log
asciilifeform: say how ? to lose the gpg clearsig ?
asciilifeform: some texts cannot be (!) vdiffed, for so long as we use unix diff; these apparently include gpg sigs
asciilifeform: ( patches themselves are never hashed , aside from by gpg when verifying sig )
asciilifeform: so far the only item i was able to crib was the gpg formatter.
asciilifeform: moral -- measure seven times, cut once, etc. ( asciilifeform for instance is stuck with a 2048b rsa, at least until we finally throw gpg )
asciilifeform: ( the correct way, ought to have been, to do it in individual tiny snips from gpg-1.4.10, so the pedigree can be authenticated . )
asciilifeform: ( she is using my sanitized gpg bignum. but i did not preserve koch's faux-rng atrocity ; so anything pertaining to entropy, is new )
mircea_popescu: the reason is that (in a translation of what koch-gpg does into sanity) you take 2045 bits of rng for each possible prime, stick 11 in front and 1 in the tail and THAT is your 2048 bit prime candidate.
mircea_popescu: in other news : it was established in teh minigame torture rooms that in point of fact 4096 bit keys contain only 4090 bits of entropy at the very most (minus whatever koch-gpg manages to shave off in other ways).
asciilifeform: ( gpg-mpi's mod exp doesn't do anything special with composite exponents, that would automatically speed the op )
mircea_popescu: http://btcbase.org/log/2017-11-08#1734650 << this is very much a koch-gpg problem in the vein of "lobbes warning people not to rely on the "control dials" as provided by koch-gpg, for being unreliable" and probably the most important example thereof.
asciilifeform: v-on-gpg however is fucked.
mircea_popescu: well, at first it was about lobbes warning people not to rely on the "control dials" as provided by koch-gpg, for being unreliable ; then you wanted to talk about fps and then at some point and without warning anyone apparently pivoted to talking about pubkeys and signatures.
mircea_popescu: much like whether fps are or are not useful wasn't discussed by anyone but yourself. the original problem was that gpg unreliably reported "key doesn't expire" to lobbes , when in fact it did expire.
mircea_popescu: koch-gpg is an unreliable apparatus in the vein of random-shooting pistols etc.
mircea_popescu: at no point was this discussion about key identifiers. the fact that gpg reports "no expiration" FALSELY, as it reports all sorts of false or otherwise stupid, misleading etc non-facts is at issue
asciilifeform: davout: YOU CANNOT USE SANE HASH WITH GPG FP
asciilifeform: fwiw i never pushed my final gpg key to sks, and have nfi if it's there or not
mircea_popescu: notrly, no. koch-gpg itself though.
asciilifeform: apeloyee: upstack, it becomes clear that koch put in crt strictly so that gpg can shit out your private key when uncorrected memory flip
asciilifeform: we weren't comparing gpgmpi to ffa ; but gpg.publicmodexp vs gpg.privatemodexp
asciilifeform: mod6: what diana_coman has is as close as fathomable to a virginal gpg where you can still make such a test
asciilifeform: >> http://wotpaste.cascadianhacker.com/pastes/DrA3R/?raw=true << for n00bs : rsa-cum-crt , as seen in koch's gpg-1.4.10
mircea_popescu: if you don't have the keys, !!key name and then gpg --import.
mircea_popescu: felipelalli BingoBoingo what are you two dicking about with already ? gpg -aer name ; put it in p.benvulpes.com and that is all you need.
asciilifeform: gpg typically won't use 'expired'
mircea_popescu: i expect ye olde "copy signature on anything, gpg is happy"
asciilifeform: it is exactly what i found when i cut open prb5.3; and gpg; etc
asciilifeform: a 2sec modexp is already a wholly fine replacement for koch's gpg, say.
asciilifeform: phun phakt, this calculation is taken from the gpg autopsies last summer, when asciilifeform was chasing imaginary rng boojum after somebody found a real one
mircea_popescu: the categorical alternative (literally what gpg does now) fell on the grounds of "at least we don't need aes" ; the obvious "cut R into bits and use each" seems to my eye weaker, tho who even knows.
asciilifeform: which any gpg-compatible pgptron ever released, will accept as valid, its signatures - as genuine, etc.
asciilifeform: just bignum. but if you add 20ln from rsa.c (in gpg 1.4 from mircea_popescu) in, it yes encrypts/keygens/etc
asciilifeform: trims down gpg into a quite small (relatively to original, not, e.g. ffa) c lib
asciilifeform: i won't put my signature on a leaking rsatron. but i also grasp 'go to war with the shovel you have', we're for instance still using rotten ol' gpg.
mircea_popescu: but basically, the only practical approach here is to actually import the gpg implementation, warts and all, but modularly, and see later maybe it can be swapped out.
asciilifeform: !#s gpg rng
asciilifeform: seems to be symmetrically-ciphered, like most people's gpg key, tho. so not esp. useful
asciilifeform: incidentally, if you're willing to leak the height of the last set bit in the exponent, you cut the cost even of naive method above, linearly ( e.g. the typical gpg exponent is 17 bits ) -- but i'd very much rather not
mircea_popescu: is it or is it not true a modular exponentiation in current gpg takes, on your chosen machine, 0.26 seconds.
asciilifeform: ( recall recent article re how to get gpg privkey out of the squeals. )
asciilifeform: rothbart: ( summary : we discovered that gpg is a turd, and is to be burned down, not encased in iron )
asciilifeform: Barbarossa_: see also http://qntra.net/2016/08/rng-whitening-bug-weakened-all-versions-of-gpg
asciilifeform: not so much from philanthropy, as from the fact of gpg being rather like the sarcophagus at chernobyl, times 9000
asciilifeform: Barbarossa_: in the process of prototyping that one, we found that gpg is a turd
mircea_popescu: gpg conceivable, tmsr not conceivable.
