
#openpgp


Research question:
What if I can change, generate, adapt or remove anything with AI?
A) What does that mean for evidence (#Beweismitteln) submitted to, e.g., public authorities (#Behörden)?

Yes, we already live in the age of Photoshop, but AI can do considerably more here. The tools then also have to be usable/verifiable by private individuals without IT skills, and if I had to file a police report, I don't want to have to learn a #DAW first just to be able to validate, e.g., an audio track. Likewise, "take a screenshot with the atomic clock website in it" won't hold up much longer.
B) How can "I"/one still classify a "self-made DIY" photo as "real"?
Sure, I could certify its "authenticity" with my #Openpgp key, but that would be wrong by its very structure. The PGP keys only verify that I signed the document, not what I signed.
-
#It #security #cybersec #forensic #polizei #research

Comparing #XMPP against #email protocols is too limited. What sets #deltachat apart is *vertical integration* and being driven by UI/UX considerations. Cross-platform Apps and Bots use the Rust core library which connects with #chatmail relays and classic email servers based on a higher level API -- abstracting over SMTP, MIME, #OpenPGP etc. See chatmail.at

#webxdc apps in turn use an even higher level stable API abstracting over email/xmpp/... see webxdc.org/docs/


I just released version 0.1.2 of rsop-oct, a stateless #OpenPGP ("SOP") CLI tool for use with OpenPGP card hardware devices:

crates.io/crates/rsop-oct/

Like its sibling project #rsop, rsop-oct is based on @rpgp

This update makes integration with crates.io/crates/openpgp-card- optional.

rsop-oct can now implicitly use persisted PINs via openpgp-card-state, or explicitly provided ones via the standard SOP CLI parameter '--with-key-password'.

For more on #SOP, see datatracker.ietf.org/doc/draft


New release: #rPGP version 0.16.0 🧰🔐✨

github.com/rpgp/rpgp/releases/

#OpenPGP implemented in pure #Rust, permissively licensed

This release features streaming message support: Now rPGP can process arbitrarily large messages, with modest memory requirements.

It adds experimental support for the upcoming OpenPGP #PQC IETF standard datatracker.ietf.org/doc/html/

This release also brings various improvements for key generation, support for X448/Ed448, and many minor fixes.

⛰️  Features

Update to draft-ietf-openpgp-pqc-10 (#565) - (01a9643)

🚜 Refactor

Cleanup the interface of crypto::*::SecretKey - (45e1ea8)
GitHub: Release v0.16.0 - Stream the world & PQC · rpgp/rpgp

our friends over at @rpgp just published a monster milestone, humbly tagged 0.16 😍 with

- streaming decryption and encryption

- post-quantum-cryptography

- API streamlining.

#rPGP is a full Rust implementation of #openpgp which counts among the fastest and most compliant implementations today, and includes security audits. Note: #deltachat uses a restricted subset of OpenPGP, and follows best practices (e.g. using the same ed25519 keys implementation as #signal) github.com/rpgp/rpgp/


Don't use PGP with emails.

> Security researchers are sounding the alarm over a fresh flaw in the JavaScript implementation of OpenPGP (OpenPGP.js) that allows both signed and encrypted messages to be spoofed.

> Discovered by Codean Labs' Edoardo Geraci and Thomas Rinsma, the vulnerability essentially undermines the core purpose of using public key cryptography to secure communications.

**OpenPGP.js bug enables encrypted message spoofing**

theregister.com/2025/05/20/ope

The Register · Freshly discovered bug in OpenPGP.js undermines whole point of encrypted comms · By Connor Jones

»OpenPGP.js bug enables encrypted message spoofing:
Security researchers are sounding the alarm over a fresh flaw in the JavaScript implementation of OpenPGP (OpenPGP.js) that allows both signed and encrypted messages to be spoofed.«

I hope this will be resolved as soon as possible and the web email hosters will then also use the current version.

🔓 theregister.com/2025/05/20/ope


Somewhat concerning for anyone who uses Proton Mail: there is a flaw in the OpenPGP JavaScript library that they use (and are the maintainers for) which means that it's possible for spoofed authentication signatures to be created.

theregister.com/2025/05/20/ope


If you were writing new code that is supposed to involve crypto signatures and encryption of objects/messages, as well as authentication of hierarchical persons/organisations with a web of trust (so roughly everything OpenPGP also wants to do), but you find #openpgp too complicated ... what do you use? S/MIME + X.509, or is there something leaner?

🎬 When Code Became a Weapon

It's easy to take strong encryption for granted, but that hasn't always been the case. This week we're diving into the "Crypto Wars," covering historical attempts by the US government to restrict strong encryption being exported internationally.

privacyguides.org/videos/2025/

Let us know what you think of this style of video! We're trying something different, and this is the first in a planned series lined up 😄

First steps towards more robust sync!

#Hockeypuck’s dataset normalisation rules (or “filters”) were updated between v2.1 and v2.2, meaning that #SKS recon did not work between #openpgp #keyservers running the older and newer versions. The keyservers could not all be updated simultaneously, and a few keyservers still run v2.1 today for compatibility reasons, so we had to find a way to prevent the network from split-braining.

The quick and dirty solution was a small script that runs on each side of the filter discontinuity, polls for local changes, and submits them to the other side over HKP (the protocol your #PGP client uses). But this is effectively the same idea as the old PKS sync model, just over HTTP(S) instead of email. And sks-keyserver used to support PKS-over-email, so shouldn’t hockeypuck be able to do PKS-over-HTTP natively?

The short answer is, it can! It was long intended for hockeypuck to support PKS email, but only a fraction of the necessary code was written, and there were no tests. Today, the pgpkeys test swarm has just performed its first sync using the completed PKS code, which supports *both* HTTP and email transport.

It’s not ready for production yet though. Further testing is required, and then the second part of the PKS code can be written: automatic failover from SKS to PKS when filter mismatch is detected (and just as importantly, automatic fail*back*).

This will mean that keyserver operators will be able in the future to upgrade across filter discontinuities without risking a split brain scenario. It should also mean that key updates submitted to the hockeypuck network could be automatically synced to @keys_openpgp_org … watch this space! 😎

(Hockeypuck v2.3 development is kindly supported by @NGIZero Core)