Olav Seyfarth | 1 Mar 15:00

Re: Configuring Enigmail, testing with Adele


Hi Jonas, hi Crow,

>> attempting to verify correct configuration with adele-en <at> gnupp.de.
>> It replies "I could not find a public key that matches your email address"
>> I have published my public key to a keyserver, and the public key is inline
>> with the email.
>
> I had the same problem when I tried to send my key in an encrypted
> message. I solved it by first sending a signed, unencrypted message with
> my key attached, and then a signed encrypted message.

Adele does not recursively decrypt/verify messages. It would have to decrypt
and then import the key from the resulting cleartext, which it doesn't.

You can work around that by
1) first sending your key unencryptedly and then test encrypted mail
2) attach your key unencryptedly instead of pasting it inline
3) use PGP/MIME

>>  How do I ensure that Enigmail is configured correctly?

You sent an email to the mailing list instead of the robot. This is the best
way to achieve a solution quickly. However, your post was not even signed.

Please retry sending a signed email to the list, optionally with your public
key attached. You may test encrypted mails with me (NOT to the list!).

Olav

Robert J. Hansen | 4 Mar 02:57

From offlist

David D-- contacted me off-list with a question.  He doesn't want to
post on the list for reasons known only to him.  This is his question,
with his email address and last name stripped, reposted with his permission.

My response will be following separately.

=====

I'm looking to start encrypting my emails, but I'm not sure whether to
use SSL or Gnu Private Guard (through Enigmail with Thunderbird). I'm
definitely not an expert on this, but am I right in understanding that
with SSL (using a server from trustmail or swissmail) you can send an
email to anyone whether they have a key or not, but with Enigmail the
recipient has to have a key for the email to be encrypted? Using SSL, is
the email only encrypted up to the server where it is deciphered and
then passed onto the recipient? If this is the case it seems that using
Enigmail is more secure, but how would you send an encrypted email to
someone whose public key is not on any directory?
Robert J. Hansen | 4 Mar 03:14

Re: From offlist

Robert J. Hansen wrote:
> David D-- contacted me off-list with a question.  He doesn't want to 
> post on the list for reasons known only to him.  This is his
> question, with his email address and last name stripped, reposted
> with his permission.

<reaches for the list moderator hat>

We generally prefer these questions to be posted to the list instead of
to themselves personally.  The reasons are both technical and cultural.

The technical reason is that other people may have this same question.
If this question is asked on-list and answers are posted on-list, then
Google can index them and future users can just Google instead of asking
us.  Taking questions to the list, instead of to private email, is a
kindness to future users.  We heartily recommend it for that reason.

The second technical reason is the list serves as a load balancer.  If
you throw the question on the list, then any of half-a-dozen very
knowledgeable people will speak up and give an answer.  Other people who
don't speak up as much but who have run into your problem before may
throw their two cents in, too.  But if people just look for someone who
posts a lot of answers and then email that person off-list, that person
will soon find themselves drowned; there's no load balancing.

Finally, the cultural reason is that we have generally decided this is
the forum we'd like to use to talk about Enigmail.  We try to keep a
pretty friendly list and we encourage people to make use of it.  If
people are just going to email us off-list, then why bother with the
list at all?

Phil Stracchino | 4 Mar 03:26

Re: From offlist


Robert J. Hansen wrote:
> You send them an email and ask for their key.  They email it back to
> you, and you import it to your local keyring.  It's possible for a
> malicious attacker to have replaced the public key your correspondent
> sent you with a public key of the attacker's choosing, though -- what we
> call a Man In The Middle attack -- so it's important to verify that you
> received the correct key.  The usual way to do this is to contact your
> friend by some method other than email and ask them for a fingerprint of
> their key.  If the fingerprint they give you matches the one you find by
> looking at your copy of their key, then you have the correct key.

Barring, of course, the extremely unlikely case of fingerprint
collisions, by chance or design.  If you're being attacked by someone
with enough savvy and processing power to engineer a by-design key
fingerprint collision more or less in real time, the odds are you're
already completely screwed anyway, so there's relatively little point in
worrying about it.

--
  Phil Stracchino, CDK#2     DoD#299792458     ICBM: 43.5607, -71.355
  alaric <at> caerllewys.net   alaric <at> metrocast.net   phil <at> co.ordinate.org
         Renaissance Man, Unix ronin, Perl hacker, Free Stater
                 It's not the years, it's the mileage.
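
The out-of-band fingerprint check described in the quoted text above, as an added example that is not part of the original thread. It parses a constructed listing in the format of `gpg --with-colons --fingerprint` output (the key, name and address are made up) and accepts only a full 40-hex-digit fingerprint, not a short key ID.

```python
import re

# Constructed sample in the format of `gpg --with-colons --fingerprint`
# output for a freshly imported key. Not a real key: every value below is
# made up for this example.
SAMPLE_LISTING = """\
tru::1:1236500000:0:3:1:5
pub:-:1024:17:0123456789ABCDEF:1236400000:::-:::scESC:
fpr:::::::::AAAA1111BBBB2222CCCC33330123456789ABCDEF:
uid:-::::1236400000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>:
sub:-:2048:16:FEDCBA9876543210:1236400000::::::e:
fpr:::::::::DDDD4444EEEE5555FFFF6666FEDCBA9876543210:
"""

def normalize(fpr: str) -> str:
    """Strip spaces, colons and an optional 0x prefix; upper-case the hex."""
    s = re.sub(r"[\s:]", "", fpr).upper()
    return s[2:] if s.startswith("0X") else s

def primary_fingerprints(colon_listing: str) -> list[str]:
    """Fingerprints (field 10 of `fpr` records) that follow a `pub` record."""
    found, owner = [], None
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            owner = fields[0]
        elif fields[0] == "fpr" and owner == "pub" and len(fields) > 9:
            found.append(fields[9].upper())
    return found

def verify_fingerprint(colon_listing: str, out_of_band: str) -> bool:
    """True only if the fingerprint read to us matches the imported key."""
    claimed = normalize(out_of_band)
    # A v4 fingerprint is 40 hex digits. Refuse 8- or 16-digit key IDs:
    # they are only the tail of the fingerprint and much weaker evidence.
    if not re.fullmatch(r"[0-9A-F]{40}", claimed):
        raise ValueError("need the full 40-hex-digit fingerprint, not a key ID")
    return claimed in primary_fingerprints(colon_listing)

if __name__ == "__main__":
    spoken = "AAAA 1111 BBBB 2222 CCCC  3333 0123 4567 89AB CDEF"
    print("match" if verify_fingerprint(SAMPLE_LISTING, spoken) else "MISMATCH")
```
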
Faramir | 4 Mar 05:32

Re: From offlist


Robert J. Hansen wrote:

> SSL and GnuPG provide two very different sets of capabilities.  They're
> really apples and oranges.  SSL will protect your email when you're
> sending your email to your email server.  However, once it leaves your
> email server it's in cleartext.  It travels the internet in cleartext,
> it arrives at your recipient's server in cleartext, it's put in your
> recipient's mailbox in cleartext.

  Maybe he was confusing SSL with S/MIME, after all, both use x.509
certificates...

  Best Regards
Robert J. Hansen | 4 Mar 10:05

Re: From offlist

Faramir wrote:
>   Maybe he was confusing SSL with S/MIME, after all, both use x.509
> certificates...

He seemed to get the SSL capabilities correct, though, which makes me
think he really meant SSL.

S/MIME and GnuPG have effectively identical capabilities.
Ed Johnson | 8 Mar 13:40

Signature test help request


I have used Enigmail to sign this email. I have also attached my public
key (I think). I haven't had any luck with Adele so I'm pretty sure I'm
doing something wrong. Just not sure what.

Thanx for any help.

Ed

John W. Moore III | 8 Mar 13:52

Re: Signature test help request


Ed Johnson wrote:
> I have used Enigmail to sign this email. I have also attached my public
> key (I think). I haven't had any luck with Adele so I'm pretty sure I'm
> doing something wrong. Just not sure what.

OpenPGP Security Info

UNTRUSTED Good signature from Ed Johnson <cejohnsonsr <at> cableone.net>
Key ID: 0x9DE6453B / Signed on: 3/8/2009 8:40 AM
Key fingerprint: 8EA3 642C 3300 6948 035F 6ED4 CA55 D456 9DE6 453B

"UNTRUSTED" just indicates that I have not Signed Your Key nor do We
have any 'Trust Paths' in common.

> Thanx for any help.

There is nothing 'wrong' with attaching a copy of Your Key to messages
but a far more efficient method would be to Upload Your Key to a
Keyserver. [I endorse hkp://pool.sks-keyservers.net]; this will allow
You to simply Sign messages and the recipient can easily retrieve Your
Key from the Server(s).

JOHN ;)
Timestamp: Sunday 08 Mar 2009, 08:52  --400 (Eastern Daylight Time)
Ed Johnson | 8 Mar 14:30

Re: Signature test help request


Thank you, John. I'm assuming you were able to read the message & verify
the signature. I uploaded my public key to the server you suggested
during Enigmail setup. I downloaded your key from the same server. I've
been trying to follow the Quick Start guide from the Enigmail website.
There are a couple of differences between the guide & what I actually
see on Thunderbird, but I think I have the "signature only" part
completed. Would you mind terribly if I use you for a test of "signed &
encrypted"? If not I'll send a short, signed, encrypted message for you
to judge.

Thank you again,

Ed
Charly Avital | 8 Mar 14:39

Re: Signature test help request

Ed Johnson wrote the following on 3/8/09 8:40 AM:
> I have used Enigmail to sign this email. I have also attached my public
> key (I think). I haven't had any luck with Adele so I'm pretty sure I'm
> doing something wrong. Just not sure what.
> 
> Thanx for any help.
> 
> Ed

Hi Ed,

You did attach your public key.

OpenPGP Security Info
Good signature from Ed Johnson <cejohnsonsr <at> cableone.net>
Key ID: 0x9DE6453B / Signed on: 3/8/09 8:40 AM
Key fingerprint: 8EA3 642C 3300 6948 035F 6ED4 CA55 D456 9DE6 453B

Welcome.
Charly
MacOS 10.5.6 - MacBook Intel C2Duo "Aluminum Late 2008"- GnuPG 1.4.9 -
GPG2 2.0.11 - Thunderbird 2.0.0.19 +Enigmail 0.95.7 - Apple's
Mail+GPGMail 1.2.0 (v56), PGP key: 0xA57A8EFA