mircea_popescu: asciilifeform i believe the spawner is the same mother-of-idiocy, always pregnant, always knees spread, that spawned everything they do, from "voting" to "gpg"
mircea_popescu: meanwhile gpg was pretty much thrown in the prb pile.
asciilifeform: mircea_popescu: gpg?
mircea_popescu: (and in any case, this is also a major improvement over gpg, which really only uses 2^16, and worked ok in the field for many years)
mircea_popescu: asciilifeform gpg does teh same thing.
mircea_popescu: what gpg normally uses is called OAEP
mircea_popescu: http://btcbase.org/log/2017-07-22#1689243 << depends what you mean by "rsa encrypted message". a) current rsa "encryption" as implemented by koch-gpg et al consists of encrypting a symmetric key. trivial to test this against a number of rsa keys. b) conceivably item will include a courtesy key fp to help you know.
asciilifeform: this is == to sina's 'you used gpg yesterday, why is using it tomorrow a problem'
asciilifeform: sina: the practicalities are - that every time you unholster your gpg key, you broadcast a few bits of it.
asciilifeform: ditto gpg.
asciilifeform: sina: currently there is exactly 1 rsatron that anybody worth mentioning uses, gpg. which is a sad joke in 9,001 ways, and slated for replacement
mircea_popescu: our cook's thermometer clearly indicates that the fault in koch's gpg is located in the upper left cpu quadrant.
asciilifeform: there is no, for instance, useful reason to read gmp ( unless you're van-ecking gpg users, in which case you gotta )
asciilifeform: actually bug in my gpg torturetron, so :
asciilifeform: sooo a 4096b rsa key takes about a dozen modexp's, on avg, on gpg 1.4.10
asciilifeform: i just counted gpg 1.4.10 : 156,436 loc -- and that ain't counting the autoconf liquishit, or the libs it pulls in
asciilifeform: ( unlike, e.g., gpg, ssl, the rest of the shit soup )
asciilifeform: see also gpg's '-' idiocy
asciilifeform: mp-en-managua: spoiler: it's a python skin on (yes, via shell, per packet..!) koch gpg
asciilifeform: supposing you were using gpg ( or pretty much any other rsatron )
mircea_popescu: gpg is slated for a rewrite, actually, since it became obvious koch's a dedicated saboteur.
asciilifeform: ergo eats what gpg eats.
asciilifeform: doesn't it run on gpg..?
asciilifeform: http://btcbase.org/log/2017-06-03#1664879 << v is -- properly considered -- an abstract concept, quite divorceable from the abominations of gnudiff/patch and gpg
asciilifeform: erlehmann: gnudiff, gpg, etc are liquishit, and currently operator is expected to review all inputs and outputs. by. hand.
mircea_popescu: you can not promise gpg is just aes. neither can they.
mircea_popescu: no. gpg.
mircea_popescu: you don't know what stupid shit gpg does to it while encrypting.
asciilifeform: ( after this, we can plug in gpg-on-winblowsrng and enumerate the set, then bust these... )
asciilifeform: BingoBoingo: do me a favour plox : load mod6 comment from my last blogpost and gpg verify
asciilifeform: ( and gpg )
mircea_popescu: aaron toponce (goes by eightyeight in that chat) has possibly the lulziest "gpg key signing" item i saw : https://pthree.org/my-pgp-key-signing-policy/
mircea_popescu: oh those. believe me, http://trilema.com/2012/gpg-contracts/
asciilifeform: shinohai: 'he was unable to sign either an early Bitcoin transaction or a statement with his original GPG key because “A sequence of events unfolded in 2010 that caused me the loss of all my keys.”' << lol, gold
mircea_popescu: it is deliberately constructed to weaken rsa ; take the recent http://btcbase.org/log-search?q=%22sha%22+gpg "sha fails, koch-gpg fingerprints are meaningless", which had been foretold here for... years.
mircea_popescu: got a gpg key ?
asciilifeform: (immediate linkability of newly-pasted-in gpg key.)
asciilifeform: understand, if i paste a gpg key into phuctor, and cannot then ~immediately~ link to it in-chan -- phuctor is broken!!
asciilifeform: the job where it takes you from a base64 gpg key you found on some godforsaken usenet post, to a permanent link in phuctor
asciilifeform: what happens when a user submits a gpg key ?
asciilifeform: trinque: you wanna write gpg parser ? that handles all cases ?
asciilifeform: the use of python for frontend was a mistake. i did it to avoid having to write gpg disasmer from 0, and www liquishit from 0
mircea_popescu: yes gpg can generate key. so can you. keep that in mind.
asciilifeform: alternatively, say i find that gpg only ever was able to generate 100,000,000 different keys.
asciilifeform: hey i deautoconfed gpg's mpi lib 100%
mircea_popescu: this is trivially true and directly verified with eg irc, or gpg, or any other item we deigned to use.
mircea_popescu: <mircea_popescu> you can extract packets but basically end up re-implementing gpg.
mircea_popescu: you can extract packets but basically end up re-implementing gpg.
asciilifeform: natively gpg doesn't even ~carry~ the notion of 'for this set, Message, Signature, Pubkey, say if well-formed'
asciilifeform: trinque: phuctor is not simply about gpg, recall
asciilifeform: there was gpg parse library.
asciilifeform: also the recipe is pretty simple. gpg over the pubkey and you're golden.
asciilifeform: http://btcbase.org/log/2017-02-25#1618203 << if the only gpg op in your thing is verification, you can lift code from any of the vtrons, verbatim
asciilifeform: mircea_popescu: to defang gpg, must prevent it from writing to ANYWHERE on disk other than stdout