Re: In case you use OpenPGP on a smartphone ...

2020-08-12 Thread Felix Winterhalter
That's a good article and I think it makes a lot of sense in the
context. I still think PGP is valid for sending encrypted emails if you
exchange public keys beforehand (as he also states he still uses it in
that manner). The web of trust also never did anything for me sadly.

On 12/08/2020 20:29, Ryan McGinnis via Gnupg-users wrote:
> The reasons to abandon PGP for secure communications have been
> accepted in the security community for years.  Here’s one security
> researcher explaining why (there are many others out there with
> similar sentiments): 
>
> https://arstechnica.com/information-technology/2016/12/op-ed-im-giving-up-on-pgp/
>
> -Ryan McGinnis
> http://www.bigstormpicture.com
> PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
>
>
> Sent from ProtonMail Mobile
>
>
> On Wed, Aug 12, 2020 at 13:07, Felix wrote:
>>
>> I'm not sure that there are solutions orders of magnitude more secure
>> that are available readily.
>>
>> Also people tend to get emails on the go as well that might be
>> encrypted. It's convenient to decrypt emails on a smartphone and not
>> really that insecure if you're using an external device for actual
>> keystorage (such as a Yubikey).
>>
>> I don't actually see what's so silly about the whole thing.
>>
>> On 2020-08-12 18:57, Ryan McGinnis via Gnupg-users wrote:
>>> Well yes I realize that it exists, what I'm saying is why would anyone
>>> use it for secure communications on a smartphone when there are
>>> solutions orders of magnitude more secure and simple to use.  It'd be
>>> like buying a helicopter but deciding you'd still fly only 2 feet off
>>> the ground and stick to paved roads. 
>>>
>>>
>>>
>>> On 8/12/20 11:46 AM, Stefan Claas wrote:
>>>> Ryan McGinnis via Gnupg-users wrote:
>>>>
>>>>> I guess the real question is: what are people using PGP for on mobile
>>>>> devices?  If it's for communication, that's silly.  There are at least a
>>>>> half dozen far, far, far better ways to securely communicate on a
>>>>> smartphone.
>>>> Well, it is listed by the OpenPGP experts:
>>>>
>>>> https://www.openpgp.org/software/openkeychain/
>>>>
>>>> Regards
>>>> Stefan
>>>>
>>>> --
>>>> my 'hidden' service gopherhole:
>>>> gopher://iria2xobffovwr6h.onion
>>>
>>> ___
>>> Gnupg-users mailing list
>>> Gnupg-users@gnupg.org
>>> http://lists.gnupg.org/mailman/listinfo/gnupg-users

Selecting SSH Key in gpg-agent ssh-agent mode

2017-07-17 Thread Felix Winterhalter

Hey there fellow gpg-users,

I've been using gpg-agent for a while with my Yubikey and it's working 
fine. Asking me the pin once on each plugin and then silently working in 
the background.

For various reasons I also have on-disk ssh-keys with passphrases that I 
added with ssh-add to the gpg-agent's keystore.

However on servers where those keys are present gpg-agent will always 
ask me to unlock these keys first even if the Yubikey is already 
unlocked. On declining pinentry it will then continue to use the 
Yubikey's keys.

Is there any setting to reorder the order in which SSH-Keys are tried 
against a server? Or rather is there also a way to specify to first try 
unlocked keys?


Cheers,

Felix




Re: suspicious key found

2017-05-16 Thread Felix Winterhalter
There was a proof of concept attack on the fingerprints a couple of 
years ago. The keys were revoked afterwards.


TL;DR short key fingerprints are not secure at all. Also the web of 
trust is your friend here.


Cheers,

Felix


On 16/05/17 15:47, Janne Inkilä wrote:

> I made a key search with my name and found something suspicious.
>
> The search:
>
> https://pgp.mit.edu/pks/lookup?search=janne+inkila=index=on
>
> I have used my old key since 2007. Fingerprint F4DB 40F8 BF22 8B9D
> 9B8F  F679 A482 4C9A 033E 22A2. I know this is quite an old key and maybe
> I should revoke it.
>
> BUT
>
> I also found another key with fingerprint 87C4 F4C8 16D1 3CC3 03E0
> 7977 1A9C 6259 033E 22A2. The key ID is the same 033E 22A2 on both
> keys. There are also signatures in this key. Looks like same persons and
> same key IDs but fingerprints don't match. For some reason this key
> has been revoked.
>
> Did someone really generate same looking key? And why? Any ideas?
> Someone tries to capture my emails? I would like to see some sort of
> theory what is going on, thanks :)
>
> Janne Inkilä
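
An added example, not part of the original thread: a check that groups fingerprints by key ID and reports any ID shared by more than one distinct key, run on the two fingerprints quoted above. It assumes v4 fingerprints (40 hex digits), where the short and long key IDs are the last 8 and 16 hex digits of the fingerprint; the function names are illustrative.

```python
import re
from collections import defaultdict

# The two fingerprints quoted in the message above.
FINGERPRINTS = [
    "F4DB 40F8 BF22 8B9D 9B8F  F679 A482 4C9A 033E 22A2",
    "87C4 F4C8 16D1 3CC3 03E0 7977 1A9C 6259 033E 22A2",
]


def normalize(fpr):
    """Strip whitespace and require a 40-hex-digit (v4) fingerprint."""
    hexstr = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", hexstr):
        raise ValueError(f"not a v4 fingerprint: {fpr!r}")
    return hexstr


def short_id(fpr):
    """32-bit key ID: the last 8 hex digits of the fingerprint."""
    return normalize(fpr)[-8:]


def long_id(fpr):
    """64-bit key ID: the last 16 hex digits of the fingerprint."""
    return normalize(fpr)[-16:]


def colliding_ids(fprs, id_func):
    """Map each key ID shared by more than one distinct key to those keys."""
    groups = defaultdict(set)
    for fpr in fprs:
        groups[id_func(fpr)].add(normalize(fpr))
    return {kid: sorted(keys) for kid, keys in groups.items() if len(keys) > 1}


def same_key(expected_fpr, candidate_fpr):
    """Only a full-fingerprint match identifies the key you meant."""
    return normalize(expected_fpr) == normalize(candidate_fpr)


if __name__ == "__main__":
    for kid, keys in colliding_ids(FINGERPRINTS, short_id).items():
        print(f"short ID {kid} is shared by {len(keys)} distinct keys:")
        for key in keys:
            print(f"  {key}  (long ID {long_id(key)})")
    print("long ID collisions:", colliding_ids(FINGERPRINTS, long_id))
    print("same key:", same_key(*FINGERPRINTS))
```

The two keys share the short ID but differ in their long IDs and full fingerprints, so selecting or verifying a key by its 8-digit ID cannot tell them apart.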



Using GPGAgent as SSHAgent on Windows with cygwin/mingw

2016-09-24 Thread Felix Winterhalter
So I am currently trying to get gpg-agent to play nice with ssh on
Windows. I'm running gpg version 2.1.15.

Using Linux I was able to get everything to run the way I want by adding
enable-ssh-support to the agent config and setting the environment variable
SSH_AUTH_SOCK to the gpg agent's ssh socket.

However on Windows I now get the error:

 ssh-add -L
Error connecting to agent: Bad file descriptor

Same for simple ssh during the public key lookup stage.

I can read the socket file using cat or less however and I get:

52655
▒

Creating key stubs from smartcard without public key

2016-07-25 Thread Felix Winterhalter

So I've recently started experimenting with a Yubikey.

I started off by creating an encryption subkey from my master key and 
moving that to the Yubikey.


This worked fine until I moved to a different computer and tried using 
it there.
It didn't automatically recognize the key on the card until I imported 
my public key as well.

As far as I understand public key encryption, regenerating the public key 
should always be possible using the private key (which should be stored on 
the card).

My expected result would have been that gpg --card-status reads the card 
and then imports all keys on the card, generating the public key associated 
on the fly for local use.

The situation gets even more complicated if I want to have an 
authentication subkey on my Yubikey and not have it bound
to any specific master key (and certainly not publish it on any 
keyservers).
How can I export the ssh key (using gpg --export-ssh-key) when trying to 
do so using the key id yields:


gpg2 --export-ssh-key 0x5FECDB8C8311CB07!
gpg: key "0x5FECDB8C8311CB07!" not found: No public key
gpg: export as ssh key failed: No public key

Is there any way those public keys or key stubs can be created from the 
keys stored on the Yubikey or any smartcard itself?


Best regards,
Felix


