From hmujtaba at forumsys.com Wed Dec 1 00:23:33 2004 From: hmujtaba at forumsys.com (Hasnain Mujtaba) Date: Wed Dec 1 00:20:33 2004 Subject: To sign a .jar with PGP Message-ID: <4DCE15B9C4E66F4CA967EBF64C53D64D190484@bstn-exch1.forumsys.com> Take a look at BouncyCastle's Java OpenPGP provider (www.bouncycastle.org). It explains with examples how to sign files using PGP keys. And it might even give you a PGP to X.509 converter class which you can use to store your PGP keys in a Java KeyStore. Hasnain. -----Original Message----- From: gnupg-users-bounces@gnupg.org [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of Nicolas BONARDELLE Sent: Tuesday, November 30, 2004 4:58 PM To: gnupg-users@gnupg.org Subject: To sign a .jar with PGP Hi list, I'm thinking about using Jar in a Java application I'm coding. Not only as an archiving means, but also because it can be signed easily. To make the long story short, the Jar archive would contain a text file, and would be signed by everyone who enters in its possession and agrees with the content of the text file. The signer would then distribute the newly signed Jar to others. Since I can't ask every user to get a X.509 certificate, the idea is to sign the .jar with their PGP key by following exactly the Jar and Manifest specifications (http://java.sun.com/j2se/1.4.2/docs/guide/jar/jar.html). Those specs tell us that PKCS7 RSA, PKCS7 DSA and PGP are supported by default, and even that one can use its own algorithm. However, I have a few problems : 1- I can't find any live example of Jar signed with PGP 2- can't even any info about doing it programmatically 3- the 'keytool' util (with Sun's jdk) don't want to import my PGP keys in the .keystore (even if I ask him very kindly) so I can use it with the 'jarsigner' util :-[ So, a few questions that may protect me from doing naughty things : 1- am I totally nuts to want to do this ? 2- do you know a way to intrude my PGP key in the evil .keystore ? 3- do you know some application on the web (and open source preferably) using PGP to sign Jar archives ? cheers, cbonar _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From Mike.Edwards at ega.com Wed Dec 1 15:50:20 2004 From: Mike.Edwards at ega.com (Mike Edwards) Date: Wed Dec 1 15:46:53 2004 Subject: Group use of keys Message-ID: <41ADDA2C.3070702@ega.com> There was some subscription snafu with this list and I was wondering if it was just very low traffic! I checked out the archives yesterday and saw that my post had been answered. Thanks to everyone that helped me out. I guess I have only scratched the surface using gpg and it was helpful to get a better understanding of what can/should be done--in a way that a man page can't. atom: Our customers are using PGP because of the HIPPA laws and their customers' privacy concerns in general. Some make us use laborious methods such as DHL electronic file shipping and the like, but we prefer to get encrypted files over FTP. Really allows for easier automation. Thanks again! Mike -- Mike Edwards, MIS Edwards Graphic Arts 2700 Bell Ave Des Moines, IA 50321 voice: 515.280.9765 x128 fax: 515.280.9631 e-mail: Mike dot Edwards at ega dot com From cbonar at gmail.com Wed Dec 1 21:15:26 2004 From: cbonar at gmail.com (Nicolas BONARDELLE) Date: Wed Dec 1 21:12:22 2004 Subject: To sign a .jar with PGP In-Reply-To: <4DCE15B9C4E66F4CA967EBF64C53D64D190484@bstn-exch1.forumsys.com> References: <4DCE15B9C4E66F4CA967EBF64C53D64D190484@bstn-exch1.forumsys.com> Message-ID: <200412012115.30089.cbonar@gmail.com> > Take a look at BouncyCastle's Java OpenPGP provider > (www.bouncycastle.org). It explains with examples how to sign files > using PGP keys. And it might even give you a PGP to X.509 converter > class which you can use to store your PGP keys in a Java KeyStore. > > Hasnain. > thank you, I'll check this out ++ From chd at chud.net Thu Dec 2 00:40:44 2004 From: chd at chud.net (Chris De Young) Date: Thu Dec 2 00:37:15 2004 Subject: Clarification on how revokation works Message-ID: <41AE567C.7080601@chud.net> Hi, This is probably a dumb question, but I just want to clarify how key revokation works... Am I correct in thinking that really only the public key of a key pair is what is revoked? (Though the secret key isn't all that useful without the public key being valid, of course.) We have, in addition to people's individual keys, a shared key used for sending encrypted material to a group of people. Each member of the group received a copy of the secret key with a temporary passphrase, then (presumably) changed the passphrase to something of their own. Any member of the group with the secret key can revoke that key, effectively for everyone - right? At a basic level, revoking a key is really just a matter of creating a signed statement saying "this key is no longer valid," yes? Thanks, -Chris -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 256 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20041201/a8656af1/signature.bin From dshaw at jabberwocky.com Thu Dec 2 00:57:43 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Dec 2 00:54:52 2004 Subject: Clarification on how revokation works In-Reply-To: <41AE567C.7080601@chud.net> References: <41AE567C.7080601@chud.net> Message-ID: <20041201235743.GD17258@jabberwocky.com> On Wed, Dec 01, 2004 at 04:40:44PM -0700, Chris De Young wrote: > Hi, > > This is probably a dumb question, but I just want to clarify how key > revokation works... > > Am I correct in thinking that really only the public key of a key pair is > what is revoked? (Though the secret key isn't all that useful without the > public key being valid, of course.) Yes. The secret key at that point is only useful for decrypting things that were encrypted before the key was revoked. > We have, in addition to people's individual keys, a shared key used for > sending encrypted material to a group of people. Each member of the group > received a copy of the secret key with a temporary passphrase, then > (presumably) changed the passphrase to something of their own. > > Any member of the group with the secret key can revoke that key, > effectively for everyone - right? Yes. > At a basic level, revoking a key is really just a matter of creating a > signed statement saying "this key is no longer valid," yes? Yes. And note that it's possible (though very difficult in practice) to unrevoke a key by removing that statement. I assume you are speaking about revoking a whole key here. It is also possible to revoke a subkey and a user ID. David From sist.mex at ovoplus.com Wed Dec 1 22:56:28 2004 From: sist.mex at ovoplus.com (Lorenzo Maldonado M.) Date: Thu Dec 2 01:17:06 2004 Subject: GPGRelay and outlook 2000 Message-ID: <20041201215537.3AF1151696@mail.ovoplus.com> Hi! I'm trying to use gpgrelay0.955 with outlook 2000 and gpg 1.2.5 to encrypt and decrypt mails. 1. When I send an encrypt mail from mozilla with any attachment in PGP/MIME, GPGRelay doesn't decrypt the mail, and outlook cannot see the messages. 2. When I send a encrypt mail from outlook to mozilla, mozilla crash and cannot see the message (mozilla1.7.3, enigmail0.84.0) Do you can help me? Thanks! From tschia at spymac.com Thu Dec 2 09:42:46 2004 From: tschia at spymac.com (tschia@spymac.com) Date: Thu Dec 2 09:39:16 2004 Subject: Protecting Private key Message-ID: <41AF5416.26523.1D78867@localhost> Hi I am new to gpg. It seem to me obtaing the private key is very simple. All you need is to execute gpg -ao tsPub.ky --export NNNNN Are there alternative to protect the private. E.g. a user can retrieve the private key provided he/she knows the Passphrase. Cheers TS From eocsor at gmail.com Thu Dec 2 10:49:47 2004 From: eocsor at gmail.com (Roscoe) Date: Thu Dec 2 10:46:25 2004 Subject: Protecting Private key In-Reply-To: <41AF5416.26523.1D78867@localhost> References: <41AF5416.26523.1D78867@localhost> Message-ID: Well, the secret key is passwd protected. You might want to try importing and using gpg -ao tsPub.ky --export NNNNN on another box/user_account and see for yourself that it the exported secret key is useless without the passwd to it.. (heh, this is the first time I've used a mailing list so if this goes horribly wrong...sorry. I did try to not stuff up.) On Thu, 02 Dec 2004 17:42:46 +0900, tschia@spymac.com wrote: > Hi > I am new to gpg. It seem to me obtaing the private key is very simple. > > All you need is to execute > gpg -ao tsPub.ky --export NNNNN > > Are there alternative to protect the private. E.g. a user can retrieve the private key > provided he/she knows the Passphrase. > > Cheers > TS > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From jgentil at sebistar.net Thu Dec 2 16:47:49 2004 From: jgentil at sebistar.net (Jon-Pierre Gentil) Date: Thu Dec 2 16:44:22 2004 Subject: GPGRelay and outlook 2000 In-Reply-To: <20041201215537.3AF1151696@mail.ovoplus.com> References: <20041201215537.3AF1151696@mail.ovoplus.com> Message-ID: <41AF3925.6070707@sebistar.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Lorenzo Maldonado M. wrote: > 1. When I send an encrypt mail from mozilla with any attachment in > PGP/MIME, GPGRelay doesn't decrypt the mail, and outlook cannot see the > messages. > > 2. When I send a encrypt mail from outlook to mozilla, mozilla crash and > cannot see the message (mozilla1.7.3, enigmail0.84.0) You may want to View Source on the email to inspect what could be at fault. And, if at all possible, upgrade your Mozilla Mail to the latest version of Mozilla Thunderbird with the latest version of Enigmail. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) iEYEAREDAAYFAkGvOSUACgkQOrVFmaIbww6dWgCeJBxTSmPwHA/kP8lYEBPRANUW WpYAn0N+avb3kNBf6YlJhjth6Cumpq4B =awZV -----END PGP SIGNATURE----- From grnbrg at gmail.com Thu Dec 2 18:18:11 2004 From: grnbrg at gmail.com (Brian Greenberg) Date: Thu Dec 2 18:15:11 2004 Subject: Protecting Private key In-Reply-To: <41AF5416.26523.1D78867@localhost> References: <41AF5416.26523.1D78867@localhost> Message-ID: <2f30f34504120209183b4ab495@mail.gmail.com> On Thu, 02 Dec 2004 17:42:46 +0900, tschia@spymac.com wrote: > Hi > I am new to gpg. It seem to me obtaing the private key is very simple. > > All you need is to execute > gpg -ao tsPub.ky --export NNNNN > > Are there alternative to protect the private. E.g. a user can retrieve the private key > provided he/she knows the Passphrase. Keep in mind that for something like this to work for an attacker, they must have read rights to your secret keyring. The fact that read rights to such a file is quite easy to get (ie: Anyone with Admin rights) is why there is a passphrase. Further, "gpg -ao tsPub.ky --export NNNNN" exports the *public* key, in ASCII format. To export a secret key, one needs to do: gpg -ao tsSec.ky --export-secret-keys NNNNN Of course, all this does is give an ASCII formatted version of the secret keyring. While this information is sensitive, it's not very useful without the passphrase for the secret key. If an attacker can get both, then they can use the key as easily as you. This is why the paranoid will keep their secret keys on removable media. Brian. (GnuPG novice) -- Brian Greenberg grnbrg@gmail.com From cwsiv at keepandbeararms.com Thu Dec 2 23:19:42 2004 From: cwsiv at keepandbeararms.com (Carl William Spitzer IV) Date: Thu Dec 2 23:18:35 2004 Subject: can receive, but not send, encrypted e-mail In-Reply-To: <419FB789.9080400@iname.com> References: <419FB789.9080400@iname.com> Message-ID: <1102022348.3877.6.camel@linux.site> On Sat, 2004-11-20 at 13:30, Roger E. Rustad, Jr. wrote: > I just recently installed Enigmail/GnuPG on Thunderbird/Windows 2000. > > I can receive encrypted mail from people, but I can't send out encrypted > e-mail. When I check the "encrypted" option, it still sends it out in > lear text. Not sure what I might be doing wrong... Since no one else has answered Ill take a wack at the problem. first are you trying for inline or attached signatures? Inline being the more universal hence my use of kgpg in kde when I need encryption. Can you encrypt messages with the Enigmail front end if you cut and paste into its editor? -- _______ _______ _______ __ / ____\ \ / / ____|_ _\ \ / / | | \ \ /\ / / (___ | | \ \ / / | | \ \/ \/ / \___ \ | | \ \/ / | |____ \ /\ / ____) |_| |_ \ / \_____| \/ \/ |_____/|_____| \/ From cwsiv at keepandbeararms.com Thu Dec 2 23:20:18 2004 From: cwsiv at keepandbeararms.com (Carl William Spitzer IV) Date: Thu Dec 2 23:20:09 2004 Subject: Creation of encrypted virtual drives - Linux In-Reply-To: <4198790A.9000809@nebula.co.za> References: <4198790A.9000809@nebula.co.za> Message-ID: <1102022665.3877.12.camel@linux.site> On Mon, 2004-11-15 at 01:38, Rory McKinley wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi List > > I was wondering if there is way to do create an encrypted "virtual > drive" in Linux, similar to what PGP Desktop does in Windows, using my > private key? > > The only options i hav seen so far involve mountloop (oh no not another > long password to remember) or recompiling the kernel (and I am way too > much of a Linux newbie to do that. What you seem to want is a ramdisk something existing since the days of 16bit DOS. Distro? How much memory? How much Harddrive and how is it partitioned? Why not an encrypted partition? In Suse you have the option to create one at install time. Does your local university have a linux group? -- o _______________________________ o _____ | CWSIV@KeepAndBearArms.com | .][__n_n_|DD[ ====_____ | M A R K L I N T R A I N S | > (________|__|_[_________]_|___________________________| _/oo OOOOO oo` ooo ooo 'o!o!o o!o!o` From cwsiv at keepandbeararms.com Thu Dec 2 23:21:21 2004 From: cwsiv at keepandbeararms.com (Carl William Spitzer IV) Date: Thu Dec 2 23:20:21 2004 Subject: Failed installation test of GnuPG In-Reply-To: <41A8E079.405@copper.net> References: <41A8E079.405@copper.net> Message-ID: <1102022894.3877.15.camel@linux.site> On Sat, 2004-11-27 at 12:15, SnoopeReva@copper.net wrote: > To Whom It May Concern: > > So I have very patiently spent most of this day following the > installation directions for GnuPG; and, now that I go to test its > installation the command prompt window says: > > 'gpg is not recognized as an internal or external command, operable > program or batch file. Must be a windows error? In DOS/Windows and later the program must be in your path. -- o _______________________________ o _____ | CWSIV@KeepAndBearArms.com | .][__n_n_|DD[ ====_____ | M A R K L I N T R A I N S | > (________|__|_[_________]_|___________________________| _/oo OOOOO oo` ooo ooo 'o!o!o o!o!o` From ussenterprise at babylonfarms.com Fri Dec 3 05:52:14 2004 From: ussenterprise at babylonfarms.com (Troy) Date: Fri Dec 3 18:19:29 2004 Subject: newbie would like more info on waring in g-w32cli-1.3.92 Message-ID: <000c01c4d8f3$dffba500$1b41030a@Troy> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I've looked through the archives and found no answers ( I realize I could of missed it so please be kind ) Is version 1.3.92 a version that should be used or should a newbie be using a previous version until 1.4 is released? NOTE: THIS IS A DEVELOPMENT VERSION! It is only intended for test purposes and should NOT be used in a production environment or with production keys! what are the reprocusions of using 1.3.92 learning as I go....... Thanks Troy -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.3.92 (MingW32) - GPGOE 0.4.1 iD8DBQFBr/D+cPM7Cmq3BssRAr2PAKCkZX5NJBJIJqaexxbfB6eaaDN3JQCfV5uJ zRxGpOFSos2Bfj5kk9o+FaQ= =EtMX -----END PGP SIGNATURE----- From johnmoore3rd at joimail.com Fri Dec 3 19:35:36 2004 From: johnmoore3rd at joimail.com (John Moore) Date: Fri Dec 3 19:32:25 2004 Subject: newbie would like more info on waring in g-w32cli-1.3.92 In-Reply-To: <000c01c4d8f3$dffba500$1b41030a@Troy> References: <000c01c4d8f3$dffba500$1b41030a@Troy> Message-ID: <41B0B1F8.7040800@joimail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Troy wrote: | | I've looked through the archives and found no answers ( I realize I | could of missed it so please be kind ) | | Is version 1.3.92 a version that should be used or should a newbie be | using a previous version until 1.4 is released? | | NOTE: THIS IS A DEVELOPMENT VERSION! | It is only intended for test purposes and should NOT be | used in a production environment or with production keys! | | what are the reprocusions of using 1.3.92 | | | learning as I go....... | Thanks | Troy | If you're just beginning to use GnuPG I would suggest version 1.2.6 since it is the last "stable" release. While I have personally had no problems with 1.3.92, Command Line use does have a learning curve and a stable release would probably make it easier to determine whether a problem was with you or something in the version code. Should you decide to remain with 1.3.92 (as I assume it's installed now) I do recommend that you maintain a Keyring back-up "just in case." I do not know which O/S you are using, but if it's M$ Windows I generally steer new people to the Nullify version (1.2.3nrl) as it may be downloaded with a Windows installer. Personally I find command line very easy once one is familiar with it; however preferences vary. You should also look into a "frontend" for GnuPG on a Windows box. My preference there is GPG Shell, but many others prefer WinPT. JOHN :) - -- "Some people spend an entire lifetime wondering if they made a ~ difference in the world. But, the Marines don't have that problem." ~ - Ronald Reagan, President of the United States; 1985 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.3.92 (MingW32) Comment: Public Key at: http://tinyurl.com/5ztc6 Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD4DBQFBsLH1nCmZhrerneURAphJAJd448drA8uqgcjAC1MgvivcgRMxAJ9SSP8X wPgZ9DlQV0xQgfk4sRbVHg== =qiJh -----END PGP SIGNATURE----- From ramon at jonjay.com Sat Dec 4 19:31:43 2004 From: ramon at jonjay.com (Ramon F Herrera) Date: Mon Dec 13 16:33:35 2004 Subject: How to decide which private key to use? Message-ID: <41B2028F.4090607@jonjay.com> I am using the GPGme library to write a program that will decrypt files. The files to be decrypted are encrypted with exactly one out of of three keys. When I decrypt those files interactively, gpg shows me what key was used and I type the passphrase corresponding to that particular key. The problem is, I am not sure how to do that within a program: - should I keep on trying the 3 private keys (passphrases) until one of them works? (trial and error) or: - is there any way to request the key from the file, in advance, and use the corresponding passphrase? TIA, -Ramon F Herrera From linux at codehelp.co.uk Tue Dec 7 01:10:31 2004 From: linux at codehelp.co.uk (Neil Williams) Date: Mon Dec 13 16:34:14 2004 Subject: How to decide which private key to use? In-Reply-To: <41B2028F.4090607@jonjay.com> References: <41B2028F.4090607@jonjay.com> Message-ID: <200412070010.34585.linux@codehelp.co.uk> On Saturday 04 December 2004 6:31 pm, Ramon F Herrera wrote: > I am using the GPGme library to write a program that > will decrypt files. The files to be decrypted are > encrypted with exactly one out of of three keys. If one machine is decrypting all messages, why not have one passphrase for all three keys? Why use three keys? The machine running the program has to be secure - otherwise you are exposing three keys to compromise instead of just one. Any time you store passphrases for an automated process, it's as bad as having no passphrase at all. Anyone who gains access to the machine can locate the stored passphrase and the secret key file. You wouldn't put a file 'root-password.txt' in your user directory. -- Neil Williams ============= http://www.codehelp.co.uk/ http://www.dclug.org.uk/ http://www.isbn.org.uk/ http://sourceforge.net/projects/isbnsearch/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20041207/293b3963/attachment-0001.bin From rmalayter at bai.org Tue Dec 7 18:45:58 2004 From: rmalayter at bai.org (Ryan Malayter) Date: Mon Dec 13 16:34:54 2004 Subject: How to decide which private key to use? Message-ID: <792DE28E91F6EA42B4663AE761C41C2A034B0FC7@cliff.bai.org> [Neil Williams] > > Any time you store passphrases for an automated process, it's > as bad as having > no passphrase at all. Anyone who gains access to the machine > can locate the > stored passphrase and the secret key file. Unless, of course, you use a good code-obfuscation tool to munge the program that stores a hard-coded passphrase and passes it to GnuPG. Using code obfuscation is marginally more secure than no passphrase from a practical standpoint, but not from a theoretical one. Still, decompiling and picking apart obfuscated and string-encrypted code from a tool like Preemptive's DashO is another hurdle for the attacker to go through, and may give you that much more time to notice that your server has been compromised and take remedial action. From Don.Ferguson at mitchell.com Wed Dec 8 00:40:31 2004 From: Don.Ferguson at mitchell.com (Don Ferguson) Date: Mon Dec 13 16:35:44 2004 Subject: Signature in Attachment Message-ID: <601E1B8E735FBF4FA07BB6DBCF8F480B498B9A@mail60nt.mitchell.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Many of the messages going to this mailing list also have digital signatures. I have no problem verifying the signatures that are clear signed; however, those messages with an attached signature always fail the verification. Can someone tell me the procedure to verify a signature for an email message when it is in an attachment? Thanks! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (MingW32) - GPGshell v3.23 iD8DBQFBtj8RqxAsVB/zfWkRAodpAJ4x+iW5PvjAJ7mi68hBNqwOd3ZvqACfX0RS z7x8HQ1FaEEOeA1LxVPBFxM= =4KdV -----END PGP SIGNATURE----- From linux at thorstenhau.de Wed Dec 8 00:49:23 2004 From: linux at thorstenhau.de (Thorsten Haude) Date: Mon Dec 13 16:35:46 2004 Subject: Signature in Attachment In-Reply-To: <601E1B8E735FBF4FA07BB6DBCF8F480B498B9A@mail60nt.mitchell.com> References: <601E1B8E735FBF4FA07BB6DBCF8F480B498B9A@mail60nt.mitchell.com> Message-ID: <20041207234923.GG1783@eumel.yoo.local> Hi, * Don Ferguson wrote (2004-12-08 00:40): >Many of the messages going to this mailing list also have digital >signatures. I have no problem verifying the signatures that are clear >signed; however, those messages with an attached signature always fail >the verification. Can someone tell me the procedure to verify a >signature for an email message when it is in an attachment? The only way I can think of: Get a MUA that can do it. I know that Mutt can, and I think that Mozilla and Thunderbird can with a plugin. Thorsten -- You get your education from copyrighted books, you get your news from copyrighted papers and TV programs, you get your jobs from copyrighted want ads, you get your entertainment from copyrighted music and motion pictures - every aspect of life is affected by the law of copyright. - L. Ray Patterson -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20041208/d8e873c8/attachment-0001.bin From swright at physics.adelaide.edu.au Wed Dec 8 00:59:00 2004 From: swright at physics.adelaide.edu.au (Stewart V. Wright) Date: Mon Dec 13 16:35:47 2004 Subject: Signature in Attachment In-Reply-To: <601E1B8E735FBF4FA07BB6DBCF8F480B498B9A@mail60nt.mitchell.com> References: <601E1B8E735FBF4FA07BB6DBCF8F480B498B9A@mail60nt.mitchell.com> Message-ID: <20041207235900.GD32622@anl.gov> G'day Don, * Don Ferguson [041207 17:43]: > Many of the messages going to this mailing list also have digital > signatures. I have no problem verifying the signatures that are clear > signed; however, those messages with an attached signature always fail > the verification. Can someone tell me the procedure to verify a > signature for an email message when it is in an attachment? You need to get a real email program. Ditch the Microsoft and get something that recognises PGP/MIME. Basically signatures in the attachments are generated by emailers that are able to use RFC 2015 (I think - Google for "pgp signature rfc") which effectively specifies that the (Open)PGP signature of an email should be an attachment. The old style signatures are frowned upon (in some circles) and the argument is that "application/pgp is not really suited to a world with MIME, non-textual body parts and similar things" (from the mutt web page). Translation - MIME good. As for verifying the messages... Um, can you save both the text of the email and the attached signature and then gpg --verify them? I don't really know, mutt (my mail program) does it all automatically for me! :-) As another alternative try one of the many other programs (thunderbird, ...) that will be suggested by the other replies I expect you will receive. Cheers, S. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 274 bytes Desc: Digital signature Url : /pipermail/attachments/20041207/f6a5abbc/attachment-0001.bin From chd at chud.net Wed Dec 8 01:18:31 2004 From: chd at chud.net (Chris De Young) Date: Mon Dec 13 16:35:49 2004 Subject: Signature in Attachment In-Reply-To: <20041207235900.GD32622@anl.gov> References: <601E1B8E735FBF4FA07BB6DBCF8F480B498B9A@mail60nt.mitchell.com> <20041207235900.GD32622@anl.gov> Message-ID: <41B64857.9070509@chud.net> >>Many of the messages going to this mailing list also have digital >>signatures. I have no problem verifying the signatures that are clear >>signed; however, those messages with an attached signature always fail >>the verification. Do you mean that your mail client doesn't know what to do with them (in which case I agree with the replies that you've already gotten, and I've used both Mutt and Thunderbird with good results), or does your mail program understand what they are and what to do with them, but the signatures do not appear to be valid? If it's the latter problem, you may have something at the MTA level mucking with the MIME parts of the message before it gets to your inbox. Adding a signature or corporate disclaimer or something maybe (though that's usually a problem on the outgoing side), or wrapping lines for some (really no) reason, or doing something else to somehow alter the message? All these things and the many variations on them are all broken, but they do happen anyway. -Chris -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 256 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20041207/74011429/signature-0001.bin From Don.Ferguson at mitchell.com Wed Dec 8 01:47:48 2004 From: Don.Ferguson at mitchell.com (Don Ferguson) Date: Mon Dec 13 16:35:51 2004 Subject: Signature in Attachment Message-ID: <601E1B8E735FBF4FA07BB6DBCF8F480B498BB8@mail60nt.mitchell.com> Thanks for the response. Unfortunately ditching MS Outlook isn't an option for me. I will look at the possibility of routing a message received by Outlook into another application, but I am looking for an Outlook/ Windows solution if one exists. When I save the body of the message into a text file and use the gpg --verify option, the signature still fails. Perhaps it has something to do with the way Windows handles line breaks as opposed to Unix. -----Original Message----- From: gnupg-users-bounces@gnupg.org [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of Stewart V. Wright Sent: Tuesday, December 07, 2004 3:59 PM To: gnupg-users@gnupg.org Subject: Re: Signature in Attachment G'day Don, * Don Ferguson [041207 17:43]: > Many of the messages going to this mailing list also have digital > signatures. I have no problem verifying the signatures that are clear > signed; however, those messages with an attached signature always fail > the verification. Can someone tell me the procedure to verify a > signature for an email message when it is in an attachment? You need to get a real email program. Ditch the Microsoft and get something that recognises PGP/MIME. Basically signatures in the attachments are generated by emailers that are able to use RFC 2015 (I think - Google for "pgp signature rfc") which effectively specifies that the (Open)PGP signature of an email should be an attachment. The old style signatures are frowned upon (in some circles) and the argument is that "application/pgp is not really suited to a world with MIME, non-textual body parts and similar things" (from the mutt web page). Translation - MIME good. As for verifying the messages... Um, can you save both the text of the email and the attached signature and then gpg --verify them? I don't really know, mutt (my mail program) does it all automatically for me! :-) As another alternative try one of the many other programs (thunderbird, ...) that will be suggested by the other replies I expect you will receive. Cheers, S. From swright at physics.adelaide.edu.au Wed Dec 8 02:07:06 2004 From: swright at physics.adelaide.edu.au (Stewart V. Wright) Date: Mon Dec 13 16:35:52 2004 Subject: Signature in Attachment In-Reply-To: <601E1B8E735FBF4FA07BB6DBCF8F480B498BB8@mail60nt.mitchell.com> References: <601E1B8E735FBF4FA07BB6DBCF8F480B498BB8@mail60nt.mitchell.com> Message-ID: <20041208010706.GE32622@anl.gov> G'day Don, * Don Ferguson [041207 18:51]: > > Thanks for the response. Unfortunately ditching MS Outlook isn't an > option for me. It really should be high on your priorities. Not only does it not allow your preference with GPG/PGP but it also breaks threading in replying to emails... Argh, it'd drive me mad! ;-) [Oh and whilst I am bashing you TOFU (Text Over Full-quote Under) makes reading replies difficult too... Is there anything else you do that I can complain about??? :-> ] > I will look at the possibility of routing a message > received by Outlook into another application, but I am looking for an > Outlook/ Windows solution if one exists. There should be a Outlook plugin somewhere... Did you see this message? http://lists.gnupg.org/pipermail/gnupg-users/2004-October/023487.html > When I save the body of the message into a text file and use the > gpg --verify option, the signature still fails. Perhaps it has > something to do with the way Windows handles line breaks as opposed to > Unix. Possibly that's because the signature is for the _whole_ text message, so when I view my last message I see something like... --===============0790732039== Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="envbJBWh7q8WU6mo" Content-Disposition: inline --envbJBWh7q8WU6mo Content-Type: text/plain; charset=us-ascii Content-Disposition: inline G'day Don, [SNIP] --envbJBWh7q8WU6mo You would need everything between the "--envbJBWh7q8WU6mo" lines. I should clarify that I am guessing here. Hope this helps. Cheers, S. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 274 bytes Desc: Digital signature Url : /pipermail/attachments/20041207/ca1f61a6/attachment-0001.bin From Billt at Mahagonny.com Wed Dec 8 02:38:39 2004 From: Billt at Mahagonny.com (Bill Thompson) Date: Mon Dec 13 16:35:54 2004 Subject: Signature in Attachment In-Reply-To: <601E1B8E735FBF4FA07BB6DBCF8F480B498BB8@mail60nt.mitchell.com> References: <601E1B8E735FBF4FA07BB6DBCF8F480B498BB8@mail60nt.mitchell.com> Message-ID: <20041207173839.22019ba1@BeBop> On Tue, 7 Dec 2004 16:47:48 -0800 "Don Ferguson" wrote: > > Thanks for the response. Unfortunately ditching MS Outlook isn't an > option for me. I will look at the possibility of routing a message > received by Outlook into another application, but I am looking for an > Outlook/ Windows solution if one exists. > Sorry Don, but to my knowledge the only solution to use PGP/Mime with Outlook or Outlook Express is the commercial PGP software. M$ has set-up the Outlooks so that they munge PGP/MIME attachments and you can not add additional MIME types without a plug-in of some kind. Good Luck, -- Bill Thompson BillT@Mahagonny.com -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20041207/63ef32f5/attachment-0001.bin From lists at kcoates.com Wed Dec 8 02:58:52 2004 From: lists at kcoates.com (Kevin Coates) Date: Mon Dec 13 16:35:57 2004 Subject: Signature in Attachment In-Reply-To: <601E1B8E735FBF4FA07BB6DBCF8F480B498BB8@mail60nt.mitchell.com> References: <601E1B8E735FBF4FA07BB6DBCF8F480B498BB8@mail60nt.mitchell.com> Message-ID: <818015894.20041207205852@nospam.kcoates.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Don, On Tue, 7 Dec 2004 16:47:48 -0800 (7:47 PM here), Don Ferguson [DF] wrote in : DF> Thanks for the response. Unfortunately ditching MS Outlook isn't DF> an option for me. I will look at the possibility of routing a DF> message received by Outlook into another application, but I am DF> looking for an Outlook/ Windows solution if one exists. You should take a look at GPGrelay. It works with GPG and adds PGP inlined and PGP/MIME support to Outlook or any Windows e-mail client. http://sites.inka.de/tesla/gpgrelay.html - -- Kevin Coates Dewitt, NY USA ________________________________________________________________ (see kludges for my pgp key) -----BEGIN PGP SIGNATURE----- iD8DBQFBtl/ivZSrVDqOXK0RAjbLAKCtz90LXL5/NJQvl8QzNelxRcn6uwCgpUPS X26yg7ZCGcNNDZK6MPYmXLM= =WYoy -----END PGP SIGNATURE----- From johnmoore3rd at joimail.com Wed Dec 8 04:14:49 2004 From: johnmoore3rd at joimail.com (John Moore) Date: Mon Dec 13 16:35:58 2004 Subject: Signature in Attachment In-Reply-To: <20041207173839.22019ba1@BeBop> References: <601E1B8E735FBF4FA07BB6DBCF8F480B498BB8@mail60nt.mitchell.com> <20041207173839.22019ba1@BeBop> Message-ID: <41B671A9.8020406@joimail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Bill Thompson wrote: | On Tue, 7 Dec 2004 16:47:48 -0800 | "Don Ferguson" wrote: | | |>Thanks for the response. Unfortunately ditching MS Outlook isn't an |>option for me. I will look at the possibility of routing a message |>received by Outlook into another application, but I am looking for an |>Outlook/ Windows solution if one exists. |> | | | Sorry Don, but to my knowledge the only solution to use PGP/Mime with | Outlook or Outlook Express is the commercial PGP software. M$ has set-up | the Outlooks so that they munge PGP/MIME attachments and you can not add | additional MIME types without a plug-in of some kind. | | Good Luck, | What about trying PGP-Relay, it works well with M$ and the price is just right.. JOHN :) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.3.92 (MingW32) Comment: Public Key at: http://tinyurl.com/5ztc6 Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFBtnGmnCmZhrerneURAts+AJ9Cj52LSiAslAGElXjD2u3+ONz4AQCgvih/ HWRngmOojfmLlGUqiWqOAxg= =HcUm -----END PGP SIGNATURE----- From anhny at wmdata.com Wed Dec 8 09:07:09 2004 From: anhny at wmdata.com (Henry Andrew) Date: Mon Dec 13 16:36:03 2004 Subject: OT: Question re: reply format of this mailing list Message-ID: <20D152299AA73D47941BC3A94EDFF5DE047005@WMRI000166.corp.wmdata.net> Hope I don't offend anyone by posting off-topic, but i'm curious as to why you all reply to messages by attaching an in-line message and writing your replies within the original message under the relevant parts? Personally I think it is quite difficult to read the reply this way, especially in plain-text mode. Is this something that has been decided at the list-level or is this considered to be generally good practice? Personally, I tend to strip the original mail altogether and just retain the subject line, so that I don't get a mailbox overloaded with multiple copies of the same data [text]. If there is something that I feel needs to included in the reply, I include just that specific text within quotes above my reply. When I then come to search for a message thread, I don't need to plow through several instances of the same text, and can simply read the thread by date order. Is there anything fundamentally wrong is doing things this way? Sorry for getting on the soap-box--just curious as to 'why'! --Andrew From linux at thorstenhau.de Wed Dec 8 09:34:32 2004 From: linux at thorstenhau.de (Thorsten Haude) Date: Mon Dec 13 16:36:06 2004 Subject: OT: Question re: reply format of this mailing list In-Reply-To: <20D152299AA73D47941BC3A94EDFF5DE047005@WMRI000166.corp.wmdata.net> References: <20D152299AA73D47941BC3A94EDFF5DE047005@WMRI000166.corp.wmdata.net> Message-ID: <20041208083432.GA1573@eumel.yoo.local> Hi, * Henry Andrew wrote (2004-12-08 09:07): >Hope I don't offend anyone by posting off-topic, but i'm curious as to >why you all reply to messages by attaching an in-line message and >writing your replies within the original message under the relevant >parts? Do you mean attaching as in MIME? If you talk about quoting like I did with this mail: That's what proved to be the most effective thing to do. >Personally I think it is quite difficult to read the reply this way, >especially in plain-text mode. Is this something that has been >decided at the list-level or is this considered to be generally good >practice? This may depend on the MUA you use. I sometimes read these kind of mails without color support and they are less clear then. Make sure your MUA supports either colors or has some other way to highlight the different quote levels. >Personally, I tend to strip the original mail altogether and just retain >the subject line, so that I don't get a mailbox overloaded with multiple >copies of the same data [text]. If there is something that I feel needs >to included in the reply, I include just that specific text within >quotes above my reply. That's almost what I do. We might have different views on what's need including, and we might use different quoting markers, but that's all. For a longer discussion, see learn.to/quote. Thorsten -- Das Briefgeheimnis sowie das Post- und Fernmeldegeheimnis sind unverletzlich. - Grundgesetz, Artikel 10, Abs. 1 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20041208/c2431b82/attachment-0001.bin From wk at gnupg.org Wed Dec 8 10:03:47 2004 From: wk at gnupg.org (Werner Koch) Date: Mon Dec 13 16:36:07 2004 Subject: Signature in Attachment In-Reply-To: <20041207173839.22019ba1@BeBop> (Bill Thompson's message of "Tue, 7 Dec 2004 17:38:39 -0800") References: <601E1B8E735FBF4FA07BB6DBCF8F480B498BB8@mail60nt.mitchell.com> <20041207173839.22019ba1@BeBop> Message-ID: <87d5xl5fgs.fsf@wheatstone.g10code.de> On Tue, 7 Dec 2004 17:38:39 -0800, Bill Thompson said: > Sorry Don, but to my knowledge the only solution to use PGP/Mime with > Outlook or Outlook Express is the commercial PGP software. M$ has set-up I doubt that the proprietary PGP handles PGP/MIME with Outlook. There is no documented or known way on how to send arbitrary MIME encoded messages using Outlook (i.e. using MAPI). We have figured out a way to decrypt/verify _most_ PGP/MIME messages but no way to create them. Thus we have not started to implement something. There are possible hacks of course but they would be really bad. If you are running a standalone Outlook you should try gpg-relay. Shalom-Salam, Werner From pradeepsrinivasa at yahoo.com Wed Dec 8 12:31:27 2004 From: pradeepsrinivasa at yahoo.com (Srinivasa Pradeep) Date: Mon Dec 13 16:36:08 2004 Subject: Clarification about GNUPG and GPGME Message-ID: <20041208113128.79581.qmail@web41508.mail.yahoo.com> Hello all, We plan to encrypt data using GPGME library as part of our application on Solaris. THis is a commercial product. What are the implications of using this library? Should we give the source code for our application (or provide a link for that), and should we release our application as part of GPL? If we have to release as part of GPL, kindly suggest any other PGP libraries which can be used by our appl. Best Regards, Pradeep __________________________________ Do you Yahoo!? Yahoo! Mail - now with 250MB free storage. Learn more. http://info.mail.yahoo.com/mail_250 From sgtembe at hotmail.com Wed Dec 8 17:49:07 2004 From: sgtembe at hotmail.com (Suhas Tembe) Date: Mon Dec 13 16:36:10 2004 Subject: Decryption failed error Message-ID: Hello Everyone, We sent our RSA 2048-bit public key to a customer (key id: CBD20614) which they were able to import into their key-ring. They sent us their RSA 2048-bit public key (Key id: A1C09977), which I have imported into the key-ring & given it the ultimate trust and have also signed it. The customer encrypted a test file using our public key & signed it using their key. When I try to decrypt the file at our end, I get the following error: >gpg: encrypted with ELG-E key, ID 6A4285DA >gpg: decryption failed: secret key not available I tried ./gpg --list-keys & I see only the CBD20614 & A1C09977 keys. I also tried ./gpg --list-secret-keys, but I only see the CBD20614 key. I don't see the 6A4285DA key id at all. I also tried ./gpg --verify & I get the following message: >gpg: verify signatures failed: unexpected data It seems to me that the customer used the wrong key to encrypt the file & send it to us. Am I correct or am I missing something? Can someone give me any suggestions as to why this could be happening? Thanks for any help. Suhas From Don.Ferguson at mitchell.com Wed Dec 8 19:00:57 2004 From: Don.Ferguson at mitchell.com (Don Ferguson) Date: Mon Dec 13 16:36:12 2004 Subject: Signature in Attachment Message-ID: <601E1B8E735FBF4FA07BB6DBCF8F480B498C3F@mail60nt.mitchell.com> In this case it happens to be the corporate version of Outlook with Exchange server. That's also why using other email clients really isn't an option. So as things stand for now, I may need to accept that I won't be able to verify PGP/MIME signatures attached to the messages. While it would be nice to be able to do this with Outlook, I can live without it for now. Thanks for the response and the great application that GnuPG is. -----Original Message----- From: gnupg-users-bounces@gnupg.org [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of Werner Koch Sent: Wednesday, December 08, 2004 1:04 AM To: Bill Thompson Cc: gnupg-users@gnupg.org Subject: Re: Signature in Attachment On Tue, 7 Dec 2004 17:38:39 -0800, Bill Thompson said: > Sorry Don, but to my knowledge the only solution to use PGP/Mime with > Outlook or Outlook Express is the commercial PGP software. M$ has set-up I doubt that the proprietary PGP handles PGP/MIME with Outlook. There is no documented or known way on how to send arbitrary MIME encoded messages using Outlook (i.e. using MAPI). We have figured out a way to decrypt/verify _most_ PGP/MIME messages but no way to create them. Thus we have not started to implement something. There are possible hacks of course but they would be really bad. If you are running a standalone Outlook you should try gpg-relay. Shalom-Salam, Werner _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From linux at codehelp.co.uk Wed Dec 8 20:36:28 2004 From: linux at codehelp.co.uk (Neil Williams) Date: Mon Dec 13 16:36:14 2004 Subject: Signature in Attachment In-Reply-To: <601E1B8E735FBF4FA07BB6DBCF8F480B498C3F@mail60nt.mitchell.com> References: <601E1B8E735FBF4FA07BB6DBCF8F480B498C3F@mail60nt.mitchell.com> Message-ID: <200412081936.29327.linux@codehelp.co.uk> On Wednesday 08 December 2004 6:00 pm, Don Ferguson wrote: > In this case it happens to be the corporate version of Outlook with > Exchange server. Why not post from home? > That's also why using other email clients really isn't > an option. So as things stand for now, I may need to accept that I > won't be able to verify PGP/MIME signatures attached to the messages. > While it would be nice to be able to do this with Outlook, I can live > without it for now. But old-style inline signatures are deprecated for very good reasons. PGP/MIME is the future of GnuPG/PGP signatures. You really ought to use a different email client. It isn't impossible, no matter what the corporate mentality, you could use Mozilla Thunderbird - on a USB stick if necessary. -- Neil Williams ============= http://www.codehelp.co.uk/ http://www.dclug.org.uk/ http://www.isbn.org.uk/ http://sourceforge.net/projects/isbnsearch/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20041208/3ba1fb2b/attachment-0001.bin From Don.Ferguson at mitchell.com Wed Dec 8 20:56:28 2004 From: Don.Ferguson at mitchell.com (Don Ferguson) Date: Mon Dec 13 16:36:17 2004 Subject: Signature in Attachment Message-ID: <601E1B8E735FBF4FA07BB6DBCF8F480B498C71@mail60nt.mitchell.com> Yes, using Thunderbird from home is an option. Using Thunderbird at work would also be an option if it could directly communicate with the Exchange servers the same way Outlook does. -----Original Message----- From: gnupg-users-bounces@gnupg.org [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of Neil Williams Sent: Wednesday, December 08, 2004 11:36 AM To: gnupg-users@gnupg.org Subject: Re: Signature in Attachment On Wednesday 08 December 2004 6:00 pm, Don Ferguson wrote: > In this case it happens to be the corporate version of Outlook with > Exchange server. Why not post from home? > That's also why using other email clients really isn't > an option. So as things stand for now, I may need to accept that I > won't be able to verify PGP/MIME signatures attached to the messages. > While it would be nice to be able to do this with Outlook, I can live > without it for now. But old-style inline signatures are deprecated for very good reasons. PGP/MIME is the future of GnuPG/PGP signatures. You really ought to use a different email client. It isn't impossible, no matter what the corporate mentality, you could use Mozilla Thunderbird - on a USB stick if necessary. -- Neil Williams ============= http://www.codehelp.co.uk/ http://www.dclug.org.uk/ http://www.isbn.org.uk/ http://sourceforge.net/projects/isbnsearch/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 From chd at chud.net Wed Dec 8 21:14:02 2004 From: chd at chud.net (Chris De Young) Date: Mon Dec 13 16:36:19 2004 Subject: MIME vs. inline (was Re: Signature in Attachment) In-Reply-To: <200412081936.29327.linux@codehelp.co.uk> References: <601E1B8E735FBF4FA07BB6DBCF8F480B498C3F@mail60nt.mitchell.com> <200412081936.29327.linux@codehelp.co.uk> Message-ID: <41B7608A.6050804@chud.net> > But old-style inline signatures are deprecated for very good reasons. Actually, this may be a dumb question, what are some of those reasons (or can you point me to some documentation if this is a re-run for everyone else)? I'm not disagreeing with you, but I do have this discussion around here every so often with people who prefer inline signatures, and I'm not usually making very forceful arguments - especially not to people who don't really understand MIME and aren't always quite sure what their mail client is showing them. "But it's less confusing this way!" (the inline way) Thanks! -Chris -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 256 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20041208/ed82ccbd/signature-0001.bin From chd at chud.net Wed Dec 8 23:12:31 2004 From: chd at chud.net (Chris De Young) Date: Mon Dec 13 16:36:24 2004 Subject: The parts of a key? Message-ID: <41B77C4F.3050101@chud.net> Could someone point me to documentation describing the architecture of a key pair, and what gets used for what? Specifically, the role of sub-keys. I have: $ gpg --list-keys chd pub 1024D/379E6244 2001-09-28 Chris De Young uid Chris De Young uid Chris De Young sub 2048g/E0BEF64A 2001-09-28 Someone sent me a message encrypted with E0BEF64A instead of 379E6244, and I realize that I don't fully understand the differences and functions of these key parts... Thanks! -Chris -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 256 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20041208/902a6539/signature-0001.bin From linux at thorstenhau.de Thu Dec 9 00:08:44 2004 From: linux at thorstenhau.de (Thorsten Haude) Date: Mon Dec 13 16:36:27 2004 Subject: Signature in Attachment In-Reply-To: <200412081936.29327.linux@codehelp.co.uk> References: <601E1B8E735FBF4FA07BB6DBCF8F480B498C3F@mail60nt.mitchell.com> <200412081936.29327.linux@codehelp.co.uk> Message-ID: <20041208230844.GF1573@eumel.yoo.local> Hi, * Neil Williams wrote (2004-12-08 20:36): >You really ought to use a different email client. It isn't >impossible, no matter what the corporate mentality Sounds nice, isn't necessarily true. What if you not protocol but Exchange? Actually I'm lucky to even get POP3, but They won't give me a relay. I will try a little social engineering further down the road, but if that doesn't work I'm stuck with Outlook. Thorsten -- Rarely do we find people who willingly engage in hard, solid thinking. There is an almost universal quest for easy answers and half-baked solutions. Nothing pains some people more than having to think. - Martin Luther King -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20041209/2d409404/attachment-0001.bin From linux at codehelp.co.uk Thu Dec 9 00:26:07 2004 From: linux at codehelp.co.uk (Neil Williams) Date: Mon Dec 13 16:36:28 2004 Subject: The parts of a key? In-Reply-To: <41B77C4F.3050101@chud.net> References: <41B77C4F.3050101@chud.net> Message-ID: <200412082326.11973.linux@codehelp.co.uk> On Wednesday 08 December 2004 10:12 pm, Chris De Young wrote: > Could someone point me to documentation describing the architecture of a > key pair, and what gets used for what? Specifically, the role of sub-keys. http://www.gnupg.org/gph/en/manual.html#AEN26 http://www.gnupg.org/gph/en/manual.html#AEN282 http://www.gnupg.org/gph/en/manual.html#AEN526 The subkey below is the encryption key. The public key is a signature key. When someone encrypts to you, the encryption key is chosen. When you sign a file, the signature key is chosen. Different algorithms have different strengths. This is different to the 'key-pair' - a term usually meaning the public key and the secret key. You have a public key containing a signature subkey and an encryption subkey. You have a secret key containing the corresponding secret subkeys. > I have: > > $ gpg --list-keys chd > pub 1024D/379E6244 2001-09-28 Chris De Young > uid Chris De Young > uid Chris De Young > sub 2048g/E0BEF64A 2001-09-28 > > Someone sent me a message encrypted with E0BEF64A instead of 379E6244, and > I realize that I don't fully understand the differences and functions of > these key parts... A default key generation gives a strong signature key and a strong encryption key, but the keys themselves use different algorithms - playing to the respective strengths. Anyone encrypting to you using 379E6244 will always actually encrypt to E0BEF64A. It makes no odds, E0BEF64A is the encryption part of 379E6244 and your secret key for 379E6244 can decrypt the message. You can add subkeys for other purposes - like a short expiry, preference for an algorithm, as well as adding UID's. Many keys are just like yours - one pub and just one sub. -- Neil Williams ============= http://www.dclug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20041208/4d430bd0/attachment-0001.bin From chd at chud.net Thu Dec 9 00:47:05 2004 From: chd at chud.net (Chris De Young) Date: Mon Dec 13 16:36:30 2004 Subject: The parts of a key? In-Reply-To: <200412082326.11973.linux@codehelp.co.uk> References: <41B77C4F.3050101@chud.net> <200412082326.11973.linux@codehelp.co.uk> Message-ID: <41B79279.3020105@chud.net> > http://www.gnupg.org/gph/en/manual.html#AEN26 > http://www.gnupg.org/gph/en/manual.html#AEN282 > http://www.gnupg.org/gph/en/manual.html#AEN526 [...] Thanks! Just what I was looking for. Is efficiency the reason for using multiple keys, rather than using a single ElGamal key (really a single public/secret pair) for everything? >>Someone sent me a message encrypted with E0BEF64A instead of 379E6244, This confusion was a result of my misunderstanding what Thunderbird was telling me about the message when I looked at the details. Thanks! -Chris -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 256 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20041208/32493cc9/signature-0001.bin From don.ferguson at mitchell.com Thu Dec 9 01:04:22 2004 From: don.ferguson at mitchell.com (Don Ferguson) Date: Mon Dec 13 16:36:32 2004 Subject: Signature in Attachment In-Reply-To: <20041208230844.GF1573@eumel.yoo.local> References: <601E1B8E735FBF4FA07BB6DBCF8F480B498C3F@mail60nt.mitchell.com> <200412081936.29327.linux@codehelp.co.uk> <20041208230844.GF1573@eumel.yoo.local> Message-ID: <41B79686.8060205@mitchell.com> Thorsten Haude wrote: >Hi, > >* Neil Williams wrote (2004-12-08 20:36): > > >>You really ought to use a different email client. It isn't >>impossible, no matter what the corporate mentality >> >> > >Sounds nice, isn't necessarily true. What if you not protocol but >Exchange? Actually I'm lucky to even get POP3, but They won't give me >a relay. > >I will try a little social engineering further down the road, but if >that doesn't work I'm stuck with Outlook. > > >Thorsten > > >------------------------------------------------------------------------ > >_______________________________________________ >Gnupg-users mailing list >Gnupg-users@gnupg.org >http://lists.gnupg.org/mailman/listinfo/gnupg-users > > It looks like Thuderbird works nicely. I guess the best way to go is to use a combination of Thunderbird and Outlook. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20041208/9db8cd82/signature-0001.bin From linux at thorstenhau.de Thu Dec 9 01:15:54 2004 From: linux at thorstenhau.de (Thorsten Haude) Date: Mon Dec 13 16:36:33 2004 Subject: Signature in Attachment In-Reply-To: <41B79686.8060205@mitchell.com> References: <601E1B8E735FBF4FA07BB6DBCF8F480B498C3F@mail60nt.mitchell.com> <200412081936.29327.linux@codehelp.co.uk> <20041208230844.GF1573@eumel.yoo.local> <41B79686.8060205@mitchell.com> Message-ID: <20041209001554.GG1573@eumel.yoo.local> Hi, please send me every mail only once. * Don Ferguson wrote (2004-12-09 01:04): >>What if you not protocol but Exchange? >> >It looks like Thuderbird works nicely. I guess the best way to go is to >use a combination of Thunderbird and Outlook. So Thunderbird knows how to talk to Exchange? Could you point to some resources explaining how it is done? Thorsten -- I believe that there are more instances of the abridgment of the freedom of the people by gradual and silent encroachment than by violent and sudden usurpations. - James Madison -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20041209/9bdd4c31/attachment-0001.bin From don.ferguson at mitchell.com Thu Dec 9 02:34:29 2004 From: don.ferguson at mitchell.com (Don Ferguson) Date: Mon Dec 13 16:36:35 2004 Subject: Signature in Attachment In-Reply-To: <20041209001554.GG1573@eumel.yoo.local> References: <601E1B8E735FBF4FA07BB6DBCF8F480B498C3F@mail60nt.mitchell.com> <200412081936.29327.linux@codehelp.co.uk> <20041208230844.GF1573@eumel.yoo.local> <41B79686.8060205@mitchell.com> <20041209001554.GG1573@eumel.yoo.local> Message-ID: <41B7ABA5.5070400@mitchell.com> Thorsten Haude wrote: >Hi, > >please send me every mail only once. > >* Don Ferguson wrote (2004-12-09 01:04): > > >>>What if you not protocol but Exchange? >>> >>> >>> >>It looks like Thuderbird works nicely. I guess the best way to go is to >>use a combination of Thunderbird and Outlook. >> >> > >So Thunderbird knows how to talk to Exchange? Could you point to some >resources explaining how it is done? > > >Thorsten > > >------------------------------------------------------------------------ > >_______________________________________________ >Gnupg-users mailing list >Gnupg-users@gnupg.org >http://lists.gnupg.org/mailman/listinfo/gnupg-users > > I am just using POP3 against the Exchange server with login credentials. Please note that POP3 will need to be enabled in Exchange. While I find it convenient to use Thunderbird for handling OpenPGP activities, it is not a suitable replacement for Outlook for my normal daily corporate email and scheduling activity. Since I don't want my messages deleted out of my exchange inbox or automatically marked as read by Thunderbird, I also enabled the following options under Account Settings --> Server Settings: Fetch headers only Leave messages on the server (Other settings may be configured to suite you personal tastes.) So when I need perform encryption or signature activity, or respond to this email thread, I just manually open Thunderbird, manually retrieve the message headers, and manually download the message I want to respond to. I realize that this is a bit of a kludge, but so far it's my best option. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20041208/10ae21e4/signature-0001.bin From atom at suspicious.org Thu Dec 9 05:59:39 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Mon Dec 13 16:36:40 2004 Subject: MIME vs. inline (was Re: Signature in Attachment) In-Reply-To: <41B7608A.6050804@chud.net> References: <601E1B8E735FBF4FA07BB6DBCF8F480B498C3F@mail60nt.mitchell.com> <200412081936.29327.linux@codehelp.co.uk> <41B7608A.6050804@chud.net> Message-ID: <20041208234317.W62757@willy.wonka> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Wed, 8 Dec 2004, Chris De Young wrote: >> But old-style inline signatures are deprecated for very good reasons. > > Actually, this may be a dumb question, what are some of those reasons > (or can you point me to some documentation if this is a re-run for > everyone else)? I'm not disagreeing with you, but I do have this > discussion around here every so often with people who prefer inline > signatures, and I'm not usually making very forceful arguments - > especially not to people who don't really understand MIME and aren't > always quite sure what their mail client is showing them. "But it's > less confusing this way!" (the inline way) ================= my reasons for preferring inline signatures and encryption: 1) poorly configured virus filters *NEVER* tear up inline pgp 2) it's simple to implement 3) many MUAs can't handle pgp-mime i really think that rumors of inline pgp being dead are grossly exaggerated... it's defined in rfc2440 sections 6-7 (i always get a kick out of the hidden message in 6.6 ;) - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "Destroy the family, and the society will collapse." -- Vladimir Lenin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.3.92 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJBt9vEAAoJEAx/d+cTpVci7xIH/10pPu0Fou9uf+3TJxVLi31M w+geBgTO05ryhmyhFQyGfYtGg4o7YVCMjvPqIj/bVRD9+KuXafT0+Nz+bHHmzrWe acRXPtiKBUEb6zzD2zukRhwRL+jI5YufngYEkeA4B//ZMpUrj3IsBQThchGOAD+J JKtsynIxtfW17zIhVY40GubID5i3OELjSuSVafvckddQxpc83IxylRYV+xVTR1gF 6Xn77y6JpMEqilhfUiRzQK16unAvFSOr64AMyeOKE/CXVCFggi7yJHXisJt6qJRt j8NcVJp1RZmL4XLH50vMZj+DdrImF+sFQ2UX9Rwn+ZGhXoMLloG+SFutBetfjv8= =/ja5 -----END PGP SIGNATURE----- From torduninja at netcourrier.com Thu Dec 9 09:38:01 2004 From: torduninja at netcourrier.com (Maxine Brandt) Date: Mon Dec 13 16:36:42 2004 Subject: (no subject) Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Greetings, The information on setting up the GPG TO GO portable GnuPG application on a floppy (or USB device) has been updated (http://www.torduninja.tk). The major change is that we've found that a one-line batch script eliminates the need to copy M$ binaries to the floppy. This eases the space problems posed by the iconv.dll in the 1.3.92 Windows version discussed on the list last month. It also removes any legal obstacle to distributing GPG TO GO as a complete package, and there's now a download available which includes GnuPG-1.2.6 compiled for floppy use, with the default home directory A:\gnupg, and the binaries already compressed with upx. Salut Maxine -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.3.92 (GNU/Linux) iD8DBQFBt6oQKBY/R6nbCcARAu+0AJ9S5fLoiLAumm+/vihKaSeogDVS8QCcDRRf rPYSP1ZBjpxHXq+w7Fb1SEg= =lfTF -----END PGP SIGNATURE----- ------------------------------------------------------------- NetCourrier, votre bureau virtuel sur Internet : Mail, Agenda, Clubs, Toolbar... Web/Wap : www.netcourrier.com T?l?phone/Fax : 08 92 69 00 21 (0,34 ? TTC/min) Minitel: 3615 NETCOURRIER (0,16 ? TTC/min) From linux at codehelp.co.uk Thu Dec 9 11:00:35 2004 From: linux at codehelp.co.uk (Neil Williams) Date: Mon Dec 13 16:36:44 2004 Subject: Signature in Attachment In-Reply-To: <41B7ABA5.5070400@mitchell.com> References: <601E1B8E735FBF4FA07BB6DBCF8F480B498C3F@mail60nt.mitchell.com> <20041209001554.GG1573@eumel.yoo.local> <41B7ABA5.5070400@mitchell.com> Message-ID: <200412091000.36542.linux@codehelp.co.uk> On Thursday 09 December 2004 1:34 am, Don Ferguson wrote: > I am just using POP3 against the Exchange server with login > credentials. If Exchange can enable IMAP in the same way, it would solve this problem: > I don't > want my messages deleted out of my exchange inbox -- Neil Williams ============= http://www.dclug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20041209/69fe6821/attachment-0001.bin From don.ferguson at mitchell.com Thu Dec 9 12:02:26 2004 From: don.ferguson at mitchell.com (Don Ferguson) Date: Mon Dec 13 16:36:46 2004 Subject: Signature in Attachment In-Reply-To: <200412091000.36542.linux@codehelp.co.uk> References: <601E1B8E735FBF4FA07BB6DBCF8F480B498C3F@mail60nt.mitchell.com> <20041209001554.GG1573@eumel.yoo.local> <41B7ABA5.5070400@mitchell.com> <200412091000.36542.linux@codehelp.co.uk> Message-ID: <41B830C2.7030201@mitchell.com> Neil Williams wrote: >On Thursday 09 December 2004 1:34 am, Don Ferguson wrote: > > >>I am just using POP3 against the Exchange server with login >>credentials. >> >> > >If Exchange can enable IMAP in the same way, it would solve this problem: > > > >>I don't >>want my messages deleted out of my exchange inbox >> >> IMAP should work as well although I haven't tried it yet. Again IMAP would need to be enabled at the Exchange server. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20041209/80c90c55/signature-0001.bin From dshaw at jabberwocky.com Thu Dec 9 14:28:52 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Dec 13 16:36:53 2004 Subject: PGP Global Directory Message-ID: <20041209132851.GB29900@jabberwocky.com> Hi Folks, I figured I'd forestall the obvious question about the new keyserver that the PGP company announced this morning: Yes, it works great with GnuPG.... but you need GnuPG 1.3.90 or later. Just set your keyserver to "ldap://keyserver-beta.pgp.com". If you aren't using that version, you can use the new keyserver through its web interface. David -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 251 bytes Desc: not available Url : /pipermail/attachments/20041209/76b9b02d/attachment-0001.bin From mwood at IUPUI.Edu Thu Dec 9 14:45:28 2004 From: mwood at IUPUI.Edu (Mark H. Wood) Date: Mon Dec 13 16:36:55 2004 Subject: Signature in Attachment In-Reply-To: <200412081936.29327.linux@codehelp.co.uk> References: <601E1B8E735FBF4FA07BB6DBCF8F480B498C3F@mail60nt.mitchell.com> <200412081936.29327.linux@codehelp.co.uk> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, 8 Dec 2004, Neil Williams wrote: > On Wednesday 08 December 2004 6:00 pm, Don Ferguson wrote: > > In this case it happens to be the corporate version of Outlook with > > Exchange server. > > Why not post from home? > > > That's also why using other email clients really isn't > > an option. So as things stand for now, I may need to accept that I > > won't be able to verify PGP/MIME signatures attached to the messages. > > While it would be nice to be able to do this with Outlook, I can live > > without it for now. > > But old-style inline signatures are deprecated for very good reasons. PGP/MIME > is the future of GnuPG/PGP signatures. You really ought to use a different > email client. It isn't impossible, no matter what the corporate mentality, > you could use Mozilla Thunderbird - on a USB stick if necessary. Our corporate email group runs Exchange. My MUA is Pine. Outlook is not an absolute requirement to work with Exchange. (Okay, because I'm a former Postmaster and refugee from the mainframe world, my setup is a little more complicated. Incoming mail is sucked out of Exchange using fetchmail, injected into Exim, and delivered to a local mailbox. Outgoing mail goes through Exim to wherever Exim thinks it should go, and it does the Right Thing for mail back to Exchange accounts. It all gives me something to tinker with over lunch. But Pine plus a PGP/MIME filter should suffice, so long as Exchange is set up to offer IMAP.) - -- Mark H. Wood, Lead System Programmer mwood@IUPUI.Edu Open-source executable: $0.00. Source: $0.00 Control: priceless! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) Comment: pgpenvelope 2.10.2 - http://pgpenvelope.sourceforge.net/ iD8DBQFBuFb8s/NR4JuTKG8RAu5LAJ9WZsoLHHAYywMv2IWG6FMucQam2gCgrpIm Dr55LQGcq3dL/2H3r9EdYoY= =MCrb -----END PGP SIGNATURE----- From wk at gnupg.org Thu Dec 9 12:38:58 2004 From: wk at gnupg.org (Werner Koch) Date: Mon Dec 13 16:36:57 2004 Subject: The parts of a key? In-Reply-To: <41B79279.3020105@chud.net> (Chris De Young's message of "Wed, 08 Dec 2004 16:47:05 -0700") References: <41B77C4F.3050101@chud.net> <200412082326.11973.linux@codehelp.co.uk> <41B79279.3020105@chud.net> Message-ID: <87vfbbog4t.fsf@wheatstone.g10code.de> On Wed, 08 Dec 2004 16:47:05 -0700, Chris De Young said: > Is efficiency the reason for using multiple keys, rather than using a > single ElGamal key (really a single public/secret pair) for everything? ElGamal is not really usable to create signatures. We supported this for a long time but eventually introduced a bug leading to a real world secret key compromise. Thus no more ElGamal signing keys. The general reason for having 2 keys is a long standing cryptographic caution to use one key only for one purpose - thus the concept of subkeys to implement this. The primary key needs to have a signing capability only; whereas you may add any number of subkeys. For example, the OpenPGP card creates 2 subkeys: One for encryption and one for authentication - again you see: a key per purpose. Due to the way OpenPGP is designed the primary key may be given for all purposes and the software then looks out for an appropriate subkey for the task to be done (i.e. signing, encryption or authentication (ssh)). Shalom-Salam, Werner From Madhavi.Gandavarapu at equifax.com Thu Dec 9 15:58:04 2004 From: Madhavi.Gandavarapu at equifax.com (Madhavi.Gandavarapu@equifax.com) Date: Mon Dec 13 16:37:02 2004 Subject: Using libgcrypt1.2.0 for 3DES, ECB mode of encryption/decryption. Message-ID: Hi, I have a string that I am trying to encrypt using 3DES,ECB mode. I have a specific 24 byte key that I need to use to encrypt or decrypt. I am not getting good encrypted string back, since I can't even decrypt what I encrypted with the same key and same library. Can you point me to what I am doing wrong here. Here is the code segment. unsigned char enc_key[24] = {0x12,0x34,0x51,0x23,0x45,0x12,0x34,0x51,0x15,0x43,0x21,0x54,0x32,0x15,0x43,0x21,0x45,0x12,0x34,0x51,0x12, 0x34,0x51,0x23}; static int do_encrypt(unsigned char* dest,unsigned char* src) { //GCRY_CIPHER_3DES is the algorithm type //GCRY_CIPHER_MODE_ECB is the algorithem mode //0(zero) is the flags value to send int retVal =0; gcry_cipher_hd_t hd; int keylen; int i =0,x=0; gcry_error_t err = 0; keylen = gcry_cipher_get_algo_keylen(GCRY_CIPHER_3DES); if (!keylen) { // fail ("algo %d, mode %d, gcry_cipher_get_algo_keylen failed\n", algo, mode); logf(&bLog, LF_ERROR, "algo %s, mode %s, gcry_cipher_get_algo_keylen failed","GCRY_CIPHER_3DES" ,"GCRY_CIPHER_MODE_ECB" ); retVal = -1; return retVal; } if (keylen < 40 / 8 || keylen > 32) { // fail ("algo %d, mode %d, keylength problem (%d)\n", algo, mode, keylen); logf(&bLog, LF_ERROR, "algo %s, mode %s, keylength problem (%d)","GCRY_CIPHER_3DES" ,"GCRY_CIPHER_MODE_ECB",keylen ); retVal = -1; return retVal; } err = gcry_cipher_open (&hd, GCRY_CIPHER_3DES, GCRY_CIPHER_MODE_ECB, 0); if (err) { // fail ("algo %d, mode %d, grcy_open_cipher failed: %s\n", algo, mode, gpg_strerror (err)); logf(&bLog, LF_ERROR, "algo %s, mode %s, grcy_open_cipher failed: %s","GCRY_CIPHER_3DES" ,"GCRY_CIPHER_MODE_ECB",gpg_strerror(err) ); return err; } err = gcry_cipher_setkey (hd, &enc_key, keylen); if (err) { // fail ("algo %d, mode %d, gcry_cipher_setkey failed: %s\n", algo, mode, gpg_strerror (err)); logf(&bLog, LF_ERROR, "algo %s, mode %s, gcry_cipher_setkey failed: %s","GCRY_CIPHER_3DES" ,"GCRY_CIPHER_MODE_ECB",gpg_strerror(er r)); gcry_cipher_close (hd); return err; } //err = gcry_cipher_encrypt (hd, dest, strlen(dest), NULL,strlen(dest)); err = gcry_cipher_encrypt (hd, dest, strlen(dest), src, strlen(src)); if (err) { // fail ("algo %d, mode %d, gcry_cipher_encrypt failed: %s\n", algo, mode, gpg_strerror (err)); logf(&bLog, LF_ERROR, "algo %s, mode %s, gcry_cipher_encrypt failed: %s","GCRY_CIPHER_3DES" ,"GCRY_CIPHER_MODE_ECB",gpg_strerror(e rr)); gcry_cipher_close (hd); return err; } i =0; x=0; if((x = (strlen(dest)%bsize))) { x = (bsize - x); for(i = 0; i < x; i++) strcat(dest," "); } err = gcry_cipher_decrypt (hd, dest, strlen(dest), dest, strlen(dest)); if (err) { // fail ("algo %d, mode %d, gcry_cipher_decrypt failed: %s\n", algo, mode, gpg_strerror (err)); logf(&bLog, LF_ERROR, "algo %s, mode %s, gcry_cipher_decrypt failed: %s","GCRY_CIPHER_3DES" ,"GCRY_CIPHER_MODE_ECB",gpg_strerror(e rr)); gcry_cipher_close (hd); return err; } gcry_cipher_close (hd); Thanks and Regards Madhavi This message contains information from Equifax Inc. which may be confidential and privileged. If you are not an intended recipient, please refrain from any disclosure, copying, distribution or use of this information and note that such actions are prohibited. If you have received this transmission in error, please notify by e-mail postmaster@equifax.com. From wk at gnupg.org Thu Dec 9 17:16:22 2004 From: wk at gnupg.org (Werner Koch) Date: Mon Dec 13 16:37:15 2004 Subject: [Announce] sha1sum for MS Windows released Message-ID: <871xdz8n1l.fsf@wheatstone.g10code.de> Skipped content of type multipart/signed-------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From linux at thorstenhau.de Fri Dec 10 01:29:13 2004 From: linux at thorstenhau.de (Thorsten Haude) Date: Mon Dec 13 16:37:31 2004 Subject: Signature in Attachment In-Reply-To: <41B7ABA5.5070400@mitchell.com> References: <601E1B8E735FBF4FA07BB6DBCF8F480B498C3F@mail60nt.mitchell.com> <200412081936.29327.linux@codehelp.co.uk> <20041208230844.GF1573@eumel.yoo.local> <41B79686.8060205@mitchell.com> <20041209001554.GG1573@eumel.yoo.local> <41B7ABA5.5070400@mitchell.com> Message-ID: <20041210002913.GA2381@eumel.yoo.local> Hi, Please send me every mail only once. (Does Thunderbird know list-reply?) * Don Ferguson wrote (2004-12-09 02:34): >Thorsten Haude wrote: >>>It looks like Thuderbird works nicely. I guess the best way to go is to >>>use a combination of Thunderbird and Outlook. >> >>So Thunderbird knows how to talk to Exchange? Could you point to some >>resources explaining how it is done? >> >I am just using POP3 against the Exchange server with login >credentials. Well, but what if you don't have any protocol except what Exchange offers? I can POP3 my mails, but I don't have a relay to send any, so I have no idea how to use anything except Outlook. Can you offer any clue here? Thorsten -- Why do we drink cow's milk? Who was the first guy who first looked at a cow and said "I think I'll drink whatever comes out of these things when I squeeze 'em!"? - Calvin -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20041210/356d16dc/attachment-0001.bin From don.ferguson at mitchell.com Fri Dec 10 02:12:51 2004 From: don.ferguson at mitchell.com (Don Ferguson) Date: Mon Dec 13 16:37:32 2004 Subject: Signature in Attachment In-Reply-To: <20041210002913.GA2381@eumel.yoo.local> References: <601E1B8E735FBF4FA07BB6DBCF8F480B498C3F@mail60nt.mitchell.com> <200412081936.29327.linux@codehelp.co.uk> <20041208230844.GF1573@eumel.yoo.local> <41B79686.8060205@mitchell.com> <20041209001554.GG1573@eumel.yoo.local> <41B7ABA5.5070400@mitchell.com> <20041210002913.GA2381@eumel.yoo.local> Message-ID: <41B8F813.3040101@mitchell.com> Thorsten Haude wrote: >Hi, > >Please send me every mail only once. (Does Thunderbird know >list-reply?) > >* Don Ferguson wrote (2004-12-09 02:34): > > >>Thorsten Haude wrote: >> >> >>>>It looks like Thuderbird works nicely. I guess the best way to go is to >>>>use a combination of Thunderbird and Outlook. >>>> >>>> >>>So Thunderbird knows how to talk to Exchange? Could you point to some >>>resources explaining how it is done? >>> >>> >>> >>I am just using POP3 against the Exchange server with login >>credentials. >> >> > >Well, but what if you don't have any protocol except what Exchange >offers? I can POP3 my mails, but I don't have a relay to send any, so >I have no idea how to use anything except Outlook. Can you offer any >clue here? > > >Thorsten > > Exchange Server supports SMTP, POP3, and IMAP. As to whether or not your Exchange Server is configured to allow you to use these services is something you will need to take up with your mail administrator. For SMTP you can bounce your messages off any server that has the SMTP service running on it provide it is unrestricted. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20041209/c7aea394/signature-0001.bin From dshaw at jabberwocky.com Fri Dec 10 02:39:32 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Dec 13 16:37:34 2004 Subject: Decryption failed error In-Reply-To: References: Message-ID: <20041210013932.GA580@jabberwocky.com> On Wed, Dec 08, 2004 at 11:49:07AM -0500, Suhas Tembe wrote: > Hello Everyone, > > We sent our RSA 2048-bit public key to a customer (key id: CBD20614) which > they were able to import into their key-ring. They sent us their RSA > 2048-bit public key (Key id: A1C09977), which I have imported into the > key-ring & given it the ultimate trust and have also signed it. The > customer encrypted a test file using our public key & signed it using their > key. > > When I try to decrypt the file at our end, I get the following error: > > >gpg: encrypted with ELG-E key, ID 6A4285DA > >gpg: decryption failed: secret key not available > > I tried ./gpg --list-keys & I see only the CBD20614 & A1C09977 keys. I also > tried > ./gpg --list-secret-keys, but I only see the CBD20614 key. I don't see the > 6A4285DA key id at all. > > I also tried ./gpg --verify & I get the following message: > > >gpg: verify signatures failed: unexpected data > > It seems to me that the customer used the wrong key to encrypt the file & > send it to us. Am I correct or am I missing something? What happens when you say 'gpg --list-keys 6A4285DA' ? If nothing, then it does seem like your customer encrypted to the wrong key. David -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 251 bytes Desc: not available Url : /pipermail/attachments/20041209/5e59e04a/attachment-0001.bin From vishalrao at gmail.com Fri Dec 10 05:25:41 2004 From: vishalrao at gmail.com (Vishal Rao) Date: Mon Dec 13 16:37:36 2004 Subject: Using libgcrypt1.2.0 for 3DES, ECB mode of encryption/decryption. In-Reply-To: References: Message-ID: Hi, Do not use strlen() on plaintext or ciphertext! Its not really text! If there happens to be a zero in the bytes your strlen will return a shorter value! Cheers, Vishal On Thu, 9 Dec 2004 09:58:04 -0500, Madhavi.Gandavarapu@equifax.com wrote: > > > Hi, > > I have a string that I am trying to encrypt using 3DES,ECB mode. I have a > specific 24 byte key that I need to use to encrypt or decrypt. > I am not getting good encrypted string back, since I can't even decrypt what I > encrypted with the same key and same library. > > Can you point me to what I am doing wrong here. > > Here is the code segment. > > unsigned char enc_key[24] = > {0x12,0x34,0x51,0x23,0x45,0x12,0x34,0x51,0x15,0x43,0x21,0x54,0x32,0x15,0x43,0x21,0x45,0x12,0x34,0x51,0x12, > 0x34,0x51,0x23}; > > static int do_encrypt(unsigned char* dest,unsigned char* src) > { > //GCRY_CIPHER_3DES is the algorithm type > //GCRY_CIPHER_MODE_ECB is the algorithem mode > //0(zero) is the flags value to send > int retVal =0; > gcry_cipher_hd_t hd; > > int keylen; > int i =0,x=0; > gcry_error_t err = 0; > > keylen = gcry_cipher_get_algo_keylen(GCRY_CIPHER_3DES); > if (!keylen) > { > // fail ("algo %d, mode %d, gcry_cipher_get_algo_keylen failed\n", algo, > mode); > logf(&bLog, LF_ERROR, "algo %s, mode %s, gcry_cipher_get_algo_keylen > failed","GCRY_CIPHER_3DES" ,"GCRY_CIPHER_MODE_ECB" ); > retVal = -1; > return retVal; > } > if (keylen < 40 / 8 || keylen > 32) > { > // fail ("algo %d, mode %d, keylength problem (%d)\n", algo, mode, keylen); > logf(&bLog, LF_ERROR, "algo %s, mode %s, keylength problem > (%d)","GCRY_CIPHER_3DES" ,"GCRY_CIPHER_MODE_ECB",keylen ); > retVal = -1; > return retVal; > } > err = gcry_cipher_open (&hd, GCRY_CIPHER_3DES, GCRY_CIPHER_MODE_ECB, 0); > if (err) > { > // fail ("algo %d, mode %d, grcy_open_cipher failed: %s\n", algo, mode, > gpg_strerror (err)); > logf(&bLog, LF_ERROR, "algo %s, mode %s, grcy_open_cipher failed: > %s","GCRY_CIPHER_3DES" ,"GCRY_CIPHER_MODE_ECB",gpg_strerror(err) > ); > return err; > > } > err = gcry_cipher_setkey (hd, &enc_key, keylen); > if (err) > { > // fail ("algo %d, mode %d, gcry_cipher_setkey failed: %s\n", algo, mode, > gpg_strerror (err)); > logf(&bLog, LF_ERROR, "algo %s, mode %s, gcry_cipher_setkey failed: > %s","GCRY_CIPHER_3DES" ,"GCRY_CIPHER_MODE_ECB",gpg_strerror(er > r)); > gcry_cipher_close (hd); > return err; > } > //err = gcry_cipher_encrypt (hd, dest, strlen(dest), NULL,strlen(dest)); > err = gcry_cipher_encrypt (hd, dest, strlen(dest), src, strlen(src)); > if (err) > { > // fail ("algo %d, mode %d, gcry_cipher_encrypt failed: %s\n", algo, mode, > gpg_strerror (err)); > logf(&bLog, LF_ERROR, "algo %s, mode %s, gcry_cipher_encrypt failed: > %s","GCRY_CIPHER_3DES" ,"GCRY_CIPHER_MODE_ECB",gpg_strerror(e > rr)); > gcry_cipher_close (hd); > return err; > } > i =0; x=0; > if((x = (strlen(dest)%bsize))) > { > x = (bsize - x); > for(i = 0; i < x; i++) > strcat(dest," "); > } > > err = gcry_cipher_decrypt (hd, dest, strlen(dest), dest, strlen(dest)); > if (err) > { > // fail ("algo %d, mode %d, gcry_cipher_decrypt failed: %s\n", algo, mode, > gpg_strerror (err)); > logf(&bLog, LF_ERROR, "algo %s, mode %s, gcry_cipher_decrypt failed: > %s","GCRY_CIPHER_3DES" ,"GCRY_CIPHER_MODE_ECB",gpg_strerror(e > rr)); > gcry_cipher_close (hd); > return err; > } > > gcry_cipher_close (hd); > > Thanks and Regards > Madhavi > This message contains information from Equifax Inc. which may be confidential and > privileged. If you are not an intended recipient, please refrain from any > disclosure, copying, distribution or use of this information and note that such > actions are prohibited. If you have received this transmission in error, please > notify by e-mail postmaster@equifax.com. > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -- "Thou shalt not follow the null pointer for at its end madness and chaos lie." From wk at gnupg.org Fri Dec 10 12:15:45 2004 From: wk at gnupg.org (Werner Koch) Date: Mon Dec 13 16:37:41 2004 Subject: Clarification about GNUPG and GPGME In-Reply-To: <20041208113128.79581.qmail@web41508.mail.yahoo.com> (Srinivasa Pradeep's message of "Wed, 8 Dec 2004 03:31:27 -0800 (PST)") References: <20041208113128.79581.qmail@web41508.mail.yahoo.com> Message-ID: <87wtvq2yla.fsf@wheatstone.g10code.de> On Wed, 8 Dec 2004 03:31:27 -0800 (PST), Srinivasa Pradeep said: > Should we give the source code for our application > (or provide a link for that), and should we release > our application as part of GPL? Yes, these are the conditions of the GPL. Fortunately we just chaged the license of gpgme to the GNU Lesser General Public License (LGPL), so that you may link it with your proprietary application without being required to release your application under a GPL compatible one. What you stuill have to do is to provide the source code of gpgme (a link to ftp.gnupg.org won't suffice) and give the suer a way to change gpgme and use this changed version with your application. The latter is most easily done by using gpgme as a shared library. By changing the GPGME license to the LGPL we give proprietary vendors a commercial advantage. We did this change due to general concern on security and privacy; however,we would appreciate one or the other form of compensation by vendors of proprietary applications using gpgme. Thanks, Werner From vishalrao at gmail.com Fri Dec 10 12:28:55 2004 From: vishalrao at gmail.com (Vishal Rao) Date: Mon Dec 13 16:37:44 2004 Subject: Using libgcrypt1.2.0 for 3DES, ECB mode of encryption/decryption. In-Reply-To: References: Message-ID: Hi, Also, when decrypting you are using both params as dest and dest instead of src and dest... I see towards the end of your code sample is gcry_cipher_decrypt (hd, dest, strlen(dest), dest, strlen(dest)); But I've never done GNUPG development so that may not be the problem, or see my earlier reply about not using strlen() on either ciphertext or plaintext... since its not really "text" even if your input plain text is just a "string"... Cheers, Vishal On Thu, 9 Dec 2004 09:58:04 -0500, Madhavi.Gandavarapu@equifax.com wrote: > > > Hi, > > I have a string that I am trying to encrypt using 3DES,ECB mode. I have a > specific 24 byte key that I need to use to encrypt or decrypt. > I am not getting good encrypted string back, since I can't even decrypt what I > encrypted with the same key and same library. > > Can you point me to what I am doing wrong here. > > Here is the code segment. > > unsigned char enc_key[24] = > {0x12,0x34,0x51,0x23,0x45,0x12,0x34,0x51,0x15,0x43,0x21,0x54,0x32,0x15,0x43,0x21,0x45,0x12,0x34,0x51,0x12, > 0x34,0x51,0x23}; > > static int do_encrypt(unsigned char* dest,unsigned char* src) > { > //GCRY_CIPHER_3DES is the algorithm type > //GCRY_CIPHER_MODE_ECB is the algorithem mode > //0(zero) is the flags value to send > int retVal =0; > gcry_cipher_hd_t hd; > > int keylen; > int i =0,x=0; > gcry_error_t err = 0; > > keylen = gcry_cipher_get_algo_keylen(GCRY_CIPHER_3DES); > if (!keylen) > { > // fail ("algo %d, mode %d, gcry_cipher_get_algo_keylen failed\n", algo, > mode); > logf(&bLog, LF_ERROR, "algo %s, mode %s, gcry_cipher_get_algo_keylen > failed","GCRY_CIPHER_3DES" ,"GCRY_CIPHER_MODE_ECB" ); > retVal = -1; > return retVal; > } > if (keylen < 40 / 8 || keylen > 32) > { > // fail ("algo %d, mode %d, keylength problem (%d)\n", algo, mode, keylen); > logf(&bLog, LF_ERROR, "algo %s, mode %s, keylength problem > (%d)","GCRY_CIPHER_3DES" ,"GCRY_CIPHER_MODE_ECB",keylen ); > retVal = -1; > return retVal; > } > err = gcry_cipher_open (&hd, GCRY_CIPHER_3DES, GCRY_CIPHER_MODE_ECB, 0); > if (err) > { > // fail ("algo %d, mode %d, grcy_open_cipher failed: %s\n", algo, mode, > gpg_strerror (err)); > logf(&bLog, LF_ERROR, "algo %s, mode %s, grcy_open_cipher failed: > %s","GCRY_CIPHER_3DES" ,"GCRY_CIPHER_MODE_ECB",gpg_strerror(err) > ); > return err; > > } > err = gcry_cipher_setkey (hd, &enc_key, keylen); > if (err) > { > // fail ("algo %d, mode %d, gcry_cipher_setkey failed: %s\n", algo, mode, > gpg_strerror (err)); > logf(&bLog, LF_ERROR, "algo %s, mode %s, gcry_cipher_setkey failed: > %s","GCRY_CIPHER_3DES" ,"GCRY_CIPHER_MODE_ECB",gpg_strerror(er > r)); > gcry_cipher_close (hd); > return err; > } > //err = gcry_cipher_encrypt (hd, dest, strlen(dest), NULL,strlen(dest)); > err = gcry_cipher_encrypt (hd, dest, strlen(dest), src, strlen(src)); > if (err) > { > // fail ("algo %d, mode %d, gcry_cipher_encrypt failed: %s\n", algo, mode, > gpg_strerror (err)); > logf(&bLog, LF_ERROR, "algo %s, mode %s, gcry_cipher_encrypt failed: > %s","GCRY_CIPHER_3DES" ,"GCRY_CIPHER_MODE_ECB",gpg_strerror(e > rr)); > gcry_cipher_close (hd); > return err; > } > i =0; x=0; > if((x = (strlen(dest)%bsize))) > { > x = (bsize - x); > for(i = 0; i < x; i++) > strcat(dest," "); > } > > err = gcry_cipher_decrypt (hd, dest, strlen(dest), dest, strlen(dest)); > if (err) > { > // fail ("algo %d, mode %d, gcry_cipher_decrypt failed: %s\n", algo, mode, > gpg_strerror (err)); > logf(&bLog, LF_ERROR, "algo %s, mode %s, gcry_cipher_decrypt failed: > %s","GCRY_CIPHER_3DES" ,"GCRY_CIPHER_MODE_ECB",gpg_strerror(e > rr)); > gcry_cipher_close (hd); > return err; > } > > gcry_cipher_close (hd); > > Thanks and Regards > Madhavi > This message contains information from Equifax Inc. which may be confidential and > privileged. If you are not an intended recipient, please refrain from any > disclosure, copying, distribution or use of this information and note that such > actions are prohibited. If you have received this transmission in error, please > notify by e-mail postmaster@equifax.com. > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -- "Thou shalt not follow the null pointer for at its end madness and chaos lie." From mail at renelemme.de Fri Dec 10 16:41:25 2004 From: mail at renelemme.de (Rene Lemme) Date: Mon Dec 13 16:37:50 2004 Subject: OT: how to unsubscribe? Message-ID: <200412101641.25668.mail@renelemme.de> Hello Group, I know this is not related to GnuPG but I would like to ask how to unsubscribe for a while from this mailing list. I could find subscribe on gnupg.org but not unsubscribe. Again sorry for the off topic, ..ren? -- GnuPG Key-ID : 0xBFCC946E www.renelemme.de -- From shavital at mac.com Fri Dec 10 17:53:02 2004 From: shavital at mac.com (Charly Avital) Date: Mon Dec 13 16:37:53 2004 Subject: OT: how to unsubscribe? In-Reply-To: <200412101641.25668.mail@renelemme.de> References: <200412101641.25668.mail@renelemme.de> Message-ID: Ren?: from the headers in the list's messages: List-Unsubscribe: , Have a fine week end. Charly At 4:41 PM +0100 12/10/04, Rene Lemme wrote: >Hello Group, > >I know this is not related to GnuPG but I would like to ask how to unsubscribe >for a while from this mailing list. > >I could find subscribe on gnupg.org but not unsubscribe. > >Again sorry for the off topic, > > ..ren? > >-- > >GnuPG Key-ID : 0xBFCC946E >www.renelemme.de From linux at thorstenhau.de Fri Dec 10 02:49:31 2004 From: linux at thorstenhau.de (Thorsten Haude) Date: Mon Dec 13 16:37:54 2004 Subject: Signature in Attachment In-Reply-To: <41B8F813.3040101@mitchell.com> References: <601E1B8E735FBF4FA07BB6DBCF8F480B498C3F@mail60nt.mitchell.com> <200412081936.29327.linux@codehelp.co.uk> <20041208230844.GF1573@eumel.yoo.local> <41B79686.8060205@mitchell.com> <20041209001554.GG1573@eumel.yoo.local> <41B7ABA5.5070400@mitchell.com> <20041210002913.GA2381@eumel.yoo.local> <41B8F813.3040101@mitchell.com> Message-ID: <20041210014931.GB2381@eumel.yoo.local> Hi, * Don Ferguson wrote (2004-12-10 02:12): >Exchange Server supports SMTP, POP3, and IMAP. As to whether or not >your Exchange Server is configured to allow you to use these services is >something you will need to take up with your mail administrator. So it *does* depend on corporate mentality. >For SMTP you can bounce your messages off any server that has the >SMTP service running on it provide it is unrestricted. Unless the port is closed. Thorsten -- It has become appallingly obvious that our technology has exceeded our humanity. - Albert Einstein -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20041210/94087bda/attachment-0001.bin From linux at codehelp.co.uk Sun Dec 12 13:14:39 2004 From: linux at codehelp.co.uk (Neil Williams) Date: Mon Dec 13 16:38:28 2004 Subject: PGP Global Directory In-Reply-To: <20041209132851.GB29900@jabberwocky.com> References: <20041209132851.GB29900@jabberwocky.com> Message-ID: <200412121214.43188.linux@codehelp.co.uk> On Thursday 09 December 2004 1:28 pm, David Shaw wrote: > Hi Folks, > > I figured I'd forestall the obvious question about the new keyserver > that the PGP company announced this morning: Where can I find out some facts about this signing keyserver protocol? I've heard some rumours of what it's doing to 'verify' the uploaded key but what's the truth? Rumour: Keys uploaded to the new keyserver result in an email to the main email address of the key to see if the email address in the key actually exists and is functional and, if so, the key is signed by PGP's Global Directory Verification Key. Problem: If that is truly all that happens, it's all but useless. All it's doing is sifting out dead keys - it is migrating all the keys on current pgp keyservers. From the FAQ: Every six months, everyone with an active key is now going to receive an email from PGP. Great, thanks. If you don't reply, your key will be deleted from the Global Directory. Somehow, I see a lot of active keys being wrongly marked as dead simply because of the email process. If the message is encrypted to the key it might be something but IMHO this is BAD keysigning practice. There is no face-to-face fingerprint verification, no photo ID verification. Does it deal with subkeys? Does it deal with photos? It would take a lot more before I'd trust any signatures made by the PGP keyserver key. There are some of these automated signing keys around already and I never trust them. Without verification of the physical person behind the key, what is the point? I've tried the PGP Global Directory FAQ but it is thin on detail. http://download.pgp.com/products/pdfs/PGP-Global_Directory_Whats-New_041206_F.pdf Although don't expect a lot more than is already in HTML here: http://www.pgp.com/downloads/beta/globaldirectory/ I've got no problem with the removal of dead keys from keyservers, but what bothers me is WHY they choose to sign the key rather than simply delete ones that can't be verified. When the signature is untrustworthy, why sign at all? Simply because it purports to be 'from PGP' is not good enough. -- Neil Williams ============= http://www.dclug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20041212/78080440/attachment-0001.bin From dshaw at jabberwocky.com Sun Dec 12 16:41:36 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Dec 13 16:38:34 2004 Subject: PGP Global Directory In-Reply-To: <200412121214.43188.linux@codehelp.co.uk> References: <20041209132851.GB29900@jabberwocky.com> <200412121214.43188.linux@codehelp.co.uk> Message-ID: <20041212154135.GH5442@jabberwocky.com> On Sun, Dec 12, 2004 at 12:14:39PM +0000, Neil Williams wrote: > On Thursday 09 December 2004 1:28 pm, David Shaw wrote: > > Hi Folks, > > > > I figured I'd forestall the obvious question about the new keyserver > > that the PGP company announced this morning: > > Where can I find out some facts about this signing keyserver > protocol? I've heard some rumours of what it's doing to 'verify' the > uploaded key but what's the truth? > > Rumour: Keys uploaded to the new keyserver result in an email to the > main email address of the key to see if the email address in the key > actually exists and is functional and, if so, the key is signed by > PGP's Global Directory Verification Key. Close. It results in an email to every email address on the key, but the rest is basically correct. > Problem: > If that is truly all that happens, it's all but useless. All it's doing is > sifting out dead keys - it is migrating all the keys on current pgp > keyservers. Weeding out dead keys is really, really useful. I often have to guess from 2-3 keys on the keyservers which is the right one to send to for a given email address (I usually just pick the most recent, but there is no guarantee that is right). With the GD, you know the key is the right one (for some reasonable value of "know"). It isn't perfect, but it's better than the current system. > From the FAQ: Every six months, everyone with an active key is now > going to receive an email from PGP. Great, thanks. If you don't > reply, your key will be deleted from the Global Directory. > > Somehow, I see a lot of active keys being wrongly marked as dead > simply because of the email process. Could be. You have 2 weeks to answer the mail probe. If you don't, your key is purged. Big deal - just send it in again. Submitting a key fresh, and reconfirming a key really amount to the same thing. The GD is supposed to be a list of active keys. If a key ages off, well, it wasn't really that active ;) > Does it deal with subkeys? Yes, as many as you like. > Does it deal with photos? Yes. I haven't tried it with multiple photos, but I expect it works. It certainly works with single photos. > It would take a lot more before I'd trust any signatures made by the > PGP keyserver key. > > There are some of these automated signing keys around already and I > never trust them. Without verification of the physical person behind > the key, what is the point? [..] > I've got no problem with the removal of dead keys from keyservers, > but what bothers me is WHY they choose to sign the key rather than > simply delete ones that can't be verified. When the signature is > untrustworthy, why sign at all? This is a very good point, and I don't think the PGP folks have made this nearly clear enough in their documentation. The fact is, the GD is serving two functions: one, a keyserver that weeds out bad email addresses, and two, a (weak) CA, based on the same idea. These two functions are related, but not identical. If you want to use it purely as a keyserver, you can do that - just treat it like any other keyserver. You will continue to use the web of trust to validate keys, and nothing has really changed for you except that it's a little easier to get keys. If you want to go further, you can get and locally sign the GD key and give it as much trust as you care to. This lets you automatically trust any key that comes from the GD. For some people, the GD mailback verification is sufficient (set trust to "full"). For some people it is a hint, but not complete (set trust to "moderate"). For some people it is completely useless (don't set any trust at all). It's important to note that this part of the system is strictly opt-in. If you do nothing, nothing happens. David -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 251 bytes Desc: not available Url : /pipermail/attachments/20041212/dbae9293/attachment-0001.bin From donald.ferguson at gmail.com Sun Dec 12 07:44:50 2004 From: donald.ferguson at gmail.com (Don Ferguson) Date: Mon Dec 13 16:38:37 2004 Subject: FW: Signature in Attachment In-Reply-To: <601E1B8E735FBF4FA07BB6DBCF8F480B06858D@mail60nt.mitchell.com> References: <601E1B8E735FBF4FA07BB6DBCF8F480B06858D@mail60nt.mitchell.com> Message-ID: <41BBE8E2.5080102@gmail.com> >So it *does* depend on corporate mentality. > > > Absolutely >>For SMTP you can bounce your messages off any server that has the SMTP >>service running on it provide it is unrestricted. >> >> > >Unless the port is closed. > > >Thorsten > > > > Exactly. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20041211/a4ac4d58/signature-0001.bin From dwerder at gmx.net Sun Dec 12 12:05:12 2004 From: dwerder at gmx.net (Dominik Werder) Date: Mon Dec 13 16:38:38 2004 Subject: md5sum incorrect? Message-ID: it seems that the md5sum for the tar.gz distribution is incorrect.. A mistake or something more serious? From jc at lysator.liu.se Sun Dec 12 16:06:42 2004 From: jc at lysator.liu.se (Jorgen Cederlof) Date: Mon Dec 13 16:38:40 2004 Subject: Announce: Wotsap 0.6 and Leaf of Trust analysis Message-ID: <20041212150642.GB1636@pyret> Hi, Version 0.6 of Web of trust statistics and pathfinder, Wotsap, is now running on and available from http://www.lysator.liu.se/~jc/wotsap/. In the development process I found some pretty image representations of the Web of Trust that might interest many readers of this mail. Take a look at http://www.lysator.liu.se/~jc/wotsap/leafoftrust.html for images and analysis. Some of the changes since last version: - The web pages have been given a well-needed face lift. - Much more documentation - Stabler and better search URLs. - News in HTML, Atom and RSS formats. - Mailing lists - All keys and signatures are now verified with GnuPG. - The primary user ID is now always used. - Indication of signature cert check level and whether the primary user ID was signed. - New .wot file format including signature types. - Key statistics can show the signatures that would lower MSD most (by Marco Bodrato) - Group matrices - show all signatures within a group of keys. - Option to dynamically add signatures, exclude signatures, signature types, non-cross-signatures and keys for the duration of a query. Stand-alone program only: - Better command line handling. - Show a whole .wot file in human-readable format. - Show all differences between two .wot files. - Everything now works without warnings in Python 2.3, should work fine in Python 2.4 and has compatibility for Python 2.2. Thanks for all the encouragement and ideas I received from lots of people during this development cycle. J?rgen Cederl?f -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : /pipermail/attachments/20041212/d0762448/attachment.bin From jerry.windrel at verizon.net Sun Dec 12 18:10:01 2004 From: jerry.windrel at verizon.net (Jerry Windrel) Date: Mon Dec 13 16:38:42 2004 Subject: Signature in Attachment References: <601E1B8E735FBF4FA07BB6DBCF8F480B498B9A@mail60nt.mitchell.com><20041207235900.GD32622@anl.gov> <41B64857.9070509@chud.net> Message-ID: <006b01c4e06d$6d1d4b70$6601a8c0@Windows> I've successfully verified MIME signatures from Outlook Express by doing the following. Right click on the message Click Properties. Click the Details tab. Click Message Source. Hit Ctrl-Shift-D. ----- Original Message ----- From: "Chris De Young" To: Sent: Tuesday, December 07, 2004 7:18 PM Subject: Re: Signature in Attachment > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From swright at physics.adelaide.edu.au Mon Dec 13 01:36:34 2004 From: swright at physics.adelaide.edu.au (Stewart V. Wright) Date: Mon Dec 13 16:38:52 2004 Subject: PGP Global Directory In-Reply-To: <200412121214.43188.linux@codehelp.co.uk> References: <20041209132851.GB29900@jabberwocky.com> <200412121214.43188.linux@codehelp.co.uk> Message-ID: <20041213003634.GA24689@anl.gov> G'day Neil, * Neil Williams [041212 06:30]: > Rumour: > Keys uploaded to the new keyserver result in an email to the main email > address of the key to see if the email address in the key actually exists and > is functional and, if so, the key is signed by PGP's Global Directory > Verification Key. Well, in my experience this is probably the stupidest keyserver (or coders?) on the net. I received an email asking me to verify a key that has been revoked! *Sigh* Cheers, S. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 274 bytes Desc: Digital signature Url : /pipermail/attachments/20041212/2ae82eb3/attachment.bin From atom at suspicious.org Mon Dec 13 03:09:31 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Mon Dec 13 16:38:56 2004 Subject: PGP Global Directory In-Reply-To: <200412121214.43188.linux@codehelp.co.uk> References: <20041209132851.GB29900@jabberwocky.com> <200412121214.43188.linux@codehelp.co.uk> Message-ID: <20041212205628.G99530@willy.wonka> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 hhmmm.... it doesn't seem to ask if one prefers HTML or text email, but sends an HTML email with 10+ images to each address in the key. each email is >20K. (my filter sent it to the spam folder... is that a sign?) i like the idea of a "verified" key server, but signing a key without a cryptographic challenge is dumb, even for an automated service. i also noticed that the email headers are plain old SMTP, not encrypted SMTP. i would expect better from PGP(tm). i guess it's still in beta phase... we'll see what they do before the official unveiling... - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "America will never be destroyed from the outside. If we falter,and lose our freedoms, it will be because we destroyed ourselves." -- Abraham Lincoln -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.3.92 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJBvPnlAAoJEAx/d+cTpVciNb0H/RYX1GDcVtsT2FW0xNcqtbaF /HbR9bYooaHxLD8W4Yrs6VJdLCnor6n6c3pM4BGaWEfTO6P5pXSB6BXqXhLgqzBX JRYTZRVD6YRMSzOwMuE/Yb96o+6jhEBRlJsiZFeCnpKpIx7KE4vbGlEN2zsavuAP +MJDQQBXxSOKPckFu46nrIHuvLQNPHec/EZSnOaqPFswK8FyEgd74spR4XYO9YrP jMPGcC2iI4P/49fjHfoUkU1jalyvmf0R45Fl36Vw5xY8IUWpV8ea3JYiUoGpS3Gd c1pqTRtfCsuTkpfCb0cZ5Ro4awsU/Y/oPuWx3xTHFaJMf57TT0UoLev8f0r2VH4= =4+jS -----END PGP SIGNATURE----- From jharris at widomaker.com Mon Dec 13 20:23:17 2004 From: jharris at widomaker.com (Jason Harris) Date: Tue Dec 14 07:54:30 2004 Subject: PGP Global Directory In-Reply-To: <20041213003634.GA24689@anl.gov> References: <20041209132851.GB29900@jabberwocky.com> <200412121214.43188.linux@codehelp.co.uk> <20041213003634.GA24689@anl.gov> Message-ID: <20041213192317.GO3782@wilma.widomaker.com> On Sun, Dec 12, 2004 at 06:36:34PM -0600, Stewart V. Wright wrote: > G'day Neil, > > * Neil Williams [041212 06:30]: > > Rumour: > > Keys uploaded to the new keyserver result in an email to the main email > > address of the key to see if the email address in the key actually exists and > > is functional and, if so, the key is signed by PGP's Global Directory > > Verification Key. > > Well, in my experience this is probably the stupidest keyserver (or > coders?) on the net. > > I received an email asking me to verify a key that has been revoked! Even worse, since the "challenges" aren't encrypted to the [Open]PGP key being "verified," they aren't even verifying that the keys can be used for "opportune encryption." (Has anyone tried registering a signing-only key with this PGP.com keyserver yet? :) RobotCA, http://www.toehold.com/robotca/ , encrypts its "challenges" to GPG's choice of encryption [sub]key for the [pub]key, so a decrypted, published signature from RobotCA means the key was useful for encryption when and as it was submitted to RobotCA and for subsequent decryption by a/the keyholder. http://www.biglumber.com/ doesn't issue signatures but should be able to support HKP-style key lookups for keys it verifies (by emailing an encrypted "challenge" at signup) fairly easily. -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : /pipermail/attachments/20041213/ee84afa0/attachment.bin From wk at gnupg.org Mon Dec 13 21:47:49 2004 From: wk at gnupg.org (Werner Koch) Date: Tue Dec 14 07:54:36 2004 Subject: md5sum incorrect? In-Reply-To: (Dominik Werder's message of "Sun, 12 Dec 2004 12:05:12 +0100") References: Message-ID: <87hdmqgc22.fsf@wheatstone.g10code.de> On Sun, 12 Dec 2004 12:05:12 +0100, Dominik Werder said: > it seems that the md5sum for the tar.gz distribution is incorrect.. > A mistake or something more serious? Which md5sum of what program, downloaded from where? From jerry.windrel at verizon.net Mon Dec 13 23:46:50 2004 From: jerry.windrel at verizon.net (Jerry Windrel) Date: Tue Dec 14 07:54:46 2004 Subject: Signature in Attachment Message-ID: <002601c4e165$a30ed020$6601a8c0@Windows> I've successfully verified MIME signatures from Outlook Express by doing the following. Right click on the message Click Properties. Click the Details tab. Click Message Source. Hit Ctrl-Shift-D. From jharris at widomaker.com Mon Dec 13 23:19:14 2004 From: jharris at widomaker.com (Jason Harris) Date: Tue Dec 14 07:54:51 2004 Subject: new (2004-12-12) keyanalyze results (+sigcheck) Message-ID: <20041213221914.GQ3782@wilma.widomaker.com> New keyanalyze results are available at: http://keyserver.kjsl.com/~jharris/ka/2004-12-12/ Signatures are now being checked using keyanalyze+sigcheck: http://dtype.org/~aaronl/ Earlier reports are also available, for comparison: http://keyserver.kjsl.com/~jharris/ka/ Even earlier monthly reports are at: http://dtype.org/keyanalyze/ SHA-1 hashes and sizes for all the "permanent" files: cbdfae91101fa7cf5552a65475bf5f22fdcca42e 10907748 preprocess.keys 8cf0c58bb4a7f6068b57d15aba6c65a1024898c2 7015291 othersets.txt 018e2b76340e08f7fda1e4c46b4b896a996826b0 2773040 msd-sorted.txt b0f152cbac2bff77aeed70a933fec6d7ac3e7b71 1484 index.html 8b882c752b396450e76bc3a3951ba61d8c2b4b26 2289 keyring_stats 818962dcd7dace2a4ae3a620fd9b30dbbcb9483c 1091370 msd-sorted.txt.bz2 246861f9379c7fce11383b9ba6abb8d0f9c7b48f 26 other.txt 98fefcb809506b29bba723de0f9db3f6a9c67a52 1506500 othersets.txt.bz2 08cf2e8a0ebef351e29f2ead4508e609564f1c8a 4422898 preprocess.keys.bz2 bad3f75bd29f49765ea45495b00e7e44ef49d2c3 10957 status.txt ce39b2175c89ac1dfd613d932f9e53c1b78815d9 211848 top1000table.html 4aa75ab3ebf8c957bcf3cd97a9c3c1c7c7ee36a9 30652 top1000table.html.gz 69371ed4ec71d05ac828979b35b476d27bfa92da 11022 top50table.html c01a0d9395ec4cc381905684aa5e7d479c694061 2449 D3/D39DA0E3 -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : /pipermail/attachments/20041213/8212a534/attachment.bin From blade at cs.tu-berlin.de Tue Dec 14 11:21:16 2004 From: blade at cs.tu-berlin.de (Stefan Bielenberg) Date: Tue Dec 14 11:26:57 2004 Subject: [GEAM] decryption not works Message-ID: Hello, I installed GEAM as a Content-Filter in Postfix and it works fine. The filters work like this: Mail -> postfix (port 25) -> geam (port 10026) -> -> amavis (Port 10024) -> postfix (port 10025) -> -> Mail-Auslieferung But there are any problems and questions: 1. only encryption works 2. where are saved the passwords for decryption 3. incoming encrypted mail are encrypted twice for the same user, if exists a option for encrypt outgoing mail for this user 4. incoming encrypted mails are not handle like an encrypted mails What can I do. Are my inner-host/outer-host configuration not right? Whats wrong with my configuration? Are there docs or mailing list for this thema? Thanks, Stefan. My Configuration: /etc/geam/decrypt: ------------------ sb@ulgeta.com gpg 123743F24998082 /etc/geam/aliases: ------------------ stefan@thonsa.de : stefan@thonsa.de sb@ulgeta.com : DECRYPT /etc/geam/encrypt: ------------------ stefan@thonsa.de gpg D04B12C6 /etc/geam/geamd.conf: --------------------- port 10026 inner-host-name localhost inner-host-port 10024 outer-host-name localhost outer-host-port 10024 # To avoid mailloops, messages with more that this number # of "Received" headers are not delivered to the smarthost. #received_headers_max 30 gpg-program /usr/bin/gpg gpg-homedir /etc/geam/gpg # The default log file is /var/log/geam/geamd to specify another, # use this option. "-" denotes to use stderr for logging # which will also disable the timestamps. log-file /var/log/geam/geamd.log debug 255 verbose verbose ------------------------ From wk at gnupg.org Tue Dec 14 11:06:45 2004 From: wk at gnupg.org (Werner Koch) Date: Tue Dec 14 11:41:25 2004 Subject: [Announce] GnuPG 1.3.93 released Message-ID: <87brcxfb2i.fsf@wheatstone.g10code.de> Skipped content of type multipart/signed-------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From jharris at widomaker.com Tue Dec 14 19:09:54 2004 From: jharris at widomaker.com (Jason Harris) Date: Tue Dec 14 19:22:38 2004 Subject: Key strangeness In-Reply-To: <20040208154658.GA29904@jabberwocky.com> References: <40257CE0.4090201@durham.ac.uk> <20040208013704.GB30966@jabberwocky.com> <402653F2.6010801@durham.ac.uk> <20040208154658.GA29904@jabberwocky.com> Message-ID: <20041214180953.GT3782@wilma.widomaker.com> On Sun, Feb 08, 2004 at 10:46:58AM -0500, David Shaw wrote: > A bug in his software (CryptoEx) would explain nearly everything > here. Since CryptoEx naturally would be compatible with itself, it > would see the keyid as 3A546EC2. It would fill in 3A546EC2 as the > issuer of signatures, and it would be able to verify its own > signatures so the key would be valid. > > That theory doesn't explain why the keyservers indexed the key as > 3A546EC2 though. GnuPG, PGP 6 and 8, and my local copy of pksd all > agree the keyid is 7EDB7A47. [I thought I would have replied to this already, but I don't see any evidence of having done so.] diffing the hd(1) output shows differences in the pubkey packet: 19c19 < 00000120 48 52 9b 03 fe 25 75 2a 3f f5 ac 00 50 00 a6 80 |HR...%u*?...P...| --- > 00000120 48 52 9b 04 00 25 75 2a 3f f5 ac 00 50 00 a6 80 |HR...%u*?...P...| which pgpdump claims are leading zeroes in an MPI (1022 v. 1024 bits): 8c8 < DSA y(1022 bits) - 25 75 2a 3f f5 ac 00 50 00 a6 80 f7 76 13 6f b5 12 61 35 9c a9 8a 68 47 75 69 e5 e6 3f e8 9d 52 67 ad ed d7 7e 9e 04 ab e2 29 7e 00 bd 27 a3 c0 7e ea 5d 13 8f bc 67 50 55 5e 82 1d 41 b4 a3 90 39 8a b4 9a 8d 60 ee 63 6b 3c 81 1d 07 6b c4 f1 31 6f 22 84 d2 ae f9 d6 55 46 1f 3c 75 7b 56 30 0a 0a 82 f7 22 3c 0d 77 1b dd ad 53 68 b7 de 5d fe 4c 5a 1f a3 33 fe b6 2f ff 3a 22 86 f2 21 ff --- > DSA y(1024 bits) - 25 75 2a 3f f5 ac 00 50 00 a6 80 f7 76 13 6f b5 12 61 35 9c a9 8a 68 47 75 69 e5 e6 3f e8 9d 52 67 ad ed d7 7e 9e 04 ab e2 29 7e 00 bd 27 a3 c0 7e ea 5d 13 8f bc 67 50 55 5e 82 1d 41 b4 a3 90 39 8a b4 9a 8d 60 ee 63 6b 3c 81 1d 07 6b c4 f1 31 6f 22 84 d2 ae f9 d6 55 46 1f 3c 75 7b 56 30 0a 0a 82 f7 22 3c 0d 77 1b dd ad 53 68 b7 de 5d fe 4c 5a 1f a3 33 fe b6 2f ff 3a 22 86 f2 21 ff The keyservers (pks, and apparently SKS) hash the pubkey packet exactly as it appears. Certain encryption clients deconstruct the packet, normalize the MPIs, and hash the new components instead of the original pubkey packet. With a zero-padded MPI, which is non-RFC-compliant, the non-RFC-compliant behavior of hashing something other than the original pubkey packet breaks the fingerprint (and therefore keyid) calculation, which causes further breakage. -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : /pipermail/attachments/20041214/93469b68/attachment.bin From dshaw at jabberwocky.com Tue Dec 14 22:12:22 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Dec 14 22:09:29 2004 Subject: Key strangeness In-Reply-To: <20041214180953.GT3782@wilma.widomaker.com> References: <40257CE0.4090201@durham.ac.uk> <20040208013704.GB30966@jabberwocky.com> <402653F2.6010801@durham.ac.uk> <20040208154658.GA29904@jabberwocky.com> <20041214180953.GT3782@wilma.widomaker.com> Message-ID: <20041214211222.GE29531@jabberwocky.com> On Tue, Dec 14, 2004 at 01:09:54PM -0500, Jason Harris wrote: > On Sun, Feb 08, 2004 at 10:46:58AM -0500, David Shaw wrote: > > > A bug in his software (CryptoEx) would explain nearly everything > > here. Since CryptoEx naturally would be compatible with itself, it > > would see the keyid as 3A546EC2. It would fill in 3A546EC2 as the > > issuer of signatures, and it would be able to verify its own > > signatures so the key would be valid. > > > > That theory doesn't explain why the keyservers indexed the key as > > 3A546EC2 though. GnuPG, PGP 6 and 8, and my local copy of pksd all > > agree the keyid is 7EDB7A47. [..] > The keyservers (pks, and apparently SKS) hash the pubkey packet > exactly as it appears. Certain encryption clients deconstruct the > packet, normalize the MPIs, and hash the new components instead of > the original pubkey packet. With a zero-padded MPI, which is > non-RFC-compliant, the non-RFC-compliant behavior of hashing > something other than the original pubkey packet breaks the > fingerprint (and therefore keyid) calculation, which causes further > breakage. Hashing a canonicalized pubkey packet is perfectly RFC compliant, and in some cases is required. You must never hash the original pubkey packet with header, or you get problems, for example from a public key with a 1-octet length encoding versus a 2-octet length encoding. In fact, there was an old PKS bug from exactly that problem. This problem is a little different in that it is the MPI that causes the problem, which is inside the pubkey packet itself and not a header. This is not a RFC compliance issue because the RFC forbids leading zeroes in an MPI, period. Since this key has leading zeroes, it is a broken, non-RFC compliant key. Any behavior is legal, RFC-wise at this point, including discarding the bad key completely. That said, since it seems GnuPG, PGP, (and PKS?) all resolve the issue one way (canonicalize the MPI) and SKS does it the other way, it might be nice to get SKS to canonicalize. But this is not an RFC requirement. The SKS behavior is not incorrect here. Of course, you're responding to a post from over 10 months ago. This may well have been resolved since then. David From dshaw at jabberwocky.com Tue Dec 14 22:57:46 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Dec 14 22:54:44 2004 Subject: PGP Global Directory In-Reply-To: <20041213192317.GO3782@wilma.widomaker.com> References: <20041209132851.GB29900@jabberwocky.com> <200412121214.43188.linux@codehelp.co.uk> <20041213003634.GA24689@anl.gov> <20041213192317.GO3782@wilma.widomaker.com> Message-ID: <20041214215746.GH29531@jabberwocky.com> On Mon, Dec 13, 2004 at 02:23:17PM -0500, Jason Harris wrote: > On Sun, Dec 12, 2004 at 06:36:34PM -0600, Stewart V. Wright wrote: > > G'day Neil, > > > > * Neil Williams [041212 06:30]: > > > Rumour: > > > Keys uploaded to the new keyserver result in an email to the main email > > > address of the key to see if the email address in the key actually exists and > > > is functional and, if so, the key is signed by PGP's Global Directory > > > Verification Key. > > > > Well, in my experience this is probably the stupidest keyserver (or > > coders?) on the net. > > > > I received an email asking me to verify a key that has been revoked! > > Even worse, since the "challenges" aren't encrypted to the [Open]PGP > key being "verified," they aren't even verifying that the keys can be > used for "opportune encryption." (Has anyone tried registering a > signing-only key with this PGP.com keyserver yet? :) It should "just plain work" since, as you say, the GD isn't encrypting the mails. I think the target audience for the GD is rather different than many of the people who hang out on this list. The target audience needs a way to get keys, with as little pain as possible, and with some amount of assurance that the key is the right one. Their definition of "some amount of assurance" and yours or mine is going to be fairly different, to say the least. The thing that pleases me about the GD is that the design can be used by the beginner or the advanced user. The beginner can trust the GD key. The advanced user does not have to, and still gets the benefits of the server. David From dshaw at jabberwocky.com Tue Dec 14 23:20:02 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Dec 14 23:17:02 2004 Subject: PGP Global Directory In-Reply-To: <20041213003634.GA24689@anl.gov> References: <20041209132851.GB29900@jabberwocky.com> <200412121214.43188.linux@codehelp.co.uk> <20041213003634.GA24689@anl.gov> Message-ID: <20041214222002.GB31704@jabberwocky.com> On Sun, Dec 12, 2004 at 06:36:34PM -0600, Stewart V. Wright wrote: > I received an email asking me to verify a key that has been revoked! > > *Sigh* I think this is a known bug. You might tell the PGP folks about it, in case it is not known. David From jharris at widomaker.com Wed Dec 15 01:17:48 2004 From: jharris at widomaker.com (Jason Harris) Date: Wed Dec 15 01:15:42 2004 Subject: Key strangeness In-Reply-To: <20041214211222.GE29531@jabberwocky.com> References: <40257CE0.4090201@durham.ac.uk> <20040208013704.GB30966@jabberwocky.com> <402653F2.6010801@durham.ac.uk> <20040208154658.GA29904@jabberwocky.com> <20041214180953.GT3782@wilma.widomaker.com> <20041214211222.GE29531@jabberwocky.com> Message-ID: <20041215001748.GU3782@wilma.widomaker.com> On Tue, Dec 14, 2004 at 04:12:22PM -0500, David Shaw wrote: > On Tue, Dec 14, 2004 at 01:09:54PM -0500, Jason Harris wrote: > > The keyservers (pks, and apparently SKS) hash the pubkey packet > > exactly as it appears. Certain encryption clients deconstruct the > > packet, normalize the MPIs, and hash the new components instead of > > the original pubkey packet. With a zero-padded MPI, which is > > non-RFC-compliant, the non-RFC-compliant behavior of hashing > > something other than the original pubkey packet breaks the > > fingerprint (and therefore keyid) calculation, which causes further > > breakage. > Hashing a canonicalized pubkey packet is perfectly RFC compliant, and > in some cases is required. You must never hash the original pubkey > packet with header, or you get problems, for example from a public key > with a 1-octet length encoding versus a 2-octet length encoding. In Specifically (albeit from draft-ietf-openpgp-rfc2440bis-12.txt): A V4 fingerprint is the 160-bit SHA-1 hash of the octet 0x99, followed by the two-octet packet length, followed by the entire Public Key packet starting with the version field. The key ID is Not "the entire Public Key packet starting with the version field, with whatever fixes you have to make so the key is fully RFC-compliant." > That said, since it seems GnuPG, PGP, (and PKS?) all resolve the issue > one way (canonicalize the MPI) and SKS does it the other way, it might > be nice to get SKS to canonicalize. But this is not an RFC > requirement. The SKS behavior is not incorrect here. The mentioned keyservers are in agreement and hash "the entire Public Key packet starting with the version field." This is why they calculate different fingerprints for pubkey packets that have different bit sequences. Whether keyservers should store keys with zero-padded MPIs is debatable, but it is clear to me that encryption clients should not accept, modify, and propagate such keys. -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : /pipermail/attachments/20041214/fb834218/attachment.bin From johanw at vulcan.xs4all.nl Wed Dec 15 01:42:07 2004 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Wed Dec 15 01:37:28 2004 Subject: [Announce] GnuPG 1.3.93 released In-Reply-To: <87brcxfb2i.fsf@wheatstone.g10code.de> from Werner Koch at "Dec 14, 2004 11:06:45 am" Message-ID: <200412150042.BAA12703@vulcan.xs4all.nl> Werner Koch wrote: Builds OK on a libc5 Linux system and passes all tests. However, I noticed one strange thing and a bug. When I encrypt a message conventionally in pgp2 mode, compression seems to be switched off. --list-packets confirms this. However, pgp2 is still able to decrypt the message. When I try to set compression manually, the commands gpg -c --pgp2 --compress-algo=zip file and gpg -c --pgp2 --compress-level=1 file ignores it and the resulting file is still uncompressed. When I try gpg -c --pgp2 --compression-algo=zip file I get a segfault, which can't be the right. >Noteworthy changes in version 1.3.93 (2004-12-14) >------------------------------------------------- > * Ask the user to repeat a changed PIN. > > * Switched to automake 1.9. Minor big fixes. Further I noticed the SHA512 and 384 hash are finally read-write by default. But what is the Hx format I see mentioned in md.c on line 133? And why is MD5 suddenly deprecated? However, I'm glad to see the deprecated warning about IDEA is finally gone. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From dshaw at jabberwocky.com Wed Dec 15 02:04:32 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Dec 15 02:01:44 2004 Subject: Key strangeness In-Reply-To: <20041215001748.GU3782@wilma.widomaker.com> References: <40257CE0.4090201@durham.ac.uk> <20040208013704.GB30966@jabberwocky.com> <402653F2.6010801@durham.ac.uk> <20040208154658.GA29904@jabberwocky.com> <20041214180953.GT3782@wilma.widomaker.com> <20041214211222.GE29531@jabberwocky.com> <20041215001748.GU3782@wilma.widomaker.com> Message-ID: <20041215010431.GA32762@jabberwocky.com> On Tue, Dec 14, 2004 at 07:17:48PM -0500, Jason Harris wrote: > Not "the entire Public Key packet starting with the version field, > with whatever fixes you have to make so the key is fully > RFC-compliant." At this point I think you're just trolling so I'm going to stop replying. Needless to say, you've misunderstood what the RFC requires, and what noncompliant actually means in this case. > Whether keyservers should store keys with zero-padded MPIs is debatable, > but it is clear to me that encryption clients should not accept, modify, > and propagate such keys. Clearly the authors of the various versions of PGP and GnuPG got this wrong. I suggest you contact them posthaste and point out their mistake. David From atom at suspicious.org Wed Dec 15 03:47:10 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Wed Dec 15 03:42:52 2004 Subject: [Announce] GnuPG 1.3.93 released In-Reply-To: <87brcxfb2i.fsf@wheatstone.g10code.de> References: <87brcxfb2i.fsf@wheatstone.g10code.de> Message-ID: <20041215024617.18079.qmail@suspicious.org> built and running fine on freeBSD 5.3, except for the problem that david is already working on. -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "We cannot simply suspend or restrict civil liberties until the War of Terror is over, because the War on Terror is unlikely ever to be truly over... September 11, 2001, already a day of immeasurable tragedy, cannot be the day liberty perished in this country." -- Judge Gerald Tjoflat, 16 Oct 2004 From dshaw at jabberwocky.com Wed Dec 15 04:36:19 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Dec 15 04:49:23 2004 Subject: [Sks-devel] Re: Key strangeness In-Reply-To: <891bd33904121418347b926f1@mail.gmail.com> References: <40257CE0.4090201@durham.ac.uk> <20040208013704.GB30966@jabberwocky.com> <402653F2.6010801@durham.ac.uk> <20040208154658.GA29904@jabberwocky.com> <20041214180953.GT3782@wilma.widomaker.com> <20041214211222.GE29531@jabberwocky.com> <20041215001748.GU3782@wilma.widomaker.com> <20041215010431.GA32762@jabberwocky.com> <891bd33904121418347b926f1@mail.gmail.com> Message-ID: <20041215033618.GA1415@jabberwocky.com> On Tue, Dec 14, 2004 at 09:34:20PM -0500, Yaron Minsky wrote: > On Tue, 14 Dec 2004 20:04:32 -0500, David Shaw wrote: > > On Tue, Dec 14, 2004 at 07:17:48PM -0500, Jason Harris wrote: > > > > > Not "the entire Public Key packet starting with the version field, > > > with whatever fixes you have to make so the key is fully > > > RFC-compliant." > > > > At this point I think you're just trolling so I'm going to stop > > replying. Needless to say, you've misunderstood what the RFC > > requires, and what noncompliant actually means in this case. > > At the risk of trolling myself, Jason's reading appears to me at first > blush to be right. It says, hash the entire public key packet, > starting with the version field. It seems like a mistake to calculate > the fingerprint of a "corrected" version of the key. The RFC does say that, but it is not the whole story. It also says: The length field of an MPI describes the length starting from its most significant non-zero bit. Thus, the MPI [00 02 01] is not formed correctly. It should be [00 01 01]. MPIs with leading zeros are not RFC compliant. > That said, I do appear to be alone in PGP implementations to handle it > this way. That said, I'm not eager to fix it, since the keys in > question are clearly broken, and, I'm hoping, quite rare. Which is exactly my point. The keys are made up of noncompliant MPIs. The keys are thus corrupt/broken/not RFC compliant. Whatever we call it, the keys are outside the purview of the RFC. There is no language in the RFC that dictates how a program should handle a noncompliant key. This is a good thing, since questions like this can rapidly spiral out of control - how much corruption is too much? So given that noncompliant keys are outside the purview of the RFC, it is correct to canonicalize the MPIs in an effort to "rescue" the key. It is also correct to do nothing. It is also correct to reject the key altogether. While I think it would be nice if SKS canonicalized as PGP and GnuPG does, I would also be happy if it just rejected corrupt keys. I do think it would be a kindness to the community if SKS did not store keys under the "wrong" key ID (and I use "wrong" carefully here since it is not clear what is "right"). But this is just me expressing a preference. The RFC does not mandate any particular outcome here. David From dshaw at jabberwocky.com Wed Dec 15 04:46:36 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Dec 15 04:49:40 2004 Subject: [Announce] GnuPG 1.3.93 released In-Reply-To: <200412150042.BAA12703@vulcan.xs4all.nl> References: <87brcxfb2i.fsf@wheatstone.g10code.de> <200412150042.BAA12703@vulcan.xs4all.nl> Message-ID: <20041215034636.GB32762@jabberwocky.com> On Wed, Dec 15, 2004 at 01:42:07AM +0100, Johan Wevers wrote: > Werner Koch wrote: > > Builds OK on a libc5 Linux system and passes all tests. > > However, I noticed one strange thing and a bug. When I encrypt a message > conventionally in pgp2 mode, compression seems to be switched off. > --list-packets confirms this. However, pgp2 is still able to decrypt the > message. > > When I try to set compression manually, the commands > > gpg -c --pgp2 --compress-algo=zip file and > gpg -c --pgp2 --compress-level=1 file > > ignores it and the resulting file is still uncompressed. It's been a long time since I looked at this, but I seem to recall the reason is that we use indeterminate length encoding for compressed packets (we pretty much have to since you can't tell how big something will be after compression without using temp files). Since we're pushing something of indeterminate size into an encrypted data packet, the encrypted data packet length is necessarily indeterminate as well, and that chokes PGP 2.x. The thing is, this isn't something new for 1.4. Like I said, it's been a good while since I looked at this, but I think it's been this way since at least the 1.0.6 days. Are you sure that you got compression with --pgp2 before? > When I try > > gpg -c --pgp2 --compression-algo=zip file > > I get a segfault, which can't be the right. Definitely not! Here's a fix: Index: g10.c =================================================================== RCS file: /cvs/gnupg/gnupg/g10/g10.c,v retrieving revision 1.292 diff -u -r1.292 g10.c --- g10.c 11 Dec 2004 04:47:33 -0000 1.292 +++ g10.c 15 Dec 2004 01:20:53 -0000 @@ -542,7 +542,7 @@ /* hidden options */ { aListOwnerTrust, "list-ownertrust", 256, "@"}, /* deprecated */ - { oCompressAlgo, "compression-algo", 1, "@"}, /* alias */ + { oCompressAlgo, "compression-algo", 2, "@"}, /* alias */ { aPrintMDs, "print-mds" , 256, "@"}, /* old */ { aListTrustDB, "list-trustdb",0 , "@"}, /* Not yet used */ > Further I noticed the SHA512 and 384 hash are finally read-write by > default. Yes, but use at your own risk. ;) They are not widely supported outside of GnuPG. > But what is the Hx format I see mentioned in md.c on line 133? It's a bit of backwards compatibility. 1.2.x used the Hx format in "setpref" to set key preferences. To be compatible with that, 1.4 still allows them. > And why is MD5 suddenly deprecated? The latest 2440bis draft (bis-12) deprecates it. Thanks for the report! David From johanw at vulcan.xs4all.nl Wed Dec 15 11:25:50 2004 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Wed Dec 15 11:33:18 2004 Subject: [Announce] GnuPG 1.3.93 released In-Reply-To: <20041215034636.GB32762@jabberwocky.com> from David Shaw at "Dec 14, 2004 10:46:36 pm" Message-ID: <200412151025.LAA01554@vulcan.xs4all.nl> David Shaw wrote: >The thing is, this isn't something new for 1.4. Like I said, it's >been a good while since I looked at this, but I think it's been this >way since at least the 1.0.6 days. Are you sure that you got >compression with --pgp2 before? Now that you mention it, with 1.2.6 it also doesn't compress. Apparently I didn't notice it before, otherwise I would have told about this before. >> And why is MD5 suddenly deprecated? >The latest 2440bis draft (bis-12) deprecates it. Is that because of the Wang attack you mentioned in alt.security.pgp? -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From yminsky at gmail.com Wed Dec 15 03:34:20 2004 From: yminsky at gmail.com (Yaron Minsky) Date: Wed Dec 15 12:16:26 2004 Subject: [Sks-devel] Re: Key strangeness In-Reply-To: <20041215010431.GA32762@jabberwocky.com> References: <40257CE0.4090201@durham.ac.uk> <20040208013704.GB30966@jabberwocky.com> <402653F2.6010801@durham.ac.uk> <20040208154658.GA29904@jabberwocky.com> <20041214180953.GT3782@wilma.widomaker.com> <20041214211222.GE29531@jabberwocky.com> <20041215001748.GU3782@wilma.widomaker.com> <20041215010431.GA32762@jabberwocky.com> Message-ID: <891bd33904121418347b926f1@mail.gmail.com> On Tue, 14 Dec 2004 20:04:32 -0500, David Shaw wrote: > On Tue, Dec 14, 2004 at 07:17:48PM -0500, Jason Harris wrote: > > > Not "the entire Public Key packet starting with the version field, > > with whatever fixes you have to make so the key is fully > > RFC-compliant." > > At this point I think you're just trolling so I'm going to stop > replying. Needless to say, you've misunderstood what the RFC > requires, and what noncompliant actually means in this case. At the risk of trolling myself, Jason's reading appears to me at first blush to be right. It says, hash the entire public key packet, starting with the version field. It seems like a mistake to calculate the fingerprint of a "corrected" version of the key. That said, I do appear to be alone in PGP implementations to handle it this way. That said, I'm not eager to fix it, since the keys in question are clearly broken, and, I'm hoping, quite rare. y From wk at gnupg.org Wed Dec 15 12:42:36 2004 From: wk at gnupg.org (Werner Koch) Date: Wed Dec 15 12:44:37 2004 Subject: [Announce] GnuPG 1.3.93 released In-Reply-To: <200412151025.LAA01554@vulcan.xs4all.nl> (Johan Wevers's message of "Wed, 15 Dec 2004 11:25:50 +0100 (MET)") References: <200412151025.LAA01554@vulcan.xs4all.nl> Message-ID: <874qinbxeb.fsf@wheatstone.g10code.de> On Wed, 15 Dec 2004 11:25:50 +0100 (MET), Johan Wevers said: > Is that because of the Wang attack you mentioned in alt.security.pgp? This was yet another nail into MD5's coffin. It all started 8 or 9 years back with Dobbertin's findings. It's high noon to let MD5 die. Using 2k and larger RSA keys but relying on MD5 is getting more and more ridiculous. Werner From admin at panta-rhei.dyndns.org Wed Dec 15 13:38:34 2004 From: admin at panta-rhei.dyndns.org (panta-admin) Date: Wed Dec 15 13:31:23 2004 Subject: Windows Client Message-ID: <2MF56SKD38336.5267824074@anonymous.poster> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi ! WinPT seems to be unmaintained, and GPA is not really mature, GPGShell is not GNU,.... Does anyone have thoughts on a Windows GUI Frontend ? Cheers, panta-admin -----BEGIN PGP SIGNATURE----- Version: N/A iQA/AwUBQcAp+R2e88Id2BOOEQIzrACgmA3yQ+f1rzKnk/SuhVDrF7n45l0An21C 3yRARBRKJg0z5QgIBqbhjidP =Kzi1 -----END PGP SIGNATURE----- From anhny at wmdata.com Wed Dec 15 14:28:12 2004 From: anhny at wmdata.com (Henry Andrew) Date: Wed Dec 15 14:24:35 2004 Subject: Windows Client Message-ID: <20D152299AA73D47941BC3A94EDFF5DE04703C@WMRI000166.corp.wmdata.net> I'd also like to know if there are any useful front ends out there. WinPT at last glance was quite buggy and lacking in features, and has not seen a significant update in a long time. I currently use GPGShell 3.30, but am not overly impressed with the sloppy integration between it and GPG. If Enigmail can write a graphical front end to the GPG interface (interprocess communication), whilst not actually containing any encryption code (which is what GPGShell purports to do), then there is no reason other than lack of knowledge or unwillingness to implement, why this cannot be implemented in GPGShell, to remove the need for command prompt windows and PAUSEs. That being said, GPGShell does make life a lot easier when using GPG, and until (a hopefully well integrated, clean front end) GPA is released, seems to be the best option at the moment. -- Andrew -----Original Message----- From: gnupg-users-bounces@gnupg.org [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of panta-admin Sent: 15 December 2004 13:39 To: gnupg-users@gnupg.org Subject: Windows Client -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi ! WinPT seems to be unmaintained, and GPA is not really mature, GPGShell is not GNU,.... Does anyone have thoughts on a Windows GUI Frontend ? Cheers, panta-admin -----BEGIN PGP SIGNATURE----- Version: N/A iQA/AwUBQcAp+R2e88Id2BOOEQIzrACgmA3yQ+f1rzKnk/SuhVDrF7n45l0An21C 3yRARBRKJg0z5QgIBqbhjidP =Kzi1 -----END PGP SIGNATURE----- _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From henkdebruijn at wanadoo.nl Wed Dec 15 14:44:17 2004 From: henkdebruijn at wanadoo.nl (Henk de Bruijn) Date: Wed Dec 15 14:40:44 2004 Subject: Windows Client In-Reply-To: <2MF56SKD38336.5267824074@anonymous.poster> References: <2MF56SKD38336.5267824074@anonymous.poster> Message-ID: <1938074507.20041215144417@wanadoo.nl> On 15 Dec 2004 12:38:34 -0000GMT (15-12-2004, 13:38 +0100, where I live), Panta-admin: > GPGShell is not GNU,.... Can you please explain what you mean? -- cheers, Henk ______________________________________________________________________ The Bat!? Natural Email System v3.0.2.10nl Professional on Windows XP SP2 PGPkey request: see headers or send email with subj.: send HenksKeyID Gossamer Spider Web of Trust http://gswot.webhop.info/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 205 bytes Desc: not available Url : /pipermail/attachments/20041215/1be8c292/attachment-0001.bin From admin at panta-rhei.dyndns.org Wed Dec 15 15:57:04 2004 From: admin at panta-rhei.dyndns.org (panta-admin) Date: Wed Dec 15 15:56:30 2004 Subject: Windows Client References: <2MF56SKD38336.5267824074@anonymous.poster> <1938074507.20041215144417@wanadoo.nl> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >> GPGShell is not GNU,.... > >Can you please explain what you mean? AFAIK it is not open source. In addition it fails to decrypt files sometimes, just tells me that the key is invalid. No idea why, WinPT decrypts them fine. Cheers, panta-admin -----BEGIN PGP SIGNATURE----- Version: N/A iQA/AwUBQcBL2x2e88Id2BOOEQIgegCgwCnO37lvLfrrZNhDOLO+A0Ix94YAn1b0 MG70bDoq2WnTQB+vRep7+7MH =EjZg -----END PGP SIGNATURE----- From admin at panta-rhei.dyndns.org Wed Dec 15 16:03:48 2004 From: admin at panta-rhei.dyndns.org (panta-admin) Date: Wed Dec 15 15:56:55 2004 Subject: Windows Client References: <20D152299AA73D47941BC3A94EDFF5DE04703C@WMRI000166.corp.wmdata.net> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi again ! I think at the moment there is no really nice frontend for GnuPG in Windows, which IMHO really is a problem. I was thinking along these lines: If GPA is progressing nicely it will become the key manager of choice, although it looks a bit weird on windows. So all the keyring manipulations can be done with GPA. All the windows frontend would need to do is: Provide tray icon with decrypt+verify/encrypt/sign for clipboard and current window. Provide explorer integration for Right-Click | GnuPG | decrypt+verify/encrypt/sign for files. Maybe some keyboard shortcuts for these. These are things which are very windows specific, so they will most likely not find a coder in the linux world. I do not speak C, so I cant help per se but: I have done some work with P.Gutmanns Cryptlib, for which an API interface for Visual basic was derived from the c header file of cryptlib. So if someone here could help in compiling GPG-ME into a .dll and maybe the author of the API for cryptlib or someone else creates an interface it should be possible to do all these things in VB. I am doing some work in Visual Basic and would like to give that a go. (I do not promise anything !) If this is a stupid/impossible idea let me know, Cheers, panta-admin -----BEGIN PGP SIGNATURE----- Version: N/A iQA/AwUBQcBPNh2e88Id2BOOEQK3bwCgkWNqKDMSXJTTaqPiSW5emOsd3wIAnAkQ tWOD/GYe6Z2KRqH6njaiRX8c =nBeJ -----END PGP SIGNATURE----- From twoaday at freakmail.de Wed Dec 15 16:00:24 2004 From: twoaday at freakmail.de (Timo Schulz) Date: Wed Dec 15 15:57:36 2004 Subject: Windows Client In-Reply-To: <20D152299AA73D47941BC3A94EDFF5DE04703C@WMRI000166.corp.wmdata.net> References: <20D152299AA73D47941BC3A94EDFF5DE04703C@WMRI000166.corp.wmdata.net> Message-ID: <20041215150024.GC1218@daredevil.joesixpack.net> On Wed Dec 15 2004; 14:28, Henry Andrew wrote: > I'd also like to know if there are any useful front ends out there. > WinPT at last glance was quite buggy and lacking in features, and has As the author of WinPT I'm of course not ingenuous. But let me say some things... WinPT is _not_ unmaintained. I work on it whenever it's possible and I also fixed a lot of bugs recently. The problem is that the SourceForge website is a little outdated. I recommend to use 0.9.x whenver it is possible (last version is 0.9.14) and this website which always has up-to-date files: http://www.stud.uni-hannover.de/~twoaday/winpt.html For the people who still use 0.7.x and have problems I would suggest to download 0.9.14 which contains a lot of features and bug fixes. _But of course the user has the freedom to decide what front-end to use_. Timo From admin at panta-rhei.dyndns.org Wed Dec 15 16:37:20 2004 From: admin at panta-rhei.dyndns.org (panta-admin) Date: Wed Dec 15 16:30:11 2004 Subject: Windows Client References: <20D152299AA73D47941BC3A94EDFF5DE04703C@WMRI000166.corp.wmdata.net> <20041215150024.GC1218@daredevil.joesixpack.net> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi ! >As the author of WinPT I'm of course not ingenuous. But let me say some >things... > >WinPT is _not_ unmaintained. I work on it whenever it's possible and >I also fixed a lot of bugs recently. The problem is that the SourceForge >website is a little outdated. Thanks, I am glad to hear that. Yes the site is a bit outdated. >I recommend to use 0.9.x whenver it is possible (last version is 0.9.14) >and this website which always has up-to-date files: >http://www.stud.uni-hannover.de/~twoaday/winpt.html Will have a look. Has the problem which is discussed on the winpt forum about the GnuPG binary been resolved ? >_But of course the user has the freedom to decide what front-end to use_. Timo, let me say that I am very grateful for your work on WinPT. It is a lot of unpaid, and very often unthanked for work, and I am sure you have a real life as well ;-) . Be assured we appeciate it a lot, and special thanks for making it open source. There are some things which drive me mad in WinPT though: If I try to delete keys in the keymanager it crashes. (WinXP) It failes to capture text from websites in firefox. It does not allow to do symmetric decryption of the clipboard. Is there any way we/I can help ? Cheers, panta-admin -----BEGIN PGP SIGNATURE----- Version: N/A iQA/AwUBQcBWNx2e88Id2BOOEQL6wgCgoZH0bA970/SVFlpT49c1C6Vp+f0An2U7 7Pm+kSkfdj2K/c58V/wKMpqg =QfWI -----END PGP SIGNATURE----- From vishalrao at gmail.com Wed Dec 15 18:19:33 2004 From: vishalrao at gmail.com (Vishal Rao) Date: Wed Dec 15 18:16:28 2004 Subject: Windows Client In-Reply-To: <20041215150024.GC1218@daredevil.joesixpack.net> References: <20D152299AA73D47941BC3A94EDFF5DE04703C@WMRI000166.corp.wmdata.net> <20041215150024.GC1218@daredevil.joesixpack.net> Message-ID: On Wed, 15 Dec 2004 16:00:24 +0100, Timo Schulz wrote: > As the author of WinPT I'm of course not ingenuous. But let me say some > things... > > WinPT is _not_ unmaintained. I work on it whenever it's possible and > I also fixed a lot of bugs recently. The problem is that the SourceForge > website is a little outdated. Nobody posts on WinPT-announce@lists.sourceforge.net ? Im on the list since a few months but no emails from there... Or is there some other list where I should monitor for announcements/updates? -- "Thou shalt not follow the null pointer for at its end madness and chaos lie." From jharris at widomaker.com Wed Dec 15 20:36:29 2004 From: jharris at widomaker.com (Jason Harris) Date: Thu Dec 16 14:54:34 2004 Subject: Key strangeness In-Reply-To: <20041215033618.GA1415@jabberwocky.com> References: <40257CE0.4090201@durham.ac.uk> <20040208013704.GB30966@jabberwocky.com> <402653F2.6010801@durham.ac.uk> <20040208154658.GA29904@jabberwocky.com> <20041214180953.GT3782@wilma.widomaker.com> <20041214211222.GE29531@jabberwocky.com> <20041215001748.GU3782@wilma.widomaker.com> <20041215010431.GA32762@jabberwocky.com> <891bd33904121418347b926f1@mail.gmail.com> <20041215033618.GA1415@jabberwocky.com> Message-ID: <20041215193629.GW3782@wilma.widomaker.com> On Tue, Dec 14, 2004 at 10:36:19PM -0500, David Shaw wrote: > On Tue, Dec 14, 2004 at 09:34:20PM -0500, Yaron Minsky wrote: > > > On Tue, Dec 14, 2004 at 07:17:48PM -0500, Jason Harris wrote: > > > > Not "the entire Public Key packet starting with the version field, > > > > with whatever fixes you have to make so the key is fully > > > > RFC-compliant." > > starting with the version field. It seems like a mistake to calculate > > the fingerprint of a "corrected" version of the key. > > The RFC does say that, but it is not the whole story. It also says: > > The length field of an MPI describes the length starting from its > most significant non-zero bit. Thus, the MPI [00 02 01] is not > formed correctly. It should be [00 01 01]. > > MPIs with leading zeros are not RFC compliant. Correct. > > this way. That said, I'm not eager to fix it, since the keys in > > question are clearly broken, and, I'm hoping, quite rare. > > Which is exactly my point. The keys are made up of noncompliant MPIs. > The keys are thus corrupt/broken/not RFC compliant. Whatever we call > it, the keys are outside the purview of the RFC. There is no language > in the RFC that dictates how a program should handle a noncompliant > key. This is a good thing, since questions like this can rapidly > spiral out of control - how much corruption is too much? Keys like this with non-compliant MPIs don't have valid selfsigs - unless and until the MPI is fixed _and_ the keyids in the selfsigs are changed to match the correct[ed] keyid. Then, the key can be imported and used for signature verification and/or encryption. However, the keyholder - as long as their software continues to be broken - will perpetually report the wrong key fingerprint and thus nobody should be willing to sign/trust the key. > So given that noncompliant keys are outside the purview of the RFC, it > is correct to canonicalize the MPIs in an effort to "rescue" the key. > It is also correct to do nothing. It is also correct to reject the > key altogether. It is best to reject the key and issue a warning, to stay consistent with GPG's rejection of unsigned subkeys and (default) rejection of unsigned userids. Actually, this kinda happens now: %gpg --recv 3A546EC2 gpg: requesting key 3A546EC2 from hkp://keyserver.kjsl.com gpg: request is "x-hkp://keyserver.kjsl.com/pks/lookup?op=get&search=0x3A546EC2" gpg: key 7EDB7A47: no valid user IDs gpg: this may be caused by a missing self-signature gpg: Total number processed: 1 gpg: w/o user IDs: 1 but can be circumvented with --allow-non-selfsigned-uid. However, the imported key lacks a subkey and the selfsigs are useless, being from 0x3A546EC2 instead of 0x7EDB7A47. Interestingly, 0x7EDB7A47 somehow has (valid) selfsigs made two days after its creation and 0x3A546EC2 [self]sigs, but its subkey still isn't importable. (Also, it was revoked the same day the usable selfsigs were added.) NB: ldap://horowitz.surfnet.nl:11370 stores the key under the same two keyids that pks and SKS does, which seems inconsistent with the PGP encryption program(s?). -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : /pipermail/attachments/20041215/4f62f108/attachment.bin From JPClizbe at comcast.net Thu Dec 16 07:38:48 2004 From: JPClizbe at comcast.net (John Clizbe) Date: Thu Dec 16 14:54:59 2004 Subject: Problems with --check-trustdb in 1.3.93 on Windows Message-ID: <41C12D78.7050205@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 bash-2.05b$ gpg --version gpg (GnuPG) 1.3.93 bash-2.05b$ time gpg --check-trustdb gpg: renaming `C:/Documents and Settings/jpclizbe/Application Data/GnuPG\pubring.tmp' to `C:/Documents and Settings/jpclizbe/Application Data/GnuPG\pubring.gpg' failed: Permission denied gpg: failed to rebuild keyring cache: file rename error gpg: can't open `C:/Documents and Settings/jpclizbe/Application Data/GnuPG\pubring.gpg' gpg: keydb_search failed: file open error gpg: validate_key_list failed real 19m45.546s user 0m0.020s sys 0m0.020s pubring.gpg was renamed to pubring.bak, but pubring.tmp was left as it was. This was almost 20 minutes just for the cache rebuild, not even the trust check. bash-2.05b$ head/gpg --version gpg (GnuPG) 1.3.93-cvs-2004-12-11 bash-2.05b$ time head/gpg --check-trustdb gpg: renaming `C:/Documents and Settings/jpclizbe/Application Data/GnuPG\pubring.gpg' to `C:/Documents and Settings/jpclizbe/Application Data/GnuPG\pubring.bak' failed: Permission denied gpg: failed to rebuild keyring cache: file rename error gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model gpg: depth: 0 valid: 36 signed: 429 trust: 0-, 0q, 0n, 0m, 0f, 36u gpg: depth: 1 valid: 429 signed: 162 trust: 0-, 363q, 1n, 8m, 57f, 0u gpg: depth: 2 valid: 64 signed: 60 trust: 0-, 58q, 0n, 3m, 3f, 0u gpg: depth: 3 valid: 4 signed: 13 trust: 0-, 3q, 0n, 1m, 0f, 0u gpg: next trustdb check due at 2004-12-23 real 37m14.658s user 0m0.010s sys 0m0.060s bash-2.05b$ In 1.3.93-cvs from this last weekend, the first rename failed and allowed the check-trustdb to run. Please note the time taken. Compare the time taken with 1.2.x: bash-2.05b$ stable/gpg --version gpg (GnuPG) 1.2.7-cvs-2004-12-11 bash-2.05b$ time stable/gpg --check-trustdb gpg: checking at depth 0 signed=444 ot(-/q/n/m/f/u)=0/0/0/0/0/36 gpg: checking at depth 1 signed=172 ot(-/q/n/m/f/u)=0/377/1/9/57/0 gpg: checking at depth 2 signed=66 ot(-/q/n/m/f/u)=0/67/0/5/3/0 gpg: checking at depth 3 signed=9 ot(-/q/n/m/f/u)=0/3/0/0/0/0 gpg: next trustdb check due at 2004-12-23 real 0m19.438s user 0m0.040s sys 0m0.020s bash-2.05b$ 1.2.6/gpg --version gpg (GnuPG) 1.2.6 bash-2.05b$ time 1.2.6/gpg --check-trustdb gpg: next trustdb check due at 2004-12-23 real 0m18.455s user 0m0.010s sys 0m0.020s bash-2.05b$ Checking the trustdb takes < 20 sec in 1.2.x but nearly 40 minutes in 1.3.93? OUCH! Can this be worked on before 1.4? - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.7-cvs-2004-12-15 (Windows 2000 SP4) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFBwS13HQSsSmCNKhARAp08AJ9Yse3s/kTmli86XfKSobTHAosPogCghsGR /+HSgVVNEst6Pprv1yaLwHo= =RsTN -----END PGP SIGNATURE----- From twoaday at freakmail.de Thu Dec 16 13:32:15 2004 From: twoaday at freakmail.de (Timo Schulz) Date: Thu Dec 16 14:56:41 2004 Subject: Windows Client In-Reply-To: References: <20D152299AA73D47941BC3A94EDFF5DE04703C@WMRI000166.corp.wmdata.net> <20041215150024.GC1218@daredevil.joesixpack.net> Message-ID: <20041216123215.GA224@daredevil.joesixpack.net> On Wed Dec 15 2004; 22:49, Vishal Rao wrote: > Nobody posts on WinPT-announce@lists.sourceforge.net ? Im on the list > since a few months but no emails from there... > > Or is there some other list where I should monitor for announcements/updates? winpt-users@lcsweb.net The list is archived so you can also source for 'Announcement' if you just want to see the announcement mails. Timo From twoaday at freakmail.de Thu Dec 16 13:33:38 2004 From: twoaday at freakmail.de (Timo Schulz) Date: Thu Dec 16 14:56:44 2004 Subject: Windows Client In-Reply-To: References: <20D152299AA73D47941BC3A94EDFF5DE04703C@WMRI000166.corp.wmdata.net> <20041215150024.GC1218@daredevil.joesixpack.net> Message-ID: <20041216123338.GB224@daredevil.joesixpack.net> On Wed Dec 15 2004; 15:37, panta-admin wrote: > There are some things which drive me mad in WinPT though: > > If I try to delete keys in the keymanager it crashes. (WinXP) > It failes to capture text from websites in firefox. > It does not allow to do symmetric decryption of the clipboard. Hmm, this seems to be related to the version you use. WinPT 0.9.14 allow to use sym. encryption/decryption of teh clipboard. And I use XP and I don't have the crashing problem with the Key Manager. Timo From johanw at vulcan.xs4all.nl Thu Dec 16 16:25:27 2004 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Thu Dec 16 16:20:13 2004 Subject: Windows Client In-Reply-To: <20041215150024.GC1218@daredevil.joesixpack.net> from Timo Schulz at "Dec 15, 2004 04:00:24 pm" Message-ID: <200412161525.QAA05391@vulcan.xs4all.nl> Timo Schulz wrote: >I recommend to use 0.9.x whenver it is possible (last version is 0.9.14) Can we download the complete source from this version? I remember from previous versions that the available source lay behind several versions. The latest source I find on sourceforge.net is 0.9.2, while WinPT 1.0rc2 is available for download. This makes WinPT a "somewhat open source" product to me. Better than closed source, but improvement is certainly possible. BTW, can the new version handle GnuPG installs where no language files are installed? 