Werner’s own blurbs
Blog moved
June 26th, 2012
I have moved my blog to my own site. This does not mean I will post articles more often than here, but who knows…. At least it is more fun to run a GIT based blog software.
Please point your browser to rem.eifzilla.de. Hint: There is only an AAAA record in the DNS.
Update: It has been reported that there are still sites without access to IPv6. Until they have managed to get back full connectivity, they may use this legacy ip gateway to access my blog.
On Facebook and privacy
April 12th, 2010
I was about to write a comment on facebook and other web 2.0 services with respect to privacy. Fortunately I can save my time and point you to Andy Wingo’s article
towards a gnu autonomous cloud
on just this topic. Actually his ideas are an outcome of our GNU Hackers Meating back in November. It is a call to think about extending the GNU project into the connected world where the boundaries between machines are vanishing and a computer user does not anymore know where his private data is stored or made available.
A computer user shall not only be in control of his box but also in control of his data – the user is the only one to decide which data shall be published, given only to friends or kept private.
ELSTER, Freie Software und der Überwachungswahn
January 11th, 2010
Neulich wurde in einer privaten Diskussion angeregt, die
Entwicklung von Freier Software für das ELSTER Verfahren zu
fördern. Ich habe hier einige Bedenken:
Prinzipiell ist die elektronische Abgabe von Steuererklärungen ja
eine praktische Sache; z.B. für die monatlichen Anmeldungen der
Lohn- und Umsatzsteuer. Für die jährliche
Einkommenssteuererklärung halte ich das Ganze zwar für
übertrieben, aber bitte, wer es unbedingt will soll es machen.
Probleme mit ELSTER sind zum einem technischer Natur: Die
Datensicherheit des gesamten Systems ist recht fragwürdig und hat
viele Schwachstellen. Insbesondere ist hier die zentralistische
Struktur zu nennen in der die Steuerdaten nicht mehr dezentral bei den
einzelnen Finanzämtern gehalten werden, sondern zentral in Bayern
eingehen. Zentralistische Sicherheitssysteme sollten aus vielen
Gründen vermieden werden. Ein Abgleich der Daten zwischen den
einzelnen Finanzämtern, OFDs und Ländern ist zwar notwendig, bedingt
aber nicht eine zentrale Datenhaltung oder Erfassung. Das Prinzip der
althergebrachten Kontrollmitteilungen kann auch elektronisch
implementiert werden.
Das zweite Problem ergibt sich direkt aus dem Ersten: Es werden
Unmengen von Daten an einer einzelnen Stelle zugreifbar und damit auch
für Dritte abgreifbar. Ob die Dritten nun das BKA, die CIA, oder
normale Mafiaorganisationen sind, ist mir gleich. Jedenfalls ist das
ganze System aus Datenschutzgründen sehr fraglich.
Noch wichtiger erscheint mir bei der Diskussion das ELSTER nicht
alleine dasteht. Vielmehr ist es nur ein kleiner Teil der Systeme die
momentan implementiert werden um damit eGov (aka Staat 84^W2.0) zu
realisieren. Wir müßen in diesem Zusammenhang auch weitere Strukturen
betrachten:
- Die bundeseinheitliche Steuernummer. Diese führt die eigentlich
verbotene Personenkennziffer nun klammheimlich ein. - Die Übermittlung immer mehr Daten an die Sozialversicherung über
eine zentrale stelle. Sowie die Zusammenführung der Daten der
Berufsgenossenschaften mit denen der Sozialversicherung. - Die Erfassung sämtlicher Arbeitnehmer und deren Arbeitslebens und
-verhaltens im Rahmen des ELENA Verfahrens. - Die Gesundheitskarte (Okay, die ist erstmals tot aber wird bestimmt
wiederbelebt werden). - Elektronische Signaturschlüssel auf Bankkarten, die damit
letztendlich Kontodaten und Verwaltungsakte verbinden. - Der elektronische Personalausweis mit seiner Identifikationsmöglich
im Netz.
sowie viele weitere Punkte (man denke nur an den PKW Maut).
