| 13 Nov 2022 |
 cyclick | thanks Aroop Roelofs | 20:21:08 |
| cyclick | it seems like that it should become a priority really soon | 20:21:36 |
 Aroop Roelofs | he main problem is also that we have things like XChacha20 which is already used in Wireguard... But there's still things missing (like signature alcorithms) and then we need to implement it...
I don't think the OpenPGP and GnuPG devs are ignoring it, I think the main issue is that well... It's kind of a very complex subject and will be a massive undertaking. | 20:33:48 |
 Wiktor | Actually this is a frequently raised subject on the mailing list, see eg https://mailarchive.ietf.org/arch/msg/openpgp/ZTPCQQ13OookbjmSNeyptR4ItcM/ | 20:34:21 |
| cyclick | That's great, because it seems like it is coming fast... who knows the government might already have it | 20:46:50 |
| 15 Nov 2022 |
 deknos82 | the governments do not have pq-cracking, i think, but NIST also now puts out a timetable until they want to have migrated completely til 2035. New software has to integrate pq-safe algorithms by 2025. so... gpg developers have kinda like.. two years to integrate it. i wonder what werner koch will do. just integrate liboqs? | 08:52:54 |
| deknos82 | i hope the sequoia guys also have a plan :( | 08:59:55 |
 heiko | The plan should be that the rfc process defines how pq support looks in openpgp, and then hopefully all implementions build support for it. | 10:22:33 |
 Lars Wirzenius | I hope and expect Sequoia to add pq to its interoperability test suite | 10:32:19 |
| cyclick | is Sequoia recommended over gpg? | 12:38:14 |
| heiko | Sequoia is not currently a drop in replacement for GnuPG, so this question is hard to answer. | 13:42:27 |
| Wiktor | In reply to @liw:matrix.org
I hope and expect Sequoia to add pq to its interoperability test suite for context: https://tests.sequoia-pgp.org/ (and also because I think this test suite is cool :D ) | 14:57:30 |
| 26 Nov 2022 |
 Florian | Hello there. First participation here and first participation on a matrix group. I hope to not make mistake with some presentation stuff somewhere. :-)
I have some questions about gpg keys where I didn't find clear answer.
I have two gpg key pairs, one with personal email addresses and another one for my github account to sign my commits. Recently the expired so I updated the expiration date by one year.
As I saved my private, public and subkeys in armored files and my revocation certificate, do I have to export again all that stuff or only some of it?
It looks like exporting then importing public key or private subkeys results in the same behavior... Do I miss something?
As you may expect, I'm kind of new on using gpg keys but I think I have a good overall comprehension, but one question at a time would ease comprehension for me and on this channel. ;-)
Thank you if you can help me to improve my understanding of that. 👍️ | 09:20:01 |
| Wiktor | Florian: changing anything on your key (like expiration) in reality creates new data in the key with updated values. When you export data you can choose if you want to export secret keys too (good for backups) or just public info (the default). | 11:36:39 |
| 27 Nov 2022 |
| Florian | Wiktor: as simple as that. Thank you.
Another question I have (not only for you, I try to minimize notifications ;-)). We can generate as many subkeys as we want if I understood correctly. So if I have to communicate one time with one person, is it a good practice to generate a subkey for encryption which expire quickly, cipher a particular message then remove this particular subkey? Or the practice is to have one encryption subkey, share the public one and use this one whenever we need?
After that I think I will have a better comprehension how to use gpg. :-) Thank you! | 08:23:03 |
| Lars Wirzenius | I don't do that, as it sounds like a very tedious thing to be doing a lot | 08:24:22 |
| Wiktor | Yeah, tho sounds like a nice idea but without proper tooling it would be extremely inconvenient. | 08:33:17 |
| Florian | Yes, I just wanted to add a subkey and the primary secret key is required so I can see the inconvenient.
Thank you for your answers. | 08:35:02 |
| 28 Nov 2022 |
| cyclick | What would be a good way to verify a GPG signature for someone that you can't talk directly to? I.E.: https://freenetproject.org/pages/download.html | 03:46:44 |
| Lars Wirzenius | what is a "good way" depends on what you want to protect against. unless there's a targeted attack against you or the Freenet project, it's probably enough to rely using HTTPS to download their public key from their website. | 07:15:31 |
| Aroop Roelofs | HTTPS is good enough yea.
Otherwise, you can probably download the signing keys from a keyserver you do trust and check the web of trust as well. | 11:47:12 |
| cyclick | I think that it is not impossible that Freenet would be a target of attacks... I will try to see if my Linux distribution has them in their web of trust. Thanks | 13:09:13 |
| Aroop Roelofs | In reply to @cccttt:matrix.org
I think that it is not impossible that Freenet would be a target of attacks... I will try to see if my Linux distribution has them in their web of trust. Thanks nothing is impossible no | 17:46:55 |
| cyclick | What I meant is that it is more likely for them to be under attack then the common joe | 17:53:42 |
|  h7x4 changed their profile picture. | 20:08:03 |
|  Tanush Topia joined the room. | 22:11:54 |
| 29 Nov 2022 |
| Aroop Roelofs | In reply to @cccttt:matrix.org
What I meant is that it is more likely for them to be under attack then the common joe ye fair | 00:12:45 |
|  whiteneon joined the room. | 01:06:46 |
| 1 Dec 2022 |
|  @sss123next:matrix.org left the room. | 08:01:58 |
| 3 Dec 2022 |
 ForeverNoob | Is there a way not to use any external pinentry app and just input into the terminal? Similar to how for example sudo asks me for the password. | 11:13:44 |
