emailselfdefense.org and gnupg.org
> so that it's easier for folks unfamiliar to setup and use than having to
> go over the too long material, the too complicated material?


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

gpgme 1.8 build failure (again)

2016-12-01 Thread Robert J. Hansen 
Last month I had a build failure for GPGME 1.8 on macOS.  I reported it
to the list and received a useful answer about a custom preprocessor
define that should've been, but was apparently was not, used.

Unfortunately I didn't write this down, and the email thread is not in
the archive.  (Only one message seems to be:
https://lists.gnupg.org/pipermail/gnupg-users/2016-November/057047.html )

Can anyone give me once again the magic invocation needed?  Thanks.  :)

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Proof for a creation date

2016-12-01 Thread Schlacta, Christ 
The easiest way is to publish your code to a publicly controlled source
with a signature on or before your desired date. Not sure if there's a
*better* way.

On Dec 1, 2016 7:43 PM, "Bertram Scharpf"  wrote:

> Hi,
>
> we all know that kidnappers do publish a picture of their
> hostage holding up a todays newpaper. The purpose of this is
> to proof that the victim was alive _after_ a certain point
> of time. I want to do the opposite. I want to make evidence
> that I created a document _before_ a certain point of time.
>
> I could use self-darkening ink but that won't be reflected
> in a JPEG scan and my pen won't make the job that TeX does.
> I could sign a newspapers home page but that cannot be
> reproduced at a later point of time to verify the signature.
>
> Is there a standard way in GnuPG and in the keyholder
> infrastructure to accomplish this task?
>
> Thanks in advance.
>
> Bertram
>
>
> --
> Bertram Scharpf
> Stuttgart, Deutschland/Germany
> http://www.bertram-scharpf.de
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Proof for a creation date

2016-12-01 Thread Daniel Kahn Gillmor 
On Thu 2016-12-01 21:12:50 -0500, Bertram Scharpf wrote:
> I want to make evidence that I created a document _before_ a certain
> point of time.

One approach i've seen recommended is to create a
cryptographically-strong digest of the signed document in question and
then post it to a public, append-only log somewhere.

For example, take the SHA256 digest of the document, pretend that value
is the address of a bitcoin wallet, and throw a little bit of bitcoin
into it (this value will never be recoverable because no one knows the
corresponding secret key). This puts the digest into the blockchain at a
acertain date for anyone to see.

Your subsequent argument is that one of the two possibilities must hold:

 (a) you have some ability to perform a collision attack against
 SHA-256, or

 (b) the signed document existed at some point before the bitcoin
 transaction was publicly logged.

since most people won't believe (a), (b) looks pretty likely.

You could use any other globally-visible log that allows for injection
of a bitstring long enough for a strong digest (32 octets is probably
sufficient), it doesn't have to be the bitcoin blockchain.  for example,
if you can get something into a public X.509 certificate, you could post
it to one of the certificate transparency logs.

Regards,

--dkg


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Proof for a creation date

2016-12-01 Thread Bertram Scharpf 
Hi,

we all know that kidnappers do publish a picture of their
hostage holding up a todays newpaper. The purpose of this is
to proof that the victim was alive _after_ a certain point
of time. I want to do the opposite. I want to make evidence
that I created a document _before_ a certain point of time.

I could use self-darkening ink but that won't be reflected
in a JPEG scan and my pen won't make the job that TeX does.
I could sign a newspapers home page but that cannot be
reproduced at a later point of time to verify the signature.

Is there a standard way in GnuPG and in the keyholder
infrastructure to accomplish this task?

Thanks in advance.

Bertram


-- 
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

How do you let your M.D. know about emailselfdefense.org and gnupg.org so that it's easier for folks unfamiliar to setup and use than having to go over the too long material, the too complicated mater

2016-12-01 Thread Don Saklad 
How do you let your M.D. know about emailselfdefense.org and gnupg.org
so that it's easier for folks unfamiliar to setup and use than having to
go over the too long material, the too complicated material?

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: libgpgme-11.dll

2016-12-01 Thread Robert J. Hansen 
> Did you install gpgme-w32spawn.exe alongside gpgme-11.dll ?  This 
> wrapper is required due to pecularities of Windows' CreateProcess
> API.

I did not, and this was the problem.  Thank you, Werner.  :)


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: libgpgme-11.dll

2016-12-01 Thread Werner Koch 
On Thu,  1 Dec 2016 03:54, r...@sixdemonbag.org said:
> For long and boring reasons I need to be able to call GPGME from
> Microsoft Visual C++.  The MSVC linker requires .lib files, which are
> not shipped with GnuPG.  That's okay: the procedure to make them is

The gnupg 2.1 installer actually installs all header files as well as
the the .lib files (look for *.imp).  Note that the -11 suffix is not
used with the imp files.  If you are using glib or gtk+ make sure to
link against libgpgme-glib.imp. 

> My sample code runs just fine on OS X and Linux, incidentally, so I
> doubt the problem is with it.  (If people want to see it just to make

  set GPGME_DEBUG=9;c:/temp/gpgme.log
  mygpgmebasedtool

and then look at the log file.  It will show you where it looks for
gnupg.  The code in gpgme works even for gnupg 1.4 but it prefers gnupg
2.x. 

Did you install gpgme-w32spawn.exe alongside gpgme-11.dll ?  This
wrapper is required due to pecularities of Windows' CreateProcess API.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


pgp_QjIVPbaWn.pgp
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Is there a “ground-up” explanation of PGP/GnuPG?

2016-12-01 Thread Werner Koch 
On Wed, 30 Nov 2016 17:33, k...@rdw.se said:

> Is there a "from the ground up" good guide to PGP that allows me to
> break out of this pattern?

You may watch Neal's "An Advanced Intro to GnuPG":




Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


pgpZPXcx09E8Y.pgp
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users