Mailing List Archive: Second OpenPGP-card

Re: Second OpenPGP-card [ In reply to ]

Feb 28, 2024, 1:32 AM

Post #26 of 34 (101 views)

On Tue, 27 Feb 2024 20:52, Jacob Bachmeyer said:

> Therefore, pass(1) almost certainly has its own list of keys stored

pass stores the fingerprints of the keys in a .gpg-id file and allows to
set different ones per directories.

> logarithm problem and /vice versa/. Accordingly, RSA1024 is now
> considered sufficiently dubious that some implementations no longer
> support it, such as the go-crypto/openpgp library used by the newer

Which is a Bad Idea because it is up to the user or their implementation
to decide which keys are trustworthy. Being able to revoke rsa1024 keys
is a useful feature. Although MD5 (PGP2) can be considered as fully
broken, rsa1024 is not in general broken.

But ist is pretty fashionable to use an easy to exploit OS (e.g. not
using the latest Linux kernel) and musing about RSA key strength. Keep
Shamir's law in mind.

Salam-Shalom,

Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

Re: Second OpenPGP-card [ In reply to ]

guru at unixarea

Feb 28, 2024, 1:55 AM

Post #27 of 34 (101 views)

Permalink

El día miércoles, febrero 28, 2024 a las 10:32:43 +0100, Werner Koch via Gnupg-users escribió:

> On Tue, 27 Feb 2024 20:52, Jacob Bachmeyer said:
>
> > Therefore, pass(1) almost certainly has its own list of keys stored
>
> pass stores the fingerprints of the keys in a .gpg-id file and allows to
> set different ones per directories.

Werner,

I have only one .gpg-id file on my L5 mobile in my password-store:

purism@pureos:~$ find .password-store/ -name .gpg-id
.password-store/.gpg-id

purism@pureos:~$ cat .password-store/.gpg-id
CCID L5

matthias
--
Matthias Apitz, ? guru@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia. ? ?? ???? ? ???????.
Ich bin nicht im Krieg mit Russland.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Second OpenPGP-card [ In reply to ]

gnupg-users at gnupg

Feb 28, 2024, 8:30 AM

Post #28 of 34 (94 views)

Permalink

On Wed, 28 Feb 2024 10:55, Matthias Apitz said:
> purism@pureos:~$ cat .password-store/.gpg-id
> CCID L5

Which means that it encrypts to "CCID L5". pass parses this using

while read -r gpg_id; do
gpg_id="${gpg_id%%#*}" # strip comment
[[ -n $gpg_id ]] || continue
GPG_RECIPIENT_ARGS+=( "-r" "$gpg_id" )
GPG_RECIPIENTS+=( "$gpg_id" )
done

The good thing with pass is that it is easy to read.

Shalom-Salam,

Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

Re: Second OpenPGP-card [ In reply to ]

gnupg-users at gnupg

Feb 28, 2024, 3:40 PM

Post #29 of 34 (94 views)

Permalink

Werner Koch wrote:
> On Tue, 27 Feb 2024 20:52, Jacob Bachmeyer said:
>
> [...]
>> logarithm problem and /vice versa/. Accordingly, RSA1024 is now
>> considered sufficiently dubious that some implementations no longer
>> support it, such as the go-crypto/openpgp library used by the newer
>>
>
> Which is a Bad Idea because it is up to the user or their implementation
> to decide which keys are trustworthy. Being able to revoke rsa1024 keys
> is a useful feature. Although MD5 (PGP2) can be considered as fully
> broken, rsa1024 is not in general broken.
>

Agreed; I was not endorsing that position, but I see that I should have
said "apparently considered" to make that a bit more clear. I trust
that GPG will continue to support the shorter RSA keys for the
foreseeable future.

> But ist is pretty fashionable to use an easy to exploit OS (e.g. not
> using the latest Linux kernel) and musing about RSA key strength. Keep
> Shamir's law in mind.

Or even Windows, which remains disturbingly common in applications that
probably need far less attack surface, like industrial control
systems... (Is the stupidity of management a main driver of Shamir's law?)

-- Jacob

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Second OpenPGP-card [ In reply to ]

gnupg-users at gnupg

Feb 28, 2024, 3:41 PM

Post #30 of 34 (94 views)

Permalink

Matthias Apitz wrote:
> El día miércoles, febrero 28, 2024 a las 10:32:43 +0100, Werner Koch via Gnupg-users escribió:
>
>> On Tue, 27 Feb 2024 20:52, Jacob Bachmeyer said:
>>
>>
>>> Therefore, pass(1) almost certainly has its own list of keys stored
>>>
>> pass stores the fingerprints of the keys in a .gpg-id file and allows to
>> set different ones per directories.
>>
>
> Werner,
>
> I have only one .gpg-id file on my L5 mobile in my password-store:
>
> purism@pureos:~$ find .password-store/ -name .gpg-id
> .password-store/.gpg-id
>
> purism@pureos:~$ cat .password-store/.gpg-id
> CCID L5
>

That .gpg-id file would be the list I was talking about. It seems that
pass(1) stores the actual keys on your main GPG keyring, but keeps a
list of /which/ keys should be able to decrypt passwords separately.
(Also ensure that there is never a rogue PASSWORD_STORE_KEY variable in
your environment: if set, it overrides the search for a .gpg-id file.)
There is also a facility for maintaining GPG signatures on those .gpg-id
files, which would make sneaking in Mallory's key far more difficult if
you were to use it. I suspect that the pass(1) manpage has more
information and may be interesting reading. Overall, this seems to be a
good design.

