From sac at 300baud.de Sat Oct 3 16:39:20 2020
From: sac at 300baud.de (Stefan Claas)
Date: Sat, 3 Oct 2020 16:39:20 +0200
Subject: On Becky! Internet Mail's GnuPG Plugin
In-Reply-To:
References:
Message-ID: <20201003153920.00004ca3@300baud.de>

Dieter Frye wrote:

> Currently I use another free, anonymous e-mail service called TorBox which
> does have SMTP/POP3 support for everyday communications, though that's
> only viable for people operating within the TOR network as it's got no
> clearweb support unlike secmail itself, which at the end of the day is
> kind of a useless thing anyways given its blacklisted status (and that
> completely without justification) among most every big and small e-mail
> provider out there.

One more question, if you don't mind. Is this the proper URL for Torbox?

https://torbox36ijlcevujx7mjb4oiusvwgvmue7jfn2cvutwa6kl6to3uyqad.onion

If yes, is the operator aware that there are at least three more clear net
Torbox services running, each under a different TLD?

https://torbox36ijlcevujx7mjb4oiusvwgvmue7jfn2cvutwa6kl6to3uyqad.onion.ws/
https://torbox36ijlcevujx7mjb4oiusvwgvmue7jfn2cvutwa6kl6to3uyqad.onion.pet/
https://torbox36ijlcevujx7mjb4oiusvwgvmue7jfn2cvutwa6kl6to3uyqad.onion.sh/

Because I have never seen .onion service operators doing this.

Regards
Stefan

From wk at gnupg.org Sun Oct 4 18:28:31 2020
From: wk at gnupg.org (Werner Koch)
Date: Sun, 04 Oct 2020 18:28:31 +0200
Subject: gpg bug
In-Reply-To: (Brian L. Matthews via Gnupg-users's message of "Tue, 23 Jun 2020 14:21:32 -0700")
References:
Message-ID: <87a6x2gdlc.fsf@wheatstone.g10code.de>

On Tue, 23 Jun 2020 14:21, Brian L. Matthews said:

> $ ./configure --prefix=$HOME/gnu
> $ make
>
> successfully. However, on make check I found that it doesn't work if I
> have a space in PATH. I do because VMWare Fusion adds

Sure. That can't work. You need to quote the envvar:

  ./configure --prefix="$HOME"/gnu

Salam-Shalom,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.
From wk at gnupg.org Sun Oct 4 20:42:21 2020
From: wk at gnupg.org (Werner Koch)
Date: Sun, 04 Oct 2020 20:42:21 +0200
Subject: gpg bug
In-Reply-To: <87a6x2gdlc.fsf@wheatstone.g10code.de> (Werner Koch via Gnupg-users's message of "Sun, 04 Oct 2020 18:28:31 +0200")
References: <87a6x2gdlc.fsf@wheatstone.g10code.de>
Message-ID: <871ridhlyq.fsf@wheatstone.g10code.de>

On Sun, 4 Oct 2020 18:28, Werner Koch said:
> On Tue, 23 Jun 2020 14:21, Brian L. Matthews said:
>
>> $ ./configure --prefix=$HOME/gnu
>> $ make
>>
>> successfully. However, on make check I found that it doesn't work if I
>> have a space in PATH. I do because VMWare Fusion adds
>
> Sure. That can't work. You need to quote the envvar:
>
> ./configure --prefix="$HOME"/gnu

Oops. The problem was PATH and not HOME. Anyway this has been fixed in
2.2.23 with commit b2590f2e47fe8ab7352a9e3769b195ff9f398dd7 . (I need to
port this fix to master, though.)

Salam-Shalom,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

From sac at 300baud.de Mon Oct 5 17:37:57 2020
From: sac at 300baud.de (Stefan Claas)
Date: Mon, 5 Oct 2020 17:37:57 +0200
Subject: Five volunteers needed (EU only please)
Message-ID: <20201005163757.0000391f@300baud.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi all,

while I did some JAB-Code experiments with MMS, to send GnuPG messages with a dumb
phone, I came up now with a new idea. :-)

For that I need five people who are willing to share with me their postal address.
You can send me your address GnuPG encrypted. I will not store your address on my
computer and will delete your email, once I received it.

My new idea is to send encrypted postcards or letters, with an NFC tag attached,
containing a GnuPG clearsigned test message. I like to see if the postcards will
arrive in proper condition, so that the NFC tags are still readable.

What you will get from me:

A postcard with Berlin photos on, an address sticker from me, containing the MacPGP
2.6.2 icon with the little secret agent and a valid international postal stamp with
a photo from me on. If you are a stamp/postcard collector, you will agree that this
is IMHO a collector's item. :-)

Why I came up with this idea? Well I thought of a way to send private content digitally,
without Internet usage, so that 3rd parties outside the EU have it difficult to intercept
such messages, in order to protect EU businesses and to show the young generation that
local postal services should be supported, in favor of a globally surveilled Internet.

A standard NFC tag can't store that much data, but there are different types available
and one can use also modern encryption software which gives you more encrypted payload.

Once I received your address (first come first serve) I will prepare the postcards
(hopefully tomorrow) and send them to you. It would be nice if participants would share
their experience, so that other GnuPG users could learn from it.

Please note, NFC tags can be used multiple times, so that for example Alice and Bob use
only one NFC tag with their letters, they exchange and those NFC tags can also be destroyed
with special* hardware devices or bought in a form that they get destroyed if someone tries
to take them off, from the carrier medium.

*https://nfckill.com/

The consumer hardware device I purchased:

https://www.nfc-tag-shop.de/en/nfc-hardware/147/acr1252u-nfc-forum-certified-reader/writer

Software one can use on their Desktop:

https://www.wakdev.com/en/apps/nfc-tools-pc-mac.html

and for people, living in Germany, regarding postal stamps with photos:

Regards
Stefan

NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems, we did not have without him.
-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQSrLUCq6cTfJ7mVKVa6FXdwLlPz5QUCX3s91gAKCRC6FXdwLlPz
5b/7AP9dAwbW5Hj4dW+eDKEK7abPjfhIonjV68Qbd3Uoi5cBywEApSjjqyUfXyXk
c5VbQTeg7dlC/QcxLufE0ZK2BpThDAA=
=yehG
-----END PGP SIGNATURE-----

From konstantin at linuxfoundation.org Mon Oct 5 18:01:48 2020
From: konstantin at linuxfoundation.org (Konstantin Ryabitsev)
Date: Mon, 5 Oct 2020 12:01:48 -0400
Subject: Five volunteers needed (EU only please)
In-Reply-To: <20201005163757.0000391f@300baud.de>
References: <20201005163757.0000391f@300baud.de>
Message-ID: <20201005160148.ohepiszdojxu53sj@chatter.i7.local>

On Mon, Oct 05, 2020 at 05:37:57PM +0200, Stefan Claas wrote:
>
> Why I came up with this idea? Well I thought of a way to send private content digitally,
> without Internet usage, so that 3rd parties outside the EU have it difficult to intercept
> such messages, in order to protect EU businesses and to show the young generation that
> local postal services should be supported, in favor of a globally surveilled Internet.

Wouldn't using NFC chips be counter to this goal? It's extremely easy to
identify the presence of NFC chips, such that an agency could easily
scan entire bags of mail to identify if there are any present.

As an aside, this reminded me of the "nonce encryption using two HOTP"
devices scheme that I thought up a while back:
https://paranoidbeavers.ca/spy-stuff.html

(the title wrongly calls it "forward secrecy," so just ignore that bit)

-K

From sac at 300baud.de Mon Oct 5 18:17:30 2020
From: sac at 300baud.de (Stefan Claas)
Date: Mon, 5 Oct 2020 18:17:30 +0200
Subject: Five volunteers needed (EU only please)
In-Reply-To: <20201005160148.ohepiszdojxu53sj@chatter.i7.local>
References: <20201005163757.0000391f@300baud.de> <20201005160148.ohepiszdojxu53sj@chatter.i7.local>
Message-ID: <20201005171730.00000619@300baud.de>

Konstantin Ryabitsev wrote:

> On Mon, Oct 05, 2020 at 05:37:57PM +0200, Stefan Claas wrote:
> >
> > Why I came up with this idea? Well I thought of a way to send private content digitally,
> > without Internet usage, so that 3rd parties outside the EU have it difficult to intercept
> > such messages, in order to protect EU businesses and to show the young generation that
> > local postal services should be supported, in favor of a globally surveilled Internet.
>
> Wouldn't using NFC chips be counter to this goal? It's extremely easy to
> identify the presence of NFC chips, such that an agency could easily
> scan entire bags of mail to identify if there are any present.

Yes, it is possible. However we have in Germany for example additional postal
services (PIN AG) one could use locally and I doubt (while I do not know)
that TLAs or LEAs currently require them to collect such data.

In case of letter usage, there are also RFID protection covers available, so
I would guess that these do not show that a letter contains an NFC tag.

https://www.getdigital.eu/RFID-Protection-Cover.html

I also assume that for example local postal services, regardless where they
are located have no deal yet with international TLAs, LEAs to hand over this
data.

Last but not least, they could also be used as dead drops, locally.

> As an aside, this reminded me of the "nonce encryption using two HOTP"
> devices scheme that I thought up a while back:
> https://paranoidbeavers.ca/spy-stuff.html
>
> (the title wrongly calls it "forward secrecy," so just ignore that bit)
>
> -K

Cool, thanks for the info! :-)

Regards
Stefan

-- 
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems, we did not have without him.

From johndoe65534 at mail.com Mon Oct 5 18:29:26 2020
From: johndoe65534 at mail.com (john doe)
Date: Mon, 5 Oct 2020 18:29:26 +0200
Subject: Five volunteers needed (EU only please)
In-Reply-To: <20201005171730.00000619@300baud.de>
References: <20201005163757.0000391f@300baud.de> <20201005160148.ohepiszdojxu53sj@chatter.i7.local> <20201005171730.00000619@300baud.de>
Message-ID:

On 10/5/2020 6:17 PM, Stefan Claas wrote:
> Konstantin Ryabitsev wrote:
>
>> On Mon, Oct 05, 2020 at 05:37:57PM +0200, Stefan Claas wrote:
>>>
>>> Why I came up with this idea? Well I thought of a way to send private content digitally,
>>> without Internet usage, so that 3rd parties outside the EU have it difficult to intercept
>>> such messages, in order to protect EU businesses and to show the young generation that
>>> local postal services should be supported, in favor of a globally surveilled Internet.
>>
>> Wouldn't using NFC chips be counter to this goal? It's extremely easy to
>> identify the presence of NFC chips, such that an agency could easily
>> scan entire bags of mail to identify if there are any present.
>
> Yes, it is possible. However we have in Germany for example additional postal
> services (PIN AG) one could use locally and I doubt (while I do not know)
> that TLAs or LEAs currently require them to collect such data.
>

You can't assume that this is also the case for other countries if you
are looking for EU contributors.

I must also say that I don't understand how this is related to this list.

-- 
John Doe

From sac at 300baud.de Mon Oct 5 20:06:34 2020
From: sac at 300baud.de (Stefan Claas)
Date: Mon, 5 Oct 2020 20:06:34 +0200
Subject: Five volunteers needed (EU only please)
In-Reply-To:
References: <20201005163757.0000391f@300baud.de> <20201005160148.ohepiszdojxu53sj@chatter.i7.local> <20201005171730.00000619@300baud.de>
Message-ID: <20201005190634.0000386e@300baud.de>

john doe wrote:

> On 10/5/2020 6:17 PM, Stefan Claas wrote:
> > Konstantin Ryabitsev wrote:
> >
> >> On Mon, Oct 05, 2020 at 05:37:57PM +0200, Stefan Claas wrote:
> >>>
> >>> Why I came up with this idea? Well I thought of a way to send private content digitally,
> >>> without Internet usage, so that 3rd parties outside the EU have it difficult to intercept
> >>> such messages, in order to protect EU businesses and to show the young generation that
> >>> local postal services should be supported, in favor of a globally surveilled Internet.
> >>
> >> Wouldn't using NFC chips be counter to this goal? It's extremely easy to
> >> identify the presence of NFC chips, such that an agency could easily
> >> scan entire bags of mail to identify if there are any present.
> >
> > Yes, it is possible. However we have in Germany for example additional postal
> > services (PIN AG) one could use locally and I doubt (while I do not know)
> > that TLAs or LEAs currently require them to collect such data.
> >
>
> You can't assume that this is also the case for other countries if you
> are looking for EU contributors.

I guess we need to figure it out, so that future generations can learn from
our experiences.

> I must also say that I don't understand how this is related to this list.

Well, this is debatable, but at least it shows GnuPG users, which rely on IMHO
outdated Internet PGP tutorials that there are other forms of GnuPG
communications available, besides classical email usage and it strengthens the
usage of GnuPG, compared to those smartphone crypto Messengers, or S/MIME email
usage etc.
People using GnuPG should appreciate these tips, even if they don't use them.

Regards
Stefan

-- 
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems, we did not have without him.

From sac at 300baud.de Mon Oct 5 23:44:17 2020
From: sac at 300baud.de (Stefan Claas)
Date: Mon, 5 Oct 2020 23:44:17 +0200
Subject: Five volunteers needed (EU only please)
In-Reply-To: <20201005163757.0000391f@300baud.de>
References: <20201005163757.0000391f@300baud.de>
Message-ID: <20201005224358.0000362a@300baud.de>

Stefan Claas wrote:

> Once I received your address (first come first serve) I will prepare the postcards
> (hopefully tomorrow) and send them to you. It would be nice if participants would share
> their experience, so that other GnuPG users could learn from it.

Ok. closed. Thanks to all participants, I will reply here once I have been at the post office.
(Hopefully tomorrow!)

Best regards
Stefan

-- 
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems, we did not have without him.

From m.fernandes.business at gmail.com Tue Oct 6 08:00:00 2020
From: m.fernandes.business at gmail.com (Mark Fernandes)
Date: Tue, 6 Oct 2020 07:00:00 +0100
Subject: Five volunteers needed (EU .... Are you sure that this is really advantageous?
In-Reply-To:
References:
Message-ID:

>
> Date: Mon, 5 Oct 2020 17:37:57 +0200
> From: Stefan Claas
> ...
> Subject: Five volunteers needed (EU only please)
> Message-ID: <20201005163757.0000391f at 300baud.de>
> Content-Type: text/plain; charset=US-ASCII
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hi all,
>
> ...
> My new idea is to send encrypted postcards or letters, with an NFC tag
> attached,
> containing a GnuPG clearsigned test message. ...
>
> Why I came up with this idea?
> Well I thought of a way to send private
> content digitally,
> without Internet usage, so that 3rd parties outside the EU have it
> difficult to intercept
> such messages, in order to protect EU businesses and to show the young
> generation that
> local postal services should be supported, in favor of a globally
> surveilled Internet.
>
> A standard NFC tag can't store that much data, but there are different
> types available
> and one can use also modern encryption software which gives you more
> encrypted payload.
>
> ...... those NFC tags can also be destroyed
> with special* hardware devices or bought in a form that they get destroyed
> if someone tries
> to take them off, from the carrier medium.
>

Hello Stefan. Forgive my ignorance, but I'm failing to see the significant
benefit of such a method. Is what you are proposing similar to sending an
encrypted message on CD via the post, that the recipient then gets
decrypted using the public key published on the internet?

I don't consider postal systems, even those in the EU, to be generally
secure or at least verifiable as being secure. Actually worked for a
Christmas stint at Royal Mail, helping out with the extra mail--didn't
convince me that mail was much secured. Postmen can be blackmailed, bribed,
or succumb to other methods of attack. What's stopping someone working in
the postal system from simply corruptly sending data to outside the EU?

Thanks,

Mark F

P. S. I have an idea about how public-private key encryption can be used
for detecting forged physical currency. But I suppose this is probably the
wrong forum for such things?

From sac at 300baud.de Tue Oct 6 12:34:43 2020
From: sac at 300baud.de (Stefan Claas)
Date: Tue, 6 Oct 2020 12:34:43 +0200
Subject: Five volunteers needed (EU .... Are you sure that this is really advantageous?
In-Reply-To:
References:
Message-ID: <20201006113425.00007f72@300baud.de>

Mark Fernandes wrote:

Hello Mark,

[...]

> Hello Stefan. Forgive my ignorance, but I'm failing to see the significant
> benefit of such a method. Is what you are proposing similar to sending an
> encrypted message on CD via the post, that the recipient then gets
> decrypted using the public key published on the internet?

Yes, it is the same procedure, except that I used postcards.

> I don't consider postal systems, even those in the EU, to be generally
> secure or at least verifiable as being secure. Actually worked for a
> Christmas stint at Royal Mail, helping out with the extra mail--didn't
> convince me that mail was much secured. Postmen can be blackmailed, bribed,
> or succumb to other methods of attack. What's stopping someone working in
> the postal system from simply corruptly sending data to outside the EU?

I strongly doubt that *hard working* postmen will do this, because sooner or
later this will be detected and investigated and it would cost postmen IMHO
valuable time (which they probably don't have) to copy and send my mail to
3rd parties outside the EU.

IIRC, postal services scan mail for the addresses, for automatic sorting
machines, but I have never read that they also scan letter content within a
letter or from postcards, which would violate the confidentiality of letters,
guaranteed by laws, in Germany and elsewhere.

And if you think, or someone else thinks that *hard working* postmen could be
not trusted, how about all the roots working at email providers? I am more
concerned nowadays (remember Edward Snowden handing over electronic documents
from his employer to third parties) that people (maybe part-time or intern
etc.) can hand over such data to 3rd parties outside the EU, much much easier
and without being detected.

If all Internet citizens had to / or would run their own postfix server then
this would be a different story IMHO.

Last but not least encrypted postcards were popular among couples many many
decades ago (if you google for encrypted postcards) and I think it is a valid
option, which I trust much much more than encrypted email (and I have email
since 1985).

Regards
Stefan

-- 
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems, we did not have without him.

From sac at 300baud.de Tue Oct 6 12:44:13 2020
From: sac at 300baud.de (Stefan Claas)
Date: Tue, 6 Oct 2020 12:44:13 +0200
Subject: Five volunteers needed (EU only please)
In-Reply-To: <20201005224358.0000362a@300baud.de>
References: <20201005163757.0000391f@300baud.de> <20201005224358.0000362a@300baud.de>
Message-ID: <20201006114413.00000eb2@300baud.de>

Stefan Claas wrote:

> Stefan Claas wrote:
>
> > Once I received your address (first come first serve) I will prepare the postcards
> > (hopefully tomorrow) and send them to you. It would be nice if participants would share
> > their experience, so that other GnuPG users could learn from it.
>
> Ok. closed. Thanks to all participants, I will reply here once I have been at the post office.
> (Hopefully tomorrow!)

Okay. Postcards to all participants were thrown in the mailbox at the post
office. Now let's see when they all arrive and if all works as expected.

I have also checked twice, with the Desktop NFC Software, that all tags work
after putting them on the postcards.

Regards
Stefan

-- 
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems, we did not have without him.

From jc.gnupg18a at unser.net Tue Oct 6 13:04:30 2020
From: jc.gnupg18a at unser.net (Juergen Christoffel)
Date: Tue, 6 Oct 2020 13:04:30 +0200
Subject: Five volunteers needed (EU only please)
In-Reply-To: <20201005163757.0000391f@300baud.de>
References: <20201005163757.0000391f@300baud.de>
Message-ID: <20201006110430.GA28834@unser.net>

On Mon, Oct 05, 2020 at 05:37:57PM +0200, Stefan Claas wrote:
>
>My new idea is to send encrypted postcards or letters, with an NFC tag attached,
>containing a GnuPG clearsigned test message. I like to see if the postcards will
>arrive in proper condition, so that the NFC tags are still readable.

Looks like an over-engineered idea to me: why use NFC tags when simple QR
codes printed on paper would be sufficient? And probably less prone to
detection or damage, I expect.

--jc

-- 
I love deadlines. I love the whooshing sound they make as they fly by.
-- Douglas Adams

From sac at 300baud.de Tue Oct 6 16:49:15 2020
From: sac at 300baud.de (Stefan Claas)
Date: Tue, 6 Oct 2020 16:49:15 +0200
Subject: Five volunteers needed (EU only please)
In-Reply-To: <20201006110430.GA28834@unser.net>
References: <20201005163757.0000391f@300baud.de> <20201006110430.GA28834@unser.net>
Message-ID: <20201006154915.00002f6e@300baud.de>

Juergen Christoffel wrote:

> On Mon, Oct 05, 2020 at 05:37:57PM +0200, Stefan Claas wrote:
> >
> >My new idea is to send encrypted postcards or letters, with an NFC tag attached,
> >containing a GnuPG clearsigned test message. I like to see if the postcards will
> >arrive in proper condition, so that the NFC tags are still readable.
>
> Looks like an over-engineered idea to me: why use NFC tags when simple QR
> codes printed on paper would be sufficient? And probably less prone to
> detection or damage, I expect.

Good question. QR codes needs for example a printer and stickers too, if
not printed directly on postcards.
My new Epson printer, for example, does
not support feeding of postcards or other thick materials, only standard
paper and photo paper.

Maybe we should ask ourselves why NFC tags were invented if QR-code would
be sufficient.

Regards
Stefan

-- 
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems, we did not have without him.

From sac at 300baud.de Tue Oct 6 16:58:28 2020
From: sac at 300baud.de (Stefan Claas)
Date: Tue, 6 Oct 2020 16:58:28 +0200
Subject: Five volunteers needed (EU only please)
In-Reply-To: <20201006154915.00002f6e@300baud.de>
References: <20201005163757.0000391f@300baud.de> <20201006110430.GA28834@unser.net> <20201006154915.00002f6e@300baud.de>
Message-ID: <20201006155828.0000045d@300baud.de>

Stefan Claas wrote:

> Juergen Christoffel wrote:
>
> > On Mon, Oct 05, 2020 at 05:37:57PM +0200, Stefan Claas wrote:
> > >
> > >My new idea is to send encrypted postcards or letters, with an NFC tag attached,
> > >containing a GnuPG clearsigned test message. I like to see if the postcards will
> > >arrive in proper condition, so that the NFC tags are still readable.
> >
> > Looks like an over-engineered idea to me: why use NFC tags when simple QR
> > codes printed on paper would be sufficient? And probably less prone to
> > detection or damage, I expect.
>
> Good question. QR codes needs for example a printer and stickers too, if
> not printed directly on postcards. My new Epson printer, for example, does
> not support feeding of postcards or other thick materials, only standard
> paper and photo paper.

P.S. and NFC tags can be written multiple times to and not like QR-codes
only written one time per sticker, so probably more useful for Alice's and
Bob's letter exchanges, when using only one tag. And if one likes they can
be also password protected, prior accessing the (encrypted) content.

Regards
Stefan

-- 
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems, we did not have without him.

From jc.gnupg18a at unser.net Tue Oct 6 17:27:33 2020
From: jc.gnupg18a at unser.net (Juergen Christoffel)
Date: Tue, 6 Oct 2020 17:27:33 +0200
Subject: Five volunteers needed (EU only please)
In-Reply-To: <20201006154915.00002f6e@300baud.de>
References: <20201005163757.0000391f@300baud.de> <20201006110430.GA28834@unser.net> <20201006154915.00002f6e@300baud.de>
Message-ID: <20201006152733.GA30610@unser.net>

On Tue, Oct 06, 2020 at 04:49:15PM +0200, Stefan Claas wrote:
>
>Good question. QR codes needs for example a printer and stickers too, if
>not printed directly on postcards. My new Epson printer, for example, does
>not support feeding of postcards or other thick materials, only standard
>paper and photo paper.

We are moving a bit far away from GnuPG issues, but ... ;-)

a) you'll neither need stickers nor postcards, just a standard sheet of
plain paper.

b) you can generate QR codes without using a smartphone (e.g. qrencode
on Linux systems) but easily on smartphones without NFC hardware too.

>maybe we should ask ourselves why NFC tags were invented if QR-code would
>be sufficient.

c) NFC capable smartphones still are less common than smartphones with
cameras to scan QR codes, so if you want to expand the set of possible
recipients and senders, you should think about the least common denominator
instead.

d) NFC tags have their uses, but weren't invented to replace or augment QR
codes. And besides being cheaper to produce, QR codes are much more
resilient.

Finally: using password protected NFC tags to carry encrypted content seems
a bit of overkill or over engineering too. But one could read a tag without
opening the letter that would be used to ship it, which obviously would be
a bit harder with QR codes ...

--jc

P.S. Last but not least, we could send QR codes via email!
;-0

-- 
Never underestimate the bandwidth of a station wagon full of tapes hurtling down
the highway. -- Andrew S. Tanenbaum

From sac at 300baud.de Tue Oct 6 18:23:40 2020
From: sac at 300baud.de (Stefan Claas)
Date: Tue, 6 Oct 2020 18:23:40 +0200
Subject: Five volunteers needed (EU only please)
In-Reply-To: <20201006152733.GA30610@unser.net>
References: <20201005163757.0000391f@300baud.de> <20201006110430.GA28834@unser.net> <20201006154915.00002f6e@300baud.de> <20201006152733.GA30610@unser.net>
Message-ID: <20201006172340.00002618@300baud.de>

Juergen Christoffel wrote:

> On Tue, Oct 06, 2020 at 04:49:15PM +0200, Stefan Claas wrote:
> >
> >Good question. QR codes needs for example a printer and stickers too, if
> >not printed directly on postcards. My new Epson printer, for example, does
> >not support feeding of postcards or other thick materials, only standard
> >paper and photo paper.
>
> We are moving a bit far away from GnuPG issues, but ... ;-)
>
> a) you'll neither need stickers nor postcards, just a standard sheet of
> plain paper.

I like to promote the postcards option because the postage is cheaper than
letters if not done regularly.

> b) you can generate QR codes without using a smartphone (e.g. qrencode
> on Linux systems) but easily on smartphones without NFC hardware too.

Yes, but like I said, can be written to only once.

> >maybe we should ask ourselves why NFC tags were invented if QR-code would
> >be sufficient.
>
> c) NFC capable smartphones still are less common than smartphones with
> cameras to scan QR codes, so if you want to expand the set of possible
> recipients and senders, you should think about the least common denominator
> instead.

I think if people have the funds to buy a more or less expensive smartphone
they can probably invest in an additional consumer grade reader/writer (for
offline usage) too.

> P.S. Last but not least, we could send QR codes via email! ;-0

Which my idea avoids, i.e.
using super über mega cool local postal services, to support our *hard
working* local postmen, instead of globally supporting people with root
privileges etc! :-D

Remember even Russian authorities, according to reports from 2013, are using
German typewriters now, which means, at least to me, that the smart Russians
are using their postal service too, or couriers, instead of email. ;-)

Regards
Stefan

-- 
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems, we did not have without him.

From ryan at digicana.com Tue Oct 6 23:58:40 2020
From: ryan at digicana.com (Ryan McGinnis)
Date: Tue, 06 Oct 2020 21:58:40 +0000
Subject: Five volunteers needed (EU only please)
In-Reply-To: <20201005163757.0000391f@300baud.de>
References: <20201005163757.0000391f@300baud.de>
Message-ID: <454d08f4-2eb6-8942-41bd-e16bcd296241@digicana.com>

Perhaps just use QR codes? Easily scanned and imported by a digital
device. Message size is limited, but probably enough. If not, you can
maybe use multiple QR codes. This reply, encrypted to you, is contained
in the linked QR below:

https://imgur.com/a/JoPjgGH

On 10/5/20 10:37 AM, Stefan Claas wrote:
> Hi all,
>
> while I did some JAB-Code experiments with MMS, to send GnuPG messages with a dumb
> phone, I came up now with a new idea. :-)
>
> For that I need five people who are willing to share with me their postal address.
> You can send me your address GnuPG encrypted. I will not store your address on my
> computer and will delete your email, once I received it.
>
> My new idea is to send encrypted postcards or letters, with an NFC tag attached,
> containing a GnuPG clearsigned test message. I like to see if the postcards will
> arrive in proper condition, so that the NFC tags are still readable.
>
> What you will get from me:
>
> A postcard with Berlin photos on, an address sticker from me, containing the MacPGP
> 2.6.2 icon with the little secret agent and a valid international postal stamp with
> a photo from me on. If you are a stamp/postcard collector, you will agree that this
> is IMHO a collector's item. :-)
>
> Why I came up with this idea? Well I thought of a way to send private content digitally,
> without Internet usage, so that 3rd parties outside the EU have it difficult to intercept
> such messages, in order to protect EU businesses and to show the young generation that
> local postal services should be supported, in favor of a globally surveilled Internet.
>
> A standard NFC tag can't store that much data, but there are different types available
> and one can use also modern encryption software which gives you more encrypted payload.
>
> Once I received your address (first come first serve) I will prepare the postcards
> (hopefully tomorrow) and send them to you. It would be nice if participants would share
> their experience, so that other GnuPG users could learn from it.
>
> Please note, NFC tags can be used multiple times, so that for example Alice and Bob use
> only one NFC tag with their letters, they exchange and those NFC tags can also be destroyed
> with special* hardware devices or bought in a form that they get destroyed if someone tries
> to take them off, from the carrier medium.
>
> *https://nfckill.com/
>
> The consumer hardware device I purchased:
>
> https://www.nfc-tag-shop.de/en/nfc-hardware/147/acr1252u-nfc-forum-certified-reader/writer
>
> Software one can use on their Desktop:
>
> https://www.wakdev.com/en/apps/nfc-tools-pc-mac.html
>
> and for people, living in Germany, regarding postal stamps with photos:
>
>
>
> Regards
> Stefan
>
> NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
> The computer helps us to solve problems, we did not have without him.

-- 
-Ryan McGinnis
http://bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

From ryan at digicana.com Wed Oct 7 00:20:23 2020
From: ryan at digicana.com (Ryan McGinnis)
Date: Tue, 06 Oct 2020 22:20:23 +0000
Subject: Five volunteers needed (EU only please)
In-Reply-To: <20201006152733.GA30610@unser.net>
References: <20201005163757.0000391f@300baud.de> <20201006110430.GA28834@unser.net> <20201006154915.00002f6e@300baud.de> <20201006152733.GA30610@unser.net>
Message-ID: <57fc08e0-dca2-45b6-6065-ab7c12602a91@digicana.com>

Yeah, though if you wanted to be sneaky-do you could encrypt a message,
put it on a QR sticker, slap the sticker on some traffic pole as a dead
drop, and let it hide in plain sight until your intended recipient came
by and snapped a shot of it. My guess is that if the world ever gets to
the crazy point where people feel they need to send GPG messages through
non-electronic means, you're just as likely to get the rubber hose and
time-out-in-the-little-box treatment for sending paper mail to someone
with GPG'd QR codes or RFID tags as you are for sending GPG'd emails.

Some of this stuff is just silly, of course, we're nerds not spies, but
if you're going to dial the paranoia to 11 you may as well be consistent
about it.

On 10/6/20 10:27 AM, Juergen Christoffel wrote:
> On Tue, Oct 06, 2020 at 04:49:15PM +0200, Stefan Claas wrote:
>
> Finally: using password protected NFC tags to carry encrypted content seems
> a bit of overkill or over engineering too. But one could read a tag without
> opening the letter that would be used to ship it, which obviously would be
> a bit harder with QR codes ...
>
> --jc
>
> P.S. Last but not least, we could send QR codes via email!
> ;-0
>
> --
> Never underestimate the bandwidth of a station wagon full of tapes hurtling down
> the highway. -- Andrew S. Tanenbaum

--
-Ryan McGinnis
http://bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

From sac at 300baud.de Wed Oct 7 00:43:29 2020
From: sac at 300baud.de (Stefan Claas)
Date: Wed, 7 Oct 2020 00:43:29 +0200
Subject: Five volunteers needed (EU only please)
In-Reply-To: <454d08f4-2eb6-8942-41bd-e16bcd296241@digicana.com>
References: <20201005163757.0000391f@300baud.de> <454d08f4-2eb6-8942-41bd-e16bcd296241@digicana.com>
Message-ID: <20201006234227.00004302@300baud.de>

Ryan McGinnis via Gnupg-users wrote:

> Perhaps just use QR codes? Easily scanned and imported by a digital
> device. Message size is limited, but probably enough. If not, you can
> maybe use multiple QR codes. This reply, encrypted to you, is contained
> in the linked QR below:

Well, I currently have no QR-Code Software installed and I need to do
then some test with your fairly large image (2000x2000 pixels in size,
72 dpi).

Regards
Stefan

--
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems, we did not have without him.

From ryan at digicana.com Wed Oct 7 01:04:06 2020
From: ryan at digicana.com (Ryan McGinnis)
Date: Tue, 06 Oct 2020 23:04:06 +0000
Subject: Five volunteers needed (EU only please)
In-Reply-To: <20201006234227.00004302@300baud.de>
References: <20201005163757.0000391f@300baud.de> <454d08f4-2eb6-8942-41bd-e16bcd296241@digicana.com> <20201006234227.00004302@300baud.de>
Message-ID:

An HTML attachment was scrubbed...
From sac at 300baud.de Wed Oct 7 01:09:38 2020
From: sac at 300baud.de (Stefan Claas)
Date: Wed, 7 Oct 2020 01:09:38 +0200
Subject: Five volunteers needed (EU only please)
In-Reply-To: <57fc08e0-dca2-45b6-6065-ab7c12602a91@digicana.com>
References: <20201005163757.0000391f@300baud.de> <20201006110430.GA28834@unser.net> <20201006154915.00002f6e@300baud.de> <20201006152733.GA30610@unser.net> <57fc08e0-dca2-45b6-6065-ab7c12602a91@digicana.com>
Message-ID: <20201007000910.00004b82@300baud.de>

Ryan McGinnis via Gnupg-users wrote:

> Yeah, though if you wanted to be sneaky-do you could encrypt a message,
> put it on a QR sticker, slap the sticker on some traffic pole as a dead
> drop, and let it hide in plain sight until your intended recipient came
> by and snapped a shot of it. My guess is that if the world ever gets to
> the crazy point where people feel they need to send GPG messages through
> non-electronic means, you're just as likely to get the rubber hose and
> time-out-in-the-little-box treatment for sending paper mail to someone
> with GPG'd QR codes or RFID tags as you are for sending GPG'd emails.

[...]

Why would people be treated in that way, once they decide to switch from
(free (guess why...)) electronic mail back to good old (paid) postal mail?

Regards
Stefan

--
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems, we did not have without him.
From sac at 300baud.de Wed Oct 7 01:44:06 2020
From: sac at 300baud.de (Stefan Claas)
Date: Wed, 7 Oct 2020 01:44:06 +0200
Subject: Five volunteers needed (EU only please)
In-Reply-To:
References: <20201005163757.0000391f@300baud.de> <454d08f4-2eb6-8942-41bd-e16bcd296241@digicana.com> <20201006234227.00004302@300baud.de>
Message-ID: <20201007004356.00005939@300baud.de>

Ryan McGinnis via Gnupg-users wrote:

> Sure, but you gotta admit that you're an extreme edge case of a group of users that are already kinda edge cases. Most
> people have QR readers and just don't realize it. Very few people would need this kind of offline method anyhow, and those
> that would probably have much better spycraft than we can dream up here, stuff far beyond putting RFIDs on postcards or QR
> codes on traffic poles.

Yes, I admit this and I think it is good to show these possibilities to
people grown up in an Internet regulated world.

> The size BTW is arbitrary and can be changed within reason in software, but you want fairly high resolution if you plan to
> print it. 300 ppi at 2K res would give you around 6 inches size printed. A 1,000 by 1,000 file would make a nice 3x3 inch
> sticker or back of a postcard.

I am aware of this and if you mean 6x6 inches, if understood correctly,
this would be too large for a postcard. Well, anyways I will check your
example out tomorrow.

Regards
Stefan

--
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems, we did not have without him.

From guru at unixarea.de Wed Oct 7 08:53:26 2020
From: guru at unixarea.de (Matthias Apitz)
Date: Wed, 7 Oct 2020 08:53:26 +0200
Subject: Five volunteers needed (EU only please)
In-Reply-To: <20201005163757.0000391f@300baud.de>
References: <20201005163757.0000391f@300baud.de>
Message-ID: <20201007065326.GA3658@r314251-amd64>

On Monday, October 05, 2020 at 05:37:57 p.m. +0200, Stefan Claas wrote:

> ...
>
> Why I came up with this idea?
> Well I thought of a way to send private content digitally,
> without Internet usage, so that 3rd parties outside the EU have it difficult to intercept
> such messages, in order to protect EU businesses and to show the young generation that
> local postal services should be supported, in favor of a globally surveilled Internet.
>

I think, even 3rd parties inside the EU will (and should) have it
difficult to intercept messages in order to protect communication in the
EU (and not only businesses). Why do you underline outside only?

	matthias

--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
Without books no knowledge - without knowledge no communism (Vladimir Ilyich Lenin)

From 2017-r3sgs86x8e-lists-groups at riseup.net Wed Oct 7 09:14:31 2020
From: 2017-r3sgs86x8e-lists-groups at riseup.net (MFPA)
Date: Wed, 7 Oct 2020 08:14:31 +0100
Subject: Five volunteers needed (EU only please)
In-Reply-To: <20201006172340.00002618@300baud.de>
References: <20201005163757.0000391f@300baud.de> <20201006110430.GA28834@unser.net> <20201006154915.00002f6e@300baud.de> <20201006152733.GA30610@unser.net> <20201006172340.00002618@300baud.de>
Message-ID: <357513605.20201007081404@mail.riseup.net>

Hi

On Tuesday 6 October 2020 at 5:23:40 PM, in , Stefan Claas wrote:-

> I like to promote the postcards option because the
> postage is cheaper than
> letters if not done regularly.

Only in some countries. Always been exactly the same price where I live.

--
Best regards

MFPA

Live your life as though every day it was your last.
From wk at gnupg.org Wed Oct 7 09:11:52 2020
From: wk at gnupg.org (Werner Koch)
Date: Wed, 07 Oct 2020 09:11:52 +0200
Subject: No single-page manual on gnupg.org
In-Reply-To: <5za9q0yh.dag@gnui.org> (Dmitry Alexandrov's message of "Mon, 27 Jul 2020 03:02:46 +0300")
References: <5za9q0yh.dag@gnui.org>
Message-ID: <878scifr2f.fsf@wheatstone.g10code.de>

On Mon, 27 Jul 2020 03:02, Dmitry Alexandrov said:

> it would really help those, who do not use Emacs (it's odd, but there
> are such people!), if there would be single-page version of the manual
> (makeinfo --html --no-split ...) - just like all software on gnu.org

Please use the PDF version instead. It is easy to search in PDF files.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From sac at 300baud.de Wed Oct 7 09:52:50 2020
From: sac at 300baud.de (Stefan Claas)
Date: Wed, 7 Oct 2020 09:52:50 +0200
Subject: Five volunteers needed (EU only please)
In-Reply-To: <20201007065326.GA3658@r314251-amd64>
References: <20201005163757.0000391f@300baud.de> <20201007065326.GA3658@r314251-amd64>
Message-ID: <20201007085250.00001807@300baud.de>

Matthias Apitz wrote:

> On Monday, October 05, 2020 at 05:37:57 p.m. +0200, Stefan Claas wrote:
>
> > ...
> >
> > Why I came up with this idea? Well I thought of a way to send private content digitally,
> > without Internet usage, so that 3rd parties outside the EU have it difficult to intercept
> > such messages, in order to protect EU businesses and to show the young generation that
> > local postal services should be supported, in favor of a globally surveilled Internet.
> >
>
> I think, even 3rd parties inside the EU will (and should) have it
> difficult to intercept messages in order to protect communication in the
> EU (and not only businesses). Why do you underlined outside only?

I think when it comes to mass surveillance or cyber threats these things
usually originate from regions outside the EU but unfortunately affects
citizens or businesses in the EU too.

Regards
Stefan

--
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems, we did not have without him.

From m.fernandes.business at gmail.com Wed Oct 7 10:26:15 2020
From: m.fernandes.business at gmail.com (Mark Fernandes)
Date: Wed, 7 Oct 2020 09:26:15 +0100
Subject: Five volunteers needed (EU .... Are you sure that this is really advantageous?
In-Reply-To:
References:
Message-ID:

>
> Date: Tue, 6 Oct 2020 12:34:43 +0200
> From: Stefan Claas
> To: Mark Fernandes ,
> gnupg-users at gnupg.org
> Subject: Re: Five volunteers needed (EU .... Are you sure that this is
> really advantageous?
> Message-ID: <20201006113425.00007f72 at 300baud.de>
> Content-Type: text/plain; charset=US-ASCII
>
> ... I strongly doubt that *hard working* postmen will do this, because sooner or
> later this will be detected and investigated and it would cost postmen IMHO
> valuable time (which they probably don't have) to copy and send my mail to
> 3rd parties outside the EU. IIRC, postal services scan mail for the
> addresses,
> for automatic sorting machines, but I have never read that they also scan
> letter content within a letter or from postcards, which would violate
> the confidentiality of letters, guaranteed by laws, in Germany and
> elsewhere.
>
> And if you think, or someone else thinks that *hard working* postmen could
> be not trusted, how about all the roots working at email providers?
> I am more concerned nowadays (remember Edward Snowden handing over electronic
> documents from his employer to third parties) that people (maybe part-time
> or intern etc.) can hand over such data to 3rd parties outside the EU,
> much much easier and without being detected.
>
>

Hello Stefan. I'm not saying hard-working, honest postmen would do this,
but not all postmen are necessarily hard-working and honest. How difficult
is it to steam-open an envelope, take a photo of the contents with your
smartphone, send it abroad, and then reseal the envelope? And that's just
the obvious form of corruption... My father lived through a revolution in
the country of his birth, and ended-up leaving the country. The people who
caused the revolution likely didn't all of a sudden organise; probably
through clandestine, and partly corrupt practices, they organised and
planned their attacks. Believing that the postal systems are definitely
secure just seems unwarranted.

I tend to think (perhaps you might say wrongly), that the internet
represents a more secure form of communication, partly because of its
history of origin and development being based in the US military.

Concerning the roots of email providers, I was under the belief that often
internet services were encrypted such that employees of a provider
basically couldn't see user assets in unencrypted form. I would be
surprised if Google employees could read my emails without somehow getting
the password from me. I know email isn't necessarily secure, but so far as
employees and company resources at the provider's end, I don't think they
can do much really. Extra efforts would have to be made to intercept
unencrypted traffic. If I just sent a GMAIL email to another GMAIL address,
because such emails are not at all sent unencrypted (as far as I know), it
would be impossible to read the email unless they somehow hacked my user
environment, eg. if they did something like capturing my password using
hidden cameras in my room.
Perhaps I'm wrong?

I'm definitely not saying that the postal system can't be used. But I'm
just saying that perhaps it doesn't represent more than a little more
security than certain digital forms of communication. The good thing about
cryptography algorithms, is that you can study the mathematics behind them,
and convince yourself that they work. Whereas with the postal system, it's
more based simply on reputation and the word of other people. The
algorithms can be verified by users, but the same doesn't seem much true
with the postal system.

Your idea though, of using both digital comms and the postal system
together, is probably a good one, but just not sure you have the right form
yet.

Thanks,

Mark F

From sac at 300baud.de Wed Oct 7 14:33:04 2020
From: sac at 300baud.de (Stefan Claas)
Date: Wed, 7 Oct 2020 14:33:04 +0200
Subject: Five volunteers needed (EU .... Are you sure that this is really advantageous?
In-Reply-To:
References:
Message-ID: <20201007133304.00003f4d@300baud.de>

Mark Fernandes wrote:

[...]

Hello Mark,

> Hello Stefan. I'm not saying hard-working, honest postmen would do this,
> but not all postmen are necessarily hard-working and honest. How difficult
> is it to steam-open an envelope, take a photo of the contents with your
> smartphone, send it abroad, and then reseal the envelope? And that's just
> the obvious form of corruption... My father lived through a revolution in
> the country of his birth, and ended-up leaving the country. The people who
> caused the revolution likely didn't all of a sudden organise; probably
> through clandestine, and partly corrupt practices, they organised and
> planned their attacks. Believing that the postal systems are definitely
> secure just seems unwarranted.
Yes, understand, but people who are sending (encrypted) sensitive things
with postal mail can also use security envelopes, which does not let light
shine through, can use covers for NFC tags and additionally tamper evident
bags so that a bribed postman could not photograph the content of the
letter. This is all available for purchase online.

> I tend to think (perhaps you might say wrongly), that the internet
> represents a more secure form of communication, partly because of its
> history of origin and development being based in the US military.

I like to say it this way, when the ARPANET and later the relatively small
Internet, compared to other global networks came up people did not rely on
encryption and their communications were somewhat more secure, because of
how OSs for the computers and the used software was designed, compared with
nowadays hardware / software components.

> Concerning the roots of email providers, I was under the belief that often
> internet services were encrypted such that employees of a provider
> basically couldn't see user assets in unencrypted form. I would be
> surprised if Google employees could read my emails without somehow getting
> the password from me. I know email isn't necessarily secure, but so far as
> employees and company resources at the provider's end, I don't think they
> can do much really. Extra efforts would have to be made to intercept
> unencrypted traffic. If I just sent a GMAIL email to another GMAIL address,
> because such emails are not at all sent unencrypted (as far as I know), it
> would be impossible to read the email unless they somehow hacked my user
> environment, eg. if they did something like capturing my password using
> hidden cameras in my room. Perhaps I'm wrong?

Well, first of all, we should ask ourselves why in the world do people get
so many many services on the Internet for *free* ...? I think it has to do
with the U.S. Supremacy & Leadership role.
Normally when you or me would start a business you would need a lot of
money, then secure your business, and finally charge users, so that you can
make an income for you and your employees and cover the monthly network
traffic/hardware/maintenance costs.

Regarding Google Mail etc. These services are run on multi-user systems and
people with super-user privileges, which a root user assigned to them, can
control the whole system and does not need your encrypted and salted
password to access your account. However, your email is encrypted in
transient when it leaves the servers or arrives at servers.

Modern and privacy oriented email services like Tutanota or ProtonMail do
not allow this, because their servers encrypt your email, while it rests on
the servers. Hence probably why these modern services receive often heavily
DDOS attacks...

What a lot of people probably don't know, when we had global (and local)
Online Services decades ago, like CompuServe, AOL etc, where you could also
chat, write email and had forums. users have *been charged monthly* for
using these Online Services, besides, the access points they used! And
these business were successful and had millions of users.

Later when Al Gore 'invented' the Internet all these cool and good
Networks, Online Services etc. disappeared.

In case you have access to a good library, with computer books, or can get
old computer books from sellers, I highly recommend the book "The Matrix",
from John S. Quarterman. The Book is from the late 80's and shows people
that we had plenty of global computer networks and which all no longer
exist.

> I'm definitely not saying that the postal system can't be used. But I'm
> just saying that perhaps it doesn't represent more than a little more
> security than certain digital forms of communication. The good thing about
> cryptography algorithms, is that you can study the mathematics behind them,
> and convince yourself that they work.
> Whereas with the postal system, it's
> more based simply on reputation and the word of other people. The
> algorithms can be verified by users, but the same doesn't seem much true
> with the postal system.

Correct, but my idea is based on that people can use the postal system with
encryption too.

> Your idea though, of using both digital comms and the postal system
> together, is probably a good one, but just not sure you have the right form
> yet.

Well, I think, in 2020 and ongoing it is a good and valid option and let's
see how this will pan out, i.e. hearing later politicians and LEA saying
the same thing what they say about encryption on the Internet ... Once this
will happen then we see that they need, for what ever reason, full control
of people's digital content.

Regards
Stefan

--
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems, we did not have without him.

From sac at 300baud.de Wed Oct 7 15:36:53 2020
From: sac at 300baud.de (Stefan Claas)
Date: Wed, 7 Oct 2020 15:36:53 +0200
Subject: Five volunteers needed (EU only please)
In-Reply-To: <454d08f4-2eb6-8942-41bd-e16bcd296241@digicana.com>
References: <20201005163757.0000391f@300baud.de> <454d08f4-2eb6-8942-41bd-e16bcd296241@digicana.com>
Message-ID: <20201007143644.0000146a@300baud.de>

Ryan McGinnis via Gnupg-users wrote:

> Perhaps just use QR codes? Easily scanned and imported by a digital
> device. Message size is limited, but probably enough. If not, you can
> maybe use multiple QR codes. This reply, encrypted to you, is contained
> in the linked QR below:

I just downloaded a free QR-Code app from Microsoft's Store and I was able
to decode and decrypt the message. It ends with '...linked QR below:'
but does not contain the link. I must say that for me and the provided
content, the image size is too big for my taste. I will feed now the message
into JAB-code and see how big the image size is there.
A user reported to me that with his QR-Code software he was not able to
decode the message. He usually had always good results with QR-code in the
past. Maybe you can tell me what QR-Code software you used, so that the
user can try with a different or the same software.

Regards
Stefan

--
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems, we did not have without him.

From sac at 300baud.de Wed Oct 7 15:45:30 2020
From: sac at 300baud.de (Stefan Claas)
Date: Wed, 7 Oct 2020 15:45:30 +0200
Subject: Five volunteers needed (EU only please)
In-Reply-To: <20201007143644.0000146a@300baud.de>
References: <20201005163757.0000391f@300baud.de> <454d08f4-2eb6-8942-41bd-e16bcd296241@digicana.com> <20201007143644.0000146a@300baud.de>
Message-ID: <20201007144530.00003a0b@300baud.de>

Stefan Claas wrote:

> Ryan McGinnis via Gnupg-users wrote:
>
> > Perhaps just use QR codes? Easily scanned and imported by a digital
> > device. Message size is limited, but probably enough. If not, you can
> > maybe use multiple QR codes. This reply, encrypted to you, is contained
> > in the linked QR below:
>
> I just downloaded a free QR-Code app from Microsoft's Store and I was able
> to decode and decrypt the message. It ends with '...linked QR below:'
> but does not contain the link. I must say that for me and the provided
> content, the image size is too big for my taste. I will feed now the message
> into JAB-code and see how big the image size is there.

Ok. the message from you is with a JAB-Code generated .png image:

396x396 pixels with 72 dpi, compared to your 2000x2000 pixels with 72 dpi.

P.S. I do have for Windows users jabcodeReader.exe and jabcodeWriter.exe
available, if someone likes to play with Fraunhofer's JABcode offline.

https://jabcode.org/

Regards
Stefan

--
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems, we did not have without him.
From sac at 300baud.de Wed Oct 7 16:13:09 2020
From: sac at 300baud.de (Stefan Claas)
Date: Wed, 7 Oct 2020 16:13:09 +0200
Subject: Five volunteers needed (EU only please)
In-Reply-To: <20201007144530.00003a0b@300baud.de>
References: <20201005163757.0000391f@300baud.de> <454d08f4-2eb6-8942-41bd-e16bcd296241@digicana.com> <20201007143644.0000146a@300baud.de> <20201007144530.00003a0b@300baud.de>
Message-ID: <20201007151309.00003120@300baud.de>

Stefan Claas wrote:

> Stefan Claas wrote:
>
> > Ryan McGinnis via Gnupg-users wrote:
> >
> > > Perhaps just use QR codes? Easily scanned and imported by a digital
> > > device. Message size is limited, but probably enough. If not, you can
> > > maybe use multiple QR codes. This reply, encrypted to you, is contained
> > > in the linked QR below:
> >
> > I just downloaded a free QR-Code app from Microsoft's Store and I was able
> > to decode and decrypt the message. It ends with '...linked QR below:'
> > but does not contain the link. I must say that for me and the provided
> > content, the image size is too big for my taste. I will feed now the message
> > into JAB-code and see how big the image size is there.
>
> Ok. the message from you is with a JAB-Code generated .png image:
>
> 396x396 pixels with 72 dpi, compared to your 2000x2000 pixels with 72 dpi.

SORRY!!! I accidentally encoded the plain text and not the PGP message.

The correct result is 1020x1020 pixels!

Regards
Stefan

--
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems, we did not have without him.
From remco at webconquest.com Wed Oct 7 15:54:33 2020
From: remco at webconquest.com (Remco Rĳnders)
Date: Wed, 7 Oct 2020 09:54:33 -0400
Subject: Five volunteers needed (EU only please)
In-Reply-To: <20201007144530.00003a0b@300baud.de>
References: <20201005163757.0000391f@300baud.de> <454d08f4-2eb6-8942-41bd-e16bcd296241@digicana.com> <20201007143644.0000146a@300baud.de> <20201007144530.00003a0b@300baud.de>
Message-ID:

Hi Stefan,

I feel (speaking only for myself), that this subject has ventured off far enough
to no longer be on topic for this list, if it ever was to begin with. While it
might make for interesting reading, other forums might be more suitable for it,
or even a postal only remailing club or something, I don't know.

Thanks,

Remco

From sac at 300baud.de Wed Oct 7 18:59:35 2020
From: sac at 300baud.de (Stefan Claas)
Date: Wed, 7 Oct 2020 18:59:35 +0200
Subject: Five volunteers needed (EU only please)
In-Reply-To:
References: <20201005163757.0000391f@300baud.de> <454d08f4-2eb6-8942-41bd-e16bcd296241@digicana.com> <20201007143644.0000146a@300baud.de> <20201007144530.00003a0b@300baud.de>
Message-ID: <20201007175935.000033f3@300baud.de>

Remco Rĳnders wrote:

> Hi Stefan,
>
> I feel (speaking only for myself), that this subject has ventured off far enough
> to no longer be on topic for this list, if it ever was to begin with. While it
> might make for interesting reading, other forums might be more suitable for it,
> or even a postal only remailing club or something, I don't know.

Hi Remco,

sorry about that, but at least this thread is intended for GnuPG users and
an IMHO new way for GnuPG users to communicate and due to this subject it
can get quite a bit off-topic. But since this is relatively small ASCII
text only and not the same as HTML spam email, with pictures, I desperately
hope that the majority of GnuPG users can handle this. Or maybe people
could put such threads and me into killfiles etc.
Regards
Stefan

--
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems, we did not have without him.

From 2017-r3sgs86x8e-lists-groups at riseup.net Wed Oct 7 22:17:59 2020
From: 2017-r3sgs86x8e-lists-groups at riseup.net (MFPA)
Date: Wed, 7 Oct 2020 21:17:59 +0100
Subject: Five volunteers needed (EU .... Are you sure that this is really advantageous?
In-Reply-To: <20201007133304.00003f4d@300baud.de>
References: <20201007133304.00003f4d@300baud.de>
Message-ID: <441282078.20201007211733@mail.riseup.net>

Hi

On Wednesday 7 October 2020 at 1:33:04 PM, in , Stefan Claas wrote:-

> Later when Al Gore 'invented' the Internet

I thought Tim Berners-Lee invented the internet in 1989.

--
Best regards

MFPA

I miss civilisation and I want it back.

From sac at 300baud.de Wed Oct 7 22:21:09 2020
From: sac at 300baud.de (Stefan Claas)
Date: Wed, 7 Oct 2020 22:21:09 +0200
Subject: Five volunteers needed (EU .... Are you sure that this is really advantageous?
In-Reply-To: <441282078.20201007211733@mail.riseup.net>
References: <20201007133304.00003f4d@300baud.de> <441282078.20201007211733@mail.riseup.net>
Message-ID: <20201007212011.000069f8@300baud.de>

MFPA wrote:

> Hi
>
>
> On Wednesday 7 October 2020 at 1:33:04 PM, in
> , Stefan Claas wrote:-
>
>
>
> > Later when Al Gore 'invented' the Internet
>
> I thought Tim Berners-Lee invented the internet in 1989.

He was the inventor of the World Wide Web. And I had put the
word invented in quotes.

Regards
Stefan

--
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems, we did not have without him.
From sac at 300baud.de Wed Oct 7 22:25:44 2020
From: sac at 300baud.de (Stefan Claas)
Date: Wed, 7 Oct 2020 22:25:44 +0200
Subject: Five volunteers needed (EU .... Are you sure that this is really advantageous?
In-Reply-To: <20201007212011.000069f8@300baud.de>
References: <20201007133304.00003f4d@300baud.de> <441282078.20201007211733@mail.riseup.net> <20201007212011.000069f8@300baud.de>
Message-ID: <20201007212544.00004d42@300baud.de>

Stefan Claas wrote:

> MFPA wrote:
>
> > Hi
> >
> >
> > On Wednesday 7 October 2020 at 1:33:04 PM, in
> > , Stefan Claas wrote:-
> >
> >
> >
> > > Later when Al Gore 'invented' the Internet
> >
> > I thought Tim Berners-Lee invented the internet in 1989.
>
> He was the inventor of the World Wide Web. And I had put the
> word invented in quotes.

Better should have said that Tim Berners-Lee was the inventor of the
World Wide Web ...

Regards
Stefan

--
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems, we did not have without him.

From sac at 300baud.de Thu Oct 8 00:27:24 2020
From: sac at 300baud.de (Stefan Claas)
Date: Thu, 8 Oct 2020 00:27:24 +0200
Subject: Five volunteers needed (EU .... Are you sure that this is really advantageous?
In-Reply-To: <20201007133304.00003f4d@300baud.de>
References: <20201007133304.00003f4d@300baud.de>
Message-ID: <20201007232724.0000683e@300baud.de>

Stefan Claas wrote:

[...]

> Well, first of all, we should ask ourselves why in the world do people get
> so many many services on the Internet for *free* ...? I think it has to do
> with the U.S. Supremacy & Leadership role. Normally when you or me would
> start a business you would need a lot of money, then secure your business,
> and finally charge users, so that you can make an income for you and your
> employees and cover the monthly network traffic/hardware/maintenance costs.

[...]

Regarding the Internet as of today and Al Gore's vision and the Internet
commerce etc.
I always wondered why it is not possible for me and probably many other
people to not get a *static* IPv6 address additionally when you sign up
as private individual at an ISP of your choice?

People could use as usual still common IPv4 for their regular surfing etc.
but had then the ability, with a static IPv6 address to run their own email
server and other services from home with a little Raspberry Pi etc.,
without purchasing a VPS plan, thus one would only need to register a
domain of choice and the records management could also be done a) with the
Domain Registrar or your local ISP, instead of the VPS hosting provider.

Interesting ... isn't it? (Or would that make too much work for TLAs to
conduct mass surveillance and what is the position of EU politician when
they speak about digitalization of the EU etc?

I ask this, because when one looks at Wikipedia:

https://en.wikipedia.org/wiki/IPv6

people may wonder why it takes sooooo loooong that every citizen on this
planet could get a static IPv6 address for *free* when they sign up for an
ISP of their choice.

Regards and good night,
Stefan

--
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems, we did not have without him.

From andrewg at andrewg.com Thu Oct 8 17:53:35 2020
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Thu, 8 Oct 2020 16:53:35 +0100
Subject: Five volunteers needed (EU .... Are you sure that this is really advantageous?
In-Reply-To: <20201007232724.0000683e@300baud.de>
References: <20201007133304.00003f4d@300baud.de> <20201007232724.0000683e@300baud.de>
Message-ID: <5f1ddd25-6bb3-b1ea-c5d1-9887a4fea78e@andrewg.com>

On 07/10/2020 23:27, Stefan Claas wrote:
> I always wondered why it is not possible for me and probably many other
> people to not get a *static* IPv6 address additionally when you sign up
> as private individual at an ISP of your choice?

There isn't much consumer demand for it (most people don't even know
what IPv6 is), so ISPs aren't going to spend time on it unless there's
something in it for them. Eventually yes, they'll have to move to IPv6
because the world will run out of IPv4 addresses, but while that event
is looming on the horizon there's no due date for it. Also, IPv6 is only
critical if you don't already own a huge block of IPv4 (which most
established ISPs do). And since they'll have to support IPv4
indefinitely so as not to cut off access to the millions of websites
that will never migrate to IPv6, they've probably calculated that NAT4
is sufficient.

My ISP does offer IPv6 though - just not on all of its network segments.
Yet.

--
Andrew Gallagher

From rjh at sixdemonbag.org Thu Oct 8 18:00:37 2020
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 8 Oct 2020 12:00:37 -0400
Subject: Five volunteers needed (EU .... Are you sure that this is really advantageous?
In-Reply-To: <5f1ddd25-6bb3-b1ea-c5d1-9887a4fea78e@andrewg.com>
References: <20201007133304.00003f4d@300baud.de> <20201007232724.0000683e@300baud.de> <5f1ddd25-6bb3-b1ea-c5d1-9887a4fea78e@andrewg.com>
Message-ID: <4a2f86a5-0577-4ff3-13e3-f1398ec68580@sixdemonbag.org>

> There isn't much consumer demand for it (most people don't even know
> what IPv6 is), so ISPs aren't going to spend time on it unless
> there's something in it for them.

Here in the United States, it is generally quite difficult for consumers
to get -anything- except the bog-standard that their ISP offers.
Doesn't matter what it is: if it's not part of the bog-standard
consumer-grade package your only recourse is to upgrade to a
commercial-grade package.

There are some exceptions to this rule, but by and large it holds true.

From sac at 300baud.de Thu Oct 8 18:16:37 2020
From: sac at 300baud.de (Stefan Claas)
Date: Thu, 8 Oct 2020 18:16:37 +0200
Subject: Five volunteers needed (EU .... Are you sure that this is really advantageous?
In-Reply-To: <5f1ddd25-6bb3-b1ea-c5d1-9887a4fea78e@andrewg.com>
References: <20201007133304.00003f4d@300baud.de> <20201007232724.0000683e@300baud.de> <5f1ddd25-6bb3-b1ea-c5d1-9887a4fea78e@andrewg.com>
Message-ID: <20201008171623.00004f79@300baud.de>

Andrew Gallagher wrote:

> On 07/10/2020 23:27, Stefan Claas wrote:
> > I always wondered why it is not possible for me and probably many other
> > people to not get a *static* IPv6 address additionally when you sign up
> > as private individual at an ISP of your choice?
>
> There isn't much consumer demand for it (most people don't even know
> what IPv6 is), so ISPs aren't going to spend time on it unless there's
> something in it for them. Eventually yes, they'll have to move to IPv6
> because the world will run out of IPv4 addresses, but while that event
> is looming on the horizon there's no due date for it. Also, IPv6 is only
> critical if you don't already own a huge block of IPv4 (which most
> established ISPs do). And since they'll have to support IPv4
> indefinitely so as not to cut off access to the millions of websites
> that will never migrate to IPv6, they've probably calculated that NAT4
> is sufficient.
>
> My ISP does offer IPv6 though - just not on all of its network segments.
> Yet.

Mine offers this only for business customers, same with others in Germany.
Technically there should be no differences made between businesses
and private individuals IMHO, because there is no shortage of them.

Regards
Stefan

--
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems, we did not have without him.

From azbigdogs at gmx.com Thu Oct 8 23:00:20 2020
From: azbigdogs at gmx.com (Mark)
Date: Thu, 8 Oct 2020 14:00:20 -0700
Subject: Five volunteers needed (EU .... Are you sure that this is really advantageous?
In-Reply-To: <4a2f86a5-0577-4ff3-13e3-f1398ec68580@sixdemonbag.org>
References: <20201007133304.00003f4d@300baud.de> <20201007232724.0000683e@300baud.de> <5f1ddd25-6bb3-b1ea-c5d1-9887a4fea78e@andrewg.com> <4a2f86a5-0577-4ff3-13e3-f1398ec68580@sixdemonbag.org>
Message-ID:

Back in the old days of the internet there was an ISP called Primenet (no
longer around) that did give static IPs. I had one at that time. Nowadays
it seems like only possible with business accounts at least with Cox,
those are 2-3x the cost of residential ones. So unless you want to spend
the coin you are stuck with the dynamic IPv4 and IPv6 addresses.

On 10/8/2020 9:00 AM, Robert J. Hansen via Gnupg-users wrote:
>> There isn't much consumer demand for it (most people don't even know
>> what IPv6 is), so ISPs aren't going to spend time on it unless
>> there's something in it for them.
> Here in the United States, it is generally quite difficult for consumers
> to get -anything- except the bog-standard that their ISP offers.
> Doesn't matter what it is: if it's not part of the bog-standard
> consumer-grade package your only recourse is to upgrade to a
> commercial-grade package.
>
> There are some exceptions to this rule, but by and large it holds true.
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

--
PGP Key Upon Request

From angel at pgp.16bits.net Fri Oct 9 01:04:44 2020
From: angel at pgp.16bits.net (Ángel)
Date: Fri, 09 Oct 2020 01:04:44 +0200
Subject: Five volunteers needed (EU .... Are you sure that this is really advantageous?
In-Reply-To: <20201006113425.00007f72@300baud.de>
References: <20201006113425.00007f72@300baud.de>
Message-ID: <86788f713f0742f5a20adef5d96e0760710766d0.camel@16bits.net>

On 2020-10-06 at 12:34 +0200, Stefan Claas wrote:
> Mark Fernandes wrote:
>
> Hello Mark,
>
> [...]
>
> > Hello Stefan. Forgive my ignorance, but I'm failing to see the
> > significant benefit of such a method. Is what you are proposing
> > similar to sending an encrypted message on CD via the post, that the
> > recipient then gets decrypted using the public key published on the
> > internet?
>
> Yes, it is the same procedure, except that I used postcards.
>
> > I don't consider postal systems, even those in the EU, to be
> > generally secure or at least verifiable as being secure. Actually
> > worked for a Christmas stint at Royal Mail, helping out with the
> > extra mail --didn't convince me that mail was much secured. Postmen
> > can be blackmailed, bribed, or succumb to other methods of attack.
> > What's stopping someone working in the postal system from simply
> > corruptly sending data to outside the EU?
>
> I strongly doubt that *hard working* postmen will do this, because
> sooner or later this will be detected and investigated and it would
> cost postmen IMHO valuable time (which they probably don't have) to
> copy and send my mail to 3rd parties outside the EU. IIRC, postal
> services scan mail for the addresses, for automatic sorting machines,
> but I have never read that they also scan letter content within a
> letter or from postcards, which would violate the confidentiality of
> letters, guaranteed by laws, in Germany and elsewhere.
>
> And if you think, or someone else thinks that *hard working* postmen
> could be not trusted, how about all the roots working at email
> providers? I am more concerned nowadays (remember Edward Snowden
> handing over electronic documents from his employer to third
> parties) that people (maybe part-time or intern etc.) can hand over
> such data to 3rd parties outside the EU, much much easier and without
> being detected.

First of all, postcards are fine for a proof of concept. They are more
'fun' to send and receive. However, for a serious encrypted conversation
Alice and Bob should use enveloped mail. Using a postcard you have
pretty much weakened the letter confidentiality, imho. And if rather
than writing text you are sending some electronics, a QR, etc. you will
be attracting even more attention ("Hey, John, see this weird postcard
that is being sent").

The real contents themselves are encrypted, but they would typically
want to blend with other messages, not to stand out. The NFC tags are
out of the way, since they can easily be found amidst all the mail. A
more subtle approach would be to have their armored pgp message with
spaces inserted, then sent inside an envelope, so that even if looked
against the light it seemed like filled with "normal word".

To consider postmen harder to bribe seems naive. Plus, there are many
hardworking sysadmins that would be offended by your words.

If you want to compare postal mail and electronic mail, you should focus
on the benefits of each medium. For example, a letter sent to its final
destination but not yet received could be read by the admin of the email
mailbox. A postman could not "recall" the letter from your mailbox to
read it after it has been delivered (or, if it is possible to extract a
delivered letter from your mailbox, that's possible not only for your
postman but also for your neighbours). Once you pick your physical mail,
it's no longer in the mailbox.
Nowadays, most people keep a copy of their emails stored on their
providers' mailbox.

Most postmen will never open your mail to read it, nor will they
maliciously hand it over to a third party. However, if you were framed.
Maybe you were considered a person of interest by a Government, or a
competitor wanted to spy your mail (even though it'd be illegal), that
would not be complex. If they managed to bribe the postman that delivers
your mail would simply keep mail directed to you on their bag. Then they
would hand it out to their spymaster (or process it themselves on
reaching home), and actually deliver it the next day.¹ That would
require them some effort. But whoever is paying the bribe should offer
one that compensates for that.

Remember that while you may encrypt and sign the message to ensure
confidentiality and integrity, the postmen control the medium, and thus
availability. You might want to send a canary token encoded in a QR and
see if anyone triggers that. Postmen are not expected and should not
scan or read it, just as the NSA is full of professional people that
should not peek into content unrelated to their assigned work, yet might
end up sharing your nude photos with their colleagues.²

(using a QR would have the interesting issue that I think some postal
systems do use a QR internally to encode the addressing, so could a
user-level message QR be confused -and thus scanned- with a
transport-level QR?)

As a coded letter is likely to bring attention to it (few people if any
send encrypted messages that way), they would ideally hide it into
something less conspicuous. They could use invisible ink over a
normal-looking text or, a pretty clever way to sneak your QR would be to
provide an ad of the products from a company, with the real data hidden
on different QR attached to the magazine.

¹ A postcard would be even simpler, just the time of taking a smartphone
picture and send to their contact.
² https://www.huffpost.com/entry/nsa-nude-photos_n_5597472

Best

From sac at 300baud.de Fri Oct 9 03:41:08 2020
From: sac at 300baud.de (Stefan Claas)
Date: Fri, 9 Oct 2020 03:41:08 +0200
Subject: Five volunteers needed (EU .... Are you sure that this is really advantageous?
In-Reply-To: <86788f713f0742f5a20adef5d96e0760710766d0.camel@16bits.net>
References: <20201006113425.00007f72@300baud.de> <86788f713f0742f5a20adef5d96e0760710766d0.camel@16bits.net>
Message-ID: <20201009024108.00007f6a@300baud.de>

Ángel wrote:

[...]

Apologies for not quoting your message content and deleting it.

We all can probably discuss many more things about postal mail versus
email, postman, Internet etc. and what not. For me the Internet spans,
as a closed net/mesh, around the globe and therefore I do not see it
as decentralized places, which can, as we know, technically remotely
easier be digitally controlled than decentralized analog postal
systems, which can function independently when delivery in each
country is mostly done within its borders, while the nature of the
Internet has no borders.

Since I have started the thread publicly to let GnuPG users know
other communication forms and which can be read everywhere,
without access restrictions, it will be interesting to see if all
postcards will arrive ... ;-)

Regards
Stefan

--
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems, we did not have without him.

From includestdioh at secmail.pro Sat Oct 10 11:32:43 2020
From: includestdioh at secmail.pro (Dieter Frye)
Date: Sat, 10 Oct 2020 02:32:43 -0700
Subject: Why is Blowfish's key size limited to 128 bits in RFC 4880?
Message-ID: <6f31242e21d5fa5b94e9eb6ca4fcd717.squirrel@giyzk7o6dcunb2ry.onion>

What's the rationale behind not going full 448 or at least 256 like AES
and Twofish?

Best regards.

From rjh at sixdemonbag.org Sat Oct 10 11:42:17 2020
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 10 Oct 2020 05:42:17 -0400
Subject: Why is Blowfish's key size limited to 128 bits in RFC 4880?
In-Reply-To: <6f31242e21d5fa5b94e9eb6ca4fcd717.squirrel@giyzk7o6dcunb2ry.onion>
References: <6f31242e21d5fa5b94e9eb6ca4fcd717.squirrel@giyzk7o6dcunb2ry.onion>
Message-ID: <6c265970-b0c7-3408-690e-2d93d7be7a10@sixdemonbag.org>

> What's the rationale behind not going full 448 or at least 256 like
> AES and Twofish?

Age. At the time Blowfish was adopted there were literally no 256-bit
ciphers in the RFC2440 suite. Symmetric ciphers were all 128-bit
(except arguably for 3DES, where the size is wonky[*]). The first
256-bit cipher to be added was Twofish in mid-2000 in PGP 7, followed
soon by AES in PGP 7.1.


[*] 3DES can credibly be claimed to have a 192-bit key, a 168-bit key,
or a 112-bit key, depending on how the speaker defines "key".

From includestdioh at secmail.pro Sat Oct 10 11:56:02 2020
From: includestdioh at secmail.pro (Dieter Frye)
Date: Sat, 10 Oct 2020 02:56:02 -0700
Subject: On Becky! Internet Mail's GnuPG Plugin
In-Reply-To: <20201003153920.00004ca3@300baud.de>
References: <20201003153920.00004ca3@300baud.de>
Message-ID: <6147f3d1b6da7c2e913e2c21e108d1f2.squirrel@giyzk7o6dcunb2ry.onion>

> Dieter Frye wrote:
>
>> Currently I use another free, anonymous e-mail service called TorBox which
>> does have SMTP/POP3 support for everyday communications, though that's
>> only viable for people operating within the TOR network as it's got no
>> clearweb support unlike secmail itself, which at the end of the day is
>> kind of a useless thing anyways given it's blacklisted status (and that
>> completely without justification) among most every big and small e-mail
>> provider out there.
>
> One more question, if you don't mind.
>
> Is this the proper URL for Torbox?
>
> https://torbox36ijlcevujx7mjb4oiusvwgvmue7jfn2cvutwa6kl6to3uyqad.onion
>
> If yes, is the operator aware that there are at least three more clear net
> Torbox services running, each under a different TLD?
>
> https://torbox36ijlcevujx7mjb4oiusvwgvmue7jfn2cvutwa6kl6to3uyqad.onion.ws/
> https://torbox36ijlcevujx7mjb4oiusvwgvmue7jfn2cvutwa6kl6to3uyqad.onion.pet/
> https://torbox36ijlcevujx7mjb4oiusvwgvmue7jfn2cvutwa6kl6to3uyqad.onion.sh/
>
> Because I have never seen .onion service operators doing this.
>
> Regards
> Stefan

Sorry about the delay; I've been experiencing some serious connectivity
issues that are yet to be fully resolved, and sure, love talking online,
which I rarely get to do anymore.

Unfortunately I can't check out those URLs right now because of the
aforementioned problem, but I myself am using torbox3uiot6wchz.onion for
both pop3 and smtp if you need to know.

Best regards.

From includestdioh at secmail.pro Sat Oct 10 12:00:56 2020
From: includestdioh at secmail.pro (Dieter Frye)
Date: Sat, 10 Oct 2020 03:00:56 -0700
Subject: Why is Blowfish's key size limited to 128 bits in RFC 4880?
In-Reply-To: <6c265970-b0c7-3408-690e-2d93d7be7a10@sixdemonbag.org>
References: <6f31242e21d5fa5b94e9eb6ca4fcd717.squirrel@giyzk7o6dcunb2ry.onion> <6c265970-b0c7-3408-690e-2d93d7be7a10@sixdemonbag.org>
Message-ID: <3cadd1a47d1f4b7f289ae43b6ffeaea6.squirrel@giyzk7o6dcunb2ry.onion>

>> What's the rationale behind not going full 448 or at least 256 like
>> AES and Twofish?
>
> Age. At the time Blowfish was adopted there were literally no 256-bit
> ciphers in the RFC2440 suite. Symmetric ciphers were all 128-bit
> (except arguably for 3DES, where the size is wonky[*]). The first
> 256-bit cipher to be added was Twofish in mid-2000 in PGP 7, followed
> soon by AES in PGP 7.1.
>
>
> [*] 3DES can credibly be claimed to have a 192-bit key, a 168-bit key,
> or a 112-bit key, depending on how the speaker defines "key".

Thanks, I appreciate the quick response.

I've been using Blowfish on older machines for years now without issue and
I always wondered if this is one of those things that could possibly
benefit from an update.

Best regards.

From sac at 300baud.de Sat Oct 10 12:25:48 2020
From: sac at 300baud.de (Stefan Claas)
Date: Sat, 10 Oct 2020 12:25:48 +0200
Subject: On Becky! Internet Mail's GnuPG Plugin
In-Reply-To: <6147f3d1b6da7c2e913e2c21e108d1f2.squirrel@giyzk7o6dcunb2ry.onion>
References: <20201003153920.00004ca3@300baud.de> <6147f3d1b6da7c2e913e2c21e108d1f2.squirrel@giyzk7o6dcunb2ry.onion>
Message-ID: <20201010112548.0000321e@300baud.de>

Dieter Frye wrote:

[...]

> Sorry about the delay; I've been experiencing some serious connectivity
> issues that are yet to be fully resolved, and sure, love talking online,
> which I rarely get to do anymore.

No problem and I hope you can fix your connectivity issues.

> Unfortunately I can't check out those URLs right now because of the
> aforementioned problem, but I myself am using torbox3uiot6wchz.onion for
> both pop3 and smtp if you need to know.

Thanks for the URL, but unfortunately the connection times out. :-(

Best regards
Stefan

--
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems, we did not have without him.

From sac at 300baud.de Sat Oct 10 15:57:39 2020
From: sac at 300baud.de (Stefan Claas)
Date: Sat, 10 Oct 2020 15:57:39 +0200
Subject: Five volunteers needed (EU .... Are you sure that this is really advantageous?
In-Reply-To: <20201009024108.00007f6a@300baud.de>
References: <20201006113425.00007f72@300baud.de> <86788f713f0742f5a20adef5d96e0760710766d0.camel@16bits.net> <20201009024108.00007f6a@300baud.de>
Message-ID: <20201010145739.0000453d@300baud.de>

Stefan Claas wrote:

> Since I have started the thread publicly to let GnuPG users know
> other communication forms and which can be read everywhere,
> without access restrictions, it will be interesting to see if all
> postcards will arrive ... ;-)

Update.

I received feedback from (not all*) participants and they had no
problems to read the NFC tags, with smart phones or an external
reader, so they were in proper condition, as expected. As of my
understanding, iOS users will probably need iOS 14 in order to
read NFC tags natively, while iOS 13 users and below most likely
need an NFC app from the AppStore. Regarding Android, reports
were also good and people used apps from their store(s).

*since I have not stored the email conversations, as I wrote in
my initial posting, I can not ask if they had success or not,
because I don't remember their email addresses.

Regards
Stefan

--
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems, we did not have without him.

From guru at unixarea.de Sat Oct 10 19:40:57 2020
From: guru at unixarea.de (Matthias Apitz)
Date: Sat, 10 Oct 2020 19:40:57 +0200
Subject: Five volunteers needed (EU .... Are you sure that this is really advantageous?
In-Reply-To: <20201010145739.0000453d@300baud.de>
References: <20201006113425.00007f72@300baud.de> <86788f713f0742f5a20adef5d96e0760710766d0.camel@16bits.net> <20201009024108.00007f6a@300baud.de> <20201010145739.0000453d@300baud.de>
Message-ID: <20201010174057.GB10695@r314251-amd64>

On Saturday, October 10, 2020 at 03:57:39 p.m. +0200, Stefan Claas wrote:

> Stefan Claas wrote:
>
> > Since I have started the thread publicly to let GnuPG users know
> > other communication forms and which can be read everywhere,
> > without access restrictions, it will be interesting to see if all
> > postcards will arrive ... ;-)
>
> Update.
>
> I received feedback from (not all*) participants and they had no
> problems to read the NFC tags, with smart phones or an external
> reader, so they were in proper condition, as expected. As of my
> understanding, iOS users will probably need iOS 14 in order to
> read NFC tags natively, while iOS 13 users and below most likely
> need an NFC app from the AppStore. Regarding Android, reports
> were also good and people used apps from their store(s).

As one of the testers: Using an iOS system is not a real world option for me
because the iOS can execute commands stored on the NFC tag and getting a
plain file out of the tag over to some UNIX laptop is tricky. A real
world option for me would only be a Linux based mobile, like the UBports.com
ones or a Purism L5, both have no NFC hardware at the moment and would
need an additional reader gadget.

matthias

--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
Without books no knowledge - without knowledge no communism (Vladimir Ilyich Lenin)

From sac at 300baud.de Sat Oct 10 21:04:18 2020
From: sac at 300baud.de (Stefan Claas)
Date: Sat, 10 Oct 2020 21:04:18 +0200
Subject: Five volunteers needed (EU .... Are you sure that this is really advantageous?
In-Reply-To: <20201010174057.GB10695@r314251-amd64>
References: <20201006113425.00007f72@300baud.de> <86788f713f0742f5a20adef5d96e0760710766d0.camel@16bits.net> <20201009024108.00007f6a@300baud.de> <20201010145739.0000453d@300baud.de> <20201010174057.GB10695@r314251-amd64>
Message-ID: <20201010200418.00006902@300baud.de>

Matthias Apitz wrote:

> On Saturday, October 10, 2020 at 03:57:39 p.m. +0200, Stefan Claas wrote:
>
> > Stefan Claas wrote:
> >
> > > Since I have started the thread publicly to let GnuPG users know
> > > other communication forms and which can be read everywhere,
> > > without access restrictions, it will be interesting to see if all
> > > postcards will arrive ... ;-)
> >
> > Update.
> >
> > I received feedback from (not all*) participants and they had no
> > problems to read the NFC tags, with smart phones or an external
> > reader, so they were in proper condition, as expected. As of my
> > understanding, iOS users will probably need iOS 14 in order to
> > read NFC tags natively, while iOS 13 users and below most likely
> > need an NFC app from the AppStore. Regarding Android, reports
> > were also good and people used apps from their store(s).
>
> As one of the testers: Using an iOS system is not a real world option for me
> because the iOS can execute commands stored on the NFC tag and getting a
> plain file out of the tag over to some UNIX laptop is tricky. A real
> world option for me would only be a Linux based mobile, like the UBports.com
> ones or a Purism L5, both have no NFC hardware at the moment and would
> need an additional reader gadget.

Thanks for pointing this out. Could you elaborate a bit on how this works?

I ask because a standard tag I used stores only roughly 800 bytes. In
case raw binary data would be stored instead of links, for example, how
does iOS automatically execute this data, once the tag is noticed by the
iOS device?

Regards
Stefan

--
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems, we did not have without him.

From sac at 300baud.de Sun Oct 11 02:40:28 2020
From: sac at 300baud.de (Stefan Claas)
Date: Sun, 11 Oct 2020 02:40:28 +0200
Subject: Show that an encrypted message was signed, without decrypting it
Message-ID: <20201011014028.000020c0@300baud.de>

Hi Werner and all,

I was reading old GnuPG threads where people were asking if it's
possible to extract a signature from an encrypted message.

I would like to ask, I don't know if this is already possible or
if it's planned, if Alice would request from Bob that he always
signs his messages and Bob, lazy as he is, often forgets this,
can Alice check if Bob's encrypted message(s) have signed byte(s)
set, without actually decrypting or revealing Bob's identity?

If the encrypted messages would not be signed then Alice can
simply discard the message(s).

And is this optional in GnuPG, in case it is already implemented?

Regards
Stefan

--
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems, we did not have without him.

From john+gnupg-users at zlima12.com Sun Oct 11 04:12:11 2020
From: john+gnupg-users at zlima12.com (John A. Leuenhagen)
Date: Sat, 10 Oct 2020 22:12:11 -0400
Subject: Five volunteers needed (EU .... Are you sure that this is really advantageous?
In-Reply-To: <20201007232724.0000683e@300baud.de>
References: <20201007133304.00003f4d@300baud.de> <20201007232724.0000683e@300baud.de>
Message-ID: <20201011021211.kl64dpoph53jykeq@Lima-X2>

On Thu, Oct 08, 2020 at 12:27:24AM +0200, Stefan Claas wrote:
> Regarding the Internet as of today and Al Gore's vision and the Internet
> commerce etc.
>
> I always wondered why it is not possible for me and probably many other
> people to not get a *static* IPv6 address additionally when you sign up
> as private individual at an ISP of your choice?
>
> People could use as usual still common IPv4 for their regular surfing etc.
> but had then the ability, with a static IPv6 address to run their own
> email server and other services from home with a little Raspberry Pi etc.,
> without purchasing a VPS plan, thus one would only need to register a
> domain of choice and the records management could also be done a) with
> the Domain Registrar or your local ISP, instead of the VPS hosting provider.

Certainly it would be preferable to have a static IPv6 address for that
sort of thing, but it's still quite simple to run services from home by
using dynamic DNS. I'm able to have ddclient run on my router, which
will inform my DNS provider (Cloudflare) of any changes to my dynamic
IPv4 address. Sure, during the occasional change to my address, my
services might go down for a minute or two. For me at least, that's not
the end of the world.

From sac at 300baud.de Sun Oct 11 09:48:37 2020
From: sac at 300baud.de (Stefan Claas)
Date: Sun, 11 Oct 2020 09:48:37 +0200
Subject: Five volunteers needed (EU .... Are you sure that this is really advantageous?
In-Reply-To: <20201011021211.kl64dpoph53jykeq@Lima-X2>
References: <20201007133304.00003f4d@300baud.de> <20201007232724.0000683e@300baud.de> <20201011021211.kl64dpoph53jykeq@Lima-X2>
Message-ID: <20201011084837.00005ee4@300baud.de>

John A. Leuenhagen via Gnupg-users wrote:

> On Thu, Oct 08, 2020 at 12:27:24AM +0200, Stefan Claas wrote:
> > Regarding the Internet as of today and Al Gore's vision and the Internet
> > commerce etc.
> >
> > I always wondered why it is not possible for me and probably many other
> > people to not get a *static* IPv6 address additionally when you sign up
> > as private individual at an ISP of your choice?
> >
> > People could use as usual still common IPv4 for their regular surfing etc.
> > but had then the ability, with a static IPv6 address to run their own
> > email server and other services from home with a little Raspberry Pi etc.,
> > without purchasing a VPS plan, thus one would only need to register a
> > domain of choice and the records management could also be done a) with
> > the Domain Registrar or your local ISP, instead of the VPS hosting provider.
>
> Certainly it would be preferable to have a static IPv6 address for that
> sort of thing, but it's still quite simple to run services from home by
> using dynamic DNS. I'm able to have ddclient run on my router, which
> will inform my DNS provider (Cloudflare) of any changes to my dynamic
> IPv4 address. Sure, during the occasional change to my address, my
> services might go down for a minute or two. For me at least, that's not
> the end of the world.

Well, yes and no. I ran many years ago with a dynamic IP address services
too and had a domain with no-ip.com. But nowadays if you like to run a mail
server you will need a static IP address, because if it would be dynamic
you are considered as spammer, due to black listing of dynamic IP address
ranges.

Regards
Stefan

--
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems, we did not have without him.

From john+gnupg-users at zlima12.com Sun Oct 11 09:56:08 2020
From: john+gnupg-users at zlima12.com (John A. Leuenhagen)
Date: Sun, 11 Oct 2020 03:56:08 -0400
Subject: Five volunteers needed (EU .... Are you sure that this is really advantageous?
In-Reply-To: <20201011084837.00005ee4@300baud.de>
References: <20201007133304.00003f4d@300baud.de> <20201007232724.0000683e@300baud.de> <20201011021211.kl64dpoph53jykeq@Lima-X2> <20201011084837.00005ee4@300baud.de>
Message-ID: <20201011075608.sbp7qccfdmp2k67q@Lima-X2>

On Sun, Oct 11, 2020 at 09:48:37AM +0200, Stefan Claas wrote:
> John A. Leuenhagen via Gnupg-users wrote:
>
> > On Thu, Oct 08, 2020 at 12:27:24AM +0200, Stefan Claas wrote:
> > > Regarding the Internet as of today and Al Gore's vision and the Internet
> > > commerce etc.
> > >
> > > I always wondered why it is not possible for me and probably many other
> > > people to not get a *static* IPv6 address additionally when you sign up
> > > as private individual at an ISP of your choice?
> > >
> > > People could use as usual still common IPv4 for their regular surfing etc.
> > > but had then the ability, with a static IPv6 address to run their own
> > > email server and other services from home with a little Raspberry Pi etc.,
> > > without purchasing a VPS plan, thus one would only need to register a
> > > domain of choice and the records management could also be done a) with
> > > the Domain Registrar or your local ISP, instead of the VPS hosting provider.
> >
> > Certainly it would be preferable to have a static IPv6 address for that
> > sort of thing, but it's still quite simple to run services from home by
> > using dynamic DNS. I'm able to have ddclient run on my router, which
> > will inform my DNS provider (Cloudflare) of any changes to my dynamic
> > IPv4 address. Sure, during the occasional change to my address, my
> > services might go down for a minute or two. For me at least, that's not
> > the end of the world.
>
> Well, yes and no. I ran many years ago with a dynamic IP address services
> too and had a domain with no-ip.com. But nowadays if you like to run a mail
> server you will need a static IP address, because if it would be dynamic
> you are considered as spammer, due to black listing of dynamic IP address
> ranges.

That is true, you definitely need a static IP address to run a mail
server. For many other things though, I've managed to get by with a
dynamic address.
From v_a-brxx.throttle at xoxy.net Sun Oct 11 05:27:43 2020 From: v_a-brxx.throttle at xoxy.net (Helmut Waitzmann Anti-Spam-Ticket.b.qc3c) Date: Sun, 11 Oct 2020 05:27:43 +0200 Subject: Show that an encrypted message was signed, without decrypting it In-Reply-To: <20201011014028.000020c0@300baud.de> (Stefan Claas's message of "Sun, 11 Oct 2020 02:40:28 +0200") References: <20201011014028.000020c0@300baud.de> Message-ID: <83o8l9wifk.fsf@helmutwaitzmann.news.arcor.de> Stefan Claas : >I was reading old GnuPG threads where people were asking if it's >possible to extract a signature from an encrypted message. > >I would like to ask, I don't know if this is already possible or >if it's planned, if Alice would request from Bob that he always >signs his messages and Bob, lazy as he is, often forgets this, >can Alice check if Bob's encrypted message(s) have signed byte(s) >set, without actually decrypting or revealing Bob's identity? As far as I know this is impossible, because messages are first signed and then encrypted, i.e. the signature is encrypted, too. Therefore there is no access to the signature unless the message is decrypted. >If the encrypted messages would not be signed then Alice can >simply discard the message(s). Yes, but why should she want to be able to do that? She could decrypt the message and, if it turns out that the message is not signed, discard the message. >And is this optional in GnuPG, in case it is already implemented? As far as I know the order "first sign, then encrypt" is mandatory, so there is no way for GnuPG to deviate from it. And this is a good thing, as it thwarts Eve eavesdropping on the originator's identity (i.e. Bob) of a message sent to Alice. Helmut
From sac at 300baud.de Sun Oct 11 09:59:12 2020 From: sac at 300baud.de (Stefan Claas) Date: Sun, 11 Oct 2020 09:59:12 +0200 Subject: Show that an encrypted message was signed, without decrypting it In-Reply-To: <83o8l9wifk.fsf@helmutwaitzmann.news.arcor.de> References: <20201011014028.000020c0@300baud.de> <83o8l9wifk.fsf@helmutwaitzmann.news.arcor.de> Message-ID: <20201011085813.00007638@300baud.de> Helmut Waitzmann Anti-Spam-Ticket.b.qc3c wrote: > Stefan Claas : > > >I was reading old GnuPG threads where people were asking if it's > >possible to extract a signature from an encrypted message. > > > >I would like to ask, I don't know if this is already possible or > >if it's planned, if Alice would request from Bob that he always > >signs his messages and Bob, lazy as he is, often forgets this, > >can Alice check if Bob's encrypted message(s) have signed byte(s) > >set, without actually decrypting or revealing Bob's identity? > > As far as I know this is impossible, because messages are first > signed and then encrypted, i.e. the signature is encrypted, > too. Therefore there is no access to the signature unless the > message is decrypted. > > >If the encrypted messages would not be signed then Alice can > >simply discard the message(s). > > Yes, but why should she want to be able to do that? She could > decrypt the message and, if it turns out that the message is not > signed, discard the message. It would allow Alice (in her organization), or others, to do a pre-check, with procmail etc., to set-up an auto-responder, informing Bob that he did not sign his message and that his message will be discarded. > >And is this optional in GnuPG, in case it is already implemented? > > > As far as I know the order "first sign, then encrypt" is > mandatory, so there is no way for GnuPG to deviate from it.
> > And this is a good thing, as it thwarts Eve eavesdropping on the > originator's identity (i.e. Bob) of a message sent to Alice. It should be not a mandatory feature and it should only append secured bytes, which are stating that Bob's message contains a signature (yes|no bytes), without revealing his identity. Assuming the would technically possible. Regards Stefan -- NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675 The computer helps us to solve problems, we did not have without him. From tlikonen at iki.fi Sun Oct 11 11:02:00 2020 From: tlikonen at iki.fi (Teemu Likonen) Date: Sun, 11 Oct 2020 12:02:00 +0300 Subject: Show that an encrypted message was signed, without decrypting it In-Reply-To: <20201011014028.000020c0@300baud.de> References: <20201011014028.000020c0@300baud.de> Message-ID: <875z7h3zlj.fsf@iki.fi> * 2020-10-11 02:40:28+02, Stefan Claas wrote: > I was reading old GnuPG threads where people were asking if it's > possible to extract a signature from an encrypted message. It seems that there is a visible signature packet in encrypted and signed messages. See the output of this command: echo message | gpg --encrypt --sign --default-recipient-self | \ gpg --list-packets -- /// Teemu Likonen - .-.. http://www.iki.fi/tlikonen/ // OpenPGP: 4E1055DC84E9DFF613D78557719D69D324539450 From guru at unixarea.de Sun Oct 11 15:08:21 2020 From: guru at unixarea.de (Matthias Apitz) Date: Sun, 11 Oct 2020 15:08:21 +0200 Subject: Five volunteers needed (EU .... Are you sure that this is really advantageous?
In-Reply-To: <20201010200418.00006902@300baud.de> References: <20201006113425.00007f72@300baud.de> <86788f713f0742f5a20adef5d96e0760710766d0.camel@16bits.net> <20201009024108.00007f6a@300baud.de> <20201010145739.0000453d@300baud.de> <20201010174057.GB10695@r314251-amd64> <20201010200418.00006902@300baud.de> Message-ID: <20201011130821.GA13489@r314251-amd64> On Saturday, October 10, 2020 at 09:04:18 p.m. +0200, Stefan Claas wrote: > > As one of the testers: Using an iOS system is not a real world option for me > > because the iOS can execute commands stored on the NFC tag and getting a > > plain file out of the tag over to some UNIX laptop is tricky. A real > > world option for me would only be a Linux based mobile, like the UBports.com > > ones or a Purism L5, both have no NFC hardware at the moment and would > > need an additional reader gadget. > > Thanks for pointing this out. Could you elaborate a bit on how this works? I haven't tested it, but it is widely known, for example: https://gototags.com/blog/understanding-nfc-shortcuts-iphone matthias -- Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045 Public GnuPG key: http://www.unixarea.de/key.pub Without books no knowledge - without knowledge no communism (Vladimir Ilyich Lenin) Sin libros no hay saber - sin saber no hay comunismo. (Vladimir Ilich Lenin) From sac at 300baud.de Sun Oct 11 15:55:25 2020 From: sac at 300baud.de (Stefan Claas) Date: Sun, 11 Oct 2020 15:55:25 +0200 Subject: Five volunteers needed (EU .... Are you sure that this is really advantageous?
In-Reply-To: <20201011130821.GA13489@r314251-amd64> References: <20201006113425.00007f72@300baud.de> <86788f713f0742f5a20adef5d96e0760710766d0.camel@16bits.net> <20201009024108.00007f6a@300baud.de> <20201010145739.0000453d@300baud.de> <20201010174057.GB10695@r314251-amd64> <20201010200418.00006902@300baud.de> <20201011130821.GA13489@r314251-amd64> Message-ID: <20201011145525.00004588@300baud.de> Matthias Apitz wrote: > On Saturday, October 10, 2020 at 09:04:18 p.m. +0200, Stefan Claas wrote: > > > > As one of the testers: Using an iOS system is not a real world option for me > > > because the iOS can execute commands stored on the NFC tag and getting a > > > plain file out of the tag over to some UNIX laptop is tricky. A real > > > world option for me would only be a Linux based mobile, like the UBports.com > > > ones or a Purism L5, both have no NFC hardware at the moment and would > > > need an additional reader gadget. > > > > Thanks for pointing this out. Could you elaborate a bit on how this works? > > I haven't tested it, but it is widely known, for example: > > https://gototags.com/blog/understanding-nfc-shortcuts-iphone Thanks, nice way to automate things with iOS. Regards Stefan -- NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675 The computer helps us to solve problems, we did not have without him.
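On the "Show that an encrypted message was signed, without decrypting it" thread above: an added example, not part of any list post, of what a filter without the secret key can actually inspect, namely the outermost OpenPGP packet headers (RFC 4880, section 4.2). The function names and both sample byte strings are constructed for illustration; the packet bodies are filler, not real ciphertext or signatures.

```python
# Added example: walk the top-level OpenPGP packets of a binary message.
# A sign-then-encrypt message exposes only its session-key and encrypted-data
# packets; any signature sits inside the encrypted body and is not listed.

TAG_NAMES = {
    1: "Public-Key Encrypted Session Key",
    2: "Signature",
    4: "One-Pass Signature",
    8: "Compressed Data",
    11: "Literal Data",
    18: "Sym. Encrypted Integrity Protected Data",
}
SIGNATURE_TAGS = {2, 4}


def new_format_length(buf, i):
    """Decode one new-format length at buf[i] -> (length, next index, is_partial)."""
    first = buf[i]
    if first < 192:
        return first, i + 1, False
    if first < 224:
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2, False
    if first == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5, False
    return 1 << (first & 0x1F), i + 1, True      # partial body length chunk


def list_packets(buf):
    """Return [(tag, body_length), ...] for the outermost packets only."""
    packets, i = [], 0
    try:
        while i < len(buf):
            header = buf[i]
            i += 1
            if not header & 0x80:
                raise ValueError("bit 7 clear: not an OpenPGP packet header")
            if header & 0x40:                     # new-format header
                tag, total = header & 0x3F, 0
                while True:                       # follow partial-length chunks
                    length, i, partial = new_format_length(buf, i)
                    total += length
                    i += length
                    if not partial:
                        break
            else:                                 # old-format header
                tag, length_type = (header >> 2) & 0x0F, header & 0x03
                if length_type == 3:              # indeterminate: to end of input
                    total = len(buf) - i
                else:
                    size = 1 << length_type       # 1, 2 or 4 length octets
                    total = int.from_bytes(buf[i:i + size], "big")
                    i += size
                i += total
            if i > len(buf):
                raise ValueError("packet body runs past end of input")
            packets.append((tag, total))
    except IndexError:
        raise ValueError("truncated packet header") from None
    return packets


def signature_visible(buf):
    """True if a signature or one-pass-signature packet is visible at top level."""
    return any(tag in SIGNATURE_TAGS for tag, _ in list_packets(buf))


def describe(buf):
    """Human-readable names of the outermost packets."""
    return [TAG_NAMES.get(tag, "tag %d" % tag) for tag, _ in list_packets(buf)]


# Constructed sample: old-format PKESK (tag 1) followed by new-format SEIPD (tag 18).
ENCRYPTED = bytes([0x84, 12]) + bytes(12) + bytes([0xD2, 40]) + b"\x01" + bytes(39)

# Constructed sample: uncompressed signed message, not encrypted:
# one-pass signature (tag 4), literal data (tag 11), signature (tag 2).
SIGNED = (bytes([0x90, 13]) + bytes(13)
          + bytes([0xAC, 14]) + b"b\x00" + bytes(4) + b"message\n"
          + bytes([0x88, 20]) + bytes(20))

if __name__ == "__main__":
    print("encrypted:", describe(ENCRYPTED), "signature visible:", signature_visible(ENCRYPTED))
    print("signed:   ", describe(SIGNED), "signature visible:", signature_visible(SIGNED))
```

A mail filter built on this can tell that a message is encrypted, but an unsigned and a signed-then-encrypted message look the same to it.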
From sac at 300baud.de Sun Oct 11 17:09:23 2020 From: sac at 300baud.de (Stefan Claas) Date: Sun, 11 Oct 2020 17:09:23 +0200 Subject: Show that an encrypted message was signed, without decrypting it In-Reply-To: <20201011085813.00007638@300baud.de> References: <20201011014028.000020c0@300baud.de> <83o8l9wifk.fsf@helmutwaitzmann.news.arcor.de> <20201011085813.00007638@300baud.de> Message-ID: <20201011160923.00004f24@300baud.de> Stefan Claas wrote: > Helmut Waitzmann Anti-Spam-Ticket.b.qc3c wrote: > > > Stefan Claas : > > > > >I was reading old GnuPG threads where people were asking if it's > > >possible to extract a signature from an encrypted message. > > > > > >I would like to ask, I don't know if this is already possible or > > >if it's planned, if Alice would request from Bob that he always > > >signs his messages and Bob, lazy as he is, often forgets this, > > >can Alice check if Bob's encrypted message(s) have signed byte(s) > > >set, without actually decrypting or revealing Bob's identity? > > > > As far as I know this is impossible, because messages are first > > signed and then encrypted, i.e. the signature is encrypted, > > too. Therefore there is no access to the signature unless the > > message is decrypted. > > > > >If the encrypted messages would not be signed then Alice can > > >simply discard the message(s). > > > > Yes, but why should she want to be able to do that? She could > > decrypt the message and, if it turns out that the message is not > > signed, discard the message. > > It would allow Alice (in her organization), or others, to do a > pre-check, with procmail etc., to set-up an auto-responder, informing > Bob that he did not sign his message and that his message will be > discarded. > > > >And is this optional in GnuPG, in case it is already implemented? > > > > > > As far as I know the order "first sign, then encrypt" is > > mandatory, so there is no way for GnuPG to deviate from it.
> > > > And this is a good thing, as it thwarts Eve eavesdropping on the > > originator's identity (i.e. Bob) of a message sent to Alice. > > It should be not a mandatory feature and it should only append > secured bytes, which are stating that Bob's message contains a > signature (yes|no bytes), without revealing his identity. > Assuming the would technically possible. I think something along the lines like Zero Knowledge Proof Encryption. Regards Stefan -- NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675 The computer helps us to solve problems, we did not have without him. From guru at unixarea.de Sun Oct 11 17:34:30 2020 From: guru at unixarea.de (Matthias Apitz) Date: Sun, 11 Oct 2020 17:34:30 +0200 Subject: Five volunteers needed (EU .... Are you sure that this is really advantageous? In-Reply-To: <20201011145525.00004588@300baud.de> References: <20201006113425.00007f72@300baud.de> <86788f713f0742f5a20adef5d96e0760710766d0.camel@16bits.net> <20201009024108.00007f6a@300baud.de> <20201010145739.0000453d@300baud.de> <20201010174057.GB10695@r314251-amd64> <20201010200418.00006902@300baud.de> <20201011130821.GA13489@r314251-amd64> <20201011145525.00004588@300baud.de> Message-ID: <20201011153430.GA14081@r314251-amd64> On Sunday, October 11, 2020 at 03:55:25 p.m. +0200, Stefan Claas wrote: > > I haven't tested it, but it is widely known, for example: > > > > https://gototags.com/blog/understanding-nfc-shortcuts-iphone > > Thanks, nice way to automate things with iOS. Hmm, nice that others can rewrite your NFC tag (the UID matters) with bad shortcut commands, only having loosely access to a NFC tag you tabbed, for example, in your car. Maybe we have different opinions about 'nice'. matthias -- Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045 Public GnuPG key: http://www.unixarea.de/key.pub
Without books no knowledge - without knowledge no communism (Vladimir Ilyich Lenin) Sin libros no hay saber - sin saber no hay comunismo. (Vladimir Ilich Lenin) From sac at 300baud.de Sun Oct 11 17:41:38 2020 From: sac at 300baud.de (Stefan Claas) Date: Sun, 11 Oct 2020 17:41:38 +0200 Subject: Five volunteers needed (EU .... Are you sure that this is really advantageous? In-Reply-To: <20201011153430.GA14081@r314251-amd64> References: <20201006113425.00007f72@300baud.de> <86788f713f0742f5a20adef5d96e0760710766d0.camel@16bits.net> <20201009024108.00007f6a@300baud.de> <20201010145739.0000453d@300baud.de> <20201010174057.GB10695@r314251-amd64> <20201010200418.00006902@300baud.de> <20201011130821.GA13489@r314251-amd64> <20201011145525.00004588@300baud.de> <20201011153430.GA14081@r314251-amd64> Message-ID: <20201011164138.000020c1@300baud.de> Matthias Apitz wrote: > On Sunday, October 11, 2020 at 03:55:25 p.m. +0200, Stefan Claas wrote: > > > > I haven't tested it, but it is widely known, for example: > > > > > > https://gototags.com/blog/understanding-nfc-shortcuts-iphone > > > > Thanks, nice way to automate things with iOS. > > Hmm, nice that others can rewrite your NFC tag (the UID matters) with > bad shortcut commands, only having loosely access to a NFC tag you > tabbed, for example, in your car. Maybe we have different opinions about > 'nice'. I had not set a password, so that the recipients can play with it. With a password set the NFC tag can not be written to. Regards Stefan -- NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675 The computer helps us to solve problems, we did not have without him. From wk at gnupg.org Sun Oct 11 17:40:47 2020 From: wk at gnupg.org (Werner Koch) Date: Sun, 11 Oct 2020 17:40:47 +0200 Subject: Why is Blowfish's key size limited to 128 bits in RFC 4880?
In-Reply-To: <3cadd1a47d1f4b7f289ae43b6ffeaea6.squirrel@giyzk7o6dcunb2ry.onion> (Dieter Frye's message of "Sat, 10 Oct 2020 03:00:56 -0700") References: <6f31242e21d5fa5b94e9eb6ca4fcd717.squirrel@giyzk7o6dcunb2ry.onion> <6c265970-b0c7-3408-690e-2d93d7be7a10@sixdemonbag.org> <3cadd1a47d1f4b7f289ae43b6ffeaea6.squirrel@giyzk7o6dcunb2ry.onion> Message-ID: <87362kdb40.fsf@wheatstone.g10code.de> On Sat, 10 Oct 2020 03:00, Dieter Frye said: > I've been using Blowfish on older machines for years now without issue and > I always wondered if this is one of those things that could possibly > benefit from an update. Nope. I used Blowfish back then because it was the only free and modern algorithm. PGP didn't support it. Later, in 1998 we added Twofish and had to do a clean room implementation (kudos to Matthew Skala) because it was not clear whether the implementation was in the PD or compatible with the GPL. I asked Bruce Schneier during this period several times on whether he would suggest to use Twofish for OpenPGP and his answer depended a bit on his current mood. Anyway, all these cipher algorithm competition is moot since everyone has agreed to use AES; formerly known Rijndael which may have even been preferred over Twofish because of its non-US origin. Salam-Shalom, Werner -- Thoughts are free. Exceptions are regulated by a federal law. From neal at walfield.org Sun Oct 11 22:47:01 2020 From: neal at walfield.org (Neal H.
Walfield) Date: Sun, 11 Oct 2020 22:47:01 +0200 Subject: Show that an encrypted message was signed, without decrypting it In-Reply-To: <875z7h3zlj.fsf@iki.fi> References: <20201011014028.000020c0@300baud.de> <875z7h3zlj.fsf@iki.fi> Message-ID: <875z7g32yi.wl-neal@walfield.org> Hi Teemu, On Sun, 11 Oct 2020 11:02:00 +0200, Teemu Likonen wrote: > * 2020-10-11 02:40:28+02, Stefan Claas wrote: > > > I was reading old GnuPG threads where people were asking if it's > > possible to extract a signature from an encrypted message. > > It seems that there is a visible signature packet in encrypted and > signed messages. See the output of this command: > > echo message | gpg --encrypt --sign --default-recipient-self | \ > gpg --list-packets The signature information is normally (that is, when doing sign then encrypt) completely encapsulated by the encryption container. What I think you are seeing is gpg caching something. If you replace 'gpg --list-packets' with 'pgpdump', then you probably won't see any signature information. :) Neal From tlikonen at iki.fi Mon Oct 12 08:28:35 2020 From: tlikonen at iki.fi (Teemu Likonen) Date: Mon, 12 Oct 2020 09:28:35 +0300 Subject: Show that an encrypted message was signed, without decrypting it In-Reply-To: <875z7g32yi.wl-neal@walfield.org> References: <20201011014028.000020c0@300baud.de> <875z7h3zlj.fsf@iki.fi> <875z7g32yi.wl-neal@walfield.org> Message-ID: <87r1q45564.fsf@iki.fi> * 2020-10-11 22:47:01+02, Neal H. Walfield wrote: > On Sun, 11 Oct 2020 11:02:00 +0200, > Teemu Likonen wrote: >> It seems that there is a visible signature packet in encrypted and >> signed messages. See the output of this command: >> >> echo message | gpg --encrypt --sign --default-recipient-self | \ >> gpg --list-packets > > The signature information is normally (that is, when doing sign then > encrypt) completely encapsulated by the encryption container. What I > think you are seeing is gpg caching something.
If you replace 'gpg > --list-packets' with 'pgpdump', then you probably won't see any > signature information. Thank you. I was surprised to see all the packets listed with "gpg --list-packets" but trusted its output. It seems that my "gpg --list-packets" command (see above) decrypts the message using the cached secret key and then shows all the packets. As you said "pgpdump" doesn't show any signature information. There is just a public key encrypted session key packet and a symmetrically encrypted message packet. -- /// Teemu Likonen - .-.. http://www.iki.fi/tlikonen/ // OpenPGP: 4E1055DC84E9DFF613D78557719D69D324539450 From ryan at digicana.com Mon Oct 12 16:08:50 2020 From: ryan at digicana.com (Ryan McGinnis) Date: Mon, 12 Oct 2020 14:08:50 +0000 Subject: Five volunteers needed (EU .... Are you sure that this is really advantageous? In-Reply-To: <20201011075608.sbp7qccfdmp2k67q@Lima-X2> References: <20201007133304.00003f4d@300baud.de> <20201007232724.0000683e@300baud.de> <20201011021211.kl64dpoph53jykeq@Lima-X2> <20201011084837.00005ee4@300baud.de> <20201011075608.sbp7qccfdmp2k67q@Lima-X2> Message-ID: <044b023e-c7de-5bee-7567-cbfbcec284fe@digicana.com> Probably a bit outside the scope of the list, but in my experience most users underestimate the risks involved in running their own servers. Probably not anyone reading a GPG mailing list, but I only mention it because of the discussion of no-ip and DDNS stuff -- usually only tools used by non-commercial, non professional entities. I run into this a lot with people who buy cheap camera systems for their homes, put it on the same LAN as everything else in the house, open up port 80 right into their NVR, give the default NVR user an easy password, and then proceed to run that thing for years without ever patching the NVR server.
There are so many IP6 addresses available that everyone in the world could be given a trillion of them to use and it wouldn't make an appreciable dent in the total left available. I suspect in the future your NAT gateway will live in the cloud and every device will have its own static IP. On 10/11/20 2:56 AM, John A. Leuenhagen via Gnupg-users wrote: > On Sun, Oct 11, 2020 at 09:48:37AM +0200, Stefan Claas wrote: >> John A. Leuenhagen via Gnupg-users wrote: >> >>> On Thu, Oct 08, 2020 at 12:27:24AM +0200, Stefan Claas wrote: >>>> Regarding the Internet as of today and Al Gores vision and the Internet >>>> commerce etc. >>>> >>>> I always wondered why it is not possible for me and probably many other >>>> people to not get a *static* IPv6 address additionally when you sign up >>>> as private individual at an ISP of your choice? >>>> >>>> People could use as usual still common IPv4 for their regular surfing etc. >>>> but had then the ability, with a static IPv6 address to run their own >>>> email server and other services from home with a little Raspberry Pi etc., >>>> without purchasing a VPS plan, thus one would only need to register a >>>> domain of choice and the records management could also be done a) with >>>> the Domain Registrar or your local ISP, instead of the VPS hosting provider. >>> Certainly it would be preferable to have a static IPv6 address for that >>> sort of thing, but it's still quite simple to run services from home by >>> using dynamic DNS. I'm able to have ddclient run on my router, which >>> will inform my DNS provider (Cloudflare) of any changes to my dynamic >>> IPv4 address. Sure, during the occasional change to my address, my >>> services might go down for a minute or two. For me at least, that's not >>> the end of the world. >> Well, yes and no. I run many years ago with a dynamic IP address services >> too and had a domain with no-ip.com.
But nowadays if you like to run a mail >> server you will need a static IP address, because if it would be dynamic >> you are considered as spammer, due to black listing of dynamic IP address >> ranges. > That is true, you definitely need a static IP address to run a mail > server. For many other things though, I've managed to get by with a > dynamic address. -- -Ryan McGinnis http://bigstormpicture.com PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD From guru at unixarea.de Tue Oct 13 15:11:04 2020 From: guru at unixarea.de (Matthias Apitz) Date: Tue, 13 Oct 2020 15:11:04 +0200 Subject: binary distribution of GnuPG for SuSE Linux SLES 15 Message-ID: <20201013131104.GA3399@r314251-amd64> Hello, Is there any provider for a binary RPM for this OS: # cat /etc/os-release NAME="SLES" VERSION="15-SP1" VERSION_ID="15.1" PRETTY_NAME="SUSE Linux Enterprise Server 15 SP1" ID="sles" ID_LIKE="suse" ANSI_COLOR="0;32" CPE_NAME="cpe:/o:suse:sles:15:sp1" Or do we have to compile it from source? Thanks matthias -- Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045 Public GnuPG key: http://www.unixarea.de/key.pub Without books no knowledge - without knowledge no communism (Vladimir Ilyich Lenin) Sin libros no hay saber - sin saber no hay comunismo. (Vladimir Ilich Lenin) From includestdioh at secmail.pro Tue Oct 13 16:46:02 2020 From: includestdioh at secmail.pro (Dieter Frye) Date: Tue, 13 Oct 2020 07:46:02 -0700 Subject: Why is Blowfish's key size limited to 128 bits in RFC 4880?
In-Reply-To: <87362kdb40.fsf@wheatstone.g10code.de> References: <6f31242e21d5fa5b94e9eb6ca4fcd717.squirrel@giyzk7o6dcunb2ry.onion> <6c265970-b0c7-3408-690e-2d93d7be7a10@sixdemonbag.org> <3cadd1a47d1f4b7f289ae43b6ffeaea6.squirrel@giyzk7o6dcunb2ry.onion> <87362kdb40.fsf@wheatstone.g10code.de> Message-ID: <41c5db76f7c5fea59b2211ce655b4aec.squirrel@giyzk7o6dcunb2ry.onion> > On Sat, 10 Oct 2020 03:00, Dieter Frye said: > >> I've been using Blowfish on older machines for years now without issue >> and >> I always wondered if this is one of those things that could possibly >> benefit from an update. > > Nope. I used Blowfish back then because it was the only free and modern > algorithm. PGP didn't support it. Later, in 1998 we added Twofish and > had to do a clean room implementation (kudos to Matthew Skala) because > it was not clear whether the implementation was in the PD or compatible > with the GPL. I asked Bruce Schneier during this period several times > on whether he would suggest to use Twofish for OpenPGP and his answer > depended a bit on his current mood. > > Anyway, all these cipher algorithm competition is moot since everyone > has agreed to use AES; formerly known Rijndael which may have even been > preferred over Twofish because of its non-US origin. > > > Salam-Shalom, > > Werner > > -- > Thoughts are free. Exceptions are regulated by a federal law. > Interesting. My current understanding of the situation is that there are no known effective attacks against Blowfish so long as it's adequately implemented according to the suggested specifications and its relatively limited block size accounted for, and I naturally tend to gravitate towards tested-and-tried, reliable things with a more or less impeccable record.
Now if any of this remains true today, I cannot tell (I did the research a number of years ago so it's possible something changed along the way), but even if not, it would still make sense to me to allow for greater (or better yet, full) key size to be utilized specially for situations when performance is extremely critical and something like Twofish just won't do. Personally I use Twofish on my P4 and Blowfish on all of my P3's. As for AES, while there doesn't seem to be anything fundamentally wrong with it, the fact that it was pushed so extensively by the powers that be and the fact that it's considerably easier on the hardware (as compared to say, Twofish), makes it a candidate for large-scale, targeted cryptanalysis, so I wouldn't put it past me that the NSA's onto something already. Best regards. From johanw at vulcan.xs4all.nl Tue Oct 13 17:59:00 2020 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Tue, 13 Oct 2020 17:59:00 +0200 Subject: Why is Blowfish's key size limited to 128 bits in RFC 4880? In-Reply-To: <41c5db76f7c5fea59b2211ce655b4aec.squirrel@giyzk7o6dcunb2ry.onion> References: <6f31242e21d5fa5b94e9eb6ca4fcd717.squirrel@giyzk7o6dcunb2ry.onion> <6c265970-b0c7-3408-690e-2d93d7be7a10@sixdemonbag.org> <3cadd1a47d1f4b7f289ae43b6ffeaea6.squirrel@giyzk7o6dcunb2ry.onion> <87362kdb40.fsf@wheatstone.g10code.de> <41c5db76f7c5fea59b2211ce655b4aec.squirrel@giyzk7o6dcunb2ry.onion> Message-ID: On 13-10-2020 16:46, Dieter Frye wrote: > Now if any of this remains true today, I cannot tell (I did the research a > number of years ago so it's possible something changed along the way), but > even if not, it would still make sense to me to allow for greater (or > better yet, full) key size to be utilized specially for situations when > performance is extremely critical and something like Twofish just won't > do. Be careful though, there are ciphers known where extra keybits don't increase security. 
If there are situations where they actually reduce security I don't know, but the cipher would have to be re-investigated after such a change. Having said that, 128 bits is really enough, 256 is overkill "just because we can". > As for AES, while there doesn't seem to be anything fundamentally wrong > with it, the fact that it was pushed so extensively by the powers that be > and the fact that it's considerably easier on the hardware (as compared to > say, Twofish), makes it a candidate for large-scale, targeted > cryptanalysis, so I wouldn't put it past me that the NSA's onto something > already. Brute-forcing a 128 bits keyspace and certainly a 256 bit one is still limited by the laws of physics, like in: - It takes more time than the age of the universe, - It requires more energy than the stars in the milky way emit during their life, - If you try to seriously parallelize it, there is not enough matter in the known universe to build all those computers. As long as the above are the limits I feel secure enough with the keysize. Quantum computers with enough qubits reduce the workload to brute force symmetric ciphers typical by a factor of a square root, so for those 256 bits is sufficient. But then the public keys become the weak point, the short-keyed elliptic curve algorithms long before RSA and Elgamal (but when elliptic curve gets into trouble you know it's only a matter of time before the others will be too so they do need replacement then). -- ir. J.C.A.
Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From dkg at fifthhorseman.net Tue Oct 13 19:02:24 2020 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Tue, 13 Oct 2020 13:02:24 -0400 Subject: Show that an encrypted message was signed, without decrypting it In-Reply-To: <20201011085813.00007638@300baud.de> References: <20201011014028.000020c0@300baud.de> <83o8l9wifk.fsf@helmutwaitzmann.news.arcor.de> <20201011085813.00007638@300baud.de> Message-ID: <87362ixdnj.fsf@fifthhorseman.net> On Sun 2020-10-11 09:59:12 +0200, Stefan Claas wrote: > Helmut Waitzmann Anti-Spam-Ticket.b.qc3c wrote: >> Yes, but why should she want to be able to do that? She could >> decrypt the message and, if it turns out that the message is not >> signed, discard the message. > > It would allow Alice (in her organization), or others, to do a > pre-check, with procmail etc., to set-up an auto-responder, informing > Bob that he did not sign his message and that his message will be > discarded. The traditional answer for supporting this kind of workflow for e-mail is called "triple-wrapping" -- see RFC 2634. That is, there is an inner signature, then a layer of encryption, and an outer signature that is intended to be visible to the transport agents handling the encrypted message. Those transport agents (or procmail, or autoresponders, or whatever) may make routing or handling decisions based on the outer signature without any knowledge of the inner signature. However, i have not seen triple-wrapping in wide-spread, interoperable use. Most MUAs i have experience with do not generate triple-wrapped messages, and i've found very few transport agents that interpret using them. IIUC, the only triple-wrapping implementations out there use S/MIME cryptographic e-mail, not PGP/MIME. More common on today's e-mail interactions is "Domain-keyed Internet Mail" or DKIM -- see RFC 6376.
This is a cryptographic signature over the entire message that is typically added by the sender's relaying transport agent -- the first transport agent that handles the e-mail message. Subsequent transport agents can verify the DKIM signature using the DNS as a form of proof-of-origin (typically, this is managed at the domain level, though domain operators may carve up the "selector" space for outsourced transports, or may also permit users to manage their own selectors [0]). This isn't exactly the same as an individual sending a message that is signed by the message origin, because DKIM signing tends to happen away from the originating endpoint. But for spam abatement and reputational systems, knowing that a message is signed by the domain itself is often good enough in practice. [0] https://tools.ietf.org/html/rfc6376#section-3.1 https://www.giovannimascellani.eu/dkim-for-debian-developers.html So there isn't really a good (or reasonable) way to do what you're asking for with OpenPGP directly. Given that mail is a complicated interoperability space, you're probably better off conditioning your procmail filters or autoresponder based on DKIM signature validity (though i advise reading and understanding the associated DMARC specifications before choosing to aggressively reject mail). Hope this helps, --dkg From angel at pgp.16bits.net Wed Oct 14 00:22:33 2020 From: angel at pgp.16bits.net (Ángel) Date: Wed, 14 Oct 2020 00:22:33 +0200 Subject: Five volunteers needed (EU .... Are you sure that this is really advantageous?
In-Reply-To: <20201011164138.000020c1@300baud.de>
References: <20201006113425.00007f72@300baud.de> <86788f713f0742f5a20adef5d96e0760710766d0.camel@16bits.net> <20201009024108.00007f6a@300baud.de> <20201010145739.0000453d@300baud.de> <20201010174057.GB10695@r314251-amd64> <20201010200418.00006902@300baud.de> <20201011130821.GA13489@r314251-amd64> <20201011145525.00004588@300baud.de> <20201011153430.GA14081@r314251-amd64> <20201011164138.000020c1@300baud.de>
Message-ID:

On 2020-10-11 at 17:41 +0200, Stefan Claas wrote:
>
> I had not set a password, so that the recipients can play with it.
> With a password set the NFC tag can not be written to.
>

Bob may be expecting to receive the safe, read-only NFC tag from Alice,
but Eve might have replaced it with a malicious one.

From sac at 300baud.de Wed Oct 14 09:09:56 2020
From: sac at 300baud.de (Stefan Claas)
Date: Wed, 14 Oct 2020 09:09:56 +0200
Subject: Five volunteers needed (EU .... Are you sure that this is really advantageous?
In-Reply-To:
References: <20201006113425.00007f72@300baud.de> <86788f713f0742f5a20adef5d96e0760710766d0.camel@16bits.net> <20201009024108.00007f6a@300baud.de> <20201010145739.0000453d@300baud.de> <20201010174057.GB10695@r314251-amd64> <20201010200418.00006902@300baud.de> <20201011130821.GA13489@r314251-amd64> <20201011145525.00004588@300baud.de> <20201011153430.GA14081@r314251-amd64> <20201011164138.000020c1@300baud.de>
Message-ID: <20201014080956.00002daa@300baud.de>

Ángel wrote:

> On 2020-10-11 at 17:41 +0200, Stefan Claas wrote:
> >
> > I had not set a password, so that the recipients can play with it.
> > With a password set the NFC tag can not be written to.
> >
>
> Bob may be expecting to receive the safe, read-only NFC tag from Alice,
> but Eve might have replaced it with a malicious one.

Alice can purchase tamper proof NFC stickers which when stripped off get
destroyed.
:-)

Regards
Stefan

-- 
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems, we did not have without him.

From rjh at sixdemonbag.org Wed Oct 14 09:20:56 2020
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 14 Oct 2020 03:20:56 -0400
Subject: Why is Blowfish's key size limited to 128 bits in RFC 4880?
In-Reply-To: <41c5db76f7c5fea59b2211ce655b4aec.squirrel@giyzk7o6dcunb2ry.onion>
References: <6f31242e21d5fa5b94e9eb6ca4fcd717.squirrel@giyzk7o6dcunb2ry.onion> <6c265970-b0c7-3408-690e-2d93d7be7a10@sixdemonbag.org> <3cadd1a47d1f4b7f289ae43b6ffeaea6.squirrel@giyzk7o6dcunb2ry.onion> <87362kdb40.fsf@wheatstone.g10code.de> <41c5db76f7c5fea59b2211ce655b4aec.squirrel@giyzk7o6dcunb2ry.onion>
Message-ID: <4769215a-28ff-d8a3-397f-15f36f14f9a4@sixdemonbag.org>

> My current understanding of the situation is that there are no known
> effective attacks against Blowfish so long as it's adequately
> implemented according to the suggested specifications and its
> relatively limited block size accounted for, and I naturally tend to
> gravitate towards tested-and-tried, reliable things with a more or
> less impeccable record.

Then you really ought be using 3DES, which is the most heavily
scrutinized symmetric algorithm in OpenPGP. AES is a close second.

> even if not, it would still make sense to me to allow for greater (or
> better yet, full) key size to be utilized specially for situations
> when performance is extremely critical and something like Twofish
> just won't do.

Which situations are those?

> As for AES, while there doesn't seem to be anything fundamentally
> wrong with it, the fact that it was pushed so extensively by the
> powers that be and the fact that it's considerably easier on the
> hardware (as compared to say, Twofish), makes it a candidate for
> large-scale, targeted cryptanalysis, so I wouldn't put it past me
> that the NSA's onto something already.

In a word, 'no'. In three, 'oh *hell* no'.

The best attack on 3DES, after more than 40 years of academic research,
requires ~10^17 bytes of RAM and ~10^34 encryptions. That's 100
petabytes of RAM, which is silly enough already. 10^34 encryptions,
each of which requires a minimum of erasing ~10^3 bits of data during
its evolution through S- and P-boxes, and the laws of physics flat
*require* losing about 10**-22 joules per erasure... you're talking
about liberating 10**15 joules as heat. That's about what a nuclear
bomb puts out.

And that's for 3DES, which is generally believed to be by far the
*worst* cipher in OpenPGP.

Why would anybody break ciphers the hard way with cryptanalysis, when
real-world systems are so easily exploitable and the human beings behind
them even moreso?

From 2017-r3sgs86x8e-lists-groups at riseup.net Wed Oct 14 09:25:57 2020
From: 2017-r3sgs86x8e-lists-groups at riseup.net (MFPA)
Date: Wed, 14 Oct 2020 08:25:57 +0100
Subject: Five volunteers needed (EU .... Are you sure that this is really advantageous?
In-Reply-To: <20201014080956.00002daa@300baud.de>
References: <20201006113425.00007f72@300baud.de> <86788f713f0742f5a20adef5d96e0760710766d0.camel@16bits.net> <20201009024108.00007f6a@300baud.de> <20201010145739.0000453d@300baud.de> <20201010174057.GB10695@r314251-amd64> <20201010200418.00006902@300baud.de> <20201011130821.GA13489@r314251-amd64> <20201011145525.00004588@300baud.de> <20201011153430.GA14081@r314251-amd64> <20201011164138.000020c1@300baud.de> <20201014080956.00002daa@300baud.de>
Message-ID: <952893056.20201014082536@mail.riseup.net>

Hi


On Wednesday 14 October 2020 at 8:09:56 AM, in
, Stefan Claas wrote:-

> Alice can purchase tamper proof NFC stickers which
> when stripped off get
> destroyed. :-)

And Eve's replacement sticker added over the top of the destroyed sticker.

-- 
Best regards

MFPA

COMMITTEE: A body that keeps minutes and wastes hours.

From sac at 300baud.de Wed Oct 14 09:31:08 2020
From: sac at 300baud.de (Stefan Claas)
Date: Wed, 14 Oct 2020 09:31:08 +0200
Subject: Five volunteers needed (EU .... Are you sure that this is really advantageous?
In-Reply-To: <952893056.20201014082536@mail.riseup.net>
References: <20201006113425.00007f72@300baud.de> <86788f713f0742f5a20adef5d96e0760710766d0.camel@16bits.net> <20201009024108.00007f6a@300baud.de> <20201010145739.0000453d@300baud.de> <20201010174057.GB10695@r314251-amd64> <20201010200418.00006902@300baud.de> <20201011130821.GA13489@r314251-amd64> <20201011145525.00004588@300baud.de> <20201011153430.GA14081@r314251-amd64> <20201011164138.000020c1@300baud.de> <20201014080956.00002daa@300baud.de> <952893056.20201014082536@mail.riseup.net>
Message-ID: <20201014083058.00004c1e@300baud.de>

MFPA wrote:

> Hi
>
>
> On Wednesday 14 October 2020 at 8:09:56 AM, in
> , Stefan Claas wrote:-
>
>
> > Alice can purchase tamper proof NFC stickers which
> > when stripped off get
> > destroyed. :-)
>
> And Eve's replacement sticker added over the top of the destroyed sticker.

But this would mean that Eve is in possession of the secret key or pass
phrase used with their encryption software.

Regards
Stefan

-- 
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems, we did not have without him.

From ryan at digicana.com Wed Oct 14 20:15:58 2020
From: ryan at digicana.com (Ryan McGinnis)
Date: Wed, 14 Oct 2020 18:15:58 +0000
Subject: Five volunteers needed (EU .... Are you sure that this is really advantageous?
In-Reply-To: <20201014080956.00002daa@300baud.de>
References: <20201010174057.GB10695@r314251-amd64> <20201010200418.00006902@300baud.de> <20201011130821.GA13489@r314251-amd64> <20201011145525.00004588@300baud.de> <20201011153430.GA14081@r314251-amd64> <20201011164138.000020c1@300baud.de> <20201014080956.00002daa@300baud.de>
Message-ID: <674b8c9a-b746-f1e0-e16e-c300ff968615@digicana.com>

CIA Agent 1: Swap out that NFC tag with the malicious one.
CIA Agent 2: But he put a little sticker on it!
CIA Agent 1: My God, all hope is lost

On 10/14/20 2:09 AM, Stefan Claas wrote:
> Ángel wrote:
>
>> On 2020-10-11 at 17:41 +0200, Stefan Claas wrote:
>>> I had not set a password, so that the recipients can play with it.
>>> With a password set the NFC tag can not be written to.
>>>
>> Bob may be expecting to receive the safe, read-only NFC tag from Alice,
>> but Eve might have replaced it with a malicious one.
> Alice can purchase tamper proof NFC stickers which when stripped off get
> destroyed. :-)
>
> Regards
> Stefan
>
> --
> NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
> The computer helps us to solve problems, we did not have without him.
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

-- 
-Ryan McGinnis
http://bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

From stefanclaas at riseup.net Wed Oct 14 18:21:27 2020
From: stefanclaas at riseup.net (Stefan Claas)
Date: Wed, 14 Oct 2020 09:21:27 -0700
Subject: Show that an encrypted message was signed, without decrypting it
In-Reply-To: <87362ixdnj.fsf@fifthhorseman.net>
References: <20201011014028.000020c0@300baud.de> <83o8l9wifk.fsf@helmutwaitzmann.news.arcor.de> <20201011085813.00007638@300baud.de> <87362ixdnj.fsf@fifthhorseman.net>
Message-ID:

On 2020-10-13 17:02, Daniel Kahn Gillmor via Gnupg-users wrote:
> On Sun 2020-10-11 09:59:12 +0200, Stefan Claas wrote:
>> Helmut Waitzmann Anti-Spam-Ticket.b.qc3c wrote:
>>> Yes, but why should she want to be able to do that? She could
>>> decrypt the message and, if it turns out that the message is not
>>> signed, discard the message.
>>
>> It would allow Alice (in her organization), or others, to do a
>> pre-check, with procmail etc., to set-up an auto-responder, informing
>> Bob that he did not sign his message and that his message will be
>> discarded.
>
> The traditional answer for supporting this kind of workflow for e-mail
> is called "triple-wrapping" -- see RFC 2634. That is, there is an inner
> signature, then a layer of encryption, and an outer signature that is
> intended to be visible to the transport agents handling the encrypted
> message. Those transport agents (or procmail, or autoresponders, or
> whatever) may make routing or handling decisions based on the outer
> signature without any knowledge of the inner signature. However, i have
> not seen triple-wrapping in wide-spread, interoperable use. Most MUAs i
> have experience with do not generate triple-wrapped messages, and i've
> found very few transport agents that interpret using them. IIUC, the
> only triple-wrapping implementations out there use S/MIME cryptographic
> e-mail, not PGP/MIME.
>
> More common on today's e-mail interactions is "Domain-keyed Internet
> Mail" or DKIM -- see RFC 6376. This is a cryptographic signature over
> the entire message that is typically added by the sender's relaying
> transport agent -- the first transport agent that handles the e-mail
> message.
>
> Subsequent transport agents can verify the DKIM signature using the DNS
> as a form of proof-of-origin (typically, this is managed at the domain
> level, though domain operators may carve up the "selector" space for
> outsourced transports, or may also permit users to manage their own
> selectors [0]). This isn't exactly the same as an individual sending a
> message that is signed by the message origin, because DKIM signing tends
> to happen away from the originating endpoint. But for spam abatement
> and reputational systems, knowing that a message is signed by the domain
> itself is often good enough in practice.
>
> [0] https://tools.ietf.org/html/rfc6376#section-3.1
> https://www.giovannimascellani.eu/dkim-for-debian-developers.html
>
> So there isn't really a good (or reasonable) way to do what you're
> asking for with OpenPGP directly. Given that mail is a complicated
> interoperability space, you're probably better off conditioning your
> procmail filters or autoresponder based on DKIM signature validity
> (though i advise reading and understanding the associated DMARC
> specifications before choosing to aggressively reject mail).
>
> Hope this helps,

Thank you very much for your detailed reply, much appreciated!

P.S. already replied yesterday off-list and had deleted the message,
hence my short reply here.

Best regards
Stefan

From sac at 300baud.de Wed Oct 14 20:59:02 2020
From: sac at 300baud.de (Stefan Claas)
Date: Wed, 14 Oct 2020 20:59:02 +0200
Subject: In case you use OpenPGP on a smartphone ...
In-Reply-To: <20200812135118.00007271@300baud.de>
References: <20200811181543.000066c6@300baud.de> <46849457-D0B0-4BC4-98CF-BAC8EE8317BE@andrewg.com> <20200811205757.000005ec@300baud.de> <2eec830c-95a6-bd79-d56e-d942bdcfec8d@andrewg.com> <20200812135118.00007271@300baud.de>
Message-ID: <20201014195902.00001e09@300baud.de>

Stefan Claas wrote:

> While I personally stopped using online encryption, long ago, after my
> Linux system was hacked, [...]

https://thehackernews.com/2020/10/finfisher-spyware-raid.html

Regards
Stefan

-- 
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems, we did not have without him.

From sac at 300baud.de Wed Oct 14 21:41:02 2020
From: sac at 300baud.de (Stefan Claas)
Date: Wed, 14 Oct 2020 21:41:02 +0200
Subject: Five volunteers needed (EU .... Are you sure that this is really advantageous?
In-Reply-To: <674b8c9a-b746-f1e0-e16e-c300ff968615@digicana.com>
References: <20201010174057.GB10695@r314251-amd64> <20201010200418.00006902@300baud.de> <20201011130821.GA13489@r314251-amd64> <20201011145525.00004588@300baud.de> <20201011153430.GA14081@r314251-amd64> <20201011164138.000020c1@300baud.de> <20201014080956.00002daa@300baud.de> <674b8c9a-b746-f1e0-e16e-c300ff968615@digicana.com>
Message-ID: <20201014204053.00007002@300baud.de>

Ryan McGinnis via Gnupg-users wrote:

> CIA Agent 1: Swap out that NFC tag with the malicious one.
> CIA Agent 2: But he put a little sticker on it!
> CIA Agent 1: My God, all hope is lost

Slightly OT, Germany's BSI just sent out a couple of days ago *postal*
mail to companies and organisations about a threat and *not* email.
:-)

I also released today an English version, along with a German version
of my binary to 5-letter word encoder/decoder, thus allowing people low
on budget to create small binary encrypted blobs and encode them, so
that they don't have to purchase NFC tags and a reader/writer for their
offline computer and they can then also avoid purchasing a printer for
QR-Codes and are then able to write down the 5-letter words from the
screen on a piece of paper and put it in a security envelope. :-)

https://github.com/sac001/b2w/

This procedure is a bit time consuming, but it is an option.

Regards
Stefan

-- 
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems, we did not have without him.

From ml.throttle at xoxy.net Wed Oct 14 23:44:04 2020
From: ml.throttle at xoxy.net (Helmut Waitzmann Anti-Spam-Ticket.b.qc3c)
Date: Wed, 14 Oct 2020 23:44:04 +0200
Subject: Show that an encrypted message was signed, without decrypting it
In-Reply-To: <20201011085813.00007638@300baud.de> (Stefan Claas's message of "Sun, 11 Oct 2020 09:59:12 +0200")
References: <20201011014028.000020c0@300baud.de> <83o8l9wifk.fsf@helmutwaitzmann.news.arcor.de> <20201011085813.00007638@300baud.de>
Message-ID: <83mu0olbyz.fsf@helmutwaitzmann.news.arcor.de>

Stefan Claas :
>Helmut Waitzmann Anti-Spam-Ticket.b.qc3c wrote:
>> Stefan Claas :

[The ability to check that an encrypted message has been signed.]

>It would allow Alice (in her organization), or others, to do a
>pre-check, with procmail etc., to set-up an auto-responder,
>informing Bob that he did not sign his message and that his
>message will be discarded.

>>> And is this optional in GnuPG, in case it is already
>>> implemented?
>>
>> As far as I know the order "first sign, then encrypt" is
>> mandatory, so there is no way for GnuPG to deviate from it.
>>
>> And this is a good thing, as it thwarts Eve eavesdropping on the
>> originator's identity (i. e. Bob) of a message sent to Alice.
>
>It should be not a mandatory feature and it should only append
>secured bytes, which are stating that Bob's message contains a
>signature (yes|no bytes), without revealing his identity.

What do you mean by the term "secured bytes"?

To check, whether a message pretends to have been signed by Bob,
one could check, that the "content-type" message header field has
got the value "multipart/signed" (look at my message, for example).

I say "pretends to have been signed" rather than "has been
signed", because Mallory could grab the (unencrypted) message,
remove the signature (if present), either put it into a
"multipart/signed" structure, attaching an (of course then) bad
signature of one of Bob's signed messages or just sign it by
herself. Then she would send the result to Alice.

To be sure, whether the message has actually been signed by Bob,
Alice would of course have to check the signature. But this would
reveal the identity of the signing key, and, if (the owner of) the
signing key is known to the recipient, the identity of the signer.
(After all, proving the identity of the signer and the authenticity
of the signed message is the purpose of signing a message.)

Helmut
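
The pre-check discussed in this thread, as an added sketch that is not part of any poster's message: it looks only at the outer PGP/MIME structure (the Content-Type check Helmut describes) and at the receiving server's DKIM verdict (the approach dkg suggests), and never decrypts anything. The Authentication-Results header (RFC 8601), the authserv-id mx.alice.example, the action names and the three sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes

# Assumption: the authserv-id that Alice's own border MTA writes (RFC 8601).
TRUSTED_AUTHSERV_ID = "mx.alice.example"


def pgp_mime_structure(msg):
    """What the outer MIME layer claims (RFC 3156). Nothing is verified here."""
    ctype = msg.get_content_type()
    protocol = str(msg.get_param("protocol") or "").lower()
    if ctype == "multipart/encrypted" and protocol == "application/pgp-encrypted":
        return "encrypted"      # an inner signature, if any, is not visible
    if ctype == "multipart/signed" and protocol == "application/pgp-signature":
        return "claims-signed"  # only a claim until the signature is checked
    return "plain"


def dkim_result(msg):
    """DKIM verdict recorded by our own MTA, or 'none' if it recorded nothing."""
    verdicts = []
    for value in msg.get_all("Authentication-Results", []):
        fields = " ".join(str(value).split()).split(";")  # unfold, then split
        authserv = fields[0].split()
        if not authserv or authserv[0].lower() != TRUSTED_AUTHSERV_ID:
            continue  # stamped by someone else, possibly the sender: ignore it
        for field in fields[1:]:
            m = re.match(r"\s*dkim\s*=\s*([a-z]+)", field, re.IGNORECASE)
            if m:
                verdicts.append(m.group(1).lower())
    if "pass" in verdicts:
        return "pass"
    return verdicts[0] if verdicts else "none"


def inspect_message(raw):
    """Return (structure, dkim, action) for one raw message, without decrypting."""
    msg = message_from_bytes(raw)
    structure = pgp_mime_structure(msg)
    dkim = dkim_result(msg)
    if dkim != "pass":
        action = "hold"  # hypothetical action; weigh DMARC before rejecting
    elif structure == "encrypted":
        action = "decrypt-then-verify"  # only the recipient can see a signature
    elif structure == "claims-signed":
        action = "verify-signature"
    else:
        action = "deliver"
    return structure, dkim, action


# Constructed sample: PGP/MIME encrypted, DKIM verified by Alice's own MTA.
ENCRYPTED = b"""\
Authentication-Results: mx.alice.example; dkim=pass header.d=bob.example
From: bob@bob.example
To: alice@alice.example
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

(constructed placeholder standing in for the armored ciphertext)
--b1--
"""

# Constructed sample: claims to be signed and carries an Authentication-Results
# header that was not written by Alice's MTA, so its "pass" counts for nothing.
FORGED_AR = b"""\
Authentication-Results: mx.other.example; dkim=pass header.d=bob.example
From: bob@bob.example
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature";
 micalg=pgp-sha256; boundary="b2"

--b2
Content-Type: text/plain

hello
--b2
Content-Type: application/pgp-signature

(constructed placeholder, not a real signature)
--b2--
"""

# Constructed sample: plain text whose DKIM check failed at Alice's MTA.
PLAIN_FAIL = b"""\
Authentication-Results: mx.alice.example; dkim=fail reason="constructed"
From: bob@bob.example
Content-Type: text/plain

hi
"""

if __name__ == "__main__":
    for name, raw in [("encrypted", ENCRYPTED), ("forged-ar", FORGED_AR),
                      ("plain-fail", PLAIN_FAIL)]:
        print(name, inspect_message(raw))
```

For the encrypted sample the filter can say nothing about an inner OpenPGP signature; it can only route on the domain-level DKIM result and leave signature checking to the recipient after decryption.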

From sac at 300baud.de Thu Oct 15 00:20:57 2020
From: sac at 300baud.de (Stefan Claas)
Date: Thu, 15 Oct 2020 00:20:57 +0200
Subject: Show that an encrypted message was signed, without decrypting it
In-Reply-To: <83mu0olbyz.fsf@helmutwaitzmann.news.arcor.de>
References: <20201011014028.000020c0@300baud.de> <83o8l9wifk.fsf@helmutwaitzmann.news.arcor.de> <20201011085813.00007638@300baud.de> <83mu0olbyz.fsf@helmutwaitzmann.news.arcor.de>
Message-ID: <20201014231924.00001293@300baud.de>

Helmut Waitzmann Anti-Spam-Ticket.b.qc3c wrote:

> Stefan Claas :
> >Helmut Waitzmann Anti-Spam-Ticket.b.qc3c wrote:
> >> Stefan Claas :
>
> [The ability to check that an encrypted message has been signed.]
>
>
> >It would allow Alice (in her organization), or others, to do a
> >pre-check, with procmail etc., to set-up an auto-responder,
> >informing Bob that he did not sign his message and that his
> >message will be discarded.
>
> >>> And is this optional in GnuPG, in case it is already
> >>> implemented?
> >>
> >> As far as I know the order "first sign, then encrypt" is
> >> mandatory, so there is no way for GnuPG to deviate from it.
> >>
> >> And this is a good thing, as it thwarts Eve eavesdropping on the
> >> originator's identity (i. e. Bob) of a message sent to Alice.
> >
> >It should be not a mandatory feature and it should only append
> >secured bytes, which are stating that Bob's message contains a
> >signature (yes|no bytes), without revealing his identity.
>
> What do you mean by the term "secured bytes"?

Well, there should be a way that appended bytes to a signed and
encrypted message could not be exchanged by third parties, to allow a
pre-check (procmail etc.), like I explained, without the need that
Alice has to decrypt the message manually and then check if the
message was signed.

While not being off-topic, how does for example Zero Knowledge Proof
Encryption do a check that the identity of a user is proven, while the
user does not have to reveal his actual age? He only proves with that,
that he is over 18 years of age.

While I am no programmer or cryptographer, I think if this is possible
then something that I asked for should be somehow possible too, or not?

Regards
Stefan

-- 
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems, we did not have without him.

From john at johnbyrnes.info Thu Oct 15 19:25:44 2020
From: john at johnbyrnes.info (John Byrnes)
Date: Thu, 15 Oct 2020 13:25:44 -0400
Subject: binary distribution of GnuPG for SuSE Linux SLES 15
In-Reply-To: <20201013131104.GA3399@r314251-amd64>
References: <20201013131104.GA3399@r314251-amd64>
Message-ID:

On 10/13/20 9:11 AM, Matthias Apitz wrote:
> Is there any provider for a binary RPM for this OS:
>
> # cat /etc/os-release
> NAME="SLES"
> VERSION="15-SP1"
> VERSION_ID="15.1"
> PRETTY_NAME="SUSE Linux Enterprise Server 15 SP1"
> ID="sles"
> ID_LIKE="suse"
> ANSI_COLOR="0;32"
> CPE_NAME="cpe:/o:suse:sles:15:sp1"
>
> Or do we have to compile it from source?

Hi Matthias,

GnuPG is packaged for OpenSuse:

https://software.opensuse.org/package/gpg2

Best regards,
John

From chrisbcoutinho at gmail.com Thu Oct 15 22:48:27 2020
From: chrisbcoutinho at gmail.com (Chris Coutinho)
Date: Thu, 15 Oct 2020 22:48:27 +0200
Subject: binary distribution of GnuPG for SuSE Linux SLES 15
In-Reply-To: <20201013131104.GA3399@r314251-amd64>
References: <20201013131104.GA3399@r314251-amd64>
Message-ID: <9d92d670cb4b2b6b58dbb1d4d2833ae04d8e80a5.camel@gmail.com>

On Tue, 2020-10-13 at 15:11 +0200, Matthias Apitz wrote:
>
> Hello,
>
> Is there any provider for a binary RPM for this OS:
>
> # cat /etc/os-release
> NAME="SLES"
> VERSION="15-SP1"
> VERSION_ID="15.1"
> PRETTY_NAME="SUSE Linux Enterprise Server 15 SP1"
> ID="sles"
> ID_LIKE="suse"
> ANSI_COLOR="0;32"
> CPE_NAME="cpe:/o:suse:sles:15:sp1"
>
> Or do we have to compile it from source?
>
> Thanks
>
> matthias
>

Hi Matthias,

There appear to be a few different repositories related to SLES 15, and
to be honest I'm not sure what the difference between them actually is.

From my initial investigation it that gpg2 is available in either one
of the following two repositories (original SLE 15)

https://build.opensuse.org/package/show/SUSE:SLE-15:GA/gpg2
https://build.opensuse.org/package/show/SUSE:SLE-15:Update/gpg2

yet is missing from SLE SP1 and SP2

https://build.opensuse.org/project/show/SUSE:SLE-15-SP1:GA
https://build.opensuse.org/project/show/SUSE:SLE-15-SP1:Update
https://build.opensuse.org/project/show/SUSE:SLE-15-SP2:GA
https://build.opensuse.org/project/show/SUSE:SLE-15-SP2:Update

I would try to get it from one of the original SLE repos, or ask on a
SUSE mailing list about why it's missing from SP1.

Cheers,
Chris

From dharav_patel at outlook.com Thu Oct 15 21:20:45 2020
From: dharav_patel at outlook.com (DHARAV PATEL)
Date: Thu, 15 Oct 2020 19:20:45 +0000
Subject: How to set up GPG4win to run from local system account?
Message-ID:

Hi,

I have installed gpg4win on windows server. I have admin rights and
when I installed, I run exe as administrator. I created keys in
kleopatra. When I run batch files by double clicking on it, it works
fine. If same batch file execute by other user then it does not work.

It seems exe search for public or private key here =>
C:\Users\dharav\AppData\Roaming\gnupg

If any user import this public keys through kleopatra then it works for
that user as well.

Is there a way that we can install once and system account (service
runs on system account) and other user can access this?

I export both public and private keys and stored in the E:\Test\ folder.
My gpg exe file stored in E:\Software\PGPWin\GnuPG\bin\ location

code in batch file:

set path=%path%;"E:\Software\PGPWin\GnuPG\bin\"
gpg --logger-file "D:\gpglog.log" --pinentry-mode loopback --batch --no --force-mdc --passphrase-file "D:\PassCode.txt" -d -o "D:\ERP_Export.txt" "D:\Encrypt_ERP.txt"

Being a newbie, I am not able to understand the workflow of the GPG4WIN
and its set up.

Please Advise.

Thank You
Dharav

Regards,
DHARAV PATEL
TM1Developer at outlook.com
347-652-6310

From pankaj at codeisgreat.org Fri Oct 16 12:08:16 2020
From: pankaj at codeisgreat.org (Pankaj Jangid)
Date: Fri, 16 Oct 2020 15:38:16 +0530
Subject: How to set up GPG4win to run from local system account?
In-Reply-To: (DHARAV PATEL via Gnupg-users's message of "Thu, 15 Oct 2020 19:20:45 +0000")
References:
Message-ID:

DHARAV PATEL via Gnupg-users writes:

> I have installed gpg4win on windows server. I have admin rights and
> when I installed, I run exe as administrator.

> Being a newbie, I am not able to understand the workflow of the
> GPG4WIN and its set up.

The best place to start with is /The GNU Privacy Handbook/. Refer
specifically to the section
[[https://gnupg.org/gph/en/manual.html#INTRO][Getting Started]]

For your case, that is if you want to use shared key encryption, then
look for symmetric ciphers in section~2.

Private keys are not meant to be shared among users.

-- 
Pankaj Jangid
GnuPG Fingerprint => 0B62 7424 3B26 A911 052A DDE6 7C95 6E6F F858 7689

From includestdioh at secmail.pro Sat Oct 17 03:41:14 2020
From: includestdioh at secmail.pro (Dieter Frye)
Date: Fri, 16 Oct 2020 18:41:14 -0700
Subject: Why is Blowfish's key size limited to 128 bits in RFC 4880?
In-Reply-To:
References: <6f31242e21d5fa5b94e9eb6ca4fcd717.squirrel@giyzk7o6dcunb2ry.onion> <6c265970-b0c7-3408-690e-2d93d7be7a10@sixdemonbag.org> <3cadd1a47d1f4b7f289ae43b6ffeaea6.squirrel@giyzk7o6dcunb2ry.onion> <87362kdb40.fsf@wheatstone.g10code.de> <41c5db76f7c5fea59b2211ce655b4aec.squirrel@giyzk7o6dcunb2ry.onion>
Message-ID: <450bee4138b9cf09c880c76676497200.squirrel@giyzk7o6dcunb2ry.onion>

> On 13-10-2020 16:46, Dieter Frye wrote:
>
>> Now if any of this remains true today, I cannot tell (I did the research
>> a
>> number of years ago so it's possible something changed along the way),
>> but
>> even if not, it would still make sense to me to allow for greater (or
>> better yet, full) key size to be utilized specially for situations when
>> performance is extremely critical and something like Twofish just won't
>> do.
>
> Be careful though, there are ciphers known where extra keybits don't
> increase security. If there are situations where they actually reduce
> security I don't know, but the cipher would have to be re-investigated
> after such a change.
>
> Having said that, 128 bits is really enough, 256 is overkill "just
> because we can".
>
>> As for AES, while there doesn't seem to be anything fundamentally wrong
>> with it, the fact that it was pushed so extensively by the powers that
>> be
>> and the fact that it's considerably easier on the hardware (as compared
>> to
>> say, Twofish), makes it a candidate for large-scale, targeted
>> cryptanalysis, so I wouldn't put it past me that the NSA's onto
>> something
>> already.
>
> Brute-forcing a 128 bits keyspace and certainly a 256 bit one is still
> limited by the laws of physics, like in:
>
> - It takes more time than the age of the universe,
> - It requires more energy than the stars in the milky way emit during
> their life,
> - If you try to seriously parallelize it, there is not enough matter in
> the known universe to build all those computers.
>
> As long as the above are the limits I feel secure enough with the keysize.
>
> Quantum computers with enough qubits reduce the workload to brute force
> symmetric ciphers typical by a factor of a square root, so for those 256
> bits is sufficient. But then the public keys become the weak point, the
> short-keyed elliptic curve algorithms long before RSA and Elgamal (but
> when elliptic curve gets into trouble you know it's only a matter of
> time before the others will be too so they do need replacement then).
>
> --
> ir. J.C.A. Wevers
> PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>

Ultimately it comes down to what the goal of the OpenPGP standard is
supposed to be. It's pretty obvious they don't rush into new things
just because, and are generally conservative when it comes to
considering allegedly stronger ciphers such as Serpent simply because
preserving interoperability with less powerful hardware is
non-negotiable to a degree. But Blowfish is a different animal: It's
already in and stands remarkably efficient irrespective of key size.

To me, allowing for Blowfish to be implemented at full strength would
simply extend its utility (particularly when it comes to legacy
systems) throughout the steadily approaching quantum era.

From includestdioh at secmail.pro Sat Oct 17 04:18:10 2020
From: includestdioh at secmail.pro (Dieter Frye)
Date: Fri, 16 Oct 2020 19:18:10 -0700
Subject: Why is Blowfish's key size limited to 128 bits in RFC 4880?
In-Reply-To: <4769215a-28ff-d8a3-397f-15f36f14f9a4@sixdemonbag.org>
References: <6f31242e21d5fa5b94e9eb6ca4fcd717.squirrel@giyzk7o6dcunb2ry.onion> <6c265970-b0c7-3408-690e-2d93d7be7a10@sixdemonbag.org> <3cadd1a47d1f4b7f289ae43b6ffeaea6.squirrel@giyzk7o6dcunb2ry.onion> <87362kdb40.fsf@wheatstone.g10code.de> <41c5db76f7c5fea59b2211ce655b4aec.squirrel@giyzk7o6dcunb2ry.onion> <4769215a-28ff-d8a3-397f-15f36f14f9a4@sixdemonbag.org>
Message-ID: <8f1cbbb52d153ed62e62355c5455848f.squirrel@giyzk7o6dcunb2ry.onion>

>> My current understanding of the situation is that there are no known
>> effective attacks against Blowfish so long as it's adequately
>> implemented according to the suggested specifications and its
>> relatively limited block size accounted for, and I naturally tend to
>> gravitate towards tested-and-tried, reliable things with a more or
>> less impeccable record.
>
> Then you really ought be using 3DES, which is the most heavily
> scrutinized symmetric algorithm in OpenPGP. AES is a close second.
>

Unfortunately 3DES did not survive said scrutiny in the end, thus it's
being phased out as we speak, and while far from broken, it could
theoretically be weakened to such an extent it would no longer be safe
in the foreseeable future.

>> even if not, it would still make sense to me to allow for greater (or
>> better yet, full) key size to be utilized specially for situations
>> when performance is extremely critical and something like Twofish
>> just won't do.
>
> Which situations are those?
>

My P3 class-powered servers performing a variety of cryptographic
operations on relatively large files (we get anything from 30 to 60 MiB
pdf's on a regular basis and if I were to use Twofish for any of it...
not practical)

>> As for AES, while there doesn't seem to be anything fundamentally
>> wrong with it, the fact that it was pushed so extensively by the
>> powers that be and the fact that it's considerably easier on the
>> hardware (as compared to say, Twofish), makes it a candidate for
>> large-scale, targeted cryptanalysis, so I wouldn't put it past me
>> that the NSA's onto something already.
>
> In a word, 'no'. In three, 'oh *hell* no'.
>
> The best attack on 3DES, after more than 40 years of academic research,
> requires ~10^17 bytes of RAM and ~10^34 encryptions. That's 100
> petabytes of RAM, which is silly enough already. 10^34 encryptions,
> each of which requires a minimum of erasing ~10^3 bits of data during
> its evolution through S- and P-boxes, and the laws of physics flat
> *require* losing about 10**-22 joules per erasure... you're talking
> about liberating 10**15 joules as heat. That's about what a nuclear
> bomb puts out.
>
> And that's for 3DES, which is generally believed to be by far the
> *worst* cipher in OpenPGP.
>

Sooner or later something's bound to happen that could render current
technology obsolete, so it's better to err on the safer side.

> Why would anybody break ciphers the hard way with cryptanalysis, when
> real-world systems are so easily exploitable and the human beings behind
> them even moreso?
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>

Convenience. If you break one, you've broken them all.

From sac at 300baud.de Sat Oct 17 17:58:25 2020
From: sac at 300baud.de (Stefan Claas)
Date: Sat, 17 Oct 2020 17:58:25 +0200
Subject: Five volunteers needed (EU only please)
In-Reply-To: <20201007143644.0000146a@300baud.de>
References: <20201005163757.0000391f@300baud.de>
 <454d08f4-2eb6-8942-41bd-e16bcd296241@digicana.com>
 <20201007143644.0000146a@300baud.de>
Message-ID: <20201017165825.00002ba6@300baud.de>

Stefan Claas wrote:

> Ryan McGinnis via Gnupg-users wrote:
>
> > Perhaps just use QR codes? Easily scanned and imported by a digital
> > device. Message size is limited, but probably enough. If not, you can
> > maybe use multiple QR codes. This reply, encrypted to you, is contained
> > in the linked QR below:
>
> I just downloaded a free QR-Code app from Microsoft's Store and I was able
> to decode and decrypt the message. It ends with '...linked QR below:'
> but does not contain the link. I must say that for me and the provided
> content, the image size is too big for my taste. I will feed now the message
> into JAB-code and see how big the image size is there.
>
> A user reported to me that with his QR-Code software he was not able to
> decode the message. He usually had always good results with QR-code in the
> past. Maybe you can tell me what QR-Code software you used, so that the
> user can try with a different or the same software.

I received an encrypted postcard today, which included an NFC tag and a QR-code. While decrypting the message from the NFC tag was no problem, the very dense QR-code I was not able to decode. And I used a high dpi setting for scanning.

Regards
Stefan

-- 
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems, we did not have without him.

From rjh at sixdemonbag.org Sat Oct 17 18:36:49 2020
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 17 Oct 2020 12:36:49 -0400
Subject: Why is Blowfish's key size limited to 128 bits in RFC 4880?
In-Reply-To: <8f1cbbb52d153ed62e62355c5455848f.squirrel@giyzk7o6dcunb2ry.onion>
References: <6f31242e21d5fa5b94e9eb6ca4fcd717.squirrel@giyzk7o6dcunb2ry.onion>
 <6c265970-b0c7-3408-690e-2d93d7be7a10@sixdemonbag.org>
 <3cadd1a47d1f4b7f289ae43b6ffeaea6.squirrel@giyzk7o6dcunb2ry.onion>
 <87362kdb40.fsf@wheatstone.g10code.de>
 <41c5db76f7c5fea59b2211ce655b4aec.squirrel@giyzk7o6dcunb2ry.onion>
 <4769215a-28ff-d8a3-397f-15f36f14f9a4@sixdemonbag.org>
 <8f1cbbb52d153ed62e62355c5455848f.squirrel@giyzk7o6dcunb2ry.onion>
Message-ID: <505458f7-eb8a-90d2-b731-5408d502dc37@sixdemonbag.org>

> Unfortunately 3DES did not survive said scrutiny in the end...

It absolutely *has* survived scrutiny. I don't know where you're getting your information.

3DES is being phased out because its 64-bit block size makes it dicey for modern bulk encryption, and because its spectacular overdesign makes it very slow. That's it. Nobody has come up with any kind of meaningful cryptanalytic attack against it. It simply doesn't exist.

> My P3 class-powered servers performing a variety of cryptographic
> operations on relatively large files (we get anything from 30 to 60 MiB
> pdf's on a regular basis and if I were to use Twofish for any of it... not
> practical)

Very practical. You could practically use 3DES on these files. 60MB is nothing: you're going to experience more slowdown writing to disk.

> Sooner or later something's bound to happen that could render current
> technology obsolete, so it's better to err on the safer side.

In that case, why not also work on defending against time travel, psychic phenomena, or aliens from Zarbnulax?

The moment you say "it doesn't matter what the science says," you open the door to some very reasonable questions about why you're defending against one not-rooted-in-science attack and not others.

>> Why would anybody break ciphers the hard way with cryptanalysis, when
>> real-world systems are so easily exploitable and the human beings behind
>> them even moreso?
>
> Convenience. If you break one, you've broken them all.

No, that's not how cryptanalysis works, either. Cryptanalysis works by reducing the amount of work to be done: only in rare cases will it totally erase the work factor.

A massively profound cryptanalytic attack on AES128 would reduce the work factor to, oh, call it 2**80; that result would be *seismic*. But 2**80 ain't easy, either. You still have to do an awful lot of hard work and pay a really huge utility bill.

Why do it this way? Why not go after the data in a non-cryptanalytic way, where the work factor is so much less?

From ludo at gnu.org Wed Oct 21 23:52:08 2020
From: ludo at gnu.org (Ludovic Courtès)
Date: Wed, 21 Oct 2020 23:52:08 +0200
Subject: Dealing with duplicate keys
Message-ID: <87pn5bw8l3.fsf@gnu.org>

Hello,

For some reason (perhaps a bug in a previous version of GnuPG I used long ago?), my public key ring had come to contain my own public key twice, with the same fingerprint and all.

Consequently, ‘gpg --list-keys’ would show it twice and ‘gpg --list-secret-keys’ as well. Even ‘gpg --export-secret-key’ would export it twice (two secret key packets). I didn’t notice until I upgraded to Emacs 27.1, where epg bails out if ‘--list-secret-keys’ returns more than one key.

To recover from it, I deleted my public key with ‘--delete-key’ twice, ‘--delete-secret-key’ once for the corresponding secret key, and then re-imported both the public key and the secret key, which I had previously exported. Now everything is back to normal.

I’m not sure what could be done in gpg itself, but I thought I’d share my experience in case that rings a bell or there’s something obvious I missed.

Cheers,
Ludo’.

From wrktalive at gmail.com Thu Oct 22 00:59:03 2020
From: wrktalive at gmail.com (Mike)
Date: Wed, 21 Oct 2020 18:59:03 -0400
Subject: Seeking help.
Message-ID:

I have an issue with my keys being separated and unable to access. I had to recover gnupg file from a corrupted os.
The contents of the gnupg file are encrypted and are not in openpgp data. So when I try to import my keys from 'private-keys-v1.d' nothing happens. Output says no openpgp data found and 0 items processed. Same goes for the keyring.kbx files... nothing imports. I've gone through everything I can find online.. somebody please help me...

From wk at gnupg.org Thu Oct 22 15:22:33 2020
From: wk at gnupg.org (Werner Koch)
Date: Thu, 22 Oct 2020 15:22:33 +0200
Subject: Dealing with duplicate keys
In-Reply-To: <87pn5bw8l3.fsf@gnu.org> ("Ludovic Courtès via Gnupg-users"'s message of "Wed, 21 Oct 2020 23:52:08 +0200")
References: <87pn5bw8l3.fsf@gnu.org>
Message-ID: <87pn5a9yzq.fsf@wheatstone.g10code.de>

On Wed, 21 Oct 2020 23:52, Ludovic Courtès said:

> For some reason (perhaps a bug in a previous version of GnuPG I used
> long ago?), my public key ring had come to contain my own public key
> twice, with the same fingerprint and all.

Should not happen because we use on Unix a copy-to-temp/update/rename strategy. There are bugs of course and so there is no guarantee that it does not happen.

Eventually this will go away because 2.3 will come with the optional keyboxd daemon which uses sqlite and keeps a unique index on the primary key's fingerprint. It will also make things faster and more robust related to changes when running several gpg processes. Drawback is that we have yet another format to store keys.

> To recover from it, I deleted my public key with ‘--delete-key’ twice,
> ‘--delete-secret-key’ once for the corresponding secret key, and then
> re-imported both the public key and the secret key, which I had
> previously exported. Now everything is back to normal.

That is a sound fix. I am not aware of other reports but ppl might not have considered this a bug.

  kbxutil --find-dups pubring.kbx

should print a list of duplicate records.
Take care: kbxutil is more of a debugging aid than a real tool.

While you spoke about easypg: I often have problems with it and it would be nice if we could find a maintainer for it. With the Emacs' new FFI a move to GPGME might also be an idea.

Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From wk at gnupg.org Thu Oct 22 15:27:29 2020
From: wk at gnupg.org (Werner Koch)
Date: Thu, 22 Oct 2020 15:27:29 +0200
Subject: Seeking help.
In-Reply-To: (Mike via Gnupg-users's message of "Wed, 21 Oct 2020 18:59:03 -0400")
References:
Message-ID: <87lffy9yri.fsf@wheatstone.g10code.de>

On Wed, 21 Oct 2020 18:59, Mike said:

> I had to recover gnupg file from a corrupted os. The contents of the gnupg
> file are encrypted and are not in openpgp data. So when I try to import my
> keys from 'private-keys-v1.d' nothing happens. Output says no openpgp data
> found and 0 items processed.

You simply restore the files from private-keys-v1. These are internal to gnupg and it is not possible or needed to import them. The format of the private key files is well specified and we take care to keep them compatible with all GnuPG 2 versions.

To make the restored private keys actually work you also need the public keys. Ask someone else or a keyserver to send you your public key if you don't have a backup. With the private keys in place gpg will be able to list them and be able to decrypt or sign data.

Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From bernhard at intevation.de Fri Oct 23 11:14:55 2020
From: bernhard at intevation.de (Bernhard Reiter)
Date: Fri, 23 Oct 2020 11:14:55 +0200
Subject: Preserving public keyserver network (Re: Which keyserver)
In-Reply-To: <20200919233432.00007f82@300baud.de>
References: <20200919220421.00000c23@300baud.de>
 <0F7A336D-ED58-4BF8-91BA-730635A358DA@andrewg.com>
 <20200919233432.00007f82@300baud.de>
Message-ID: <202010231115.02807.bernhard@intevation.de>

On Saturday 19 September 2020 23:34:32 Stefan Claas wrote:
> I stand by my points that hockeypuck can solve the issues

To me it makes sense to preserve a decentralised network of public keyservers [1].

In my post
  Preserving non-central and privacy with a "permission recording keyserver"
  [Reiter 2019-07 a]
  https://lists.gnupg.org/pipermail/gnupg-devel/2019-July/034399.html
there is a concept allowing for compatibility with strong privacy laws.

Some ideas how we could conceptually preserve third party signature information on public servers:
  Preserving third party signatures distribution [Reiter 2019-07 b]
  https://lists.gnupg.org/pipermail/gnupg-devel/2019-July/034394.html

So yes, I also believe that improvements to hockeypuck or a fresh implementation could step by step get the public keyserver network up again.

Best Regards,
Bernhard

ps.: Because I believe funding more qualified dev time is part of the solution: You can become a sponsor for hockeypuck development, see https://github.com/sponsors/cmars (my company Intevation is one, we also gave a small donation to KF Web running https://sks-keyservers.net/).

[1]
Web of Trust's usefulness [Reiter 2019-07 c]
https://lists.gnupg.org/pipermail/gnupg-devel/2019-July/034412.html

| as additional source of trust and history.
| Abandoning the web of trust common infrastructure works against usage
| models where there is anonymous usage, several identities, non-email use
| and offline usage. All those maybe not the majority case, they may even be
| niche models, but I think they are important to add diversity and
| resilience against manipulations of mainstream players.
(spelling improved)

-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From andrewg at andrewg.com Fri Oct 23 14:23:07 2020
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Fri, 23 Oct 2020 13:23:07 +0100
Subject: Preserving public keyserver network (Re: Which keyserver)
In-Reply-To: <202010231115.02807.bernhard@intevation.de>
References: <20200919220421.00000c23@300baud.de>
 <0F7A336D-ED58-4BF8-91BA-730635A358DA@andrewg.com>
 <20200919233432.00007f82@300baud.de>
 <202010231115.02807.bernhard@intevation.de>
Message-ID: <125285d2-4167-634b-11e3-1fa2c3dd74a8@andrewg.com>

On 23/10/2020 10:14, Bernhard Reiter wrote:
> So yes, I also believe that improvements to hockeypuck or a fresh
> implementation could step by step get the public keyserver network up again.

I've thought about this quite a bit after my previous attempts to reconcile recon with selective retention. I believe the solution is to segregate the "recon" part of the process from the "retention" part.

Our current recon model requires that all packets that exist in the keyserver network be reconned via the same method. This causes problems when trying to apply retention policies to certain packets and not others.
For example, we almost always want revocation packets to recon, almost *never* want user-attribute packets, and other packets such as user-id fall somewhere in between.

If we segregate the recon and retention components, we can recon an agreed bare minimum of packet types, without needing to apply per-key filters and thereby avoiding any split-brain or sync-storm failures. This minimal list of packet types would have to include primary keys and revocation keys, but little (perhaps nothing?) else.

Along with these packets each keyserver would gossip a list of associated hints from other keyservers. These hints would declare that an "authoritative keyserver" exists that is serving the full key, presumably having performed validation. The full set of packets would not be advertised for recon, but would be available through hkp(s) as normal (for the purposes of this section, the existence of an entry in WKD would count as an "authoritative keyserver"). Other keyservers would gossip that they have recently been able to download the full key from one or more authoritative locations. Such hints would not be cryptographically part of the key in question, so they should have an expiration date in order to prevent stale info accumulating in the network.

A keyserver that is not willing to retain the full set of packets for a given key could instead choose to serve them via a caching proxy or an HTTP redirect to a server that is willing. This would allow for the full public key to be discovered and refreshed by the usual methods, but without every keyserver in the network having to retain its own copy.

It would still be advisable for a user to upload their full key to more than one validating keyserver, in order to guard against service outages, but even in the case where the only copy of the full key becomes unavailable indefinitely, primary and revocation packets associated with it would continue to recon.
This model also has the advantage of significantly reducing the number of packets in the recon database.

Some other initial ideas:

* The new pool would have to be completely separate from the old pool, because the deltas would be astronomical.

* Existing validating keyservers could cheaply "join the new pool" by setting up a separate reconning keyserver in the pool that a) advertises the appropriate hints on behalf of the validating keyserver and b) submits any newly-synced packets into the validating keyserver.

* Hints could take the form of fake preferred-keyserver subpackets, in a similar manner to fake "fpr:DEADBEEF" user-id packets that have been previously discussed to support UID-less key refresh on legacy systems (could both be combined in a single fake BIND sig?). These would be amenable to recon, and naturally come with a timestamp that could be used to expire them from the cache. Cryptographic non-verification should ensure that real preferred-keyserver subpackets would override such hints in client applications.

Thoughts?

-- 
Andrew Gallagher
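
An added illustration of the recon/retention split proposed in the message above (not part of the original message, and not code from SKS, hockeypuck or any other keyserver): it parses RFC 4880 packet headers, offers only the minimal packet set for recon, and answers lookups from expiring hints. The reading of "primary keys and revocation" as public-key packets plus type 0x20 signatures, the names `split_for_recon`, `HintCache` and `lookup`, and the constructed sample packets, fingerprint and URL are all assumptions.

```python
# OpenPGP packet tags (RFC 4880 section 4.3) and one signature type (5.2.1).
TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID = 2, 6, 13
TAG_PUBLIC_SUBKEY, TAG_USER_ATTRIBUTE = 14, 17
SIG_KEY_REVOCATION = 0x20

def iter_packets(data):
    """Yield (tag, body) for every packet in a binary OpenPGP stream."""
    pos = 0
    def take(n):
        nonlocal pos
        if pos + n > len(data):
            raise ValueError("truncated packet")
        chunk = data[pos:pos + n]
        pos += n
        return chunk
    while pos < len(data):
        first = take(1)[0]
        if not first & 0x80:
            raise ValueError("bit 7 of a packet header must be set")
        if first & 0x40:                       # new-format header
            tag = first & 0x3F
            l1 = take(1)[0]
            if l1 < 192:
                length = l1
            elif l1 < 224:
                length = ((l1 - 192) << 8) + take(1)[0] + 192
            elif l1 == 255:
                length = int.from_bytes(take(4), "big")
            else:
                raise ValueError("partial body lengths are not handled")
        else:                                  # old-format header
            tag = (first >> 2) & 0x0F
            size = {0: 1, 1: 2, 2: 4}.get(first & 0x03)
            if size is None:
                raise ValueError("indeterminate lengths are not handled")
            length = int.from_bytes(take(size), "big")
        yield tag, take(length)

def signature_type(body):
    """Signature type octet of a v4 (offset 1) or v3 (offset 2) signature."""
    if len(body) >= 2 and body[0] == 4:
        return body[1]
    if len(body) >= 3 and body[0] == 3:
        return body[2]
    return None

def split_for_recon(data):
    """Return (reconned, withheld) packet lists for one transferable key.
    Assumed reading of the proposal: only primary-key packets and key
    revocation signatures are offered for recon; everything else is withheld."""
    reconned, withheld = [], []
    for tag, body in iter_packets(data):
        minimal = tag == TAG_PUBLIC_KEY or (
            tag == TAG_SIGNATURE and signature_type(body) == SIG_KEY_REVOCATION)
        (reconned if minimal else withheld).append((tag, body))
    return reconned, withheld

class HintCache:
    """Hypothetical store of gossiped 'full key is served at URL' hints."""
    def __init__(self):
        self._hints = {}                       # fingerprint -> {url: expiry}
    def gossip(self, fingerprint, url, now, ttl):
        self._hints.setdefault(fingerprint, {})[url] = now + ttl
    def live(self, fingerprint, now):
        urls = self._hints.get(fingerprint, {})
        for url in [u for u, expiry in urls.items() if expiry <= now]:
            del urls[url]                      # stale hints must not accumulate
        return sorted(urls)

def lookup(fingerprint, retained, hints, now):
    """Serve a retained full key, else redirect to a live hint, else nothing."""
    if fingerprint in retained:
        return ("serve", retained[fingerprint])
    urls = hints.live(fingerprint, now)
    return ("redirect", urls[0]) if urls else ("minimal-only", None)

def pkt(tag, body, new=False):
    """Build a constructed packet with a one-octet length (old or new header)."""
    first = (0xC0 | tag) if new else (0x80 | (tag << 2))
    return bytes([first, len(body)]) + body

# Constructed sample: the packet bodies are stubs, not a usable key.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"   # constructed fingerprint
SAMPLE = b"".join([
    pkt(TAG_PUBLIC_KEY, b"\x04" + bytes(5)),                 # primary key
    pkt(TAG_SIGNATURE, b"\x04\x20\x01\x08", new=True),       # key revocation
    pkt(TAG_USER_ID, b"Alice <alice@example.org>"),
    pkt(TAG_SIGNATURE, b"\x04\x13\x01\x08", new=True),       # certification
    pkt(TAG_USER_ATTRIBUTE, b"\x01\x02\x03", new=True),
    pkt(TAG_PUBLIC_SUBKEY, b"\x04" + bytes(5)),
    pkt(TAG_SIGNATURE, b"\x04\x18\x01\x08", new=True),       # subkey binding
])
```

With the sample above, only the primary key and its revocation signature land in the reconned set; the user ID, user attribute, subkey and their signatures are reachable only through a hint that has not yet expired.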

From andrewg at andrewg.com Fri Oct 23 15:05:26 2020
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Fri, 23 Oct 2020 14:05:26 +0100
Subject: Preserving public keyserver network (Re: Which keyserver)
In-Reply-To: <125285d2-4167-634b-11e3-1fa2c3dd74a8@andrewg.com>
References: <20200919220421.00000c23@300baud.de>
 <0F7A336D-ED58-4BF8-91BA-730635A358DA@andrewg.com>
 <20200919233432.00007f82@300baud.de>
 <202010231115.02807.bernhard@intevation.de>
 <125285d2-4167-634b-11e3-1fa2c3dd74a8@andrewg.com>
Message-ID: <6628798d-f59d-8a43-f73b-d1475a7934e6@andrewg.com>

On 23/10/2020 13:23, Andrew Gallagher wrote:
> * Hints could take the form of fake preferred-keyserver subpackets, in a
> similar manner to fake "fpr:DEADBEEF" user-id packets that have been
> previously discussed to support UID-less key refresh on legacy systems
> (could both be combined in a single fake BIND sig?).

After a little further thought, such a combined-bind is wrongheaded. The entire point of fake userids is that userids are (potentially) personal data and therefore can't sync. ;-)

So we'd have to bind the fake preferred-keyserver subpacket separately.

-- 
Andrew Gallagher

From ludo at gnu.org Fri Oct 23 14:25:43 2020
From: ludo at gnu.org (Ludovic Courtès)
Date: Fri, 23 Oct 2020 14:25:43 +0200
Subject: Dealing with duplicate keys
In-Reply-To: <87pn5a9yzq.fsf@wheatstone.g10code.de> (Werner Koch's message of "Thu, 22 Oct 2020 15:22:33 +0200")
References: <87pn5bw8l3.fsf@gnu.org> <87pn5a9yzq.fsf@wheatstone.g10code.de>
Message-ID: <87r1ppp1rs.fsf@gnu.org>

Hi Werner,

Werner Koch wrote:

> On Wed, 21 Oct 2020 23:52, Ludovic Courtès said:
>
>> For some reason (perhaps a bug in a previous version of GnuPG I used
>> long ago?), my public key ring had come to contain my own public key
>> twice, with the same fingerprint and all.
>
> Should not happen because we use on Unix a copy-to-temp/update/rename
> strategy. There are bugs of course and so there is no guarantee that it
> does not happen.

I’ve been carrying this keyring for years, so it could be that there was once a bug that led to this inconsistency.

> Eventually this will go away because 2.3 will come with the optional
> keyboxd daemon which uses sqlite and keeps a unique index on the
> primary key's fingerprint. It will also make things faster and more
> robust related to changes when running several gpg processes.
> Drawback is that we have yet another format to store keys.

Nice.

>> To recover from it, I deleted my public key with ‘--delete-key’ twice,
>> ‘--delete-secret-key’ once for the corresponding secret key, and then
>> re-imported both the public key and the secret key, which I had
>> previously exported. Now everything is back to normal.
>
> That is a sound fix. I am not aware of other reports but ppl might not
> have considered this a bug.
>
>   kbxutil --find-dups pubring.kbx
>
> should print a list of duplicate records. Take care: kbxutil is more of
> a debugging aid than a real tool.

Interesting! Good news: I don’t have other duplicate keys.
> While you spoke about easypg: I often have problems with it and it would
> be nice if we could find a maintainer for it. With the Emacs' new FFI a
> move to GPGME might also be an idea.

Yeah. EPG seems to be actively maintained though; this recent change I mentioned is what led me to discover this issue.

Thanks for your feedback!

Ludo’.

From rich.hammett at warnermedia.com Fri Oct 23 21:48:49 2020
From: rich.hammett at warnermedia.com (Hammett, Rich)
Date: Fri, 23 Oct 2020 19:48:49 +0000
Subject: GPGME (for python) questions
Message-ID:

Is there a guide anywhere for what versions of GnuPG are supported by what versions of GPGME?

I only need encryption and decryption as part of an automated software framework, and I’m trying to migrate from an existing toolset that uses GnuPG v1.4 and python-gnupg. We need to be able to pgp encrypt and decrypt without human interaction. I’m working through the various ways to move up to more current software, and latest GPGME with latest GnuPG is probably the best, if I can figure out the python bindings and if GnuPG works with pinentry for automated decryption.

Any tips, any good documents out there? Are there archives of this list somewhere, or is that private for the same reason the subscribers’ list is?

Thanks!
Rich Hammett

From wrktalive at gmail.com Sat Oct 24 01:42:41 2020
From: wrktalive at gmail.com (Mike)
Date: Fri, 23 Oct 2020 19:42:41 -0400
Subject: Seeking help.
In-Reply-To: <87lffy9yri.fsf@wheatstone.g10code.de>
References: <87lffy9yri.fsf@wheatstone.g10code.de>
Message-ID:

Ok, thank you.

On Thu, Oct 22, 2020, 9:30 AM Werner Koch wrote:

> On Wed, 21 Oct 2020 18:59, Mike said:
> > I had to recover gnupg file from a corrupted os. The contents of the gnupg
> > file are encrypted and are not in openpgp data. So when I try to import my
> > keys from 'private-keys-v1.d' nothing happens.
> > Output says no openpgp data
> > found and 0 items processed.
>
> You simply restore the files from private-keys-v1. These are internal to
> gnupg and it is not possible or needed to import them. The format of
> the private key files is well specified and we take care to keep them
> compatible with all GnuPG 2 versions.
>
> To make the restored private keys actually work you also need the public
> keys. Ask someone else or a keyserver to send you your public key if
> you don't have a backup. With the private keys in place gpg will be
> able to list them and be able to decrypt or sign data.
>
>
> Salam-Shalom,
>
> Werner
>
> --
> Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
>

From spam.trap.mailing.lists at gmail.com Sat Oct 24 10:44:20 2020
From: spam.trap.mailing.lists at gmail.com (Stefan Claas)
Date: Sat, 24 Oct 2020 10:44:20 +0200
Subject: Preserving public keyserver network (Re: Which keyserver)
In-Reply-To: <202010231115.02807.bernhard@intevation.de>
References: <20200919220421.00000c23@300baud.de>
 <0F7A336D-ED58-4BF8-91BA-730635A358DA@andrewg.com>
 <20200919233432.00007f82@300baud.de>
 <202010231115.02807.bernhard@intevation.de>
Message-ID:

I can only speak for myself and see that when it comes to SKS that there can be no consensus achieved between privacy loving EU citizens and (US based) SKS operators, while Mailvelope and Hagrid respect the users' wishes.

With that being said I am out and better let Mr Barr and Mr de Kerchove decide what the SKS future will bring.

Last but not least I no longer need public SKS key servers.

Best regards
Stefan

On Fri, Oct 23, 2020 at 12:55 PM Bernhard Reiter wrote:
>
> On Saturday 19 September 2020 23:34:32 Stefan Claas wrote:
> > I stand by my points that hockeypuck can solve the issues
>
> To me
> it makes sense to preserve a decentralised network of public keyservers [1].
>
> In my post
>   Preserving non-central and privacy with a "permission recording keyserver"
>   [Reiter 2019-07 a]
>   https://lists.gnupg.org/pipermail/gnupg-devel/2019-July/034399.html
> there is a concept allowing for compatibility with strong privacy laws.
>
> Some ideas how we could conceptually preserve third party
> signature information on public servers:
>   Preserving third party signatures distribution [Reiter 2019-07 b]
>   https://lists.gnupg.org/pipermail/gnupg-devel/2019-July/034394.html
>
> So yes, I also believe that improvements to hockeypuck or a fresh
> implementation could step by step get the public keyserver network up again.
>
>
> Best Regards,
> Bernhard
> ps.: Because I believe funding more qualified dev time is part of the
> solution: You can become a sponsor for hockeypuck development, see
> https://github.com/sponsors/cmars
> (my company Intevation is one, we also gave a small donation to KF Web running
> https://sks-keyservers.net/).
>
>
> [1]
> Web of Trust's usefulness [Reiter 2019-07 c]
> https://lists.gnupg.org/pipermail/gnupg-devel/2019-July/034412.html
>
> | as additional source of trust and history.
>
> | Abandoning the web of trust common infrastructure works against usage
> | models where there is anonymous usage, several identities, non-email use
> | and offline usage. All those maybe not the majority case, they may even be
> | niche models, but I think they are important to add diversity and
> | resilience against manipulations of mainstream players.
> (spelling improved)
>
> --
> www.intevation.de/~bernhard +49 541 33 508 3-3
> Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
> Managing directors: Frank Koormann, Bernhard Reiter, Dr.
> Jan-Oliver Wagner

From andrewg at andrewg.com Sat Oct 24 13:04:06 2020
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Sat, 24 Oct 2020 12:04:06 +0100
Subject: Preserving public keyserver network (Re: Which keyserver)
In-Reply-To:
References:
Message-ID:

> On 24 Oct 2020, at 10:41, Stefan Claas via Gnupg-users wrote:
>
> there can
> be no consensus achieved between privacy loving EU citizens and (US
> based) SKS operators

Most SKS operators are (were?) based outside the US. This is primarily a technical challenge, not a political one.

A

From spam.trap.mailing.lists at gmail.com Sat Oct 24 17:47:31 2020
From: spam.trap.mailing.lists at gmail.com (Stefan Claas)
Date: Sat, 24 Oct 2020 17:47:31 +0200
Subject: Preserving public keyserver network (Re: Which keyserver)
In-Reply-To:
References:
Message-ID:

If it is a technical challenge and Kristian as head (pool maintainer), why does he not ask publicly the hockeypuck author, dkg and the sequoia-team, for help?

As an example, if I would be Kristian I would do so, set-up with my pool gang a hockeypuck test-net (bootstrapped with a handful of pub keys) and work with the programmer(s) on long standing issues. Secondly I would give my gang a timeframe of a couple of months to gracefully shut down their SKS servers.

Would that have any disadvantages for GnuPG users worldwide, while we also have Mailvelope and Hagrid?

On Sat, Oct 24, 2020 at 1:39 PM Andrew Gallagher wrote:
>
>
> > On 24 Oct 2020, at 10:41, Stefan Claas via Gnupg-users wrote:
> >
> > there can
> > be no consensus achieved between privacy loving EU citizens and (US
> > based) SKS operators
>
> Most SKS operators are (were?) based outside the US. This is primarily a technical challenge, not a political one.

Regards
Stefan

From kloecker at kde.org Sat Oct 24 19:34:44 2020
From: kloecker at kde.org (Ingo Klöcker)
Date: Sat, 24 Oct 2020 19:34:44 +0200
Subject: GPGME (for python) questions
In-Reply-To:
References:
Message-ID: <3101203.NYCvVsWPJ4@breq>

On Friday, 23 October 2020 21:48:49 CEST Hammett, Rich via Gnupg-users wrote:
> Is there a guide anywhere for what versions of GnuPG are supported by what
> versions of GPGME?

Check the documentation of gpgme. The README of the current version reads "For support of the OpenPGP and the CMS protocols, you should use the latest version of GnuPG (>= 2.1.18) , available at: https://gnupg.org/ftp/gcrypt/gnupg/." Note that GnuPG 2.1.x is no longer supported (even if it might still work with gpgme).

In general, old functionality in gpgme that worked with an old version of GnuPG should still work with the latest version of gpgme, but there are no guarantees. New functionality of gpgme usually is only developed to work with the current GnuPG release (because often the new gpgme API needs new internal API in GnuPG and its helpers).

So, if possible, use the most recent GnuPG 2.2 release with the most recent release of gpgme.

> I only need encryption and decryption as part of an automated software
> framework, and I’m trying to migrate from an existing toolset that uses
> GnuPG v1.4 and python-gnupg.

Note that gpgme now includes the Python bindings.

> We need to be able to pgp encrypt and decrypt
> without human interaction. I’m working through the various ways to move up
> to more current software, and latest GPGME with latest GnuPG is probably
> the best, if I can figure out the python bindings and if GnuPG works with
> pinentry for automated decryption.

I suggest to check out the tests of the Python bindings, in particular, t-decrypt.py and t-callbacks.py (for passphrase callbacks).

A common recommendation on this list is to use a passphrase-less secret key for automated decryption because this isn't really less secure than storing the passphrase in cleartext in some script file next to the secret key.

Another approach is to inject the passphrase into gpg-agent's passphrase cache with an unlimited (or near unlimited) expiration time. The latter approach requires human interaction (or scripted interaction from another system) for entering the passphrase into the cache after every restart of gpg-agent (e.g. after a system reboot) and is obviously much more error-prone than a passphrase-less key.

> Any tips, any good documents out there? Are there archives of this list
> somewhere, or is that private for the same reason the subscribers’ list
> is?

The archive of this list is available via the link at the bottom of this message (which is added automatically by the mailing list).

Regards,
Ingo

From gnupg-users at spodhuis.org Fri Oct 30 05:10:54 2020
From: gnupg-users at spodhuis.org (Phil Pennock)
Date: Fri, 30 Oct 2020 00:10:54 -0400
Subject: Avoid recipient-compatibility SHA1
Message-ID: <20201030041054.GA959448@fullerene.field.pennock-tech.net>

Folks,

Normally everything I do with GnuPG is using SHA256 digests, and I normally keep "weak-digest SHA1" in my gpg.conf file.

I just sent a message to N recipients, and I think one of them probably has some preference algorithm in their key details, because this one mail was signed using SHA1, not my defaults.

Is there any way to say "ignore weak digests when trying to find a compatible hash algorithm" please?

I accept that such a mode might make the message unreadable for that recipient. That's fine.
I'd rather create pressure for people to fix their systems to use modern cryptography than cater to their brokenness with sensitive messages.

Thanks,
-Phil

From spam.trap.mailing.lists at gmail.com Sat Oct 31 19:43:20 2020
From: spam.trap.mailing.lists at gmail.com (Stefan Claas)
Date: Sat, 31 Oct 2020 18:43:20 +0000
Subject: ping - Governikus
Message-ID:

Dear Governikus team,

I hope that some of your OpenPGP public key certification team members are subscribed to this list as well or people who might know you.

I would like to make the following proposal that users using your certification service have the ability to upload pub keys for signing, which do not require an email address in the UID and that such public keys can be mailed on digital media to the (in a provided submission form) postal address.

The reason for my suggestion is that users wishing to use only one public key, without many email addresses for each account should have the ability IMHO to use only one public key for all accounts and other services without having a lot of extra UIDs attached to their certified public key and it should not be obvious to 3rd parties to which email address a public key belongs to.

Since your certification procedure does rely on our nPA with a (certified) card reader and not an email address this should be possible.

Because this would be extra work for you I would not mind paying a fee for this extra feature.

Best regards
Stefan Claas, Berlin, Germany

From andrewg at andrewg.com Sat Oct 31 23:27:30 2020
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Sat, 31 Oct 2020 22:27:30 +0000
Subject: ping - Governikus
In-Reply-To:
References:
Message-ID: <5ACDAF2A-02CE-4337-852C-DDCFA76D9793@andrewg.com>

> On 31 Oct 2020, at 18:46, Stefan Claas via Gnupg-users wrote:
>
> I would like to make the following proposal that users using
> your certification service have the ability to upload pub keys
> for signing, which do not require an email address in the UID
> and that such public keys can be mailed on digital media
> to the (in a provided submission form) postal address.

What is governikus certifying if there’s nothing identifiable in the user id? What use is it to a third party to see such a signature on a key?

A