Wenn wir nun also fordern, daß diese Systeme auch mit Freier Software
bedienbar sind – oder auch nur das offene Standards benutzt werden, so
unterstützen wir die Verbreitung dieser Systeme.
Das hat dann viel mit Open Source zu tun aber wenig mit Freiheit.
Denn es geht hier nicht nur um die Freiheit, die Software ändern
zu können etc. sondern auch um die Freiheit, selbst bestimmen zu
können, was mit den eigenen Daten geschieht. Aus gutem Grund
gibt es bei Freier Software eben keine Publikationspflicht.
Ich halte deswegen eine Kampagne zur Förderung des Zugangs von
Freie Software zur Überwachungsinfrastrukur für nicht angebracht.
Es ist wichtiger, unsere Energien einzusetzen, die
gesellschaftlichen Probleme dieser Systemen aufzuzeigen.
Sicher, eine exakte Beschreibung der Verfahren sowie eine
Offenlegung, der von der öffentlichen Verwaltung eingesetzten
Software, ist dringend geboten. Nur so können wir detailliert
die Probleme beschreiben und bessere Systeme vorschlagen. Für
die angeblich von ELENA zu lösenden Probleme fallen mir auf
Anhieb brauchbare und datenschutzrechtlich einwandfreie Konzepte
ein.
GnuPG for CardMan 4040
February 8th, 2006
Nils Faerber was so kind to send me a CardMan 4040 PCMCIA reader and I instantly hacked GnuPG’s internal CCID driver to support this device. It basically worked but obviously I never tried decryption so when Georg complained today I took some time off to fix that. The result is now a better working driver for most readers.
It is in the SVN (trunk and 1.9) but you may simply replace the driver files of a released GnuPG by ftp://ftp.g10code.com/g10code/patches/ccid-driver.c and ftp://ftp.g10code.com/g10code/patches/ccid-driver.h.
To get the reader working, Linux 2.6.15.3 is required where you need to enable the low-level driver for that device (drivers/char/pcmcia). Don’t forget to create a /dev/cmx0 character device using a major number you figure out by looking at /proc/devices, a minor of 0 and write permissions for you.
Creating server certificates with GnuPG
October 28th, 2005
Tired of using OpenSSL and editing weird configuration files just to create a certificate?
Fortunately there is an easier way with the advantage of using an already used system: Since version 1.9.18, GnuPG is a able to create certificate requests for servers; due to a bug in the export command, it is however suggested to use version 1.9.19.
Here is a brief run up on how to create a server certificate. It has actually been done this way to get a certificate from CAcert to be used on a real server. It has only be tested with this CA, but there shouldn’t be any problem to run this against any other CA.
Before you start, make sure that gpg-agent is running; see the manual on how to do this (“info gnupg”). As there is no need for a configuration file, you may simply enter:
$ gpgsm-gencert.sh >a.p10 Key type [1] RSA [2] existing key Your selection: 1 You selected: RSA
I opted for creating a new RSA key. The other option is to use an already existing key, by selecting “2” and entering the so-called keygrip. Running "gpgsm --dump-secret-key USERID"
will show you this keygrip.
Let’s continue:
Key length [1] 1024 [2] 2048 Your selection: 1 You selected: 1024
The script offers just two common key sizes. With the current setup of CAcert, it does not make much sense to use a 2k key; their policies need to be revised anyway (a CA root key valid for 30 years is not really serious).
Key usage [1] sign, encrypt [2] sign [3] encrypt Your selection: 1 You selected: sign, encrypt
We want to sign and encrypt using this key. This is just a suggestion and the CA may actually assign other key capabilities.
Now for some real data:
Name (DN) > CN=kerckhoffs.g10code.com
This is the most important value for a server certificate. Enter here the canonical name of your server machine. You may add other virtual server names later.
