Re: [9fans] gnupg or pgp for plan9?

Re: [9fans] gnupg or pgp for plan9?

[erik quanstrom]

somehow you understood the opposite of what i ment.
the point is that using encrypted/signed s/mime with upas
should be transparent.  i would think the easiest way to do that would
be to do the translation as  close to the edges of the system as possible.
those edges would be upas/fs -- which presents a mail box as a filesystem
and upas/marshal which builds an rfc-2822 message for sending.

i had not thought of using s/mime for general encrypted storage.
mime is not a particularly friendly or easy-to-parse format.
i would think that using, say, blowfish in cbc mode would be
plenty compatable.  mcrypt/mhash (http://(mcrypt|mhash).sourceforge.net/),
for example, could decrypt this on a unix-like machine.
(not that either is svelt.)

what would be the advantage of using s/mime outside of email?

- erik

On Tue Mar 28 09:00:28 EST 2006, anothy@gmail.com wrote:
> Erik Quanstrom wrote:
> // i think a better route would be to build s/mime compatable signatures
> // and encryption into upas/fs and upas/marshal so applications without
> // a need to know would not have to know.
>
> i'm not really sure what you mean by that. certainly we shouldn't
> require the content-producing programs (like, say, 'cat') to know
> anything about encryption, but that idea's already totally foreign to
> plan 9 (cat --enable-encryption-with-aes-cbc?).
>
> having s/mime in upas would be wonderful, but doesn't fully address
> the needs being discussed. i want to be able to store files on disk
> securely, including across platforms. for that, i want a stand-alone
> program (hopefully, one which could then be used in upas).

Re: [9fans] gnupg or pgp for plan9?

[Taj Khattra]

> http://web.mit.edu/Saltzer/www/publications/Saltzerthumbnails.pdf

http://mit.edu/6.033/2004/wwwdocs/handouts/L26.2004.pdf for a more
recent set - although a couple of systems mentioned on slide 32
(conceptual integrity) are very suspect  :)

Re: [9fans] gnupg or pgp for plan9?

[uriel]

>> It happens because engineers are too lazy or scared to try to
>> understand the code they are modifying, and a layer seems safer.  My
>> case was 3 years of 2 code teams.  Imagine 10 years of open-source-
>> like distributed development :-(
>
> your experience tallies with slide 24 from jerome saltzer's "coping
> with complexity":
>
>     Why aren't abstraction, modularity, hierarchy, and layers enough?
>     - First, you must understand what you are doing.
>     - It is easy to create abstractions; it is hard to discover the
> *right* abstraction.
>     - It is hard to change the abstractions later.
>     (ditto for modularity, hierarchy, and layers)

Thanks for the pointer, this are the most interesting slides I have
read in a long time.  Here is the PDF version in case someone has not
read them yet:

http://web.mit.edu/Saltzer/www/publications/Saltzerthumbnails.pdf

I'm starting to suspect that the more resources a software project
has, worse are the result.

Maybe that means that there is hope for Plan 9; while we barely
survive, the rest of the world with 10000 times more resources invests
all those resources in shooting themselves in the foot...  with XML
bullets, of course.

uriel

Re: [9fans] gnupg or pgp for plan9?

[Taj Khattra]

> It happens because engineers are too lazy or scared to try to
> understand the code they are modifying, and a layer seems safer.  My
> case was 3 years of 2 code teams.  Imagine 10 years of open-source-
> like distributed development :-(

your experience tallies with slide 24 from jerome saltzer's "coping
with complexity":

    Why aren't abstraction, modularity, hierarchy, and layers enough?
    - First, you must understand what you are doing.
    - It is easy to create abstractions; it is hard to discover the
*right* abstraction.
    - It is hard to change the abstractions later.
    (ditto for modularity, hierarchy, and layers)

Re: [9fans] gnupg or pgp for plan9?

[geoff]

I took another run at pgp 6.5.1i and 6.5.8 and gave up again.  They've
taken what was a fairly simple source tree and smashed it up and
swizzled it around, then added the configure goo and makefiles and
shell scripts that helpfully rerun configure when it's already been
run.  This is self-inflicted brain damage and I'm not going to try to
deal with it.