0.7.2 choked sometimes on that. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From admin at panta-rhei.dyndns.org Thu Dec 16 16:57:04 2004 From: admin at panta-rhei.dyndns.org (panta-admin) Date: Thu Dec 16 16:50:30 2004 Subject: Windows Client References: <20D152299AA73D47941BC3A94EDFF5DE04703C@WMRI000166.corp.wmdata.net> <20041216123338.GB224@daredevil.joesixpack.net> Message-ID: <0224WI6038337.6646296296@anonymous.poster> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi ! >> If I try to delete keys in the keymanager it crashes. (WinXP) >> It failes to capture text from websites in firefox. >> It does not allow to do symmetric decryption of the clipboard. > >Hmm, this seems to be related to the version you use. Capturing text works in 0.9.14 Thanks ! >WinPT 0.9.14 allow to use sym. encryption/decryption of teh clipboard. I found the problem, sorry for blaming you ! The encryption was done with IDEA, which is of course not supported in gnupg. I am just trying to figure out how to get IDEA loaded as module. Any hints ? >And I use XP and I don't have the crashing problem with the Key Manager. Bugger, this is really annoying. Could it be because I imported all keys from PGP into my keyring ? Should I maybe export and reimport them into a new keyring ? As regarding your website: http://www.stud.uni-hannover.de/~twoaday/winpt.html This is really helpful, I maintain a website at www.panta-rhei.dyndns.org, would you object if I mirror or link to your site ? And: There was discussion on the sourceforge WinPT homepage that the newest GnuPG binary which is required for WinPT was not available for windows. Could you please also provide a download for the latest GnuPG binary ? I am also really confused about the various versions of WinPT and WinPTTray, in conjunction with GnuPG versions and so on, which is mainly caused by the outdated website at www.winpt.org and the sourceforge site. Can we in any way help you with updating these ? If the graphical installer is the way you want new users to install the whole package, what are your thoughts on updating the various components ? I run a public WiKi at www.panta-rhei.dyndns.org, should we try to get some WinPT info in there ? Eager to help, Cheers, panta-admin -----BEGIN PGP SIGNATURE----- Version: N/A iQA/AwUBQcGuKB2e88Id2BOOEQLK4QCeKQqgWHjqewAP7Vih6QrvD1/nUx0An0Z8 sl1xmmWJUPPT9yxaLyb28CBd =VAPw -----END PGP SIGNATURE----- From twoaday at freakmail.de Thu Dec 16 17:48:34 2004 From: twoaday at freakmail.de (Timo Schulz) Date: Thu Dec 16 17:41:45 2004 Subject: Windows Client In-Reply-To: <0224WI6038337.6646296296@anonymous.poster> References: <20D152299AA73D47941BC3A94EDFF5DE04703C@WMRI000166.corp.wmdata.net> <20041216123338.GB224@daredevil.joesixpack.net> <0224WI6038337.6646296296@anonymous.poster> Message-ID: <20041216164834.GB708@daredevil.joesixpack.net> On Thu Dec 16 2004; 15:57, panta-admin wrote: > http://www.stud.uni-hannover.de/~twoaday/winpt.html > This is really helpful, I maintain a website at www.panta-rhei.dyndns.org, > would you object if I mirror or link to your site ? Sure. > And: There was discussion on the sourceforge WinPT homepage that the newest > GnuPG binary which is required for WinPT was not available for windows. > Could you please also provide a download for the latest GnuPG binary ? You can find it on ftp.gnupg.org. Any _official_ version should work. The minimum required version is GPG 1.2.6 (but you can also use 1.3.x!). > I am also really confused about the various versions of WinPT and > WinPTTray, in conjunction with GnuPG versions and so on, which is mainly On SF.net WinPT means "Windows Privacy Tools". And WinPT Tray is part of the project and _my_ application so it is called "Tray". > Can we in any way help you with updating these ? If the graphical installer > is the way you want new users to install the whole package, what are your > thoughts on updating the various components ? Ralf Kreutzmann maintains an installer for WinPT and other GPG tools. But it would be useful to have some folks to maintain the SF.net files and the homepage there. > I run a public WiKi at www.panta-rhei.dyndns.org, should we try to get some > WinPT info in there ? This would be very kind. Because the thread is very WinPT specific, I suggest to continue you it either PM or on the winpt-users(@lcsweb.net) list. Thanks, Timo From twoaday at freakmail.de Thu Dec 16 17:43:45 2004 From: twoaday at freakmail.de (Timo Schulz) Date: Thu Dec 16 17:42:31 2004 Subject: Windows Client In-Reply-To: <200412161525.QAA05391@vulcan.xs4all.nl> References: <20041215150024.GC1218@daredevil.joesixpack.net> <200412161525.QAA05391@vulcan.xs4all.nl> Message-ID: <20041216164345.GA708@daredevil.joesixpack.net> On Thu Dec 16 2004; 16:25, Johan Wevers wrote: > Can we download the complete source from this version? I remember from I will update the site tomorrow. > previous versions that the available source lay behind several versions. > The latest source I find on sourceforge.net is 0.9.2, while WinPT 1.0rc2 0.9.11 should be available on the site I mentioned. And tomorrow I will upload 0.9.14. > This makes WinPT a "somewhat open source" product to me. Better than closed > source, but improvement is certainly possible. In the past I got practically never requests to upload the code. Only a handful people asked for it. And of course I would send it to anybody who had asked for it (as the GPL requests it). > BTW, can the new version handle GnuPG installs where no language files > are installed? 0.7.2 choked sometimes on that. Sure. You mean no .mo file for WinPT or GPG? This is no problem. I use this configuration on two machines without any problems. Timo From wk at gnupg.org Thu Dec 16 18:24:48 2004 From: wk at gnupg.org (Werner Koch) Date: Thu Dec 16 18:50:16 2004 Subject: [Announce] GnuPG stable 1.4 released Message-ID: <87zn0egnq7.fsf@wheatstone.g10code.de> Skipped content of type multipart/signed-------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From michael at pairofsixes.com Wed Dec 15 14:43:04 2004 From: michael at pairofsixes.com (Michael McAllister) Date: Thu Dec 16 18:53:14 2004 Subject: gen-keys hanging in WinXP SP2 Message-ID: <200412151343.iBFDh5Yn014464@ms-smtp-01-eri0.texas.rr.com> Hi (I sent a previous version of this which doesn't seem to have come through to the list. It was originally in Outlook HTML form email which I've noticed mailman sometimes filters out - so, I'm resending with more info and (hopefull!) as a plain text email.) I'm a newbie user of gpg, and am trying to generate my first key. I have version 1.2.5 installed on WinXP SP2. The software is installed in the default directory (c:\gnupg) with the main executables copied into c:\windows\system32. I started generating my first key (for this address) last night (around 11:30pm?), and as of this morning it still hasn't finished. I did spend some time registering some keyboard activity as suggested, but that doesn't seem to have helped. Does anyone have any suggestions as to what might be going wrong, and how to fix it? Specifically what happens is it asks me for my passphrase twice, and then once I've entered that, the generation of keys hangs. I have done some research and can say:- - The output of random characters (mainly plus signs?) does not occur after entering the passphrase, and while doing calculations for the key. - I do NOT receive any error about not enough entropy being available. That's because I don't receive ANYTHING ;-) Oh, forgot to mention - my machine is a 3GHz P4 with 512MB RAM, so I don't see the machine being a limiting factor. Regards Mike From johanw at vulcan.xs4all.nl Thu Dec 16 18:42:27 2004 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Thu Dec 16 20:59:00 2004 Subject: Windows Client In-Reply-To: <0224WI6038337.6646296296@anonymous.poster> from panta-admin at "Dec 16, 2004 03:57:04 pm" Message-ID: <200412161742.SAA06665@vulcan.xs4all.nl> panta-admin wrote: >I am just trying to figure out how to get IDEA loaded as module. Any hints? Put idea.dll somewhere, and put in gpg.conf a line like load-extension drive:\directory\idea.dll -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From johanw at vulcan.xs4all.nl Thu Dec 16 18:44:50 2004 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Thu Dec 16 20:59:09 2004 Subject: Windows Client In-Reply-To: <20041216164834.GB708@daredevil.joesixpack.net> from Timo Schulz at "Dec 16, 2004 05:48:34 pm" Message-ID: <200412161744.SAA06676@vulcan.xs4all.nl> Timo Schulz wrote: >You can find it on ftp.gnupg.org. Any _official_ version should work. >The minimum required version is GPG 1.2.6 (but you can also use 1.3.x!). There is no "official" windows version 1.2.6. The last windows version from www.gnupg.org is 1.2.5. But Werner wrote that's because thhe changes between them didn't occur in 2indows. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From pschott at drivefinancial.com Thu Dec 16 21:59:38 2004 From: pschott at drivefinancial.com (Peter Schott) Date: Thu Dec 16 21:56:01 2004 Subject: Windows Client Message-ID: <4E28ECEE2E06784AA8921F82878C889E02105D61@DFSTXEXCH3.dfs.com> Just a note on the quote below - according to the GnuPG site, there is not an official 1.2.6 build for Windows because the bugs fixed from 1.2.5 to 1.2.6 did not affect Windows. Can we lower the min required version to 1.2.5 in light of that? Thanks. -Pete From: Timo Schulz Subject: Re: Windows Client On Thu Dec 16 2004; 15:57, panta-admin wrote: > And: There was discussion on the sourceforge WinPT homepage that the > newest GnuPG binary which is required for WinPT was not available for windows. > Could you please also provide a download for the latest GnuPG binary ? You can find it on ftp.gnupg.org. Any _official_ version should work. The minimum required version is GPG 1.2.6 (but you can also use 1.3.x!). ___________________________________________________________________________________ This e-mail is covered by the Electronic Communications Privacy Act, 18 U.S.C. Sections 2510-2521. The information contained in this e-mail is confidential and intended only for use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this message in error or there are any problems please notify the originator immediately. The unauthorized use, disclosure, copying or alteration of this message is strictly forbidden. This mail and any attachments have been scanned for viruses prior to leaving the Drive Financial Services network. Drive Financial Services will not be liable for direct, special, indirect or consequential damages arising from alteration of the contents of this message by a third party or as a result of any virus being passed on. ___________________________________________________________________________________ From henkdebruijn at wanadoo.nl Thu Dec 16 22:24:10 2004 From: henkdebruijn at wanadoo.nl (Henk de Bruijn) Date: Thu Dec 16 22:20:38 2004 Subject: gpg: conversion from `utf-8' to `CP0' not available In-Reply-To: <1727693086.20041129151757@wanadoo.nl> References: <1159783930.20041128155921@wanadoo.nl> <87653q7zom.fsf@wheatstone.g10code.de> <873573880.20041129090406@wanadoo.nl> <87sm6t53oa.fsf@wheatstone.g10code.de> <1727693086.20041129151757@wanadoo.nl> Message-ID: <1401690184.20041216222410@wanadoo.nl> On Mon, 29 Nov 2004 15:17:57 +0100GMT (29-11-2004, 15:17 +0100, where I live), I wrote: > Tried it all but no, think I?ll just have to keep on using 1.2.5 for > a while :-( I downloaded 1.2.4 and as expected it is not working with the Bat! When I tried: gpg --charset=CP850 -k akey or gpg --no-options --charset=CP850 -k akey I get the message gpg: error reading key: public key not found ??? I read about the possibility of trustsigning and am anxious to try this :-( -- Henk ______________________________________________________________________ The Bat!? Natural Email System v3.0.2.10nl Professional on Windows XP SP2 PGPkey request: see headers or send email with subj.: send HenksKeyID Gossamer Spider Web of Trust http://gswot.webhop.info/ From wk at gnupg.org Thu Dec 16 22:17:10 2004 From: wk at gnupg.org (Werner Koch) Date: Thu Dec 16 22:39:34 2004 Subject: [Announce] Updated GnuPG 1.4.0 Windows binary In-Reply-To: <87zn0egnq7.fsf@wheatstone.g10code.de> (Werner Koch's message of "Thu, 16 Dec 2004 18:24:48 +0100") References: <87zn0egnq7.fsf@wheatstone.g10code.de> Message-ID: <87u0qmdju1.fsf@wheatstone.g10code.de> Skipped content of type multipart/signed-------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From raindog at phreaker.net Thu Dec 16 23:01:07 2004 From: raindog at phreaker.net (raindog) Date: Thu Dec 16 22:56:39 2004 Subject: Windows Binary 1.4.0 vs 1.4.0a which to use? Message-ID: <41C205A3.1090204@phreaker.net> Well, the title says it all. I noticed on the ftp server that there is v1.4.0 and v1.4.0a for Windows. What are the differences and which one should I install? raindog -- We must all hang together, or assuredly we shall all hang separately. -- Benjamin Franklin From henkdebruijn at wanadoo.nl Thu Dec 16 23:15:19 2004 From: henkdebruijn at wanadoo.nl (Henk de Bruijn) Date: Thu Dec 16 23:11:35 2004 Subject: gpg: conversion from `utf-8 to `CP0 not available In-Reply-To: <1401690184.20041216222410@wanadoo.nl> References: <1159783930.20041128155921@wanadoo.nl> <87653q7zom.fsf@wheatstone.g10code.de> <873573880.20041129090406@wanadoo.nl> <87sm6t53oa.fsf@wheatstone.g10code.de> <1727693086.20041129151757@wanadoo.nl> <1401690184.20041216222410@wanadoo.nl> Message-ID: <2810063903.20041216231519@wanadoo.nl> On Thu, 16 Dec 2004 22:24:10 +0100GMT (16-12-2004, 22:24 +0100, where I live), I wrote wrote: > I downloaded 1.2.4 and as expected it is not working with the Bat! > When I tried: > gpg --charset=CP850 -k akey > or > gpg --no-options --charset=CP850 -k akey > I get the message gpg: error reading key: public key not found > ??? > I read about the possibility of trustsigning and am anxious to try > this :-( I meant 1.4.0 -- Henk ______________________________________________________________________ The Bat!? Natural Email System v3.0.2.10nl Professional on Windows XP SP2 PGPkey request: see headers or send email with subj.: send HenksKeyID Gossamer Spider Web of Trust http://gswot.webhop.info/ From JPClizbe at comcast.net Thu Dec 16 23:09:05 2004 From: JPClizbe at comcast.net (John Clizbe) Date: Thu Dec 16 23:22:02 2004 Subject: Windows Binary 1.4.0 vs 1.4.0a which to use? In-Reply-To: <41C205A3.1090204@phreaker.net> References: <41C205A3.1090204@phreaker.net> Message-ID: <41C20781.9000209@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 raindog wrote: > Well, the title says it all. I noticed on the ftp server that there > is v1.4.0 and v1.4.0a for Windows. What are the differences and which > one should I install? > > raindog Use 1.4.0a The change to the 1.4.0 code is: diff -u -r1.71 iobuf.c - --- util/iobuf.c 6 Dec 2004 10:32:20 -0000 1.71 +++ util/iobuf.c 16 Dec 2004 19:30:27 -0000 @@ -146,7 +146,7 @@ || (*a == '\' && *b == '/')) ) break; } - - return *(const unsigned *)a - *(const unsigned *)b; + return *(const unsigned char *)a - *(const unsigned char *)b; #else return strcmp (a, b); #endif - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Annoy John Asscraft -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFBwgeAHQSsSmCNKhARAsgHAJoCf06DNEfvzLomnd0yyxsYRK/eQgCgpgLX IvU+ULlh10Ytk9jeKudQVbU= =0kRW -----END PGP SIGNATURE----- From eocsor at gmail.com Thu Dec 16 23:26:01 2004 From: eocsor at gmail.com (Roscoe) Date: Thu Dec 16 23:23:16 2004 Subject: Windows Binary 1.4.0 vs 1.4.0a which to use? In-Reply-To: <41C205A3.1090204@phreaker.net> References: <41C205A3.1090204@phreaker.net> Message-ID: 1.4.0a http://lists.gnupg.org/pipermail/gnupg-announce/2004q4/000187.html On Thu, 16 Dec 2004 17:01:07 -0500, raindog wrote: > Well, the title says it all. I noticed on the ftp server that there > is v1.4.0 and v1.4.0a for Windows. What are the differences and which > one should I install? > > raindog > -- > We must all hang together, or assuredly we shall all hang separately. > -- Benjamin Franklin > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From dshaw at jabberwocky.com Thu Dec 16 23:26:02 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Dec 16 23:23:29 2004 Subject: Windows Binary 1.4.0 vs 1.4.0a which to use? In-Reply-To: <41C205A3.1090204@phreaker.net> References: <41C205A3.1090204@phreaker.net> Message-ID: <20041216222602.GA11734@jabberwocky.com> On Thu, Dec 16, 2004 at 05:01:07PM -0500, raindog wrote: > Well, the title says it all. I noticed on the ftp server that there > is v1.4.0 and v1.4.0a for Windows. What are the differences and which > one should I install? 1.4.0a. A bug was discovered too late to make it into 1.4.0, so a 1.4.0a was quickly released. David From donald.ferguson at gmail.com Fri Dec 17 00:22:41 2004 From: donald.ferguson at gmail.com (Don Ferguson) Date: Fri Dec 17 00:19:35 2004 Subject: [Announce] Updated GnuPG 1.4.0 Windows binary In-Reply-To: <87u0qmdju1.fsf@wheatstone.g10code.de> References: <87zn0egnq7.fsf@wheatstone.g10code.de> <87u0qmdju1.fsf@wheatstone.g10code.de> Message-ID: On Thu, 16 Dec 2004 22:17:10 +0100, Werner Koch wrote: > Hello! > > a couple of hours ago we announced GnuPG 1.4.0, claiming that a > compiled version for MS Windows is also available. Unfortunately that > Windows version version has a severe bug which makes it pretty > unusable. To fix this a new binary version has been released. The > old file has been removed from the server and the new one has been > given the version number 1.4.0a. > > If you already downloaded gnupg-w32cli-1.4.0.zip, you should replace > that with the new one: > > ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.0a.zip (1627k) > ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.0a.zip.sig > > The SHA1 checksum of the zip file is: > > 28be01b7f8eaa29db73d11bf8b9504e823c07c2b gnupg-w32cli-1.4.0a.zip > > I apologize for my silliness of not properly testing the Windows > version. > > Salam-Shalom, > > Werner > > -- > Werner Koch > The GnuPG Experts http://g10code.com > Free Software Foundation Europe http://fsfeurope.org > > The change to the 1.4.0 code is: > > diff -u -r1.71 iobuf.c > --- util/iobuf.c 6 Dec 2004 10:32:20 -0000 1.71 > +++ util/iobuf.c 16 Dec 2004 19:30:27 -0000 > @@ -146,7 +146,7 @@ > || (*a == '\' && *b == '/')) ) > break; > } > - return *(const unsigned *)a - *(const unsigned *)b; > + return *(const unsigned char *)a - *(const unsigned char *)b; > #else > return strcmp (a, b); > #endif > > When I run gpg, I get the message ... gpg: error loading 'iconv.dll': The specified module could not be found. I don't see iconv.dll in gnupg-w32cli-1.4.0a.zip. So how do I correct this error? From JPClizbe at comcast.net Fri Dec 17 00:33:38 2004 From: JPClizbe at comcast.net (John Clizbe) Date: Fri Dec 17 00:30:34 2004 Subject: [Announce] Updated GnuPG 1.4.0 Windows binary In-Reply-To: References: <87zn0egnq7.fsf@wheatstone.g10code.de> <87u0qmdju1.fsf@wheatstone.g10code.de> Message-ID: <41C21B52.7090902@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Don Ferguson wrote: > > When I run gpg, I get the message ... > gpg: error loading 'iconv.dll': The specified module could not be found. > > I don't see iconv.dll in gnupg-w32cli-1.4.0a.zip. So how do I correct > this error? > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > - From the 1.3.92 Announcement: http://lists.gnupg.org/pipermail/gnupg-announce/2004q4/000182.html For proper internationalization you should have the GNU iconv.dll installed. For convenience we make this DLL available at: ftp://ftp.gnupg.org/gcrypt/binary/libiconv-1.9.1.dll.zip (644k) ftp://ftp.gnupg.org/gcrypt/binary/libiconv-1.9.1.dll.zip.sig - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Annoy John Asscraft -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFBwhtQHQSsSmCNKhARAndFAJ44Nb9Npz1fJEq6WSoEtpFZN30pHACdGoRd KW+wDwX2ZOswAGPFUdK3Zq0= =0289 -----END PGP SIGNATURE----- From shatadal at vfemail.net Fri Dec 17 00:37:21 2004 From: shatadal at vfemail.net (Shatadal) Date: Fri Dec 17 00:33:48 2004 Subject: Bad Signature (was Re: [Announce] Updated GnuPG 1.4.0 Windows binary) In-Reply-To: <87u0qmdju1.fsf@wheatstone.g10code.de> References: <87zn0egnq7.fsf@wheatstone.g10code.de> <87u0qmdju1.fsf@wheatstone.g10code.de> Message-ID: <41C21C31.1060009@vfemail.net> Werner Koch wrote: > Hello! > > a couple of hours ago we announced GnuPG 1.4.0, claiming that a > compiled version for MS Windows is also available. Unfortunately that > Windows version version has a severe bug which makes it pretty > unusable. To fix this a new binary version has been released. The > old file has been removed from the server and the new one has been > given the version number 1.4.0a. > > If you already downloaded gnupg-w32cli-1.4.0.zip, you should replace > that with the new one: > > ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.0a.zip (1627k) > ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.0a.zip.sig > > The SHA1 checksum of the zip file is: > > 28be01b7f8eaa29db73d11bf8b9504e823c07c2b gnupg-w32cli-1.4.0a.zip > > > I apologize for my silliness of not properly testing the Windows > version. > > > Salam-Shalom, > > Werner > Hi, It seems that your message was not signed correctly. I am using enigmail with mozilla thunderbird and it prompts me to import public keys required to verify signed messages. When I import your key however enigmail complains of a bad signature. I have imported your key from keyserver.kjsl.com and random.sks.keyserver.penguin.de and got the key for wk@gnupg.org with key id 0x5B0358A2. Interestingly enigmail asks for key ID 0x010A57ED initially to verify the signature. Maybe the problem is with enigmail. Could you help? Thanks, Shatadal. From donald.ferguson at gmail.com Fri Dec 17 00:49:11 2004 From: donald.ferguson at gmail.com (Don Ferguson) Date: Fri Dec 17 00:45:50 2004 Subject: [Announce] Updated GnuPG 1.4.0 Windows binary In-Reply-To: <41C21B52.7090902@comcast.net> References: <87zn0egnq7.fsf@wheatstone.g10code.de> <87u0qmdju1.fsf@wheatstone.g10code.de> <41C21B52.7090902@comcast.net> Message-ID: On Thu, 16 Dec 2004 17:33:38 -0600, John Clizbe wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Don Ferguson wrote: > > > > When I run gpg, I get the message ... > > gpg: error loading 'iconv.dll': The specified module could not be found. > > > > I don't see iconv.dll in gnupg-w32cli-1.4.0a.zip. So how do I correct > > this error? > > > > _______________________________________________ > > Gnupg-users mailing list > > Gnupg-users@gnupg.org > > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > > > - From the 1.3.92 Announcement: > http://lists.gnupg.org/pipermail/gnupg-announce/2004q4/000182.html > > For proper internationalization you should have the GNU iconv.dll > installed. For convenience we make this DLL available at: > > ftp://ftp.gnupg.org/gcrypt/binary/libiconv-1.9.1.dll.zip (644k) > ftp://ftp.gnupg.org/gcrypt/binary/libiconv-1.9.1.dll.zip.sig > > - -- > John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet > Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 > "Be who you are and say what you feel because those who mind don't matter > and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.0 (MingW32) > Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG > Comment: Annoy John Asscraft -- Use Strong Encryption. > Comment: It's YOUR right - for the time being. > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > iD8DBQFBwhtQHQSsSmCNKhARAndFAJ44Nb9Npz1fJEq6WSoEtpFZN30pHACdGoRd > KW+wDwX2ZOswAGPFUdK3Zq0= > =0289 > -----END PGP SIGNATURE----- That fixed it. Thanks John! From chd at chud.net Fri Dec 17 01:25:09 2004 From: chd at chud.net (Chris De Young) Date: Fri Dec 17 01:21:19 2004 Subject: Broken signatures with Thunderbird/Enigmail since 1.4.0? Message-ID: <20041217002509.GA13382@dionysus.chud.net> Hi, Since upgrading to 1.4.0 on Linux, Thunderbird/Enigmail seems to be having trouble verifying signatures (so far mostly on messages I have sent and CC: myself). The output is difficult to paste from Thunderbird, but it's normal looking GPG output for "BAD Signature from ...". This seems to be an enigmail problem, because Mutt reports a good signature on the same copy of the same message. Has anyone else run into this, or have any guesses about any subtle behavior change in 1.4.0 that might be giving Enigmail indigestion? Thanks! -Chris -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20041216/c899904d/attachment.bin From lists at t-link.de Fri Dec 17 01:28:13 2004 From: lists at t-link.de (Michael Wenger) Date: Fri Dec 17 01:24:35 2004 Subject: Bad Signature (was Re: [Announce] Updated GnuPG 1.4.0 Window binary) In-Reply-To: <41C21C31.1060009@vfemail.net> References: <87zn0egnq7.fsf@wheatstone.g10code.de> <87u0qmdju1.fsf@wheatstone.g10code.de> <41C21C31.1060009@vfemail.net> Message-ID: <41C2281D.9030001@t-link.de> Hi Werner! Shatadal schrieb am 17.12.2004 00:37 : > It seems that your message was not signed correctly. I am using enigmail > with mozilla thunderbird and it prompts me to import public keys > required to verify signed messages. When I import your key however > enigmail complains of a bad signature. I have imported your key from > keyserver.kjsl.com and random.sks.keyserver.penguin.de and got the key > for wk@gnupg.org with key id 0x5B0358A2. Interestingly enigmail asks for > key ID 0x010A57ED initially to verify the signature. Maybe the problem > is with enigmail. Could you help? The same with me. Your signature is the only one which Enigmail cannot verify correctly. The error message says: gpg: Unterschrift vom 12/16/04 22:17:17, DSA Schl?ssel ID 010A57ED gpg: FALSCHE Unterschrift von "Werner Koch " Thunderbird 0.9 DE EnigMail 0.89.0 GnuPG 1.2.5 Windows Millennium I have had no problems with any signatures till now. Can you tell us, what went wrong? Regards, Michael From dshaw at jabberwocky.com Fri Dec 17 01:58:18 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Dec 17 01:55:29 2004 Subject: Broken signatures with Thunderbird/Enigmail since 1.4.0? In-Reply-To: <20041217002509.GA13382@dionysus.chud.net> References: <20041217002509.GA13382@dionysus.chud.net> Message-ID: <20041217005818.GA12845@jabberwocky.com> On Thu, Dec 16, 2004 at 05:25:09PM -0700, Chris De Young wrote: > Since upgrading to 1.4.0 on Linux, Thunderbird/Enigmail seems to be > having trouble verifying signatures (so far mostly on messages I have > sent and CC: myself). The output is difficult to paste from > Thunderbird, but it's normal looking GPG output for "BAD Signature > from ...". > > This seems to be an enigmail problem, because Mutt reports a good > signature on the same copy of the same message. > > Has anyone else run into this, or have any guesses about any subtle > behavior change in 1.4.0 that might be giving Enigmail indigestion? Can you post the gpg command line that Enigmail uses to process a signed message? David -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 250 bytes Desc: not available Url : /pipermail/attachments/20041216/42b08a98/attachment-0001.bin From johanw at vulcan.xs4all.nl Fri Dec 17 02:11:01 2004 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Fri Dec 17 02:14:06 2004 Subject: [Announce] GnuPG stable 1.4 released In-Reply-To: <87zn0egnq7.fsf@wheatstone.g10code.de> from Werner Koch at "Dec 16, 2004 06:24:48 pm" Message-ID: <200412170111.CAA00342@vulcan.xs4all.nl> Werner Koch wrote: >We are pleased to announce the availability of the new stable GnuPG >series. This first release is version 1.4.0 OK, compiles, builds and works OK as far as I tested it. One question though does the bug that required the 1.4.0a binary for win32 - also affect Linux? And if so, what kind of errors can I expect? Should I patch the source and rebuild? -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From JPClizbe at comcast.net Fri Dec 17 02:23:06 2004 From: JPClizbe at comcast.net (John Clizbe) Date: Fri Dec 17 02:20:02 2004 Subject: Broken signatures with Thunderbird/Enigmail since 1.4.0? In-Reply-To: <20041217005818.GA12845@jabberwocky.com> References: <20041217002509.GA13382@dionysus.chud.net> <20041217005818.GA12845@jabberwocky.com> Message-ID: <41C234FA.50208@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Shaw wrote: > > Can you post the gpg command line that Enigmail uses to process a > signed message? enigmail> C:\Program Files\GnuPG\gpg.exe --batch --no-tty --status-fd 2 - --verify gpg: Signature made 12/16/04 15:17:17 CST using DSA key ID 010A57ED gpg: BAD signature from "Werner Koch " enigmail.js: Enigmail.decryptMessageEnd: Error in command execution Barry posted about this to the Enigmail team earlier this afternoon. For him it looked to be a problem with PGP/MIME messages that contain "-- ". Only happens on signed PGP/MIME messages. Not signed and encrypted PGP/MIME which works fine. Barry reported that dropping back to 1.3.92 worked fine. Will investigate more. - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Annoy John Asscraft -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFBwjT3HQSsSmCNKhARAg+1AKDQM4RCIQ5i0Yg7ineY54JEoOgcPACfT+Cm 8JsQLri/7iwaBwBEYru0fEU= =Zl2n -----END PGP SIGNATURE----- From shatadal at vfemail.net Fri Dec 17 02:30:40 2004 From: shatadal at vfemail.net (Shatadal) Date: Fri Dec 17 02:27:04 2004 Subject: Broken signatures with Thunderbird/Enigmail since 1.4.0? In-Reply-To: <20041217005818.GA12845@jabberwocky.com> References: <20041217002509.GA13382@dionysus.chud.net> <20041217005818.GA12845@jabberwocky.com> Message-ID: <41C236C0.1010001@vfemail.net> David Shaw wrote: > On Thu, Dec 16, 2004 at 05:25:09PM -0700, Chris De Young wrote: > > >>Since upgrading to 1.4.0 on Linux, Thunderbird/Enigmail seems to be >>having trouble verifying signatures (so far mostly on messages I have >>sent and CC: myself). The output is difficult to paste from >>Thunderbird, but it's normal looking GPG output for "BAD Signature >>from ...". >> >>This seems to be an enigmail problem, because Mutt reports a good >>signature on the same copy of the same message. >> >>Has anyone else run into this, or have any guesses about any subtle >>behavior change in 1.4.0 that might be giving Enigmail indigestion? > > > Can you post the gpg command line that Enigmail uses to process a > signed message? > > David I use Enigmail 0.89.5.0 on Thunderbird version 1.0 (20041206) on Windows XP and gnupg 1.2.5 The command line used is gpg.exe --batch --no-tty --status-fd2 --verify Shatadal. From dshaw at jabberwocky.com Fri Dec 17 02:31:33 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Dec 17 02:28:32 2004 Subject: [Announce] GnuPG stable 1.4 released In-Reply-To: <200412170111.CAA00342@vulcan.xs4all.nl> References: <87zn0egnq7.fsf@wheatstone.g10code.de> <200412170111.CAA00342@vulcan.xs4all.nl> Message-ID: <20041217013133.GB12845@jabberwocky.com> On Fri, Dec 17, 2004 at 02:11:01AM +0100, Johan Wevers wrote: > Werner Koch wrote: > > >We are pleased to announce the availability of the new stable GnuPG > >series. This first release is version 1.4.0 > > OK, compiles, builds and works OK as far as I tested it. > > One question though does the bug that required the 1.4.0a binary for win32 > - also affect Linux? And if so, what kind of errors can I expect? Should I > patch the source and rebuild? No need. It's a Win32-specific problem. David -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 250 bytes Desc: not available Url : /pipermail/attachments/20041216/601bf555/attachment.bin From chd at chud.net Fri Dec 17 02:36:57 2004 From: chd at chud.net (Chris De Young) Date: Fri Dec 17 02:33:27 2004 Subject: Broken signatures with Thunderbird/Enigmail since 1.4.0? In-Reply-To: <20041217005818.GA12845@jabberwocky.com> References: <20041217002509.GA13382@dionysus.chud.net> <20041217005818.GA12845@jabberwocky.com> Message-ID: <41C23839.8010305@chud.net> > Can you post the gpg command line that Enigmail uses to process a > signed message? /usr/bin/gpg --batch --no-tty --status-fd 2 --verify A further bit of info -- checking against signatures made by mutt, Enigmail verifies them as good (well, three such messages, anyway). So far the only problem case I'm sure of is with signatures made from Enigmail as well as verified with it. Thanks! -Chris -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 256 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20041216/fe2f5dc9/signature.bin From lune0002 at algonquincollege.com Fri Dec 17 03:19:03 2004 From: lune0002 at algonquincollege.com (Brian Lunergan) Date: Fri Dec 17 03:16:05 2004 Subject: Windows Binary 1.4.0 vs 1.4.0a which to use? In-Reply-To: <20041216222602.GA11734@jabberwocky.com> References: <41C205A3.1090204@phreaker.net> <20041216222602.GA11734@jabberwocky.com> Message-ID: <41C24217.4060908@algonquincollege.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi folks: Loaded the 1.40a onto a system running win98se. When I open a dos prompt directory and type gpg I still get the loading iconv.dll error. Is there something I'm missing? David Shaw wrote: > On Thu, Dec 16, 2004 at 05:01:07PM -0500, raindog wrote: > >>Well, the title says it all. I noticed on the ftp server that there >>is v1.4.0 and v1.4.0a for Windows. What are the differences and which >>one should I install? > > > 1.4.0a. A bug was discovered too late to make it into 1.4.0, so a > 1.4.0a was quickly released. > > David - -- Brian Lunergan *************************************** IM Contact: AIM: lnrgnb ICQ: 207423899 MSN: brianlunergan@hotmail.com (nickname: GreyWolf706) Yahoo: brianlunergan *************************************** -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) - GPGshell v3.30 iD8DBQFBwkHzYAcjwnB5eagRAvJlAJ42rX5myG3pqT162bWG355XxJkZOwCdHoSC jzPbd9BgM6rGVXcqvY3qdoA= =JEck -----END PGP SIGNATURE----- --- avast! Antivirus: Outbound message clean. Virus Database (VPS): 0451-1, 2004/12/14 Tested on: 16/12/04 9:19:06 PM avast! is copyright (c) 2000-2003 ALWIL Software. http://www.avast.com From dshaw at jabberwocky.com Fri Dec 17 03:21:45 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Dec 17 03:18:47 2004 Subject: Broken signatures with Thunderbird/Enigmail since 1.4.0? In-Reply-To: <41C234FA.50208@comcast.net> References: <20041217002509.GA13382@dionysus.chud.net> <20041217005818.GA12845@jabberwocky.com> <41C234FA.50208@comcast.net> Message-ID: <20041217022145.GC12845@jabberwocky.com> On Thu, Dec 16, 2004 at 07:23:06PM -0600, John Clizbe wrote: > David Shaw wrote: > > > > Can you post the gpg command line that Enigmail uses to process a > > signed message? > > enigmail> C:\Program Files\GnuPG\gpg.exe --batch --no-tty --status-fd 2 > --verify > gpg: Signature made 12/16/04 15:17:17 CST using DSA key ID 010A57ED > gpg: BAD signature from "Werner Koch " > enigmail.js: Enigmail.decryptMessageEnd: Error in command execution > > Barry posted about this to the Enigmail team earlier this afternoon. For > him it looked to be a problem with PGP/MIME messages that contain "-- ". > > Only happens on signed PGP/MIME messages. Not signed and encrypted > PGP/MIME which works fine. Barry reported that dropping back to 1.3.92 > worked fine. Okay, I bet I know what the problem is. I need to talk to some of the Enigmail folks. I think they may have a PGP/MIME text canonicalization bug that one of the changes in 1.4 is aggravating. In the meantime, you can work around the problem with the attached patch to GnuPG. This isn't a real fix for the problem, but should get you going with 1.4 again until the real fix is ready. David -------------- next part -------------- Index: textfilter.c =================================================================== RCS file: /cvs/gnupg/gnupg/g10/textfilter.c,v retrieving revision 1.17 diff -u -r1.17 textfilter.c --- textfilter.c 11 Dec 2004 04:47:33 -0000 1.17 +++ textfilter.c 17 Dec 2004 02:14:59 -0000 @@ -105,7 +105,7 @@ behavior (ignoring 2440 itself), so this actually makes us compatible with PGP textmode detached signatures for the first time. */ - if(RFC2440) + if(1) tfx->buffer_len=trim_trailing_chars(tfx->buffer,tfx->buffer_len, " \t\r\n"); else From JPClizbe at comcast.net Fri Dec 17 03:40:15 2004 From: JPClizbe at comcast.net (John Clizbe) Date: Fri Dec 17 03:37:14 2004 Subject: Windows Binary 1.4.0 vs 1.4.0a which to use? In-Reply-To: <41C24217.4060908@algonquincollege.com> References: <41C205A3.1090204@phreaker.net> <20041216222602.GA11734@jabberwocky.com> <41C24217.4060908@algonquincollege.com> Message-ID: <41C2470F.30506@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Brian Lunergan wrote: > Hi folks: > > Loaded the 1.40a onto a system running win98se. When I open a > dos prompt directory and type gpg I still get the loading > iconv.dll error. Is there something I'm missing? Just answered earlier: http://lists.gnupg.org/pipermail/gnupg-users/2004-December/023911.html - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Annoy John Asscraft -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFBwkcOHQSsSmCNKhARApOnAJ9gb5dkmGiFJO8mDzalO/mxGbJqVACgrFay tci4nB0h4bLrHLDW8Hc8hUo= =VZq3 -----END PGP SIGNATURE----- From lune0002 at algonquincollege.com Fri Dec 17 03:52:59 2004 From: lune0002 at algonquincollege.com (Brian Lunergan) Date: Fri Dec 17 03:53:12 2004 Subject: Windows Binary 1.4.0 vs 1.4.0a which to use? In-Reply-To: <41C2470F.30506@comcast.net> References: <41C205A3.1090204@phreaker.net> <20041216222602.GA11734@jabberwocky.com> <41C24217.4060908@algonquincollege.com> <41C2470F.30506@comcast.net> Message-ID: <41C24A0B.4090902@algonquincollege.com> Oops! Sorry about that. I'll tiptoe off to the address provided and get things sorted out. John Clizbe wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Brian Lunergan wrote: > >>Hi folks: >> >>Loaded the 1.40a onto a system running win98se. When I open a >>dos prompt directory and type gpg I still get the loading >>iconv.dll error. Is there something I'm missing? > > > Just answered earlier: > > http://lists.gnupg.org/pipermail/gnupg-users/2004-December/023911.html > > > - -- > John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet > Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 > "Be who you are and say what you feel because those who mind don't matter > and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.0 (MingW32) > Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG > Comment: Annoy John Asscraft -- Use Strong Encryption. > Comment: It's YOUR right - for the time being. > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > iD8DBQFBwkcOHQSsSmCNKhARApOnAJ9gb5dkmGiFJO8mDzalO/mxGbJqVACgrFay > tci4nB0h4bLrHLDW8Hc8hUo= > =VZq3 > -----END PGP SIGNATURE----- > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > > --- > avast! Antivirus: Inbound message clean. > Virus Database (VPS): 0451-1, 2004/12/14 > Tested on: 16/12/04 9:49:56 PM > avast! is copyright (c) 2000-2003 ALWIL Software. > http://www.avast.com > > > > -- Brian Lunergan *************************************** IM Contact: AIM: lnrgnb ICQ: 207423899 MSN: brianlunergan@hotmail.com (nickname: GreyWolf706) Yahoo: brianlunergan *************************************** --- avast! Antivirus: Outbound message clean. Virus Database (VPS): 0451-1, 2004/12/14 Tested on: 16/12/04 9:53:01 PM avast! is copyright (c) 2000-2003 ALWIL Software. http://www.avast.com From shavital at mac.com Fri Dec 17 05:03:22 2004 From: shavital at mac.com (Charly Avital) Date: Fri Dec 17 05:01:04 2004 Subject: Bad Signature (was Re: [Announce] Updated GnuPG 1.4.0 Window binary) In-Reply-To: <41C2281D.9030001@t-link.de> References: <87zn0egnq7.fsf@wheatstone.g10code.de> <87u0qmdju1.fsf@wheatstone.g10code.de> <41C21C31.1060009@vfemail.net> <41C2281D.9030001@t-link.de> Message-ID: <97BC68E2-4FE0-11D9-B2B5-000A95D5D874@mac.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I believe WK is using an additional subkey to sign, that might be the reason: - - WK's signature verified on Thunderbird 1.0 (Macintosh), Mac OS X 10.3.7, GnuPG 1.4.0. Bad signature. - - verified with Apple's Mail.app/GnuPG 1.4.0/GPGMail 1.0.2 (St?phane Corth?sy). Verifies OK. Meaning good signature. - - verified with Apple's Mail.app/Services>PGP 8.1, "unknown key", and states signature's date and time. WK's key is included in PGP 8.1 Keyring. This is why I think this is a subkey signature. For all it is worth, Charly On Dec 16, 2004, at 7:28 PM, Michael Wenger wrote: > Hi Werner! > > Shatadal schrieb am 17.12.2004 00:37 : > >> It seems that your message was not signed correctly. I am using >> enigmail >> with mozilla thunderbird and it prompts me to import public keys >> required to verify signed messages. When I import your key however >> enigmail complains of a bad signature. I have imported your key from >> keyserver.kjsl.com and random.sks.keyserver.penguin.de and got the key >> for wk@gnupg.org with key id 0x5B0358A2. Interestingly enigmail asks >> for >> key ID 0x010A57ED initially to verify the signature. Maybe the problem >> is with enigmail. Could you help? > > The same with me. Your signature is the only one which Enigmail cannot > verify correctly. > The error message says: > gpg: Unterschrift vom 12/16/04 22:17:17, DSA Schl?ssel ID 010A57ED > gpg: FALSCHE Unterschrift von "Werner Koch " > > Thunderbird 0.9 DE > EnigMail 0.89.0 > GnuPG 1.2.5 > Windows Millennium > > I have had no problems with any signatures till now. > Can you tell us, what went wrong? > > Regards, > Michael -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (Darwin) iD8DBQFBwlqX8SG5rMkbCF4RAoztAKC7BwI06f+7GnTt2DUy7l7CvckUbQCfUnB7 QOibpjNLy/oAN8g2GkqXzeE= =yPeA -----END PGP SIGNATURE----- From JPClizbe at comcast.net Fri Dec 17 06:46:59 2004 From: JPClizbe at comcast.net (John Clizbe) Date: Fri Dec 17 06:44:09 2004 Subject: Broken signatures with Thunderbird/Enigmail since 1.4.0? In-Reply-To: <20041217002509.GA13382@dionysus.chud.net> References: <20041217002509.GA13382@dionysus.chud.net> Message-ID: <41C272D3.8000209@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Chris De Young wrote: > Hi, > > Since upgrading to 1.4.0 on Linux, Thunderbird/Enigmail seems to be > having trouble verifying signatures (so far mostly on messages I have > sent and CC: myself). The output is difficult to paste from > Thunderbird, but it's normal looking GPG output for "BAD Signature > from ...". > > This seems to be an enigmail problem, because Mutt reports a good > signature on the same copy of the same message. > > Has anyone else run into this, or have any guesses about any subtle > behavior change in 1.4.0 that might be giving Enigmail indigestion? Hi all, Had the opportunity to test this with David Shaw a bit ago. Until there is an Enigmail fix ready, the work around is to fall back to GnuPG 1.3.92 or 1.2.6. Regards, The Enigmail team - -------- Original Message -------- Subject: Re: First mail Date: Thu, 16 Dec 2004 23:50:59 -0500 From: David Shaw Okay, this is interesting. Your 1.4.0 message only works with 1.4.0, and your 1.3.92 message only works with the modified 1.4.0. (same as 1.3.92 in the end of line code). My messages verify with either 1.4.0 and 1.3.92 on your side. So.... I'm thinking text canonicalization. The PGP/MIME spec requires end-of-line whitespace to be protected by MIME encoding. It seems mutt is doing this, which is why you can verify my messages with either version. It seems Enigmail isn't doing this which is why your 1.4 messages only work with 1.4 here and your 1.3.92 messages only work with the modified 1.4 here. The reason why it suddenly stopped working with 1.4 is that the revision to the OpenPGP spec changed the end-of-line rules slightly. In the past, the rule was to remove spaces and tabs then canonicalize the line ending to CR+LF. The new rule is just to canonicalize the line ending. It seems that Enigmail is relying on GnuPG to handle the end-of-line whitespace and isn't protecting or removing it internally like mutt does. Since GnuPG doesn't do it any longer, we have breakage. - -------- End Original Message -------- - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0a (Windows 2000 SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFBwnLRHQSsSmCNKhARAhH3AJ42QLFi8ZRPqfOx8WQV2VYqy19CwACg121O ejXo+wZqxHEjpRIorUsIrGw= =nXCz -----END PGP SIGNATURE----- From atom at suspicious.org Fri Dec 17 07:46:46 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Fri Dec 17 07:42:19 2004 Subject: --list-keys == -k Message-ID: <20041217064546.99873.qmail@suspicious.