E-Mail addresses (end with an empty line) >
We don’t need email addresses in a server certificate and CAcert would anyway ignore such a request. Thus just hit enter.
If you want to create a client certificate for email encryption, this would be the place to enter your mail address (e.g. joe@example.org). You may enter as many addresses as you like, however the CA may not accept them all or reject the entire request.
DNS Names (optional; end with an empty line) > www.g10code.com DNS Names (optional; end with an empty line) > ftp.g10code.com DNS Names (optional; end with an empty line) >
Here I entered the names of the servers which actually run on the machine given in the DN above. The browser will accept a certificate for any of these names. As usual the CA must approve all of these names.
URIs (optional; end with an empty line) >
It is possible to insert arbitrary URIs into a certificate; for a server certificate this does not make sense.
We have now entered all required information and gpgsm will display what it has gathered and ask whether to create the certificate request:
Parameters for certificate request to create: 1 Key-Type: RSA 2 Key-Length: 1024 3 Key-Usage: sign, encrypt 4 Name-DN: CN=kerckhoffs.g10code.com 5 Name-DNS: www.g10code.com 6 Name-DNS: ftp.g10code.com Really create such a CSR? [1] yes [2] no Your selection: 1 You selected: yes
gpgsm will now start working on creating the request. As this includes the creation of an RSA key, it may take a while. During this time you will be asked 3 times for a passphrase to protect the created private key on your system. A pop up window will appear to ask for it. The first two prompts are for the new passphrase and to re-enter it; the third one is required to actually create the certificate request.
When it is ready, you should see the final notice:
gpgsm: certificate request created
Now, you may look at the created request:
$ cat a.p10 -----BEGIN CERTIFICATE REQUEST----- MIIBnzCCAQgCAQAwITEfMB0GA1UEAxMWa2VyY2tob2Zmcy5nMTBjb2RlLmNvbTCB nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA5h+uKRenpvbe+BnMY6siPO50LVyg HtB7kr+YISlPJ5JAFO12yQFz9Y0sBLHbjR+V+TOawwP1dZhGjlgnEBkMdWKuEBlS wFTALLX78GAyvAYAmPqSPDEYXkMECyUXVX/bbGI1bY8Y2OGy4w4D+v7e+xD2NBkm Bj5cNy+YMbGVldECAwEAAaA+MDwGCSqGSIb3DQEJDjEvMC0wKwYDVR0RBCQwIoIP d3d3LmcxMGNvZGUuY29tgg9mdHAuZzEwY29kZS5jb20wDQYJKoZIhvcNAQEFBQAD gYEAzBRIi8KTfKyebOlMtDN6oDYBOv+r9A4w3u/Z1ikjffaiN1Bmd2o9Ez9KXKHA IezLeSEA/rGUPN5Ur5qIJnRNQ8xrS+iLftr8msWQSZppVnA/vnqMrtqBUpitqAr0 eYBmt1Uem2Y3UFABrKPglv2xzgGkrKX6AqmFoOnJWQ0QcTw= -----END CERTIFICATE REQUEST----- $
You may now proceed by logging into your account at the CAcert website, choose “Server Certificates – New”, check “sign by class 3 root certificate”, paste the above request block into the text field and click on “Submit”.
If everything works out fine, a certificate will be shown. Now run
$ gpgsm --import
and paste the certificate from the CAcert page into your terminal followed by a Ctrl-D
-----BEGIN CERTIFICATE----- MIIEIjCCAgqgAwIBAgIBTDANBgkqhkiG9w0BAQQFADBUMRQwEgYDVQQKEwtDQWNl cnQgSW5jLjEeMBwGA1UECxMVaHR0cDovL3d3dy5DQWNlcnQub3JnMRwwGgYDVQQD ExNDQWNlcnQgQ2xhc3MgMyBSb290MB4XDTA1MTAyODE2MjA1MVoXDTA3MTAyODE2 MjA1MVowITEfMB0GA1UEAxMWa2VyY2tob2Zmcy5nMTBjb2RlLmNvbTCBnzANBgkq hkiG9w0BAQEFAAOBjQAwgYkCgYEA5h+uKRenpvbe+BnMY6siPO50LVygHtB7kr+Y ISlPJ5JAFO12yQFz9Y0sBLHbjR+V+TOawwP1dZhGjlgnEBkMdWKuEBlSwFTALLX7 8GAyvAYAmPqSPDEYXkMECyUXVX/bbGI1bY8Y2OGy4w4D+v7e+xD2NBkmBj5cNy+Y MbGVldECAwEAAaOBtTCBsjAMBgNVHRMBAf8EAjAAMDQGA1UdJQQtMCsGCCsGAQUF BwMCBggrBgEFBQcDAQYJYIZIAYb4QgQBBgorBgEEAYI3CgMDMAsGA1UdDwQEAwIF oDAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9vY3NwLmNhY2Vy dC5vcmcwKwYDVR0RBCQwIoIPd3d3LmcxMGNvZGUuY29tgg9mdHAuZzEwY29kZS5j b20wDQYJKoZIhvcNAQEEBQADggIBAAj5XAHCtzQR8PV6PkQBgZqUCbcfxGO/ZIp9 aIT6J2z0Jo1OZI6KmConbqnZG9WyDlV5P7msQXW/Z9nBfoj4KSmNR8G/wtb8ClJn W8s75+K3ZLq1UgEyxBDrS7GjtbVaj7gsfZsuiQzxmk9lbl1gbkpJ3VEMjwVCTMlM fpjp8etyPhUZqOZaoKVaq//KTOsjhPMwz7TcfOkHvXketPrWTcefJQU7NKLH16D3 mZAwnBxp3P51H6E6VG8AoJO8xCBuVwsbXKEf/FW+tmKG9pog6CaZQ9WibROTtnKj NJjSBsrUk5C+JowO/EyZRGm6R1tlok8iFXj+2aimyeBqDcxozNmFgh9F3S5u0wK0 6cfYgkPVMHxgwV3f3Qh+tJkgLExN7KfO9hvpZqAh+CLQtxVmvpxEVEXKR6nwBI5U BaseulvVy3wUfg2daPkG17kDDBzQlsWC0BRF8anH+FWSrvseC3nS0a9g3sXF1Ic3 gIqeAMhkant1Ac3RR6YCWtJKr2rcQNdDAxXK35/gUSQNCi9dclEzoOgjziuA1Mha 94jYcvGKcwThn0iITVS5hOsCfaySBLxTzfIruLbPxXlpWuCW/6I/7YyivppKgEZU rUTFlNElRXCwIl0YcJkIaYYqWf7+A/aqYJCi8+51usZwMy3Jsq3hJ6MA3h1BgwZs Rtct3tIX -----END CERTIFICATE----- gpgsm: issuer certificate (#/CN=CAcert Class 3 Root,OU=http://www.CAcert.org,O=CAcert Inc.) not found gpgsm: certificate imported gpgsm: total number processed: 1 gpgsm: imported: 1
gpgsm tells you that it has imported the certificate. It is now associated with the key you used when creating the request. The root certificate has not been found, so you may want to import it from the CACert website.
To see the content of your certificate, you may now enter:
$ gpgsm -K kerckhoffs.g10code.com /home/foo/.gnupg/pubring.kbx --------------------------- Serial number: 4C Issuer: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.CAcert.org/O=CAcert Inc. Subject: /CN=kerckhoffs.g10code.com aka: (dns-name www.g10code.com) aka: (dns-name ftp.g10code.com) validity: 2005-10-28 16:20:51 through 2007-10-28 16:20:51 key type: 1024 bit RSA key usage: digitalSignature keyEncipherment ext key usage: clientAuth (suggested), serverAuth (suggested), serverGatedCrypto.ns (suggested), serverGatedCrypto.ms (suggested) fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:19:D8:E9:65:B9:BD:4F:B1:98:CC:57
I used “-K” above because this will only list certificates for which a private key is available. To see more details, you may use “–dump-secret-keys” instead of “-K”. The output has been created using the current CVS version of GnuPG 1.9; older versions won’t show the dns-names.
