Kosuke Kaizuka | 1 Dec 03:00

Re: [ANN] Enigmail v1.0 available


On Mon Nov 30 2009 22:46:40 GMT+0900, Patrick Brunschwig wrote:
> I'm very happy to announce after more than 8 years of development the
> availability of Enigmail version 1.0 for Thunderbird 3.0 and SeaMonkey
> 2.0.1 and newer.

Congratulations on a great milestone!

I've posted many Japanese-specific issues, and you've fixed them all.
Thank you so much!

-- 
Kosuke Kaizuka <cai.0407 <at> gmail.com>
Ludovic Hirlimann | 2 Dec 13:38

I'm thinking about updating my key - thoughts feedback ?

Hi guys,

I've been reading
http://www.debian-administration.org/users/dkg/weblog/48 and I'm
thinking about updating my key. I usually never encrypt and mostly use
my key for signing emails. Any thoughts on whether I should do it
or it's not worth it?

Ludovic

-- 
Ludovic Hirlimann MozillaMessaging QA lead
http://www.spreadthunderbird.com/aff/79/2

_______________________________________________
Enigmail mailing list
Enigmail <at> mozdev.org
https://www.mozdev.org/mailman/listinfo/enigmail
Charly Avital | 2 Dec 13:51

Re: [ANN] Enigmail v1.0 available

Patrick Brunschwig wrote the following on 11/30/09 8:46 AM:
> I'm very happy to announce after more than 8 years of development the
> availability of Enigmail version 1.0 for Thunderbird 3.0 and SeaMonkey
> 2.0.1 and newer.
> 
> I would like to take the opportunity to thank all those who have
> contributed during the past years and helped improve Enigmail. My special
> thanks go to R. Saravanan, the original author who maintained Enigmail
> until 2003. I'm pretty sure he would still recognize the main
> architecture and quite many code fragments!
> 
> Changes
> =======
> This release is from a functionality point of view identical to v0.96.0.
> There are quite a few improvements, though:
> 
> * Compatibility with Thunderbird 3.0.
> * New icons on Windows and Linux themes for Thunderbird and SeaMonkey.
> * More than 30 fixed defects.
> 
> Obtaining Enigmail
> ==================
> Enigmail can be downloaded from:
> <http://enigmail.mozdev.org/download.html>
> 
> The changelog is available from
> <http://enigmail.mozdev.org/changelog.html>
> 
> -Patrick

Charly Avital | 2 Dec 14:12

Re: I'm thinking about updating my key - thoughts feedback ?


Ludovic Hirlimann wrote the following on 12/2/09 7:38 AM:
> Hi guys,
> 
> I've been reading
> http://www.debian-administration.org/users/dkg/weblog/48 and I'm
> thinking about updating my key. I usually never encrypt and mostly use
> my key for signing emails. Any thoughts on whether I should do it
> or it's not worth it?
> 
> Ludovic

Ludovic,

I think it is not necessary to create a new key, as suggested in the
site you pointed at (but you can do so if you want).

This is what I did, on November 20, 2005, in order to use SHA256 instead
of SHA1:

edit my existing key to add an RSA 2048-bit (at least) sign-only key.
enable personal-digest-preferences SHA256 in ~/.gnupg/gpg.conf

Charly
MacOSX 10.6.2 32bits MacBook5,1 - 0xA57A8EFA Gnupg 1.4.10 - MacGPG2
2.0.13 -  Running Enigmail version 1.0 (20091130-1008)  with Mozilla/5.0
(Macintosh; U; PPC Mac OS X 10.6; en-US; rv:1.9.1.5) Gecko/20091130
Thunderbird/3.0

John W. Moore III | 2 Dec 14:23

Re: I'm thinking about updating my key - thoughts feedback ?


Ludovic Hirlimann wrote:
> Hi guys,
> 
> I've been reading
> http://www.debian-administration.org/users/dkg/weblog/48 and I'm
> thinking about updating my key. I usually never encrypt and mostly use
> my key for signing emails. Anythtoughts on the fact that I should do it
> or it's not worth it ?

If Signing is Your Primary purpose/reason, then I see no urgency in
migration.

While I've got Your attention; what are You 'running'? 3.0 or 3.1?
Which is 'better' for Bleeding Edge folks; Shredder or Minefield?

JOHN ;)
Timestamp: Wednesday 02 Dec 2009, 08:23 -0500 (Eastern Standard Time)
Robert J. Hansen | 2 Dec 14:31

Re: I'm thinking about updating my key - thoughts feedback ?

Ludovic Hirlimann wrote:
> I've been reading
> http://www.debian-administration.org/users/dkg/weblog/48 and I'm
> thinking about updating my key. I usually never encrypt and mostly use
> my key for signing emails. Any thoughts on whether I should do it
> or it's not worth it?

The author of that blog entry is a frequent poster here, so he'll
undoubtedly give his own two cents worth.  (Dan, please consider that an
engraved invitation. :) )

That said, I think that blog entry is a pretty good example of how one
size does *not* fit all.  Dan's advice is certainly on-target and
appropriate for some users.  In general, though, you can get most of the
benefits of that blog entry just by adding these lines to your gpg.conf
file:

enable-dsa2
personal-digest-preferences SHA256 RIPEMD160 SHA1

... Bam, done, Bob's your uncle.

The longer the instructions become, the less likely it is anyone will
follow them.  For those who do follow them, the longer the instructions,
the more likely it is they'll screw it up.  Short, easy instructions
that address 80% of the problem are almost always better than long,
comprehensive instructions that address 95% of the problem.
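Whether the digest preference actually took effect is something you can check on a signature you just made, rather than trusting the config file. The reader below is an added example, not code from the thread, from Enigmail or from GnuPG: it parses the header fields of an OpenPGP version 4 signature packet as laid out in RFC 4880 and reports the hash algorithm id, the same value `gpg --list-packets` prints as "digest algo". It serves both Charly's recipe (RSA sign-only key plus personal-digest-preferences SHA256) and Robert's two gpg.conf lines. The sample packet is constructed here, with a dummy key id and a dummy MPI, so it parses but would never verify; run the script on a real detached signature (`gpg --detach-sign file`, binary or armored) to inspect your own.

```python
# Added example: report the hash algorithm id in an OpenPGP v4 signature
# packet (RFC 4880). Not code from the thread, Enigmail or GnuPG.
import base64
import sys

HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",  # RFC 4880 9.4
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
PUBKEY_ALGOS = {1: "RSA", 3: "RSA (sign-only)", 17: "DSA"}          # RFC 4880 9.1
WEAK_HASHES = {"MD5", "SHA1"}


def dearmor(text):
    """Packet bytes inside an ASCII-armored block; the CRC line is dropped."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP"):
        raise ValueError("not an ASCII-armored block")
    body, in_body = [], False
    for line in lines[1:]:
        if line.startswith("-----END PGP"):
            break
        if not in_body:                  # armor headers end at the blank line
            in_body = line.strip() == ""
        elif not line.startswith("="):   # '=XXXX' is the 24-bit CRC, not data
            body.append(line.strip())
    return base64.b64decode("".join(body))


def packet_body(data):
    """Parse one packet header, old or new format; return (tag, body bytes)."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                       # new-format header (RFC 4880 4.2.2)
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                # old-format header (RFC 4880 4.2.1)
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        off = (2, 3, 5)[ltype]           # 1-, 2- or 4-octet length field
        length = int.from_bytes(data[1:off], "big")
    return tag, data[off:off + length]


def subpackets(blob):
    """Yield (type, data) for each signature subpacket (RFC 4880 5.2.3.1)."""
    pos = 0
    while pos < len(blob):
        first = blob[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 255:
            length, pos = ((first - 192) << 8) + blob[pos + 1] + 192, pos + 2
        else:
            length, pos = int.from_bytes(blob[pos + 1:pos + 5], "big"), pos + 5
        yield blob[pos] & 0x7F, blob[pos + 1:pos + length]  # length counts the type octet
        pos += length


def parse_signature(data):
    """Fields of a version 4 signature packet that matter for this check."""
    tag, body = packet_body(data)
    if tag != 2 or body[0] != 4:
        raise ValueError("not a version 4 signature packet")
    hashed_len = int.from_bytes(body[4:6], "big")
    pos = 6 + hashed_len
    unhashed_len = int.from_bytes(body[pos:pos + 2], "big")
    hash_name = HASH_ALGOS.get(body[3], "unknown(%d)" % body[3])
    info = {"sig_type": body[1], "pubkey_algo": PUBKEY_ALGOS.get(body[2], "algo %d" % body[2]),
            "hash_algo": hash_name, "weak": hash_name in WEAK_HASHES,
            "created": None, "issuer": None}
    subs = list(subpackets(body[6:pos])) + list(subpackets(body[pos + 2:pos + 2 + unhashed_len]))
    for sp_type, sp_data in subs:
        if sp_type == 2 and len(sp_data) == 4:     # signature creation time
            info["created"] = int.from_bytes(sp_data, "big")
        elif sp_type == 16 and len(sp_data) == 8:  # issuer key id
            info["issuer"] = sp_data.hex().upper()
    return info


def constructed_sample(hash_algo):
    """Constructed v4 RSA signature packet: dummy key id, dummy MPI (never verifies)."""
    body = bytes([4, 0x00, 1, hash_algo])                               # version, type, RSA, hash
    body += b"\x00\x06\x05\x02" + (1259760000).to_bytes(4, "big")       # hashed: creation time
    body += b"\x00\x0a\x09\x10" + bytes.fromhex("0011223344556677")     # unhashed: dummy issuer
    body += b"\xab\xcd" + b"\x00\x10\xde\xad"                           # hash prefix, dummy MPI
    return bytes([0x89]) + len(body).to_bytes(2, "big") + body          # old header, 2-octet length


def armor(packet):
    """Minimal armor around the sample; the '=AAAA' CRC line is a placeholder."""
    return ("-----BEGIN PGP SIGNATURE-----\nVersion: constructed sample\n\n"
            + base64.b64encode(packet).decode() + "\n=AAAA\n-----END PGP SIGNATURE-----\n")


if __name__ == "__main__":               # usage: python3 sigalgo.py [file.sig | file.asc]
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else armor(constructed_sample(8)).encode()
    data = dearmor(raw.decode("ascii", "replace")) if raw.startswith(b"-----BEGIN") else raw
    for field, value in parse_signature(data).items():
        print("%-12s %s" % (field, value))
```

If a signature made after the config change still reports SHA1, the preference did not apply to that key. GnuPG will not use a digest the signing key cannot carry; a DSA key with a 160-bit q is limited to 160-bit hashes unless enable-dsa2 is set, which is why Robert's two lines belong together and why Charly added an RSA signing key instead.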
Simon Richter | 2 Dec 14:46

Re: I'm thinking about updating my key - thoughts feedback ?

Hi,

On Wed, Dec 02, 2009 at 01:38:14PM +0100, Ludovic Hirlimann wrote:

> I've been reading
> http://www.debian-administration.org/users/dkg/weblog/48 and I'm
> thinking about updating my key. I usually never encrypt and mostly use
> my key for signing emails. Any thoughts on whether I should do it
> or it's not worth it?

In the long term. The current stance within Debian is that we should
start the transition now in order to have a strong web of trust in two
years' time, but not to panic, since SHA1 has not really been broken yet.

In essence, our use case is that we need strong signatures on source
packages and uploads, so we can identify who is responsible for a
particular package found in the archive, which requires both a good
signature algorithm and a tightly meshed web of trust.

As the data segments we sign are short and have tight validity
constraints (RFC822 format with ASCII headers and UTF-8 data), the
chance of a hash collision actually being a valid document is rather
small, so the "tight web of trust" is given precedence here.

During the transition phase, each of us is introducing a second key
(4096 bit RSA) into the web of trust and uses that to sign people's old
and new keys with SHA256 or stronger hash algorithms, with the eventual
goal that we end up with everyone still strongly connected if we start
ignoring signatures using SHA1, and old keys hanging off as leaves (as
they cannot generate signatures with any other algorithm).
Robert J. Hansen | 2 Dec 15:13

Re: I'm thinking about updating my key - thoughts feedback ?

Simon Richter wrote:
> To summarize: yes, you should establish a second, stronger key

Without knowing the specific use case, this advice is overreaching.
It's quite possible we'll have a new key standard by 2012 or so; for
people who can realistically expect to be able to use their existing
keys for another two years, it is probably better advice to hold off
until then.

Simon Richter | 2 Dec 15:45

Re: I'm thinking about updating my key - thoughts feedback ?

Hi,

On Wed, Dec 02, 2009 at 09:13:25AM -0500, Robert J. Hansen wrote:

> > To summarize: yes, you should establish a second, stronger key

> It's quite possible we'll have a new key standard by 2012 or so; for
> people who can realistically expect to be able to use their existing
> keys for another two years, it is probably better advice to hold off
> until then.

Nothing stops people from again transitioning to an even stronger
standard then. In order for PGP keys to be usable in any scenario where
no direct trust relationship between communication partners exists, the
keys should have been around for some time and many signatures gathered,
in order to not only establish the binding in a verifiable way but also
allow a person to know if a key in their name is generated by someone
else.

I'm not suggesting people actually *use* their new keys in the next two
years except for building a new layer of the web of trust that will hold
if the SHA1 based WoT crumbles. My new key has "certify" as its only
usage, and the only reason I've already generated subkeys is to allow
people to send me signatures for my key in encrypted emails.

   Simon
Faramir | 2 Dec 17:16

Re: I'm thinking about updating my key - thoughts feedback ?


Ludovic Hirlimann wrote:
> Hi guys,

  Hello!

> I've been reading
> http://www.debian-administration.org/users/dkg/weblog/48 and I'm
> thinking about updating my key. I usually never encrypt and mostly use
> my key for signing emails. Any thoughts on whether I should do it
> or it's not worth it?

  AFAIK (and please keep in mind I'm not an expert), when you sign
something, you actually calculate the hash value of the thing you are
signing, and then encrypt it with your private key, so if you are using
a weak hash algorithm, like MD5, somebody can create another message
with the same hash value, and then he would just copy your signature and
make it look as if you had signed the crafted message. So yes, it makes
sense to update your key to be able to use stronger hash algorithms.

  For encryption, I don't know if the strength of hashing algorithms has
any impact on the strength of the encryption.

  Best Regards
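The mechanism Faramir describes, as an added toy example that is not part of the thread: the signature covers only the hash, so two documents with the same hash share one valid signature. Two assumptions make it runnable in seconds and are not what GnuPG does: textbook RSA with no padding over a fixed demo key stands in for OpenPGP signing, and the first 24 bits of SHA-256 stand in for a hash that is cheap to collide. The search varies both documents, which is the important caveat: what a broken hash gives an attacker cheaply is a collision between two texts he chose, so the victim still has to be talked into signing the benign one. Producing a second document for a signature that already exists (a second preimage) is a much harder problem that the known collision attacks on MD5 do not solve.

```python
# Added example: signature transfer through a hash collision. Toy model,
# not GnuPG: textbook RSA with no padding and a 24-bit truncated hash.
import hashlib

# Fixed demo key from two Mersenne primes (2**31-1 and 2**61-1); toy-sized only.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # modular inverse, Python 3.8+


def toy_hash(msg):
    """First 24 bits of SHA-256: a birthday collision costs about 2**12 hashes."""
    return int.from_bytes(hashlib.sha256(msg).digest()[:3], "big")


def sign(msg):
    """Sign = hash the message, then apply the private key to the hash."""
    return pow(toy_hash(msg), D, N)


def verify(msg, sig):
    """Verification recomputes the hash only, so any message with the same
    toy_hash value passes with the same signature."""
    return pow(sig, E, N) == toy_hash(msg)


def find_collision(benign_tpl, evil_tpl, limit=1 << 18):
    """Birthday search: vary an innocuous suffix on both texts until a benign
    variant and a malicious variant share a toy_hash value. The attacker
    chooses both documents; this is a collision, not a second preimage."""
    seen_benign, seen_evil = {}, {}
    for i in range(limit):
        b = benign_tpl + b" (ref %d)" % i
        m = evil_tpl + b" (ref %d)" % i
        hb, hm = toy_hash(b), toy_hash(m)
        if hb == hm:
            return b, m
        if hb in seen_evil:
            return b, seen_evil[hb]
        if hm in seen_benign:
            return seen_benign[hm], m
        seen_benign[hb], seen_evil[hm] = b, m
    raise RuntimeError("no collision within limit")


def demo():
    """Victim signs the benign text; the attacker reuses that signature."""
    benign, evil = find_collision(b"I agree to pay 10 EUR.", b"I agree to pay 10000 EUR.")
    sig = sign(benign)                     # the only thing the victim ever signed
    return {
        "benign": benign,
        "evil": evil,
        "same_toy_hash": toy_hash(benign) == toy_hash(evil),
        "forged_verifies": verify(evil, sig),
        # a full-width hash still tells the two documents apart
        "full_sha256_differs": hashlib.sha256(benign).digest() != hashlib.sha256(evil).digest(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-20s %s" % (k, v))
```

The last field is the point of the whole thread: the key and the RSA operation are unchanged between the two runs, and only the width and strength of the hash decide whether the attacker's second document is accepted.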
