From t.schorpp at gmx.de Thu Jul 1 05:41:17 2004
From: t.schorpp at gmx.de (Thomas Schorpp)
Date: Tue Jul 6 16:42:23 2004
Subject: OpenPGP card tests 1.3.6
In-Reply-To: <87fz8y77ir.fsf@vigenere.g10code.de>
References: <8765jlvzd5.fsf@alberti.g10code.de> <400EF569.9070603@gmx.de>
	<1074799935.29019.4.camel@simulacron> <4010A24E.8070803@gmx.de>
	<87d69bx8ix.fsf@alberti.g10code.de> <40C4B8AC.9000201@gmx.de>
	<87fz8y77ir.fsf@vigenere.g10code.de>
Message-ID: <40E387DD.5000405@gmx.de>

Oops, late but not lost. got it today.

Werner Koch wrote:
| On Mon, 07 Jun 2004 20:49:16 +0200, Thomas Schorpp said:
|
|
|>C001-L1: "No typing verification on pin entries in --edit-card >passwd,
|>dangerous..."
|
|
| Well, it makes sense to have a verification for a new PIN.
|

bad english from me, it should be "confirm"... and i fsck'd up the diff,
more practice needed ;)

|
|>C002-L3: "gpg needs to be restarted to verify unblocked pin retry
|>counter - >list shows false count 0 instead of 3 without"
|
|
| Okay, will fix this.
|
|
|>i could fix that, if i'm allowed(?)
|
|
| Sure you are allowed. However, we need a copyright assignment for
| inclusion into the main line. That takes a while and thus it might be
| better when I fix this.

it's your code anyway so far, just did a little fast copy and paste.

|
| Thanks,
|
| Werner

y
tom

From npcole at yahoo.co.uk Thu Jul 1 17:24:52 2004
From: npcole at yahoo.co.uk (Nicholas Cole)
Date: Tue Jul 6 16:43:26 2004
Subject: identical fingerprints
Message-ID: <20040701152452.24119.qmail@web25405.mail.ukl.yahoo.com>

RFC 2440 says that:

"Note that there is a much smaller, but still non-zero probability
that two different keys have the same fingerprint."

How well does gpg handle this possibility? What would break, and would
there be any way to specify one key over another?

If anyone does have an example of two keys with identical
fingerprints, I'd be interested to have a look....

Best,

N.

From dshaw at jabberwocky.com Thu Jul 1 17:24:22 2004
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue Jul 6 16:43:28 2004
Subject: gpg --gen-key and empty passphrase
In-Reply-To: <200405310516.BAA10940@houston.candd.org>
References: <200405310516.BAA10940@houston.candd.org>
Message-ID: <20040701152421.GA17991@jabberwocky.com>

On Mon, May 31, 2004 at 01:16:19AM -0400, David Taylor wrote:
> I ran
>
> gpg --gen-key
>
> and took the defaults for questions that had defaults.
>
> When it asked for a pass phrase, I didn't have one pre-selected, so I
> figured what-the-heck, it's a laptop, no one has access but me, I'll
> make it empty and set it to something better in a day or two.
>
> So, I pressed twice. And everything appeared to be successful
> -- until I tried to change the passphrase a few days later. All
> operations that I have tried that require the passphrase fail.
>
> I have tried control-j, control-m, and control-@ (null), and a couple
> of other possibilities. But, alas, none worked.
>
> So, when asked for a passphrase by gpg --gen-key if you press ,
> what passphrase does it use?

It uses no passphrase at all.

David

From JPClizbe at comcast.net Fri Jul 2 17:04:57 2004
From: JPClizbe at comcast.net (John Clizbe)
Date: Tue Jul 6 16:44:17 2004
Subject: Aw: Re: OpenPGP SMTP headers
In-Reply-To: <40B2EC77.8070407@smgwtest.aachen.utimaco.de>
References: <6865142.1084948896626.JavaMail.ngmail@webmail06.arcor-online.net><200405190958.43693@fortytwo.ch><20040522041951.GA13121@jabberwocky.com><007c01c44197$8acf8720$6401a8c0@Windows>
	<87d64tspt2.fsf@vigenere.g10code.de>
	<004901c441c3$771c7b80$6401a8c0@Windows>
	<40B2EC77.8070407@smgwtest.aachen.utimaco.de>
Message-ID: <40E57999.7030905@comcast.net>

Holger Sesterhenn wrote:
> Hi,

Hi Holger,

> There are two things to mention:
>
> First, David uses PGP/MIME (RFC 3156) instead of the old (but most
> widespread) PGP/INLINE signatures (CLASSIC). All known OpenPGP plugins
> for OE just support the latter. Even the original PGP 8.x.

The lack of RFC 3156 support in some OpenPGP plugins is often used as
the reason to continue with inline signatures. Aside from PGP's work
with their plugin, I don't think there is any work being done to
maintain/evolve the OpenPGP OE & Outlook plugins.

> Second, the mailing list software creates an envelope around the
> PGP/MIME message so it looks like "multipart/mixed" instead of
> "multipart/signed". There are some OpenPGP clients (like Enigmail) which
> try to detect this but it's just experimental.

I'm not sure how 'experimental' Enigmail's support still is at this
point. It works without issue for myself and many others and has been
in the code since 0.83.0 which was released mid-January.

> I wouldn't call it a bug in the mailing list software ;-)

Nor would I

-- 
John P. Clizbe
Inet: JPClizbe(a)comcast DOT nyet
Golden Bear Networks
PGP/GPG KeyID: 0x608D2A10
"Most men take the straight and narrow. A few take the road less
traveled. I chose to cut through the woods."

From wk at gnupg.org Fri Jul 2 10:12:15 2004
From: wk at gnupg.org (Werner Koch)
Date: Tue Jul 6 16:44:31 2004
Subject: --list-only and symmetric encryption (fwd)
In-Reply-To: <20040629234329.N92142@willy_wonka> (atom@suspicious.org's
	message of "Tue, 29 Jun 2004 23:46:53 -0400 (EDT)")
References: <20040628045923.U92142@willy_wonka>
	<20040628224857.GA6406@jabberwocky.com>
	<20040629234329.N92142@willy_wonka>
Message-ID: <873c4avnds.fsf@wheatstone.g10code.de>

On Tue, 29 Jun 2004 23:46:53 -0400 (EDT), Atom 'Smasher' said:

> done using one key. i don't understand how a message can be
> efficiently ("efficiently", meaning that the message is only encrypted
> once) encrypted to multiple symmetric keys.

Very similar: The session key is symmetrically encrypted using a
passphrase. Obviously you can have more than one such packet and
encrypt the session key to several passphrases or with public keys.

Shalom-Salam,

Werner

From wk at gnupg.org Fri Jul 2 20:35:17 2004
From: wk at gnupg.org (Werner Koch)
Date: Tue Jul 6 16:44:44 2004
Subject: multiple file signing oddness
In-Reply-To: <20040523165329.44494.qmail@web25006.mail.ukl.yahoo.com>
	(Nicholas Cole's message of "Sun, 23 May 2004 17:53:29 +0100 (BST)")
References: <20040523165329.44494.qmail@web25006.mail.ukl.yahoo.com>
Message-ID: <87r7taubuh.fsf@vigenere.g10code.de>

On Sun, 23 May 2004 17:53:29 +0100 (BST), Nicholas Cole said:

> in which order the files were signed, am I? In that
> case should gpg 'search' for an order in which the
> files verify, or would that add too much overhead?

Yes, this is too much overhead because we need to hash all files two
times. That is not reasonable for large files.

I agree that this cat feature in gnupg was a bad design because
/bin/cat is the expert in doing this kind of stuff. Given that this is
the first bug reported related to the feature, I doubt that it is in
wide use and it is a proper solution to fix it in 1.3. It would be
even better to drop it entirely; but I guess it is too late for this.

Salam-Shalom,

Werner

From abognupg at redtenbacher.de Fri Jul 2 23:51:35 2004
From: abognupg at redtenbacher.de (abognupg@redtenbacher.de)
Date: Tue Jul 6 16:45:07 2004
Subject: GnuPG feature request: Step-wise decryption
Message-ID:

Hi David,

>Subject: [Announce] GnuPG 1.3.6 released (development)
>[...]
>This release brings development even closer to a good point for 1.4.
>If there is something that you do not like here, be it a missing
>feature, a UI choice, or, well, anything, now is the time to speak up.

On 27 Feb 2004, I requested an interoperability feature for stepwise
decryption to permit mail gateways that use GnuPG, to interoperate with
"PGP-like" programs (e.g. "CryptoEx" which has a very unusual way of
interpreting RFC 2440, to say the least), without having to re-invent
GnuPG core functionality like compress/uncompress or encrypt/decrypt.

At that time, you suggested a potential solution:

>What do you think about a general "--unwrap" command, which would peel
>off the outermost layer (whether it is encryption or compression) and
>stop there. Callers could re-submit the output back in for another
>round of --unwrap if they want to go further.

Such a general "--unwrap" command would be really great and permit the
solving of all gateway interoperability problems via small utility
software, while leaving the bulk of the work with GnuPG.

Therefore, I wanted to ask you if this feature is (still?) on the
planning list for GnuPG 1.4?

- Wolfgang Redtenbacher

From cbiere at TechFak.Uni-Bielefeld.DE Sun Jul 4 17:01:26 2004
From: cbiere at TechFak.Uni-Bielefeld.DE (Christian Biere)
Date: Tue Jul 6 16:45:13 2004
Subject: Hokki =)
In-Reply-To: <20040522163747.GF11833@northernsecurity.net>
References: <20040519124700.GA25653@quetrupillan.TechFak.Uni-Bielefeld.DE>
	<02ae01c43dde$8bc7d5e0$6401a8c0@Windows>
	<20040520230126.GA5418@kilauea.TechFak.Uni-Bielefeld.DE>
	<20040522161855.GA11731@kilauea.TechFak.Uni-Bielefeld.DE>
	<20040522163747.GF11833@northernsecurity.net>
Message-ID: <20040704150126.GA15687@anathema.TechFak.Uni-Bielefeld.DE>

Thomas Sjögren wrote:
> On Sat, May 22, 2004 at 06:18:55PM +0200, Christian Biere wrote:
> > However, I like the idea of subscribing with a key *instead* of an email
> > address so that I could easily post from diverse accounts without having
> > to register different addresses.

> This would work on this list but what about gnupg-users or similar where
> people usually join because they either haven't started using gpg, don't
> know how to use it or it's broken?

Those options don't need to be mutually-exclusive. Once it's used by
most subscribers you could decrease spam threshold of your filters for
unsigned int^Wmail. AFAIK, the list maintainers check the filtered mail
at least occasionally anyway so it wouldn't cause (significant) mail
lossage.

However, it wasn't me who suggested this as a spam filter and the
spammers would surely catch up after awhile considering the huge zombie
farms they own, it would probably not cause a performance problem except
a little more initial work. I was rather thinking about the comfort of
using a meta ID instead of a plain (fixed) mail address which is also
nice for people who use generated addresses which have a small time
window of validity.

-- 
Christian

From wk at gnupg.org Tue Jul 6 15:37:32 2004
From: wk at gnupg.org (Werner Koch)
Date: Tue Jul 6 16:45:36 2004
Subject: Aw: Re: OpenPGP SMTP headers
In-Reply-To: <40B2EC77.8070407@smgwtest.aachen.utimaco.de> (Holger
	Sesterhenn's message of "Tue, 25 May 2004 08:49:27 +0200")
References: <6865142.1084948896626.JavaMail.ngmail@webmail06.arcor-online.net>
	<200405190958.43693@fortytwo.ch>
	<20040522041951.GA13121@jabberwocky.com>
	<007c01c44197$8acf8720$6401a8c0@Windows>
	<87d64tspt2.fsf@vigenere.g10code.de>
	<004901c441c3$771c7b80$6401a8c0@Windows>
	<40B2EC77.8070407@smgwtest.aachen.utimaco.de>
Message-ID: <87r7rpjlyb.fsf@wheatstone.g10code.de>

On Tue, 25 May 2004 08:49:27 +0200, Holger Sesterhenn said:

> Second, the mailing list software creates an envelope around the
> PGP/MIME message so it looks like "multipart/mixed" instead of
> "multipart/signed". There are some OpenPGP clients (like Enigmail) which

Well this is required and perfectly fine with any MIME object. The
reason Mailman does this is to be able to append a footer to the
original message with information about the list. Obviously this would
break the signature unless the original posted message is put into an
inner MIME container.

> try to detect this but it's just experimental.

With a proper MIME implementation this will work without any problems.

Werner

From jdwhite at jdwhite.org Mon Jul 5 01:45:35 2004
From: jdwhite at jdwhite.org (Jason White)
Date: Wed Jul 14 18:13:05 2004
Subject: GnuPG 1.3.6 released
Message-ID: <20040704234535.GC20468@jdwhite.org>

On Sat May 22 15:45:40 CEST 2004, David Shaw wrote:
[...]
>This release brings development even closer to a good point for 1.4.
>If there is something that you do not like here, be it a missing
>feature, a UI choice, or, well, anything, now is the time to speak up.
>Once 1.3.x becomes the new stable, large changes will be unlikely.
>While we obviously cannot guarantee that every suggestion will be
>included, they will all be looked at.

One feature I would like to see included is libreadline support for the
key editing menu prompts.

Thank you.

-- 
Jason White (jdwhite@jdwhite.org)
http://www.jdwhite.org/~jdwhite
Jabber:jdwhite(jabber.org) IRC:irc.netbsd.org/{jdwhite,jdw}
PGP KeyID: 0x5290E477/A8A2 3FDB AB33 98EB ED74 EDAA F538 9A30 5290 E477

From atom at suspicious.org Tue Jul 6 17:31:17 2004
From: atom at suspicious.org (Atom 'Smasher')
Date: Wed Jul 14 18:13:34 2004
Subject: --list-only and symmetric encryption (fwd)
In-Reply-To: <20040630184657.GB362@daredevil.joesixpack.net>
References: <20040628045923.U92142@willy_wonka>
	<20040628224857.GA6406@jabberwocky.com>
	<20040629234329.N92142@willy_wonka>
	<20040630184657.GB362@daredevil.joesixpack.net>
Message-ID:

On Wed, 30 Jun 2004, Timo Schulz wrote:

> On Tue Jun 29 2004; 23:46, Atom 'Smasher' wrote:
>
> > key. i don't understand how a message can be efficiently ("efficiently",
> > meaning that the message is only encrypted once) encrypted to multiple
> > symmetric keys.
>
> That's not difficult, but I've to admit you need to know the OpenPGP
> format in detail to see it without thinking too much.
>
> Tag 3 "Symmetric-Key Encrypted Session Key Packets" has an optional
> field to hold the encrypted session key. This key is used to encrypt
> the message. The session key itself is encrypted via the S2K key
> derived from a passphrase. If you have more passphrases, the same
> session key is encrypted with different passphrases (S2Ks).
>
> Tag3 (- Optionally, the encrypted session key itself, which is decrypted
> with the string-to-key object.)
>
>
> You see the key for the _message_ is always the same, while the key
> to protect the session key itself is different for each passphrase.
> If you know one passphrase, you can decipher the message.
>
>
> Hope my achievement is clear to you.
======================

so, if i understand this correctly, the message is still encrypted with
a random session key; multiple packets can each encrypt that session key
to a different symmetric key; any of those symmetric keys can be used to
decrypt the message.

that's it? sounds cool....

        ...atom

 _________________________________________
 PGP key - http://atom.smasher.org/pgp.txt
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
 -------------------------------------------------

	"Beware, a record of the books you borrow may end up in
	the hands of the FBI. And if the FBI requests your records,
	librarians are prohibited by law from telling you about it.
	Questions about this policy should be directed to Attorney
	General John Ashcroft, Department of Justice, Washington,
	D.C. 20530."
		-- Sign greeting patrons entering all 10 of the
		county libraries in Santa Cruz, California

From atom at suspicious.org Tue Jul 6 17:41:15 2004
From: atom at suspicious.org (Atom 'Smasher')
Date: Wed Jul 14 18:13:38 2004
Subject: --list-only and symmetric encryption (fwd)
In-Reply-To: <20040630183117.GC7180@jabberwocky.com>
References: <20040628045923.U92142@willy_wonka>
	<20040628224857.GA6406@jabberwocky.com>
	<20040629234329.N92142@willy_wonka>
	<20040630183117.GC7180@jabberwocky.com>
Message-ID:

On Wed, 30 Jun 2004, David Shaw wrote:

> On Tue, Jun 29, 2004 at 11:46:53PM -0400, Atom 'Smasher' wrote:
> > i'm curious how that works... i understand how a message can be encrypted
> > to multiple public keys, since the bulk encryption is only done using one
> > key. i don't understand how a message can be efficiently ("efficiently",
> > meaning that the message is only encrypted once) encrypted to multiple
> > symmetric keys.
>
> It works the same way that it does with public keys. The data is
> encrypted using a random session key, then that session key is
> encrypted using the passphrase. If you want to use multiple
> passphrases, just encrypt the random session key to as many
> passphrases as you like.
===================

so, GnuPG can read, but not create these messages? are there plans to
handle creation? or would it have to be done by performing
packet-surgery with gpgsplit?

if only a single symmetric passphrase is used, is there still a session
key encrypted with the symmetric key? (i only have text access right
now, and can't get to a copy of the RFC).

        ...atom

 _________________________________________
 PGP key - http://atom.smasher.org/pgp.txt
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
 -------------------------------------------------

	"We don't know if lobsters feel pain... [but] since pain
	is a perception, we often don't know whether people feel it
	either"
		-- Prof. Edward Kravitz, Harvard Medical School

From alex at bofh.net.pl Wed Jul 7 00:02:33 2004
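
[Added example, not part of any list message and not GnuPG code: a Python model of the scheme described in the "--list-only and symmetric encryption" replies above, where the data is encrypted once under a random session key and one small packet per passphrase wraps that session key. The S2K function follows the iterated-and-salted definition in the OpenPGP RFC; the SHA-256 counter keystream (standing in for the block cipher in CFB mode), the SHA-1 trailer used as integrity check, the dict layout and all function names are assumptions made for illustration.]

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32       # bytes for session key and key-encryption key (assumed)
CODED_COUNT = 96   # S2K count octet; decodes to 65536 bytes hashed


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int) -> bytes:
    """Iterated-and-salted S2K: hash salt+passphrase repeated up to `count` bytes."""
    count = (16 + (coded_count & 15)) << ((coded_count >> 4) + 6)
    data = salt + passphrase
    count = max(count, len(data))          # the input is hashed at least once
    full, rest = divmod(count, len(data))
    h = hashlib.sha256()
    h.update(data * full)
    h.update(data[:rest])
    return h.digest()[:KEY_LEN]


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def wrap_session_key(session_key: bytes, passphrase: bytes) -> dict:
    """Model of one tag-3 packet: S2K parameters plus the wrapped session key."""
    salt = secrets.token_bytes(8)          # fresh salt, so every packet has its own key
    kek = s2k_iterated_salted(passphrase, salt, CODED_COUNT)
    return {"salt": salt, "count": CODED_COUNT,
            "esk": keystream_xor(kek, session_key)}


def encrypt_to_passphrases(plaintext: bytes, passphrases: list) -> dict:
    """Encrypt the data once; emit one session-key packet per passphrase."""
    session_key = secrets.token_bytes(KEY_LEN)
    trailer = hashlib.sha1(plaintext).digest()
    return {
        "skesk": [wrap_session_key(session_key, p) for p in passphrases],
        "data": keystream_xor(session_key, plaintext + trailer),
    }


def recover(message: dict, passphrase: bytes):
    """Try each session-key packet; the data trailer shows which one fits."""
    for pkt in message["skesk"]:
        kek = s2k_iterated_salted(passphrase, pkt["salt"], pkt["count"])
        session_key = keystream_xor(kek, pkt["esk"])
        clear = keystream_xor(session_key, message["data"])
        body, trailer = clear[:-20], clear[-20:]
        if hmac.compare_digest(hashlib.sha1(body).digest(), trailer):
            return session_key, body
    raise ValueError("no session-key packet matches this passphrase")


def decrypt(message: dict, passphrase: bytes) -> bytes:
    return recover(message, passphrase)[1]


def add_passphrase(message: dict, known: bytes, new: bytes) -> None:
    """Add a passphrase by appending a packet; the data packet is untouched."""
    session_key, _ = recover(message, known)
    message["skesk"].append(wrap_session_key(session_key, new))


if __name__ == "__main__":
    # Constructed sample input.
    msg = encrypt_to_passphrases(b"constructed sample text", [b"one", b"two"])
    print(len(msg["skesk"]), "key packets,", len(msg["data"]), "data bytes")
    print(decrypt(msg, b"two"))
```
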
From: alex at bofh.net.pl (Janusz A. Urbanowicz)
Date: Wed Jul 14 18:14:56 2004
Subject: block vs stream ciphers
In-Reply-To:
References:
Message-ID: <40EB2179.3030808@bofh.net.pl>

Atom 'Smasher' wrote:

> curious... why doesn't OpenPGP (or GnuPG) include any stream ciphers?

I guess because there any 'enough good' and well (comparably to block
ciphers) researched stream ciphers out there. And especially free to use
ones.

alex
-- 
ANDREA: Norville, why don't you drop this? This could get you dead
in a single car accident. If the history books say Oswald, then let
it be Oswald. You said they were old - outlive them. It's the only
revenge worth having. -- Mark McFadden in http://42.pl/url/4N0

From mail at joachim-breitner.de Thu Jul 8 17:08:03 2004
From: mail at joachim-breitner.de (Joachim Breitner)
Date: Wed Jul 14 18:15:07 2004
Subject: Signature-Subkey on GnuPG-Card
Message-ID: <1089299283.749.24.camel@barney.ehbuehl.net>

Hi,

I managed to create an encryption-subkey on my gnupg-card (serial number
100 - cool) for an existing key in my keyring and that works for
en-/decryption (not yet without the primary secret key in the keyring,
though).

But my daily work is mostly signing e-mails and files, so I'd want to
have a signature (as in mails and files, not keys) subkey on my gpg
card. Is that possible at all with the current layout, or is slot 1 only
meant for primary keys?

thx,
nomeata

-- 
Joachim "nomeata" Breitner
mail: mail@joachim-breitner.de | ICQ# 74513189 | GPG-Key: 4743206C
JID: joachimbreitner@amessage.de | http://www.joachim-breitner.de/
Debian Developer: nomeata@debian.org
Please avoid sending me Word or PowerPoint attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html

From albrecht.dress at arcor.de Thu Jul 8 23:01:59 2004
From: albrecht.dress at arcor.de (Albrecht Dreß)
Date: Wed Jul 14 18:15:17 2004
Subject: [BUG?] gpgme 0.9.0 & passphrase oddity
Message-ID: <1089320527l.26965l.0l@antares.localdomain>

Gpgme 0.9.0 seems to behave differently if the passphrase is entered
directly or through gpg-agent/pinentry.

If I do not have an agent running, the passphrase callback is called,
and if I cancel there, gpgme_op_sign() correctly returns with an error.

With the agent running, it pops up pinentry. When I select cancel there,
gpgme_op_sign() returns with no error, and all subsequent operations on
the signature of course will fail.

Is this the intended behaviour? IMHO, it would be nicer if gpgme_op_sign
(and friends) would return ERR_CANCEL in *both* cases.

I use gpg-agent (GnuPG) 1.9.8, gpg 1.2.4, and pinentry 0.7.0.

TIA, Cheers, Albrecht.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Albrecht Dreß - Johanna-Kirchner-Straße 13 - D-53123 Bonn (Germany)
Phone (+49) 228 6199571 - mailto:albrecht.dress@arcor.de
_________________________________________________________________________

From mail at joachim-breitner.de Tue Jul 13 13:05:25 2004
From: mail at joachim-breitner.de (Joachim Breitner)
Date: Wed Jul 14 18:15:56 2004
Subject: Signature-Subkey on GnuPG-Card
Message-ID: <1089716725.7146.1.camel@barney.ehbuehl.net>

Hi,

I managed to create an encryption-subkey on my gnupg-card for an existing
key in my keyring and that works for en-/decryption (not yet without the
primary secret key in the keyring, though).

But my daily work is mostly signing e-mails and files, so I'd want to
have a signature (as in mails and files, not keys) subkey on my gpg
card. Is that possible at all with the current layout, or is slot 1 only
meant for primary keys?

thx,
nomeata

-- 
Joachim "nomeata" Breitner
mail: mail@joachim-breitner.de | ICQ# 74513189 | GPG-Key: 4743206C
JID: joachimbreitner@amessage.de | http://www.joachim-breitner.de/
Debian Developer: nomeata@debian.org
Please avoid sending me Word or PowerPoint attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html

From mail at joachim-breitner.de Tue Jul 13 21:14:49 2004
From: mail at joachim-breitner.de (Joachim Breitner)
Date: Wed Jul 14 18:16:07 2004
Subject: Encryption and Signature Subkeys on Card
Message-ID: <1089746089.7153.24.camel@barney.ehbuehl.net>

Hi,

finally I arrived where I want to be. I hacked a little bit on gnupg
(v1.3.6) and now I can create subkeys for my already existing key on a
gnupg card and can remove all private keys from my disk (my current
primary key would be saved on an offline medium or computer).

To do this, I had to change a bit of the code. Unified diff appended.

* in genkey.c I added the function generate_card_subkeypair, using
generate_subkeypair as a template. The most relevant lines of code are:

    algo = ask_algo( 2, &use ); // extra addmode for subkey on card
    assert(algo);
    expire = ask_expire_interval(0);
    if( !cpr_enabled() && !cpr_get_answer_is_yes("keygen.sub.okay",
                                                 _("Really create? ") ) )
        goto leave;

    if( passphrase ) {
        [..]
    }

    // set the serialno in "para"
    agent_learn(&info);
    para = xcalloc(1,sizeof *para + strlen(info.serialno));
    para->key = pSERIALNO;
    strcpy(para->u.value, info.serialno);

    rc = gen_card_key (1, algo, use == PUBKEY_USAGE_SIG ? 1 : 2,
                       pub_keyblock, sec_keyblock, expire, para);

As you can see, I added a new parameter to gen_card_key (the first one)
to tell the function to create a subkey. (The current magic - encryption
key is always primary key - did not work here). I also had to define a
new addmode (2) for ask_algo, since only 4 and 5 are valid options here.

* In keyedit.c I added the command addcardkey to do this stuff. Note
that you have to call gpg with --allow-admin to create keys on the card.

* In keyedit.c I also made sure that if you set a password for a key, it
is not set for any subkeys with special mode 1002 (which seems to mean
"key is on card").

Please have a look at the code and comment it, and use it if you wish.
I'd really like to see this feature in a release soon :-)

nomeata

-- 
Joachim "nomeata" Breitner
mail: mail@joachim-breitner.de | ICQ# 74513189 | GPG-Key: 4743206C
JID: joachimbreitner@amessage.de | http://www.joachim-breitner.de/
Debian Developer: nomeata@debian.org
Please avoid sending me Word or PowerPoint attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff-subkeys-on-card.diff
Type: text/x-patch
Size: 10190 bytes
Desc: not available
Url : /pipermail/attachments/20040713/129f1def/diff-subkeys-on-card-0001.bin

From skquinn at xevious.kicks-ass.net Wed Jul 14 18:49:17 2004
From: skquinn at xevious.kicks-ass.net (Shawn K. Quinn)
Date: Fri Jul 16 11:08:15 2004
Subject: [Announce] GnuPG 1.3.6 released (development)
In-Reply-To: <20040522134540.GB13121@jabberwocky.com>
References: <20040522134540.GB13121@jabberwocky.com>
Message-ID: <200407141149.32837.skquinn@xevious.kicks-ass.net>

On 2004 May 22, Saturday 08:45, David Shaw wrote:
> This release brings development even closer to a good point for 1.4.
> If there is something that you do not like here, be it a missing
> feature, a UI choice, or, well, anything, now is the time to speak
> up. Once 1.3.x becomes the new stable, large changes will be
> unlikely. While we obviously cannot guarantee that every suggestion
> will be included, they will all be looked at.

I would like to see some kind of mode for practicing typing in a
passphrase (as an aid to remembering it). However, it's possible that
GnuPG isn't the best place for it.

-- 
Shawn K. Quinn

From wk at gnupg.org Wed Jul 14 22:04:31 2004
From: wk at gnupg.org (Werner Koch)
Date: Fri Jul 16 11:08:47 2004
Subject: Signature-Subkey on GnuPG-Card
In-Reply-To: <1089716725.7146.1.camel@barney.ehbuehl.net> (Joachim
	Breitner's message of "Tue, 13 Jul 2004 13:05:25 +0200")
References: <1089716725.7146.1.camel@barney.ehbuehl.net>
Message-ID: <877jt69wz4.fsf@wheatstone.g10code.de>

On Tue, 13 Jul 2004 13:05:25 +0200, Joachim Breitner said:

> and files, not keys) subkey on my gpg card. Is that possible at all with
> the current layout, or is slot 1 only meant for primary keys?

The first key on the card may be used for any kind of signing - it
can't be used for decryption, though. So technically there is no
reason to use it for a signing subkey.

Werner

From atom at suspicious.org Thu Jul 15 07:42:52 2004
From: atom at suspicious.org (Atom 'Smasher')
Date: Fri Jul 16 11:09:04 2004
Subject: --digest-algo (feature request)
Message-ID: <20040715012459.Q26762@willy_wonka>

if i set "digest-algo" to "SHA256" and try to sign something with a DSS
key, it fails (after typing a password, which makes it even more
annoying).

should signing with a DSS key ignore --digest-algo (and always use
SHA1)??

is there (or should there be) a better way to match larger hashes with
larger (non-DSS) signing keys?

if i have a 4096 RSA primary key and a DSS subkey (oh, wait a minute, i
*do* have that ;) should there be a way to specify (in the configuration
file) that i want to use a larger hash if i'm signing with my 4096 RSA
key, while not causing problems for my DSS key?

what if i generate a 2048 RSA signing subkey... let's say i want to
specify (in my config) that i want to use SHA-512 if i'm signing
something with my 4096 key; and SHA-256 if i'm signing something with a
2048 key... and of course, DSS still needs SHA-1.

        ...atom

 _________________________________________
 PGP key - http://atom.smasher.org/pgp.txt
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
 -------------------------------------------------

	"Today every inhabitant of this planet must contemplate the
	day when this planet may no longer be habitable. Every man,
	woman and child lives under a nuclear sword of Damocles,
	hanging by the slenderest of threads, capable of being cut
	at any moment by accident or miscalculation or madness."
		-- John F. Kennedy

From avbidder at fortytwo.ch Fri Jul 16 11:45:47 2004
From: avbidder at fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder)
Date: Fri Jul 16 11:43:06 2004
Subject: --digest-algo (feature request)
In-Reply-To: <20040715012459.Q26762@willy_wonka>
References: <20040715012459.Q26762@willy_wonka>
Message-ID: <200407161145.48285@fortytwo.ch>

On Thursday 15 July 2004 07.42, Atom 'Smasher' wrote:

> what if i generate a 2048 RSA signing subkey... let's say i want to
> specify (in my config) that i want to use SHA-512 if i'm signing
> something with my 4096 key; and SHA-256 if i'm signing something with
> a 2048 key... and of course, DSS still needs SHA-1.

Isn't this covered by the self-signature of the subkey? (not a
rhetorical question - I thought it should be but I didn't verify)

-- 
Today is Boomtime, the 51st day of Confusion in the YOLD 3170

From dshaw at jabberwocky.com Fri Jul 16 14:18:18 2004
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Jul 16 14:15:15 2004
Subject: --digest-algo (feature request)
In-Reply-To: <20040715012459.Q26762@willy_wonka>
References: <20040715012459.Q26762@willy_wonka>
Message-ID: <20040716121818.GA7775@jabberwocky.com>

On Thu, Jul 15, 2004 at 01:42:52AM -0400, Atom 'Smasher' wrote:

> if i set "digest-algo" to "SHA256" and try to sign something with a DSS
> key, it fails (after typing a password, which makes it even more
> annoying).
>
> should signing with a DSS key ignore --digest-algo (and always use SHA1)??
>
> is there (or should there be) a better way to match larger hashes with
> larger (non-DSS) signing keys?
>
> if i have a 4096 RSA primary key and a DSS subkey (oh, wait a minute, i
> *do* have that ;) should there be a way to specify (in the configuration
> file) that i want to use a larger hash if i'm signing with my 4096 RSA
> key, while not causing problems for my DSS key?

    personal-digest-preferences sha256 sha1

That means "use SHA256 if possible, SHA1 otherwise". Actually, you
could even leave off the "sha1" and it would still work since SHA1 is
the default algorithm. This list of preferences also comes into play
when you sign and encrypt a message to other people: only algorithms
on this list are considered, and ranked in that order.

Note that this is only a 1.3.x feature.

> what if i generate a 2048 RSA signing subkey... let's say i want to
> specify (in my config) that i want to use SHA-512 if i'm signing something
> with my 4096 key; and SHA-256 if i'm signing something with a 2048 key...
> and of course, DSS still needs SHA-1.

That isn't possible with the current system. GnuPG will pick the first
algorithm that is possible to use, so both RSA keys would pick the
highest ranked digest.

David

From dshaw at jabberwocky.com Fri Jul 16 14:18:56 2004
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Jul 16 14:15:53 2004
Subject: --digest-algo (feature request)
In-Reply-To: <200407161145.48285@fortytwo.ch>
References: <20040715012459.Q26762@willy_wonka>
	<200407161145.48285@fortytwo.ch>
Message-ID: <20040716121856.GB7775@jabberwocky.com>

On Fri, Jul 16, 2004 at 11:45:47AM +0200, Adrian 'Dagurashibanipal' von Bidder wrote:
> On Thursday 15 July 2004 07.42, Atom 'Smasher' wrote:
>
> > what if i generate a 2048 RSA signing subkey... let's say i want to
> > specify (in my config) that i want to use SHA-512 if i'm signing
> > something with my 4096 key; and SHA-256 if i'm signing something with
> > a 2048 key... and of course, DSS still needs SHA-1.
>
> Isn't this covered by the self-signature of the subkey? (not a
> rhetorical question - I thought it should be but I didn't verify)

No, the preferences in the selfsig handle signatures TO that person
(i.e. in an encrypt+sign operation by someone else).

David

From mail at joachim-breitner.de Fri Jul 16 14:49:49 2004
From: mail at joachim-breitner.de (Joachim Breitner)
Date: Fri Jul 16 14:46:43 2004
Subject: Signature-Subkey on GnuPG-Card
In-Reply-To: <877jt69wz4.fsf@wheatstone.g10code.de>
References: <1089716725.7146.1.camel@barney.ehbuehl.net> <877jt69wz4.fsf@wheatstone.g10code.de>
Message-ID: <1089982189.793.3.camel@barney.ehbuehl.net>

Hi,

On Wed, 14.07.2004 at 22:04, Werner Koch wrote:

> On Tue, 13 Jul 2004 13:05:25 +0200, Joachim Breitner said:
> > and files, not keys) subkey on my gpg card. Is that possible at all with
> > the current layout, or is slot 1 only meant for primary keys?
>
> The first key on the card may be used for any kind of signing - it
> can't be used for decryption, though.  So technically there is no
> reason to use it for a signing subkey.

Thx for clearing this up for me. Actually, I managed to use it, as you
can see in my last mail's patch.

Joachim

--
Joachim Breitner
e-Mail: mail@joachim-breitner.de
Homepage: http://www.joachim-breitner.de
ICQ#: 74513189
Please do not send me Word or PowerPoint attachments.
See http://www.fsf.org/philosophy/no-word-attachments.de.html

From t.schorpp at gmx.de Fri Jul 16 17:30:45 2004
From: t.schorpp at gmx.de (Thomas Schorpp)
Date: Fri Jul 16 17:28:28 2004
Subject: [FEATURE REQ, RFC], improving ergonomic HMI fingerprint cross verification
Message-ID: <40F7F4A5.4000109@gmx.de>

hello @all,

since it's a little hard to cross-verify fingerprints on websites and
especially over telephone calls with human voice conversation due to
the long hexadecimal printouts of gpg --fingerprint, this could be a
significant issue to the whole openpgp trust verification system
implying failure on human error.

in short: it's good reason therefore to have the old pgp way of
option to print out the fingerprint the "military style",
eg. "alpha, delta" easier and more securely human processable
substitutes for "0abc, cd ef" in gnupg, kgpg and enigmail, maybe
interesting for the Ägypten projects too.

request for comments and analysis. (?)

y
tom

From atom at suspicious.org Fri Jul 16 17:52:14 2004
From: atom at suspicious.org (Atom 'Smasher')
Date: Fri Jul 16 17:49:17 2004
Subject: --digest-algo (feature request)
In-Reply-To: <20040715012459.Q26762@willy_wonka>
References: <20040715012459.Q26762@willy_wonka>
Message-ID:

(responding to self)

i just "discovered" --personal-digest-preferences, which seems to mostly
do what i need.

> if i set "digest-algo" to "SHA256" and try to sign something with a DSS
> key, it fails (after typing a password, which makes it even more
> annoying).
>
> should signing with a DSS key ignore --digest-algo (and always use SHA1)??
>
> is there (or should there be) a better way to match larger hashes with
> larger (non-DSS) signing keys?
>
> if i have a 4096 RSA primary key and a DSS subkey (oh, wait a minute, i
> *do* have that ;) should there be a way to specify (in the configuration
> file) that i want to use a larger hash if i'm signing with my 4096 RSA
> key, while not causing problems for my DSS key?
>
> what if i generate a 2048 RSA signing subkey... let's say i want to
> specify (in my config) that i want to use SHA-512 if i'm signing something
> with my 4096 key; and SHA-256 if i'm signing something with a 2048 key...
> and of course, DSS still needs SHA-1.

        ...atom

_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------

        "In nature there are neither rewards nor
        punishments - there are consequences."
                -- Robert G. Ingersoll

From dshaw at jabberwocky.com Fri Jul 16 17:52:49 2004
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Jul 16 17:49:47 2004
Subject: [FEATURE REQ, RFC], improving ergonomic HMI fingerprint cross verification
In-Reply-To: <40F7F4A5.4000109@gmx.de>
References: <40F7F4A5.4000109@gmx.de>
Message-ID: <20040716155249.GC13525@jabberwocky.com>

On Fri, Jul 16, 2004 at 05:30:45PM +0200, Thomas Schorpp wrote:

> hello @all,
>
> since it's a little hard to cross-verify fingerprints on websites and
> especially over telephone calls with human voice conversation due to
> the long hexadecimal printouts of gpg --fingerprint, this could be a
> significant issue to the whole openpgp trust verification system
> implying failure on human error.
>
> in short: it's good reason therefore to have the old pgp way of
> option to print out the fingerprint the "military style",
> eg. "alpha, delta" easier and more securely human processable
> substitutes for "0abc, cd ef" in gnupg, kgpg and enigmail, maybe
> interesting for the Ägypten projects too.

The problem with this sort of thing is translation.  I don't know what
"Alpha Bravo Charlie Delta Echo Foxtrot" would be in other languages,
or even if it would be pronounced the same way.  Still, this is an ITU
standard, so perhaps it would be familiar enough.

http://www.columbia.edu/~fuat/cuarc/phonetic.html has a lot of
phonetic alphabets.

Incidentally, PGP has what their marketing calls "biometric"
fingerprints.  This is just a word list so people don't have to read
out the hex fingerprint.  For example, my key fingerprint is:

  7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560

But in "biometric" form, it is:

  klaxon misnomer willow company
  cleanup potato upset hurricane
  drainage resistor python outfielder
  suspense guitarist optic hideaway
  prowler Capricorn bombast fortitude

This would be a really big problem for translators.

David

From t.schorpp at gmx.de Fri Jul 16 18:58:28 2004
From: t.schorpp at gmx.de (Thomas Schorpp)
Date: Fri Jul 16 18:56:15 2004
Subject: [FEATURE REQ, RFC], improving ergonomic HMI fingerprint cross verification
In-Reply-To: <20040716155249.GC13525@jabberwocky.com>
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com>
Message-ID: <40F80934.5030904@gmx.de>

David Shaw wrote:

| On Fri, Jul 16, 2004 at 05:30:45PM +0200, Thomas Schorpp wrote:
|
|>hello @all,
|>
|>since it's a little hard to cross-verify fingerprints on websites and
|>especially over telephone calls with human voice conversation due to
|>the long hexadecimal printouts of gpg --fingerprint, this could be a
|>significant issue to the whole openpgp trust verification system
|>implying failure on human error.
|>
|>in short: it's good reason therefore to have the old pgp way of
|>option to print out the fingerprint the "military style",
|>eg. "alpha, delta" easier and more securely human processable
|>substitutes for "0abc, cd ef" in gnupg, kgpg and enigmail, maybe
|>interesting for the Ägypten projects too.
|
|
| The problem with this sort of thing is translation.  I don't know what
| "Alpha Bravo Charlie Delta Echo Foxtrot" would be in other languages,
| or even if it would be pronounced the same way.  Still, this is an ITU
| standard, so perhaps it would be familiar enough.
|
| http://www.columbia.edu/~fuat/cuarc/phonetic.html has a lot of
| phonetic alphabets.
|
| Incidentally, PGP has what their marketing calls "biometric"
| fingerprints.  This is just a word list so people don't have to read
| out the hex fingerprint.  For example, my key fingerprint is:
|
|   7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
|
| But in "biometric" form, it is:
|
|   klaxon misnomer willow company
|   cleanup potato upset hurricane
|   drainage resistor python outfielder
|   suspense guitarist optic hideaway
|   prowler Capricorn bombast fortitude
|
| This would be a really big problem for translators.
|
| David

yes, agreed, additional comms translation stages, especially human
language trans, must be out then, cos it'll imply errors and endanger
the system, too risky.

and since the most people due to my surveys got most problems using
cryptographic systems apps and only few problems communicating a
little set of english words correctly, a us-english default for this
held out of gnupg's localisation translations should be
acceptable(?).

security: the process of this fingerprint translation should be done
only within gnupg's secure core, respectively, kgpg, etc, should only
display the result.

are there any security analyses done about that "biometric trans" so
far?

law question: will i violate nai's and patents rights in
implementing this or other usable "biometric form" in gnupg?

tom

From wk at gnupg.org Fri Jul 16 18:55:51 2004
From: wk at gnupg.org (Werner Koch)
Date: Fri Jul 16 18:58:20 2004
Subject: [FEATURE REQ, RFC], improving ergonomic HMI fingerprint cross verification
In-Reply-To: <20040716155249.GC13525@jabberwocky.com> (David Shaw's message of "Fri, 16 Jul 2004 11:52:49 -0400")
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com>
Message-ID: <87u0w728o8.fsf@wheatstone.g10code.de>

On Fri, 16 Jul 2004 11:52:49 -0400, David Shaw said:

> The problem with this sort of thing is translation.  I don't know what
> "Alpha Bravo Charlie Delta Echo Foxtrot" would be in other languages,

It is the standard in all wireless communications.  For example all
radio amateurs are required to know this phonetic alphabet.  AFAIK, it
has been chosen so that all terms are easily distinguishable even by
most non-english speakers.

However, I don't think that printing these words will help much and it
makes visible comparison of a printout to a screen displayed
fingerprint even harder.

> This would be a really big problem for translators.

Not only this.  Such an alphabet is highly dependent on a good
understanding of the language and thus every language would need its
own alphabet - making it even harder to exchange fingerprints across
borders.

Thus better learn the Alpha..Zulu alphabet and just use it when
reading fingerprints to someone.

Werner

From mooney at dogbert.cc.ndsu.NoDak.edu Fri Jul 16 19:39:03 2004
From: mooney at dogbert.cc.ndsu.NoDak.edu (Tim Mooney)
Date: Fri Jul 16 19:35:58 2004
Subject: [FEATURE REQ, RFC], improving ergonomic HMI fingerprint cross verification
In-Reply-To: <87u0w728o8.fsf@wheatstone.g10code.de>
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com> <87u0w728o8.fsf@wheatstone.g10code.de>
Message-ID:

In regard to: Re: [FEATURE REQ, RFC], improving ergonomic HMI fingerprint...:

> Thus better learn the Alpha..Zulu alphabet and just use it when
> reading fingerprints to someone.

I was never in the military so I have a hard time remembering the
"international" call signs.  Hence the perl script I use (I call it
`callsign'):

#!/local/bin/perl -w
#
# Author: Tim Mooney
# Copyright: GPL
#
# TVM: convert a letter to its call-sign equivalent
#

# Lookup table: every letter in both cases, plus the digit 9.
%signs = (
	'a' => 'alpha',		'A' => 'Alpha',
	'b' => 'bravo',		'B' => 'Bravo',
	'c' => 'charlie',	'C' => 'Charlie',
	'd' => 'delta',		'D' => 'Delta',
	'e' => 'echo',		'E' => 'Echo',
	'f' => 'foxtrot',	'F' => 'Foxtrot',
	'g' => 'golf',		'G' => 'Golf',
	'h' => 'hotel',		'H' => 'Hotel',
	'i' => 'india',		'I' => 'India',
	'j' => 'juliet',	'J' => 'Juliet',
	'k' => 'kilo',		'K' => 'Kilo',
	'l' => 'lima',		'L' => 'Lima',
	'm' => 'mike',		'M' => 'Mike',
	'n' => 'november',	'N' => 'November',
	'o' => 'oscar',		'O' => 'Oscar',
	'p' => 'papa',		'P' => 'Papa',
	'q' => 'quebec',	'Q' => 'Quebec',
	'r' => 'romeo',		'R' => 'Romeo',
	's' => 'sierra',	'S' => 'Sierra',
	't' => 'tango',		'T' => 'Tango',
	'u' => 'uniform',	'U' => 'Uniform',
	'v' => 'victor',	'V' => 'Victor',
	'w' => 'whiskey',	'W' => 'Whiskey',
	'x' => 'xray',		'X' => 'Xray',
	'y' => 'yankee',	'Y' => 'Yankee',
	'z' => 'zulu',		'Z' => 'Zulu',
	'9' => '9er',
);

# Read lines from stdin or the named files and translate them one
# character at a time; anything not in the table is printed unchanged.
while (<>) {
	chomp($line=$_);

	for ($i=0; $i< length($line); $i++) {
		$l=substr($line,$i,1);
		if (exists($signs{$l})) {
			print " ", $signs{$l}, " ";
		} else {
			print "$l";
		}
	}
	print "\n";
}

exit(0);

As an example of use, I would do something like:

	gpg --fingerprint mooney

and then cut and paste (or sed out) the fingerprint and echo it into
the program, like

	echo "4A21 BFC1 E902 4518 968A 55A9 015F 6BA4 4757 6386" | callsign

which results in

	4 Alpha 21 Bravo Foxtrot Charlie 1 Echo 9er 02 4518 9er 68 Alpha
	55 Alpha 9er 015 Foxtrot 6 Bravo Alpha 4 4757 6386

It would be simple to extend so that it always (or optionally) "spelled out"
the numbers (one, two, etc.) and other characters (dash, space, etc.).

Tim
--
Tim Mooney                              mooney@dogbert.cc.ndsu.NoDak.edu
Information Technology Services         (701) 231-1076 (Voice)
Room 242-J6, IACC Building              (701) 231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164

From t.schorpp at gmx.de Fri Jul 16 19:57:32 2004
From: t.schorpp at gmx.de (Thomas Schorpp)
Date: Fri Jul 16 19:55:15 2004
Subject: [FEATURE REQ, RFC], improving ergonomic HMI fingerprint cross verification
In-Reply-To: <87u0w728o8.fsf@wheatstone.g10code.de>
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com> <87u0w728o8.fsf@wheatstone.g10code.de>
Message-ID: <40F8170C.9090904@gmx.de>

Werner Koch wrote:

| On Fri, 16 Jul 2004 11:52:49 -0400, David Shaw said:
|
|
|>The problem with this sort of thing is translation.  I don't know what
|>"Alpha Bravo Charlie Delta Echo Foxtrot" would be in other languages,
|
|
| It is the standard in all wireless communications.  For example all
| radio amateurs are required to know this phonetic alphabet.  AFAIK, it
| has been chosen so that all terms are easily distinguishable even by
| most non-english speakers.

full agree.

|
| However, I don't think that printing these words will help much and it
| makes visible comparison of a printout to a screen displayed
| fingerprint even harder.
|

taking that. but maybe to an assembler coder..., i have got feedback
from professional HMI ergonomists (friends), they disagree. anyway,
i've asked not for change, it could be just an add. option.

|
|>This would be a really big problem for translators.
|
|
| Not only this.  Such an alphabet is highly dependent on a good
| understanding of the language and thus every language would need its
| own alphabet - making it even harder to exchange fingerprints across
| borders.

disagreed in my last post.

|
| Thus better learn the Alpha..Zulu alphabet and just use it when
| reading fingerprints to someone.

you mean it? absolutely unacceptable cause human error impliable by an
additional uncontrolled comms/trans layer outside the controlled
system, if ever, it's to be done by inside the system and a machine.

. . .

y
tom

From t.schorpp at gmx.de Fri Jul 16 20:38:34 2004
From: t.schorpp at gmx.de (Thomas Schorpp)
Date: Fri Jul 16 20:36:18 2004
Subject: [FEATURE REQ, RFC], improving ergonomic HMI fingerprint cross verification
In-Reply-To:
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com> <87u0w728o8.fsf@wheatstone.g10code.de>
Message-ID: <40F820AA.7040206@gmx.de>

Tim Mooney wrote:

| In regard to: Re: [FEATURE REQ, RFC], improving ergonomic HMI
| fingerprint...:
|
| As an example of use, I would do something like:
|
|     gpg --fingerprint mooney
|
| and then cut and paste (or sed out) the fingerprint and echo it into
| the program, like
|
|     echo "4A21 BFC1 E902 4518 968A 55A9 015F 6BA4 4757 6386" | callsign
|
| which results in
|
|     4 Alpha 21 Bravo Foxtrot Charlie 1 Echo 9er 02 4518 9er 68 Alpha
|     55 Alpha 9er 015 Foxtrot 6 Bravo Alpha 4 4757 6386
|

hmmm, looks complicated, we need to substitute numbers, too and it
must be done in C inside gnupg, all other should be considered easily
attackable.

|
| It would be simple to extend so that it always (or optionally) "spelled
| out"
| the numbers (one, two, etc.) and other characters (dash, space, etc.).
|
| Tim

i'm on the pgpfone's source code now for analysis, and other resources.

i like to have an agree to an extended callsign abc, then.

agree, pgp's biometrics is too much words for a chinese, etc ;)

...
tom

From dshaw at jabberwocky.com Fri Jul 16 21:22:18 2004
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Jul 16 21:19:14 2004
Subject: [FEATURE REQ, RFC], improving ergonomic HMI fingerprint cross verification
In-Reply-To:
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com> <87u0w728o8.fsf@wheatstone.g10code.de>
Message-ID: <20040716192218.GC15672@jabberwocky.com>

On Fri, Jul 16, 2004 at 12:39:03PM -0500, Tim Mooney wrote:

> In regard to: Re: [FEATURE REQ, RFC], improving ergonomic HMI
> fingerprint...:
>
> >Thus better learn the Alpha..Zulu alphabet and just use it when
> >reading fingerprints to someone.
>
> I was never in the military so I have a hard time remembering the
> "international" call signs.

For fingerprints, you only actually need to remember 6 signs: alpha,
bravo, charlie, delta, echo, foxtrot.  All the other letters cannot
occur in hex output.

> As an example of use, I would do something like:
>
> 	gpg --fingerprint mooney
>
> and then cut and paste (or sed out) the fingerprint and echo it into
> the program, like
>
> 	echo "4A21 BFC1 E902 4518 968A 55A9 015F 6BA4 4757 6386" | callsign

Try this:

  gpg --with-colons --fingerprint 99242560 | egrep '^fpr' | cut -d: -f10 | callsign

David

From dshaw at jabberwocky.com Fri Jul 16 21:35:50 2004
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Jul 16 21:32:47 2004
Subject: [FEATURE REQ, RFC], improving ergonomic HMI fingerprint cross verification
In-Reply-To: <40F80934.5030904@gmx.de>
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com> <40F80934.5030904@gmx.de>
Message-ID: <20040716193550.GD15672@jabberwocky.com>

On Fri, Jul 16, 2004 at 06:58:28PM +0200, Thomas Schorpp wrote:

> and since the most people due to my surveys got most problems using
> cryptographic systems apps and only few problems communicating a
> little set of english words correctly, a us-english default for this
> held out of gnupg's localisation translations should be
> acceptable(?).

I don't think this would work.  The whole point of using a word list
instead of hex letters is to make things easier and more secure.  A
non-English speaker is going to have some serious problems reading a
word list like that.  I'd argue that this is actually harder and less
secure than just reading the hex fingerprint.  Even people who don't
speak a word of English can read hex.

> law question: will i violate nai's and patents rights in
> implementing this or other usable "biometric form" in gnupg?

Maybe.  I expect that the word list was purchased by the pgp.com folks
when they bought the rights to PGP a few years back.  I do not know if
they have any restrictions on the list (trademark or copyright, since
I doubt a list of words is patentable, though the technique of word
lookup might be, despite the s/key prior art).

David

From mooney at dogbert.cc.ndsu.NoDak.edu Fri Jul 16 21:53:21 2004
From: mooney at dogbert.cc.ndsu.NoDak.edu (Tim Mooney)
Date: Fri Jul 16 21:50:12 2004
Subject: [FEATURE REQ, RFC], improving ergonomic HMI fingerprint cross verification
In-Reply-To: <20040716193550.GD15672@jabberwocky.com>
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com> <40F80934.5030904@gmx.de> <20040716193550.GD15672@jabberwocky.com>
Message-ID:

In regard to: Re: [FEATURE REQ, RFC], improving ergonomic HMI fingerprint...:

> Even people who don't speak a word of English can read hex.

True, and as long as both the reader and the listener speak the
same language it shouldn't be a problem, but there's still
some room for misinterpretation.  Assuming I remember my
German, when I say something that sounds like "ay",
English-speakers will think "a" but German-speakers will
think "e".

Tim
--
Tim Mooney                              mooney@dogbert.cc.ndsu.NoDak.edu
Information Technology Services         (701) 231-1076 (Voice)
Room 242-J6, IACC Building              (701) 231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164

From mooney at dogbert.cc.ndsu.NoDak.edu Fri Jul 16 21:56:48 2004
From: mooney at dogbert.cc.ndsu.NoDak.edu (Tim Mooney)
Date: Fri Jul 16 21:53:41 2004
Subject: [FEATURE REQ, RFC], improving ergonomic HMI fingerprint cross verification
In-Reply-To: <20040716192218.GC15672@jabberwocky.com>
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com> <87u0w728o8.fsf@wheatstone.g10code.de> <20040716192218.GC15672@jabberwocky.com>
Message-ID:

In regard to: Re: [FEATURE REQ, RFC], improving ergonomic HMI fingerprint...:

>> As an example of use, I would do something like:
>>
>> 	gpg --fingerprint mooney
>>
>> and then cut and paste (or sed out) the fingerprint and echo it into
>> the program, like
>>
>> 	echo "4A21 BFC1 E902 4518 968A 55A9 015F 6BA4 4757 6386" | callsign
>
> Try this:
>
>  gpg --with-colons --fingerprint 99242560 | egrep '^fpr' | cut -d: -f10 | callsign

Thanks, my preferred method would actually be:

	gpg --fingerprint mooney | sed -ne 's/^.*Key fingerprint = //p' | callsign

but I showed the "easy and straightforward" method for the masses.

Tim
--
Tim Mooney                              mooney@dogbert.cc.ndsu.NoDak.edu
Information Technology Services         (701) 231-1076 (Voice)
Room 242-J6, IACC Building              (701) 231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164

From dshaw at jabberwocky.com Fri Jul 16 21:59:41 2004
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Jul 16 21:56:36 2004
Subject: [FEATURE REQ, RFC], improving ergonomic HMI fingerprint cross verification
In-Reply-To:
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com> <40F80934.5030904@gmx.de> <20040716193550.GD15672@jabberwocky.com>
Message-ID: <20040716195940.GB16179@jabberwocky.com>

On Fri, Jul 16, 2004 at 02:53:21PM -0500, Tim Mooney wrote:

> In regard to: Re: [FEATURE REQ, RFC], improving ergonomic HMI
> fingerprint...:
>
> >Even people who don't speak a word of English can read hex.
>
> True, and as long as both the reader and the listener speak the
> same language it shouldn't be a problem, but there's still
> some room for misinterpretation.  Assuming I remember my
> German, when I say something that sounds like "ay",
> English-speakers will think "a" but German-speakers will
> think "e".

So say "alpha" when you read "A", etc.

David

From alex at syjon.fantastyka.net Fri Jul 16 22:04:36 2004
From: alex at syjon.fantastyka.net (Janusz A. Urbanowicz)
Date: Fri Jul 16 22:03:12 2004
Subject: [FEATURE REQ, RFC], improving ergonomic HMI fingerprint cross verification
In-Reply-To:
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com> <40F80934.5030904@gmx.de> <20040716193550.GD15672@jabberwocky.com>
Message-ID: <20040716200436.GH10649@syjon.fantastyka.net>

On Fri, Jul 16, 2004 at 02:53:21PM -0500, Tim Mooney wrote:

> >Even people who don't speak a word of English can read hex.
>
> True, and as long as both the reader and the listener speak the
> same language it shouldn't be a problem, but there's still
> some room for misinterpretation.  Assuming I remember my
> German, when I say something that sounds like "ay",
> English-speakers will think "a" but German-speakers will
> think "e".

I've actually had this problem while exchanging fingerprints with rms. I
think that using standard phonetic alphabet would be a good idea. To make it
shorter, convert the fingerprint to base-36 system before displaying.

Alex
--
0x46399138

From dshaw at jabberwocky.com Fri Jul 16 22:07:54 2004
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Jul 16 22:04:51 2004
Subject: [FEATURE REQ, RFC], improving ergonomic HMI fingerprint cross verification
In-Reply-To:
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com> <87u0w728o8.fsf@wheatstone.g10code.de> <20040716192218.GC15672@jabberwocky.com>
Message-ID: <20040716200754.GC16179@jabberwocky.com>

On Fri, Jul 16, 2004 at 02:56:48PM -0500, Tim Mooney wrote:

> In regard to: Re: [FEATURE REQ, RFC], improving ergonomic HMI
> fingerprint...:
>
> >>As an example of use, I would do something like:
> >>
> >>	gpg --fingerprint mooney
> >>
> >>and then cut and paste (or sed out) the fingerprint and echo it into
> >>the program, like
> >>
> >>	echo "4A21 BFC1 E902 4518 968A 55A9 015F 6BA4 4757 6386" | callsign
> >
> >Try this:
> >
> > gpg --with-colons --fingerprint 99242560 | egrep '^fpr' | cut -d: -f10 |
> > callsign
>
> Thanks, my preferred method would actually be:
>
> 	gpg --fingerprint mooney | sed -ne 's/^.*Key fingerprint = //p' | callsign
>
> but I showed the "easy and straightforward" method for the masses.

Be careful with parsing gpg output.  It is guaranteed to change
eventually and break your code (plus matching on the string "Key
fingerprint" only works if the language is English).  The only output
that will not change its format is --with-colons.

David

From mooney at dogbert.cc.ndsu.NoDak.edu Fri Jul 16 22:13:12 2004
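Added example, not part of any message in this thread and not GnuPG code: a POSIX shell take on the --with-colons pipeline discussed above that reads the fingerprint from field 10 of the fpr record and, going beyond the posted callsign script, spells out the digits too and refuses input that is not a complete fingerprint. The function names, the digit words and the sample listing are assumptions made for this example.

```shell
#!/bin/sh
# Intended use:  gpg --with-colons --fingerprint 99242560 | spell_colons

# Constructed sample of --with-colons output. Only the fingerprint comes
# from the thread; every other field is made up for the example.
SAMPLE_COLONS='pub:u:1024:17:DB698D7199242560:2004-01-01:::u:Example User <user@example.org>::scESC:
fpr:::::::::7D92FD313AB6F3734CC59CA1DB698D7199242560:
sub:u:2048:16:0123456789ABCDEF:2004-01-01::::::e:'

# Print field 10 of every "fpr" record read from stdin, upper-cased.
# Matching on the record type keeps this independent of the user's locale.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print toupper($10) }'
}

# spell_fpr FINGERPRINT
# Prints the fingerprint as words, four hex digits per comma-separated group.
# Returns 1 unless the argument is 32 or 40 hex digits, so a truncated or
# mangled fingerprint is never read out as if it were complete.
# The body runs in a subshell, which keeps its variables local.
spell_fpr() (
    LC_ALL=C; export LC_ALL
    fpr=$(printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F')
    case $fpr in
        ''|*[!0-9A-F]*)
            echo "spell_fpr: not a hexadecimal fingerprint" >&2; exit 1 ;;
    esac
    case ${#fpr} in
        32|40) ;;
        *)  echo "spell_fpr: expected 32 or 40 hex digits, got ${#fpr}" >&2
            exit 1 ;;
    esac
    out='' n=0
    while [ -n "$fpr" ]; do
        rest=${fpr#?}          # everything after the first character
        ch=${fpr%"$rest"}      # the first character itself
        fpr=$rest
        case $ch in
            0) w=zero ;;  1) w=one ;;   2) w=two ;;   3) w=three ;;
            4) w=four ;;  5) w=five ;;  6) w=six ;;   7) w=seven ;;
            8) w=eight ;; 9) w=niner ;; # "niner" follows the script's "9er"
            A) w=Alpha ;; B) w=Bravo ;; C) w=Charlie ;;
            D) w=Delta ;; E) w=Echo ;;  F) w=Foxtrot ;;
        esac
        if [ "$n" -eq 0 ]; then
            out=$w
        elif [ $((n % 4)) -eq 0 ]; then
            out="$out, $w"
        else
            out="$out $w"
        fi
        n=$((n + 1))
    done
    printf '%s\n' "$out"
)

# Read a colon listing on stdin and spell every fingerprint in it,
# one per output line; stop with status 1 at the first bad record.
spell_colons() {
    fpr_from_colons | while IFS= read -r f; do
        spell_fpr "$f" || exit 1
    done
}

# Demonstration on the constructed sample (no gpg needed).
printf '%s\n' "$SAMPLE_COLONS" | spell_colons
```
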
From: mooney at dogbert.cc.ndsu.NoDak.edu (Tim Mooney)
Date: Fri Jul 16 22:10:04 2004
Subject: [FEATURE REQ, RFC], improving ergonomic HMI fingerprint cross verification
In-Reply-To: <20040716200754.GC16179@jabberwocky.com>
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com> <87u0w728o8.fsf@wheatstone.g10code.de> <20040716192218.GC15672@jabberwocky.com> <20040716200754.GC16179@jabberwocky.com>
Message-ID:

In regard to: Re: [FEATURE REQ, RFC], improving ergonomic HMI fingerprint...:

>> Thanks, my preferred method would actually be:
>>
>> 	gpg --fingerprint mooney | sed -ne 's/^.*Key fingerprint = //p' | callsign
>>
>> but I showed the "easy and straightforward" method for the masses.
>
> Be careful with parsing gpg output.  It is guaranteed to change
> eventually and break your code (plus matching on the string "Key
> fingerprint" only works if the language is English).  The only output
> that will not change its format is --with-colons.

:-)  You win, your method is better.

Tim
--
Tim Mooney                              mooney@dogbert.cc.ndsu.NoDak.edu
Information Technology Services         (701) 231-1076 (Voice)
Room 242-J6, IACC Building              (701) 231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164

From fw at deneb.enyo.de Sat Jul 17 00:14:34 2004
From: fw at deneb.enyo.de (Florian Weimer)
Date: Sat Jul 17 00:11:30 2004
Subject: [FEATURE REQ, RFC], improving ergonomic HMI fingerprint cross verification
In-Reply-To: (Tim Mooney's message of "Fri, 16 Jul 2004 14:53:21 -0500 (CDT)")
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com> <40F80934.5030904@gmx.de> <20040716193550.GD15672@jabberwocky.com>
Message-ID: <878ydjeh11.fsf@deneb.enyo.de>

* Tim Mooney:

> True, and as long as both the reader and the listener speak the
> same language it shouldn't be a problem, but there's still
> some room for misinterpretation.  Assuming I remember my
> German, when I say something that sounds like "ay",
> English-speakers will think "a" but German-speakers will
> think "e".

I don't think such ambiguities matter much because they don't really
make finding collisions easier.

From atom at suspicious.org Sat Jul 17 06:49:04 2004
From: atom at suspicious.org (Atom 'Smasher')
Date: Sat Jul 17 06:46:14 2004
Subject: [FEATURE REQ, RFC], improving ergonomic HMI fingerprint cross verification
In-Reply-To: <20040716155249.GC13525@jabberwocky.com>
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com>
Message-ID: <20040717004649.M26762@willy_wonka>

On Fri, 16 Jul 2004, David Shaw wrote:

> Incidentally, PGP has what their marketing calls "biometric"
> fingerprints.  This is just a word list so people don't have to read
> out the hex fingerprint.  For example, my key fingerprint is:
>
>  7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
>
> But in "biometric" form, it is:
>
>  klaxon misnomer willow company
>  cleanup potato upset hurricane
>  drainage resistor python outfielder
>  suspense guitarist optic hideaway
>  prowler Capricorn bombast fortitude
==========================

is that intended to solve a problem? or create new problems?

maybe it's a good thing the gpg team doesn't have a marketing dept ;)

        ...atom

_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------

        "Not a single war has been fought by vegetarians."
                -- Akbarali Jetha

From atom at suspicious.org Sat Jul 17 07:13:49 2004
From: atom at suspicious.org (Atom 'Smasher')
Date: Sat Jul 17 07:10:48 2004
Subject: 1.3.6 - hashes on 0x18 signatures
Message-ID: <20040717010156.N26762@willy_wonka>

1.3.6 can create keybinding signatures with SHA-256 hashes. this is cool.

but it doesn't seem possible (with 1.3.6) to change to an SHA-256 hash
when a new keybinding signature is generated over a subkey that was
previously signed with an SHA-1 hash.

when updating a previously generated signature, shouldn't the hash be
updated, if "--cert-digest-algo" is specified?

        ...atom

_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------

        "The wireless telegraph is not difficult to understand.
        The ordinary telegraph is like a very long cat. You pull
        the tail in New York, and it meows in Los Angeles. The
        wireless is the same, only without the cat."
                -- Albert Einstein

From t.schorpp at gmx.de Sat Jul 17 16:03:26 2004
From: t.schorpp at gmx.de (Thomas Schorpp)
Date: Sat Jul 17 16:01:02 2004
Subject: [FEATURE REQ, RFC], improving ergonomic HMI fingerprint cross verification
In-Reply-To: <20040717004649.M26762@willy_wonka>
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com> <20040717004649.M26762@willy_wonka>
Message-ID: <40F931AE.9000208@gmx.de>

Atom 'Smasher' wrote:

| is that intended to solve a problem? or create new problems?

please analyze and report.

|
| maybe it's a good thing the gpg team doesn't have a marketing dept ;)
|

but it HAS ! ;]]
"... lets create and sell a new instance of GOD, guys!"

|
|         ...atom
|
| _________________________________________
| PGP key - http://atom.smasher.org/pgp.txt
| 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
| -------------------------------------------------
|
|         "Not a single war has been fought by vegetarians."
|                 -- Akbarali Jetha

... cause they're WEAK ;]

tom

From atom at suspicious.org Sun Jul 18 07:14:45 2004
From: atom at suspicious.org (Atom 'Smasher')
Date: Sun Jul 18 07:11:59 2004
Subject: some "--list-options" not working?
Message-ID: <20040718010422.Q26762@willy_wonka>

trying this with 1.3.6:
  $ gpg --list-options show-long-keyids --list-keys smasher
  gpg: unknown option `show-long-keyids'
  gpg: invalid list options

"show-policy-urls" seems to be silently ignored.

i'm pretty sure i'm using "--list-options" correctly, because this:
  $ gpg --list-options show-sig-expire,show-validity --list-keys smasher
seems to work fine, showing both expirations and validity.

...atom

_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------

"America will never be destroyed from the outside.
If we falter,and lose our freedoms, it will be
because we destroyed ourselves."
-- Abraham Lincoln

From atom at suspicious.org Sun Jul 18 11:23:02 2004
From: atom at suspicious.org (Atom 'Smasher')
Date: Sun Jul 18 11:20:11 2004
Subject: compression info & "--verbose"
Message-ID: <20040718050614.O26762@willy_wonka>

when processing a message, why doesn't "--verbose" display information
about the compression algorithm and level?

the information about the algorithm (but not the level) seems to only be
available if verbose is specified twice, which turns on the "historical
feature" of "--list-packets" sending info to STDOUT instead of STDERR.

...atom

_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------

"Microsoft shouldn't be broken up. It should be shut down."
-- Bruce Schneier, 15 May 2000

From dshaw at jabberwocky.com Sun Jul 18 15:21:52 2004
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun Jul 18 15:18:49 2004
Subject: some "--list-options" not working?
In-Reply-To: <20040718010422.Q26762@willy_wonka>
References: <20040718010422.Q26762@willy_wonka>
Message-ID: <20040718132152.GC18366@jabberwocky.com>

On Sun, Jul 18, 2004 at 01:14:45AM -0400, Atom 'Smasher' wrote:
> trying this with 1.3.6:
>   $ gpg --list-options show-long-keyids --list-keys smasher
>   gpg: unknown option `show-long-keyids'
>   gpg: invalid list options
>
> "show-policy-urls" seems to be silently ignored.

Having trouble parsing this - you gave the show-long-keyids list
option (which no longer exists), but really wanted show-policy-urls?

David

From dshaw at jabberwocky.com Sun Jul 18 16:00:12 2004
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun Jul 18 15:57:09 2004
Subject: compression info & "--verbose"
In-Reply-To: <20040718050614.O26762@willy_wonka>
References: <20040718050614.O26762@willy_wonka>
Message-ID: <20040718140012.GD18366@jabberwocky.com>

On Sun, Jul 18, 2004 at 05:23:02AM -0400, Atom 'Smasher' wrote:
> when processing a message, why doesn't "--verbose" display information
> about the compression algorithm and level?

No major reason, except that the compression algorithm isn't that
relevant to the security of the message.

> the information about the algorithm (but not the level) seems to
> only be available if verbose is specified twice, which turns on the
> "historical feature" of "--list-packets" sending info to STDOUT
> instead of STDERR.

The level is not available.  That is internal data from the
compression algorithm and is not visible from the OpenPGP level.

David

From dshaw at jabberwocky.com Sun Jul 18 16:06:14 2004
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun Jul 18 16:03:14 2004
Subject: [FEATURE REQ, RFC], improving ergonomic HMI fingerprint cross verification
In-Reply-To: <20040717004649.M26762@willy_wonka>
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com>
 <20040717004649.M26762@willy_wonka>
Message-ID: <20040718140614.GE18366@jabberwocky.com>

On Sat, Jul 17, 2004 at 12:49:04AM -0400, Atom 'Smasher' wrote:
> On Fri, 16 Jul 2004, David Shaw wrote:
>
> > Incidentally, PGP has what their marketing calls "biometric"
> > fingerprints.  This is just a word list so people don't have to read
> > out the hex fingerprint.  For example, my key fingerprint is:
> >
> >   7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
> >
> > But in "biometric" form, it is:
> >
> >   klaxon misnomer willow company
> >   cleanup potato upset hurricane
> >   drainage resistor python outfielder
> >   suspense guitarist optic hideaway
> >   prowler Capricorn bombast fortitude
> ==========================
>
> is that intended to solve a problem? or create new problems?

Clearly it's useful to someone, or it wouldn't be in the product.
Just because it is inappropriate for GnuPG, doesn't mean that it's
useless everywhere.

I think the history of the word list originated in pgpfone, where
reading word lists via a somewhat-iffy voice connection was considered
safer than reading hex.

David

From atom at suspicious.org Sun Jul 18 20:41:14 2004
From: atom at suspicious.org (Atom 'Smasher')
Date: Sun Jul 18 20:38:20 2004
Subject: some "--list-options" not working?
In-Reply-To: <20040718132152.GC18366@jabberwocky.com>
References: <20040718010422.Q26762@willy_wonka> <20040718132152.GC18366@jabberwocky.com>
Message-ID: <20040718143130.X26762@willy_wonka>

On Sun, 18 Jul 2004, David Shaw wrote:

> On Sun, Jul 18, 2004 at 01:14:45AM -0400, Atom 'Smasher' wrote:
>> trying this with 1.3.6:
>>   $ gpg --list-options show-long-keyids --list-keys smasher
>>   gpg: unknown option `show-long-keyids'
>>   gpg: invalid list options
>>
>> "show-policy-urls" seems to be silently ignored.
>
> Having trouble parsing this - you gave the show-long-keyids list
> option (which no longer exists), but really wanted show-policy-urls?
====================

according to the 1.3.6 man page, "show-long-keyids" is valid. i was
wondering if that was superseded by "--keyid-format", which seems more
versatile... that would make sense then, that "show-long-keyids" is not a
recognized list option, and produces an error.

i was thinking that this command (1.3.6):
  $ gpg --list-options show-policy-url --list-keys 0xD9F57808
would show some policy urls, but it doesn't.

...atom

_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------

"The more corrupt the state, the more numerous the laws."
-- Tacitus (A.D. 55?-130?)

From atom at suspicious.org Sun Jul 18 20:50:20 2004
From: atom at suspicious.org (Atom 'Smasher')
Date: Sun Jul 18 20:47:20 2004
Subject: compression info & "--verbose"
In-Reply-To: <20040718140012.GD18366@jabberwocky.com>
References: <20040718050614.O26762@willy_wonka> <20040718140012.GD18366@jabberwocky.com>
Message-ID: <20040718144203.W26762@willy_wonka>

On Sun, 18 Jul 2004, David Shaw wrote:

> On Sun, Jul 18, 2004 at 05:23:02AM -0400, Atom 'Smasher' wrote:
>> when processing a message, why doesn't "--verbose" display information
>> about the compression algorithm and level?
>
> No major reason, except that the compression algorithm isn't that
> relevant to the security of the message.
=======================

but whether or not the message is compressed ~does~ impact the security of
the message, and in the same amount of space it takes to display if it's
compressed, the compression type (or "0/uncompressed") can be displayed.

also, this can help determine that a sender's implementation is working...
if one receives a message that's bzip2 compressed, but that's not listed
in their preferences, there's likely a problem on the sender's side. as a
practical matter, if one receives a message that's not compressed then
something weird is going on.

...atom

_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------

"Politics is the art of preventing people from taking
part in affairs which properly concern them."
-- Paul Valery

From wk at gnupg.org Sun Jul 18 22:24:59 2004
From: wk at gnupg.org (Werner Koch)
Date: Sun Jul 18 22:23:24 2004
Subject: [FEATURE REQ, RFC], improving ergonomic HMI fingerprint cross verification
In-Reply-To: <40F8170C.9090904@gmx.de> (Thomas Schorpp's message of "Fri, 16 Jul 2004 19:57:32 +0200")
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com>
 <87u0w728o8.fsf@wheatstone.g10code.de> <40F8170C.9090904@gmx.de>
Message-ID: <87zn5xxdus.fsf@wheatstone.g10code.de>

On Fri, 16 Jul 2004 19:57:32 +0200, Thomas Schorpp said:

> taking that. but maybe to an assembler coder..., i have got feedback
> from professional HMI ergonomists (friends), they disagree.

They probably never signed a key.

The fastest method I use works if someone uses a printout in a
standard size.  I then take the paper slip, put it directly onto the
display surface, just below the displayed fingerprint, and I am able
to find a mismatch at a glance.

Nowadays that everyone has a business card with a fingerprint, this
doesn't work very well anymore ;-).

> | Thus better learn the Alpha..Zulu alphabet and just use it when
> | reading fingerprints to someone.

> you mean it? absolutely inacceptable cause human error impliable by an

Yes, that are just 6 words.  And well it doesn't matter much if you
accidentally use Berta instead of Bravo.

Werner

From wk at gnupg.org Sun Jul 18 22:31:04 2004
From: wk at gnupg.org (Werner Koch)
Date: Sun Jul 18 22:33:23 2004
Subject: compression info & "--verbose"
In-Reply-To: <20040718144203.W26762@willy_wonka> (atom@suspicious.org's message of "Sun, 18 Jul 2004 14:50:20 -0400 (EDT)")
References: <20040718050614.O26762@willy_wonka> <20040718140012.GD18366@jabberwocky.com>
 <20040718144203.W26762@willy_wonka>
Message-ID: <87smbpxdkn.fsf@wheatstone.g10code.de>

On Sun, 18 Jul 2004 14:50:20 -0400 (EDT), Atom 'Smasher' said:

> the sender's side. as a practical matter, if one receives a message
> that's not compressed then something weird is going on.

You will receive such a message if the data fed to gpg has already
been compressed; i.e. the compression was done outside of gpg.

Werner

From atom at suspicious.org Sun Jul 18 22:58:56 2004
From: atom at suspicious.org (Atom 'Smasher')
Date: Sun Jul 18 22:56:07 2004
Subject: compression info & "--verbose"
In-Reply-To: <87smbpxdkn.fsf@wheatstone.g10code.de>
References: <20040718050614.O26762@willy_wonka> <20040718140012.GD18366@jabberwocky.com>
 <20040718144203.W26762@willy_wonka> <87smbpxdkn.fsf@wheatstone.g10code.de>
Message-ID: <20040718165500.M26762@willy_wonka>

On Sun, 18 Jul 2004, Werner Koch wrote:

> On Sun, 18 Jul 2004 14:50:20 -0400 (EDT), Atom 'Smasher' said:
>
>> the sender's side. as a practical matter, if one receives a message
>> that's not compressed then something weird is going on.
>
> You will receive such a message if the data fed to gpg has already
> been compressed; i.e. the compression was done outside of gpg.
=======================

or just get gibberish when decrypting.

what i want to know (when using --verbose) is what compression algorithm
(currently 0-3) the application used to compress the encrypted data...

...atom

_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------

"I recognize that a class of criminals and juvenile
delinquents has taken to calling themselves 'hackers',
but I consider them irrelevant to the true meaning of
the word; just as the Mafia calls themselves 'businessmen'
but nobody pays that fact any attention."
-- Robert Bickford

From dshaw at jabberwocky.com Mon Jul 19 01:48:52 2004
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon Jul 19 01:45:53 2004
Subject: some "--list-options" not working?
In-Reply-To: <20040718143130.X26762@willy_wonka>
References: <20040718010422.Q26762@willy_wonka> <20040718132152.GC18366@jabberwocky.com>
 <20040718143130.X26762@willy_wonka>
Message-ID: <20040718234852.GA19620@jabberwocky.com>

On Sun, Jul 18, 2004 at 02:41:14PM -0400, Atom 'Smasher' wrote:
> On Sun, 18 Jul 2004, David Shaw wrote:
>
> > On Sun, Jul 18, 2004 at 01:14:45AM -0400, Atom 'Smasher' wrote:
> >> trying this with 1.3.6:
> >>   $ gpg --list-options show-long-keyids --list-keys smasher
> >>   gpg: unknown option `show-long-keyids'
> >>   gpg: invalid list options
> >>
> >> "show-policy-urls" seems to be silently ignored.
> >
> > Having trouble parsing this - you gave the show-long-keyids list
> > option (which no longer exists), but really wanted show-policy-urls?
> ====================
>
> according to the 1.3.6 man page, "show-long-keyids" is valid. i was
> wondering if that was superseded by "--keyid-format", which seems more
> versatile... that would make sense then, that "show-long-keyids" is not a
> recognized list option, and produces an error.

Yes, documentation bug.  I forgot to remove show-long-keyids when
keyid-format was added.

> i was thinking that this command (1.3.6):
>   $ gpg --list-options show-policy-url --list-keys 0xD9F57808
> would show some policy urls, but it doesn't.

No.  You'd need to do --list-sigs.  Policy URLs live on the signature,
not the key.

It's not out of the question to show self-sig policy URLs during a
--list-keys, but it does not do that now.

David

From dshaw at jabberwocky.com Mon Jul 19 02:44:15 2004
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon Jul 19 02:41:11 2004
Subject: 1.3.6 - hashes on 0x18 signatures
In-Reply-To: <20040717010156.N26762@willy_wonka>
References: <20040717010156.N26762@willy_wonka>
Message-ID: <20040719004415.GB19620@jabberwocky.com>

On Sat, Jul 17, 2004 at 01:13:49AM -0400, Atom 'Smasher' wrote:
> 1.3.6 can create keybinding signatures with SHA-256 hashes. this is cool.
> but it doesn't seem possible (with 1.3.6) to change to an SHA-256 hash
> when a new keybinding signature is generated over a subkey that was
> previously signed with an SHA-1 hash.
>
> when updating a previously generated signature, shouldn't the hash be
> updated, if "--cert-digest-algo" is specified?

No.  The signature update should only perform the action specifically
requested by the user (change expiration, change preferences, etc).
Doing anything in addition violates that expectation.

It's possible to have a function that remakes signatures with whatever
parameters are desired, but it is not appropriate to do this silently
during a function that happens to rewrite the signature for other
purposes.

David

From dshaw at jabberwocky.com Mon Jul 19 03:02:42 2004
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon Jul 19 02:59:38 2004
Subject: --list-only and symmetric encryption (fwd)
In-Reply-To:
References: <20040628045923.U92142@willy_wonka> <20040628224857.GA6406@jabberwocky.com>
 <20040629234329.N92142@willy_wonka> <20040630183117.GC7180@jabberwocky.com>
Message-ID: <20040719010242.GC19620@jabberwocky.com>

On Tue, Jul 06, 2004 at 11:41:15AM -0400, Atom 'Smasher' wrote:
> On Wed, 30 Jun 2004, David Shaw wrote:
> > On Tue, Jun 29, 2004 at 11:46:53PM -0400, Atom 'Smasher' wrote:
>
> > > i'm curious how that works... i understand how a message can be encrypted
> > > to multiple public keys, since the bulk encryption is only done using one
> > > key. i don't understand how a message can be efficiently ("efficiently",
> > > meaning that the message is only encrypted once) encrypted to multiple
> > > symmetric keys.
> >
> > It works the same way that it does with public keys.  The data is
> > encrypted using a random session key, then that session key is
> > encrypted using the passphrase.  If you want to use multiple
> > passphrases, just encrypt the random session key to as many
> > passphrases as you like.
> ===================
>
> so, GnuPG can read, but not create these messages? are there plans handle
> creation? or would it have to be done by performing packet-surgery with
> gpgsplit?

I'm sure eventually it will make it into GnuPG.  It's unfortunately
not possible to do packet surgery with gpgsplit to do this since it
requires the session key to be the same for all passphrases.

> if only a single symmetric passphrase is used, is there still a session
> key encrypted with the symmetric key? (i only have text access right now,
> and can't get to a copy of the RFC).

Yes and no.  If you have a message with multiple passphrases or a
message that can be decrypted via a passphrase or the public key
system then yes.  Otherwise, the mangled passphrase *is* the session
key.

David

From dshaw at jabberwocky.com Mon Jul 19 05:10:10 2004
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon Jul 19 05:07:07 2004
Subject: compression info & "--verbose"
In-Reply-To: <20040718165500.M26762@willy_wonka>
References: <20040718050614.O26762@willy_wonka> <20040718140012.GD18366@jabberwocky.com>
 <20040718144203.W26762@willy_wonka> <87smbpxdkn.fsf@wheatstone.g10code.de>
 <20040718165500.M26762@willy_wonka>
Message-ID: <20040719031010.GD19620@jabberwocky.com>

On Sun, Jul 18, 2004 at 04:58:56PM -0400, Atom 'Smasher' wrote:
> On Sun, 18 Jul 2004, Werner Koch wrote:
>
> > On Sun, 18 Jul 2004 14:50:20 -0400 (EDT), Atom 'Smasher' said:
> >
> >> the sender's side. as a practical matter, if one receives a message
> >> that's not compressed then something weird is going on.
> >
> > You will receive such a message if the data fed to gpg has already
> > been compressed; i.e. the compression was done outside of gpg.
> =======================
>
> or just get gibberish when decrypting.

No.  The compression algorithm is stored within the message.  If it
can be handled, it is.  If it cannot be handled because the message
uses a compression algorithm that GnuPG does not have, GnuPG stops.
It will not give you gibberish back since it cannot even get to that
part of the decryption process.

David

From atom at suspicious.org Mon Jul 19 06:23:53 2004
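
David Shaw's description in the "--list-only and symmetric encryption" reply above (one random session key, encrypted once per passphrase), as an added Python sketch that is not part of the thread and not GnuPG code. PBKDF2 and a SHA-256 counter-mode keystream are stand-ins for OpenPGP's string-to-key function and symmetric cipher, and every function and field name is hypothetical.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32
SAMPLE = b"constructed sample plaintext for the sketch\n"


def s2k(passphrase, salt):
    """Stand-in for OpenPGP string-to-key: returns (cipher key, MAC key)."""
    raw = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 20_000, 2 * KEY_LEN)
    return raw[:KEY_LEN], raw[KEY_LEN:]


def stream_xor(key, data):
    """Toy stream cipher (SHA-256 in counter mode); the same call decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def wrap(session_key, passphrase):
    """Encrypt the session key under one passphrase (one key packet)."""
    salt = secrets.token_bytes(8)
    kek, mac_key = s2k(passphrase, salt)
    wrapped = stream_xor(kek, session_key)
    tag = hmac.new(mac_key, wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap(entry, passphrase):
    """Return the session key, or None if this packet is not for the passphrase."""
    kek, mac_key = s2k(passphrase, entry["salt"])
    expected = hmac.new(mac_key, entry["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, entry["tag"]):
        return None
    return stream_xor(kek, entry["wrapped"])


def encrypt(plaintext, passphrases):
    """Bulk data is encrypted once; only the session key is wrapped N times."""
    session_key = secrets.token_bytes(KEY_LEN)
    return {
        "key_packets": [wrap(session_key, p) for p in passphrases],
        "body": stream_xor(session_key, plaintext),
    }


def decrypt(message, passphrase):
    for entry in message["key_packets"]:
        session_key = unwrap(entry, passphrase)
        if session_key is not None:
            return stream_xor(session_key, message["body"])
    raise ValueError("passphrase does not unlock any session-key packet")


def encrypt_direct(plaintext, passphrase):
    """Single-passphrase form: the derived key itself is the session key."""
    salt = secrets.token_bytes(8)
    key, _ = s2k(passphrase, salt)
    return {"salt": salt, "body": stream_xor(key, plaintext)}


def decrypt_direct(message, passphrase):
    key, _ = s2k(passphrase, message["salt"])
    return stream_xor(key, message["body"])


def splice(message_a, message_b):
    """Graft B's key packets onto A's body, as packet surgery would."""
    return {"key_packets": message_a["key_packets"] + message_b["key_packets"],
            "body": message_a["body"]}
```

The spliced message still opens with A's passphrase, but B's passphrase unwraps a different session key and yields garbage, which is the reason given above for why packet surgery cannot add a passphrase.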
From: atom at suspicious.org (Atom 'Smasher')
Date: Mon Jul 19 06:21:02 2004
Subject: compression info & "--verbose"
In-Reply-To: <20040719031010.GD19620@jabberwocky.com>
References: <20040718050614.O26762@willy_wonka> <20040718140012.GD18366@jabberwocky.com>
 <20040718144203.W26762@willy_wonka> <87smbpxdkn.fsf@wheatstone.g10code.de>
 <20040718165500.M26762@willy_wonka> <20040719031010.GD19620@jabberwocky.com>
Message-ID: <20040719000926.B26762@willy_wonka>

On Sun, 18 Jul 2004, David Shaw wrote:

> On Sun, Jul 18, 2004 at 04:58:56PM -0400, Atom 'Smasher' wrote:
>>> You will receive such a message if the data fed to gpg has already
>>> been compressed; i.e. the compression was done outside of gpg.
>> =======================
>>
>> or just get gibberish when decrypting.
>
> No.  The compression algorithm is stored within the message.  If it
> can be handled, it is.  If it cannot be handled because the message
> uses a compression algorithm that GnuPG does not have, GnuPG stops.
> It will not give you gibberish back since it cannot even get to that
> part of the decryption process.
====================

i must've not made myself clear.... i mean that if compression is done
outside of gpg like this:
  $ date | gzip | gpg -ear {key_id}
or
  $ date | gzip | gpg --compress-algo 0 -ear {key_id}
it will produce a message that, when decrypted, will produce gibberish.
gibberish in, gibberish out.

still, my desire is to see what algorithm gpg is using to de/encrypt the
message by use of the "--verbose" flag.

...atom

_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------

"I disapprove of what you say, but I will defend to
the death your right to say it."
-- widely attributed to Voltaire, but written by
Evelyn Beatrice Hall under the pseudonym
S[tephen] G. Tallentyre.
The Friends of Voltaire, 1906

From marcus.brinkmann at ruhr-uni-bochum.de Tue Jul 20 21:54:30 2004
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: Tue Jul 20 21:51:23 2004
Subject: [BUG?] gpgme 0.9.0 & passphrase oddity
In-Reply-To: <1089320527l.26965l.0l@antares.localdomain>
References: <1089320527l.26965l.0l@antares.localdomain>
Message-ID: <873c3m78uh.wl@ulysses.g10code.de>

At Thu, 08 Jul 2004 21:01:59 +0000, Albrecht Dreß wrote:
> Is this the intended behaviour? IMHO, it would be nicer if gpgme_op_sign
> (and friends) would return ERR_CANCEL in *both* cases.

I agree :)

This does not seem to be a GPGME issue, though.  Some versions of
gpg-agent swallow the cancel from pinentry.  I have to take a closer
look at which versions are affected.

Marcus

From atom at suspicious.org Wed Jul 21 06:11:14 2004
From: atom at suspicious.org (Atom 'Smasher')
Date: Wed Jul 21 06:08:27 2004
Subject: gpg: conflicting commands
Message-ID: <20040721000909.K326@willy_wonka>

why are "--store" and "--sign" conflicting? (1.3.6)

...atom

_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------

"For every dollar the boss has and didn't work for,
one of us worked for a dollar and didn't get it."
-- William 'Big Bill' Haywood

From dshaw at jabberwocky.com Wed Jul 21 06:29:54 2004
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Jul 21 06:27:00 2004
Subject: gpg: conflicting commands
In-Reply-To: <20040721000909.K326@willy_wonka>
References: <20040721000909.K326@willy_wonka>
Message-ID: <20040721042954.GA4266@jabberwocky.com>

On Wed, Jul 21, 2004 at 12:11:14AM -0400, Atom 'Smasher' wrote:
> why are "--store" and "--sign" conflicting?

--store takes a file and makes it into an OpenPGP literal message.

--sign takes a file, makes it into an OpenPGP literal message and then
signs it.

You can't make something into a literal message twice.

David

From atom at suspicious.org Wed Jul 21 06:38:34 2004
From: atom at suspicious.org (Atom 'Smasher')
Date: Wed Jul 21 06:35:35 2004
Subject: gpg: conflicting commands
In-Reply-To: <20040721042954.GA4266@jabberwocky.com>
References: <20040721000909.K326@willy_wonka> <20040721042954.GA4266@jabberwocky.com>
Message-ID: <20040721003328.J326@willy_wonka>

On Wed, 21 Jul 2004, David Shaw wrote:

> On Wed, Jul 21, 2004 at 12:11:14AM -0400, Atom 'Smasher' wrote:
>> why are "--store" and "--sign" conflicting?
>
> --store takes a file and makes it into an OpenPGP literal message.
>
> --sign takes a file, makes it into an OpenPGP literal message and then
> signs it.
>
> You can't make something into a literal message twice.
=====================

cool... it's been so long since i used --sign i forgot about that. i'm
always using -ba or --clearsign.

error code "ID-10-T"

thanks...

...atom

_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------

"The whole aim of practical politics is to keep the
populace alarmed (and hence clamorous to be led to
safety) by menacing it with an endless series of
hobgoblins, all of them imaginary."
-- H.L. Mencken

From atom at suspicious.org Fri Jul 23 06:08:30 2004
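
The two packet types discussed in the replies above (the literal message that --store and --sign both start from, and the compressed data packet whose algorithm octet is "stored within the message"), as an added Python sketch that is not part of the thread and not GnuPG code. The packets and sample text are constructed, the encryption layer is left out, and all function names are hypothetical.

```python
import bz2
import struct
import zlib

TAG_COMPRESSED, TAG_LITERAL = 8, 11
COMPRESSION_NAMES = {0: "Uncompressed", 1: "ZIP", 2: "ZLIB", 3: "BZip2"}
SAMPLE = b"Sun Jul 18 16:58:56 EDT 2004\n"  # constructed, shaped like `date` output


def new_format_packet(tag, body):
    """Serialise one packet with a new-format header and a definite length."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | tag]) + length + body


def literal_packet(data, filename=b""):
    """Tag 11: format octet, filename length, filename, 4-octet date, data."""
    body = b"b" + bytes([len(filename)]) + filename + struct.pack(">I", 0) + data
    return new_format_packet(TAG_LITERAL, body)


def compressed_packet(inner, algo):
    """Tag 8: one algorithm octet, then the inner packets in that encoding."""
    if algo == 0:
        payload = inner
    elif algo == 1:  # ZIP is raw DEFLATE, without the zlib header
        deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
        payload = deflater.compress(inner) + deflater.flush()
    elif algo == 2:
        payload = zlib.compress(inner)
    elif algo == 3:
        payload = bz2.compress(inner)
    else:
        raise ValueError(f"cannot build compression algorithm {algo}")
    return new_format_packet(TAG_COMPRESSED, bytes([algo]) + payload)


def read_packet(buf, pos=0):
    """Return (tag, body, next_pos); handles old- and new-format headers."""
    if pos >= len(buf) or not buf[pos] & 0x80:
        raise ValueError("not an OpenPGP packet header")
    ctb, pos = buf[pos], pos + 1
    if ctb & 0x40:  # new format
        tag, first = ctb & 0x3F, buf[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 224:
            length, pos = ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
        elif first == 255:
            length, pos = struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5
        else:
            raise ValueError("partial body lengths are not handled here")
    else:  # old format
        tag, lentype = (ctb >> 2) & 0x0F, ctb & 0x03
        if lentype == 3:  # indeterminate length: body runs to end of input
            length = len(buf) - pos
        else:
            size = 1 << lentype
            length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if pos + length > len(buf):
        raise ValueError("truncated packet")
    return tag, buf[pos:pos + length], pos + length


def inflate(algo, payload):
    """Undo the encoding named by the algorithm octet, or stop if unknown."""
    if algo == 0:
        return payload
    if algo == 1:
        return zlib.decompress(payload, -15)
    if algo == 2:
        return zlib.decompress(payload)
    if algo == 3:
        return bz2.decompress(payload)
    raise ValueError(f"unsupported compression algorithm {algo}")


def inspect_message(message):
    """Report the algorithm octet (None if no tag-8 packet) and the literal data."""
    tag, body, _ = read_packet(message)
    algo = None
    if tag == TAG_COMPRESSED:
        if not body:
            raise ValueError("compressed packet without an algorithm octet")
        algo = body[0]
        tag, body, _ = read_packet(inflate(algo, body[1:]))
    if tag != TAG_LITERAL:
        raise ValueError(f"expected a literal data packet, found tag {tag}")
    data = body[2 + body[1] + 4:]
    return {"algo": algo, "name": COMPRESSION_NAMES.get(algo, "no compressed packet"),
            "data": data, "gzip_inside": data[:2] == b"\x1f\x8b"}
```

Data gzipped before it reaches the literal packet comes back as the same gzip bytes whatever the algorithm octet says; the `gzip_inside` flag checks for the gzip magic number in the recovered data.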
From: atom at suspicious.org (Atom 'Smasher')
Date: Fri Jul 23 10:03:04 2004
Subject: Cryptographers and U.S. Immigration
Message-ID: <20040723000559.L326@willy_wonka>

...atom

_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------

"When the government fears the people, you have liberty.
When the people fear the government, you have tyranny."
--Thomas Jefferson

<<<<<<<<<<<<<<<<<<<<<<<<<<

http://www.schneier.com/crypto-gram-0407.html#3

Cryptographers and U.S. Immigration

Seems like cryptographers are being questioned when they enter the U.S.
these days. Recently I received this (anonymous) comment: "It seems that
the U.S. State Department has a keen interest in foreign cryptographers:
Yesterday I tried to renew my visa to the States, and after standing in
line and getting fingerprinted, my interviewer, upon hearing that my
company sells [a cryptography product], informed me that "due to new
regulations," Washington needs to approve my visa application, and that
to do so, they need to know exactly which companies I plan to visit in
the States, points of contact, etc. etc. Quite a change from my last visa
application, for which I didn't even have to show up."

I'm curious if any of my foreign readers have similar stories. There are
international cryptography conferences held in the United States all the
time. It would be a shame if they lost much of their value because of
visa regulations.

####

From t.schorpp at gmx.de Fri Jul 23 15:26:15 2004
From: t.schorpp at gmx.de (Thomas Schorpp) Date: Fri Jul 23 15:23:49 2004 Subject: [FEATURE REQ, RFC], improving ergonomic HMI fingerprint cross verification In-Reply-To: <87zn5xxdus.fsf@wheatstone.g10code.de> References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com> <87u0w728o8.fsf@wheatstone.g10code.de> <40F8170C.9090904@gmx.de> <87zn5xxdus.fsf@wheatstone.g10code.de> Message-ID: <410111F7.80409@gmx.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Werner Koch wrote: | On Fri, 16 Jul 2004 19:57:32 +0200, Thomas Schorpp said: | | I then take that the | paper slip, put it directly onto the display surface, just below the | displayed fingerprint, and I am able to find a mismatch at a glance. | | Nowadays that everyone has a business card with a fingerprint, this | doesn't work very well anymore ;-). | well... | |>| Thus better learn the Alpha..Zulu alphabet and just use it when |>| reading fingerprints to someone. | | |>you mean it? absolutely inacceptable cause human error impliable by an | | | Yes, that are just 6 words. And well it does'nt matter mutch if you | accidently use Berta instead of Bravo. | ive got another (better) idea regarding all your comments, using colors: all (*n*x) standard consoles, websites and platform gui support the needed 16 colors for substituting a hex number, dont they? so ill have printed a line of full ascii "block, die" chars a line below ~ every fp output with a --color option to gpg: - - a look of a 1 second is needed to verify short color bars by human brains, verifying all the hex digits you need at least 5. - - no translation problems in speech verifying(self translating to any human language) - - colors are known and handled in every culture, even by childs. - - acceptable extra space needed at the --fingerprint output screen. 
- - acceptable to webdesigners, youll find and know with one quick look
its a gpg user and his/its key and it would look "honorable" like the
badges of mil generals ;), implying a trustworthy website too.

y
tom
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----

From thomas at northernsecurity.net Fri Jul 23 16:15:04 2004
From: thomas at northernsecurity.net (Thomas Sjögren)
Date: Fri Jul 23 16:12:25 2004
Subject: [FEATURE REQ, RFC], improving ergonomic HMI fingerprint cross verification
In-Reply-To: <410111F7.80409@gmx.de>
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com> <87u0w728o8.fsf@wheatstone.g10code.de> <40F8170C.9090904@gmx.de> <87zn5xxdus.fsf@wheatstone.g10code.de> <410111F7.80409@gmx.de>
Message-ID: <20040723141504.GG8636@northernsecurity.net>

On Fri, Jul 23, 2004 at 03:26:15PM +0200, Thomas Schorpp wrote:
> ive got another (better) idea regarding all your comments, using colors:

what about colourblindness then?

/Thomas
--
== Encrypted e-mails preferred | GPG KeyID: 114AA85C
--

From t.schorpp at gmx.de Fri Jul 23 17:05:55 2004
From: t.schorpp at gmx.de (Thomas Schorpp)
Date: Fri Jul 23 17:03:34 2004
Subject: [FEATURE REQ, RFC], improving ergonomic HMI fingerprint cross verification
In-Reply-To: <20040723141504.GG8636@northernsecurity.net>
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com> <87u0w728o8.fsf@wheatstone.g10code.de> <40F8170C.9090904@gmx.de> <87zn5xxdus.fsf@wheatstone.g10code.de> <410111F7.80409@gmx.de> <20040723141504.GG8636@northernsecurity.net>
Message-ID: <41012953.7050102@gmx.de>

Thomas Sjögren wrote:
> On Fri, Jul 23, 2004 at 03:26:15PM +0200, Thomas Schorpp wrote:
>
>>ive got another (better) idea regarding all your comments, using colors:
>
>
> what about colourblindness then?
>
> /Thomas

theyre known to be able to read clearly a 64 stage greyscale.

y
tom

From wk at gnupg.org Fri Jul 23 19:21:28 2004
From: wk at gnupg.org (Werner Koch)
Date: Fri Jul 23 19:23:25 2004
Subject: [FEATURE REQ, RFC], improving ergonomic HMI fingerprint cross verification
In-Reply-To: <410111F7.80409@gmx.de> (Thomas Schorpp's message of "Fri, 23 Jul 2004 15:26:15 +0200")
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com> <87u0w728o8.fsf@wheatstone.g10code.de> <40F8170C.9090904@gmx.de> <87zn5xxdus.fsf@wheatstone.g10code.de> <410111F7.80409@gmx.de>
Message-ID: <87bri67i7b.fsf@wheatstone.g10code.de>

On Fri, 23 Jul 2004 15:26:15 +0200, Thomas Schorpp said:

> all (*n*x) standard consoles, websites and platform gui support the
> needed 16 colors for substituting a hex number, dont they?

I guess so; it is even hard to buy a b/w display nowadays.

> so ill have printed a line of full ascii "block, die" chars a line below
> ~ every fp output with a --color option to gpg:

Cool idea except for the 5 percent of all males who are red/green
blind.

> its a gpg user and his/its key and it would look "honorable" like the
> badges of mil generals ;), implying a trustworthy website too.

:-) Seems that I need to buy a color printer now.

Salam-Shalom,

Werner

From dgc at uchicago.edu Fri Jul 23 20:17:13 2004
From: dgc at uchicago.edu (David Champion)
Date: Fri Jul 23 20:14:12 2004
Subject: [FEATURE REQ, RFC], improving ergonomic HMI fingerprint cross verification
In-Reply-To: <410111F7.80409@gmx.de>
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com> <87u0w728o8.fsf@wheatstone.g10code.de> <40F8170C.9090904@gmx.de> <87zn5xxdus.fsf@wheatstone.g10code.de> <410111F7.80409@gmx.de>
Message-ID: <20040723181713.GW27414@dust.uchicago.edu>

* On 2004.07.23, in <410111F7.80409@gmx.de>,
* "Thomas Schorpp" wrote:
>
> all (*n*x) standard consoles, websites and platform gui support the
> needed 16 colors for substituting a hex number, dont they?

No. And people still use serial terminals.

Re colorblindness: Sure, everyone can recognize grayscales, but that's
not really the problem. The problem is when it's not clear whether
something is red or green.

What about partial or total blindness? Screen readers can read off "Ay
Be One Five Two Eff ..." but won't read "Red Green Cyan Magenta Rose
Burgundy Lime Deep Forest Green".

> so ill have printed a line of full ascii "block, die" chars a line below
> ~ every fp output with a --color option to gpg:

This is very cute, and there's nothing wrong with it -- I rather like
the idea -- but it's not a general solution. It belongs in a front-end,
not in the core tool.

--
-D. dgc@uchicago.edu NSIT::ENSS

From atom at suspicious.org Fri Jul 23 21:38:05 2004
From: atom at suspicious.org (Atom 'Smasher')
Date: Fri Jul 23 21:35:14 2004
Subject: [FEATURE REQ, RFC], improving ergonomic HMI fingerprint cross verification
In-Reply-To: <20040723181713.GW27414@dust.uchicago.edu>
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com> <87u0w728o8.fsf@wheatstone.g10code.de> <40F8170C.9090904@gmx.de> <87zn5xxdus.fsf@wheatstone.g10code.de> <410111F7.80409@gmx.de> <20040723181713.GW27414@dust.uchicago.edu>
Message-ID: <20040723145609.U326@willy_wonka>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Fri, 23 Jul 2004, David Champion wrote:

> This is very cute, and there's nothing wrong with it -- I rather like
> the idea -- but it's not a general solution. It belongs in a front-end,
> not in the core tool.
==========================

exactly.

of course no single thing can solve all problems, but this seems like a
great solution to a particular problem. the fact that it might *only*
help 95% of the people who want to make use of it doesn't make it a bad
idea... as long as it's meant to complement the current system, not
supersede it (and i don't hear any calls for throwing away the current
system).

the issues become standardizing colors and sizes... it would be great to
hold two pieces of paper next to each other and (if the squares are the
same size) identify almost immediately if it's a match or not. with only
16 colors, it allows for error in color accuracy of displays, printers,
etc.

an observation... here in the states a standard business card is 2 x 3.5
inches (are they 50 x 90 mm in the civilized world?)... an SHA-1 hash
produces 40 characters (16^40)... if the whole width of the bottom (or
top) of a business card displayed this "rainbow code" then each character
could be represented by a 2.25 mm square (or a bar that's 2.25 mm wide).

if used in a front-end, it would be great to have an option to resize
that part of the display so a card can be held to the monitor and the
sizes match.
        ...atom

 _________________________________________
 PGP key - http://atom.smasher.org/pgp.txt
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
 -------------------------------------------------

 "There's no way to rule innocent men. The only power any
 government has is the power to crack down on criminals.
 Well, when there aren't enough criminals, one makes them.
 One declares so many things to be a crime that it becomes
 impossible to live without breaking laws."
 -- Ayn Rand, 'Atlas Shrugged'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
-----END PGP SIGNATURE-----

From atom at suspicious.org Fri Jul 23 23:50:41 2004
From: atom at suspicious.org (Atom 'Smasher')
Date: Fri Jul 23 23:47:51 2004
Subject: 1.3.6 cert signatures
Message-ID: <20040723174846.R326@willy_wonka>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

should "personal-digest-preferences" affect cert signatures?

or is that too broad an interpretation of the intent?

        ...atom

 _________________________________________
 PGP key - http://atom.smasher.org/pgp.txt
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
 -------------------------------------------------

 "If the price of cigarettes keeps going up, I'm going
 to quit. A quarter a pack is ridiculous."
 -- Overheard at a drive-in theater, circa 1957
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
-----END PGP SIGNATURE-----

From dshaw at jabberwocky.com Sat Jul 24 01:10:55 2004
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat Jul 24 01:36:40 2004
Subject: 1.3.6 cert signatures
In-Reply-To: <20040723174846.R326@willy_wonka>
References: <20040723174846.R326@willy_wonka>
Message-ID: <20040723231055.GG13749@jabberwocky.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Jul 23, 2004 at 05:50:41PM -0400, Atom 'Smasher' wrote:
> should "personal-digest-preferences" affect cert signatures?
>
> or is that too broad an interpretation of the intent?

Yes. Changing the digest for cert signatures is something that GnuPG
supports for protocol completeness, but it's one of those things that
you should never do unless you really, really know what you are doing.
And even then you probably shouldn't do it.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6-cvs (GNU/Linux)
-----END PGP SIGNATURE-----

From atom at suspicious.org Sat Jul 24 06:00:04 2004
From: atom at suspicious.org (Atom 'Smasher')
Date: Sat Jul 24 05:57:41 2004
Subject: 1.3.6 cert signatures
In-Reply-To: <20040723231055.GG13749@jabberwocky.com>
References: <20040723174846.R326@willy_wonka> <20040723231055.GG13749@jabberwocky.com>
Message-ID: <20040723235507.K326@willy_wonka>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Fri, 23 Jul 2004, David Shaw wrote:

> On Fri, Jul 23, 2004 at 05:50:41PM -0400, Atom 'Smasher' wrote:
>> should "personal-digest-preferences" affect cert signatures?
>>
>> or is that too broad an interpretation of the intent?
>
> Yes. Changing the digest for cert signatures is something that GnuPG
> supports for protocol completeness, but it's one of those things that
> you should never do unless you really, really know what you are doing.
> And even then you probably shouldn't do it.
====================

what problems should i expect if i use SHA-256 on keybinding and cert
signatures? (aside from the obvious, that some older implementations won't
be able to handle it)

        ...atom

 _________________________________________
 PGP key - http://atom.smasher.org/pgp.txt
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
 -------------------------------------------------

 "Maybe this world is another planet's Hell."
 -- Aldous Huxley
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
-----END PGP SIGNATURE-----

From t.schorpp at gmx.de Sat Jul 24 06:20:34 2004
From: t.schorpp at gmx.de (Thomas Schorpp)
Date: Sat Jul 24 06:18:08 2004
Subject: [FEATURE REQ, RFC], improving ergonomic HMI fingerprint cross verification
In-Reply-To: <20040723181713.GW27414@dust.uchicago.edu>
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com> <87u0w728o8.fsf@wheatstone.g10code.de> <40F8170C.9090904@gmx.de> <87zn5xxdus.fsf@wheatstone.g10code.de> <410111F7.80409@gmx.de> <20040723181713.GW27414@dust.uchicago.edu>
Message-ID: <4101E392.3000606@gmx.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Champion wrote:
| * On 2004.07.23, in <410111F7.80409@gmx.de>,
| * "Thomas Schorpp" wrote:
|
|>all (*n*x) standard consoles, websites and platform gui support the
|>needed 16 colors for substituting a hex number, dont they?
|
|
| No. And people still use serial terminals.
|

well, and theres a (solvable) windos console problem.

| Re colorblindness: Sure, everyone can recognize grayscales, but that's
| not really the problem. The problem is when it's not clear whether
| something is red or green.
|

cant tell as former printing and package machinery professional ;)
the hex strip is always available.

| What about partial or total blindness? Screen readers can read off "Ay
| Be One Five Two Eff ..." but won't read "Red Green Cyan Magenta Rose
| Burgundy Lime Deep Forest Green".
|

duh, only 8 colours, with bright 16.

|
|
|>so ill have printed a line of full ascii "block, die" chars a line below
|>~ every fp output with a --color option to gpg:
|
|
| This is very cute, and there's nothing wrong with it -- I rather like
| the idea -- but it's not a general solution. It belongs in a front-end,
| not in the core tool.
|

thank you, ill like to see it in kgpg and enigmail, etc, too, but we
need it at least for dev test of such apps in the secure core (the 3rd).
or you have to show me how to high secure pipes and message loops, etc ;)

im working on a demo patch, but its very hard for me that i cant use c++
ostream, etc :|

y
tom
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----

From dshaw at jabberwocky.com Sat Jul 24 14:06:01 2004
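An added example, not written by any poster in this thread and not GnuPG code: the colour-strip proposal from the messages above as a front-end helper in Python, with the plain hex fallback that the serial-terminal and screen-reader objections call for. The digit-to-colour palette (ANSI background n for hex digit n) is an assumption, since the thread fixes none; the fingerprint is the one printed in Atom's signature block and the altered copy is constructed.

```python
import re


# Assumption: hex digit n is drawn with ANSI background colour n
# (0-7 normal, 8-15 bright). The thread does not fix a palette.
def ansi_background(n):
    return 40 + n if n < 8 else 100 + (n - 8)


def normalize(fingerprint):
    """Drop spaces and colons, upper-case, and insist on hex digits only."""
    digits = re.sub(r"[\s:]", "", fingerprint).upper()
    if not re.fullmatch(r"[0-9A-F]+", digits):
        raise ValueError("fingerprint must be hexadecimal")
    return digits


def color_strip(fingerprint, cell=2, color=True):
    """Return one coloured cell per hex digit.

    With color=False (serial terminal, screen reader, pipe) the plain hex
    grouping is returned instead, so the hex string stays the reference.
    """
    digits = normalize(fingerprint)
    if not color:
        return " ".join(digits[i:i + 4] for i in range(0, len(digits), 4))
    cells = ["\x1b[%dm%s" % (ansi_background(int(d, 16)), " " * cell)
             for d in digits]
    return "".join(cells) + "\x1b[0m"


def mismatches(a, b):
    """Positions (0-based hex digits) at which two fingerprints differ."""
    a, b = normalize(a), normalize(b)
    if len(a) != len(b):
        raise ValueError("fingerprints differ in length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def cell_width_mm(strip_width_mm, fingerprint):
    """Width of one cell when the strip spans strip_width_mm."""
    return strip_width_mm / len(normalize(fingerprint))


# Fingerprint as printed in Atom's signature block on this page.
FPR = "762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808"
# Constructed for the example: one digit changed (B -> 8 at position 5).
ALTERED = "762A 3898 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808"

if __name__ == "__main__":
    import sys
    use_color = sys.stdout.isatty()
    print(color_strip(FPR, color=use_color))
    print(color_strip(ALTERED, color=use_color))
    print("differs at digit(s):", mismatches(FPR, ALTERED))
    print("cell width on a 90 mm strip: %.2f mm" % cell_width_mm(90, FPR))
```
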
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat Jul 24 14:02:59 2004
Subject: 1.3.6 cert signatures
In-Reply-To: <20040723235507.K326@willy_wonka>
References: <20040723174846.R326@willy_wonka> <20040723231055.GG13749@jabberwocky.com> <20040723235507.K326@willy_wonka>
Message-ID: <20040724120601.GI13749@jabberwocky.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, Jul 24, 2004 at 12:00:04AM -0400, Atom 'Smasher' wrote:
> On Fri, 23 Jul 2004, David Shaw wrote:
> > On Fri, Jul 23, 2004 at 05:50:41PM -0400, Atom 'Smasher' wrote:
>
> >> should "personal-digest-preferences" affect cert signatures?
> >>
> >> or is that too broad an interpretation of the intent?
> >
> > Yes. Changing the digest for cert signatures is something that GnuPG
> > supports for protocol completeness, but it's one of those things that
> > you should never do unless you really, really know what you are doing.
> > And even then you probably shouldn't do it.
> ====================
>
> what problems should i expect if i use SHA-256 on keybinding and cert
> signatures? (aside from the obvious, that some older implementations won't
> be able to handle it)

It's the obvious, but it's more than that. It's also a lot more than
"some older implementations". There are vastly more installations of
PGP and GnuPG that cannot understand SHA-256 than there are that can
understand SHA-256.

OpenPGP has a (partially deserved) reputation for being fiddly and
difficult to get to work and rife with incompatibilities. Every
additional key out there that prevents, rather than helps,
communication just adds to this reputation, and becomes one more
barrier to people using it. It's a community good to have keys that
everyone can use.

In immediate terms, even some encryption fans aren't likely to upgrade
just so they can use your key - they'll send in cleartext, which
pretty much defeats the purpose of you having a key. Rather than gain
additional security, you've actually lowered it to zero.
New users, or people who are just playing around with OpenPGP are going
to be utterly baffled by your key, and have one more reason to give
encryption up as too confusing for them.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6-cvs (GNU/Linux)
-----END PGP SIGNATURE-----

From atom at suspicious.org Sat Jul 24 20:20:44 2004
From: atom at suspicious.org (Atom 'Smasher')
Date: Sat Jul 24 20:17:42 2004
Subject: 1.3.6 cert signatures
In-Reply-To: <20040724120601.GI13749@jabberwocky.com>
References: <20040723174846.R326@willy_wonka> <20040723231055.GG13749@jabberwocky.com> <20040723235507.K326@willy_wonka> <20040724120601.GI13749@jabberwocky.com>
Message-ID: <20040724134912.F326@willy_wonka>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Sat, 24 Jul 2004, David Shaw wrote:

> It's the obvious, but it's more than that. It's also a lot more than
> "some older implementations". There are vastly more installations of
> PGP and GnuPG that cannot understand SHA-256 than there are that can
> understand SHA-256.
>
> OpenPGP has a (partially deserved) reputation for being fiddly and
> difficult to get to work and rife with incompatibilities. Every
> additional key out there that prevents, rather than helps,
> communication just adds to this reputation, and becomes one more
> barrier to people using it. It's a community good to have keys that
> everyone can use.
>
> In immediate terms, even some encryption fans aren't likely to upgrade
> just so they can use your key - they'll send in cleartext, which
> pretty much defeats the purpose of you having a key. Rather than gain
> additional security, you've actually lowered it to zero. New users,
> or people who are just playing around with OpenPGP are going to be
> utterly baffled by your key, and have one more reason to give
> encryption up as too confusing for them.
=============================

i suspect that within my lifetime, SHA-1 will be too weak to be taken
seriously. with that possibility (or likelihood, depending on your
paranoia) i think the standard should be thinking that far ahead, and
require larger hashes to be recognized... or at least encourage their
use, since there will obviously be ~some~ applications where it would be
too much of a burden.
what's the point of having a 2048 (or larger) signing key, if that key is
only signing a 160 bit hash? it seems that nothing is gained by the
larger signing key. i don't think this helps, in the long term.

there are still people who use PGP-2, but that doesn't obligate me to use
MD5 and IDEA. there will *always* be vintage/obsolete applications out
there, but that shouldn't prevent (or discourage) someone from using
what's available. (i often get mail from people and notice the "Version"
header is from an old version of GnuPG... i let them know what's current,
and i've almost always been thanked for pointing that out.)

i ~think~ i understand your challenge as a developer here... that the
application must understand how something is used, and have a large enough
base that can _understand_ that feature, before that feature can safely be
"turned on".

that said, at what point would you feel comfortable "turning on" SHA-256
(or larger) cert hashes?

BTW 1) my 4096-RSA key has a DSA and elgamal subkey (with SHA-1 cert
hashes) and RSA signing & encryption subkeys (with SHA-256 cert hashes).
if someone's application chokes on the SHA-256 certs, they should still be
able to use the older subkeys. i haven't yet heard from anyone having
trouble with this.

BTW 2) i've been exchanging key signatures with people and signing their
keys with SHA-256. again, no complaints.

        ...atom

 _________________________________________
 PGP key - http://atom.smasher.org/pgp.txt
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
 -------------------------------------------------

 When cryptography is outlawed,
 b25seSBvdXRsYXdzIHdpbGwgdXNlIGNyeXB0b2dyYXBoeS4K
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
-----END PGP SIGNATURE-----

From dshaw at jabberwocky.com Sun Jul 25 06:01:06 2004
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun Jul 25 05:58:13 2004
Subject: 1.3.6 cert signatures
In-Reply-To: <20040724134912.F326@willy_wonka>
References: <20040723174846.R326@willy_wonka> <20040723231055.GG13749@jabberwocky.com> <20040723235507.K326@willy_wonka> <20040724120601.GI13749@jabberwocky.com> <20040724134912.F326@willy_wonka>
Message-ID: <20040725040106.GK13749@jabberwocky.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, Jul 24, 2004 at 02:20:44PM -0400, Atom 'Smasher' wrote:

> i suspect that within my lifetime, SHA-1 will be too weak to be taken
> seriously. with that possibility (or likelihood, depending on your
> paranoia) i think the standard should be thinking that far ahead,
> and require larger hashes to be recognized... or at least encourage
> their use, since there will obviously be ~some~ applications where
> it would be too much of a burden.

If you think about it, it almost doesn't matter whether SHA-1 lasts
forever or not. Pure conservatism pretty much requires that there be
an alternative hash, just in case you are right.

The standard does think that far ahead, and so includes SHA-256, 384,
and 512 among others. 384 is sort of pointless in the OpenPGP
context, but 256 and 512 will be useful eventually. Real world
implementations and brand new standards are always a little bit
different, if only because the real world takes time to get to where
the standard is. Put another way, it's easier to write standards than
it is to deploy code :)

> what's the point of having a 2048 (or larger) signing key, if that
> key is only signing a 160 bit hash? it seems that nothing is gained
> by the larger signing key. i don't think this helps, in the long
> term.

Long term is a different story. Short term (months to a year) is the
concern here. In any event, breaking a hash is not the same as
breaking a key, and each gives slightly different capabilities to the
attacker.
Incidentally, don't assume that because SHA-256 is larger than SHA-1
that it is stronger. Remember the lesson of SHA-0.

> there are still people who use PGP-2, but that doesn't obligate me to use
> MD5 and IDEA. there will *always* be vintage/obsolete applications out
> there, but that shouldn't prevent (or discourage) someone from using
> what's available. (i often get mail from people and notice the "Version"
> header is from an old version of GnuPG... i let them know what's current,
> and i've almost always been thanked for pointing that out.)

Programs do not become obsolete overnight. PGP 2.x is generally
considered obsolete, but that took *years* (and some people seem to
have missed the memo). GnuPG doesn't even support generating SHA-256
signatures yet. You are using a development build (or hacking 1.2.x)
to do it, so it's rather premature to claim that the actual released
version of GnuPG is now obsolete...

> i ~think~ i understand your challenge as a developer here... that the
> application must understand how something is used, and have a large enough
> base that can _understand_ that feature, before that feature can safely be
> "turned on".
>
> that said, at what point would you feel comfortable "turning on" SHA-256
> (or larger) cert hashes?

Not today. Not tomorrow. Next year? I don't know. I have not
rigorously tested interoperability with SHA-256 certification
signatures. I have seen some anecdotal evidence, but nothing more.
It may just not work without harming much else, or it may fail in some
large and messy manner under certain conditions. Not enough data yet.

To a certain extent, I guess I have cast my vote on the issue since
GnuPG 1.2.x cannot generate SHA-256 certification signatures and GnuPG
1.3.x can.

Even when 1.3.x becomes GnuPG 1.4, though, the default will remain
SHA-1. People will need to explicitly set the digest to SHA-256 if
they want to.
> BTW 1) my 4096-RSA key has a DSA and elgamal subkey (with SHA-1 cert
> hashes) and RSA signing & encryption subkeys (with SHA-256 cert hashes).
> if someone's application chokes on the SHA-256 certs, they should still be
> able to use the older subkeys. i haven't yet heard from anyone having
> trouble with this.

What you describe sounds reasonable, but again, I haven't tested it.
To a non-SHA-256 implementation, it would probably appear like two
subkeys, one without a binding signature (and thus invalid) and one
with (and thus valid).

> BTW 2) i've been exchanging key signatures with people and signing their
> keys with SHA-256. again, no complaints.

I doubt most people even realize those signatures are not really
connecting them to the web of trust in the way they think. Someday
they will connect, but I don't think SHA-256 has enough penetration
yet.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6-cvs (GNU/Linux)
-----END PGP SIGNATURE-----

From atom at suspicious.org Sun Jul 25 08:24:41 2004
From: atom at suspicious.org (Atom 'Smasher')
Date: Sun Jul 25 08:21:57 2004
Subject: 1.3.6 cert signatures
In-Reply-To: <20040725040106.GK13749@jabberwocky.com>
References: <20040723174846.R326@willy_wonka> <20040723231055.GG13749@jabberwocky.com> <20040723235507.K326@willy_wonka> <20040724120601.GI13749@jabberwocky.com> <20040724134912.F326@willy_wonka> <20040725040106.GK13749@jabberwocky.com>
Message-ID: <20040725005842.L326@willy_wonka>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Sun, 25 Jul 2004, David Shaw wrote:

> Incidentally, don't assume that because SHA-256 is larger than SHA-1
> that it is stronger. Remember the lesson of SHA-0.
================

very true. i have to admit that i was ASSuming that the difference in
strength between SHA-1 and SHA-256 is straightforward... but history may
prove otherwise.

> Programs do not become obsolete overnight. PGP 2.x is generally
> considered obsolete, but that took *years* (and some people seem to
> have missed the memo). GnuPG doesn't even support generating SHA-256
> signatures yet. You are using a development build (or hacking 1.2.x)
> to do it, so it's rather premature to claim that the actual released
> version of GnuPG is now obsolete...
==================

i don't want to imply that the release branch is obsolete, or even lacking
anything for 99.99% of users... i'm well aware that i'm pushing things to
the limit.

i can't remember the last time i saw a 1.2.2 version header. (are GnuPG
users just more likely than PGP users to upgrade regularly?)

i'm generating the SHA-256 certs with 1.3.x, and 1.2.4 seems to handle
them fine. i have both versions installed on my desktop, and did enough
testing between them that i'm happy with it.

> Not today. Not tomorrow. Next year? I don't know. I have not
> rigorously tested interoperability with SHA-256 certification
> signatures. I have seen some anecdotal evidence, but nothing more.
> It may just not work without harming much else, or it may fail in some
> large and messy manner under certain conditions. Not enough data yet.
================

i guess i'll be the guinea pig ;)

> To a certain extent, I guess I have cast my vote on the issue since
> GnuPG 1.2.x cannot generate SHA-256 certification signatures and GnuPG
> 1.3.x can.
>
> Even when 1.3.x becomes GnuPG 1.4, though, the default will remain
> SHA-1. People will need to explicitly set the digest to SHA-256 if
> they want to.
==================

as long as most people are using DSA primary keys, most people will never
generate a cert signature with anything but SHA-1.

while we're kind of on the topic, i noticed these things when signing keys
with 1.3.6:

1) if i do explicitly set it to generate a cert with SHA-256, and i'm
signing something with a DSA key, gpg will consider it a hard error and
exit. would it make more sense to just issue a warning in that case? i'm
not going to ask for a "cert-digest-preferences" option.

2) according to the 1.3.6 man page, "--ask-cert-level" should be on by
default. that seems to be incorrect.

        ...atom

 _________________________________________
 PGP key - http://atom.smasher.org/pgp.txt
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
 -------------------------------------------------

 "Under this law (Controlled Substances Act) a bureaucrat -
 usually not elected - decides whether or not a substance
 is dangerous and how dangerous that substance is. There's
 no more messing around with legislatures, presidents, or
 other bothersome formalities. When MDMA (ecstasy) was made
 illegal in 1986, no elected official voted on that. It was
 done "in house." People are now in jail because they did
 something that an administrator declared was wrong."
 -- Peter McWilliams, "A Closer Look at the Consensual Crimes"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
-----END PGP SIGNATURE-----

From atom at suspicious.org Sun Jul 25 08:31:39 2004
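An added example, not written by any poster in this thread and not GnuPG code: a Python reader for OpenPGP signature packets that reports which digest each certification or binding signature uses, the property the "1.3.6 cert signatures" messages above say decides whether a non-SHA-256 implementation treats the signature as present. `LEGACY_DIGESTS` is an assumption of the example, and the sample bytes are constructed.

```python
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
# Assumption for this example: the digests an implementation without
# SHA-2 support can verify.
LEGACY_DIGESTS = {1, 2, 3}
CERT_TYPES = {0x10, 0x11, 0x12, 0x13}   # certifications of a user ID
BINDING_TYPES = {0x18, 0x19}            # subkey / primary-key binding


def packets(data):
    """Yield (tag, body) for each packet in a binary (unarmored) OpenPGP blob."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("offset %d: not a packet header" % i)
        i += 1
        try:
            if hdr & 0x40:                       # new-format header
                tag, first = hdr & 0x3F, data[i]
                if first < 192:
                    length, i = first, i + 1
                elif first < 224:
                    length = ((first - 192) << 8) + data[i + 1] + 192
                    i += 2
                elif first == 255:
                    length = int.from_bytes(data[i + 1:i + 5], "big")
                    i += 5
                else:
                    raise ValueError("partial body lengths not handled")
            else:                                # old-format header
                tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
                if ltype == 3:
                    raise ValueError("indeterminate length not handled")
                size = (1, 2, 4)[ltype]
                length = int.from_bytes(data[i:i + size], "big")
                i += size
        except IndexError:
            raise ValueError("truncated packet header")
        if i + length > len(data):
            raise ValueError("truncated packet body")
        yield tag, data[i:i + length]
        i += length


def signature_digests(data):
    """List type, public-key algorithm and digest of every signature packet."""
    found = []
    for tag, body in packets(data):
        if tag != 2:                             # 2 = signature packet
            continue
        if len(body) >= 4 and body[0] == 4:      # v4 fixed fields
            sig_type, pubkey, digest = body[1], body[2], body[3]
        elif len(body) >= 17 and body[0] == 3:   # v3 fixed fields
            sig_type, pubkey, digest = body[2], body[15], body[16]
        else:
            raise ValueError("unsupported signature packet")
        kind = ("certification" if sig_type in CERT_TYPES else
                "binding" if sig_type in BINDING_TYPES else "other")
        found.append({"kind": kind, "sig_type": sig_type,
                      "pubkey_algo": pubkey,
                      "digest": HASH_NAMES.get(digest, "id %d" % digest),
                      "legacy_readable": digest in LEGACY_DIGESTS})
    return found


def unreadable_without_sha2(data):
    """Certification and binding signatures a SHA-1-only reader cannot check."""
    return [s for s in signature_digests(data)
            if s["kind"] != "other" and not s["legacy_readable"]]


# Constructed sample: a user ID packet ("alice"), then two v4 signature
# packets cut down to their fixed fields and empty subpacket areas
# (no signature MPIs): a 0x13 certification with DSA + SHA-1 in an
# old-format header, and a 0x18 subkey binding with RSA + SHA-256 in a
# new-format header.
SAMPLE = bytes.fromhex(
    "b405616c696365"
    "880a04131102000000000000"
    "c20a04180108000000000000")

if __name__ == "__main__":
    for sig in signature_digests(SAMPLE):
        print(sig)
    print("needs SHA-2 support:", unreadable_without_sha2(SAMPLE))
```

Real input would be the binary output of `gpg --export` for the key in question.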
From: atom at suspicious.org (Atom 'Smasher')
Date: Sun Jul 25 08:28:37 2004
Subject: 1.3.6 trust-model ???
Message-ID: <20040725022512.M326@willy_wonka>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

the 1.3.6 man page says that the "pgp" trust model is the default.

but if i run:
  $ gpg --verbose --list-keys 0xD9F57808

it tells me:
  gpg: using classic trust model

        ...atom

 _________________________________________
 PGP key - http://atom.smasher.org/pgp.txt
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
 -------------------------------------------------

 On finding Osama Bin Laden in Central Asia:
 "We're going to hunt them down one at a time...
 it doesn't matter where they hide, as we work
 with our friends we will find them and bring
 them to justice."
 -- President George W. Bush, 22 Nov 2002

 On finding Saddam Hussein in the Mideast:
 "We are continuing the pursuit and it's a matter
 of time before [Saddam] is found and brought
 to justice."
 -- White House spokesman McClellan, 17 Sep 2003

 On finding who leaked the identity of undercover
 CIA agent Valerie Plame in the close confines of
 the White House:
 "I don't know if we're going to find out the senior
 administration official. I don't have any idea."
 -- President George W. Bush, Oct 7 2003
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
-----END PGP SIGNATURE-----

From atom at suspicious.org Sun Jul 25 08:42:00 2004
From: atom at suspicious.org (Atom 'Smasher')
Date: Sun Jul 25 08:38:57 2004
Subject: 1.3.6 --verbose --charset
Message-ID: <20040725023307.A326@willy_wonka>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

regarding --charset, the 1.3.6 man page says, "A verbosity level of 3 shows the used one."

but... --verbose says, "If used twice, the input data is listed in detail." no mention here that it can be used three times.

also, there's the "historical feature" of sending some of the level 2-3 verbose information to STDOUT instead of STDERR... will that change by 1.4?

thanks...

        ...atom

 _________________________________________
 PGP key - http://atom.smasher.org/pgp.txt
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
 -------------------------------------------------

	"We really haven't done everything we could to protect our customers... Our products just aren't engineered for security"
		-- Brian Valentine, Senior Vice President of Microsoft, Windows Division

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures

-----END PGP SIGNATURE-----

From atom at suspicious.org Sun Jul 25 08:51:24 2004
From: atom at suspicious.org (Atom 'Smasher')
Date: Sun Jul 25 08:48:21 2004
Subject: --with-key-data
Message-ID: <20040725024658.Y326@willy_wonka>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

if i run:
	$ gpg --with-key-data < phils_new_key

it gives a lot less information than:
	$ gpg --with-key-data --list-keys phil

should it give the same information in both cases?

thanks...

        ...atom

 _________________________________________
 PGP key - http://atom.smasher.org/pgp.txt
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
 -------------------------------------------------

	"The problem with capitalism is that it best rewards the worst part of us: the ruthless, competitive, conniving, opportunistic, acquisitive drives, giving little reward and often much punishment - or at least much handicap - to honesty, compassion, fair play, many forms of hard work, love of justice, and a concern for those in need."
		-- Michael Parenti, Land of Idols (1994)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures

-----END PGP SIGNATURE-----

From atom at suspicious.org Sun Jul 25 08:52:41 2004
From: atom at suspicious.org (Atom 'Smasher')
Date: Sun Jul 25 08:49:38 2004
Subject: --with-fingerprint
Message-ID: <20040725025136.O326@willy_wonka>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

should the man page specify that, like --fingerprint, this can be used twice to show subkey fingerprints?

thanks....

        ...atom

 _________________________________________
 PGP key - http://atom.smasher.org/pgp.txt
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
 -------------------------------------------------

	"Everything that can be invented has been invented."
		-- Charles H. Duell, Commissioner, U.S. Office of Patents, 1899

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures

-----END PGP SIGNATURE-----

From t.schorpp at gmx.de Sun Jul 25 12:58:16 2004
From: t.schorpp at gmx.de (Thomas Schorpp)
Date: Sun Jul 25 12:56:07 2004
Subject: [ PATCH],improving ergonomic HMI fingerprint cross verification, 01 (DEMO ONLY)
In-Reply-To: <20040718140614.GE18366@jabberwocky.com>
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com> <20040717004649.M26762@willy_wonka> <20040718140614.GE18366@jabberwocky.com>
Message-ID: <41039248.9040903@gmx.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

hello,

first demo patch attached.

todo:

- - fixing hex nibble of fingerprint chars to colormap assignment ( yes it's crap until now ;)
- - sync to real colormap
- - handle all list modes
- - pack in extra function
- - all platforms (colleague said windos 2000 console couldn't handle the esc[[attr,fg,bgm color seq., other console colormap)
- - use foreground chars to enable clipboard etc (if not security risky)
. . .

y
thomas schorpp

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

-----END PGP SIGNATURE-----

-------------- next part --------------
A non-text attachment was scrubbed...
Name: fp-color-ts01.diff
Type: text/x-patch
Size: 2775 bytes
Desc: not available
Url : /pipermail/attachments/20040725/1975e84b/fp-color-ts01.bin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: fp-color-ts01.diff.sig
Type: application/octet-stream
Size: 152 bytes
Desc: not available
Url : /pipermail/attachments/20040725/1975e84b/fp-color-ts01.diff.exe

From dshaw at jabberwocky.com Sun Jul 25 18:02:09 2004
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun Jul 25 17:59:04 2004
Subject: 1.3.6 trust-model ???
In-Reply-To: <20040725022512.M326@willy_wonka>
References: <20040725022512.M326@willy_wonka>
Message-ID: <20040725160209.GL13749@jabberwocky.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, Jul 25, 2004 at 02:31:39AM -0400, Atom 'Smasher' wrote:

> the 1.3.6 man page says that the "pgp" trust model is the default. but if
> i run:
> $ gpg --verbose --list-keys 0xD9F57808
>
> it tells me:
> gpg: using classic trust model

GnuPG uses the "PGP" trust model as the default in 1.3.x, but if your trustdb was created using 1.2.x, then it is a "classic" trustdb, and using 1.3.x will not change this.

If you want to force a change, do "gpg --trust-model pgp --update-trustdb"

David

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6-cvs (GNU/Linux)

-----END PGP SIGNATURE-----

From dshaw at jabberwocky.com Sun Jul 25 19:35:46 2004
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun Jul 25 19:32:42 2004
Subject: 1.3.6 cert signatures
In-Reply-To: <20040725005842.L326@willy_wonka>
References: <20040723174846.R326@willy_wonka> <20040723231055.GG13749@jabberwocky.com> <20040723235507.K326@willy_wonka> <20040724120601.GI13749@jabberwocky.com> <20040724134912.F326@willy_wonka> <20040725040106.GK13749@jabberwocky.com> <20040725005842.L326@willy_wonka>
Message-ID: <20040725173545.GM13749@jabberwocky.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, Jul 25, 2004 at 02:24:41AM -0400, Atom 'Smasher' wrote:
> On Sun, 25 Jul 2004, David Shaw wrote:
>
> > Incidentally, don't assume that because SHA-256 is larger than SHA-1
> > that it is stronger. Remember the lesson of SHA-0.
> ================
>
> very true. i have to admit that i was ASSuming that the difference in
> strength between SHA-1 and SHA-256 is straightforward... but history may
> prove otherwise.

Yes. SHA-1 has been around and studied since 1995 - nearly 10 years. SHA-256 has only been around since 2001.

> > Programs do not become obsolete overnight. PGP 2.x is generally
> > considered obsolete, but that took *years* (and some people seem to
> > have missed the memo). GnuPG doesn't even support generating SHA-256
> > signatures yet. You are using a development build (or hacking 1.2.x)
> > to do it, so it's rather premature to claim that the actual released
> > version of GnuPG is now obsolete...
> ==================
>
> i don't want to imply that the release branch is obsolete, or even lacking
> anything for 99.99% of users... i'm well aware that i'm pushing things to
> the limit.
>
> i can't remember the last time i saw a 1.2.2 version header. (are GnuPG
> users just more likely than PGP users to upgrade regularly?)

I'm not sure, but remember that 1.2.4 contained a security fix (the Elgamal signing keys) that was announced pretty widely, and caused various *nix distributions to issue neatly packaged updates. After that, I'm not surprised that most people who care at all about using GnuPG upgraded.

I've noticed in the PGP world, the users who don't upgrade do tend to upgrade within a particular series of PGP. So PGP 6 people will use the latest PGP 6, but not upgrade to PGP 7 or 8, etc. This sort of makes sense since each major release of PGP has had fairly different characteristics (command line available or not, source code release or not, and so on).

> i'm generating the SHA-256 certs with 1.3.x, and 1.2.4 seems to
> handle them fine. i have both versions installed on my desktop, and
> did enough testing between them that i'm happy with it.

The SHA-256 code is identical between the two. The only difference is that 1.2.4 has some extra code in the main program to prevent people from making signatures with it (or 384/512).

Did you try the SHA-256 cert signatures with PGP 8?

> 1) if i do explicitly set it to generate a cert with SHA-256, and
> i'm signing something with a DSA key, gpg will consider it a hard
> error and exit. would it make more sense to just issue a warning in
> that case? i'm not going to ask for a "cert-digest-preferences"
> option.

No. This is a hard error, since you asked GnuPG to do something that is not possible (use a >160-bit hash with DSA). A warning (and presumably using SHA-1 as the hash) risks doing something the user did not desire to happen.

> 2) according to the 1.3.6 man page, "--ask-cert-level" should be on by
> default. that seems to be incorrect.

Yes. That's a documentation error. --ask-cert-level is off by default.

David

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6-cvs (GNU/Linux)

-----END PGP SIGNATURE-----

From JPClizbe at comcast.net Sun Jul 25 21:13:56 2004
From: JPClizbe at comcast.net (John Clizbe)
Date: Sun Jul 25 21:11:20 2004
Subject: --with-fingerprint
In-Reply-To: <20040725025136.O326@willy_wonka>
References: <20040725025136.O326@willy_wonka>
Message-ID: <41040674.3070009@comcast.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Atom 'Smasher' wrote:
> should the man page specify that, like --fingerprint, this can be used
> twice to show subkey fingerprints?
>

I'm certain the maintainers would welcome your patches to the man page. As well as any other corrections you would wish to submit. 8-{)

- --
John P. Clizbe                      Inet: JPClizbe(a)comcast DOT nyet
Golden Bear Networks                PGP/GPG KeyID: 0x608D2A10
"Why is my life an endless John Hughes movie when I'm pushing Oliver Stone potential?"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (Windows 2000 SP4)
Comment: Annoy John Asscraft -- Use Strong Encryption
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

-----END PGP SIGNATURE-----

From atom at suspicious.org Sun Jul 25 23:30:01 2004
From: atom at suspicious.org (Atom 'Smasher')
Date: Sun Jul 25 23:27:09 2004
Subject: 1.3.6 cert signatures
In-Reply-To: <20040725173545.GM13749@jabberwocky.com>
References: <20040723174846.R326@willy_wonka> <20040723231055.GG13749@jabberwocky.com> <20040723235507.K326@willy_wonka> <20040724120601.GI13749@jabberwocky.com> <20040724134912.F326@willy_wonka> <20040725040106.GK13749@jabberwocky.com> <20040725005842.L326@willy_wonka> <20040725173545.GM13749@jabberwocky.com>
Message-ID: <20040725141545.C326@willy_wonka>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Sun, 25 Jul 2004, David Shaw wrote:

> On Sun, Jul 25, 2004 at 02:24:41AM -0400, Atom 'Smasher' wrote:

> I've noticed in the PGP world, the users who don't upgrade do tend to
> upgrade within a particular series of PGP. So PGP 6 people will use
> the latest PGP 6, but not upgrade to PGP 7 or 8, etc. This sort of
> makes sense since each major release of PGP has had fairly different
> characteristics (command line available or not, source code release or
> not, and so on).
================

sounds to me like more good reasons to be using GnuPG ;)

> Did you try the SHA-256 cert signatures with PGP 8?
=================

no, but i think it claims to support SHA-256. if anyone has a copy (of PGP-8) installed, feel free to test my key on it... i recently added two RSA subkeys with SHA-256 certs.

> No. This is a hard error, since you asked GnuPG to do something that
> is not possible (use a >160-bit hash with DSA). A warning (and
> presumably using SHA-1 as the hash) risks doing something the user did
> not desire to happen.
==================

that makes sense... the only time it's a problem is either if it's in the config file, or if i run something like:
	gpg -u dsa-user -u rsa-user --cert-digest-algo sha256 --sign-key xyz
where one signing key is DSA and one isn't.

>> 2) according to the 1.3.6 man page, "--ask-cert-level" should be on by
>> default. that seems to be incorrect.
>
> Yes. That's a documentation error. --ask-cert-level is off by
> default.
===================

i would think the default should be to ask... new users won't know to set an option, and experienced users can turn it off if they want.

        ...atom

 _________________________________________
 PGP key - http://atom.smasher.org/pgp.txt
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
 -------------------------------------------------

	"HEY! HO! LET'S GO!"
		-- The Ramones

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures

-----END PGP SIGNATURE-----

From t.schorpp at gmx.de Sun Jul 25 23:34:19 2004
From: t.schorpp at gmx.de (Thomas Schorpp)
Date: Sun Jul 25 23:32:05 2004
Subject: [ PATCH][TESTREQ],fingerprint colorcode, V 0.2
In-Reply-To: <20040718140614.GE18366@jabberwocky.com>
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com> <20040717004649.M26762@willy_wonka> <20040718140614.GE18366@jabberwocky.com>
Message-ID: <4104275B.8060902@gmx.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

hello,

more "usable" demo patch attached, now matching full colormap.

issues: on my console dim yellow and bright and few other look SAME (bash shell), that's bad, could other platforms verify that, pls? thank you.

todo:

- - handle all list modes
- - pack print bunch in own function
- - implement command line arg " --colorcode"
- - all platforms (colleague said windos 2000 console couldn't handle the esc[[attr,fg,bgm color seq., other console colormap)
- - use foreground chars to enable clipboard etc (if not security risky)
- - all charsets and unicode (aargh! :), chinese ?
. . .

y
thomas schorpp

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

-----END PGP SIGNATURE-----

-------------- next part --------------
A non-text attachment was scrubbed...
Name: fp-color-ts02.diff.sig
Type: application/octet-stream
Size: 152 bytes
Desc: not available
Url : /pipermail/attachments/20040725/95043b0e/fp-color-ts02.diff-0001.exe

-------------- next part --------------
A non-text attachment was scrubbed...
Name: fp-color-ts02.diff
Type: text/x-patch
Size: 2803 bytes
Desc: not available
Url : /pipermail/attachments/20040725/95043b0e/fp-color-ts02-0001.bin

From atom at suspicious.org Mon Jul 26 00:01:55 2004
From: atom at suspicious.org (Atom 'Smasher')
Date: Sun Jul 25 23:58:52 2004
Subject: [ PATCH][TESTREQ],fingerprint colorcode, V 0.2
In-Reply-To: <4104275B.8060902@gmx.de>
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com> <20040717004649.M26762@willy_wonka> <20040718140614.GE18366@jabberwocky.com> <4104275B.8060902@gmx.de>
Message-ID: <20040725173638.K326@willy_wonka>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Sun, 25 Jul 2004, Thomas Schorpp wrote:

> issues: on my console dim yellow and bright and few other look SAME
> (bash shell), thats bad, could other platforms verify that, pls? thank you.
====================

i think that depends more on the terminal than the shell. i attached a TXT file with control characters that are not universal, but should work on ~most~ current terminals to display colors. just cat the file in some different terminals and you'll find which ones work, and to what degree.

MD5 (colors) = 62ebf3373f8c54b582a1c8ada32167c9

i would think this is best suited for GUI interfaces (kgpg, seahorse, html keyservers, gimp plug-in, etc), not a command line interface... trying to do colors on a terminal is an uphill battle that would probably require a fair amount of dependencies (curses, slang, etc) and still not work everywhere. especially if someone has their terminal configured to display non-standard colors.

hhmmm... in the same way that an external photo-viewer can be specified, maybe a tiny (external) app can be specified to show fingerprints?

how are you coordinating hex digits to colors? maybe i can whip out some PHP for web based apps (aka keyservers).

one question, to everyone who's reading... should this type of interface discriminate between v3 and v4 fingerprints? should v3 fingerprints be ignored? should there be a border around each color box, so 8 blank spaces of a v3 fingerprint can't be confused as 8 white boxes of a v4 fingerprint?

        ...atom

 _________________________________________
 PGP key - http://atom.smasher.org/pgp.txt
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
 -------------------------------------------------

	"Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so."
		-- Douglas Adams, Last Chance to See

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures

-----END PGP SIGNATURE-----

-------------- next part --------------
1 Bold * Bold
2 Dim or secondary color * Dim or secondary color
3 Italic * Italic
4 Underscore * Underscore
5 Slow Blink * Slow Blink
6 Fast Blink * Fast Blink
7 Reverse * Reverse
8 Concealed - do not echo * Concealed - do not echo

30 Black * Black
31 Red * Red
32 Green * Green
33 Yellow or Brown * Yellow or Brown
34 Blue * Blue
35 Purple * Purple
36 Cyan * Cyan
37 White or Grey * White or Grey

90 Dark Grey * Dark Grey
91 Bright Red * Bright Red
92 Bright Green * Bright Green
93 Bright Yellow * Bright Yellow
94 Bright Blue * Bright Blue
95 Bright Purple * Bright Purple
96 Bright Cyan * Bright Cyan
97 White * White

40 Black Background * Black Background
41 Red Background * Red Background
42 Green Background * Green Background
43 Yellow or Brown Background * Yellow or Brown Background
44 Blue Background * Blue Background
45 Purple Background * Purple Background
46 Cyan Background * Cyan Background
47 White or Grey Background * White or Grey Background

100 Dark Grey Background * Dark Grey Background
101 Bright Red Background * Bright Red Background
102 Bright Green Background * Bright Green Background
103 Bright Yellow Background * Bright Yellow Background
104 Bright Blue Background * Bright Blue Background
105 Bright Purple Background * Bright Purple Background
106 Bright Cyan Background * Bright Cyan Background
107 White Background * White Background

From gdt at ir.bbn.com Mon Jul 26 14:49:30 2004
From: gdt at ir.bbn.com (Greg Troxel)
Date: Mon Jul 26 14:46:23 2004
Subject: [FEATURE REQ, RFC], improving ergonomic HMI fingerprint cross verification
In-Reply-To: <20040716155249.GC13525@jabberwocky.com>
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com>
Message-ID:

The problem with this sort of thing is translation. I don't know what "Alpha Bravo Charlie Delta Echo Foxtrot" would be in other languages, or even if it would be pronounced the same way. Still, this is an ITU standard, so perhaps it would be familiar enough.

The whole point of the ICAO phonetic alphabet (adopted by ITU) is that it can be pronounced unambiguously by speakers of any language. See http://en.wikipedia.org/wiki/NATO_phonetic_alphabet for a nice description.

So from one viewpoint, that of amateur radio and aviation, no translation is needed. Still, it's unfriendly to speakers of other than western European languages to impose words which are basically drawn from English/French/Spanish. But, it is arguably sensible for cross-language fingerprint checking.

It's not clear to me how hexadecimal is used in countries with non-latin alphabets. (Perhaps fingerprints should have been in octal!)

--
        Greg Troxel

From atom at suspicious.org Mon Jul 26 19:20:26 2004
From: atom at suspicious.org (Atom 'Smasher')
Date: Mon Jul 26 19:17:41 2004
Subject: binding sigs
Message-ID: <20040726125312.O326@willy_wonka>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

is this considered an attack:
	mallory generates a few thousand (or more) keys and signs bob's key with all of them (maybe spoofing different dates). mallory posts bob's signed key to a keyserver, where these signatures will spread and become a burden, not an asset, to bob's key.

mallory could also create keys with UIDs of infamous persons, and post those public keys to the keyservers, giving the *impression* that bob's key was signed by mass murderers, rapists, war criminals, etc.

of course the way to avoid this (and similar nuisances) is to require that certification signatures (0x10 - 0x13) must be accepted by bob's primary key before they are accepted by OpenPGP implementations (especially keyservers). however, bob must be able to import such a key signature before it's accepted, or he will have no way to accept it.

and, of course, if bob accepts a certification signature from alice, alice must be able to revoke that signature without requiring acceptance from bob.

is it feasible (or desired) to add such a mechanism to the OpenPGP standard?

thanks....

        ...atom

 _________________________________________
 PGP key - http://atom.smasher.org/pgp.txt
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
 -------------------------------------------------

	"I am committed to helping Ohio deliver its electoral votes to the president [Bush] next year"
		-- Walden O'Dell, CEO of Diebold August 2003

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures

-----END PGP SIGNATURE-----

From dshaw at jabberwocky.com Mon Jul 26 19:32:34 2004
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon Jul 26 19:29:34 2004
Subject: binding sigs
In-Reply-To: <20040726125312.O326@willy_wonka>
References: <20040726125312.O326@willy_wonka>
Message-ID: <20040726173234.GA19598@jabberwocky.com>

On Mon, Jul 26, 2004 at 01:20:26PM -0400, Atom 'Smasher' wrote:

> is this considered an attack:
> mallory generates a few thousand (or more) keys and signs bob's
> key with all of them (maybe spoofing different dates). mallory posts bob's
> signed key to a keyserver, where these signatures will spread and become a
> burden, not an asset, to bob's key.
>
> mallory could also create keys with UIDs of infamous persons, and post
> those public keys to the keyservers, giving the *impression* that bob's
> key was signed by mass murderers, rapists, war criminals, etc.

It's not a really useful attack since it does not actually impact the security of the system. It's more of a prank. It happened quite a bit back in the PGP 2 days (check out some of the sigs on prz's key), but then people got bored with it since it doesn't actually do anything harmful.

> of course the way to avoid this (and similar nuisances) is to require that
> certification signatures (0x10 - 0x13) must be accepted by bob's primary
> key before they are accepted by OpenPGP implementations (especially
> keyservers). however, bob must be able to import such a key signature
> before it's accepted, or he will have no way to accept it.
>
> and, of course, if bob accepts a certification signature from alice, alice
> must be able to revoke that signature without requiring acceptance from
> bob.
>
> is it feasible (or desired) to add such a mechanism to the OpenPGP
> standard?

Already in there. That's what the keyserver no-modify flag is for. No keyserver currently follows it though.

David

From t.schorpp at gmx.de Tue Jul 27 08:51:00 2004
From: t.schorpp at gmx.de (Thomas Schorpp)
Date: Tue Jul 27 08:48:36 2004
Subject: [ PATCH][TESTREQ],fingerprint colorcode, V 0.2
In-Reply-To: <20040725173638.K326@willy_wonka>
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com> <20040717004649.M26762@willy_wonka> <20040718140614.GE18366@jabberwocky.com> <4104275B.8060902@gmx.de> <20040725173638.K326@willy_wonka>
Message-ID: <4105FB54.9070600@gmx.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

hi man,

Atom 'Smasher' wrote:
| On Sun, 25 Jul 2004, Thomas Schorpp wrote:
|
| i would think this is best suited for GUI interfaces (kgpg, seahorse,
| html keyservers, gimp plug-in, etc), not a command line interface...

you are right IF you can assure highly secure interfaces and comms to these apps then. i like it in terminal and testers of gui apps surely too for verification of bugs.

| trying to do colors on a terminal is an uphill battle that would
| probably require a fair amount of dependencies (curses, slang, etc) and
| still not work everywhere. especially if someone has their terminal
| configured to display non-standard colors.

e.g.?

|
| hhmmm... in the same way that an external photo-viewer can be specified,
| maybe a tiny (external) app can be specified to show fingerprints?

no, it should be in standard gpg gui apps.

|
| how are you coordinating hex digits to colors? maybe i can whip out some
| PHP for web based apps (aka keyservers).

not correctly yet, it seems, bright isn't working:

p_padala@yahoo.com:

~ [{attr};{fg};{bg}m

~ The first character is ESC which has to be printed by pressing CTRL+V and then ESC on the Linux console or in xterm, konsole, kvt, etc. ("CTRL+V ESC" is also the way to embed an escape character in a document in vim.) Then {attr}, {fg}, {bg} have to be replaced with the correct value to get the corresponding effect. attr is the attribute like blinking or underlined etc.. fg and bg are foreground and background colors respectively. You don't have to put braces around the number. Just writing the number will suffice.

{attr} is one of following

~ 0 Reset All Attributes (return to normal mode)
~ 1 Bright (Usually turns on BOLD)
~ 2 Dim
~ 3 Underline
~ 5 Blink
~ 7 Reverse
~ 8 Hidden

{fg} is one of the following

~ 30 Black
~ 31 Red
~ 32 Green
~ 33 Yellow
~ 34 Blue
~ 35 Magenta
~ 36 Cyan
~ 37 White

{bg} is one of the following

~ 40 Black
~ 41 Red
~ 42 Green
~ 43 Yellow
~ 44 Blue
~ 45 Magenta
~ 46 Cyan
~ 47 White

... is outdated, but your codes work fine, i'll correct this now, thx.

|
| one question, to everyone who's reading... should this type of interface
| discriminate between v3 and v4 fingerprints? should v3 fingerprints be
| ignored? should there be a border around each color box, so 8 blank
| spaces of a v3 fingerprint can't be confused as 8 white boxes of a v4
| fingerprint?
|

i try to assure that.

|
| ...atom

y
tom

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

-----END PGP SIGNATURE-----

From Stefan.Haller at ascom.ch Tue Jul 27 08:58:04 2004
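The colour-coded fingerprint display discussed in the two messages above, as an added example (not the scrubbed fp-color patches, and not GnuPG code). It uses the SGR codes from the attached list and answers the v3/v4 question with a version label and a border after every cell. The nibble-to-colour mapping and all function names are assumptions.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* A v3 fingerprint is an MD5 digest (32 hex digits); a v4 fingerprint is a
   SHA-1 digest (40 hex digits).  The length alone tells them apart. */
enum fpr_kind { FPR_INVALID = 0, FPR_V3 = 3, FPR_V4 = 4 };

/* ASSUMED nibble-to-colour mapping (not the one in the fp-color patches):
   0-7 use SGR backgrounds 40-47, 8-F the bright backgrounds 100-107.
   The foreground is picked for contrast so the digit itself stays readable
   and can still be copied from the terminal. */
static const int bg_code[16] = { 40, 41, 42, 43, 44, 45, 46, 47,
                                 100, 101, 102, 103, 104, 105, 106, 107 };
static const int fg_code[16] = { 97, 97, 30, 30, 97, 97, 30, 30,
                                 97, 30, 30, 30, 30, 30, 30, 30 };

/* Strip blanks, validate, upper-case.  out must hold 41 bytes. */
enum fpr_kind fpr_normalize(const char *in, char out[41])
{
    size_t n = 0;

    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (isspace(c))
            continue;
        if (!isxdigit(c) || n >= 40)
            return FPR_INVALID;
        out[n++] = (char)toupper(c);
    }
    out[n] = '\0';
    return n == 32 ? FPR_V3 : n == 40 ? FPR_V4 : FPR_INVALID;
}

/* Bounded printf-append; fails instead of truncating a fingerprint. */
static int append(char *buf, size_t len, size_t *used, const char *fmt, ...)
{
    va_list ap;
    int w;

    va_start(ap, fmt);
    w = vsnprintf(buf + *used, len - *used, fmt, ap);
    va_end(ap);
    if (w < 0 || (size_t)w >= len - *used)
        return -1;
    *used += (size_t)w;
    return 0;
}

/* Render one bordered colour cell per hex digit into buf.
   Returns the number of cells (32 or 40), or -1 on bad input/short buffer. */
int fpr_render(const char *fpr, char *buf, size_t len)
{
    char hex[41];
    size_t used = 0, i;
    enum fpr_kind kind = fpr_normalize(fpr, hex);

    if (kind == FPR_INVALID || len == 0)
        return -1;
    /* The version label and the '|' borders keep a v3 print from being
       mistaken for a v4 print with trailing blank or white cells. */
    if (append(buf, len, &used, "v%d |", (int)kind) < 0)
        return -1;
    for (i = 0; hex[i]; i++) {
        int v = hex[i] <= '9' ? hex[i] - '0' : hex[i] - 'A' + 10;
        if (i && i % 4 == 0 && append(buf, len, &used, " |") < 0)
            return -1;
        if (append(buf, len, &used, "\033[%d;%dm%c\033[0m|",
                   fg_code[v], bg_code[v], hex[i]) < 0)
            return -1;
    }
    return (int)i;
}

int main(void)
{
    char buf[1024];
    /* The first fingerprint is the one quoted in this thread; the second is
       a constructed 32-digit value standing in for a v3 key. */
    const char *samples[] = {
        "762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808",
        "0123 4567 89AB CDEF 0123 4567 89AB CDEF"
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (fpr_render(samples[i], buf, sizeof buf) > 0)
            puts(buf);
    return 0;
}
```

Whether codes 100-107 are distinguishable from 40-47 depends on the terminal, which is the problem reported earlier in the thread for dim and bright yellow.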
From: Stefan.Haller at ascom.ch (Stefan Haller)
Date: Tue Jul 27 08:54:52 2004
Subject: Concurrency Issues with gnupg 1.2.3: keyring is deleted
Message-ID:

Hi all

I have some concurrency problems with GPG. I would appreciate any help.

I wrote a service which verifies messages, afterwards processes the message and encrypts a result to return to the caller. Such a request arrives about once a second, sometimes more, sometimes less. In parallel, automatic public key imports may happen in case new keys are delivered to the system. The service runs up to 20 gnupg processes at the same time to get a good enough performance in request processing.

I am using gnupg because PGP provides all functionality I need and I was too lazy to program something on my own (I usually only found low-level interfaces to such encryption tasks in the existing libraries).

Problem 1: locking of keyring, minor problem

Quite often, gpg tells me that the keyring is locked (using verify, sign or encrypt).

Question: may I use the option --lock-never, or may this corrupt the keyring because of write accesses in those functions? Of course, I will do my own locking for updates that locks out verify, sign and encrypt functions in this case.

Solution two (a bit less obfuscated) would be to spot the exit code if a lock file caused unsuccessful exit and rerun the operation in this case. Unfortunately, from what I see in g10/keyring.c it seems that gnupg returns always G10ERR_GENERAL in error cases, therefore, I will have to define my own return code that indicates locks.

Problem 2: keyring is completely deleted, fatal problem

Yesterday, my whole public key ring was deleted by gnupg (note, I'm not using the --lock-never function yet, current options are --batch, --no-secmem-warning and --always-trust).

Well it happened that the system was importing several keys while the service was running. An import was happening and at the same time a verify was started. The verify returned the message '"pubring.gpg" created' and the whole ring was suddenly 0 bytes. The backup was gone, too, because more keys were imported afterwards.

Therefore, I suspect that locking does not work appropriately when importing. Do you confirm that?

I would appreciate any advice on how to solve this. Or should I abandon gnupg completely as it is not intended to be used with more than one instance for the same user?

Thank you for your time.

Stefan Haller

Stefan Haller
Software Development Transport Revenue
________________________________
Ascom Autelca Ltd.
Worbstrasse 201
CH-3073 Gümligen
Phone +41 31 999 65 06
Fax +41 31 999 65 82
stefan.haller@ascom.ch
www.ascom.com

From wk at gnupg.org Tue Jul 27 09:08:27 2004
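The service-side locking described in the message above (verify, sign and encrypt share the keyring, imports take it exclusively), as an added example that is not part of the thread or of GnuPG. The lock file, the helper names and the rule that an import never shrinks pubring.gpg are assumptions of this sketch; gpg's own locking is left enabled.

```python
import contextlib
import fcntl
import os
import shutil
import subprocess
import time


@contextlib.contextmanager
def keyring_lock(lock_path, exclusive, blocking=True):
    """Hold an advisory flock() on a service-owned lock file (not gpg's own)."""
    fd = os.open(lock_path, os.O_RDWR | os.O_CREAT, 0o600)
    try:
        mode = fcntl.LOCK_EX if exclusive else fcntl.LOCK_SH
        if not blocking:
            mode |= fcntl.LOCK_NB  # raise BlockingIOError instead of waiting
        fcntl.flock(fd, mode)
        yield
    finally:
        os.close(fd)  # closing the descriptor releases the lock


def run_locked(cmd, lock_path, writes_keyring):
    """Run one gpg command: readers share the lock, writers own it."""
    with keyring_lock(lock_path, exclusive=writes_keyring):
        return subprocess.run(cmd, capture_output=True, text=True)


def snapshot_keyring(pubring, backup_dir, keep=5):
    """Copy a non-empty keyring to a timestamped file; keep the newest `keep`."""
    if os.path.getsize(pubring) == 0:
        raise RuntimeError("refusing to snapshot an empty keyring")
    os.makedirs(backup_dir, exist_ok=True)
    dest = os.path.join(backup_dir, "pubring.%d.gpg" % time.time_ns())
    shutil.copy2(pubring, dest)
    for old in sorted(os.listdir(backup_dir))[:-keep]:
        os.remove(os.path.join(backup_dir, old))
    return dest


def guarded_import(import_cmd, pubring, lock_path, backup_dir):
    """Serialize an import against all readers and roll back a shrunken ring."""
    with keyring_lock(lock_path, exclusive=True):
        before = os.path.getsize(pubring)
        backup = snapshot_keyring(pubring, backup_dir)
        result = subprocess.run(import_cmd, capture_output=True, text=True)
        after = os.path.getsize(pubring) if os.path.exists(pubring) else 0
        if after < before:  # assumption: an import only ever adds data
            shutil.copy2(backup, pubring)  # readers are still locked out here
            raise RuntimeError("keyring shrank during import; restored " + backup)
        return result


# Intended use (paths are placeholders):
#   run_locked(["gpg", "--batch", "--verify", "msg.asc"], LOCK, writes_keyring=False)
#   guarded_import(["gpg", "--batch", "--import", "new.asc"], PUBRING, LOCK, BACKUPS)
```

The lock only protects processes that go through these helpers; any gpg started outside them still races with the import.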
From: wk at gnupg.org (Werner Koch)
Date: Tue Jul 27 09:08:29 2004
Subject: [Announce] GnuPG 1.2.5 released
Message-ID:

Hello!

We are pleased to announce the availability of a new stable GnuPG release: Version 1.2.5

The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication and data storage. It is a complete and free replacement of PGP and can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440.

This is mainly a bug fix release; for details see the "What's New" section below.

Getting the Software
====================

Please follow the instructions found at http://www.gnupg.org/download/ or read on:

GnuPG 1.2.5 may be downloaded from one of the GnuPG mirror sites or direct from ftp://ftp.gnupg.org/gcrypt . The list of mirrors can be found at http://www.gnupg.org/mirrors.html . Note, that GnuPG is not available at ftp.gnu.org.

On the mirrors you should find the following files in the *gnupg* directory:

  gnupg-1.2.5.tar.bz2 (2430k)
  gnupg-1.2.5.tar.bz2.sig

      GnuPG source compressed using BZIP2 and OpenPGP signature.

  gnupg-1.2.5.tar.gz (3559k)
  gnupg-1.2.5.tar.gz.sig

      GnuPG source compressed using GZIP and OpenPGP signature.

  gnupg-1.2.4-1.2.5.diff.gz (979k)

      A patch file to upgrade a 1.2.4 GnuPG source. This file is
      signed; you have to use GnuPG > 0.9.5 to verify the signature.
      GnuPG has a feature to allow clear signed patch files which can
      still be processed by the patch utility.

Select one of them. To shorten the download time, you probably want to get the BZIP2 compressed file. Please try another mirror if exceptionally your mirror is not yet up to date.

In the *binary* directory, you should find these files:

  gnupg-w32cli-1.2.5.zip (1468k)
  gnupg-w32cli-1.2.5.zip.sig

      GnuPG compiled for Microsoft Windows and OpenPGP signature.
      Note that this is a command line version and comes without a
      graphical installer tool. You have to use an UNZIP utility to
      extract the files and install them manually. The included file
      README.W32 has further instructions.

Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways:

 * If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the signature of the file gnupg-1.2.4.tar.bz2 you would use this command:

     gpg --verify gnupg-1.2.5.tar.bz2.sig

   This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Note, that you can retrieve the signing key using "finger wk 'at' g10code.com" or "dd9jn 'at' gnu.org" or using the keyservers. I recently prolonged the expiration date; thus you might need a fresh copy of that key.

   Never use a GnuPG version you just downloaded to check the integrity of the source - use an existing GnuPG installation!

 * If you are not able to use an old version of GnuPG, you have to verify the MD5 checksum. Assuming you downloaded the file gnupg-1.2.5.tar.bz2, you would run the md5sum command like this:

     md5sum gnupg-1.2.5.tar.bz2

   and check that the output matches the first line from the following list:

     9109ff94f7a502acd915a6e61d28d98a  gnupg-1.2.5.tar.gz
     e4991e46fde52b216410ef0f485b4217  gnupg-1.2.5.tar.bz2
     d591cb58a7bc81d4e5572260ba2cd595  gnupg-1.2.4-1.2.5.diff.gz
     3d93d73942117c4c0182cb15e01de70f  gnupg-w32cli-1.2.5.zip

Upgrade Information
===================

If you are upgrading from a version prior to 1.0.7, you should run the script tools/convert-from-106 once. Please note also that due to a bug in versions prior to 1.0.6 it may not be possible to downgrade to such versions unless you apply the patch http://www.gnupg.org/developer/gpg-woody-fix.txt .

If you have any problems, please see the FAQ and the mailing list archive at http://lists.gnupg.org. Please direct questions to the gnupg-users@gnupg.org mailing list.

What's New
===========

Here is a list of major user visible changes since 1.2.4:

 * New --ask-cert-level/--no-ask-cert-level option to turn on and off the prompt for signature level when signing a key. Defaults to on.

 * New --min-cert-level option to disregard key signatures that are under a specified level. Defaults to 1 (i.e. don't disregard anything).

 * New --max-output option to limit the amount of plaintext output generated by GnuPG. This option can be used by programs which call GnuPG to process messages that may result in plaintext larger than the calling program is prepared to handle. This is sometimes called a "Decompression Bomb".

 * New --list-config command for frontends and other programs that call GnuPG. See doc/DETAILS for the specifics of this.

 * New --gpgconf-list command for internal use by the gpgconf utility from gnupg 1.9.x.

 * Some performance improvements with large keyrings. See --enable-key-cache=SIZE in the README file for details.

 * Some portability fixes for the OpenBSD/i386, HPPA, and AIX platforms.

 * Simplified Chinese translation.

Internationalization
====================

GnuPG comes with support for 28 languages:

  American English           Indonesian (id)
  Bela-Russian (be)[*]       Italian (it)
  Catalan (ca)[*]            Japanese (ja)[*]
  Czech (cs)                 Polish (pl)
  Danish (da)[*]             Brazilian Portuguese (pt_BR)[*]
  Dutch (nl)                 Portuguese (pt)[*]
  Esperanto (eo)[*]          Romanian (ro)
  Estonian (et)              Russian (ru)
  Finnish (fi)               Slovak (sk)
  French (fr)                Spanish (es)
  Galician (gl)[*]           Swedish (sv)[*]
  German (de)                Traditional Chinese (zh_TW)[*]
  Greek (el)                 Simplified Chinese (zh_CN)
  Hungarian (hu)             Turkish (tr)

Languages marked with [*] were not updated for this release and you may notice untranslated messages. Many thanks to the translators for their ongoing support of GnuPG.

Future Directions
=================

GnuPG 1.2.x is the current stable branch and won't undergo any serious changes. We will just fix bugs and add compatibility fixes as required.

GnuPG 1.3.x is the version where we do most new stuff and it will lead to the next stable version 1.4 not too far away.

GnuPG 1.9.x is next generation GnuPG. This version merged the code from the Aegypten project and thus it includes the gpg-agent, a smartcard daemon and gpg's S/MIME cousin gpgsm. The design is different to the previous versions and we may not support all ancient systems - thus POSIX compatibility will be an absolute requirement for supported platforms. 1.9 is based on a somewhat older 1.3 code and will peacefully coexist with other GnuPG versions.

Happy Hacking,

The GnuPG Team (David, Stefan, Timo and Werner)

--
Werner Koch
The GnuPG Experts                  http://g10code.com
Free Software Foundation Europe    http://fsfeurope.org

_______________________________________________
Gnupg-announce mailing list
Gnupg-announce@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From t.schorpp at gmx.de Tue Jul 27 09:21:55 2004
From: t.schorpp at gmx.de (Thomas Schorpp)
Date: Tue Jul 27 09:19:25 2004
Subject: [ PATCH][TESTREQ],fingerprint colorcode, V 0.3, now with all colors
In-Reply-To: <20040725173638.K326@willy_wonka>
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com> <20040717004649.M26762@willy_wonka> <20040718140614.GE18366@jabberwocky.com> <4104275B.8060902@gmx.de> <20040725173638.K326@willy_wonka>
Message-ID: <41060293.3040506@gmx.de>

hi man,

Atom 'Smasher' wrote:
| On Sun, 25 Jul 2004, Thomas Schorpp wrote:
|
| | how are you coordinating hex digits to colors? maybe i can whip out some
| | PHP for web based apps (aka keyservers).
|
| not correctly yet, it seems, bright isn't working:

now it is working correctly (linux kde-term, console term). thanks to atom for providing the correct color table ;)

now searching for the "die" char and implementing foreground chars for copying (don't know if clipboards will work)

|
| ...atom

y
tom

-------------- next part --------------
A non-text attachment was scrubbed...
Name: fp-color-ts03.diff.sig
Type: application/octet-stream
Size: 152 bytes
Desc: not available
Url : /pipermail/attachments/20040727/12da9782/fp-color-ts03.diff.exe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fp-color-ts03.diff
Type: text/x-patch
Size: 2804 bytes
Desc: not available
Url : /pipermail/attachments/20040727/12da9782/fp-color-ts03.bin

From t.schorpp at gmx.de Tue Jul 27 09:16:13 2004
From: t.schorpp at gmx.de (Thomas Schorpp)
Date: Tue Jul 27 09:20:35 2004
Subject: [ PATCH][TESTREQ],fingerprint colorcode, V 0.3, now with all colors
In-Reply-To: <20040725173638.K326@willy_wonka>
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com> <20040717004649.M26762@willy_wonka> <20040718140614.GE18366@jabberwocky.com> <4104275B.8060902@gmx.de> <20040725173638.K326@willy_wonka>
Message-ID: <4106013D.5010001@gmx.de>

hi man,

Atom 'Smasher' wrote:
| On Sun, 25 Jul 2004, Thomas Schorpp wrote:
|
| | how are you coordinating hex digits to colors? maybe i can whip out some
| | PHP for web based apps (aka keyservers).
|
| not correctly yet, it seems, bright isn't working:

now it is working correctly (linux kde-term, console term). thanks to atom for providing the correct color table ;)

now searching for the "die" char and implementing foreground chars for copying (don't know if clipboards will work)

|
| ...atom

y
tom

-------------- next part --------------
A non-text attachment was scrubbed...
Name: fpcolors03.jpg
Type: image/jpeg
Size: 125936 bytes
Desc: not available
Url : /pipermail/attachments/20040727/f02f5746/fpcolors03-0001.jpg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fp-color-ts03.diff.sig
Type: application/octet-stream
Size: 152 bytes
Desc: not available
Url : /pipermail/attachments/20040727/f02f5746/fp-color-ts03.diff-0001.exe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fp-color-ts03.diff
Type: text/x-patch
Size: 2803 bytes
Desc: not available
Url : /pipermail/attachments/20040727/f02f5746/fp-color-ts03-0001.bin

From wk at gnupg.org Tue Jul 27 09:42:37 2004
From: wk at gnupg.org (Werner Koch)
Date: Tue Jul 27 09:56:37 2004
Subject: [Announce] GnuPG 1.2.5 released
Message-ID: <871xixkiaa.fsf@wheatstone.g10code.de>

[reposted due to the Mailman garbled signature]

From wk at gnupg.org Tue Jul 27 12:08:54 2004
From: wk at gnupg.org (Werner Koch)
Date: Tue Jul 27 12:08:28 2004
Subject: [Announce] GnuPG 1.2.5 released
In-Reply-To: <871xixkiaa.fsf@wheatstone.g10code.de> (Werner Koch's message of "Tue, 27 Jul 2004 09:42:37 +0200")
References: <871xixkiaa.fsf@wheatstone.g10code.de>
Message-ID: <87d62hiwy1.fsf@wheatstone.g10code.de>

On Tue, 27 Jul 2004 09:42:37 +0200, Werner Koch said:

> [reposted due to the Mailman garbled signature]

Yes, I know: Mailman stripped the signature part this time too :-(

Werner

From albrecht.dress at arcor.de Tue Jul 27 19:57:32 2004
From: albrecht.dress at arcor.de (Albrecht Dreß)
Date: Tue Jul 27 19:54:47 2004
Subject: [BUG?] gpgme 0.9.0 & passphrase oddity
In-Reply-To: <873c3m78uh.wl@ulysses.g10code.de> (from marcus.brinkmann@ruhr-uni-bochum.de on Die, Jul 20, 2004 at 21:54:30 +0200)
References: <1089320527l.26965l.0l@antares.localdomain> <873c3m78uh.wl@ulysses.g10code.de>
Message-ID: <1090951063l.1889l.0l@antares.localdomain>

On 20.07.04 21:54, Marcus Brinkmann wrote:
> I agree :) This does not seem to be a GPGME issue, though. Some
> versions of gpg-agent swallow the cancel from pinentry. I have to
> take a closer look at which versions are affected.

I meanwhile upgraded to gpg(-agent) 1.9.10 (from 1.9.8), but this wrong behaviour is still there. The other software I use is gpg 1.2.5, gpgme 0.9.0 and pinentry 0.7.1, with my gtk+-2.4 patch applied and using the gtk-2 version. It does reply with "ERR 111 canceled" when I press "Cancel" after GETPIN. Is this the correct behaviour, or did I make a mistake there?

Cheers, Albrecht.

--
Albrecht Dreß - Johanna-Kirchner-Straße 13 - D-53123 Bonn (Germany)
Phone (+49) 228 6199571 - mailto:albrecht.dress@arcor.de

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20040727/8bcb6b65/signature.bin

From wk at gnupg.org Tue Jul 27 19:44:14 2004
From: wk at gnupg.org (Werner Koch) Date: Tue Jul 27 20:07:07 2004 Subject: [Announce] gnupg 1.2.5 build instruction update Message-ID: <877jspfiq9.fsf@wheatstone.g10code.de> Uv, qhr gb n ceboyrz jvgu gur trggrkg vafgnyyngvba ba gur ohvyq znpuvar n yvggyr naablvat oht jvyy qvfgheo gur ohvyq cebprff bs TahCT 1.2.5 jura qbvat gur "znxr vafgnyy": ../../fpevcgf/zxvafgnyyqvef: ../../fpevcgf/zxvafgnyyqvef: Ab fhpu svyr be qverpgbel znxr[1]: *** [vafgnyy-qngn-lrf] Reebe 127 Gurer vf n fvzcyr jbexnebhaq ubjrire: Vafgrnq bs "znxr vafgnyy" hfr znxr vafgnyy zxvafgnyyqvef=`cjq`/fpevcgf/zxvafgnyyqvef naq vg fubhyq jbex nf rkcrpgrq. Nygubhtu V nyjnlf cercner qvfgevohgvbaf hfvat "znxr qvfgpurpx", V boivbhfyl sbetbg gb qb n znahny vafgnyy gb qrgrpg aba-ICNGU eryngrq ohvyq ceboyrzf. Fbzrbar fubhyq unir abgvprq naq ercbegrq guvf oht jvgu gur ynfg eryrnfr pnaqvqngr, juvpu va snpg jnf nyfb nssrpgrq ol vg. Unccl Unpxvat, Jreare -- Jreare Xbpu Gur TahCT Rkcregf uggc://t10pbqr.pbz Serr Fbsgjner Sbhaqngvba Rhebcr uggc://sfsrhebcr.bet _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From wk at gnupg.org Tue Jul 27 19:55:06 2004 
From: wk at gnupg.org (Werner Koch)
Date: Tue Jul 27 20:16:36 2004
Subject: [Announce] GnuPG 1.2.5 build instruction update
Message-ID: <873c3dfi85.fsf@wheatstone.g10code.de>

[Okay, it's not my day. I accidentally hit C-c r right before sending the mail.]

Hi,

due to a problem with the gettext installation on the build machine a little annoying bug will disturb the build process of GnuPG 1.2.5 when doing the "make install":

  ../../scripts/mkinstalldirs: ../../scripts/mkinstalldirs: No such file or directory
  make[1]: *** [install-data-yes] Error 127

There is a simple workaround however: Instead of "make install" use

  make install mkinstalldirs=`pwd`/scripts/mkinstalldirs

and it should work as expected.

Although I always prepare distributions using "make distcheck", I obviously forgot to do a manual install to detect non-VPATH related build problems. Someone should have noticed and reported this bug with the last release candidate, which in fact was also affected by it.

Salve Gnus,

Werner

--
Werner Koch
The GnuPG Experts                  http://g10code.com
Free Software Foundation Europe    http://fsfeurope.org

From md at Linux.IT Tue Jul 27 21:06:09 2004
From: md at Linux.IT (Marco d'Itri)
Date: Tue Jul 27 21:14:53 2004
Subject: [ PATCH][TESTREQ], fingerprint colorcode, V 0.3, now with all colors
In-Reply-To: <4106013D.5010001@gmx.de>
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com> <20040717004649.M26762@willy_wonka> <20040718140614.GE18366@jabberwocky.com> <4104275B.8060902@gmx.de> <20040725173638.K326@willy_wonka> <4106013D.5010001@gmx.de>
Message-ID: <20040727190609.GA15874@wonderland.linux.it>

On Jul 27, Thomas Schorpp wrote:

What about coloring the fingerprint numbers instead?

--
ciao, |
Marco | [7307 in2HMrJi4HsWI]

From t.schorpp at gmx.de Tue Jul 27 23:02:45 2004
From: t.schorpp at gmx.de (Thomas Schorpp)
Date: Tue Jul 27 23:00:31 2004
Subject: [ PATCH][TESTREQ], fingerprint colorcode, V 0.3, now with all colors
In-Reply-To: <20040727190609.GA15874@wonderland.linux.it>
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com> <20040717004649.M26762@willy_wonka> <20040718140614.GE18366@jabberwocky.com> <4104275B.8060902@gmx.de> <20040725173638.K326@willy_wonka> <4106013D.5010001@gmx.de> <20040727190609.GA15874@wonderland.linux.it>
Message-ID: <4106C2F5.2030801@gmx.de>

Marco d'Itri wrote:
| On Jul 27, Thomas Schorpp wrote:
|
| What about coloring the fingerprint numbers instead?
|

ergonomics: even harder readable. point is to verify fp by quick look.

code: affects front end guis, they must parse the escape seqs then.

From atom at suspicious.org Tue Jul 27 23:55:53 2004
From: atom at suspicious.org (Atom 'Smasher')
Date: Tue Jul 27 23:53:09 2004
Subject: [ PATCH][TESTREQ],fingerprint colorcode, V 0.2
In-Reply-To: <4105FB54.9070600@gmx.de>
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com> <20040717004649.M26762@willy_wonka> <20040718140614.GE18366@jabberwocky.com> <4104275B.8060902@gmx.de> <20040725173638.K326@willy_wonka> <4105FB54.9070600@gmx.de>
Message-ID: <20040727171322.N45133@willy_wonka>

On Tue, 27 Jul 2004, Thomas Schorpp wrote:

> Atom 'Smasher' wrote:
> | i would think this is best suited for GUI interfaces (kgpg, seahorse,
> | html keyservers, gimp plug-in, etc), not a command line interface...
>
> you are right IF you can assure highly secure interfaces and comms to
> these apps then. i like it in terminal and testers of gui apps surely
> too for verification of bugs.
=============

we accept a "non-secure" photo viewer... the problem with terminals is that some are monochrome, some display 8 colors, some display a *different* 8 colors, some display 16 colors, some display 256 colors... to even attempt that this would work on all terminals capable of displaying 16 (or more) colors would require curses, slang, or similar. even then, i'm not sure if 16 colors can all get along in the same terminal and be portable.

http://www.linuxgazette.com/issue65/padala.html

> | trying to do colors on a terminal is an uphill battle that would
> | probably require a fair amount of dependencies (curses, slang, etc) and
> | still not work everywhere. especially if someone has their terminal
> | configured to display non-standard colors.
>
> e.g.?
=============

from man terminfo(5):
can_change... terminal can redefine existing colors

AFAIK, that can be used so a terminal displays red as green, black as white, etc. sending simple control sequences would have undesired effects.

> | hhmmm... in the same way that an external photo-viewer can be specified,
> | maybe a tiny (external) app can be specified to show fingerprints?
>
> no, it should be in standard gpg gui apps.
==============

yeah, that too... not that it should be part of gpg itself (which is a command line tool), but it should be part of kgpg, seahorse, etc... but also, for someone who just uses the command line in an X session, a small app that just translates fingerprints to colors and opens a window to display a color bar.

> | how are you coordinating hex digits to colors? maybe i can whip out some
> | PHP for web based apps (aka keyservers).
>
> not correctly yet, it seems, bright isn't working:
>
> p_padala@yahoo.com:
>
> ~ [{attr};{fg};{bg}m
=====================

i don't think you have to specify bg/fg. attached is script (and screenshot) that displays boxes of colors by specifying only the bg color and displaying two spaces (0x20).

MD5 (bar) = d84cdee8b7df4a4732f986ff6e45a00d
MD5 (bar.png) = eca9bfd6af503df88abd2de3caa9a24f

it's probably not necessary to specify "^[[0m" between each color, but it certainly doesn't seem to hurt.

like any simple script that displays colors, the results will vary widely depending on what terminal you view it on.

anyway, what relationship are you trying to get between hex and colors?

...atom

_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------

"My kind of loyalty was loyalty to one's country, not to its institutions or its officeholders. The country is the real thing, the substantial thing, the eternal thing; it is the thing to watch over, and care for, and be loyal to; institutions are extraneous, they are its mere clothing, and clothing can wear out, become ragged, cease to be comfortable, cease to protect the body from winter, disease, and death."
- A Connecticut Yankee in King Arthur's Court

-------------- next part --------------
#!/bin/sh
echo "                "
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bar.png
Type: application/octet-stream
Size: 1087 bytes
Desc:
Url : /pipermail/attachments/20040727/eae79645/bar-0001.exe

From t.schorpp at gmx.de Wed Jul 28 00:58:11 2004
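One possible hex-to-color relationship for the scheme discussed in this thread, as an added example that is not the attached script or the fp-color patch. The mapping (low three bits of each digit select a background 40-47, the digit itself is printed in the cell so that n and n+8 stay distinguishable without the bright attribute), the v3/v4 border and all function names are assumptions of this sketch.

```python
import re
import sys

RESET = "\x1b[0m"
ANSI_SGR = re.compile(r"\x1b\[[0-9;]*m")
LENGTHS = {32: 3, 40: 4}     # hex digits -> key version (MD5 vs. SHA-1 fingerprint)
LIGHT_BG = {42, 43, 46, 47}  # green, yellow, cyan, white: print the digit in black

SAMPLE_V4 = "762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808"  # from the signature above
SAMPLE_V3 = "0011 2233 4455 6677 8899 AABB CCDD EEFF"            # constructed


def parse_fingerprint(text):
    """Return (key version, 32 or 40 uppercase hex digits) or raise ValueError."""
    digits = re.sub(r"[\s:]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]+", digits):
        raise ValueError("fingerprint contains non-hex characters")
    if len(digits) not in LENGTHS:
        raise ValueError("expected 32 (v3) or 40 (v4) hex digits, got %d" % len(digits))
    return LENGTHS[len(digits)], digits


def cell(digit):
    """One box: ESC[{attr};{fg};{bg}m, the digit, a space, then a reset."""
    bg = 40 + (int(digit, 16) & 7)
    fg = 30 if bg in LIGHT_BG else 37
    return "\x1b[0;%d;%dm%s %s" % (fg, bg, digit, RESET)


def color_bar(text, color=True):
    """Bordered bar; the v3/v4 label and '|' edges make the length unambiguous."""
    version, digits = parse_fingerprint(text)
    body = "".join(cell(d) if color else d + " " for d in digits)
    return "v%d |%s|" % (version, body)


def strip_ansi(s):
    """What a front end has to do before comparing or copying the digits."""
    return ANSI_SGR.sub("", s)


if __name__ == "__main__":
    # Emit escape sequences only when writing to a terminal.
    for fp in (SAMPLE_V4, SAMPLE_V3):
        print(color_bar(fp, color=sys.stdout.isatty()))
```

The colors are only a quick visual aid; because the terminal decides how 40-47 are rendered, the printed digits remain the value to compare.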
From: t.schorpp at gmx.de (Thomas Schorpp)
Date: Wed Jul 28 00:55:55 2004
Subject: [ PATCH][TESTREQ],fingerprint colorcode, V 0 .3 (!)
In-Reply-To: <20040727171322.N45133@willy_wonka>
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com> <20040717004649.M26762@willy_wonka> <20040718140614.GE18366@jabberwocky.com> <4104275B.8060902@gmx.de> <20040725173638.K326@willy_wonka> <4105FB54.9070600@gmx.de> <20040727171322.N45133@willy_wonka>
Message-ID: <4106DE03.2070900@gmx.de>

Atom 'Smasher' wrote:
| On Tue, 27 Jul 2004, Thomas Schorpp wrote:
|
|>> Atom 'Smasher' wrote:
|
|
| we accept a "non-secure" photo viewer...

human brains can distinguish clearly between (known) faces, so security is less relevant, but not for providing abstract coded fingerprints.

~ the problem with terminals is
| that some are monochrome, some display 8 colors, some display a
| *different* 8 colors, some display 16 colors, some display 256 colors...
| to even attempt that this would work on all terminals capable of
| displaying 16 (or more) colors would require curses, slang, or similar.
| even then, i'm not sure if 16 colors can all get along in the same
| terminal and be portable.
|
| http://www.linuxgazette.com/issue65/padala.html

yes, youre right, bad analysis from me, sorry, im glad a very experienced unixer like you is here.
ive thought about curses before, but we cant bloat up gnupg that way, can we? so ive abandoned it so far.

| from man terminfo(5):
| can_change... terminal can redefine existing colors

yes, ive seen it before too. but surely this can be queried and adopted to from runtime (or setup).

|
| AFAIK, that can be used so a terminal displays red as green, black as
| white, etc. sending simple control sequences would have undesired effects.
|

maybe on one systems entity it should be consistent but communicating between different systems or even x/term clients would be out then, not o.k..
a critical requirement would be not met then.

|
|
|>> | hhmmm... in the same way that an external photo-viewer can be
|>> specified,
|>> | maybe a tiny (external) app can be specified to show fingerprints?
|>>
|>> no, it should be in standard gpg gui apps.
|
| ==============
|
| yeah, that too... not that it should be part of gpg itself (which is a
| command line tool), but it should be part of kgpg, seahorse, etc... but
| also, for someone who just uses the command line in an X session, a
| small app that just translates fingerprints to colors and opens a window
| to display a color bar.
|

yes, sure, this is all free software here, as i understood, nobody needs to wait for my implementations, im only holding the basic "idea".

|>> ~ [{attr};{fg};{bg}m
|
| =====================
|
| i don't think you have to specify bg/fg. attached is script (and
| screenshot) that displays boxes of colors by specifying only the bg
| color and displaying two spaces (0x20).
|
| MD5 (bar) = d84cdee8b7df4a4732f986ff6e45a00d
| MD5 (bar.png) = eca9bfd6af503df88abd2de3caa9a24f
|
| it's probably not necessary to specify "^[[0m" between each color, but
| it certainly doesn't seem to hurt.
|

yes right, ive discovered this too, yesterday.

| like any simple script that displays colors, the results will vary
| widely depending on what terminal you view it on.

not discovered on my terms yet, but surely in remote fp verification.
... and blue and cyan look critical identical on my display, but collisions on misinterpretation should be rare.
but printing multiple fps out on one terminal you can clearly distinguish or verify with one quick look now, that has been my primary target of requirements... and met.
many thanks for your work (as you make me do mine ;)

|
| anyway, what relationship are you trying to get between hex and colors?

? your and padalas colorcode tables.

|
|
| ...atom

y
tom

p.s.: im on holidays from 3rd of august (if no wireless ap is in range, at least ;)

From atom at suspicious.org Wed Jul 28 01:38:03 2004
From: atom at suspicious.org (Atom 'Smasher')
Date: Wed Jul 28 01:35:06 2004
Subject: [ PATCH][TESTREQ],fingerprint colorcode, V 0 .3 (!)
In-Reply-To: <4106DE03.2070900@gmx.de>
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com> <20040717004649.M26762@willy_wonka> <20040718140614.GE18366@jabberwocky.com> <4104275B.8060902@gmx.de> <20040725173638.K326@willy_wonka> <4105FB54.9070600@gmx.de> <20040727171322.N45133@willy_wonka> <4106DE03.2070900@gmx.de>
Message-ID: <20040727192809.U45133@willy_wonka>

On Wed, 28 Jul 2004, Thomas Schorpp wrote:

> Atom 'Smasher' wrote:
> | anyway, what relationship are you trying to get between hex and colors?
>
> ? your and padalas colorcode tables.
=================

so this seems good?

0 Black
1 Red
2 Green
3 Yellow
4 Blue
5 Purple
6 Cyan
7 Grey
8 Dark Grey
9 Bright Red
A Bright Green
B Bright Yellow
C Bright Blue
D Bright Purple
E Bright Cyan
F White

can anyone think of a reason why there might be a better way to coordinate colors to hex digits?

...atom

_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------

"America may be the best country in the world, but that's kind of like being the valedictorian of summer school."
-- Dennis Miller

From t.schorpp at gmx.de Wed Jul 28 02:26:28 2004
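The hex-digit-to-colour table proposed in Atom's message above, combined with the background-only, two-space cell approach described earlier in the thread, written out as an added shell example (not code from the thread or from GnuPG). The function names are made up for this example, and the bright colours assume a terminal that accepts SGR background codes 100-107.

```shell
#!/bin/sh
# Added example, not from the thread. Digit order follows the proposed table.
# Assumption: the terminal honours SGR backgrounds 40-47 and the
# aixterm-style bright backgrounds 100-107; not every terminal does.

# Print the SGR background code for one hex digit; fail on anything else.
hex_to_sgr() {
    case "$1" in
        [0-7]) echo $((40 + $1)) ;;          # 0 black ... 7 grey
        8|9)   echo $((100 + $1 - 8)) ;;     # 8 dark grey, 9 bright red
        [Aa])  echo 102 ;; [Bb]) echo 103 ;; # bright green, bright yellow
        [Cc])  echo 104 ;; [Dd]) echo 105 ;; # bright blue, bright purple
        [Ee])  echo 106 ;; [Ff]) echo 107 ;; # bright cyan, white
        *)     return 1 ;;
    esac
}

# Print the space-separated SGR codes for a fingerprint (blanks ignored).
# Fails on an empty string or any non-hex character, so a mistyped
# fingerprint is rejected instead of being drawn with cells missing.
fpr_to_codes() {
    fpr=$(printf '%s' "$1" | tr -d ' ')
    [ -n "$fpr" ] || return 1
    codes=""
    while [ -n "$fpr" ]; do
        rest=${fpr#?}
        digit=${fpr%"$rest"}
        code=$(hex_to_sgr "$digit") || return 1
        codes="$codes${codes:+ }$code"
        fpr=$rest
    done
    printf '%s\n' "$codes"
}

# Draw the bar: per digit, set the background, print two spaces, reset.
fpr_colorbar() {
    bar_codes=$(fpr_to_codes "$1") || { echo "not a hex fingerprint" >&2; return 1; }
    for c in $bar_codes; do
        printf '\033[%sm  \033[0m' "$c"
    done
    printf '\n'
}

# Demo with the fingerprint printed in the signature block above.
fpr_colorbar "762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808"
```

Two bars printed one under the other on the same terminal can be compared at a glance; bars rendered on different terminals may not match, which is the portability concern raised in the thread.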
From: t.schorpp at gmx.de (Thomas Schorpp)
Date: Wed Jul 28 02:24:21 2004
Subject: [ PATCH][TESTREQ],fingerprint colorcode, V 0 .3 (!)
In-Reply-To: <20040727192809.U45133@willy_wonka>
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com> <20040717004649.M26762@willy_wonka> <20040718140614.GE18366@jabberwocky.com> <4104275B.8060902@gmx.de> <20040725173638.K326@willy_wonka> <4105FB54.9070600@gmx.de> <20040727171322.N45133@willy_wonka> <4106DE03.2070900@gmx.de> <20040727192809.U45133@willy_wonka>
Message-ID: <4106F2B4.5090403@gmx.de>

Atom 'Smasher' wrote:
| On Wed, 28 Jul 2004, Thomas Schorpp wrote:
|
|>> Atom 'Smasher' wrote:
|
|
|>> | anyway, what relationship are you trying to get between hex and colors?
|>>
|>> ? your and padalas colorcode tables.
|
| =================
|
| so this seems good?
|
| 0 Black
| 1 Red
| 2 Green
| 3 Yellow
| 4 Blue
| 5 Purple
| 6 Cyan
| 7 Grey
| 8 Dark Grey
| 9 Bright Red
| A Bright Green
| B Bright Yellow
| C Bright Blue
| D Bright Purple
| E Bright Cyan
| F White
|
| can anyone think of a reason why there might be a better way to
| coordinate colors to hex digits?
|

from my coding habits view ;)

and yes, you ask what you know already, humans would like to have color steps grouped to similar hex steps:

...
| 1 Red
| 2 Bright Red
...

but i fear what makes real sense as requirement here is more to cryptographics science than ergonomics and coding...
therefore weve the analyses rather here and not yet on the kgpg, eg. devel list.

|
| ...atom

From atom at suspicious.org Wed Jul 28 05:46:50 2004
From: atom at suspicious.org (Atom 'Smasher')
Date: Wed Jul 28 05:43:49 2004
Subject: [ PATCH][TESTREQ],fingerprint colorcode, V 0 .3 (!)
In-Reply-To: <4106F2B4.5090403@gmx.de>
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com> <20040717004649.M26762@willy_wonka> <20040718140614.GE18366@jabberwocky.com> <4104275B.8060902@gmx.de> <20040725173638.K326@willy_wonka> <4105FB54.9070600@gmx.de> <20040727171322.N45133@willy_wonka> <4106DE03.2070900@gmx.de> <20040727192809.U45133@willy_wonka> <4106F2B4.5090403@gmx.de>
Message-ID: <20040727233702.R45133@willy_wonka>

On Wed, 28 Jul 2004, Thomas Schorpp wrote:

> and yes, you ask what you know already, humans would like to have color
> steps grouped to similar hex steps:
>
> ...
> | 1 Red
> | 2 Bright Red
> ...
>
> but i fear what makes real sense as requirement here is more to
> cryptographics science than ergonomics and coding...
=======================

with only 16 colors to deal with, ergonomics can take priority over ease of coding. if it doesn't work well ergonomically, then it won't provide a security benefit.

the real question should be, "does it make a difference how we relate hex digits to colors?"

assuming a more-or-less random distribution of hex digits throughout a fingerprint, and the foreseeable use of holding two instances of a color bar next to each other for comparison, does it make any difference (in an ergonomic sense) what hex digit corresponds to what color?

intuitively, i'd say that it doesn't make a difference... but someone with a degree in ergonomics may have a great reason for using a particular arrangement.

does anyone here know anyone with a degree in ergonomics?

...atom

_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------

"They do not bear arms, and do not know them, for I showed them a sword, they took it by the edge and cut themselves out of ignorance. They have no iron. Their spears are made of cane... They would make fine servants... With fifty men we could subjugate them all and make them do whatever we want."
-- Christopher Columbus, after "Discovering America"

From bfriesen at simple.dallas.tx.us Wed Jul 28 06:00:07 2004
From: bfriesen at simple.dallas.tx.us (Bob Friesenhahn)
Date: Wed Jul 28 05:59:31 2004
Subject: libgcrypt/tests/Makefile.am patch
Message-ID:

Libgcrypt does not completely build under Solaris due to a missing Makefile.am library dependency. The attached patch solves the problem.

Bob

Index: tests/Makefile.am =================================================================== RCS file: /cvs/gnupg/libgcrypt/tests/Makefile.am,v retrieving revision 1.16 diff -u -u -r1.16 Makefile.am --- tests/Makefile.am 3 Mar 2004 08:08:05 -0000 1.16 +++ tests/Makefile.am 28 Jul 2004 03:54:43 -0000 
@@ -21,7 +21,7 @@ TESTS = prime register ac basic tsexp keygen pubkey benchmark INCLUDES = -I$(top_srcdir)/src -LDADD = ../src/libgcrypt.la +LDADD = ../src/libgcrypt.la ../cipher/libcipher.la EXTRA_PROGRAMS = testapi noinst_PROGRAMS = $(TESTS) 

From t.schorpp at gmx.de Wed Jul 28 19:40:33 2004
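Review bot: on the tests/Makefile.am patch above, the new `+LDADD` line links every program listed in `TESTS`, and `testapi` from `EXTRA_PROGRAMS`, against `../cipher/libcipher.la` in addition to `../src/libgcrypt.la`, but the message only says the Solaris build fails because of "a missing Makefile.am library dependency" and does not name the test program or the unresolved symbols. Please add that detail to the submission so the fix can be checked: if a single test needs symbols from the cipher directory, a per-program `_LDADD` for that test would leave the others linking against `libgcrypt.la` alone, and if the symbols are expected to come from `libgcrypt.la` itself, the dependency probably belongs where that library is built and not in the tests. A short comment above the `LDADD` line stating why the second library is needed would also help the next person who touches it.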
From: t.schorpp at gmx.de (Thomas Schorpp)
Date: Wed Jul 28 19:38:25 2004
Subject: links to ergonomics groups
In-Reply-To: <20040727233702.R45133@willy_wonka>
References: <40F7F4A5.4000109@gmx.de> <20040716155249.GC13525@jabberwocky.com> <20040717004649.M26762@willy_wonka> <20040718140614.GE18366@jabberwocky.com> <4104275B.8060902@gmx.de> <20040725173638.K326@willy_wonka> <4105FB54.9070600@gmx.de> <20040727171322.N45133@willy_wonka> <4106DE03.2070900@gmx.de> <20040727192809.U45133@willy_wonka> <4106F2B4.5090403@gmx.de> <20040727233702.R45133@willy_wonka>
Message-ID: <4107E511.2070005@gmx.de>

Atom 'Smasher' wrote:

| does anyone here know anyone with a degree in ergonomics?
|

sorry, my friends are contract prohibited to assist in here.

how about those people?

http://www.hcibib.org/hci-sites/MAIL.html

theres a newsgroup, too.

|
| ...atom
|

y
tom

From douglist at anize.org Fri Jul 30 20:35:42 2004
From: douglist at anize.org (Douglas F. Calvert)
Date: Mon Aug 2 16:17:43 2004
Subject: Feature Request: More output on signature
In-Reply-To: <20040522134540.GB13121@jabberwocky.com>
References: <20040522134540.GB13121@jabberwocky.com>
Message-ID: <1091212542.12601.63.camel@liberate>

On Sat, 2004-05-22 at 09:45 -0400, David Shaw wrote:
> This release brings development even closer to a good point for 1.4.
> If there is something that you do not like here, be it a missing
> feature, a UI choice, or, well, anything, now is the time to speak up.
> Once 1.3.x becomes the new stable, large changes will be unlikely.
> While we obviously cannot guarantee that every suggestion will be
> included, they will all be looked at.

I would like to see an option that made gpg print out more information during signature verifications. When keys are q, m or f trusted I would like to be able to discern what the trust path looks like. I am not exactly sure what I would want it to look like, this is the hard part. Anyone else have any thoughts on this?

Also it would be nice to have gpg notify users if there is a new key preference that they should set. I generated my keys pre-MDC I was unaware that this feature was added until I started digging around in the prefs. This would have been a nice time to educate users on MDC and increase the number of keys that had this option set.

--
--
Douglas F. Calvert
This is my mailing list account.
Real Email: dfc@anize.org
Spam Inbox: maudet@anize.org