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 going through the documentation for 1.4, i see the man page mentions: --list-keys [names] --list-public-keys [names] but no mention of "-k". documentation error? btw, builds and runs fine on freeBSD 5.3 (aside from BSD's secmem issue). thanks to everyone who worked on it!!! - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "Aerial bombardment is never proportionate, measured or targeted. It evolves a logic of its own, an escalation of horror similar to that unleashed by the terrorist. Like all distant and indiscriminate violence, it breeds a violent response. It is the dumbest weapon of war." -- Simon Jenkins They Opted to Bomb - It Had Better Work -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJBwoDcAAoJEAx/d+cTpVciGYYH/39426Zo/6zEiIqp2UbrdrnL q14fQJuoXc29pnqMochhaH75GUb43fV1ynXcuaICk7bx+pzU8SdkNdik+51bSUQe GvNgfaOGZMrmX3TcpI/4WOvblqWPSNvBvbExrYA2PAwQZm5QBGpztViuhRVdEi8j 7nCEAN3J97/QCPoppMZp7P5gHWj6VUb+rtUQIJKrk/apymEQSdoPEwOAoNpcj/fz DAQdadeX2cSJpm6njpc5rr3Gh14LsiGnz4gEYxo0gYeyfIMb5bsEV59xrG285VH4 o2YfhhNhniT7r7BYErYEvEVgWgL1LFqv2qx8oSm/JKozPyOlDJTfPNqHwfsPeW0= =Mcgd -----END PGP SIGNATURE----- From atom at suspicious.org Fri Dec 17 08:11:03 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Fri Dec 17 08:16:30 2004 Subject: dearmor/enarmor Message-ID: <20041217071008.11176.qmail@suspicious.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 dearmor/enarmor aren't mentioned in the man page... do they deserve any mention? i'm sure most people will never use them, but i find them handy for packet-hacking. - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "I made a pilgrimage to save this human race Never comprehending the race that's long gone by" -- Modern English -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJBwoaOAAoJEAx/d+cTpVci38cH/Any4U/5931wtk9WvcbXEV5s +I2hmZmjmXcprhgKQc8XbhcNHWayrMEy1vsJxHO4ItuiJsbAjGIoWN+sF6xiY3Qp 8FR9LJGAdp3n3ErrgcMO6LQVb2DfWMG9VzRaX3IpFI+IVF+2lTFHJ89MGOb6tnyF vhOgYhCMsKV4dJ9Wx02KGLDf4nWiuUx93XWant6awa24JcmloysQlkEQgel4/qmc cpKLo2FiucHselJFR9ndG54KwRipeZtBFqzllfzudpUUzSacDLl+9jTYuH7UuNGJ wIo5ABhed1T1gYqM89oMlT5EarqUK+u9bi0BKtPiOMVhCq447rDfqpeC5xvB0CQ= =qWlS -----END PGP SIGNATURE----- From twoaday at freakmail.de Fri Dec 17 07:52:14 2004 From: twoaday at freakmail.de (Timo Schulz) Date: Fri Dec 17 08:32:18 2004 Subject: Windows Client In-Reply-To: <4E28ECEE2E06784AA8921F82878C889E02105D61@DFSTXEXCH3.dfs.com> References: <4E28ECEE2E06784AA8921F82878C889E02105D61@DFSTXEXCH3.dfs.com> Message-ID: <20041217065214.GB412@daredevil.joesixpack.net> On Thu Dec 16 2004; 14:59, Peter Schott wrote: > Just a note on the quote below - according to the GnuPG site, there is > not an official 1.2.6 build for Windows because the bugs fixed from > 1.2.5 to 1.2.6 did not affect Windows. Can we lower the min required > version to 1.2.5 in light of that? My mistake, I often compile my own version so I forgot that 1.2.6 does not exist. But 1.2.5 is also perfectly okay. Or use the 1.3.x (now 1.4) versions. Timo From atom at suspicious.org Fri Dec 17 08:49:14 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Fri Dec 17 08:44:36 2004 Subject: "authentication" key flag Message-ID: <20041217074814.26277.qmail@suspicious.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 can anyone tell me how/what gpg authentication may be used for? rfc 2440bis-12 doesn't mention any details other than mentioning (in "5.2.3.21. Key Flags") that such capability exists. any use that i can think of for such a key seems like it could be handled by a ~regular~ signing key... - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "Your password must be at least 18770 characters and cannot repeat any of your previous 30689 passwords. Please type a different password. Type a password that meets these requirements in both text boxes." -- Microsoft takes security seriously in Knowledge Base Article Q276304. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJBwo+AAAoJEAx/d+cTpVciElYH/RYYI1PS8cTYkvtUFf8dNn1T FavIb45J8nkriFOebUSfHylqlFA67jCt73Pyasp4eMR/XpuWa5tUjJDZ3qUV/X2B 0ysNFmiv87cI3yv+xDrdQbbnzth8s0EgmmsXUST5R13hy0GJWjIuh2qkBYbAtq+H WqU8MzRk8tfLaTRXhSb+PYUhuNq7H40qsUpgdBJrSgGdG2GjwmUqFXbJ2SGXtFNI pXs7mtBylfzQCZi49+sq5pNbU3+AmLt0duqzmP2Hx6F1njekI7rPMSWS1KLU0l7D pvtsMY0EwYUJzUlBbRX3CE993+ILKpg2HZaTJt/EXnYyiqZh1cDLtvgl8JfetsQ= =jA0/ -----END PGP SIGNATURE----- From kairaven at arcor.de Fri Dec 17 09:11:08 2004 From: kairaven at arcor.de (Kai Raven) Date: Fri Dec 17 09:14:13 2004 Subject: [Announce] GnuPG stable 1.4 released In-Reply-To: <87zn0egnq7.fsf@wheatstone.g10code.de> References: <87zn0egnq7.fsf@wheatstone.g10code.de> Message-ID: <20041217091108.4d8e46e0@localhost.localdomain> Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 1027 bytes Desc: not available Url : /pipermail/attachments/20041217/874c2e4d/attachment-0001.bin From wk at gnupg.org Fri Dec 17 09:40:18 2004 From: wk at gnupg.org (Werner Koch) Date: Fri Dec 17 09:44:40 2004 Subject: Windows Binary 1.4.0 vs 1.4.0a which to use? In-Reply-To: <41C205A3.1090204@phreaker.net> (raindog@phreaker.net's message of "Thu, 16 Dec 2004 17:01:07 -0500") References: <41C205A3.1090204@phreaker.net> Message-ID: <87brcte2rx.fsf@wheatstone.g10code.de> On Thu, 16 Dec 2004 17:01:07 -0500, raindog said: > Well, the title says it all. I noticed on the ftp server that there > is v1.4.0 and v1.4.0a for Windows. What are the differences and which > one should I install? As written in the announcement 1.4.0a. Werner From wk at gnupg.org Fri Dec 17 09:44:02 2004 From: wk at gnupg.org (Werner Koch) Date: Fri Dec 17 09:44:52 2004 Subject: Bad Signature In-Reply-To: <97BC68E2-4FE0-11D9-B2B5-000A95D5D874@mac.com> (Charly Avital's message of "Thu, 16 Dec 2004 23:03:22 -0500") References: <87zn0egnq7.fsf@wheatstone.g10code.de> <87u0qmdju1.fsf@wheatstone.g10code.de> <41C21C31.1060009@vfemail.net> <41C2281D.9030001@t-link.de> <97BC68E2-4FE0-11D9-B2B5-000A95D5D874@mac.com> Message-ID: <877jnhe2lp.fsf@wheatstone.g10code.de> On Thu, 16 Dec 2004 23:03:22 -0500, Charly Avital said: > I believe WK is using an additional subkey to sign, that might be the > reason: That's true. I am using this since quite a time and never got any problem reports. That is also the reason why gpg shows a different key ID. gpg as well as pgp 8 handle this automagically. Werner -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 196 bytes Desc: not available Url : /pipermail/attachments/20041217/7d0e9abb/attachment-0001.bin From johanw at vulcan.xs4all.nl Fri Dec 17 02:27:22 2004 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Fri Dec 17 09:48:01 2004 Subject: [Announce] Updated GnuPG 1.4.0 Windows binary In-Reply-To: from Don Ferguson at "Dec 16, 2004 03:22:41 pm" Message-ID: <200412170127.CAA01041@vulcan.xs4all.nl> Don Ferguson wrote: >gpg: error loading 'iconv.dll': The specified module could not be found. It's only a warning, if you don't use any translations you can ignore it. If you do need translations, download iconv.dll and install it. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From wk at gnupg.org Fri Dec 17 09:47:19 2004 From: wk at gnupg.org (Werner Koch) Date: Fri Dec 17 09:49:41 2004 Subject: gpg: conversion from `utf-8 to `CP0 not available In-Reply-To: <2810063903.20041216231519@wanadoo.nl> (Henk de Bruijn's message of "Thu, 16 Dec 2004 23:15:19 +0100") References: <1159783930.20041128155921@wanadoo.nl> <87653q7zom.fsf@wheatstone.g10code.de> <873573880.20041129090406@wanadoo.nl> <87sm6t53oa.fsf@wheatstone.g10code.de> <1727693086.20041129151757@wanadoo.nl> <1401690184.20041216222410@wanadoo.nl> <2810063903.20041216231519@wanadoo.nl> Message-ID: <873by5e2g8.fsf@wheatstone.g10code.de> On Thu, 16 Dec 2004 23:15:19 +0100, Henk de Bruijn said: >> gpg --charset=CP850 -k akey >> I get the message gpg: error reading key: public key not found Well there is simply no key with the user ID "akey". Does gpg --list-keys show this key? If so I guess your user ID includes a non-ascii character and something with the internal mapping went wrong. Werner From wk at gnupg.org Fri Dec 17 10:00:07 2004 From: wk at gnupg.org (Werner Koch) Date: Fri Dec 17 10:49:05 2004 Subject: "authentication" key flag In-Reply-To: <20041217074814.26277.qmail@suspicious.org> (atom@suspicious.org's message of "Fri, 17 Dec 2004 02:49:14 -0500 (EST)") References: <20041217074814.26277.qmail@suspicious.org> Message-ID: <87pt19cnag.fsf@wheatstone.g10code.de> On Fri, 17 Dec 2004 02:49:14 -0500 (EST), Atom 'Smasher' said: > can anyone tell me how/what gpg authentication may be used for? rfc > 2440bis-12 doesn't mention any details other than mentioning (in > "5.2.3.21. Key Flags") that such capability exists. It is currently only used to tell gpg not to use this key for signing (if is does not also has the "s" capability). The idea is to use such keys for SSH and similar. The OpenPGP card features a key dedicated to that purpose. > any use that i can think of for such a key seems like it could be > handled by a ~regular~ signing key... The general rule is to use one key for one purpose. Salam-Shalom, Werner From wk at gnupg.org Fri Dec 17 09:57:04 2004 From: wk at gnupg.org (Werner Koch) Date: Fri Dec 17 10:49:27 2004 Subject: --list-keys == -k In-Reply-To: <20041217064546.99873.qmail@suspicious.org> (atom@suspicious.org's message of "Fri, 17 Dec 2004 01:46:46 -0500 (EST)") References: <20041217064546.99873.qmail@suspicious.org> Message-ID: <87u0qlcnfj.fsf@wheatstone.g10code.de> On Fri, 17 Dec 2004 01:46:46 -0500 (EST), Atom 'Smasher' said: > going through the documentation for 1.4, i see the man page mentions: > --list-keys [names] > --list-public-keys [names] > but no mention of "-k". > documentation error? No, this is on purpose. -k is still a kludge to be commandline compatible to PGG 2. The semantics of -k and --list-keys are slighlty different and we want to fade out the use of the PGP 2 compatibility mode. Eventually -k will be an alias for --list-kyes. BTW, there is already the lias -K for --list-secret-keys. Werner From shavital at mac.com Fri Dec 17 11:30:13 2004 From: shavital at mac.com (Charly Avital) Date: Fri Dec 17 11:26:40 2004 Subject: Bad Signature In-Reply-To: <877jnhe2lp.fsf@wheatstone.g10code.de> References: <87zn0egnq7.fsf@wheatstone.g10code.de> <87u0qmdju1.fsf@wheatstone.g10code.de> <41C21C31.1060009@vfemail.net> <41C2281D.9030001@t-link.de> <97BC68E2-4FE0-11D9-B2B5-000A95D5D874@mac.com> <877jnhe2lp.fsf@wheatstone.g10code.de> Message-ID: I believe the problem is with the way some MUAs interact with GnuPG. All your signed messages are correctly verified when I use (like here) Apple's Mail.app and GPGMail 1.2, the "module" that connects between the application and GnuPG. Charly On Dec 17, 2004, at 3:44 AM, Werner Koch wrote: > On Thu, 16 Dec 2004 23:03:22 -0500, Charly Avital said: > >> I believe WK is using an additional subkey to sign, that might be the >> reason: > > That's true. I am using this since quite a time and never got any > problem reports. That is also the reason why gpg shows a different > key ID. gpg as well as pgp 8 handle this automagically. > > Werner > From lists at t-link.de Fri Dec 17 12:21:53 2004 From: lists at t-link.de (Michael Wenger) Date: Fri Dec 17 12:18:29 2004 Subject: Bad Signature In-Reply-To: <877jnhe2lp.fsf@wheatstone.g10code.de> References: <87zn0egnq7.fsf@wheatstone.g10code.de> <87u0qmdju1.fsf@wheatstone.g10code.de> <41C21C31.1060009@vfemail.net> <41C2281D.9030001@t-link.de> <97BC68E2-4FE0-11D9-B2B5-000A95D5D874@mac.com> <877jnhe2lp.fsf@wheatstone.g10code.de> Message-ID: <41C2C151.3060607@t-link.de> Hi Werner! Werner Koch schrieb am 17.12.2004 09:44 : > On Thu, 16 Dec 2004 23:03:22 -0500, Charly Avital said: > >>I believe WK is using an additional subkey to sign, that might be the >>reason: > > That's true. I am using this since quite a time and never got any > problem reports. That is also the reason why gpg shows a different > key ID. gpg as well as pgp 8 handle this automagically. The signature of this mail has been verified successfully. I haven't changed anything in my configuration since yesterday. Very strange... Regards, Michael -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 546 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20041217/2575b9f1/signature.bin From wk at gnupg.org Fri Dec 17 12:41:42 2004 From: wk at gnupg.org (Werner Koch) Date: Fri Dec 17 12:48:08 2004 Subject: Bad Signature In-Reply-To: <41C2C151.3060607@t-link.de> (Michael Wenger's message of "Fri, 17 Dec 2004 12:21:53 +0100") References: <87zn0egnq7.fsf@wheatstone.g10code.de> <87u0qmdju1.fsf@wheatstone.g10code.de> <41C21C31.1060009@vfemail.net> <41C2281D.9030001@t-link.de> <97BC68E2-4FE0-11D9-B2B5-000A95D5D874@mac.com> <877jnhe2lp.fsf@wheatstone.g10code.de> <41C2C151.3060607@t-link.de> Message-ID: <873by5b18p.fsf@wheatstone.g10code.de> On Fri, 17 Dec 2004 12:21:53 +0100, Michael Wenger said: > The signature of this mail has been verified successfully. > I haven't changed anything in my configuration since yesterday. > Very strange... That depends on whether trailing spaces are in the message or not. Sometimes I hit the space key at the end of a line or due to cut+paste spaces are added. That is an Enigmail issue. In general MUAs should protect important trailing spaces using QP encoding (e.g. for the signature delimiter "-- ") so that they are not relevant for OpenPGP or PGP/MIME. I will check whether my MUA (Gnus) does it right. Werner -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 196 bytes Desc: not available Url : /pipermail/attachments/20041217/9a213013/attachment.bin From michael at pairofsixes.com Fri Dec 17 13:26:14 2004 From: michael at pairofsixes.com (Michael McAllister) Date: Fri Dec 17 13:22:53 2004 Subject: gen-keys hanging in WinXP SP2 Message-ID: <200412171226.iBHCQGJ6010853@ms-smtp-04.texas.rr.com> All I have upgraded my machine to use 1.4.0a and the problem is still occurring. Any suggestions? FWIW, I have pasted below my signature a text capture of the command and my responses. Regards Mike C:\>gpg --gen-key gpg (GnuPG) 1.4.0; Copyright (C) 2004 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Please select what kind of key you want: (1) DSA and Elgamal (default) (2) DSA (sign only) (5) RSA (sign only) Your selection? 1 DSA keypair will have 1024 bits. ELG-E keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) Requested keysize is 2048 bits Please specify how long the key should be valid. 0 = key does not expire = key expires in n days w = key expires in n weeks m = key expires in n months y = key expires in n years Key is valid for? (0) Key does not expire at all Is this correct? (y/N) y You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) " Real name: Michael McAllister Email address: michael@pairofsixes.com Comment: Home Address You selected this USER-ID: "Michael McAllister (Home Address) " Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O You need a Passphrase to protect your secret key. -----Original Message----- From: Michael McAllister [mailto:michael@pairofsixes.com] Sent: Wednesday, December 15, 2004 7:43 AM To: 'gnupg-users@gnupg.org' Subject: gen-keys hanging in WinXP SP2 Hi (I sent a previous version of this which doesn't seem to have come through to the list. It was originally in Outlook HTML form email which I've noticed mailman sometimes filters out - so, I'm resending with more info and (hopefull!) as a plain text email.) I'm a newbie user of gpg, and am trying to generate my first key. I have version 1.2.5 installed on WinXP SP2. The software is installed in the default directory (c:\gnupg) with the main executables copied into c:\windows\system32. I started generating my first key (for this address) last night (around 11:30pm?), and as of this morning it still hasn't finished. I did spend some time registering some keyboard activity as suggested, but that doesn't seem to have helped. Does anyone have any suggestions as to what might be going wrong, and how to fix it? Specifically what happens is it asks me for my passphrase twice, and then once I've entered that, the generation of keys hangs. I have done some research and can say:- - The output of random characters (mainly plus signs?) does not occur after entering the passphrase, and while doing calculations for the key. - I do NOT receive any error about not enough entropy being available. That's because I don't receive ANYTHING ;-) Oh, forgot to mention - my machine is a 3GHz P4 with 512MB RAM, so I don't see the machine being a limiting factor. Regards Mike From lists at t-link.de Fri Dec 17 13:54:38 2004 From: lists at t-link.de (Michael Wenger) Date: Fri Dec 17 13:51:17 2004 Subject: Bad Signature In-Reply-To: <873by5b18p.fsf@wheatstone.g10code.de> References: <87zn0egnq7.fsf@wheatstone.g10code.de> <87u0qmdju1.fsf@wheatstone.g10code.de> <41C21C31.1060009@vfemail.net> <41C2281D.9030001@t-link.de> <97BC68E2-4FE0-11D9-B2B5-000A95D5D874@mac.com> <877jnhe2lp.fsf@wheatstone.g10code.de> <41C2C151.3060607@t-link.de> <873by5b18p.fsf@wheatstone.g10code.de> Message-ID: <41C2D70E.1020707@t-link.de> Hi Werner! Werner Koch schrieb am 17.12.2004 12:41 : > On Fri, 17 Dec 2004 12:21:53 +0100, Michael Wenger said: > >>The signature of this mail has been verified successfully. >>I haven't changed anything in my configuration since yesterday. >>Very strange... > > That depends on whether trailing spaces are in the message or not. > Sometimes I hit the space key at the end of a line or due to cut+paste > spaces are added. That is an Enigmail issue. In general MUAs should > protect important trailing spaces using QP encoding (e.g. for the > signature delimiter "-- ") so that they are not relevant for OpenPGP > or PGP/MIME. I will check whether my MUA (Gnus) does it right. Thanks a lot for this explanation. I hope, the Enigmail-Developers will resolve this issue. Maybe, I should upgrade to the latest Enigmail-version. But in order to do so, I will have to upgrade Thunderbird and many many extensions... Btw: This mail has not been verified correctly, again ;-) Michael -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 546 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20041217/47e53dab/signature.bin From henkdebruijn at wanadoo.nl Fri Dec 17 14:03:09 2004 From: henkdebruijn at wanadoo.nl (Henk de Bruijn) Date: Fri Dec 17 13:59:30 2004 Subject: gpg: conversion from `utf-8 to `CP0 not available In-Reply-To: <873by5e2g8.fsf@wheatstone.g10code.de> References: <1159783930.20041128155921@wanadoo.nl> <87653q7zom.fsf@wheatstone.g10code.de> <873573880.20041129090406@wanadoo.nl> <87sm6t53oa.fsf@wheatstone.g10code.de> <1727693086.20041129151757@wanadoo.nl> <1401690184.20041216222410@wanadoo.nl> <2810063903.20041216231519@wanadoo.nl> <873by5e2g8.fsf@wheatstone.g10code.de> Message-ID: <526535830.20041217140309@wanadoo.nl> On Fri, 17 Dec 2004 09:47:19 +0100GMT (17-12-2004, 9:47 +0100, where I live), Werner Koch wrote: > On Thu, 16 Dec 2004 23:15:19 +0100, Henk de Bruijn said: >>> gpg --charset=CP850 -k akey >>> I get the message gpg: error reading key: public key not found > Well there is simply no key with the user ID "akey". Does > gpg --list-keys > show this key? If so I guess your user ID includes a non-ascii > character and something with the internal mapping went wrong. Yes, gpg --list-keys shows among others this key. I read that other the Bat! users having simular problems, so I will put this on the Bat! bugtracker. Btw using Thunderbird 1.0 with Enigmail works fine. -- Henk ______________________________________________________________________ The Bat!? Natural Email System v3.0.2.10nl Professional on Windows XP SP2 PGPkey request: see headers or send email with subj.: send HenksKeyID Gossamer Spider Web of Trust http://gswot.webhop.info/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 205 bytes Desc: not available Url : /pipermail/attachments/20041217/d4cbe47f/attachment-0001.bin From wk at gnupg.org Fri Dec 17 14:50:31 2004 From: wk at gnupg.org (Werner Koch) Date: Fri Dec 17 14:54:40 2004 Subject: Bad Signature In-Reply-To: <41C2D70E.1020707@t-link.de> (Michael Wenger's message of "Fri, 17 Dec 2004 13:54:38 +0100") References: <87zn0egnq7.fsf@wheatstone.g10code.de> <87u0qmdju1.fsf@wheatstone.g10code.de> <41C21C31.1060009@vfemail.net> <41C2281D.9030001@t-link.de> <97BC68E2-4FE0-11D9-B2B5-000A95D5D874@mac.com> <877jnhe2lp.fsf@wheatstone.g10code.de> <41C2C151.3060607@t-link.de> <873by5b18p.fsf@wheatstone.g10code.de> <41C2D70E.1020707@t-link.de> Message-ID: <87brct9gpk.fsf@wheatstone.g10code.de> On Fri, 17 Dec 2004 13:54:38 +0100, Michael Wenger said: > Btw: This mail has not been verified correctly, again ;-) Yes, Gnus does it also not in a robust way. I already reported this to the Gnus list. Werner From bbodi at web.de Thu Dec 16 11:03:59 2004 From: bbodi at web.de (Bernhard Bodenstorfer) Date: Fri Dec 17 15:10:08 2004 Subject: gpg: conversion from `utf-8' to `CP0' not available Message-ID: <1813673219@web.de> With gpg 1.3.93 on a Sun SPARC running Solaris 8, I run into a similar problem: gpg: conversion from `utf-8' to `646' not available I am calling gpg from the command line and did try various settings of --display-charset and --charset on the command line. No success. Kind regards, Bernhard __________________________________________________________ Mit WEB.DE FreePhone mit hoechster Qualitaet ab 0 Ct./Min. weltweit telefonieren! http://freephone.web.de/?mc=021201 From dshaw at jabberwocky.com Fri Dec 17 15:24:00 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Dec 17 15:20:56 2004 Subject: [Announce] GnuPG stable 1.4 released In-Reply-To: <20041217091108.4d8e46e0@localhost.localdomain> References: <87zn0egnq7.fsf@wheatstone.g10code.de> <20041217091108.4d8e46e0@localhost.localdomain> Message-ID: <20041217142400.GJ13882@jabberwocky.com> On Fri, Dec 17, 2004 at 09:11:08AM +0100, Kai Raven wrote: > RPM building works and GnuPG runs fine under Fedora Core 3. But it > was necessary to put the option exec-path for the keyserver helpers > into gpg.conf. It wasn't necessary with a manual compilation of > 1.3.92. Where do the keyserver helpers end up with an RPM build? If they aren't in your $PATH, then you do need exec-path. David -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 250 bytes Desc: not available Url : /pipermail/attachments/20041217/e704e539/attachment.bin From dshaw at jabberwocky.com Fri Dec 17 15:35:21 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Dec 17 15:32:17 2004 Subject: [Announce] GnuPG stable 1.4 released In-Reply-To: <20041217142400.GJ13882@jabberwocky.com> References: <87zn0egnq7.fsf@wheatstone.g10code.de> <20041217091108.4d8e46e0@localhost.localdomain> <20041217142400.GJ13882@jabberwocky.com> Message-ID: <20041217143521.GK13882@jabberwocky.com> On Fri, Dec 17, 2004 at 09:24:00AM -0500, David Shaw wrote: > On Fri, Dec 17, 2004 at 09:11:08AM +0100, Kai Raven wrote: > > > RPM building works and GnuPG runs fine under Fedora Core 3. But it > > was necessary to put the option exec-path for the keyserver helpers > > into gpg.conf. It wasn't necessary with a manual compilation of > > 1.3.92. > > Where do the keyserver helpers end up with an RPM build? If they > aren't in your $PATH, then you do need exec-path. Oops - meant to say "If they aren't in your libexecdir", which is /usr/local/libexec/gnupg unless you override it at configure time. David -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 250 bytes Desc: not available Url : /pipermail/attachments/20041217/0ac3cedc/attachment.bin From pt at radvis.nu Fri Dec 17 19:51:52 2004 From: pt at radvis.nu (Per Tunedal Casual) Date: Fri Dec 17 20:09:36 2004 Subject: OT sha1sum.exe doesn't work in a batch fil Message-ID: <6.1.2.0.2.20041217194529.03bf9bf8@localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I use batch-files with a shortcut in the Send-to folder to perform simple tasks on Windows XP. It works OK to let gpg.exe display sha1 for a file, but sha1sum.exe doesn't work. Why? I tried: sha1sum %1 pause echo Hit any key to finish! pause > nul V?nligen Per Tunedal Civ. ing. Civ. ek. S:t Mickelsgatan 148 129 44 H?gersten Telefon: 08-646 34 83 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (MingW32) - GPGrelay v0.955 Comment: Vad ?r en PGP-signatur? www.clipanish.com/PGP/pgp.html iD8DBQFBwyrlaDDfzFT+2PIRAuTOAJ9SYFyv//eW6bICL9dAxbd9XONnRACcC4KZ qtZ9QPKjvKW8sAeZ6L+c9/A= =/jJ+ -----END PGP SIGNATURE----- From raindog at phreaker.net Fri Dec 17 21:40:59 2004 From: raindog at phreaker.net (raindog) Date: Fri Dec 17 21:37:23 2004 Subject: Windows Binary 1.4.0 vs 1.4.0a which to use? In-Reply-To: <87brcte2rx.fsf@wheatstone.g10code.de> References: <41C205A3.1090204@phreaker.net> <87brcte2rx.fsf@wheatstone.g10code.de> Message-ID: <41C3445B.9070603@phreaker.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Werner Koch wrote: | On Thu, 16 Dec 2004 17:01:07 -0500, raindog said: | |> Well, the title says it all. I noticed on the ftp server that |> there is v1.4.0 and v1.4.0a for Windows. What are the |> differences and which one should I install? | | | As written in the announcement 1.4.0a. | | Werner | | I originally posted my question before the updated announcement hit the list. - -- Economists exist to boost astrologers' credibility. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFBw0RbKMTS1WgyzMQRAtxfAJoDDhQ5LPuJK5YwrCmZxAyfRENdAwCgj7p8 CDIXZkKuPLHWXb27WsmQlfA= =bSfP -----END PGP SIGNATURE----- From wk at gnupg.org Fri Dec 17 20:02:13 2004 From: wk at gnupg.org (Werner Koch) Date: Fri Dec 17 23:24:00 2004 Subject: gpg: conversion from `utf-8' to `CP0' not available In-Reply-To: <1813673219@web.de> (Bernhard Bodenstorfer's message of "Thu, 16 Dec 2004 12:03:59 +0200") References: <1813673219@web.de> Message-ID: <87u0qk7npm.fsf@wheatstone.g10code.de> On Thu, 16 Dec 2004 12:03:59 +0200, Bernhard Bodenstorfer said: > gpg: conversion from `utf-8' to `646' not available You should set your locale correctly. IIRC, 646 means plain 7 bit ASCII and thus mapping of any 8 bit character set is not possible. > I am calling gpg from the command line and did try various settings of --display-charset and --charset on the command line. No success. Check your OS manuals on how to set the locale. Hth, Werner From henkdebruijn at wanadoo.nl Fri Dec 17 17:26:30 2004 From: henkdebruijn at wanadoo.nl (Henk de Bruijn) Date: Fri Dec 17 23:42:22 2004 Subject: gpg: conversion from `utf-8 to `CP0 not available In-Reply-To: References: <1159783930.20041128155921@wanadoo.nl> <87653q7zom.fsf@wheatstone.g10code.de> <873573880.20041129090406@wanadoo.nl> <87sm6t53oa.fsf@wheatstone.g10code.de> <1727693086.20041129151757@wanadoo.nl> <1401690184.20041216222410@wanadoo.nl> <2810063903.20041216231519@wanadoo.nl> <873by5e2g8.fsf@wheatstone.g10code.de> <526535830.20041217140309__28601.3212673881$1103288766$gmane$org@wanadoo.nl> Message-ID: <41C308B6.4060500@wanadoo.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Melchior de Contades schreef: | Hi, | | Henk de Bruijn ?crivait (wrote) le (on) 17/12/04 14:03: | |> Btw using Thunderbird 1.0 with Enigmail works fine. | | | I'd like to know how you manage... | | Running Thunderbird 1.0 here with Enigmail v0.89.5-tb-win32.xpi. I | need also the Enigmime module, but the only one i found | v0.86.1-tb-win32.xpi is NOT compatible with Thunderbird 1.0 | | Is there a new Enigmime module for Thunderbird 1.0 ? Where i can | find one ? I can't do anything without a compatible Enigmime. | | Thank you for any tips. Thunderbird 1.0 Enigmail v0.89.5 on Windows XP SP2 cheers, Henk -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFBwwi2Egabk9vm5ngRAoahAJ9WNPHKxg0yZGlZxUBlv0aMp8M3BACg7DWP HJYuKw5oIQK9X3PM9FnRwX4= =Jhx0 -----END PGP SIGNATURE----- From kairaven at arcor.de Fri Dec 17 17:00:25 2004 From: kairaven at arcor.de (Kai Raven) Date: Sat Dec 18 00:46:06 2004 Subject: [Announce] GnuPG stable 1.4 released In-Reply-To: <20041217143521.GK13882@jabberwocky.com> References: <87zn0egnq7.fsf@wheatstone.g10code.de> <20041217091108.4d8e46e0@localhost.localdomain> <20041217142400.GJ13882@jabberwocky.com> <20041217143521.GK13882@jabberwocky.com> Message-ID: <20041217170025.2b3b4e6f@localhost.localdomain> Hi David, On Fri, 17 Dec 2004 09:35:21 -0500 you wrote: > Oops - meant to say "If they aren't in your libexecdir", which is > /usr/local/libexec/gnupg unless you override it at configure time. Ah, OK. I have used /usr as prefix :) -- Ciao Kai WWW: http://kai.iks-jena.de/ Blog: http://rabenhorst.blogg.de/ GnuPG-Key: 0xD6E995A0 Jabber: kraven@jabber.ccc.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 860 bytes Desc: not available Url : /pipermail/attachments/20041217/d47685f5/attachment.bin From dshaw at jabberwocky.com Sat Dec 18 06:24:48 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Sat Dec 18 07:33:42 2004 Subject: [Announce] GnuPG stable 1.4 released In-Reply-To: <20041217170025.2b3b4e6f@localhost.localdomain> References: <87zn0egnq7.fsf@wheatstone.g10code.de> <20041217091108.4d8e46e0@localhost.localdomain> <20041217142400.GJ13882@jabberwocky.com> <20041217143521.GK13882@jabberwocky.com> <20041217170025.2b3b4e6f@localhost.localdomain> Message-ID: <20041218052447.GF10188@jabberwocky.com> On Fri, Dec 17, 2004 at 05:00:25PM +0100, Kai Raven wrote: > > Hi David, > > On Fri, 17 Dec 2004 09:35:21 -0500 you wrote: > > > Oops - meant to say "If they aren't in your libexecdir", which is > > /usr/local/libexec/gnupg unless you override it at configure time. > > Ah, OK. I have used /usr as prefix :) If you use configure --prefix=/usr then the libexecdir will end up being /usr/libexec/gnupg. David From usenet-2004 at webmounty.de Fri Dec 17 16:02:19 2004 From: usenet-2004 at webmounty.de (Ingo Buescher) Date: Mon Dec 20 11:01:44 2004 Subject: locally signed keys are not necessarily fully trusted any more Message-ID: Hi, after I switched from gnupg-1.2.6 to gnupg-1.4.0 I noticed a peculiar problem concerning the validity of some of the keys in my keyring - although I signed all of them locally some are not regarded "fully" trusted any more. gallatin@nathan:~/.gnupg $ gpg --list-sig netfilter pub 1024D/CA9A8D5B 2001-09-15 [expires: 2006-09-14] uid [ unknown] Netfilter Core Team sig 3 CA9A8D5B 2001-09-15 never Netfilter Core Team sig 470DB964 2001-12-18 never [User ID not found] sig 1 L DF00C939 2004-06-08 2006-09-14 Ingo Buescher sig 7135E366 2003-12-21 never [User ID not found] sub 1024g/85DD6C1A 2001-09-15 [expires: 2006-09-14] sig CA9A8D5B 2001-09-15 never Netfilter Core Team other keys I signed locally are just fine and no - those are not signed by a trusted third party either. I can repair the problem if I remove my local signature from those keys and use "lsign" again. Am I making a stupid mistake here? IB -- =========================================================================== Ingo Buescher "As a Usenet discussion grows longer, the probability of a comparison involving Nazis or Hitler approaches one." -- Godwin's Law From daniel.briley at ntlworld.com Sat Dec 18 13:14:24 2004 From: daniel.briley at ntlworld.com (Daniel Briley) Date: Mon Dec 20 11:01:51 2004 Subject: Use of PGP to sign distributed files Message-ID: <20041218121552.VLQR7271.aamta06-winn.mailhost.ntl.com@winxp> Hi, I'm looking to distribute some text files on a peer to peer network containing some information. The problem I have is that with p2p being a public system, people can easily create and share bogus versions of your file. I've been looking into a way to digitally sign my files to ensure their authenticity once downloaded by a user. Would you, in your opinion, consider GnuPG to be suitable for this task? I've been looking into GnuPG because it's free of some of the licensing constraints of other versions. Also, in the future I've thought about possibly creating an app to run these checks automatically. Would you recommend using portions of the GnuPG code in my app for this? Many thanks, Daniel From patrick.brunschwig at gmx.net Sat Dec 18 18:13:39 2004 From: patrick.brunschwig at gmx.net (Patrick Brunschwig) Date: Mon Dec 20 11:01:54 2004 Subject: Enigmail v0.89.6 available Message-ID: <41C46543.1070800@gmx.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have released Enigmail v0.89.6 for Thunderbird 1.0 and Mozilla 1.7.x. I fixed creation of PGP/MIME messages and other compatibility issues with GnuPG 1.4.0. Thanks to John and David for analyzing the problem so quickly! At the same time I'm taking the opportunity to announce the availability of the new OpenPGP key management in Enigmail. Most of the important functionality is currently available; more will follow soon. Enigmail is available from http://enigmail.mozdev.org/download.html Patrick -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFBxGVA2KgHx8zsInsRAqYhAJ9iIr8lku7JqjmCH+bCCG1RrfT8GgCgrAsp pbo8Vq+cIQKSFAwE/T6eiZk= =1sXA -----END PGP SIGNATURE----- From kairaven at arcor.de Sat Dec 18 22:07:15 2004 From: kairaven at arcor.de (Kai Raven) Date: Mon Dec 20 11:01:56 2004 Subject: [Announce] GnuPG stable 1.4 released In-Reply-To: <20041218052447.GF10188@jabberwocky.com> References: <87zn0egnq7.fsf@wheatstone.g10code.de> <20041217091108.4d8e46e0@localhost.localdomain> <20041217142400.GJ13882@jabberwocky.com> <20041217143521.GK13882@jabberwocky.com> <20041217170025.2b3b4e6f@localhost.localdomain> <20041218052447.GF10188@jabberwocky.com> Message-ID: <20041218220715.0ff645b6@localhost.localdomain> Hi David, On Sat, 18 Dec 2004 00:24:48 -0500 you wrote: > If you use configure --prefix=/usr then the libexecdir will end up > being /usr/libexec/gnupg. mmh, the gpgkeys_* helpers are in /usr/libexec, but I have set exec-path /usr/libexec and all is working fine :) -- Ciao Kai WWW: http://kai.iks-jena.de/ Blog: http://rabenhorst.blogg.de/ GnuPG-Key: 0xD6E995A0 Jabber: kraven@jabber.ccc.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 860 bytes Desc: not available Url : /pipermail/attachments/20041218/fb7a4a60/attachment.bin From jharris at widomaker.com Sun Dec 19 22:09:48 2004 From: jharris at widomaker.com (Jason Harris) Date: Mon Dec 20 11:02:44 2004 Subject: WinPT key POSTing problem Message-ID: <20041219210948.GA39398@wilma.widomaker.com> A few WinPT users popped up in my keyserver log recently. Some were sending a bad POST command: (cmd path User-Agent: Host:) POST http://wwwkeys.us.pgp.net:11371/pks/add "WinPT/W32" "wwwkeys.us.pgp.net:11371" It is an error to have http+hostname+port in the POST path, only the local path, /pks/add, is correct. These were given an HTTP 404 response. In this instance, the Host: header is correct, and is the proper place to include the hostname and port number. Of course, another user sent a malformed Host: header: (cmd path User-Agent: Host:) POST /pks/add "WinPT/W32" "http://subkeys.pgp.net:11371" but was at least able to post their key. (There are no checks on the value/validity of the Host: header at this time.) However, the "http://" is incorrect and needs to be dropped from Host:. I also notice these requests were identified as HTTP/1.0. Other than understanding and sending "Connection: close" headers, is there a reason to not identify them as HTTP/1.1 requests? [new feature] keyserver.kjsl.com has been generating (HTTP/1.1) ETag: headers, first on port 80 (a PHP page), followed shortly by port 11371 (patched pks). It also supports HEAD requests and ETag: cache-control semantics, albeit only for single ETags (in the If-None-Match: header). If WinPT were to store the ETag: as it downloaded each key, it could ask for that key and send 'If-None-Match: ""\r\n' in order to get the key only if it has changed. -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : /pipermail/attachments/20041219/1a8cfa5f/attachment.bin From kairaven at arcor.de Sat Dec 18 22:13:19 2004 From: kairaven at arcor.de (Kai Raven) Date: Mon Dec 20 11:03:14 2004 Subject: secret- and public-key crypto Message-ID: <20041218221319.3c8faab4@localhost.localdomain> Hi, i have one question about the new symmetric and public-key encryption. Is the same session key used or a separate one for each encryption? -- Ciao Kai WWW: http://kai.iks-jena.de/ Blog: http://rabenhorst.blogg.de/ GnuPG-Key: 0xD6E995A0 Jabber: kraven@jabber.ccc.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 860 bytes Desc: not available Url : /pipermail/attachments/20041218/177ef1b0/attachment.bin From linux at codehelp.co.uk Mon Dec 20 12:00:06 2004 From: linux at codehelp.co.uk (Neil Williams) Date: Mon Dec 20 11:56:40 2004 Subject: locally signed keys are not necessarily fully trusted any more In-Reply-To: References: Message-ID: <200412201100.11366.linux@codehelp.co.uk> On Friday 17 December 2004 3:02 pm, Ingo Buescher wrote: > Hi, > after I switched from gnupg-1.2.6 to gnupg-1.4.0 I noticed a peculiar > problem concerning the validity of some of the keys in my keyring - > although I signed all of them locally some are not regarded "fully" > trusted any more. > > gallatin@nathan:~/.gnupg $ gpg --list-sig netfilter > pub 1024D/CA9A8D5B 2001-09-15 [expires: 2006-09-14] > uid [ unknown] Netfilter Core Team > sig 3 CA9A8D5B 2001-09-15 never Netfilter Core Team sig 3: indicating very careful checking prior to signature. > > sig 470DB964 2001-12-18 never [User ID not found] > sig 1 L DF00C939 2004-06-08 2006-09-14 Ingo Buescher sig 1: indicating casual checking. Is GnuPG taking that into account? Are the other locally signed keys sig 3? > other keys I signed locally are just fine and no - those are not > signed by a trusted third party either. > I can repair the problem if I remove my local signature from those keys > and use "lsign" again. Am I making a stupid mistake here? At what LEVEL are you re-signing? -- Neil Williams ============= http://www.dclug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20041220/5b795436/attachment-0001.bin From linux at codehelp.co.uk Mon Dec 20 12:25:20 2004 From: linux at codehelp.co.uk (Neil Williams) Date: Mon Dec 20 12:31:43 2004 Subject: Use of PGP to sign distributed files In-Reply-To: <20041218121552.VLQR7271.aamta06-winn.mailhost.ntl.com@winxp> References: <20041218121552.VLQR7271.aamta06-winn.mailhost.ntl.com@winxp> Message-ID: <200412201125.22956.linux@codehelp.co.uk> On Saturday 18 December 2004 12:14 pm, Daniel Briley wrote: > Hi, > > I'm looking to distribute some text files on a peer to peer network > containing some information. The problem I have is that with p2p being a > public system, people can easily create and share bogus versions of your > file. I've been looking into a way to digitally sign my files to ensure > their authenticity once downloaded by a user. That's why packages on websites are often signed using GnuPG, so yes, it is suitable in general terms. You create a detached signature (gpg -ab) and post that alongside the file - it is given the same name with a .asc extension by default. Try downloading and verifying some packages yourself - to start you off, look at: http://sourceforge.net/project/showfiles.php?group_id=90779 > Also, in the future I've thought about possibly creating an app to run Signatures can be verified automatically as long as the public key is available. > these checks automatically. Would you recommend using portions of the GnuPG > code in my app for this? Don't split the code - use it as it is and use the functionality from the program. Look at man gpg and the options: --with-colons --fixed-list-mode gpg --verify sigfile [files] Verify the signature of the file but do not output the data. The second form is used for detached signatures, where sigfile is the detached signature (either ASCII armored or binary) and [files] are the signed data; if this is not given, the name of the file holding the signed data is constructed by cutting off the extension (".asc" or ".sig") of sigfile or by asking the user for the filename. -- Neil Williams ============= http://www.dclug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20041220/30218bbb/attachment.bin From wk at gnupg.org Mon Dec 20 12:47:04 2004 From: wk at gnupg.org (Werner Koch) Date: Mon Dec 20 12:49:45 2004 Subject: secret- and public-key crypto In-Reply-To: <20041218221319.3c8faab4@localhost.localdomain> (Kai Raven's message of "Sat, 18 Dec 2004 22:13:19 +0100") References: <20041218221319.3c8faab4@localhost.localdomain> Message-ID: <87brcpxkcn.fsf@wheatstone.g10code.de> On Sat, 18 Dec 2004 22:13:19 +0100, Kai Raven said: > i have one question about the new symmetric and public-key encryption. > Is the same session key used or a separate one for each encryption? That's easy to check: Just encrypt a large message and see whether the size doubles if you add second key... You will notice that the same session key is used. Werner From michael at hirnreck.de Mon Dec 20 13:43:42 2004 From: michael at hirnreck.de (Michael Kirchner) Date: Mon Dec 20 13:40:23 2004 Subject: expire function Message-ID: <41C6C8FE.9000402@hirnreck.de> Hi all, I am using GPG with Thunderbird and Enigmail to sign and encrypt mostly private communication. Up to now I used the "expires" date to make sure that my key will only be valid for about a year and so something like a date is attached to my signatures. After about a year I then generated a new key (eventually upgraded the size of the key), signed the new key with the old one and uploaded it. While at the time of starting with this method, some years back, everything seemed reasonable I lately come to think about it again, as I did never see anyone else do so (with the exception of the German CERT). Perhaps you might enlighten me: is there an special security problem connected to a yearly expire and reissuing of my keys? Regards, -- Michael Thomas Kirchner From wk at gnupg.org Mon Dec 20 13:48:22 2004 From: wk at gnupg.org (Werner Koch) Date: Mon Dec 20 13:49:41 2004 Subject: Use of PGP to sign distributed files In-Reply-To: <200412201125.22956.linux@codehelp.co.uk> (Neil Williams's message of "Mon, 20 Dec 2004 11:25:20 +0000") References: <20041218121552.VLQR7271.aamta06-winn.mailhost.ntl.com@winxp> <200412201125.22956.linux@codehelp.co.uk> Message-ID: <873by1xhih.fsf@wheatstone.g10code.de> On Mon, 20 Dec 2004 11:25:20 +0000, Neil Williams said: > Don't split the code - use it as it is and use the functionality from the > program. Look at man gpg and the options: > --with-colons > --fixed-list-mode Or use gpgme (http://www.gnupg.org/related_software/gpgme/) and don't care about the options to use. Werner From wk at gnupg.org Mon Dec 20 13:52:12 2004 From: wk at gnupg.org (Werner Koch) Date: Mon Dec 20 13:54:41 2004 Subject: locally signed keys are not necessarily fully trusted any more In-Reply-To: <200412201100.11366.linux@codehelp.co.uk> (Neil Williams's message of "Mon, 20 Dec 2004 11:00:06 +0000") References: <200412201100.11366.linux@codehelp.co.uk> Message-ID: <87y8ftw2rn.fsf@wheatstone.g10code.de> On Mon, 20 Dec 2004 11:00:06 +0000, Neil Williams said: > sig 1: indicating casual checking. > Is GnuPG taking that into account? --min-cert-level When building the trust database, disregard any signatures with a certification level below this. Defaults to 2, which disregards level 1 signatures. From maillists at webmounty.de Mon Dec 20 14:52:29 2004 From: maillists at webmounty.de (Ingo Buescher) Date: Mon Dec 20 14:53:49 2004 Subject: locally signed keys are not necessarily fully trusted any more Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Neil Williams wrote: >> gallatin@nathan:~/.gnupg $ gpg --list-sig netfilter >> pub 1024D/CA9A8D5B 2001-09-15 [expires: 2006-09-14] >> uid [ unknown] Netfilter Core Team >> sig 3 CA9A8D5B 2001-09-15 never Netfilter Core Team >sig 3: indicating very careful checking prior to signature. >> >> sig 470DB964 2001-12-18 never [User ID not found] >> sig 1 L DF00C939 2004-06-08 2006-09-14 Ingo Buescher >sig 1: indicating casual checking. >Is GnuPG taking that into account? >Are the other locally signed keys sig 3? Yes, they are. I really can't imagine why the default cert level might have changed when I signed keys but since I switched on the option ask-cert-level now, I made sure that from now on I'll be asked every time for my trust in the validity of the key. I think the problem will not arise again. Thank you. Ingo - -- =========================================================================== Ingo Buescher "This country is at an awkward stage. It's too late to work within the system, but too early to shoot the bastards." -- Claire Wolfe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) Comment: Made with pgp4pine 1.76 iD8DBQFBxtkpCHha398AyTkRAnbQAJ9aFnRwx3pVmdEB9FSioniPo1/J7wCeLf6Y CZEiZ+q1gFAFkxBHCTSyCkA= =aXed -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Mon Dec 20 14:59:39 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Dec 20 14:56:32 2004 Subject: Use of PGP to sign distributed files In-Reply-To: <200412201125.22956.linux@codehelp.co.uk> References: <20041218121552.VLQR7271.aamta06-winn.mailhost.ntl.com@winxp> <200412201125.22956.linux@codehelp.co.uk> Message-ID: <20041220135939.GC22290@jabberwocky.com> On Mon, Dec 20, 2004 at 11:25:20AM +0000, Neil Williams wrote: > > Also, in the future I've thought about possibly creating an app to run > > Signatures can be verified automatically as long as the public key > is available. And if the public key isn't available, you can have GnuPG go and fetch it for you automatically from a keyserver. In fact, in 1.4, you can tell GnuPG where to get a key without even having it on a keyserver. David -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 250 bytes Desc: not available Url : /pipermail/attachments/20041220/cea9092c/attachment.bin From apavelec at benefit-services.com Mon Dec 20 15:03:36 2004 From: apavelec at benefit-services.com (Adam Pavelec) Date: Mon Dec 20 15:00:14 2004 Subject: FYI References: <20041218121552.VLQR7271.aamta06-winn.mailhost.ntl.com@winxp><200412201125.22956.linux@codehelp.co.uk> <873by1xhih.fsf@wheatstone.g10code.de> Message-ID: <00c701c4e69c$b644def0$2027a8c0@PAVELECA> Not sure if this is a bug or not, but I unsubscribed from this ML a very long time ago and somehow have been magically resubscribed. It's really no big deal, and I think I'll stick around to see what's been going on lately, but I just thought the powers that be might like to know about it. -Adam From dshaw at jabberwocky.com Mon Dec 20 15:13:36 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Dec 20 15:10:31 2004 Subject: expire function In-Reply-To: <41C6C8FE.9000402@hirnreck.de> References: <41C6C8FE.9000402@hirnreck.de> Message-ID: <20041220141336.GD22290@jabberwocky.com> On Mon, Dec 20, 2004 at 06:13:42PM +0530, Michael Kirchner wrote: > Hi all, > > I am using GPG with Thunderbird and Enigmail to sign and encrypt mostly > private communication. Up to now I used the "expires" date to make sure > that my key will only be valid for about a year and so something like a > date is attached to my signatures. After about a year I then generated a > new key (eventually upgraded the size of the key), signed the new key > with the old one and uploaded it. > > While at the time of starting with this method, some years back, > everything seemed reasonable I lately come to think about it again, as I > did never see anyone else do so (with the exception of the German CERT). > > Perhaps you might enlighten me: is there an special security problem > connected to a yearly expire and reissuing of my keys? The main problem is one of convenience. If you have gathered a number of signatures on your key, you have to get them over again with a new key. Since you say you are using it mainly for private communication, perhaps this reason does not apply to you. Note that signing the new key with the old one doesn't do anything in the web of trust: expired keys are not counted. A reasonable solution for the desire to have expiring keys, plus the desire to have one well-known key to sign is to use subkeys and have the subkeys expire. That is what I do. David -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 250 bytes Desc: not available Url : /pipermail/attachments/20041220/11adb586/attachment.bin From linux at codehelp.co.uk Mon Dec 20 15:12:21 2004 From: linux at codehelp.co.uk (Neil Williams) Date: Mon Dec 20 15:14:57 2004 Subject: expire function In-Reply-To: <41C6C8FE.9000402@hirnreck.de> References: <41C6C8FE.9000402@hirnreck.de> Message-ID: <200412201412.24918.linux@codehelp.co.uk> On Monday 20 December 2004 12:43 pm, Michael Kirchner wrote: > Perhaps you might enlighten me: is there an special security problem > connected to a yearly expire and reissuing of my keys? You lose all your signatures and therefore trust. One alternative is to issue a unlimited expiry main key with a subkey that expires. You need to then use updated keyservers and you'll get people asking why they cannot get/use your key. -- Neil Williams ============= http://www.dclug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20041220/6671d703/attachment-0001.bin From lune0002 at algonquincollege.com Mon Dec 20 15:18:21 2004 From: lune0002 at algonquincollege.com (Brian Lunergan) Date: Mon Dec 20 15:27:39 2004 Subject: How do I confirm the version I have... Message-ID: <41C6DF2D.70207@algonquincollege.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Folks: Downloaded and installed what I thought was v1.4.0a but it is still reporting 1.4.0 when I run a show version command. Also, when I run a check trust function using GPGShell a file renaming error comes up that the author suggested was a bug that was supposed to be cleared up in v1.4.0a. How do I confirm if I have the right version or not?? - -- Brian Lunergan *************************************** IM Contact: AIM: lnrgnb ICQ: 207423899 MSN: brianlunergan@hotmail.com (nickname: GreyWolf706) Yahoo: brianlunergan *************************************** -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) - GPGshell v3.30 iD8DBQFBxt8MYAcjwnB5eagRAhh3AJsGBF5avb0hkQheJ4sX12yVyytlQgCcD/I7 42w9z67m+ag6b0/dVfSLbWc= =1Sh2 -----END PGP SIGNATURE----- --- avast! Antivirus: Outbound message clean. Virus Database (VPS): 0451-2, 2004/12/17 Tested on: 20/12/04 9:18:23 AM avast! is copyright (c) 2000-2003 ALWIL Software. http://www.avast.com From michael at hirnreck.de Mon Dec 20 15:43:01 2004 From: michael at hirnreck.de (Michael Kirchner) Date: Mon Dec 20 15:41:04 2004 Subject: expire function In-Reply-To: <20041220141336.GD22290@jabberwocky.com> References: <41C6C8FE.9000402@hirnreck.de> <20041220141336.GD22290@jabberwocky.com> Message-ID: <41C6E4F5.8020702@hirnreck.de> Hi David, David Shaw wrote: > The main problem is one of convenience. If you have gathered a number > of signatures on your key, you have to get them over again with a new > key. Since you say you are using it mainly for private communication, > perhaps this reason does not apply to you. Yes, there are only very few signatures on my key. > Note that signing the new key with the old one doesn't do anything in > the web of trust: expired keys are not counted. This was the information I was missing. Is this badly documented or did I have chicken-sandwich on my eyes when I read the manuals about public key infrastructure? > A reasonable solution for the desire to have expiring keys, plus the > desire to have one well-known key to sign is to use subkeys and have > the subkeys expire. That is what I do. OK, thanks, I will look into that. Regards, -- Michael Thomas Kirchner From poplawsk at informatik.uni-freiburg.de Mon Dec 20 15:45:59 2004 From: poplawsk at informatik.uni-freiburg.de (poplawsk@informatik.uni-freiburg.de) Date: Mon Dec 20 15:42:05 2004 Subject: FYI In-Reply-To: <00c701c4e69c$b644def0$2027a8c0@PAVELECA> References: <20041218121552.VLQR7271.aamta06-winn.mailhost.ntl.com@winxp> <873by1xhih.fsf@wheatstone.g10code.de> <00c701c4e69c$b644def0$2027a8c0@PAVELECA> Message-ID: <200412201545.59905.poplawsk@informatik.uni-freiburg.de> Same here. I'm getting posts since today around noon. ...Volker Am Montag, 20. Dezember 2004 15:03 schrieb Adam Pavelec: > Not sure if this is a bug or not, but I unsubscribed from this ML a very > long time ago and somehow have been magically resubscribed. It's really no > big deal, and I think I'll stick around to see what's been going on lately, > but I just thought the powers that be might like to know about it. > > -Adam From dshaw at jabberwocky.com Mon Dec 20 17:39:31 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Dec 20 17:36:23 2004 Subject: expire function In-Reply-To: <200412201412.24918.linux@codehelp.co.uk> References: <41C6C8FE.9000402@hirnreck.de> <200412201412.24918.linux@codehelp.co.uk> Message-ID: <20041220163931.GG22290@jabberwocky.com> On Mon, Dec 20, 2004 at 02:12:21PM +0000, Neil Williams wrote: > On Monday 20 December 2004 12:43 pm, Michael Kirchner wrote: > > Perhaps you might enlighten me: is there an special security problem > > connected to a yearly expire and reissuing of my keys? > > You lose all your signatures and therefore trust. > > One alternative is to issue a unlimited expiry main key with a > subkey that expires. You need to then use updated keyservers and > you'll get people asking why they cannot get/use your key. Ah, what a perfect opening to talk about the new 1.4 features to help with the keyserver problem! 1.4 has the ability to embed a URL in a key or signature to tell people which keyserver the key owner prefers to keep his key on. The URL can even be a web page or finger file so people don't even have to use keyservers at all. I'll send a longer writeup to this list. David -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 250 bytes Desc: not available Url : /pipermail/attachments/20041220/0c633442/attachment.bin From dshaw at jabberwocky.com Mon Dec 20 17:40:01 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Dec 20 17:36:59 2004 Subject: Using the "preferred keyserver URL" in GnuPG 1.4 Message-ID: <20041220164001.GA30899@jabberwocky.com> GnuPG has long had a feature where a missing key would be fetched from the keyserver upon signature verification (turn this feature on with the keyserver option "auto-key-retrieve"). However, this did not handle the case where the key owner preferred one particular keyserver (say, one that wasn't broken or one that supports subkeys and photo IDs). GnuPG 1.4 adds a new "preferred keyserver" feature, that lets you include a URL with your key and/or with signatures you issue to help the recipient know where and how to get your key. To add a URL to your key, follow these steps: 1) gpg --edit-key (yourkey) 2) keyserver (yoururl) 3) save The preferred keyserver URL lives on the user ID self-signature (along with the other preferences), so if you want to get fancy, you can even have a different preferred keyserver URL on each user ID. Just select the user ID you want the preferred keyserver URL on before entering "keyserver". Once you have done this on your key, any user who uses "--refresh-keys" on your key will automatically get your key from the URL you have chosen. The keyserver option "honor-keyserver-url" turns this features on, and "no-honor-keyserver-url" turns it off. It is on by default. To add a URL to your signatures, just stick this in your gpg.conf: sig-keyserver-url (yoururl) Once you have done this, any user who verifies your signature but does not have your key can automatically fetch it if they have the both the keyserver options "honor-keyserver-url" and "auto-key-retrieve" set. Note that honor-keyserver-url is on by default, but auto-key-retrieve is not. The URLs can be: hkp for HKP servers for example: hkp://subkeys.pgp.net ldap for LDAP servers for example: ldap://keyserver.pgp.com http for a file on the web for example: http://www.jabberwocky.com/key.asc finger for a finger plan: for example: finger:wk@g10code.com David -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 250 bytes Desc: not available Url : /pipermail/attachments/20041220/d277c21a/attachment.bin From wk at gnupg.org Mon Dec 20 18:40:06 2004 From: wk at gnupg.org (Werner Koch) Date: Mon Dec 20 18:39:44 2004 Subject: How do I confirm the version I have... In-Reply-To: <41C6DF2D.70207@algonquincollege.com> (Brian Lunergan's message of "Mon, 20 Dec 2004 09:18:21 -0500") References: <41C6DF2D.70207@algonquincollege.com> Message-ID: <871xdkx409.fsf@wheatstone.g10code.de> On Mon, 20 Dec 2004 09:18:21 -0500, Brian Lunergan said: > Downloaded and installed what I thought was v1.4.0a but it is > still reporting 1.4.0 when I run a show version command. Also, I am sorry for this. I didn't change the version number because this make a large patch as several generated files are changed too and the old ZIP file was only out for a couple of hours. I didn't realized that the main server which mirrors the the one I upload too, didn't automatically deleted the 1.4.0.zip. > How do I confirm if I have the right version or not?? Run "gpg --check-trustdb" - the 1.4.0 version should fail. Or faster and read-only: gpg --print-md SHA1 gpg.exe should print for the bad one (1.4.0): gpg.exe: 20F7 3F35 434B 708E C907 1CB2 EB7F 8AAB 72AF 641C and for the good one (1.4.0a): gpg.exe: 19E1 C0E1 1402 B986 8CA8 77A5 0AC7 7224 8FC1 EC40 Hth, Werner From kairaven at arcor.de Sun Dec 19 21:30:41 2004 From: kairaven at arcor.de (Kai Raven) Date: Mon Dec 20 19:21:50 2004 Subject: Broken signatures with Thunderbird/Enigmail since 1.4.0? In-Reply-To: <20041217022145.GC12845@jabberwocky.com> References: <20041217002509.GA13382@dionysus.chud.net> <20041217005818.GA12845@jabberwocky.com> <41C234FA.50208@comcast.net> <20041217022145.GC12845@jabberwocky.com> Message-ID: <20041219213041.0cef4ee8@localhost.localdomain> Hi David, On Thu, 16 Dec 2004 21:21:45 -0500 you wrote: > Okay, I bet I know what the problem is. I need to talk to some of the > Enigmail folks. I think they may have a PGP/MIME text > canonicalization bug that one of the changes in 1.4 is aggravating. Are file signatures affected the same way? Today, i downloaded the new spamassassin, checked the signature an got a bad signature. I wrote to the spamassassin folks and Theo Van Dinter replied: === Interestingly, I decided to upgrade to 1.4.0 and try again: $ gpg --verify Mail-SpamAssassin-3.0.2.tar.gz.asc gpg: Signature made Wed 15 Dec 2004 10:57:53 PM EST using DSA key ID 265FA05B gpg: BAD signature from "SpamAssassin Signing Key " exact same files as I had previously tested with 1.2.4... Going to 1.2.6 (may as well go to the latest 1.2 release): gpg: Signature made Wed 15 Dec 2004 10:57:53 PM EST using DSA key ID 265FA05B gpg: Good signature from "SpamAssassin Signing Key " === -- Ciao Kai WWW: http://kai.iks-jena.de/ Blog: http://rabenhorst.blogg.de/ GnuPG-Key: 0xD6E995A0 Jabber: kraven@jabber.ccc.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 904 bytes Desc: not available Url : /pipermail/attachments/20041219/953ae970/attachment-0001.bin From lune0002 at algonquincollege.com Mon Dec 20 05:02:14 2004 From: lune0002 at algonquincollege.com (Brian Lunergan) Date: Mon Dec 20 19:22:01 2004 Subject: Question about GPGShell and v1.4.0 GnuPG on a Win98SE system.... Message-ID: <41C64EC6.5090804@algonquincollege.com> Not site feedback I'm afraid, but a question about GPGShell. I'm using v3.30 on a system showing the following environment info: Operating System : Windows 98 (CP850/CP1252) DLL/OCX Versions vb40032.dll : v4.0.29.24 (required: v4.0.29.24 or later) comdlg32.ocx : v6.0.84.18 (required: v6.0.84.18 or later) mscomctl.ocx : v6.0.88.62 (required: v6.0.88.62 or later) richtx32.ocx : v6.0.88.4 (required: v6.0.88.4 or later) GnuPG Version : v1.4.0 (required: v1.2.5 (v1.3.6)) Directories GnuPG (gpg.exe) : c:\gnupg GnuPG-HomeDir : c:\gnupg GPGshell : c:\program files\gpgshell GPGshell-HomeDir: c:\windows\application data\gpgshell PGPdump : Windows : c:\windows Parameters : Translation : Variables COMSPEC System : c:\windows\command.com GPGshell: c:\windows\command.com HTTP_PROXY : PATH : c:\windows;c:\windows\command;c:\utils\arj;c:\utils\lhar;c:\utils\pk;c:\gnupg;c:\gnupg\locale TEMP : c:\windows\temp TZ : Every time I try to run Trust>Check Trust DB I get the following error turning up in the output window: gpg: renaming `C:/GnuPG\pubring.gpg' to `C:/GnuPG\pubring.bak' failed: Permission denied gpg: failed to rebuild keyring cache: file rename error gpg: renaming `c:\gnupg\pubring.gpg' to `c:\gnupg\pubring.bak' failed: Permission denied gpg: failed to rebuild keyring cache: file rename error gpg: public key of ultimately trusted key 0xEA99B0E23922AC2A not found gpg: public key of ultimately trusted key 0xAFB4B8D0806B3F08 not found gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model gpg: depth: 0 valid: 3 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 3u Press any key to continue . . . Any suggestions as to what might be causing this would be greatly appreciated. Kind regards... -- Brian Lunergan *************************************** IM Contact: AIM: lnrgnb ICQ: 207423899 MSN: brianlunergan@hotmail.com (nickname: GreyWolf706) Yahoo: brianlunergan *************************************** --- avast! Antivirus: Outbound message clean. Virus Database (VPS): 0451-2, 2004/12/17 Tested on: 19/12/04 11:02:22 PM avast! is copyright (c) 2000-2003 ALWIL Software. http://www.avast.com From michael at pairofsixes.com Mon Dec 20 05:11:21 2004 From: michael at pairofsixes.com (Michael McAllister) Date: Mon Dec 20 19:22:07 2004 Subject: gen-keys hanging in WinXP SP2 Message-ID: <20041220041121.0206B40185@cmlapp10.siteprotect.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 All The problem I was having with gen-keys has gone away. I had a problem with my XP installation. A reinstall fixed everything. Regards Mike -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) - GPGshell v3.30 iD8DBQFBxlDRNnPc4AY2E9ERAneiAJ0RvpWAwc3e7jBUEe9Vdh7WqDHefACfWDF/ feYzCV5YI7E9XgROSZj6gqk= =MLkQ -----END PGP SIGNATURE----- From npellegr at numericable.fr Mon Dec 20 17:07:33 2004 From: npellegr at numericable.fr (npellegr@numericable.fr) Date: Mon Dec 20 19:22:13 2004 Subject: Choosing the Hash and cyphering algorithm Message-ID: <1103558853.41c6f8c5b9c16@webmail.numericable.fr> Hi all, Just an issue I hope somebody could help me with : 1) How could I specify (whether it's possible!) what hash algorithm: MD5, SHA-1 TIGER ... (Ok i'm joking for MD5 !!) I want to use for signing ? 2) The same for symmetric cyphering, is possible to specify i need to use DES or AES or 3-DES ? 3) Is it possible (like it's likely done during the signing step) to cypher something using my RSA secret key ? I can't see anything about it on the man page so ... because the gnupg.org features page says it's compatible with those cryptosystems i'm wondering how to use it using the command line. Perhaps in the gpg.conf file but i can't find all available options. Thank's for help ! Nicolas Pellegrin n.pellegrin@numericable.fr From dshaw at jabberwocky.com Mon Dec 20 19:44:16 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Dec 20 19:41:27 2004 Subject: Broken signatures with Thunderbird/Enigmail since 1.4.0? In-Reply-To: <20041219213041.0cef4ee8@localhost.localdomain> References: <20041217002509.GA13382@dionysus.chud.net> <20041217005818.GA12845@jabberwocky.com> <41C234FA.50208@comcast.net> <20041217022145.GC12845@jabberwocky.com> <20041219213041.0cef4ee8@localhost.localdomain> Message-ID: <20041220184416.GK22290@jabberwocky.com> On Sun, Dec 19, 2004 at 09:30:41PM +0100, Kai Raven wrote: > > Hi David, > > On Thu, 16 Dec 2004 21:21:45 -0500 you wrote: > > > Okay, I bet I know what the problem is. I need to talk to some of the > > Enigmail folks. I think they may have a PGP/MIME text > > canonicalization bug that one of the changes in 1.4 is aggravating. > > Are file signatures affected the same way? > Today, i downloaded the new spamassassin, checked the signature an got > a bad signature. I wrote to the spamassassin folks and Theo Van Dinter > replied: > === > Interestingly, I decided to upgrade to 1.4.0 and try again: > > $ gpg --verify Mail-SpamAssassin-3.0.2.tar.gz.asc > gpg: Signature made Wed 15 Dec 2004 10:57:53 PM EST using DSA key ID 265FA05B > gpg: BAD signature from "SpamAssassin Signing Key " > > exact same files as I had previously tested with 1.2.4... Going to 1.2.6 (may > as well go to the latest 1.2 release): > > gpg: Signature made Wed 15 Dec 2004 10:57:53 PM EST using DSA key ID 265FA05B > gpg: Good signature from "SpamAssassin Signing Key " 1.4.0 is not the problem here. The problem is that the signer has made a --textmode signature over a binary object (a gz file). This won't work reliably because gpg will try and change the line endings and there aren't real line endings inside a binary blob. This signature won't work with PGP either for the same reason. The fact that it works with gpg 1.2.6 is mostly luck. David -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 250 bytes Desc: not available Url : /pipermail/attachments/20041220/917a5afe/attachment.bin From twoaday at freakmail.de Mon Dec 20 18:58:16 2004 From: twoaday at freakmail.de (Timo Schulz) Date: Mon Dec 20 19:46:21 2004 Subject: WinPT 0.9.14 and GPG 1.4.0 Message-ID: <20041220175816.GF276@daredevil.joesixpack.net> Hi! I just wanted to let all users know that I uploaded a new version (0.9.14-1) of WinPT which also works with GPG 1.4.0(a). And now the source of it is also available. (http://www.stud.uni-hannover.de/~twoaday/winpt.html) Timo From twoaday at freakmail.de Mon Dec 20 11:40:50 2004 From: twoaday at freakmail.de (Timo Schulz) Date: Mon Dec 20 19:46:30 2004 Subject: WinPT key POSTing problem In-Reply-To: <20041219210948.GA39398@wilma.widomaker.com> References: <20041219210948.GA39398@wilma.widomaker.com> Message-ID: <20041220104050.GA1038@daredevil.joesixpack.net> On Sun Dec 19 2004; 16:09, Jason Harris wrote: > It is an error to have http+hostname+port in the POST path, only the > local path, /pks/add, is correct. These were given an HTTP 404 response. Thanks for the report. I will change this ASAP. But did it work in the past? Or is it more likely that it does not work but nobody told me this? > but was at least able to post their key. (There are no checks on the > value/validity of the Host: header at this time.) However, the "http://" > is incorrect and needs to be dropped from Host:. OK. It's on my TODO list for some time to revamp the keyserver code because it also does not work for searching keys with a recent keyserver. > I also notice these requests were identified as HTTP/1.0. Other than > understanding and sending "Connection: close" headers, is there a reason > to not identify them as HTTP/1.1 requests? I will also fix this problem. Thanks. Timo -- Colt at WinPT.org keyid BF3DF9B4 (http://www.winpt.org) WinPT (http://www.stud.uni-hannover.de/~twoaday/winpt.html) Installer (http://www.equipmente.de/viewtopic.php?t=433#1080) From andriash at uniserve.com Mon Dec 20 20:38:17 2004 From: andriash at uniserve.com (Nick Andriash) Date: Mon Dec 20 20:42:02 2004 Subject: Question about GPGShell and v1.4.0 GnuPG on a Win98SE system.... In-Reply-To: <41C64EC6.5090804@algonquincollege.com> References: <41C64EC6.5090804@algonquincollege.com> Message-ID: <41C72A29.2030005@uniserve.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Brian Lunergan wrote: > gpg: renaming `C:/GnuPG\pubring.gpg' to `C:/GnuPG\pubring.bak' failed: > Permission denied > gpg: failed to rebuild keyring cache: file rename error > gpg: renaming `c:\gnupg\pubring.gpg' to `c:\gnupg\pubring.bak' failed: > Permission denied > Any suggestions as to what might be causing this would be greatly > appreciated. You need to download the latest version of GnuPG, which is now 1.0.4(a) and is now listed on the GPG Download page. - -- -=Nick Andriash=- Creston, B.C. Canada -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFBxyop2usvuTvKfdIRAgQDAKDiC7+WsI9bk87qMDUBIP4wqbg4xgCeNlzA t/nM7lpVlAoU8F/4AxC9CzU= =e8jf -----END PGP SIGNATURE----- From jharris at widomaker.com Mon Dec 20 20:34:20 2004 From: jharris at widomaker.com (Jason Harris) Date: Mon Dec 20 20:42:12 2004 Subject: WinPT key POSTing problem In-Reply-To: <20041220104050.GA1038@daredevil.joesixpack.net> References: <20041219210948.GA39398@wilma.widomaker.com> <20041220104050.GA1038@daredevil.joesixpack.net> Message-ID: <20041220193419.GA45700@wilma.widomaker.com> On Mon, Dec 20, 2004 at 11:40:50AM +0100, Timo Schulz wrote: > On Sun Dec 19 2004; 16:09, Jason Harris wrote: > > > It is an error to have http+hostname+port in the POST path, only the > > local path, /pks/add, is correct. These were given an HTTP 404 response. > > Thanks for the report. I will change this ASAP. But did it work in the > past? Or is it more likely that it does not work but nobody told me this? I think you made the change to the path (which resulted in 404 respones) only recently. The few other POSTs I see on the 16th and 17th of this month only have "Host: http://wwwkeys.at.pgp.net:11371" set incorrectly. Putting the version of WinPT in the User-Agent will help diagnose this problem, at least when using keyserver (and/or webserver) logs. Going back to the 14th, this request was correct: POST /pks/add "WinPT/W32" "wwwkeys.us.pgp.net:11371" in its path and Host:. > OK. It's on my TODO list for some time to revamp the keyserver code > because it also does not work for searching keys with a recent keyserver. (Visit http://lists.alt.org/pipermail/pgp-keyserver-folk/ if you have any keyserver questions.) > > I also notice these requests were identified as HTTP/1.0. Other than > > understanding and sending "Connection: close" headers, is there a reason > > to not identify them as HTTP/1.1 requests? > > I will also fix this problem. Thanks. In that case, be sure you send "Connection; close\r\n" when you want to (more quickly) close your connection to keyserver.kjsl.com:11371, which now identifies itself as HTTP/1.1, and shutdown/close your socket when you receive that header. If you don't send or see that header, you can keep that socket open and send further requests on it, taking advantage of (my still experimental) connection reuse and HTTP/1.1 pipelining. This really speeds up multiple requests, so I hope your/our users will enjoy it. -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : /pipermail/attachments/20041220/9e11fa1c/attachment.bin From johanw at vulcan.xs4all.nl Mon Dec 20 15:59:26 2004 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Mon Dec 20 21:40:04 2004 Subject: How do I confirm the version I have... In-Reply-To: <41C6DF2D.70207@algonquincollege.com> from Brian Lunergan at "Dec 20, 2004 09:18:21 am" Message-ID: <200412201459.PAA04504@vulcan.xs4all.nl> Brian Lunergan wrote: >How do I confirm if I have the right version or not?? Check the signature with the signature on ftp.gnupg.org. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From lune0002 at algonquincollege.com Mon Dec 20 22:03:29 2004 From: lune0002 at algonquincollege.com (Brian Lunergan) Date: Mon Dec 20 22:27:59 2004 Subject: Solved one and found another... Message-ID: <41C73E21.4080104@algonquincollege.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Thanks, all, for the assist on the version question and file renaming error. Found I am, indeed, using v1.4.0a. The file renaming error turned out to be me shooting myself in the foot with inappropriate use of the keyring and secret-keyring options. I only have one of each and so should not have be using them. New problem. GPGShell has a window for reloading keys. It flashes by with warnings about the no-show-photos option being deprecated and providing helpful suggestions on alternates. Moves too fast for me to catch what's written, but as it's a warning it's probably harmless. Since I'm now aware that the option is deprecated I'd like to shut that warning off without resorting to hiding the window. Any suggestions?? - -- Brian Lunergan *************************************** IM Contact: AIM: lnrgnb ICQ: 207423899 MSN: brianlunergan@hotmail.com (nickname: GreyWolf706) Yahoo: brianlunergan *************************************** -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) - GPGshell v3.30 iD8DBQFBxz4bYAcjwnB5eagRArVYAJ4gBBQepB5OE7gjDHSgt+mYMdVyEgCfVSZQ q9xXOO0FIbZkC29ZWhPokmY= =YQT7 -----END PGP SIGNATURE----- --- avast! Antivirus: Outbound message clean. Virus Database (VPS): 0451-2, 2004/12/17 Tested on: 20/12/04 4:03:32 PM avast! is copyright (c) 2000-2003 ALWIL Software. http://www.avast.com From jharris at widomaker.com Mon Dec 20 22:45:47 2004 From: jharris at widomaker.com (Jason Harris) Date: Mon Dec 20 22:42:14 2004 Subject: Using the "preferred keyserver URL" in GnuPG 1.4 In-Reply-To: <20041220164001.GA30899@jabberwocky.com> References: <20041220164001.GA30899@jabberwocky.com> Message-ID: <20041220214547.GA46211@wilma.widomaker.com> On Mon, Dec 20, 2004 at 11:40:01AM -0500, David Shaw wrote: > To add a URL to your signatures, just stick this in your gpg.conf: > > sig-keyserver-url (yoururl) NB: You may also have to specify: no-force-v3-sigs and may want to specify: verify-options show-keyserver-urls -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20041220/4413b971/attachment-0001.bin From ben at benfinney.id.au Mon Dec 20 22:46:56 2004 From: ben at benfinney.id.au (Ben Finney) Date: Mon Dec 20 22:43:20 2004 Subject: Unsolicited re-subscription In-Reply-To: <00c701c4e69c$b644def0$2027a8c0@PAVELECA> References: <873by1xhih.fsf@wheatstone.g10code.de> <00c701c4e69c$b644def0$2027a8c0@PAVELECA> Message-ID: <20041220214656.GA14697@benfinney.id.au> On 20-Dec-2004, Adam Pavelec wrote: > Not sure if this is a bug or not, but I unsubscribed from this ML a > very long time ago and somehow have been magically resubscribed. It's > really no big deal, and I think I'll stick around to see what's been > going on lately, but I just thought the powers that be might like to > know about it. Same here. By human accident or programming bug (same thing?) I've been re-subscribed to this list without asking. Could the powers that be please investigate and correct? It seems a lot of people may be affected in this way. -- \ "[W]e are still the first generation of users, and for all that | `\ we may have invented the net, we still don't really get it." | _o__) -- Douglas Adams | Ben Finney From ben at benfinney.id.au Mon Dec 20 22:46:56 2004 From: ben at benfinney.id.au (Ben Finney) Date: Mon Dec 20 22:44:07 2004 Subject: Unsolicited re-subscription In-Reply-To: <00c701c4e69c$b644def0$2027a8c0@PAVELECA> References: <873by1xhih.fsf@wheatstone.g10code.de> <00c701c4e69c$b644def0$2027a8c0@PAVELECA> Message-ID: <20041220214656.GA14697@benfinney.id.au> On 20-Dec-2004, Adam Pavelec wrote: > Not sure if this is a bug or not, but I unsubscribed from this ML a > very long time ago and somehow have been magically resubscribed. It's > really no big deal, and I think I'll stick around to see what's been > going on lately, but I just thought the powers that be might like to > know about it. Same here. By human accident or programming bug (same thing?) I've been re-subscribed to this list without asking. Could the powers that be please investigate and correct? It seems a lot of people may be affected in this way. -- \ "[W]e are still the first generation of users, and for all that | `\ we may have invented the net, we still don't really get it." | _o__) -- Douglas Adams | Ben Finney -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: Digital signature Url : /pipermail/attachments/20041221/90679732/attachment.bin From dshaw at jabberwocky.com Mon Dec 20 23:08:14 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Dec 20 23:05:12 2004 Subject: Using the "preferred keyserver URL" in GnuPG 1.4 In-Reply-To: <20041220214547.GA46211@wilma.widomaker.com> References: <20041220164001.GA30899@jabberwocky.com> <20041220214547.GA46211@wilma.widomaker.com> Message-ID: <20041220220814.GN22290@jabberwocky.com> On Mon, Dec 20, 2004 at 04:45:47PM -0500, Jason Harris wrote: > On Mon, Dec 20, 2004 at 11:40:01AM -0500, David Shaw wrote: > > > To add a URL to your signatures, just stick this in your gpg.conf: > > > > sig-keyserver-url (yoururl) > > NB: You may also have to specify: > > no-force-v3-sigs Quite right. I had forgotten about that since I have it in my gpg.conf. Someday no-force-v3-sigs will be the default. > and may want to specify: > > verify-options show-keyserver-urls Yes. This shows what the keyserver URL is for the interested. Note that if you don't have the key when verifying a signature and there is a keyserver URL present, the URL is *always* shown to you. This option only controls whether the URL is shown when verifying sigs from keys you already have. David -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 250 bytes Desc: not available Url : /pipermail/attachments/20041220/f5cf4f28/attachment.bin From Lamont_Gilbert at RigidSoftware.com Mon Dec 20 23:44:05 2004 From: Lamont_Gilbert at RigidSoftware.com (CL Gilbert) Date: Mon Dec 20 23:40:56 2004 Subject: Unsolicited re-subscription In-Reply-To: <20041220214656.GA14697@benfinney.id.au> References: <873by1xhih.fsf@wheatstone.g10code.de> <00c701c4e69c$b644def0$2027a8c0@PAVELECA> <20041220214656.GA14697@benfinney.id.au> Message-ID: <41C755B5.6080403@RigidSoftware.com> Same here. Ben Finney wrote: > On 20-Dec-2004, Adam Pavelec wrote: > >>Not sure if this is a bug or not, but I unsubscribed from this ML a >>very long time ago and somehow have been magically resubscribed. It's >>really no big deal, and I think I'll stick around to see what's been >>going on lately, but I just thought the powers that be might like to >>know about it. > > > Same here. By human accident or programming bug (same thing?) I've been > re-subscribed to this list without asking. > > Could the powers that be please investigate and correct? It seems a lot > of people may be affected in this way. > > > > ------------------------------------------------------------------------ > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -- Thank you, CL Gilbert "Then said I, Wisdom [is] better than strength: nevertheless the poor man's wisdom [is] despised, and his words are not heard." Ecclesiastes 9:16 GnuPG Key Fingerprint: 82A6 8893 C2A1 F64E A9AD 19AE 55B2 4CD7 80D2 0A2D GNU Privacy Guard http://www.gnupg.org From sean.bofinger at wotif.com Mon Dec 20 23:58:00 2004 From: sean.bofinger at wotif.com (Sean Bofinger) Date: Mon Dec 20 23:54:59 2004 Subject: Unsolicited re-subscription In-Reply-To: <41C755B5.6080403@RigidSoftware.com> References: <873by1xhih.fsf@wheatstone.g10code.de> <00c701c4e69c$b644def0$2027a8c0@PAVELECA> <20041220214656.GA14697@benfinney.id.au> <41C755B5.6080403@RigidSoftware.com> Message-ID: <41C758F8.8010600@wotif.com> Me too Sean Bofinger Systems and Network Administrator Wotif.com www.wotif.com t: +61 7 3512 9999 f: +61 7 3512 9900 e: sean.bofinger@wotif.com Wotif.com is the global specialist in last-minute accommodation. Wotif.com's properties can be booked online or through our call centre which operates 24 hours a day, 7 days a week. CL Gilbert wrote: > Same here. > > Ben Finney wrote: > >> On 20-Dec-2004, Adam Pavelec wrote: >> >>> Not sure if this is a bug or not, but I unsubscribed from this ML a >>> very long time ago and somehow have been magically resubscribed. It's >>> really no big deal, and I think I'll stick around to see what's been >>> going on lately, but I just thought the powers that be might like to >>> know about it. >> >> >> >> Same here. By human accident or programming bug (same thing?) I've been >> re-subscribed to this list without asking. >> >> Could the powers that be please investigate and correct? It seems a lot >> of people may be affected in this way. >> >> >> >> ------------------------------------------------------------------------ >> >> _______________________________________________ >> Gnupg-users mailing list >> Gnupg-users@gnupg.org >> http://lists.gnupg.org/mailman/listinfo/gnupg-users > > > From johanw at vulcan.xs4all.nl Mon Dec 20 21:59:32 2004 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Tue Dec 21 00:42:31 2004 Subject: WinPT 0.9.14 and GPG 1.4.0 In-Reply-To: <20041220175816.GF276@daredevil.joesixpack.net> from Timo Schulz at "Dec 20, 2004 06:58:16 pm" Message-ID: <200412202059.VAA00645@vulcan.xs4all.nl> Timo Schulz wrote: >I just wanted to let all users know that I uploaded a new >version (0.9.14-1) of WinPT which also works with GPG 1.4.0(a). Thanks. The file, however, is signed with an expired key 0x27F36D14, (it says it's your laptop key) which I can't find on the keyservers. Is there a version that is not expired somewhere? >And now the source of it is also available. This file is unsigned. Thanks for the effort. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From dbergstein at comcast.net Tue Dec 21 01:30:24 2004 From: dbergstein at comcast.net (David R. Bergstein) Date: Tue Dec 21 01:27:43 2004 Subject: Unsolicited re-subscription In-Reply-To: <41C758F8.8010600@wotif.com> References: <873by1xhih.fsf@wheatstone.g10code.de> <00c701c4e69c$b644def0$2027a8c0@PAVELECA> <20041220214656.GA14697@benfinney.id.au> <41C755B5.6080403@RigidSoftware.com> <41C758F8.8010600@wotif.com> Message-ID: <41C76EA0.6030803@comcast.net> Sean Bofinger wrote: > Me too > > Sean Bofinger > > Systems and Network Administrator > Wotif.com > www.wotif.com > > t: +61 7 3512 9999 > f: +61 7 3512 9900 > e: sean.bofinger@wotif.com > > Wotif.com is the global specialist in last-minute accommodation. > Wotif.com's properties can be booked online or through our call centre > which operates 24 hours a day, 7 days a week. > > > > CL Gilbert wrote: > >> Same here. >> >> Ben Finney wrote: >> >>> On 20-Dec-2004, Adam Pavelec wrote: >>> >>>> Not sure if this is a bug or not, but I unsubscribed from this ML a >>>> very long time ago and somehow have been magically resubscribed. It's >>>> really no big deal, and I think I'll stick around to see what's been >>>> going on lately, but I just thought the powers that be might like to >>>> know about it. >>> >>> >>> >>> >>> Same here. By human accident or programming bug (same thing?) I've been >>> re-subscribed to this list without asking. >>> >>> Could the powers that be please investigate and correct? It seems a lot >>> of people may be affected in this way. >>> >>> >>> I have the same issue as the folks above; please unsubscribe me too. -- David R. Bergstein Systems Engineer and Blues Musician - http://home.comcast.net/~dbergstein Heart of Blue - bookings on-line at http://www.heartofblue.com OpenPGP Public Key 0xE1F138CA - For info see http://www.gnupg.org Key fingerprint = C86E CA2A 4171 AC73 91D7 3DCE 8832 D764 E1F1 38CA From donald.ferguson at gmail.com Tue Dec 21 01:44:44 2004 From: donald.ferguson at gmail.com (Don Ferguson) Date: Tue Dec 21 01:41:39 2004 Subject: Unsolicited re-subscription In-Reply-To: <41C76EA0.6030803@comcast.net> References: <873by1xhih.fsf@wheatstone.g10code.de> <00c701c4e69c$b644def0$2027a8c0@PAVELECA> <20041220214656.GA14697@benfinney.id.au> <41C755B5.6080403@RigidSoftware.com> <41C758F8.8010600@wotif.com> <41C76EA0.6030803@comcast.net> Message-ID: I had the opposite problem. I recently joined this mailing list and stopped receiving messages. I had to re-subscribe. I think it is obvious that the database for current mailing list was overwritten by an older copy. On Mon, 20 Dec 2004 19:30:24 -0500, David R. Bergstein wrote: > Sean Bofinger wrote: > > Me too > > > > Sean Bofinger > > > > Systems and Network Administrator > > Wotif.com > > www.wotif.com > > > > t: +61 7 3512 9999 > > f: +61 7 3512 9900 > > e: sean.bofinger@wotif.com > > > > Wotif.com is the global specialist in last-minute accommodation. > > Wotif.com's properties can be booked online or through our call centre > > which operates 24 hours a day, 7 days a week. > > > > > > > > CL Gilbert wrote: > > > >> Same here. > >> > >> Ben Finney wrote: > >> > >>> On 20-Dec-2004, Adam Pavelec wrote: > >>> > >>>> Not sure if this is a bug or not, but I unsubscribed from this ML a > >>>> very long time ago and somehow have been magically resubscribed. It's > >>>> really no big deal, and I think I'll stick around to see what's been > >>>> going on lately, but I just thought the powers that be might like to > >>>> know about it. > >>> > >>> > >>> > >>> > >>> Same here. By human accident or programming bug (same thing?) I've been > >>> re-subscribed to this list without asking. > >>> > >>> Could the powers that be please investigate and correct? It seems a lot > >>> of people may be affected in this way. > >>> > >>> > >>> > > I have the same issue as the folks above; please unsubscribe me too. > > -- > > David R. Bergstein > Systems Engineer and Blues Musician - http://home.comcast.net/~dbergstein > Heart of Blue - bookings on-line at http://www.heartofblue.com > OpenPGP Public Key 0xE1F138CA - For info see http://www.gnupg.org > Key fingerprint = C86E CA2A 4171 AC73 91D7 3DCE 8832 D764 E1F1 38CA > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From Freedom_Lover at pobox.com Tue Dec 21 09:19:57 2004 From: Freedom_Lover at pobox.com (Todd) Date: Tue Dec 21 09:16:56 2004 Subject: Using the "preferred keyserver URL" in GnuPG 1.4 In-Reply-To: <20041220164001.GA30899@jabberwocky.com> References: <20041220164001.GA30899@jabberwocky.com> Message-ID: <20041221081957.GU2824@psilocybe.teonanacatl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Shaw wrote: > GnuPG 1.4 adds a new "preferred keyserver" feature, that lets you > include a URL with your key and/or with signatures you issue to help > the recipient know where and how to get your key. This is a damn cool feature. Thanks for adding it! I have a few questions about it after poking around with it briefly. > To add a URL to your key, follow these steps: > > 1) gpg --edit-key (yourkey) > 2) keyserver (yoururl) > 3) save Doing this, I was surprised to find that the revoked user ids on my key were now not shown as revoked. I'm guessing that's due to the new signature added when the preferred keyserver was added? I ended up selecting the non-revoked user ids and then using the keyserver command. Is this the intended way to go about things? It seemed rather unintuitive at first glance. > The URLs can be: [...] > http for a file on the web > for example: http://www.jabberwocky.com/key.asc I tried using a pobox.com URL. When I tested it I received this message from gpg: Key available at: http://www.pobox.com/~tmz/pgp/tmz.asc requesting key D654075A from http server www.pobox.com no valid OpenPGP data found. requesting key D654075A from hkp server subkeys.pgp.net Again I'm just guessing, but I figure it's because pobox.com redirects to where my current ISP gives me some webspace. I'd like to be able to put a preferred keyserver url in my key and signatures that won't change often, hence the pobox.com url would be nice to use. Is it a conscious decision not to follow redirects or just a limitation of the gpg http code (or a complete misunderstanding on my part, hehe)? Thanks again for all the great work on GnuPG, it's very much appreciated! - -- Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp ====================================================================== An optimist believes we live in the best of all possible worlds. A pessimist is sure of it! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl. iEYEARECAAYFAkHH3K0ACgkQuv+09NZUB1r/5wCg7TY6WmR3dxjC6eFDhlAhSRSz VBQAoJLq4AJJjh73CrV5C91UPdMf9ntV =rGje -----END PGP SIGNATURE----- From swright at physics.adelaide.edu.au Tue Dec 21 00:09:55 2004 From: swright at physics.adelaide.edu.au (Stewart V. Wright) Date: Tue Dec 21 09:20:51 2004 Subject: [WOT] Re: Unsolicited re-subscription In-Reply-To: <41C758F8.8010600@wotif.com> References: <873by1xhih.fsf@wheatstone.g10code.de> <00c701c4e69c$b644def0$2027a8c0@PAVELECA> <20041220214656.GA14697@benfinney.id.au> <41C755B5.6080403@RigidSoftware.com> <41C758F8.8010600@wotif.com> Message-ID: <20041220230955.GB14867@anl.gov> G'day Sean and others, * Sean Bofinger [041220 17:02]: > Me too Please, please, please can we stop with the "Me too"'s. I don't want to appear rude, but you're all grown-ups, solve your own problems and unsubscribe yourself. It is _known_ that there was a screw up. You know that this list and its members aren't deliberately annoying you. Let it go. > Systems and Network Administrator Be proactive... http://lists.gnupg.org/mailman/listinfo/gnupg-users Cheers, S. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 274 bytes Desc: Digital signature Url : /pipermail/attachments/20041220/f77eac73/attachment.bin From rukew at servgate.com Tue Dec 21 00:13:17 2004 From: rukew at servgate.com (Ruke Wang) Date: Tue Dec 21 09:21:05 2004 Subject: Unsolicited re-subscription Message-ID: Same here. Thanks, Ruke Wang ServGate Technologies www.servgate.com -----Original Message----- From: gnupg-users-bounces@gnupg.org [mailto:gnupg-users-bounces@gnupg.org]On Behalf Of Sean Bofinger Sent: Monday, December 20, 2004 2:58 PM To: gnupg-users@gnupg.org Subject: Re: Unsolicited re-subscription Me too Sean Bofinger Systems and Network Administrator Wotif.com www.wotif.com t: +61 7 3512 9999 f: +61 7 3512 9900 e: sean.bofinger@wotif.com Wotif.com is the global specialist in last-minute accommodation. Wotif.com's properties can be booked online or through our call centre which operates 24 hours a day, 7 days a week. CL Gilbert wrote: > Same here. > > Ben Finney wrote: > >> On 20-Dec-2004, Adam Pavelec wrote: >> >>> Not sure if this is a bug or not, but I unsubscribed from this ML a >>> very long time ago and somehow have been magically resubscribed. It's >>> really no big deal, and I think I'll stick around to see what's been >>> going on lately, but I just thought the powers that be might like to >>> know about it. >> >> >> >> Same here. By human accident or programming bug (same thing?) I've been >> re-subscribed to this list without asking. >> >> Could the powers that be please investigate and correct? It seems a lot >> of people may be affected in this way. >> >> >> >> ------------------------------------------------------------------------ >> >> _______________________________________________ >> Gnupg-users mailing list >> Gnupg-users@gnupg.org >> http://lists.gnupg.org/mailman/listinfo/gnupg-users > > > _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From atom at suspicious.org Tue Dec 21 06:02:58 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Tue Dec 21 09:21:16 2004 Subject: secret- and public-key crypto In-Reply-To: <20041218221319.3c8faab4@localhost.localdomain> References: <20041218221319.3c8faab4@localhost.localdomain> Message-ID: <20041221050137.55198.qmail@suspicious.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Sat, 18 Dec 2004, Kai Raven wrote: > i have one question about the new symmetric and public-key encryption. > Is the same session key used or a separate one for each encryption? =============== each encrypted message has one session key. if you encrypt one message to multiple people, they all use their secret keys to decrypt the same session key, which is then used to decrypt the message. if you send a million encrypted messages to one person, each message will have a unique session key. Hybrid ciphers http://www.gnupg.org/gph/en/manual.html#AEN210 - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "I hope we shall crush in its birth the aristocracy of our monied corporations which dare already to challenge our government to a trial of strength, and bid defiance to the laws our country." -- Thomas Jefferson, 1816 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJBx66NAAoJEAx/d+cTpVci9MgH/3Uk9rK/pBUu4SXHnvhs93k3 4gb9id8LLTzvt0ATptkKR2rUnu8Ul+St2xqXggECJcuO5eJXSI4HzNtY8HbLlMST AaLuJPU5wXGg/Lck3xSEZiYUWm+Sdz60VSDLT6AAPeERU3V2OFcXT/IuwzSJeT/I GYrDb9gp2Yo4gc/RaiYoy67mRfY7wrahvXyPvXVeLjYDB/QSCTfL7UMJaV5kvA9H zwfKbd3Bo/brBJtpi0PEAsAbhxC3t0of2RsWPcYqbE5/aMc5mMj9Bdw0N+0zIASq gnPITWuV5Bk8kxWK/ix3fvb/uiri5EaHNFrY74hGLrhKG1brD4IJ/ovMdADqcAc= =mK5h -----END PGP SIGNATURE----- From atom at suspicious.org Tue Dec 21 06:31:47 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Tue Dec 21 09:21:20 2004 Subject: Choosing the Hash and cyphering algorithm In-Reply-To: <1103558853.41c6f8c5b9c16@webmail.numericable.fr> References: <1103558853.41c6f8c5b9c16@webmail.numericable.fr> Message-ID: <20041221053027.68208.qmail@suspicious.