I would also suggest using the key fingerprints instead of names when
you reencrypt your password store, as I suspect that your new and old
smartcard keys may have similar names.

As Werner mentioned, you can also have different .gpg-id files for
different parts of your password store, if you wanted some passwords to
only be available with certain smartcards.

-- Jacob

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Second OpenPGP-card [ In reply to ]

gnupg-users at gnupg

Feb 29, 2024, 2:06 AM

Post #31 of 34 (94 views)

Permalink

On Wed, 28 Feb 2024 17:40, Jacob Bachmeyer said:

> Or even Windows, which remains disturbingly common in applications
> that probably need far less attack surface, like industrial control
> systems... (Is the stupidity of management a main driver of Shamir's
> law?)

Often true but the real problem is software complexity. Also:
developers are being paid for their work and thus they tend to keep
themself in business by requiring software changes all the time.

Salam-Shalom,

Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

Re: Second OpenPGP-card [ In reply to ]

gnupg-users at gnupg

Feb 29, 2024, 2:16 AM

Post #32 of 34 (94 views)

Permalink

On Wed, 28 Feb 2024 17:41, Jacob Bachmeyer said:

> As Werner mentioned, you can also have different .gpg-id files for
> different parts of your password store, if you wanted some passwords
> to only be available with certain smartcards.

FWIW: The C3S uses pass for their teams and meik wrote a script to
manage such a password store: https://github.com/C3S/passtore

Shalom-Salam,

Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

Re: Second OpenPGP-card [ In reply to ]

kloecker at kde

Feb 29, 2024, 4:40 AM

Post #33 of 34 (93 views)

Permalink

On Mittwoch, 28. Februar 2024 17:30:21 CET Werner Koch via Gnupg-users wrote:
> On Wed, 28 Feb 2024 10:55, Matthias Apitz said:
> > purism@pureos:~$ cat .password-store/.gpg-id
> > CCID L5
>
> Which means that it encrypts to "CCID L5". pass parses this using
>
> while read -r gpg_id; do
> gpg_id="${gpg_id%%#*}" # strip comment
> [[ -n $gpg_id ]] || continue
> GPG_RECIPIENT_ARGS+=( "-r" "$gpg_id" )
> GPG_RECIPIENTS+=( "$gpg_id" )
> done
>
> The good thing with pass is that it is easy to read.

"CCID L5" doesn't strike me as a sufficiently unique identifier for a key. If I
add a (secondary) user ID "CCID L5" to my key and trick Matthias into
importing it won't pass start encrypting their passwords for my key?

My ~/.password-store/.gpg-id contains the fingerprint of my password encryption
key.

Regards,
Ingo

Re: Second OpenPGP-card [ In reply to ]

guru at unixarea

Feb 29, 2024, 5:07 AM

Post #34 of 34 (93 views)

Permalink

El día jueves, febrero 29, 2024 a las 01:40:53 +0100, Ingo Klöcker escribió:

> "CCID L5" doesn't strike me as a sufficiently unique identifier for a key. If I
> add a (secondary) user ID "CCID L5" to my key and trick Matthias into
> importing it won't pass start encrypting their passwords for my key?
>
> My ~/.password-store/.gpg-id contains the fingerprint of my password encryption
> key.

Mine too now:

purism@pureos:~$ gpg --list-keys --fingerprint
/home/purism/.gnupg/pubring.kbx
-------------------------------
pub rsa2048 2021-10-30 [SC]
336E B968 92FE 9FE7 F6AD 01D6 529B 7423 F360 8141
uid [ultimate] Matthias Apitz (GnuPG CCID L5) <guru@unixarea.de>
sub rsa2048 2021-10-30 [A]
sub rsa2048 2021-10-30 [E]

purism@pureos:~$ cat .password-store/.gpg-id
336E B968 92FE 9FE7 F6AD 01D6 529B 7423 F360 8141

Thanks for this hint.

matthias
--
Matthias Apitz, ? guru@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia. ? ?? ???? ? ???????.
Ich bin nicht im Krieg mit Russland.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Mailing List Archive

Attached Files:

Attached Files:

Attached Files:

Attached Files:

Attached Files: