gpg-split, what am I signing/encrypting


scurge1tl

Jun 7, 2019, 11:04:35 AM
to qubes-users

I have been playing with the gpg-split and would like to know, if
there is an option to see precisely for what specific task the
work-email AppVM is connecting to the work-gpg AppVM.

Currently I let the work-email to have a blank access to the work-gpg
for a defined time (300sec by default). During this time, the
communication between the qubes is unrestricted (is it?).

Is there an option to set the gpg-split to approve a specific task
only? Let's say I write an email to J...@email.ok. I click Send and I
get a message asking me "would you like to encrypt/sign the message
for J...@email.ok with your key ABC....?" In this way I am restricting
the comms in between the AppVMs for a single, specific task only.

I am reacting to the Trezor-T where you can see on the Trezor-T
display what precisely you are signing. Can this be applied to the
pass split as well https://github.com/Rudd-O/qubes-pass too?


Andrew David Wong

Jun 7, 2019, 11:54:33 PM
to scurge1tl, qubes-users

On 07/06/2019 10.04 AM, scurge1tl wrote:
> I have been playing with the gpg-split and would like to know, if
> there is an option to see precisely for what specific task the
> work-email AppVM is connecting to the work-gpg AppVM.
>
> Currently I let the work-email to have a blank access to the
> work-gpg for a defined time (300sec by default). During this time,
> the communication between the qubes is unrestricted (is it?).
>
> Is there an option to set the gpg-split to approve a specific task
> only? Let's say I write an email to J...@email.ok. I click Send and
> I get a message asking me "would you like to encrypt/sign the
> message for J...@email.ok with your key ABC....?" In this way I am
> restricting the comms in between the AppVMs for a single, specific
> task only.
>
> I am reacting to the Trezor-T where you can see on the Trezor-T
> display what precisely you are signing. Can this be applied to the
> pass split as well https://github.com/Rudd-O/qubes-pass too?
>

Please file a feature request for this. I thought we already had one,
but I wasn't able to find one. All I found was these two somewhat
related issues:

https://github.com/QubesOS/qubes-issues/issues/1835
https://github.com/QubesOS/qubes-issues/issues/2443

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


scurge1tl

Jun 13, 2019, 3:13:28 AM
to qubes...@googlegroups.com

> On 07/06/2019 10.04 AM, scurge1tl wrote:
>> I have been playing with the gpg-split and would like to know,
>> if there is an option to see precisely for what specific task the
>> work-email AppVM is connecting to the work-gpg AppVM.
>
>> Currently I let the work-email to have a blank access to the
>> work-gpg for a defined time (300sec by default). During this
>> time, the communication between the qubes is unrestricted (is
>> it?).
>
>> Is there an option to set the gpg-split to approve a specific
>> task only? Let's say I write an email to J...@email.ok. I click
>> Send and I get a message asking me "would you like to
>> encrypt/sign the message for J...@email.ok with your key
>> ABC....?" In this way I am restricting the comms in between the
>> AppVMs for a single, specific task only.
>
>> I am reacting to the Trezor-T where you can see on the Trezor-T
>> display what precisely you are signing. Can this be applied to
>> the pass split as well https://github.com/Rudd-O/qubes-pass too?
>
>
> Please file a feature request for this. I thought we already had
> one, but I wasn't able to find one. All I found was these two
> somewhat related issues:
>
> https://github.com/QubesOS/qubes-issues/issues/1835
> https://github.com/QubesOS/qubes-issues/issues/2443
>
>


Hi, I try to start a new issue but GitHub doesn't like my email
provider cock.li or even newly created vfemail.net and tells me it
can't be verified. (Is the new GitHub owner progressing so fast with BS?)

May I ask you humbly to start this new feature request? Thank you!!




unman

Jun 13, 2019, 10:21:01 AM
to qubes...@googlegroups.com
Opened feature request and due credit given.
https://github.com/QubesOS/qubes-issues/issues/5098