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Mon, 20 Dec 2004 npellegr@numericable.fr wrote: > Just an issue I hope somebody could help me with : > > 1) How could I specify (whether it's possible!) what hash algorithm: > MD5, SHA-1 TIGER ... (Ok i'm joking for MD5 !!) I want to use for > signing ? =================== take tiger off of your list, it's no longer part of rfc2440. "--personal-digest-preferences" will let you specify your order of preference for hash. note that if you (hypothetically) make md5 your most preferred hash and encrypt a message to someone who does not list md5 in their key's preferences, it will be skipped. in a (1.4) config file: personal-digest-preferences MD5 SHA-1 RIPEMD160 > 2) The same for symmetric cyphering, is possible to specify i need to > use DES or AES or 3-DES ? ====================== same thing, this time with "--personal-cipher-preferences". using my key as an example, my preferred ciphers are: Twofish with 256-bit key(sym 10) Blowfish(sym 4) CAST5(sym 3) Triple-DES(sym 2) if a (1.4) config file contains: personal-cipher-preferences AES AES192 AES256 BLOWFISH CAST5 and you encrypt a message to me, blowfish would be used. it's the first match between our preferences. > 3) Is it possible (like it's likely done during the signing step) to > cypher something using my RSA secret key ? ====================== gpg -ear 0x12345678! where "0x12345678" is the subkey you want to specify. just add the bang (!) at the end and you can specify a particular subkey. - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "Any sufficiently advanced technology is indistinguishable from magic." -- Arthur C. Clarke -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJBx7VOAAoJEAx/d+cTpVciD8sH/RaLtnSeiy7zjLJhOpl4LJcl XBgmhZz8FKlUnMP/E5H/Zdph2tXFQRLLxsgISVZLvXtw95EDLQV00/Sw1Qfiyu8j kf8417LGvZMp98MI02TOGhs9VfqwALhW4HpJyYvMA8wJRGjCk08Vqlp3ab9LRp79 cwxLQsja785n2G8yV8Ra6sjijzvS2OWMQlpspcrOh0dk1/YjPca2jzlqnaY3s/2O t8su9joqTmQy/cKatxfJm4dPh4Mtro6IcrUyfx2JpPSQtIX4pSHV2/9rSn+2RP+v 7Rmqw7MZOHewfXiV4d6693uCMrpbdBo24pGC/Z7bab5u8teO96KI1Yg8JdRw0uE= =wfDh -----END PGP SIGNATURE----- From wk at gnupg.org Tue Dec 21 09:44:05 2004 From: wk at gnupg.org (Werner Koch) Date: Tue Dec 21 09:44:54 2004 Subject: Unsolicited re-subscription In-Reply-To: <20041220214656.GA14697@benfinney.id.au> (Ben Finney's message of "Tue, 21 Dec 2004 08:46:56 +1100") References: <873by1xhih.fsf@wheatstone.g10code.de> <00c701c4e69c$b644def0$2027a8c0@PAVELECA> <20041220214656.GA14697@benfinney.id.au> Message-ID: <878y7st50q.fsf@wheatstone.g10code.de> On Tue, 21 Dec 2004 08:46:56 +1100, Ben Finney said: > Same here. By human accident or programming bug (same thing?) I've been > re-subscribed to this list without asking. I have unsubscribed you and a couple of other folks who also complained. I AFAICS, On Dec 18 we had several out of memory conditions as well as too may open files. Mailman seems to have a several stages fallback policy to old config files and obviously it then saved the the last working state in the default config file. I have restored the config.pck from config.pck.safety so everything should be back at the state of the early morning of Dec 18. Werner From twoaday at freakmail.de Tue Dec 21 08:54:08 2004 From: twoaday at freakmail.de (Timo Schulz) Date: Tue Dec 21 09:58:36 2004 Subject: WinPT key POSTing problem In-Reply-To: <20041220193419.GA45700@wilma.widomaker.com> References: <20041219210948.GA39398@wilma.widomaker.com> <20041220104050.GA1038@daredevil.joesixpack.net> <20041220193419.GA45700@wilma.widomaker.com> Message-ID: <20041221075408.GD644@daredevil.joesixpack.net> On Mon Dec 20 2004; 14:34, Jason Harris wrote: > I think you made the change to the path (which resulted in 404 respones) > only recently. The few other POSTs I see on the 16th and 17th of this > month only have "Host: http://wwwkeys.at.pgp.net:11371" set incorrectly. Hmm, maybe somebody compiled its own version because I did not touch the keyserver code in the last weeks. > Going back to the 14th, this request was correct: > > POST /pks/add "WinPT/W32" "wwwkeys.us.pgp.net:11371" Weird. I need to modify the header so I know if it is an official release or a self-compiled version. > > OK. It's on my TODO list for some time to revamp the keyserver code > > because it also does not work for searching keys with a recent keyserver. > > (Visit http://lists.alt.org/pipermail/pgp-keyserver-folk/ if you have > any keyserver questions.) Thanks. > In that case, be sure you send "Connection; close\r\n" when you want to > (more quickly) close your connection to keyserver.kjsl.com:11371, which > now identifies itself as HTTP/1.1, and shutdown/close your socket when Yes, I'm familiar with the basics of the HTTP protocol. I need to test the entire code and I will try to implement bug fixes for the described problems. As long is it won't break compatibility with other keyservers so the code cannot be used in general. > keep that socket open and send further requests on it, taking advantage > of (my still experimental) connection reuse and HTTP/1.1 pipelining. > This really speeds up multiple requests, so I hope your/our users will This is really a nice idea but I don't think that keys are requested too often. But for the 'refresh all keys' it could be very useful because of its speed. Timo From twoaday at freakmail.de Tue Dec 21 08:59:01 2004 From: twoaday at freakmail.de (Timo Schulz) Date: Tue Dec 21 09:59:25 2004 Subject: WinPT 0.9.14 and GPG 1.4.0 In-Reply-To: <200412202059.VAA00645@vulcan.xs4all.nl> References: <20041220175816.GF276@daredevil.joesixpack.net> <200412202059.VAA00645@vulcan.xs4all.nl> Message-ID: <20041221075901.GE644@daredevil.joesixpack.net> On Mon Dec 20 2004; 21:59, Johan Wevers wrote: > Thanks. The file, however, is signed with an expired key 0x27F36D14, > (it says it's your laptop key) which I can't find on the keyservers. > Is there a version that is not expired somewhere? I will upload the updated version (expires 2005-12-21) after I answered the mail (to a keyserver!). And it is signed by my main key (BF3DF9B4) if this key is in your WoT. Of course I will also update the twoaday.asc file. > >And now the source of it is also available. > > This file is unsigned. Oops, I forgot to add the sig. I will do it today... Thanks, Timo From jas at extundo.com Tue Dec 21 11:39:15 2004 From: jas at extundo.com (Simon Josefsson) Date: Tue Dec 21 11:35:48 2004 Subject: Using the "preferred keyserver URL" in GnuPG 1.4 In-Reply-To: <20041220164001.GA30899__10352.9219203212$1103564914$gmane$org@jabberwocky.com> (David Shaw's message of "Mon, 20 Dec 2004 11:40:01 -0500") References: <20041220164001.GA30899__10352.9219203212$1103564914$gmane$org@jabberwocky.com> Message-ID: David Shaw writes: > 1) gpg --edit-key (yourkey) > 2) keyserver (yoururl) > 3) save When I do this, gpg seem to expire my key... what am I doing wrong? Thanks. jas@latte:~$ gpg --version|head -1 gpg (GnuPG) 1.4.0 jas@latte:~$ gpg --list-key b565716f gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information pub 1280R/B565716F 2002-05-05 [expires: 2005-04-13] uid Simon Josefsson uid Simon Josefsson sub 1280R/4D5D40AE 2002-05-05 [expires: 2005-04-13] jas@latte:~$ gpg --edit-key b565716f gpg (GnuPG) 1.4.0; Copyright (C) 2004 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information Secret key is available. pub 1280R/B565716F created: 2002-05-05 expires: 2005-04-13 usage: CS trust: ultimate validity: ultimate sub 1280R/4D5D40AE created: 2002-05-05 expires: 2005-04-13 usage: E [ultimate] (1). Simon Josefsson [ultimate] (2) Simon Josefsson Command> keyserver http://josefsson.org/key.txt gpg: WARNING: no user ID has been marked as primary. This command may cause a different user ID to become the assumed primary. You need a passphrase to unlock the secret key for user: "Simon Josefsson " 1280-bit RSA key, ID B565716F, created 2002-05-05 pub 1280R/B565716F created: 2002-05-05 expired: 2003-05-05 usage: CS trust: ultimate validity: expired sub 1280R/4D5D40AE created: 2002-05-05 expired: 2005-04-13 usage: E [ expired] (1). Simon Josefsson [ expired] (2) Simon Josefsson Command> q Save changes? (y/N) y jas@latte:~$ gpg --list-key b565716f gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information pub 1280R/B565716F 2002-05-05 [expired: 2003-05-05)] uid Simon Josefsson uid Simon Josefsson jas@latte:~$ From asmart at kingsdown.swindon.sch.uk Tue Dec 21 11:51:12 2004 From: asmart at kingsdown.swindon.sch.uk (Andy Smart) Date: Tue Dec 21 11:47:38 2004 Subject: Keyserver and spam Message-ID: <41C80020.6020103@kingsdown.swindon.sch.uk> Whats the current state of play with keyservers and spammers? Is it technically possible for them to harvest addresses from keyservers, and does anybody know if its a problem? Xmas wishes andy -------------- next part -------------- A non-text attachment was scrubbed... Name: asmart.vcf Type: text/x-vcard Size: 313 bytes Desc: not available Url : /pipermail/attachments/20041221/8cd88c4a/asmart-0001.bin From maillists at webmounty.de Tue Dec 21 14:13:11 2004 From: maillists at webmounty.de (Ingo Buescher) Date: Tue Dec 21 14:10:04 2004 Subject: Keyserver and spam In-Reply-To: <41C80020.6020103@kingsdown.swindon.sch.uk> References: <41C80020.6020103@kingsdown.swindon.sch.uk> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, 21 Dec 2004, Andy Smart wrote: > Whats the current state of play with keyservers and spammers? Is it > technically possible for them to harvest addresses from keyservers, and does > anybody know if its a problem? Spammers definitely use keyservers to get addresses to spam. I uploaded a key some time ago with an address, that I never used anywhere before - two days later they(tm) began spamming and no, the address isn't easy to guess. > andy > Ingo - -- =========================================================================== Ingo Buescher "As war and government prove, insanity is the most contagious of diseases." -- Edward Abbey -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) Comment: Made with pgp4pine 1.76 iD8DBQFByCFsCHha398AyTkRApatAJ44iGPxQwPNOd4+ILdSz3QJyUER0gCff07R G6KigWnSHib3KQ52BHozQok= =tn/u -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Tue Dec 21 14:52:14 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Dec 21 14:49:18 2004 Subject: Using the "preferred keyserver URL" in GnuPG 1.4 In-Reply-To: References: <20041220164001.GA30899__10352.9219203212$1103564914$gmane$org@jabberwocky.com> Message-ID: <20041221135214.GO22290@jabberwocky.com> On Tue, Dec 21, 2004 at 11:39:15AM +0100, Simon Josefsson wrote: > David Shaw writes: > > > 1) gpg --edit-key (yourkey) > > 2) keyserver (yoururl) > > 3) save > > When I do this, gpg seem to expire my key... what am I doing wrong? Interesting bug. Try this patch to keyedit.c David -------------- next part -------------- Index: keyedit.c =================================================================== RCS file: /cvs/gnupg/gnupg/g10/keyedit.c,v retrieving revision 1.165 diff -u -r1.165 keyedit.c --- keyedit.c 21 Dec 2004 04:19:03 -0000 1.165 +++ keyedit.c 21 Dec 2004 13:52:16 -0000 @@ -3558,7 +3558,8 @@ { PKT_signature *sig = node->pkt->pkt.signature; if ( keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1] - && (uid && (sig->sig_class&~3) == 0x10) ) + && (uid && (sig->sig_class&~3) == 0x10) + && sig->flags.chosen_selfsig) { char *user=utf8_to_native(uid->name,strlen(uid->name),0); if( sig->version < 4 ) From dshaw at jabberwocky.com Tue Dec 21 15:01:22 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Dec 21 14:58:22 2004 Subject: Using the "preferred keyserver URL" in GnuPG 1.4 In-Reply-To: <20041221081957.GU2824@psilocybe.teonanacatl.org> References: <20041220164001.GA30899@jabberwocky.com> <20041221081957.GU2824@psilocybe.teonanacatl.org> Message-ID: <20041221140122.GP22290@jabberwocky.com> On Tue, Dec 21, 2004 at 03:19:57AM -0500, Todd wrote: > David Shaw wrote: > > GnuPG 1.4 adds a new "preferred keyserver" feature, that lets you > > include a URL with your key and/or with signatures you issue to help > > the recipient know where and how to get your key. > > This is a damn cool feature. Thanks for adding it! > > I have a few questions about it after poking around with it briefly. > > > To add a URL to your key, follow these steps: > > > > 1) gpg --edit-key (yourkey) > > 2) keyserver (yoururl) > > 3) save > > Doing this, I was surprised to find that the revoked user ids on my > key were now not shown as revoked. I'm guessing that's due to the new > signature added when the preferred keyserver was added? I ended up > selecting the non-revoked user ids and then using the keyserver > command. Is this the intended way to go about things? It seemed > rather unintuitive at first glance. Different result, but underneath it's the same bug that Simon Josefsson saw. Try the patch I just sent to the list. > > The URLs can be: > [...] > > http for a file on the web > > for example: http://www.jabberwocky.com/key.asc > > I tried using a pobox.com URL. When I tested it I received this > message from gpg: > > Key available at: http://www.pobox.com/~tmz/pgp/tmz.asc > requesting key D654075A from http server www.pobox.com > no valid OpenPGP data found. > requesting key D654075A from hkp server subkeys.pgp.net > > Again I'm just guessing, but I figure it's because pobox.com redirects > to where my current ISP gives me some webspace. I'd like to be able > to put a preferred keyserver url in my key and signatures that won't > change often, hence the pobox.com url would be nice to use. Is it a > conscious decision not to follow redirects or just a limitation of the > gpg http code (or a complete misunderstanding on my part, hehe)? Good guess - it is indeed that the http code does not follow redirects. I have to think about how best to handle this. David From jas at extundo.com Tue Dec 21 15:41:08 2004 From: jas at extundo.com (Simon Josefsson) Date: Tue Dec 21 15:38:44 2004 Subject: Using the "preferred keyserver URL" in GnuPG 1.4 In-Reply-To: <20041221135214.GO22290__20568.8764028766$1103638152$gmane$org@jabberwocky.com> (David Shaw's message of "Tue, 21 Dec 2004 08:52:14 -0500") References: <20041220164001.GA30899__10352.9219203212$1103564914$gmane$org@jabberwocky.com> <20041221135214.GO22290__20568.8764028766$1103638152$gmane$org@jabberwocky.com> Message-ID: David Shaw writes: > On Tue, Dec 21, 2004 at 11:39:15AM +0100, Simon Josefsson wrote: >> David Shaw writes: >> >> > 1) gpg --edit-key (yourkey) >> > 2) keyserver (yoururl) >> > 3) save >> >> When I do this, gpg seem to expire my key... what am I doing wrong? > > Interesting bug. Try this patch to keyedit.c It works fine now. Thanks. jas@latte:~$ gpg --edit-key b565716f gpg (GnuPG) 1.4.0; Copyright (C) 2004 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information Secret key is available. pub 1280R/B565716F created: 2002-05-05 expires: 2005-04-13 usage: CS trust: ultimate validity: ultimate sub 1280R/4D5D40AE created: 2002-05-05 expires: 2005-04-13 usage: E [ultimate] (1). Simon Josefsson [ultimate] (2) Simon Josefsson Command> keyserver dns:simon.josefsson.org?type=CERT gpg: WARNING: no user ID has been marked as primary. This command may cause a different user ID to become the assumed primary. You need a passphrase to unlock the secret key for user: "Simon Josefsson " 1280-bit RSA key, ID B565716F, created 2002-05-05 pub 1280R/B565716F created: 2002-05-05 expires: 2005-04-13 usage: CS trust: ultimate validity: ultimate sub 1280R/4D5D40AE created: 2002-05-05 expires: 2005-04-13 usage: E [ultimate] (1) Simon Josefsson [ultimate] (2). Simon Josefsson Command> q Save changes? (y/N) y jas@latte:~$ From dshaw at jabberwocky.com Tue Dec 21 17:05:33 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Dec 21 17:02:30 2004 Subject: Using the "preferred keyserver URL" in GnuPG 1.4 In-Reply-To: References: <20041220164001.GA30899__10352.9219203212$1103564914$gmane$org@jabberwocky.com> <20041221135214.GO22290__20568.8764028766$1103638152$gmane$org@jabberwocky.com> Message-ID: <20041221160533.GA10888@jabberwocky.com> On Tue, Dec 21, 2004 at 03:41:08PM +0100, Simon Josefsson wrote: > David Shaw writes: > > > On Tue, Dec 21, 2004 at 11:39:15AM +0100, Simon Josefsson wrote: > >> David Shaw writes: > >> > >> > 1) gpg --edit-key (yourkey) > >> > 2) keyserver (yoururl) > >> > 3) save > >> > >> When I do this, gpg seem to expire my key... what am I doing wrong? > > > > Interesting bug. Try this patch to keyedit.c > > It works fine now. Excellent. The fix will be in 1.4.1. > Command> keyserver dns:simon.josefsson.org?type=CERT Neat. Where can I download gpgkeys_dns? ;) David From jas at extundo.com Tue Dec 21 17:54:34 2004 From: jas at extundo.com (Simon Josefsson) Date: Tue Dec 21 17:51:05 2004 Subject: Using the "preferred keyserver URL" in GnuPG 1.4 In-Reply-To: <20041221160533.GA10888__10161.5904867232$1103645825$gmane$org@jabberwocky.com> (David Shaw's message of "Tue, 21 Dec 2004 11:05:33 -0500") References: <20041220164001.GA30899__10352.9219203212$1103564914$gmane$org@jabberwocky.com> <20041221135214.GO22290__20568.8764028766$1103638152$gmane$org@jabberwocky.com> <20041221160533.GA10888__10161.5904867232$1103645825$gmane$org@jabberwocky.com> Message-ID: David Shaw writes: > Excellent. The fix will be in 1.4.1. Great! >> Command> keyserver dns:simon.josefsson.org?type=CERT > > Neat. Where can I download gpgkeys_dns? ;) I did some work on a DNS based client earlier, , but I'm not sure how well it works today. But writing a gpgkeys_dns.c using res_query should not be difficult. Would you accept it if I wrote it? Could be a fun Christmas project... Sadly there is no easily available C libraries for dynamic update, so sending keys to DNS keyservers is more difficult to implement in C. Can gpg use the keyserver infrastructure for revocation checking? Regards, Simon From Freedom_Lover at pobox.com Tue Dec 21 18:00:46 2004 From: Freedom_Lover at pobox.com (Todd) Date: Tue Dec 21 17:57:52 2004 Subject: Using the "preferred keyserver URL" in GnuPG 1.4 In-Reply-To: <20041221140122.GP22290@jabberwocky.com> References: <20041220164001.GA30899@jabberwocky.com> <20041221081957.GU2824@psilocybe.teonanacatl.org> <20041221140122.GP22290@jabberwocky.com> Message-ID: <20041221170046.GW2824@psilocybe.teonanacatl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Shaw wrote: > Different result, but underneath it's the same bug that Simon > Josefsson saw. Try the patch I just sent to the list. Yep, WORKSFORME. Thanks again David. > Good guess - it is indeed that the http code does not follow > redirects. I have to think about how best to handle this. Cool. Good to know. Thanks for all the effort! - -- Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp ====================================================================== A political man can have as his aim the realization of freedom, but he has no means to realize it other than through violence. -- Jean Paul Sartre -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl. iG0EARECAC0FAkHIVr4mGGh0dHA6Ly93d3cucG9ib3guY29tL350bXovcGdwL3Rt ei5hc2MACgkQuv+09NZUB1r4UwCgrMuPWhCT+o3InW1C/gfemcDaK0AAnRnG2EYF JFAPcHcrysmYvkq8BHKN =h+Im -----END PGP SIGNATURE----- From Freedom_Lover at pobox.com Tue Dec 21 18:10:42 2004 From: Freedom_Lover at pobox.com (Todd) Date: Tue Dec 21 18:07:38 2004 Subject: Readline support in 1.4 Message-ID: <20041221171042.GX2824@psilocybe.teonanacatl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I've built 1.4.0 on Fedora Core 2 and haven't been able to get readline support working. The configure output says it has found the proper readline libraries, at least partly: checking whether readline support is requested... yes [...] checking for add_history in -lreadline... no checking readline/readline.h usability... yes checking readline/readline.h presence... yes checking for readline/readline.h... yes I'm not much for understanding the autoconf tools, but looking a little at it, I think it's because of the failure to find add_history in -lreadline. That looks like it leaves HAVE_LIBREADLINE undefined in config.h and so readline doesn't get used. Is there something wrong with the readline libs on FC2 (too new, too old, borked install, sysadmin stupidity)? Or maybe it's a libtool problem? Readline is version 4.3, with the devel rpm installed. Libtool is 1.5.6. I can post config.log from my build if it'd help. - -- Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp ====================================================================== Drugs may lead to nowhere, but at least it's the scenic route. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl. iG0EARECAC0FAkHIWRImGGh0dHA6Ly93d3cucG9ib3guY29tL350bXovcGdwL3Rt ei5hc2MACgkQuv+09NZUB1pZTQCg3mfqACqtusOMjgn4MIp6OY5Wos8AoI3v940L cmN9XAePm0gccLFLfk02 =81SY -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Tue Dec 21 18:29:40 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Dec 21 18:26:42 2004 Subject: Readline support in 1.4 In-Reply-To: <20041221171042.GX2824@psilocybe.teonanacatl.org> References: <20041221171042.GX2824@psilocybe.teonanacatl.org> Message-ID: <20041221172940.GC10888@jabberwocky.com> On Tue, Dec 21, 2004 at 12:10:42PM -0500, Todd wrote: > I've built 1.4.0 on Fedora Core 2 and haven't been able to get > readline support working. The configure output says it has found the > proper readline libraries, at least partly: > > checking whether readline support is requested... yes > [...] > checking for add_history in -lreadline... no > checking readline/readline.h usability... yes > checking readline/readline.h presence... yes > checking for readline/readline.h... yes > > I'm not much for understanding the autoconf tools, but looking a > little at it, I think it's because of the failure to find add_history > in -lreadline. That looks like it leaves HAVE_LIBREADLINE undefined > in config.h and so readline doesn't get used. > > Is there something wrong with the readline libs on FC2 (too new, too > old, borked install, sysadmin stupidity)? Or maybe it's a libtool > problem? There was a little problem with the autoconf check for readline in 1.4.0. It's already been fixed for 1.4.1, but the fix is too large for me to just send to you as a patch. The problem is that on some platforms, readline needs other libraries as a sub-dependency (usually termcap or curses). It seems that FC2 is one of those platforms. You might try doing: LIBS="-ltermcap" ./configure David From bpm at idiom.com Tue Dec 21 18:42:51 2004 From: bpm at idiom.com (Breen Mullins) Date: Tue Dec 21 18:39:14 2004 Subject: Readline support in 1.4 In-Reply-To: <20041221171042.GX2824@psilocybe.teonanacatl.org> References: <20041221171042.GX2824@psilocybe.teonanacatl.org> Message-ID: <20041221174251.GA2570@idiom.com> On Tue, Dec 21, 2004 at 12:10:42PM -0500, Todd wrote: > I've built 1.4.0 on Fedora Core 2 and haven't been able to get > readline support working. The configure output says it has found the > proper readline libraries, at least partly: > > checking whether readline support is requested... yes > [...] > checking for add_history in -lreadline... no > checking readline/readline.h usability... yes > checking readline/readline.h presence... yes > checking for readline/readline.h... yes Hmm. Confirmed on FC3. There, add_history is in libhistory. Breen -- Breen Mullins Menlo Park, California From henkdebruijn at wanadoo.nl Tue Dec 21 19:03:18 2004 From: henkdebruijn at wanadoo.nl (Henk de Bruijn) Date: Tue Dec 21 18:59:47 2004 Subject: gpg: conversion from `utf-8 to `CP0 not available In-Reply-To: <87u0qk7npm.fsf@wheatstone.g10code.de> References: <1813673219@web.de> <87u0qk7npm.fsf@wheatstone.g10code.de> Message-ID: <48927115.20041221190318@wanadoo.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On the tbbetalist another reader and the Bat! user made a fix: http://www.andric.com/gnupg/gnupg-w32cli-1.4.0a-cpfix.zip And after replacing gpg.exe and placing iconv.dll back it works!!! Thanks very much Dimitry! - -- Henk ______________________________________________________________________ The Bat!? Natural Email System v3.0.2.10nl Professional on Windows XP SP2 PGPkey available at http://www.biglumber.com/x/web?qs=0x12069B93DBE6E678 Gossamer Spider Web of Trust GSWoT https://gswot.dyndns.org/ A Progressive and Innovative Web of Trust -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) - GPGrelay v0.955 iD8DBQFByGVuEgabk9vm5ngRAn9CAJ40TZ+4Wuryv8Gxpo1sKXF/clrMTwCfeRQk Ts4fZj4zbhz1DipKj2KCP68= =65iS -----END PGP SIGNATURE----- From wk at gnupg.org Tue Dec 21 20:05:57 2004 From: wk at gnupg.org (Werner Koch) Date: Tue Dec 21 20:09:42 2004 Subject: Using the "preferred keyserver URL" in GnuPG 1.4 In-Reply-To: (Simon Josefsson's message of "Tue, 21 Dec 2004 17:54:34 +0100") References: <20041220164001.GA30899__10352.9219203212$1103564914$gmane$org@jabberwocky.com> <20041221135214.GO22290__20568.8764028766$1103638152$gmane$org@jabberwocky.com> <20041221160533.GA10888__10161.5904867232$1103645825$gmane$org@jabberwocky.com> Message-ID: <87sm5zqxnu.fsf@wheatstone.g10code.de> On Tue, 21 Dec 2004 17:54:34 +0100, Simon Josefsson said: > But writing a gpgkeys_dns.c using res_query should not be difficult. > Would you accept it if I wrote it? Could be a fun Christmas > project... If David agrees we can do that. We need a copyright assignment of course. Werner From dshaw at jabberwocky.com Tue Dec 21 20:21:05 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Dec 21 20:18:02 2004 Subject: Using the "preferred keyserver URL" in GnuPG 1.4 In-Reply-To: References: <20041220164001.GA30899__10352.9219203212$1103564914$gmane$org@jabberwocky.com> <20041221135214.GO22290__20568.8764028766$1103638152$gmane$org@jabberwocky.com> <20041221160533.GA10888__10161.5904867232$1103645825$gmane$org@jabberwocky.com> Message-ID: <20041221192105.GA11678@jabberwocky.com> On Tue, Dec 21, 2004 at 05:54:34PM +0100, Simon Josefsson wrote: > David Shaw writes: > > > Excellent. The fix will be in 1.4.1. > > Great! > > >> Command> keyserver dns:simon.josefsson.org?type=CERT > > > > Neat. Where can I download gpgkeys_dns? ;) > > I did some work on a DNS based client earlier, > , but I'm not sure how well it > works today. > > But writing a gpgkeys_dns.c using res_query should not be difficult. > Would you accept it if I wrote it? Could be a fun Christmas > project... If it is okay with Werner, it is ok with me. The only thing is that we need a copyright assignment to the FSF. Keep in mind that you're committing yourself to maintain it on different platforms :) :) > Can gpg use the keyserver infrastructure for revocation checking? Not currently. Somewhere on the todo list is a change to allow that. It is difficult since there is no way to say "give me this update only if it is revoked" in many keyserver protocols. It is possible in LDAP, and with CERT of course. David From Freedom_Lover at pobox.com Tue Dec 21 20:28:27 2004 From: Freedom_Lover at pobox.com (Todd) Date: Tue Dec 21 20:25:26 2004 Subject: Readline support in 1.4 In-Reply-To: <20041221172940.GC10888@jabberwocky.com> References: <20041221171042.GX2824@psilocybe.teonanacatl.org> <20041221172940.GC10888@jabberwocky.com> Message-ID: <20041221192827.GZ2824@psilocybe.teonanacatl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Shaw wrote: > There was a little problem with the autoconf check for readline in > 1.4.0. It's already been fixed for 1.4.1, but the fix is too large > for me to just send to you as a patch. > > The problem is that on some platforms, readline needs other > libraries as a sub-dependency (usually termcap or curses). It seems > that FC2 is one of those platforms. Thanks for the info. > You might try doing: > > LIBS="-ltermcap" ./configure I tried this (as well as with -lcurses and -lncurses) and while this does succeed in building with readline support, I don't think it's right still. Tabbing at the Command> prompt for --edit-key completes the file names in the current dir, not the command names like I'd expect. I suppose I'll just wait until 1.4.1 or give CVS a try to see if it behaves differently. - -- Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp ====================================================================== Cogito cogito ergo cogito sum -- I think that I think, therefore I think that I am. -- Ambrose Bierce, "The Devil's Dictionary" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl. iG0EARECAC0FAkHIeVgmGGh0dHA6Ly93d3cucG9ib3guY29tL350bXovcGdwL3Rt ei5hc2MACgkQuv+09NZUB1qD3gCbBtTpM3RcCoCQC/tiKhAGdhNgYqEAniHacicQ d4UiEtO4hXjElIBrvc7p =3Cex -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Tue Dec 21 21:18:47 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Dec 21 21:15:53 2004 Subject: Readline support in 1.4 In-Reply-To: <20041221192827.GZ2824@psilocybe.teonanacatl.org> References: <20041221171042.GX2824@psilocybe.teonanacatl.org> <20041221172940.GC10888@jabberwocky.com> <20041221192827.GZ2824@psilocybe.teonanacatl.org> Message-ID: <20041221201847.GB11678@jabberwocky.com> On Tue, Dec 21, 2004 at 02:28:27PM -0500, Todd wrote: > David Shaw wrote: > > There was a little problem with the autoconf check for readline in > > 1.4.0. It's already been fixed for 1.4.1, but the fix is too large > > for me to just send to you as a patch. > > > > The problem is that on some platforms, readline needs other > > libraries as a sub-dependency (usually termcap or curses). It seems > > that FC2 is one of those platforms. > > Thanks for the info. > > > You might try doing: > > > > LIBS="-ltermcap" ./configure > > I tried this (as well as with -lcurses and -lncurses) and while this > does succeed in building with readline support, I don't think it's > right still. Tabbing at the Command> prompt for --edit-key completes > the file names in the current dir, not the command names like I'd > expect. I suppose I'll just wait until 1.4.1 or give CVS a try to see > if it behaves differently. Tab-completion is a whole different problem. Does the up-arrow history stuff work properly for you when building with -ltermcap? David From Freedom_Lover at pobox.com Tue Dec 21 21:40:19 2004 From: Freedom_Lover at pobox.com (Todd) Date: Tue Dec 21 21:37:15 2004 Subject: Readline support in 1.4 In-Reply-To: <20041221201847.GB11678@jabberwocky.com> References: <20041221171042.GX2824@psilocybe.teonanacatl.org> <20041221172940.GC10888@jabberwocky.com> <20041221192827.GZ2824@psilocybe.teonanacatl.org> <20041221201847.GB11678@jabberwocky.com> Message-ID: <20041221204018.GA2824@psilocybe.teonanacatl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Shaw wrote: > Tab-completion is a whole different problem. Does the up-arrow > history stuff work properly for you when building with -ltermcap? Indeed it does. I was thinking readline support meant tab-completion for the commands. Someday I need to learn to code in C so I can help add stuff like that when I miss it. Thanks again for the clarification David. - -- Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp ====================================================================== The trouble with opportunity is that it always comes disguised as hard work. -- Herbert V. Prochnow -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl. iG0EARECAC0FAkHIijImGGh0dHA6Ly93d3cucG9ib3guY29tL350bXovcGdwL3Rt ei5hc2MACgkQuv+09NZUB1puOACg8D7bhKCg9DbcEOBVs0eCcekaWvkAoMUphsa0 0nQSizn10FnBuIxAbo0M =CDAz -----END PGP SIGNATURE----- From jas at extundo.com Tue Dec 21 22:27:59 2004 From: jas at extundo.com (Simon Josefsson) Date: Tue Dec 21 22:24:30 2004 Subject: Using the "preferred keyserver URL" in GnuPG 1.4 In-Reply-To: <20041221192105.GA11678__49043.8050045215$1103657757$gmane$org@jabberwocky.com> (David Shaw's message of "Tue, 21 Dec 2004 14:21:05 -0500") References: <20041220164001.GA30899__10352.9219203212$1103564914$gmane$org@jabberwocky.com> <20041221135214.GO22290__20568.8764028766$1103638152$gmane$org@jabberwocky.com> <20041221160533.GA10888__10161.5904867232$1103645825$gmane$org@jabberwocky.com> <20041221192105.GA11678__49043.8050045215$1103657757$gmane$org@jabberwocky.com> Message-ID: David Shaw writes: >> But writing a gpgkeys_dns.c using res_query should not be difficult. >> Would you accept it if I wrote it? Could be a fun Christmas >> project... > > If it is okay with Werner, it is ok with me. The only thing is that > we need a copyright assignment to the FSF. Keep in mind that you're > committing yourself to maintain it on different platforms :) :) I think the main concern is that res_query is non-standard, but when it is not available, disabling gpgkeys_dns seem like a simple solution. Fortunately there seem to already be code in gpg that have the same issue, so much can be reused. >> Can gpg use the keyserver infrastructure for revocation checking? > > Not currently. Somewhere on the todo list is a change to allow that. > It is difficult since there is no way to say "give me this update only > if it is revoked" in many keyserver protocols. It is possible in > LDAP, and with CERT of course. Perhaps gpg could support it for those keyserver protocols were it is easy to support that model. Could be a nice test of PGP revocation certs using CERT. On the other hand, there are some advantages in creating a new DNS type for OpenPGP revocation certs, that is separate from CERT. (Query simon.josefsson.org IN CERT to see why... The PKIX certificate would still overflow the UDP limit.) However, implementing the idea in gpg might be a first step in dispersing knowledge about the idea... Thanks. From dshaw at jabberwocky.com Tue Dec 21 22:31:46 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Dec 21 22:28:47 2004 Subject: Readline support in 1.4 In-Reply-To: <20041221174251.GA2570@idiom.com> References: <20041221171042.GX2824@psilocybe.teonanacatl.org> <20041221174251.GA2570@idiom.com> Message-ID: <20041221213146.GC11678@jabberwocky.com> On Tue, Dec 21, 2004 at 09:42:51AM -0800, Breen Mullins wrote: > On Tue, Dec 21, 2004 at 12:10:42PM -0500, Todd wrote: > > I've built 1.4.0 on Fedora Core 2 and haven't been able to get > > readline support working. The configure output says it has found the > > proper readline libraries, at least partly: > > > > checking whether readline support is requested... yes > > [...] > > checking for add_history in -lreadline... no > > checking readline/readline.h usability... yes > > checking readline/readline.h presence... yes > > checking for readline/readline.h... yes > > Hmm. Confirmed on FC3. > > There, add_history is in libhistory. Do you think you could try the CVS version and let me know if things work properly for you on FC3? David From dshaw at jabberwocky.com Tue Dec 21 22:37:08 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Dec 21 22:34:15 2004 Subject: Readline support in 1.4 In-Reply-To: <20041221204018.GA2824@psilocybe.teonanacatl.org> References: <20041221171042.GX2824@psilocybe.teonanacatl.org> <20041221172940.GC10888@jabberwocky.com> <20041221192827.GZ2824@psilocybe.teonanacatl.org> <20041221201847.GB11678@jabberwocky.com> <20041221204018.GA2824@psilocybe.teonanacatl.org> Message-ID: <20041221213708.GD11678@jabberwocky.com> On Tue, Dec 21, 2004 at 03:40:19PM -0500, Todd wrote: > David Shaw wrote: > > Tab-completion is a whole different problem. Does the up-arrow > > history stuff work properly for you when building with -ltermcap? > > Indeed it does. I was thinking readline support meant tab-completion > for the commands. Someday I need to learn to code in C so I can help > add stuff like that when I miss it. Thanks again for the > clarification David. It's not a bad idea to tab-complete the commands. If nothing else, we should turn off the tab-completion of filenames in the keyedit menu since it doesn't actually take filenames.. David From bpm at idiom.com Tue Dec 21 22:54:52 2004 From: bpm at idiom.com (Breen Mullins) Date: Tue Dec 21 22:51:32 2004 Subject: Readline support in 1.4 In-Reply-To: <20041221213146.GC11678@jabberwocky.com> References: <20041221171042.GX2824@psilocybe.teonanacatl.org> <20041221174251.GA2570@idiom.com> <20041221213146.GC11678@jabberwocky.com> Message-ID: <20041221215451.GF2570@idiom.com> On Tue, Dec 21, 2004 at 04:31:46PM -0500, David Shaw wrote: > Do you think you could try the CVS version and let me know if things > work properly for you on FC3? I've checked out CVS - will try it when I get a chance. Breen -- Breen Mullins Menlo Park, California From Freedom_Lover at pobox.com Tue Dec 21 22:57:25 2004 From: Freedom_Lover at pobox.com (Todd) Date: Tue Dec 21 22:54:20 2004 Subject: Readline support in 1.4 In-Reply-To: <20041221213708.GD11678@jabberwocky.com> References: <20041221171042.GX2824@psilocybe.teonanacatl.org> <20041221172940.GC10888@jabberwocky.com> <20041221192827.GZ2824@psilocybe.teonanacatl.org> <20041221201847.GB11678@jabberwocky.com> <20041221204018.GA2824@psilocybe.teonanacatl.org> <20041221213708.GD11678@jabberwocky.com> Message-ID: <20041221215725.GC2824@psilocybe.teonanacatl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Shaw wrote: > It's not a bad idea to tab-complete the commands. Count me as a user that'd find that real handy. I'm just waiting to my tab key to break from overuse. :) But for as often as I need to use the edit key commands, it's certainly not something I miss every day. > If nothing else, we should turn off the tab-completion of filenames > in the keyedit menu since it doesn't actually take filenames.. Yeah, when I first tabbed, I was in the gnupg build dir and the lower left filename was checks, which I saw and thought was the check command and that tab completions was working. Then I opened my eyes further and realized I was just seeing what I wanted to see. Ha. - -- Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp ====================================================================== There is no pleasure in having nothing to do; the fun is in having lots to do and not doing it. -- Mary Wilson Little -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl. iG0EARECAC0FAkHInEUmGGh0dHA6Ly93d3cucG9ib3guY29tL350bXovcGdwL3Rt ei5hc2MACgkQuv+09NZUB1rM6wCgpmITk6aM4s+iwWXhdeMrcsEaHlIAoIQSoxrT pl/Z2oUn1/iS0Bd7X1uz =yqrm -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Tue Dec 21 23:17:04 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Dec 21 23:14:02 2004 Subject: Using the "preferred keyserver URL" in GnuPG 1.4 In-Reply-To: References: <20041220164001.GA30899__10352.9219203212$1103564914$gmane$org@jabberwocky.com> <20041221135214.GO22290__20568.8764028766$1103638152$gmane$org@jabberwocky.com> <20041221160533.GA10888__10161.5904867232$1103645825$gmane$org@jabberwocky.com> <20041221192105.GA11678__49043.8050045215$1103657757$gmane$org@jabberwocky.com> Message-ID: <20041221221704.GE11678@jabberwocky.com> On Tue, Dec 21, 2004 at 10:27:59PM +0100, Simon Josefsson wrote: > David Shaw writes: > > >> But writing a gpgkeys_dns.c using res_query should not be difficult. > >> Would you accept it if I wrote it? Could be a fun Christmas > >> project... > > > > If it is okay with Werner, it is ok with me. The only thing is that > > we need a copyright assignment to the FSF. Keep in mind that you're > > committing yourself to maintain it on different platforms :) :) > > I think the main concern is that res_query is non-standard, but when > it is not available, disabling gpgkeys_dns seem like a simple > solution. Fortunately there seem to already be code in gpg that have > the same issue, so much can be reused. Yes, the SRV code uses res_query. If you use HAVE_DNS_SRV to detect whether res_query is available and link with @SRVLIBS@ then you can safely use res_query anywhere. If HAVE_DNS_SRV is set, you can rely on res_query(), dn_expand(), and dn_skipname(). > >> Can gpg use the keyserver infrastructure for revocation checking? > > > > Not currently. Somewhere on the todo list is a change to allow that. > > It is difficult since there is no way to say "give me this update only > > if it is revoked" in many keyserver protocols. It is possible in > > LDAP, and with CERT of course. > > Perhaps gpg could support it for those keyserver protocols were it is > easy to support that model. Could be a nice test of PGP revocation > certs using CERT. On the other hand, there are some advantages in > creating a new DNS type for OpenPGP revocation certs, that is separate > from CERT. (Query simon.josefsson.org IN CERT to see why... The PKIX > certificate would still overflow the UDP limit.) However, > implementing the idea in gpg might be a first step in dispersing > knowledge about the idea... I'll make you a deal - if you write the DNS handler to properly handle a flag passed from gpg to do a revocation-only search, I'll write the code in gpg to pass that flag when appropriate. Since a revocation-only check can also be fulfilled (though slower) by a regular check, this would be nicely backwards compatible. David From bpm at idiom.com Wed Dec 22 00:45:03 2004 From: bpm at idiom.com (Breen Mullins) Date: Wed Dec 22 00:42:12 2004 Subject: Readline support in 1.4 In-Reply-To: <20041221232249.GH11678@jabberwocky.com> References: <20041221171042.GX2824@psilocybe.teonanacatl.org> <20041221174251.GA2570@idiom.com> <20041221213146.GC11678@jabberwocky.com> <20041221231915.GG2570@idiom.com> <20041221232249.GH11678@jabberwocky.com> Message-ID: <20041221234503.GI2570@idiom.com> On Tue, Dec 21, 2004 at 06:22:49PM -0500, David Shaw wrote: > On Tue, Dec 21, 2004 at 03:19:15PM -0800, Breen Mullins wrote: > > On Tue, Dec 21, 2004 at 04:31:46PM -0500, David Shaw wrote: > > > > > > Do you think you could try the CVS version and let me know if things > > > work properly for you on FC3? > > > > Appears to be good here: > > > > configure:21604: checking whether readline via "-lreadline -ltermcap" is > > present and sane > > configure:21627: gcc -o conftest -g -O2 conftest.c -lreadline > > -ltermcap >&5 > > configure:21633: $? = 0 > > configure:21637: test -z > > || test ! -s conftest.err > > configure:21640: $? = 0 > > configure:21643: test -s conftest > > configure:21646: $? = 0 > > configure:21658: result: yes > > Excellent. Does it actually work after all that? (do a gpg > --edit-key, enter a few commands and try do to a up-arrow for > history). [Added list back. Sorry.] Yes, works fine. Both {up,down}-arrow and Ctrl-{P,N}. Breen -- Breen Mullins Menlo Park, California From jas at extundo.com Wed Dec 22 02:22:21 2004 From: jas at extundo.com (Simon Josefsson) Date: Wed Dec 22 02:19:55 2004 Subject: Using the "preferred keyserver URL" in GnuPG 1.4 In-Reply-To: <20041221221704.GE11678__21572.7356299341$1103667630$gmane$org@jabberwocky.com> (David Shaw's message of "Tue, 21 Dec 2004 17:17:04 -0500") References: <20041220164001.GA30899__10352.9219203212$1103564914$gmane$org@jabberwocky.com> <20041221135214.GO22290__20568.8764028766$1103638152$gmane$org@jabberwocky.com> <20041221160533.GA10888__10161.5904867232$1103645825$gmane$org@jabberwocky.com> <20041221192105.GA11678__49043.8050045215$1103657757$gmane$org@jabberwocky.com> <20041221221704.GE11678__21572.7356299341$1103667630$gmane$org@jabberwocky.com> Message-ID: David Shaw writes: > I'll make you a deal - if you write the DNS handler to properly handle > a flag passed from gpg to do a revocation-only search, I'll write the > code in gpg to pass that flag when appropriate. Since a > revocation-only check can also be fulfilled (though slower) by a > regular check, this would be nicely backwards compatible. I tried my Perl version, and it still worked. Is Perl acceptable, or do I have to rewrite it in C? Get http://josefsson.org/gpgkeys_jkp/gpgkeys_jkp, and install it in the keyserver directory, add keyserver jkp://josefsson.org The server knows the 57548DCD and b565716f keys only: jas@latte:~$ gpg gnupg-1.4.0.tar.bz2.sig gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information gpg: Signature made Thu 16 Dec 2004 11:50:52 AM CET using DSA key ID 57548DCD gpg: requesting key 57548DCD from jkp server josefsson.org gpgkeys: attempting key 0x68B7AB8957548DCD from jkp://josefsson.org gpgkeys: querying for (0x57548DCD.josefsson.org, CERT) gpgkeys: key 0x57548DCD retrieved from josefsson.org gpg: key 57548DCD: public key "Werner Koch (gnupg sig) " importedgpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model gpg: depth: 0 valid: 3 signed: 3 trust: 0-, 0q, 0n, 0m, 0f, 3u gpg: depth: 1 valid: 3 signed: 5 trust: 2-, 0q, 0n, 1m, 0f, 0u gpg: next trustdb check due at 2005-04-13 gpg: Total number processed: 1 gpg: imported: 1 gpg: Good signature from "Werner Koch (gnupg sig) " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 6BD9 050F D8FC 941B 4341 2DCC 68B7 AB89 5754 8DCD jas@latte:~$ How will you design the protocol for revocation checks only? When is it appropriate to do the revocation check? It sounds as if this should be configurable? Maybe add a parameter: revocationserver jkp://josefsson.org or something? Or would revocation only be done through the "preferred key server" field from the owner's key? Perhaps revocation checks shouldn't be done too often? Might be some work in remembering when the last check was done, though... Thanks. PS. I'll take care of the paper work as well, of course. From greg at turnstep.com Wed Dec 22 02:44:04 2004 From: greg at turnstep.com (Greg Sabino Mullane) Date: Wed Dec 22 02:40:54 2004 Subject: Keyserver and spam In-Reply-To: <41C80020.6020103@kingsdown.swindon.sch.uk> Message-ID: <244aefd9be99127c3a090e2f1dc16508@biglumber.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > Whats the current state of play with keyservers and spammers? Is it > technically possible for them to harvest addresses from keyservers, and > does anybody know if its a problem? Yes it's possible, and no, it's not a problem. While possible, it is very unlikely, as there are so many other easier ways to get email addresses. However, your email may be scraped by keyservers or keyserver-related applications that put your key information on a web page. But I seriously doubt that a spammer has ever gotten email addresses directly from a keyserver. - -- Greg Sabino Mullane greg@turnstep.com PGP Key: 0x14964AC8 200412212044 http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8 -----BEGIN PGP SIGNATURE----- iD8DBQFByNG3vJuQZxSWSsgRAuQ2AKCFJ8xVlYG0O1XoBOIFOIFqyxe2hACg8cTK l7iP3LUKZFvQIJTJXwWWZn0= =T5UF -----END PGP SIGNATURE----- From eocsor at gmail.com Wed Dec 22 05:18:50 2004 From: eocsor at gmail.com (Roscoe) Date: Wed Dec 22 05:15:44 2004 Subject: Keyserver and spam In-Reply-To: <244aefd9be99127c3a090e2f1dc16508@biglumber.com> References: <41C80020.6020103@kingsdown.swindon.sch.uk> <244aefd9be99127c3a090e2f1dc16508@biglumber.com> Message-ID: I suppose its time for my two cents: I'm sure someone will rebuke me for what I did, though I was curious as to this keyserver spam issue as well. So I uploaded a key with a spamgourmet disposible email address, that email address was solely for the purpose of checking if spammers harvested addresses from keyservers. If your familar with how spamgourmet works, youll know by default that email address is only capable of recieving three emails before they just get dropped into the intarweb ether. I did get 3 articles of spam, sent to that address, the first one came the day after key upload, then 2 more the day (or was it the two days?) after that. So, you see, I myself am fairly confident spammers do harvest keyservers for emails, (and if they didnt I'd be surprised, if I were a spammer I would..) but at the same time the convenience they offer me far out weighs the problems. So far gmail's been doing pretty damn well at sorting spam from none spam, so well infact that spam isnt a problem to me, I couldnt care less. (Key was uploaded to subkeys.pgp.net btw) On Wed, 22 Dec 2004 01:44:04 -0000, Greg Sabino Mullane wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > Whats the current state of play with keyservers and spammers? Is it > > technically possible for them to harvest addresses from keyservers, and > > does anybody know if its a problem? > > Yes it's possible, and no, it's not a problem. While possible, it is very > unlikely, as there are so many other easier ways to get email addresses. > However, your email may be scraped by keyservers or keyserver-related > applications that put your key information on a web page. But I seriously > doubt that a spammer has ever gotten email addresses directly from a keyserver. > > - -- > Greg Sabino Mullane greg@turnstep.com > PGP Key: 0x14964AC8 200412212044 > http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8 > > -----BEGIN PGP SIGNATURE----- > > iD8DBQFByNG3vJuQZxSWSsgRAuQ2AKCFJ8xVlYG0O1XoBOIFOIFqyxe2hACg8cTK > l7iP3LUKZFvQIJTJXwWWZn0= > =T5UF > -----END PGP SIGNATURE----- > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From dshaw at jabberwocky.com Wed Dec 22 06:41:50 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Dec 22 06:39:06 2004 Subject: Using the "preferred keyserver URL" in GnuPG 1.4 In-Reply-To: References: <20041220164001.GA30899__10352.9219203212$1103564914$gmane$org@jabberwocky.com> <20041221135214.GO22290__20568.8764028766$1103638152$gmane$org@jabberwocky.com> <20041221160533.GA10888__10161.5904867232$1103645825$gmane$org@jabberwocky.com> <20041221192105.GA11678__49043.8050045215$1103657757$gmane$org@jabberwocky.com> <20041221221704.GE11678__21572.7356299341$1103667630$gmane$org@jabberwocky.com> Message-ID: <20041222054150.GA15489@jabberwocky.com> On Wed, Dec 22, 2004 at 02:22:21AM +0100, Simon Josefsson wrote: > David Shaw writes: > > > I'll make you a deal - if you write the DNS handler to properly handle > > a flag passed from gpg to do a revocation-only search, I'll write the > > code in gpg to pass that flag when appropriate. Since a > > revocation-only check can also be fulfilled (though slower) by a > > regular check, this would be nicely backwards compatible. > > I tried my Perl version, and it still worked. Is Perl acceptable, or > do I have to rewrite it in C? I think Perl is probably fine (after all the "mailto" handler is Perl). The only thing is that we must make sure that all of the Perl module dependencies are there before using it. We can do that in autoconf. > Get http://josefsson.org/gpgkeys_jkp/gpgkeys_jkp, and install it in > the keyserver directory, add > > keyserver jkp://josefsson.org jkp is not the same as the proposed dns:// url. Any reason not to use 'dns'? I know the RFC hasn't been published yet, but perhaps this can give you a chance to try the naming scheme out. > How will you design the protocol for revocation checks only? > > When is it appropriate to do the revocation check? It sounds as if > this should be configurable? Maybe add a parameter: > > revocationserver jkp://josefsson.org > > or something? > > Or would revocation only be done through the "preferred key server" > field from the owner's key? I'm not sure, exactly. I hadn't really thought about having a different server for revocations. Is it sufficient to have a revocation context flag passed to the gpgkeys_foo program? For example, in LDAP, the query string which is usually something like '(pgpcertid=DB698D7199242560)' could be changed to '(|(pgpcertid=DB698D7199242560)(pgprevoked=1))'. > Perhaps revocation checks shouldn't be done too often? Might be some > work in remembering when the last check was done, though... I worry about this sort of thing. It can lead to serious user confusion since gpg (or more likely gpgkeys) needs to track when the key was last retrieved, and some users use different servers at different times so it would have to be stored per-server and then the user wonders why their key didn't update because it was within the lockout period, etc, etc... David From henkdebruijn at wanadoo.nl Wed Dec 22 09:47:46 2004 From: henkdebruijn at wanadoo.nl (Henk de Bruijn) Date: Wed Dec 22 09:44:13 2004 Subject: t-sign Message-ID: <12942293.20041222094746@wanadoo.