Re: [9fans] gnupg or pgp for plan9?

[Paul Lalonde]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I should have said "time-pressured" not lazy; but yes, bang on.

Paul

On 28-Mar-06, at 7:17 PM, quanstro@quanstro.net wrote:

> i don't personally know any lazy engineers, but i do know quite a
> few that are scared of
> being the scapegoat.
>
> i worked on a big full-text search project that never wrote its own
> search engine.  we used OpenText pat, pls/cpl (later bought by
> aol), excalibur,
> inktomi hosted search and probablly a few that have been
> forgotten.  these interfaces
> were very difficult to write because what we needed from a full-
> text search engine
> was never what was provided, they all had major bugs and performace
> was generally very
> poor.
>
> yet -- though i'm convinced it would have been easier, and the
> results better --
> nobody had the guts to write an engine.
>
> - erik
>
> On Tue Mar 28 20:08:59 CST 2006, plalonde@telus.net wrote:
>>
>> It happens because engineers are too lazy or scared to try to
>> understand the code they are modifying, and a layer seems safer.  My
>> case was 3 years of 2 code teams.  Imagine 10 years of open-source-
>> like distributed development :-(
>>
>> Paul
>>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFEKgV1pJeHo/Fbu1wRApWpAJ4hjUmIA+eZAdnq9cg11N0whyAS7ACgilM4
zmNi36AKWK0PjX6Xp+t2TuI=
=QSbC
-----END PGP SIGNATURE-----

Re: [9fans] gnupg or pgp for plan9?

[quanstro]

i don't personally know any lazy engineers, but i do know quite a few that are scared of
being the scapegoat.

i worked on a big full-text search project that never wrote its own
search engine.  we used OpenText pat, pls/cpl (later bought by aol), excalibur,
inktomi hosted search and probablly a few that have been forgotten.  these interfaces
were very difficult to write because what we needed from a full-text search engine
was never what was provided, they all had major bugs and performace was generally very
poor.

yet -- though i'm convinced it would have been easier, and the results better --
nobody had the guts to write an engine.

- erik

On Tue Mar 28 20:08:59 CST 2006, plalonde@telus.net wrote:
>
> It happens because engineers are too lazy or scared to try to
> understand the code they are modifying, and a layer seems safer.  My
> case was 3 years of 2 code teams.  Imagine 10 years of open-source-
> like distributed development :-(
>
> Paul
>

Re: [9fans] gnupg or pgp for plan9?

[geoff]

We ought to have a recent pgp or gpg both for mail and local
encryption.  I've just converted a cpu server to linux, so I should be
able to run configure there, once I decide which version to try.

Re: [9fans] gnupg or pgp for plan9?

[Paul Lalonde]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On 28-Mar-06, at 9:29 AM, Charles Forsyth wrote:

>> ( gnupg and those
>> tools are really big,
>
> why are they so big?
> silly question, probably.
>

Some years ago I had to drop a new graphics engine into an existing
code base.  Their performance was hideous, using up something
ridiculous like 30% of the frame time between the calls to "draw
player" and the call into my library.

A little excavation found 15 (yes, 15) layers of inheritance goop -
everything from a player face manager to an rendering object manager,
to a directX-look-alike graphics layer that had all been glommed into
the code base over only 3 years of evolution.  One sharp razor later
it was down to (a still unacceptable) 5%, with the rest back for
graphics submission.  Most of the code goop was stuff that could have
been done statically once if not for trying to make it fit the
previous layer of wrappers.

It happens because engineers are too lazy or scared to try to
understand the code they are modifying, and a layer seems safer.  My
case was 3 years of 2 code teams.  Imagine 10 years of open-source-
like distributed development :-(

Paul

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFEKevvpJeHo/Fbu1wRAgv9AKCij0PwgoGL9uf669VmTtI+q/x40ACglJZd
NlTYcfCSPrhxIRozt6/r820=
=/kax
-----END PGP SIGNATURE-----

Re: [9fans] gnupg or pgp for plan9?

[Fernan Bolando]

On 3/29/06, Gabriel Diaz <gabidiaz@gmail.com> wrote:
> hello
>
> because those tools support a lot of algorithms / mime / certificates, etc, :-?
> if all you want is crypt a file and be able to read it between
> windows. lunix, plan9 :-?
>
> I doesn't mean those tools are big compared to ones with the same
> functionality, may be i choose a bad expression, sorry. What i mean is
> that those tools are bigger than one that just crypt a stream of bytes
> with one algorithm you choose.
> And compile that tool should not be too difficult in those three
> worlds. Only valid if those files will no be interchanged with people
> with other/incompatible crypt tools. May be i missed the point of the
> thread :-?
>
> gabi
>
>
> On 3A28/06, Charles Forsyth <forsyth@terzarima.net> wrote:
> > > ( gnupg and those
> > > tools are really big,
> >
> > why are they so big?
> > silly question, probably.

The reason I ask gnupg or pgp specifically is because it's the tool I
used when I was
still purely using linux. Now that I am in plan9 I am trying to
off-load most of my files
into plan9 and just access the file from linux, windows or plan9
itself. Some of those files
are a list of passwords which I use for online transactions and ATM
pins. Even though
plan9 was intended for distributed access, I still cant rely on my
plan9 administrative skills
or the lack thereof to trust plan9's security completely especially on
a public server like
9grid.jp. I would also like to take advantage of the 9grid where the
environment I work
in is the same where ever I go or at least I am trying to. Of course I
could use some sort of
thumb drive or something but the data in it should still be encrypted right?

I have used gpg+mutt in the past but not extensively so that capbility
is not that critical.
Some of the open source projects I contribute in uses it to make sure
I am really the one
sending those patches so it's not that critical but it's nice to have
the option.

,Fernan

--
Public PGP/GnuPG key (http://www.fernski.com)
pub 1024D/3576CA71 2006-02-02 Fernan Bolando
Key fingerprint = FDFE C9A8 FFED C1A5 2F5C EFEB D595 AF1C 3576 CA71

Re: [9fans] gnupg or pgp for plan9?

[Gabriel Diaz]

hello

because those tools support a lot of algorithms / mime / certificates, etc, :-?
if all you want is crypt a file and be able to read it between
windows. lunix, plan9 :-?

I doesn't mean those tools are big compared to ones with the same
functionality, may be i choose a bad expression, sorry. What i mean is
that those tools are bigger than one that just crypt a stream of bytes
with one algorithm you choose.
And compile that tool should not be too difficult in those three
worlds. Only valid if those files will no be interchanged with people
with other/incompatible crypt tools. May be i missed the point of the
thread :-?

gabi


On 3A28/06, Charles Forsyth <forsyth@terzarima.net> wrote:
> > ( gnupg and those
> > tools are really big,
>
> why are they so big?
> silly question, probably.
>
>

Re: [9fans] gnupg or pgp for plan9?

[Charles Forsyth]

> ( gnupg and those
> tools are really big,

why are they so big?
silly question, probably.

Re: [9fans] gnupg or pgp for plan9?

[Gabriel Diaz]

Hello

May be it is easy to make upas plumb the signatures and encription to
other tool.

About the files, i think there are tools that will "compile" on the
three environments and will crypt streams of bytes (cat | crypt >
file.crypt ), i think that is the easier way :-? ( gnupg and those
tools are really big, and if you only need to interact with yourself.
. . or others with the same tool. . .)

gabi


On 3/28/06, erik quanstrom <quanstro@quanstro.net> wrote:
> i think a better route would be to build s/mime compatable signatures
> and encryption into upas/fs and upas/marshal so applications without
> a need to know would not have to know.
>
> - erik
>
> On Mon Mar 27 18:39:14 CST 2006, anothy@gmail.com wrote:
> > Fernan wrote:
> > // I am trying to get some sort of encyption. Protability between p9, linux and
> > // windows is a bit critical for my application ( I am paranoid ).
> >
> > pgp or gpg would be nice for portability, as well as for other things,
> > like signing mail. in the mean time, inferno's 'idea' performs the
> > IDEA encryption, which i believe is still considered quite strong.
> > it's available natively on each platform inferno is (can someone
> > confirm windows?), as well as within inferno itself.
>

Re: [9fans] gnupg or pgp for plan9?

[Bruce Ellis]

ozinferno is based on an encrypted filesystem - the last work
i did with boyd.  i'll try and get a release together when i'm
less ill.

brucee

On 3/29/06, Anthony Sorace <anothy@gmail.com> wrote:
> Erik Quanstrom wrote:
> // i think a better route would be to build s/mime compatable signatures
> // and encryption into upas/fs and upas/marshal so applications without
> // a need to know would not have to know.
>
> i'm not really sure what you mean by that. certainly we shouldn't
> require the content-producing programs (like, say, 'cat') to know
> anything about encryption, but that idea's already totally foreign to
> plan 9 (cat --enable-encryption-with-aes-cbc?).
>
> having s/mime in upas would be wonderful, but doesn't fully address
> the needs being discussed. i want to be able to store files on disk
> securely, including across platforms. for that, i want a stand-alone
> program (hopefully, one which could then be used in upas).
>

Re: [9fans] gnupg or pgp for plan9?

[Anthony Sorace]

Erik Quanstrom wrote:
// i think a better route would be to build s/mime compatable signatures
// and encryption into upas/fs and upas/marshal so applications without
// a need to know would not have to know.

i'm not really sure what you mean by that. certainly we shouldn't
require the content-producing programs (like, say, 'cat') to know
anything about encryption, but that idea's already totally foreign to
plan 9 (cat --enable-encryption-with-aes-cbc?).

having s/mime in upas would be wonderful, but doesn't fully address
the needs being discussed. i want to be able to store files on disk
securely, including across platforms. for that, i want a stand-alone
program (hopefully, one which could then be used in upas).

Re: [9fans] gnupg or pgp for plan9?

[Eric Grosse]

auth/aescbc already includes anti-tampering checks,
based on SHA1 which is better than MD5.

But aescbc was never intended to last this long;  it was a
temporary measure until NIST settled on a common mode of
operation, presumably CTR rather than CBC.  It's not clear
yet if mode (or the hash function) is settled.

Also, aescbc was intended mainly for secstore.  We wanted
something small enough to audit.    For exchange with others,
or even yourself on other systems, I agree that PGP or S/MIME
is the way to go.

Eric

Re: [9fans] gnupg or pgp for plan9?

[erik quanstrom]

i think a better route would be to build s/mime compatable signatures
and encryption into upas/fs and upas/marshal so applications without
a need to know would not have to know.

- erik

On Mon Mar 27 18:39:14 CST 2006, anothy@gmail.com wrote:
> Fernan wrote:
> // I am trying to get some sort of encyption. Protability between p9, linux and
> // windows is a bit critical for my application ( I am paranoid ).
>
> pgp or gpg would be nice for portability, as well as for other things,
> like signing mail. in the mean time, inferno's 'idea' performs the
> IDEA encryption, which i believe is still considered quite strong.
> it's available natively on each platform inferno is (can someone
> confirm windows?), as well as within inferno itself.

Re: [9fans] gnupg or pgp for plan9?

[Anthony Sorace]

Fernan wrote:
// I am trying to get some sort of encyption. Protability between p9, linux and
// windows is a bit critical for my application ( I am paranoid ).

pgp or gpg would be nice for portability, as well as for other things,
like signing mail. in the mean time, inferno's 'idea' performs the
IDEA encryption, which i believe is still considered quite strong.
it's available natively on each platform inferno is (can someone
confirm windows?), as well as within inferno itself.

Re: [9fans] gnupg or pgp for plan9?

