On 2021-01-17 at 23:43 +, Stefan Claas via Gnupg-users wrote:
> I encountered only one MITM attack a couple of years ago so far, from an
> SKS user. He was a retired police officer from Austria, who contacted me.
> But what you say I was thinking about as well. My proposal was to include
> in
On 2021-01-18 at 17:12 +0100, Stefan Claas via Gnupg-users wrote:
> Neal, maybe you and your team, as professionals, can explain
> what the .well-known folder in a Web root is good for, because
> it is not only used for WKD and it is also used by many many
> apps, for verification purposes, like
On Mon, Jan 18, 2021 at 01:42:52PM +0100, André Colomb wrote:
> We need to remember that WKD is only a convenience mechanism for
> discovery, not any kind of authentication.
>
> Kind regards
> André
And it's discovery that begins with an email address. I
still can't work out what functionality
@Stefan, are you aware that in your scheme involving sac001.github.io, whoever
convinces GitHub to give them control over that subdomain, can silently replace
those public keys and start a man-in-the-middle attack? You could not even rely
on the TLS layer, because GitHub probably will not revoke
Hi Stefan,
On 18/01/2021 17.12, Stefan Claas via Gnupg-users wrote:
> I repeat here once again GitHub has a *valid* SSL cert.
You are right on that point. Absolutely right, seriously. It's
actually their web server configuration which is suboptimal. Those two
statements are universally true,
On Mon, Jan 18, 2021 at 8:43 AM Neal H. Walfield wrote:
>
> On Sun, 17 Jan 2021 19:27:05 +0100,
> Ángel wrote:
> > I feel there is a need for a proper wkd test suite (as well as a
> > clarifying on the draft itself the things that are coming up).
>
> FWIW, there is Wiktor Kwapisiewicz's wkd
On 2021-01-18 at 10:14 +0100, Neal H. Walfield wrote:
> I've given this issue some more thought.
>
> First, I don't think WKD is a strong authentication method. It is
> sufficient for doing key discovery for opportunistic encryption (i.e.,
> it's a reasonable guess), but I wouldn't want someone
On Mon, 18 Jan 2021 13:42:52 +0100,
André Colomb wrote:
> On 18/01/2021 10.14, Neal H. Walfield wrote:
> > In short: I understand the motivation for the subdomain. I understand
> > why one should first check there. But, I think we do our users a
> > disservice by not falling back to the direct
On 1/18/21 3:46 PM, Werner Koch wrote:
> On Mon, 18 Jan 2021 14:16, Lars Noodén said:
>
>> Euro Payments Area credit transfers [1] ought to have the address [2]
>> as the address is required when making payments to other countries
>> within the Union.
>
> The idea of SEPA is that the account
On Mon, 18 Jan 2021 14:16, Lars Noodén said:
> Euro Payments Area credit transfers [1] ought to have the address [2]
> as the address is required when making payments to other countries
> within the Union.
The idea of SEPA is that the account number is sufficient; even the BIC
is not anymore
On 1/17/21 10:35 PM, Robert J. Hansen via Gnupg-users wrote:
> ... And if you missed out, why not consider making a recurring
> monthly contribution of your own?
The text on the donation page could be tweaked to include the business
address. That would save a few steps because the web form for
Hi Neal,
On 18/01/2021 10.14, Neal H. Walfield wrote:
> First, I don't think WKD is a strong authentication method. It is
> sufficient for doing key discovery for opportunistic encryption (i.e.,
> it's a reasonable guess), but I wouldn't want someone to rely on it to
> protect them from an
Hello Andrew,
On 18.01.21 at 13:17, Andrew Gallagher via Gnupg-users wrote:
On 18/01/2021 11:33, Juergen Bruckner via Gnupg-users wrote:
Hello Andrew,
On 18.01.21 at 12:17, Andrew Gallagher via Gnupg-users wrote:
On 18/01/2021 11:07, Juergen Bruckner via Gnupg-users wrote:
Sequoia accepts
On 18/01/2021 11:33, Juergen Bruckner via Gnupg-users wrote:
Hello Andrew,
On 18.01.21 at 12:17, Andrew Gallagher via Gnupg-users wrote:
On 18/01/2021 11:07, Juergen Bruckner via Gnupg-users wrote:
Sequoia accepts an *invalid* certificate for the host
'foo.abc.github.io' and that is "failure
Hello André,
On 18.01.21 at 00:03, André Colomb wrote:
On 17/01/2021 21.39, Juergen Bruckner via Gnupg-users wrote:
And as far as Sequoia is concerned, Stefan's explanations only confirmed
that this is software that I definitely don't want to use.
Software that accepts an invalid digital
Hello Andrew,
On 18.01.21 at 12:17, Andrew Gallagher via Gnupg-users wrote:
On 18/01/2021 11:07, Juergen Bruckner via Gnupg-users wrote:
Sequoia accepts an *invalid* certificate for the host
'foo.abc.github.io' and that is "failure by design".
This is incorrect. Sequoia *does not* accept
On 18/01/2021 11:07, Juergen Bruckner via Gnupg-users wrote:
Sequoia accepts an *invalid* certificate for the host
'foo.abc.github.io' and that is "failure by design".
This is incorrect. Sequoia *does not* accept this invalid certificate.
Sequoia and gnupg only differ in their fallback
Hello again Stefan
On 17.01.21 at 22:27, Stefan Claas wrote:
On Sun, Jan 17, 2021 at 10:16 PM Juergen Bruckner via Gnupg-users
wrote:
Hi Juergen.
Your showcase with github.io also says nothing else than that Sequoia
considers an invalid certificate to be correct. That this happens in
Hi Angel,
On Thu, 14 Jan 2021 01:47:12 +0100,
Ángel wrote:
> On 2021-01-13 at 10:12 +0100, Neal H. Walfield wrote:
> As such, I do think sequoia is non-conformant, although I'm
> more interested in determining the proper behaviour of a WKD client.
>
> ...
> I think it would be good that sq
On Fri, 15 Jan 2021 15:43, Ayoub Misherghi said:
> a@b:c$ gpg -s -e -b -r Mike data.file
>
> gpg: conflicting commands
You can use the combined method of signing (-s) and encryption (-e) with
a detached signature (-b).
Salam-Shalom,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt
20 matches