To make actual use of the certificate you need to install it on your server. Server software usally expects a PKCS#12 file with key and certificate. To create such a file, run:
$ gpgsm --export-secret-key-p12 -a >kerckhoffs-cert.pem
You will be asked for the passphrase as well as for a new passphrase to be used to protect the pkcs#12 file. The file now contains the certificate as well as the private key:
$ cat kerckhoffs-cert.pem Issuer ...: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.CAcert.org/O=CAcert Inc. Serial ...: 4C Subject ..: /CN=kerckhoffs.g10code.com aka ..: (dns-name www.g10code.com) aka ..: (dns-name ftp.g10code.com) -----BEGIN PKCS12----- MIIHlwIBAzCCB5AGCSqGSIb3DQEHAaCCB4EEggd9MIIHeTCCBJ8GCSqGSIb3DQEH [...many more lines...] -----END PKCS12----- $
Copy this file in a secure way to the server, install it there and delete the file then. You may export the file again at any time as long as its is available in GnuPG’s private key database.
Running chess on a smart card
October 26th, 2005
Due to my work with smart cards I recently came across a little pet project named SmartChess which succeeded to implement chess software on a smart card. If you are interested in chess and very small CPUs you might want to have a look at it.
It is not pure coincedence that I noticed this project: Achim actually helped me to get the smart card support for GnuPG going by writing up a spec, answering numerous questions of mine, testing and actually providing cards.
gpg4win
October 24th, 2005
Some may wonder why there is not much progress on GnuPG. Well, David is working a lot on it and I am working on a related project: gpg4win – which eventualy will be a win for folks required to use that proprietary OS from Microsoft.
Frankly, it is not a big deal as it merely collects existing applications and provides a framework for easy building a complete and easy to use installer with parts like gpg, WinPT, GPA, GPGee, GPGol and so on. The goal is that you will be able to run a
./configure --host=i586-mingw32msvc && make
and 2 NSIS based installer packages are generated: One to get the whole thing onto your Windows box and the other one just for installing the source package to comply with the terms of the GPL. We will also overhaul the 2 German manuals from the unmaintained GnuPP project.
If you are interested in the development process, checkout this Gforge site.
freenigma
June 28th, 2005
Last Thursday the freenigma project was announced during a presentation at the LinuxTag. Freenigma is build completely on Free Software and will be available in September as a Live-CD as well as on separate Debian packages. We are currently doing internal testing, cleanups and preparing a release.
It is a successor of the old GEAM project which was a bit complicated to setup and configure. freenigma comes with a nice web interface, roles, backup and key generation and is fully integrated with an MTA (Postfix). It may be used as a plugin replacement for an existing MTA or integrated into an existing MTA structure to start using it.
As of now it supports OpenPGP. On demand we will add S/MIME encryption and signatures too. Appliances based on this software will be available soon to further simply the deployment of email encryption and signatures.
gnupg 1.4.2rc1 released
May 30th, 2005
We hope that people try this release candidate out so that we will soon be able to do the 1.4.2 thing.
Most important for the fellows are some bug fixes related to the card. There is now also support for running it alongside with the gpg-agent – given that gnupg 1.9 from CVS is beeing used. A new release of 1.9 is due this week.
http://lists.gnupg.org/pipermail/gnupg-announce/2005q2/000195.html
GnuPG 1.4.1
March 14th, 2005
After 2 release candidates and 3 months work we have today released version 1.4.1 of GnuPG.
This is mainly a bug fixing release but comes with a souple of minor changes and for the first time with a graphical installer for Windows. Working on the latter took quite some of my time but I believe it was worth the time. That installer will be improved over time.
We still have a couple of other things in the queue and will start working on them right now to pepare for a 1.4.2 release.