[Fernan Bolando]

On 3/27/06, Lluís Batlle <viriketo@gmail.com> wrote:
> You can take a look at ccrypt (ccrypt.sf.net) if it's about file encryption,
> but I don't know if it wil work on plan9. I've only compiled it with the
> called "gnu configure machinery".
>
> 2006/3/27, Fernan Bolando <fernanbolando@mailc.net>:
> > On 3/27/06, Steve Simon <steve@quintile.net> wrote:
> > > If you are just looking for file encryption then
> > > auth/aescbc will do that for you. A little script
> > > would allow you to validate a locally held md5sum
> > > digest of the file to inform you of any tampering.
> > > Aescbc is not portable outside of plan9 - p9p not
> > > withstanding.
> > >
> > > -Steve
> > >
> >
> > I am trying to get some sort of encyption. Protability between p9, linux
> and
> > windows is a bit critical for my application ( I am paranoid ).
> > I am currently considering blowfish because it's available on most
> machines.
> > Of course gnupg would be best.
> >


I will just use auth/aescbc+md5sum.

thanks
,Fernan

--
Public PGP/GnuPG key (http://www.fernski.com)
pub 1024D/3576CA71 2006-02-02 Fernan Bolando
Key fingerprint = FDFE C9A8 FFED C1A5 2F5C EFEB D595 AF1C 3576 CA71

Re: [9fans] gnupg or pgp for plan9?

[Lluís Batlle]

[-- Attachment #1: Type: text/plain, Size: 1084 bytes --]

You can take a look at ccrypt (ccrypt.sf.net) if it's about file encryption,
but I don't know if it wil work on plan9. I've only compiled it with the
called "gnu configure machinery".

2006/3/27, Fernan Bolando <fernanbolando@mailc.net>:
>
> On 3/27/06, Steve Simon <steve@quintile.net> wrote:
> > If you are just looking for file encryption then
> > auth/aescbc will do that for you. A little script
> > would allow you to validate a locally held md5sum
> > digest of the file to inform you of any tampering.
> > Aescbc is not portable outside of plan9 - p9p not
> > withstanding.
> >
> > -Steve
> >
>
> I am trying to get some sort of encyption. Protability between p9, linux
> and
> windows is a bit critical for my application ( I am paranoid ).
>
> I am currently considering blowfish because it's available on most
> machines.
>
> Of course gnupg would be best.
>
> ,Fernan
> --
> Public PGP/GnuPG key (http://www.fernski.com)
> pub 1024D/3576CA71 2006-02-02 Fernan Bolando
> Key fingerprint = FDFE C9A8 FFED C1A5 2F5C EFEB D595 AF1C 3576 CA71
>

[-- Attachment #2: Type: text/html, Size: 1484 bytes --]

Re: [9fans] gnupg or pgp for plan9?

[Fernan Bolando]

On 3/27/06, Steve Simon <steve@quintile.net> wrote:
> If you are just looking for file encryption then
> auth/aescbc will do that for you. A little script
> would allow you to validate a locally held md5sum
> digest of the file to inform you of any tampering.
> Aescbc is not portable outside of plan9 - p9p not
> withstanding.
>
> -Steve
>

I am trying to get some sort of encyption. Protability between p9, linux and
windows is a bit critical for my application ( I am paranoid ).

I am currently considering blowfish because it's available on most machines.

Of course gnupg would be best.

,Fernan
--
Public PGP/GnuPG key (http://www.fernski.com)
pub 1024D/3576CA71 2006-02-02 Fernan Bolando
Key fingerprint = FDFE C9A8 FFED C1A5 2F5C EFEB D595 AF1C 3576 CA71

Re: [9fans] gnupg or pgp for plan9?

[Steve Simon]

If you are just looking for file encryption then
auth/aescbc will do that for you. A little script
would allow you to validate a locally held md5sum
digest of the file to inform you of any tampering.
Aescbc is not portable outside of plan9 - p9p not
withstanding.

-Steve

Re: [9fans] gnupg or pgp for plan9?

[geoff]

I got pgp 2.6.2 running under APE without much trouble years ago.  The
newer g?pgp?s all seem to rely on the gnu configure machinery, so I
haven't made the effort.  It would be helpful if somebody got a
version of g?pgp? running that understood all the key formats, if
such a version exists.

[9fans] gnupg or pgp for plan9?

[Fernan Bolando]

Hi all

Anybody working on a port of gnupg. I would like to use it store
sensitive files to public servers
like mordor etc.


,Fernan

--
Public PGP/GnuPG key (http://www.fernski.com)
pub 1024D/3576CA71 2006-02-02 Fernan Bolando
Key fingerprint = FDFE C9A8 FFED C1A5 2F5C EFEB D595 AF1C 3576 CA71