!GpMMBTUuJduUZAAKXM:matrix.org

OpenPGP/GPG

237 Members
OpenPGP/GnuPG related questions, discussions and  projects | Sharing your public keys | Key Signing (at own risk) | NO NSFW OR OTHER QUESTIONABLE STUFF 58 Servers

Load older messages


SenderMessageTime
15 Feb 2024
@deknos82:matrix.orgdeknos82i agree.. there are many attacks on cryptographic systems when the RNG is broken in some special ways.13:32:04
@heiko:mtrx.hkos.cloudheikoindeed, bad entropy can definitely be a fatal problem13:34:13
@aheinecke:kde.orgaheineckeBtw. Valodim can you send me an encrypted/signed mail from android (aheinecke@gnupg.org) I would like to check if our new Mailviewer is compatible with the attachment naming. We have a whitelist for filenames which we treat as mails since not everyone uses the "is mime" indicator (which was also dropped from crypto refresh for some reason)13:40:02
@aheinecke:kde.orgaheineckeRegarding the entropy, one of my next projects is to go for reproducible windows builds. Since we publish binaries there it is too easy for Werner and me to be forced to manipulate the binaries. 😑13:42:20
16 Feb 2024
@andrewg:nitro.chatandrewg
In reply to @Valodim:stratum0.org
signing emails by default is a terrible idea, and making it a requirement for key distribution to work severely limits how universal it can be
I don't think it's such a terrible idea. It has been implemented badly in the past, but I don't see how in principle it is any different from DKIM.
14:02:16
@Valodim:stratum0.orgValodimit's a terrible idea because, while it's not universally known or supported, it adds weird attachments to your emails that confuse and unsettle recipients14:03:55
@andrewg:nitro.chatandrewgThat's an implementation detail14:04:10
@Valodim:stratum0.orgValodimyou can say that, but for users it's a very much real problem14:04:25
@andrewg:nitro.chatandrewgIt's a problem right now, but it doesn't have to be14:04:36
@andrewg:nitro.chatandrewgWe do need to rethink how we sign mails in practice, because MUAs are stupid.14:05:13
@Valodim:stratum0.orgValodimyes well, if things were different then it wouldn't be a problem. goes for a lot of things 🤷14:05:20
@andrewg:nitro.chatandrewgOne thing I noticed is that in pgp/mime, the signature parts have content-disposition: attachment, which is already misleading14:05:54
@andrewg:nitro.chatandrewgOK, we're on slightly different wavelengths here14:06:24
@Valodim:stratum0.orgValodimin practice, it is unthinkable for e.g. thunderbird to decide to just start adding weird attachments to all outgoing emails to bootstrap an ecosystem via key distribution first14:07:06
@andrewg:nitro.chatandrewgbut if it wasn't an attachment?14:08:07
@Valodim:stratum0.orgValodimless terrible then, and I never implied otherwise :) (though I'm personally not particularly convinced of the usefulness of signed-only mails)14:09:51
@kaie:mozilla.orgKai E (EU) I think signed-only emails are useful. I agree with the concern about attachment. I think we should introduce attachment-less signatures. I like Andrew's latest suggestion on the IETF list. 14:20:31
@Valodim:stratum0.orgValodimwhether they are or are not useful, piggybacking key distribution on them imo severely hampers the ability to do that15:02:08
17 Feb 2024
@neill:tomesh.net@neill:tomesh.net left the room.08:10:55
19 Feb 2024
@andrewg:nitro.chatandrewgOne disadvantage of attachment-less signatures will probably be that they won't be parseable in a plugin-based-security MUA, such as Apple Mail. It's already difficult to manipulate MIME metadata in such a scenario.11:08:52
@andrewg:nitro.chatandrewg It is notable that many signed emails add a MIME header along the lines of Content-Disposition: attachment; filename="signature.asc" to all signatures, which reinforces the idea that the signature is an attachment rather than metadata. But I suspect that this is due to limitations in the API available to security plugins. 11:30:08
21 Feb 2024
@joerg:alea.gnuu.deJörg Sommer Did anyone know there's a service to sign a PGP key with the eID of the German ID card? Authentication OpenPGP key Did someone try it? 04:26:17
@dvzrv:matrix.orgDavid Runge
In reply to @joerg:alea.gnuu.de
Did anyone know there's a service to sign a PGP key with the eID of the German ID card? Authentication OpenPGP key Did someone try it?
that's wild. I was not aware! :)
07:33:11
@kaie:mozilla.orgKai E (EU) I tried it. Do they verify the email address? I forgot. From what I vaguely remember, I had the impression, they compare the "real name" field, maybe only that. Would be good to get a reminder. 09:11:28
@dvzrv:matrix.orgDavid Rungeyeah, they validate your real name in a User ID against the data in the eID09:17:39
@wiktor:stratum0.orgWiktor
In reply to @joerg:alea.gnuu.de
Did anyone know there's a service to sign a PGP key with the eID of the German ID card? Authentication OpenPGP key Did someone try it?
I knew about it and know one person that used that... but I guess this is really niche use. For the record it seems in EU newly issued ID documents have signing keys so in theory it's possible to build something like this.
11:37:10
@jan.christian:gruenhage.xyzJC
In reply to @wiktor:stratum0.org
I knew about it and know one person that used that... but I guess this is really niche use. For the record it seems in EU newly issued ID documents have signing keys so in theory it's possible to build something like this.
Well the signature using the German ID card is very different, because it's a provider signing your key after you've authenticated against their system using your ID card
13:33:56
@jan.christian:gruenhage.xyzJCit's not a direct signature using the ID card contained cryptographic material istself13:34:15
@wiktor:stratum0.orgWiktorI mean it's possible to setup a business like that and automate it using X.509 infra that already exists13:34:40
@wiktor:stratum0.orgWiktorbasically a X.509 to OpenPGP signature transformer... (not technically though, just in operation)13:35:08

Show newer messages


Back to Room ListRoom Version: 1