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Till now I used PGP for trustsigning and GnuPG for the rest of my daily work. When I heard of the possiblity of t-sign in GnuPG I was anxious to give it a try. I manage to produce the simular sig (trusted introducer) as in PGP. Do these signatures behave simular as in PGP, I mean can I get rid of PGP now? - -- Henk ______________________________________________________________________ The Bat!? Natural Email System v3.0.2.10nl Professional on Windows XP SP2 PGPkey available at http://www.biglumber.com/x/web?qs=0x12069B93DBE6E678 Gossamer Spider Web of Trust GSWoT https://gswot.dyndns.org/ A Progressive and Innovative Web of Trust -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) - GPGrelay v0.955 iD8DBQFByTS6Egabk9vm5ngRApOJAKDjJNwxKxTirHYFyekNS3Dye22dygCeLIAG UdajZhsL7mqfP6hEdTTvluQ= =j6ST -----END PGP SIGNATURE----- From wk at gnupg.org Wed Dec 22 10:10:50 2004 From: wk at gnupg.org (Werner Koch) Date: Wed Dec 22 10:19:54 2004 Subject: Keyserver and spam In-Reply-To: (eocsor@gmail.com's message of "Wed, 22 Dec 2004 13:48:50 +0930") References: <41C80020.6020103@kingsdown.swindon.sch.uk> <244aefd9be99127c3a090e2f1dc16508@biglumber.com> Message-ID: <873bxyr945.fsf@wheatstone.g10code.de> On Wed, 22 Dec 2004 13:48:50 +0930, Roscoe said: > I did get 3 articles of spam, sent to that address, the first one came > the day after key upload, then 2 more the day (or was it the two > days?) after that. So this has changed since that last spam report, where they researched the orgins of addresses used for spam. IIRC, that report claimed that no spam has been received through keyservers. Sorry, I can't rememeber a URL or the year (my guess is 2 years ago). Werner. From wk at gnupg.org Wed Dec 22 10:04:18 2004 From: wk at gnupg.org (Werner Koch) Date: Wed Dec 22 10:20:44 2004 Subject: Readline support in 1.4 In-Reply-To: <20041221213708.GD11678@jabberwocky.com> (David Shaw's message of "Tue, 21 Dec 2004 16:37:08 -0500") References: <20041221171042.GX2824@psilocybe.teonanacatl.org> <20041221172940.GC10888@jabberwocky.com> <20041221192827.GZ2824@psilocybe.teonanacatl.org> <20041221201847.GB11678@jabberwocky.com> <20041221204018.GA2824@psilocybe.teonanacatl.org> <20041221213708.GD11678@jabberwocky.com> Message-ID: <877jnar9f1.fsf@wheatstone.g10code.de> On Tue, 21 Dec 2004 16:37:08 -0500, David Shaw said: > It's not a bad idea to tab-complete the commands. If nothing else, we I looked at how to implement it but at that stage of development I was afraid to break too much and we hoped to get out 1.4 soon. Yes, we should eventually add this to 1.4 Werner From wk at gnupg.org Wed Dec 22 10:48:36 2004 From: wk at gnupg.org (Werner Koch) Date: Wed Dec 22 10:49:45 2004 Subject: t-sign In-Reply-To: <12942293.20041222094746@wanadoo.nl> (Henk de Bruijn's message of "Wed, 22 Dec 2004 09:47:46 +0100") References: <12942293.20041222094746@wanadoo.nl> Message-ID: <87llbqpssr.fsf@wheatstone.g10code.de> On Wed, 22 Dec 2004 09:47:46 +0100, Henk de Bruijn said: > I manage to produce the simular sig (trusted introducer) as in PGP. > Do these signatures behave simular as in PGP, I mean can I get rid of > PGP now? Trust signatures are an OpenPGP feature, so both PGP and GnuPG ought to be compatible. Werner From henkdebruijn at wanadoo.nl Wed Dec 22 11:26:49 2004 From: henkdebruijn at wanadoo.nl (Henk de Bruijn) Date: Wed Dec 22 11:23:18 2004 Subject: t-sign In-Reply-To: <87llbqpssr.fsf@wheatstone.g10code.de> References: <12942293.20041222094746@wanadoo.nl> <87llbqpssr.fsf@wheatstone.g10code.de> Message-ID: <1215125902.20041222112649@wanadoo.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, 22 Dec 2004 10:48:36 +0100GMT (22-12-2004, 10:48 +0100, where I live), Werner Koch wrote: > On Wed, 22 Dec 2004 09:47:46 +0100, Henk de Bruijn said: >> I manage to produce the simular sig (trusted introducer) as in PGP. >> Do these signatures behave simular as in PGP, I mean can I get rid of >> PGP now? > Trust signatures are an OpenPGP feature, so both PGP and GnuPG ought > to be compatible. Great! next trusted signature I will make with GnuPG. Thanks for you quick reply. - -- Henk ______________________________________________________________________ The Bat!? Natural Email System v3.0.2.10nl Professional on Windows XP SP2 PGPkey available at http://www.biglumber.com/x/web?qs=0x12069B93DBE6E678 Gossamer Spider Web of Trust GSWoT https://gswot.dyndns.org/ A Progressive and Innovative Web of Trust -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) - GPGrelay v0.955 iD8DBQFByUvqEgabk9vm5ngRAhERAKD06rAF3PSks/+z5XPtGc3ZVZa9yQCg24Sp fp/3qzg13klhzCI9V8p/ogc= =9Y9v -----END PGP SIGNATURE----- From sebastian at karotte.org Wed Dec 22 14:45:30 2004 From: sebastian at karotte.org (Sebastian Wiesinger) Date: Wed Dec 22 14:42:02 2004 Subject: Display Hash? Message-ID: <20041222134530.GA15684@data.fire-world.de> Hi, is there a way to display the Hash Algo when verifying a message? I want to see which hash it uses. (mutt hides the "Hash: " line). Regards, Sebastian -- GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20) Wehret den Anfaengen: http://odem.org/informationsfreiheit/ Thunder rolled. ... It rolled a six. --Terry Pratchett, Guards! Guards! -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 282 bytes Desc: Digital signature Url : /pipermail/attachments/20041222/0b9e6e06/attachment.bin From dshaw at jabberwocky.com Wed Dec 22 15:02:16 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Dec 22 14:59:10 2004 Subject: Display Hash? In-Reply-To: <20041222134530.GA15684@data.fire-world.de> References: <20041222134530.GA15684@data.fire-world.de> Message-ID: <20041222140215.GA1006@jabberwocky.com> On Wed, Dec 22, 2004 at 02:45:30PM +0100, Sebastian Wiesinger wrote: > Hi, is there a way to display the Hash Algo when verifying a message? > I want to see which hash it uses. (mutt hides the "Hash: " line). Add a --verbose to the gpg command line. David From henk-piet.glas at altium.nl Wed Dec 22 15:33:07 2004 From: henk-piet.glas at altium.nl (Henk-Piet Glas) Date: Wed Dec 22 15:30:56 2004 Subject: host not found: ec=11001 Message-ID: <41C985A3.2090807@altium.nl> Dear All, I'm using the following config file: keyserver hkp://subkeys.pgp.net keyserver-options honor-http-proxy,verbose,auto-key-retrieve And http_proxy is as follows: http://MyUserName:MyPassWord@MyProxy:80/ From the command line I use: gpg --verify gnupg-1.4.0.tar.bz2.sig Which returns: gpg: Signature made 12/16/04 11:50:52 using DSA key ID 57548DCD gpg: requesting key 57548DCD from hkp://subkeys.pgp.net gpg: MyUserName: host not found: ec=11001 gpg: can't get key from keyserver: No such file or directory gpg: Total number processed: 0 gpg: Can't check signature: public key not found It looks as if 'MyUserName' as embedded in the keyserver URL is wrongfully assumed to be the host. I am currently using version 1.2.5 of gpg. Is this a bug or am I overlooking something? Regards, -- Henk-Piet Glas Support Engineer ----------------------------------------------------------- E-mail: support.nl@altium.nl Altium Software BV Voice: +31-33-455 85 84 Saturnus 2 Fax: +31-33-455 55 03 3824 ME Amersfoort WWW: http://www.altium.com The Netherlands --------[Altium - Making Electronics Design Easier]-------- From dshaw at jabberwocky.com Wed Dec 22 15:41:13 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Dec 22 15:38:09 2004 Subject: host not found: ec=11001 In-Reply-To: <41C985A3.2090807@altium.nl> References: <41C985A3.2090807@altium.nl> Message-ID: <20041222144113.GA1012@jabberwocky.com> On Wed, Dec 22, 2004 at 03:33:07PM +0100, Henk-Piet Glas wrote: > Dear All, > > I'm using the following config file: > > keyserver hkp://subkeys.pgp.net > keyserver-options honor-http-proxy,verbose,auto-key-retrieve > > And http_proxy is as follows: > > http://MyUserName:MyPassWord@MyProxy:80/ > > From the command line I use: > > gpg --verify gnupg-1.4.0.tar.bz2.sig > > Which returns: > > gpg: Signature made 12/16/04 11:50:52 using DSA key ID 57548DCD > gpg: requesting key 57548DCD from hkp://subkeys.pgp.net > gpg: MyUserName: host not found: ec=11001 > gpg: can't get key from keyserver: No such file or directory > gpg: Total number processed: 0 > gpg: Can't check signature: public key not found > > It looks as if 'MyUserName' as embedded in the keyserver URL is > wrongfully assumed to be the host. I am currently using version 1.2.5 of > gpg. Is this a bug or am I overlooking something? Authenticated proxy support was just added in 1.4.0. It will not work in 1.2.5. (and yes, I see the amusement of needing to upgrade to get the key to verify the upgrade with... you'll have to get the key another way for this one!) David From dshaw at jabberwocky.com Wed Dec 22 15:49:23 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Dec 22 15:46:20 2004 Subject: t-sign In-Reply-To: <1215125902.20041222112649@wanadoo.nl> References: <12942293.20041222094746@wanadoo.nl> <87llbqpssr.fsf@wheatstone.g10code.de> <1215125902.20041222112649@wanadoo.nl> Message-ID: <20041222144923.GC1012@jabberwocky.com> On Wed, Dec 22, 2004 at 11:26:49AM +0100, Henk de Bruijn wrote: > On Wed, 22 Dec 2004 10:48:36 +0100GMT (22-12-2004, 10:48 +0100, where > I live), Werner Koch wrote: > > > On Wed, 22 Dec 2004 09:47:46 +0100, Henk de Bruijn said: > > >> I manage to produce the simular sig (trusted introducer) as in PGP. > >> Do these signatures behave simular as in PGP, I mean can I get rid of > >> PGP now? > > > Trust signatures are an OpenPGP feature, so both PGP and GnuPG ought > > to be compatible. > > Great! next trusted signature I will make with GnuPG. When I wrote it, I did a lot of black-box testing against PGP 8 (I must have made hundreds of test signatures). So long as you use the "PGP" trust model (remember that if you upgraded to 1.4.0 from 1.2.x, you may still have the "classic" trust model), both programs should behave the same way. To see what trust model your trustdb is using, use: gpg --check-trustdb To update an old trustdb to the PGP trust model, use: gpg --trust-model pgp --check-trustdb After that, gpg will always use the PGP model until you change it again. David From jas at extundo.com Wed Dec 22 16:36:32 2004 From: jas at extundo.com (Simon Josefsson) Date: Wed Dec 22 16:33:07 2004 Subject: Using the "preferred keyserver URL" in GnuPG 1.4 In-Reply-To: <20041222054150.GA15489__33223.120441153$1103694431$gmane$org@jabberwocky.com> (David Shaw's message of "Wed, 22 Dec 2004 00:41:50 -0500") References: <20041220164001.GA30899__10352.9219203212$1103564914$gmane$org@jabberwocky.com> <20041221135214.GO22290__20568.8764028766$1103638152$gmane$org@jabberwocky.com> <20041221160533.GA10888__10161.5904867232$1103645825$gmane$org@jabberwocky.com> <20041221192105.GA11678__49043.8050045215$1103657757$gmane$org@jabberwocky.com> <20041221221704.GE11678__21572.7356299341$1103667630$gmane$org@jabberwocky.com> <20041222054150.GA15489__33223.120441153$1103694431$gmane$org@jabberwocky.com> Message-ID: David Shaw writes: >> I tried my Perl version, and it still worked. Is Perl acceptable, or >> do I have to rewrite it in C? > > I think Perl is probably fine (after all the "mailto" handler is > Perl). The only thing is that we must make sure that all of the Perl > module dependencies are there before using it. We can do that in > autoconf. Yup. >> Get http://josefsson.org/gpgkeys_jkp/gpgkeys_jkp, and install it in >> the keyserver directory, add >> >> keyserver jkp://josefsson.org > > jkp is not the same as the proposed dns:// url. Any reason not to use > 'dns'? I know the RFC hasn't been published yet, but perhaps this can > give you a chance to try the naming scheme out. Yes. I worry that "dns" might not be unique enough, though. I think it might be possible to use DNS storage of keys in other ways than how I would want to do it. Hence jkp, inspired by hkp, to signal the specific non-standard approach used here. I see there are gpgkeys_hkp and gpgkeys_http, what is the difference between them? >> How will you design the protocol for revocation checks only? >> >> When is it appropriate to do the revocation check? It sounds as if >> this should be configurable? Maybe add a parameter: >> >> revocationserver jkp://josefsson.org >> >> or something? >> >> Or would revocation only be done through the "preferred key server" >> field from the owner's key? > > I'm not sure, exactly. I hadn't really thought about having a > different server for revocations. Is it sufficient to have a > revocation context flag passed to the gpgkeys_foo program? For > example, in LDAP, the query string which is usually something like > '(pgpcertid=DB698D7199242560)' could be changed to > '(|(pgpcertid=DB698D7199242560)(pgprevoked=1))'. That should be sufficient. The way I read the 2440 wording for preferred key server, it seems possible to implement it as making the URL empty until you revoke the key, in which case you place the revocation certificate there. I'm not sure this is what people do, though. I suspect everyone just places an URL to their current key in the field. Which would be inefficient to retrieve every time you want to do a revocation check. So there seem to be some motivation to separate these features. I.e., separate "updated key" and "revocation server". What does OPTION include-revoked mean? Perhaps the interface could be OPTION only-revoked or something? Assuming other plugins ignore unknown options, this seem backwards compatible. >> Perhaps revocation checks shouldn't be done too often? Might be some >> work in remembering when the last check was done, though... > > I worry about this sort of thing. It can lead to serious user > confusion since gpg (or more likely gpgkeys) needs to track when the > key was last retrieved, and some users use different servers at > different times so it would have to be stored per-server and then the > user wonders why their key didn't update because it was within the > lockout period, etc, etc... Right. Better not support it initially. I suspect it shouldn't be the default, as well. People who enable it can experiment with how well it works, and if a caching mechanism is required. Data should be cached in your local DNS forwarded, though. (I'm using dnsmasq on my firewall, which, alas, doesn't cache responses received over TCP...) Thanks, Simon From nouak at zeitform.de Wed Dec 22 17:51:38 2004 From: nouak at zeitform.de (Alexander Nouak) Date: Wed Dec 22 17:48:02 2004 Subject: Readline support in 1.4 In-Reply-To: <20041221172940.GC10888@jabberwocky.com> References: <20041221171042.GX2824@psilocybe.teonanacatl.org> <20041221172940.GC10888@jabberwocky.com> Message-ID: Am 21.12.2004 um 18:29 Uhr schrieb David Shaw: > The problem is that on some platforms, readline needs other libraries > as a sub-dependency (usually termcap or curses). It seems that FC2 is > one of those platforms. Mac OS X is another one. > You might try doing: > > LIBS="-ltermcap" ./configure After installing readline (not present on Darwin by default!) and running configure like you suggested will in gnupg with readline support on Darwin. However, if you can wait some more days Mac GPG Project will offer binaries with readline support. Servus Alexander http://macgpg.sf.net -- Alexander Nouak zeitform Internet Dienste OHG mailto:nouak@zeitform.de Fraunhoferstra?e 5 GPG/PGP: http://keys.zeitform.de/an 64283 Darmstadt, Germany Telefon: +49-6151-155 637 Fax: 155 634 http://www.zeitform.de -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 2392 bytes Desc: not available Url : /pipermail/attachments/20041222/07e10572/smime.bin From support at bytesinteractive.com Wed Dec 22 22:42:35 2004 From: support at bytesinteractive.com (David Jourard) Date: Wed Dec 22 21:36:33 2004 Subject: Decrypting HTML Pages as e-mails Message-ID: <4.2.0.58.20041222153322.00ce28f0@69.20.59.174> Hi, I have a couple of clients who have some web forms submitted and sent as encrypted e-mails using gpg. I would like to have the forms when decrypted program formatted as an HTML document. (I'm using pgp to do the decryption on a Win32 machine.) I've tried with both eudora and outlook express but after decryption the e-mails are displayed with all the HTML code rather than resolving the HTML as an HTML page. Has anyone successfully carried this out with Eudora or outlook express using pgp or gpg frontends to decrypt an e-mail so that it resolves into an html page. Perhaps a browser that has an e-mail client might work. Thanks David J. From Freedom_Lover at pobox.com Wed Dec 22 22:02:07 2004 From: Freedom_Lover at pobox.com (Todd) Date: Wed Dec 22 21:59:03 2004 Subject: Readline support in 1.4 In-Reply-To: <20041221213146.GC11678@jabberwocky.com> References: <20041221171042.GX2824@psilocybe.teonanacatl.org> <20041221174251.GA2570@idiom.com> <20041221213146.GC11678@jabberwocky.com> Message-ID: <20041222210207.GD2824@psilocybe.teonanacatl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Shaw wrote: > Do you think you could try the CVS version and let me know if things > work properly for you on FC3? CVS also works on FC2 (after picking up automake 1.9, which isn't included in FC2). - -- Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp ====================================================================== If you can't change your mind, do you wonder if you still have one? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl. iG0EARECAC0FAkHJ4M0mGGh0dHA6Ly93d3cucG9ib3guY29tL350bXovcGdwL3Rt ei5hc2MACgkQuv+09NZUB1qcrQCdGwhbNQ/SvThyCPANhEJN9M6R+1EAn0/EMwUz T+ul4tReAcc1fpeJIBKv =KQdv -----END PGP SIGNATURE----- From help at nantucket.net Wed Dec 22 22:14:53 2004 From: help at nantucket.net (help@nantucket.net) Date: Wed Dec 22 22:10:02 2004 Subject: Install Message-ID: Hello all: Trying to get gnupg running on my Cobalt RaQ4. I get the following during make: make[2]: *** [ttyio.o] Error 1 make[2]: Leaving directory `/home/packages/gnupg-1.4.0/util' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/home/packages/gnupg-1.4.0' make: *** [all] Error 2 Make check yields much the same: make[1]: *** [ttyio.o] Error 1 make[1]: Leaving directory `/home/packages/gnupg-1.4.0/util' make: *** [check-recursive] Error 1 Needless to say, the make install errors and nothing really installs: make[1]: *** [ttyio.o] Error 1 make[1]: Leaving directory `/home/packages/gnupg-1.4.0/util' make: *** [install-recursive] Error 1 Ive ran make clean and hope that you can help me out! From dshaw at jabberwocky.com Wed Dec 22 22:18:25 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Dec 22 22:15:19 2004 Subject: Install In-Reply-To: References: Message-ID: <20041222211824.GB13662@jabberwocky.com> On Wed, Dec 22, 2004 at 04:14:53PM -0500, help@nantucket.net wrote: > Hello all: > > Trying to get gnupg running on my Cobalt RaQ4. I get the following during > make: > > make[2]: *** [ttyio.o] Error 1 > make[2]: Leaving directory `/home/packages/gnupg-1.4.0/util' > make[1]: *** [all-recursive] Error 1 > make[1]: Leaving directory `/home/packages/gnupg-1.4.0' > make: *** [all] Error 2 Can you post a few more lines before "Error 1"? You snipped out what the actual problem was :) David From help at nantucket.net Wed Dec 22 22:29:32 2004 From: help at nantucket.net (help@nantucket.net) Date: Wed Dec 22 22:24:43 2004 Subject: Install (updated) Message-ID: Hello all: Trying to get gnupg running on my Cobalt RaQ4. I get the following during make: ttyio.c: In function `init_ttyfp': ttyio.c:166: `rl_catch_signals' undeclared (first use in this function) ttyio.c:166: (Each undeclared identifier is reported only once ttyio.c:166: for each function it appears in.) make[2]: *** [ttyio.o] Error 1 make[2]: Leaving directory `/home/packages/gnupg-1.4.0/util' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/home/packages/gnupg-1.4.0' make: *** [all] Error 2 Make check yields much the same: ttyio.c: In function `init_ttyfp': ttyio.c:166: `rl_catch_signals' undeclared (first use in this function) ttyio.c:166: (Each undeclared identifier is reported only once ttyio.c:166: for each function it appears in.) make[1]: *** [ttyio.o] Error 1 make[1]: Leaving directory `/home/packages/gnupg-1.4.0/util' make: *** [check-recursive] Error 1 Needless to say, the make install errors and nothing really installs: ttyio.c: In function `init_ttyfp': ttyio.c:166: `rl_catch_signals' undeclared (first use in this function) ttyio.c:166: (Each undeclared identifier is reported only once ttyio.c:166: for each function it appears in.) make[1]: *** [ttyio.o] Error 1 make[1]: Leaving directory `/home/packages/gnupg-1.4.0/util' make: *** [install-recursive] Error 1 Ive ran make clean and hope that you can help me out! From ben.branders at skynet.be Tue Dec 21 17:12:16 2004 From: ben.branders at skynet.be (Ben Branders) Date: Wed Dec 22 22:27:25 2004 Subject: Large signature Message-ID: <41C84B60.80308@skynet.be> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Can someone please explain me why my OpenPGP-signature is so big? It used to be about 3 lines, now it has doubled! A couple of days ago I added a UID to this key. Has that anything to do with it or is it just a wrong setting? For the record: the signature verifies OK (here at least). Regards - -- Ben Branders http://bytewarrior.madoka.be .---. E-mail privacy is a right, not a privilege. / |\________________ Please sign and/or encrypt your mail. | () | ________ _ _) \ |/ | | | | Gnu Privacy Guard: http://gnupg.org `---' "-" |_| Enigmail: http://enigmail.mozdev.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (MingW32) iQEVAwUBQchLXgFKg/m5iD7uAQI8TAgAtQK7dzWrZSZpzmvwbLX3vffsoe6Sgkud 5BO0hCN1bsTrER/Y2GSwqFIpyM4i6jnUFWD2UIdLqOTVCBIwni0x6myDTEBGclE0 LynSd7DqzNElPyhCkwU/6Xq/ezXcH74Isszq/ZJ2K5fVbJ4MBxNgXOJyYDkVd52i 8+uQtIB9K9v2ckyTpaomEYrIxce+N+SQrUAkhvo/e3yf0RtZj4WHv9Sz/QhvgD1B HtYKIhWKoRWFILlFYUVRGR/fz9Z3idUskLS1iiNZkJYXAjOzUPTtYqLwTD53TTyU B7nVOMjF61x25yaqcGVWyGNkOpYlr1iOymjzCG5nt2N2MwaivWO9Og== =rHtS -----END PGP SIGNATURE----- From ben at benfinney.id.au Tue Dec 21 23:18:34 2004 From: ben at benfinney.id.au (Ben Finney) Date: Wed Dec 22 22:27:43 2004 Subject: [WOT] Re: Unsolicited re-subscription In-Reply-To: <20041220230955.GB14867@anl.gov> References: <873by1xhih.fsf@wheatstone.g10code.de> <00c701c4e69c$b644def0$2027a8c0@PAVELECA> <20041220214656.GA14697@benfinney.id.au> <41C755B5.6080403@RigidSoftware.com> <41C758F8.8010600@wotif.com> <20041220230955.GB14867@anl.gov> Message-ID: <20041221221834.GA5260@benfinney.id.au> On 20-Dec-2004, Stewart V. Wright wrote: > Please, please, please can we stop with the "Me too"'s. > > I don't want to appear rude, but you're all grown-ups, solve your own > problems and unsubscribe yourself. It is _known_ that there was a > screw up. You know that this list and its members aren't deliberately > annoying you. Let it go. The admins have solved the problems much better than that; the subscriber list has been restored from the erroneous setting it had. I'm glad it was this easy to solve the problem. -- \ "He that would make his own liberty secure must guard even his | `\ enemy from oppression." -- Thomas Paine | _o__) | Ben Finney From ben at benfinney.id.au Tue Dec 21 23:18:34 2004 From: ben at benfinney.id.au (Ben Finney) Date: Wed Dec 22 22:27:51 2004 Subject: [WOT] Re: Unsolicited re-subscription In-Reply-To: <20041220230955.GB14867@anl.gov> References: <873by1xhih.fsf@wheatstone.g10code.de> <00c701c4e69c$b644def0$2027a8c0@PAVELECA> <20041220214656.GA14697@benfinney.id.au> <41C755B5.6080403@RigidSoftware.com> <41C758F8.8010600@wotif.com> <20041220230955.GB14867@anl.gov> Message-ID: <20041221221834.GA5260@benfinney.id.au> On 20-Dec-2004, Stewart V. Wright wrote: > Please, please, please can we stop with the "Me too"'s. > > I don't want to appear rude, but you're all grown-ups, solve your own > problems and unsubscribe yourself. It is _known_ that there was a > screw up. You know that this list and its members aren't deliberately > annoying you. Let it go. The admins have solved the problems much better than that; the subscriber list has been restored from the erroneous setting it had. I'm glad it was this easy to solve the problem. -- \ "He that would make his own liberty secure must guard even his | `\ enemy from oppression." -- Thomas Paine | _o__) | Ben Finney -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: Digital signature Url : /pipermail/attachments/20041222/7ffb74ca/attachment-0001.bin From npellegr at numericable.fr Wed Dec 22 14:34:42 2004 From: npellegr at numericable.fr (npellegr@numericable.fr) Date: Wed Dec 22 22:28:00 2004 Subject: Choosing the Hash and cyphering algorithm Message-ID: <1103722482.41c977f2a2817@webmail.numericable.fr> Thank's for all Atom ! It works. Almost ... actually I still can't force gpg to use the secret RSA key to cypher. gpg -aer [long_or_short_key_id]! [file] => it uses the public key anyway whithout asking for a special subkey. Actually with gpg i can't see the difference between the private key and the public key whereas i know there is a big one ;). The two keys fingerprints of the pair must be different but i can't see it and moreover it looks like pub=sec. By using : gpg --list-keys gpg --list-secret-keys the only difference is the "pub" and "sec" field whereas it should'nt. Finally i tried : gpg -aer [long_or_short_key_id]!sec[file] => error gpg -aer [long_or_short_key_id] [file] => normal using gpg -aer [long_or_short_key_id]![file] => idem Is it possible to separate the secret key from the public one? Nicolas Pellegrin From dshaw at jabberwocky.com Wed Dec 22 22:43:27 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Dec 22 22:40:56 2004 Subject: Install (updated) In-Reply-To: References: Message-ID: <20041222214327.GD13662@jabberwocky.com> On Wed, Dec 22, 2004 at 04:29:32PM -0500, help@nantucket.net wrote: > Hello all: > > Trying to get gnupg running on my Cobalt RaQ4. I get the following during > make: > > ttyio.c: In function `init_ttyfp': > ttyio.c:166: `rl_catch_signals' undeclared (first use in this function) > ttyio.c:166: (Each undeclared identifier is reported only once > ttyio.c:166: for each function it appears in.) > make[2]: *** [ttyio.o] Error 1 > make[2]: Leaving directory `/home/packages/gnupg-1.4.0/util' > make[1]: *** [all-recursive] Error 1 > make[1]: Leaving directory `/home/packages/gnupg-1.4.0' > make: *** [all] Error 2 I believe this is the same problem several people have had with readline. What happens if you build with: LIBS="-ltermcap" ./configure David From wk at gnupg.org Wed Dec 22 22:45:27 2004 From: wk at gnupg.org (Werner Koch) Date: Wed Dec 22 22:49:46 2004 Subject: Install (updated) In-Reply-To: (help@nantucket.net's message of "Wed, 22 Dec 2004 16:29:32 -0500") References: Message-ID: <87zn06m2h4.fsf@wheatstone.g10code.de> On Wed, 22 Dec 2004 16:29:32 -0500, help@nantucket net said: > ttyio.c: In function `init_ttyfp': > ttyio.c:166: `rl_catch_signals' undeclared (first use in this function) This is a readline problem. We have already fixed this in CVS. See the ML archive for other notes. Werner From wk at gnupg.org Wed Dec 22 22:52:14 2004 From: wk at gnupg.org (Werner Koch) Date: Wed Dec 22 22:54:46 2004 Subject: Choosing the Hash and cyphering algorithm In-Reply-To: <1103722482.41c977f2a2817@webmail.numericable.fr> (npellegr@numericable.fr's message of "Wed, 22 Dec 2004 14:34:42 +0100") References: <1103722482.41c977f2a2817@webmail.numericable.fr> Message-ID: <87vfaum25t.fsf@wheatstone.g10code.de> On Wed, 22 Dec 2004 14:34:42 +0100, npellegr said: > Almost ... actually I still can't force gpg to use the secret RSA key to > cypher. The whole point with public key cryptography is that you use the *public* for *en*cryption buit the *private* (aka secret) key for *de*cryption. > gpg -aer [long_or_short_key_id]! [file] => it uses the public key anyway > whithout asking for a special subkey. I guess you want to force gpg to use one of the subkeys for encryption: as stated somewhere in tghe man page, you need to suffic the keyID with a bang; e.g.: gpg -aer 0x12345678! foo.txt Encrypts to the subkey with thye keyid 0x12345678. Depending on your shell you might need to escape the bang. In general using a specific sub key is not very useful; gpg uses the best fitting subkey automagically. Werner From johnmoore3rd at joimail.com Thu Dec 23 00:18:41 2004 From: johnmoore3rd at joimail.com (John W. Moore III) Date: Thu Dec 23 00:15:24 2004 Subject: Large signature In-Reply-To: <41C84B60.80308@skynet.be> References: <41C84B60.80308@skynet.be> Message-ID: <41CA00D1.3060501@joimail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Ben Branders wrote: | Hi | | | | Can someone please explain me why my OpenPGP-signature is so big? It used | to be about 3 lines, now it has doubled! | | A couple of days ago I added a UID to this key. Has that anything to do | with it or is it just a wrong setting? | | | For the record: the signature verifies OK (here at least). | Verifies good here also; was the additional UserID a jpeg likeness? JOHN :) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) Comment: Public Key at: http://tinyurl.com/5ztc6 Comment: Gossamer Spider Web of Trust: http://gswot.dyndns.org Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFBygDNnCmZhrerneURAhxPAJ4tLv4kJRfEeZhn8Iw349Jt1R1G0ACgu57W LeVKzqbiUWG8uM1VqUchxkg= =RGgR -----END PGP SIGNATURE----- From henkdebruijn at wanadoo.nl Thu Dec 23 00:45:32 2004 From: henkdebruijn at wanadoo.nl (Henk de Bruijn) Date: Thu Dec 23 00:41:59 2004 Subject: t-sign In-Reply-To: <20041222144923.GC1012@jabberwocky.com> References: <12942293.20041222094746@wanadoo.nl> <87llbqpssr.fsf@wheatstone.g10code.de> <1215125902.20041222112649@wanadoo.nl> <20041222144923.GC1012@jabberwocky.com> Message-ID: <64396324.20041223004532@wanadoo.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, 22 Dec 2004 09:49:23 -0500GMT (22-12-2004, 15:49 +0100, where I live), David Shaw wrote: > On Wed, Dec 22, 2004 at 11:26:49AM +0100, Henk de Bruijn wrote: >> Great! next trusted signature I will make with GnuPG. > To see what trust model your trustdb is using, use: > gpg --check-trustdb > To update an old trustdb to the PGP trust model, use: > gpg --trust-model pgp --check-trustdb > After that, gpg will always use the PGP model until you change it > again. Thanks, it says now PGP trust model ;-) - -- Henk ______________________________________________________________________ The Bat!? Natural Email System v3.0.1.33nl Professional on Windows XP SP2 PGPkey available at http://www.biglumber.com/x/web?qs=0x12069B93DBE6E678 Gossamer Spider Web of Trust GSWoT http://gswot.dyndns.org/ A Progressive and Innovative Web of Trust -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) - GPGrelay v0.955 iD8DBQFBygclEgabk9vm5ngRAiN7AJ9g6yc8f1BiPcRG8zvbruzxSp1bmwCguhTl 6tyxt+xd25G05o1HD3p6sJY= =CM4/ -----END PGP SIGNATURE----- From JPClizbe at comcast.net Thu Dec 23 01:13:31 2004 From: JPClizbe at comcast.net (John Clizbe) Date: Thu Dec 23 01:10:25 2004 Subject: Large signature In-Reply-To: <41C84B60.80308@skynet.be> References: <41C84B60.80308@skynet.be> Message-ID: <41CA0DAB.8040407@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Ben Branders wrote: > Hi > > > > Can someone please explain me why my OpenPGP-signature is so big? It used > to be about 3 lines, now it has doubled! Ben, The signing keyid isn't the 1024 DSA key, 46938FDB, but a 2048 bit RSA signing sub-key, 0xB9883EEE. Bigger signing key ==> Bigger signature block in email. - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0a (Windows 2000 SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFByg2rHQSsSmCNKhARAh6vAJ0YC9JTGnr34l/xTiMaLQdzu3gbmACgk/fM TQKaqPtI3yIm5Og4CBE0Xoo= =NEKb -----END PGP SIGNATURE----- From linux at thorstenhau.de Thu Dec 23 01:18:08 2004 From: linux at thorstenhau.de (Thorsten Haude) Date: Thu Dec 23 01:14:41 2004 Subject: Decrypting HTML Pages as e-mails In-Reply-To: <4.2.0.58.20041222153322.00ce28f0@69.20.59.174> References: <4.2.0.58.20041222153322.00ce28f0@69.20.59.174> Message-ID: <20041223001808.GA1867@eumel.yoo.local> Hi, * David Jourard wrote (2004-12-22 22:42): >I have a couple of clients who have some web forms submitted and sent as >encrypted e-mails using gpg. > >I would like to have the forms when decrypted program formatted as an HTML >document. (I'm using pgp to do the decryption on a Win32 machine.) I haven't tried, but from your description it sounds as if Mutt should be able to work. Thorsten -- I fear that Digital Rights Management today is Political Rights Management tomorrow. That embedding these kinds of technological controls into the very architecture of computing has the capacity to become a form of political control in the not so distant future. - John Perry Barlow -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20041223/ebbd899c/attachment.bin From atlan_d at web.de Thu Dec 23 01:29:35 2004 From: atlan_d at web.de (david atlan (PHENO)) Date: Thu Dec 23 01:26:30 2004 Subject: gpg: conversion from `utf-8' to `CP437' not available (WinXP) Message-ID: Hi, I am new to Gnupg, I have downloaded gnupg-w32cli-1.4.0a.zip and verified the checksum. I have created a directory as indicated in the manual and copied the gpg.exe file and launched it from the dos command line: C:\gnupg>gpg gpg: conversion from `utf-8' to `CP437' not available did I miss something somewhere??? Merry christmas and happy new year, David From wk at gnupg.org Thu Dec 23 08:00:51 2004 From: wk at gnupg.org (Werner Koch) Date: Thu Dec 23 08:04:46 2004 Subject: gpg: conversion from `utf-8' to `CP437' not available (WinXP) In-Reply-To: (david atlan's message of "Thu, 23 Dec 2004 01:29:35 +0100") References: Message-ID: <87r7lhmrbw.fsf@wheatstone.g10code.de> On Thu, 23 Dec 2004 01:29:35 +0100, david atlan (PHENO) said: > C:\gnupg>gpg > gpg: conversion from `utf-8' to `CP437' not available Did you install iconv.dll (ftp.gnupg.org/gcrypt/binary/libiconv-1.9.1.dll.zip)? Werner From henk-piet.glas at altium.nl Thu Dec 23 11:06:27 2004 From: henk-piet.glas at altium.nl (Henk-Piet Glas) Date: Thu Dec 23 11:04:22 2004 Subject: host not found: ec=11001 In-Reply-To: <20041222144113.GA1012@jabberwocky.com> References: <41C985A3.2090807@altium.nl> <20041222144113.GA1012@jabberwocky.com> Message-ID: <41CA98A3.3050604@altium.nl> David Shaw wrote: > (...) I see the amusement (...) Wondered if anyone would notice. Got Werner's key and installed 1.4.0 and made sure to retry but now have the following output: gpg: Signature (...) Time using DSA key ID 57548DCD gpg: requesting key 57548DCD from (...) subkeys.pgp.net ?: subkeys.pgp.net: Host not found: ec=11001 gpgkeys: HKP fetch error: No error gpg: no valid OpenPGP data found. gpg: Total number processed: 0 gpg: Can't check signature: public key not found The one that puzzles me is: ?: subkeys.pgp.net: Host not found: ec=11001 I repeat, http_proxy has been set to: http://MyUserName:MyPassWord@MyProxy:80/ Any thoughts? Things I can do to futher trace this? Regards, -- Henk-Piet Glas Support Engineer ----------------------------------------------------------- E-mail: support.nl@altium.nl Altium Software BV Voice: +31-33-455 85 84 Saturnus 2 Fax: +31-33-455 55 03 3824 ME Amersfoort WWW: http://www.altium.com The Netherlands --------[Altium - Making Electronics Design Easier]-------- From npellegr at numericable.fr Thu Dec 23 09:46:52 2004 From: npellegr at numericable.fr (npellegr@numericable.fr) Date: Thu Dec 23 11:31:22 2004 Subject: Choosing the Hash and cyphering algorithm In-Reply-To: <87vfaum25t.fsf@wheatstone.g10code.de> References: <1103722482.41c977f2a2817@webmail.numericable.fr> <87vfaum25t.fsf@wheatstone.g10code.de> Message-ID: <1103791612.41ca85fc3c175@webmail.numericable.fr> Well about he whole point and especially RSA I should be able to cypher with my private key since the exponents are inverses : q = e^-1 mod (p-1)(q-1) with q the private exponent and e the public one. Actually when you sign something it's c = RSA(priv,H(m)) with H the Hash function. So I know it's possible. I only want to "c = m^q mod n" Nicolas Pellegrin Selon Werner Koch : > On Wed, 22 Dec 2004 14:34:42 +0100, npellegr said: > > > Almost ... actually I still can't force gpg to use the secret RSA key to > > cypher. > > The whole point with public key cryptography is that you use the > *public* for *en*cryption buit the *private* (aka secret) key for > *de*cryption. > > > gpg -aer [long_or_short_key_id]! [file] => it uses the public key anyway > > whithout asking for a special subkey. > > I guess you want to force gpg to use one of the subkeys for > encryption: as stated somewhere in tghe man page, you need to suffic > the keyID with a bang; e.g.: > > gpg -aer 0x12345678! foo.txt > > Encrypts to the subkey with thye keyid 0x12345678. Depending on your > shell you might need to escape the bang. In general using a specific > sub key is not very useful; gpg uses the best fitting subkey > automagically. > > Werner > > > From help at nantucket.net Thu Dec 23 14:33:36 2004 From: help at nantucket.net (help@nantucket.net) Date: Thu Dec 23 14:28:43 2004 Subject: Install (updated) In-Reply-To: <20041222214327.GD13662@jabberwocky.com> Message-ID: The configure is fine, but the make still yields: ttyio.c: In function `init_ttyfp': ttyio.c:166: `rl_catch_signals' undeclared (first use in this function) ttyio.c:166: (Each undeclared identifier is reported only once ttyio.c:166: for each function it appears in.) make[2]: *** [ttyio.o] Error 1 make[2]: Leaving directory `/home/packages/gnupg-1.4.0/util' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/home/packages/gnupg-1.4.0' make: *** [all] Error 2 > From: David Shaw > Date: Wed, 22 Dec 2004 16:43:27 -0500 > To: gnupg-users@gnupg.org > Subject: Re: Install (updated) > > On Wed, Dec 22, 2004 at 04:29:32PM -0500, help@nantucket.net wrote: >> Hello all: >> >> Trying to get gnupg running on my Cobalt RaQ4. I get the following during >> make: >> >> ttyio.c: In function `init_ttyfp': >> ttyio.c:166: `rl_catch_signals' undeclared (first use in this function) >> ttyio.c:166: (Each undeclared identifier is reported only once >> ttyio.c:166: for each function it appears in.) >> make[2]: *** [ttyio.o] Error 1 >> make[2]: Leaving directory `/home/packages/gnupg-1.4.0/util' >> make[1]: *** [all-recursive] Error 1 >> make[1]: Leaving directory `/home/packages/gnupg-1.4.0' >> make: *** [all] Error 2 > > I believe this is the same problem several people have had with > readline. > > What happens if you build with: > > LIBS="-ltermcap" ./configure > > David > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From dshaw at jabberwocky.com Thu Dec 23 14:35:01 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Dec 23 14:32:01 2004 Subject: Install (updated) In-Reply-To: References: <20041222214327.GD13662@jabberwocky.com> Message-ID: <20041223133501.GA24174@jabberwocky.com> On Thu, Dec 23, 2004 at 08:33:36AM -0500, help@nantucket.net wrote: > The configure is fine, but the make still yields: > > ttyio.c: In function `init_ttyfp': > ttyio.c:166: `rl_catch_signals' undeclared (first use in this function) > ttyio.c:166: (Each undeclared identifier is reported only once > ttyio.c:166: for each function it appears in.) > make[2]: *** [ttyio.o] Error 1 > make[2]: Leaving directory `/home/packages/gnupg-1.4.0/util' > make[1]: *** [all-recursive] Error 1 > make[1]: Leaving directory `/home/packages/gnupg-1.4.0' > make: *** [all] Error 2 Very interesting. Hmm. Can you tell me what version of readline you have installed? Cobalt RaQ4 uses RPMs if I recall, so do "rpm -qa | grep readline" David From help at nantucket.net Thu Dec 23 14:45:38 2004 From: help at nantucket.net (help@nantucket.net) Date: Thu Dec 23 14:40:42 2004 Subject: Install (updated) In-Reply-To: <20041223133501.GA24174@jabberwocky.com> Message-ID: readline-2.2.1-6 readline-devel-2.2.1-6 Thanks! > From: David Shaw > Date: Thu, 23 Dec 2004 08:35:01 -0500 > To: "help@nantucket.net" > Cc: gnupg-users@gnupg.org > Subject: Re: Install (updated) > > rpm -qa | grep readline From dshaw at jabberwocky.com Thu Dec 23 14:51:41 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Dec 23 14:48:32 2004 Subject: Install (updated) In-Reply-To: References: <20041223133501.GA24174@jabberwocky.com> Message-ID: <20041223135141.GB24174@jabberwocky.com> On Thu, Dec 23, 2004 at 08:45:38AM -0500, help@nantucket.net wrote: > > From: David Shaw > > Date: Thu, 23 Dec 2004 08:35:01 -0500 > > To: "help@nantucket.net" > > Cc: gnupg-users@gnupg.org > > Subject: Re: Install (updated) > > > > rpm -qa | grep readline > readline-2.2.1-6 > readline-devel-2.2.1-6 Wow. No wonder it isn't building. Okay, you can build GnuPG like this: ./configure --without-readline David From help at nantucket.net Thu Dec 23 14:56:13 2004 From: help at nantucket.net (help@nantucket.net) Date: Thu Dec 23 14:51:32 2004 Subject: Install (updated) In-Reply-To: <20041223135141.GB24174@jabberwocky.com> Message-ID: Really old version I take it? The RaQ is about 4 years old now id say. > From: David Shaw > Date: Thu, 23 Dec 2004 08:51:41 -0500 > To: "help@nantucket.net" > Cc: gnupg-users@gnupg.org > Subject: Re: Install (updated) > > On Thu, Dec 23, 2004 at 08:45:38AM -0500, help@nantucket.net wrote: >>> From: David Shaw >>> Date: Thu, 23 Dec 2004 08:35:01 -0500 >>> To: "help@nantucket.net" >>> Cc: gnupg-users@gnupg.org >>> Subject: Re: Install (updated) >>> >>> rpm -qa | grep readline > >> readline-2.2.1-6 >> readline-devel-2.2.1-6 > > Wow. No wonder it isn't building. Okay, you can build GnuPG like > this: > > ./configure --without-readline > > David > From dshaw at jabberwocky.com Thu Dec 23 15:11:14 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Dec 23 15:08:07 2004 Subject: Install (updated) In-Reply-To: References: <20041223135141.GB24174@jabberwocky.com> Message-ID: <20041223141114.GF15426@jabberwocky.com> > >>> rpm -qa | grep readline > > > >> readline-2.2.1-6 > >> readline-devel-2.2.1-6 > > > > Wow. No wonder it isn't building. Okay, you can build GnuPG like > > this: > > > > ./configure --without-readline > Really old version I take it? > > The RaQ is about 4 years old now id say. That readline dates from around 1998. No big deal, but I need to update the readline test for 1.4.1 to automatically detect the problem you saw and leave readline support out. You don't actually need readline to build GnuPG - it's just a convenience. David From help at nantucket.net Thu Dec 23 15:21:44 2004 From: help at nantucket.net (help@nantucket.net) Date: Thu Dec 23 15:16:54 2004 Subject: Install (updated) In-Reply-To: <20041223141114.GF15426@jabberwocky.com> Message-ID: So I see, as it installed fine now. Thank you for your prompt help! > From: David Shaw > Date: Thu, 23 Dec 2004 09:11:14 -0500 > To: "help@nantucket.net" > Cc: gnupg-users@gnupg.org > Subject: Re: Install (updated) > >>>>> rpm -qa | grep readline >>> >>>> readline-2.2.1-6 >>>> readline-devel-2.2.1-6 >>> >>> Wow. No wonder it isn't building. Okay, you can build GnuPG like >>> this: >>> >>> ./configure --without-readline > >> Really old version I take it? >> >> The RaQ is about 4 years old now id say. > > That readline dates from around 1998. No big deal, but I need to > update the readline test for 1.4.1 to automatically detect the problem > you saw and leave readline support out. You don't actually need > readline to build GnuPG - it's just a convenience. > > David > From dshaw at jabberwocky.com Thu Dec 23 15:55:19 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Dec 23 15:52:10 2004 Subject: host not found: ec=11001 In-Reply-To: <41CA98A3.3050604@altium.nl> References: <41C985A3.2090807@altium.nl> <20041222144113.GA1012@jabberwocky.com> <41CA98A3.3050604@altium.nl> Message-ID: <20041223145519.GI15426@jabberwocky.com> On Thu, Dec 23, 2004 at 11:06:27AM +0100, Henk-Piet Glas wrote: > David Shaw wrote: > > >(...) I see the amusement (...) > > Wondered if anyone would notice. Got Werner's key and > installed 1.4.0 and made sure to retry but now have the > following output: > > gpg: Signature (...) Time using DSA key ID 57548DCD > gpg: requesting key 57548DCD from (...) subkeys.pgp.net > ?: subkeys.pgp.net: Host not found: ec=11001 > gpgkeys: HKP fetch error: No error > gpg: no valid OpenPGP data found. > gpg: Total number processed: 0 > gpg: Can't check signature: public key not found > > The one that puzzles me is: > > ?: subkeys.pgp.net: Host not found: ec=11001 > > I repeat, http_proxy has been set to: > > http://MyUserName:MyPassWord@MyProxy:80/ > > Any thoughts? Things I can do to futher trace this? What happens if you stick in your gpg.conf file: keyserver-options http-proxy David From henk-piet.glas at altium.nl Thu Dec 23 16:36:16 2004 From: henk-piet.glas at altium.nl (Henk-Piet Glas) Date: Thu Dec 23 16:34:12 2004 Subject: host not found: ec=11001 In-Reply-To: <20041223145519.GI15426@jabberwocky.com> References: <41C985A3.2090807@altium.nl> <20041222144113.GA1012@jabberwocky.com> <41CA98A3.3050604@altium.nl> <20041223145519.GI15426@jabberwocky.com> Message-ID: <41CAE5F0.8090103@altium.nl> David Shaw wrote: > What happens if you stick in your gpg.conf file: > > keyserver-options http-proxy > That first didn't appear to work. I was using the same http_proxy as before (one that includes user name and password). However when I used HTTP_PROXY with the same contents it works. I used lowercase since gpg.man lists it as lowercase. Thanks for your help. Regards, -- Henk-Piet Glas Support Engineer ----------------------------------------------------------- E-mail: support.nl@altium.nl Altium Software BV Voice: +31-33-455 85 84 Saturnus 2 Fax: +31-33-455 55 03 3824 ME Amersfoort WWW: http://www.altium.com The Netherlands --------[Altium - Making Electronics Design Easier]-------- From dshaw at jabberwocky.com Thu Dec 23 17:03:34 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Dec 23 17:00:30 2004 Subject: host not found: ec=11001 In-Reply-To: <41CAE5F0.8090103@altium.nl> References: <41C985A3.2090807@altium.nl> <20041222144113.GA1012@jabberwocky.com> <41CA98A3.3050604@altium.nl> <20041223145519.GI15426@jabberwocky.com> <41CAE5F0.8090103@altium.nl> Message-ID: <20041223160334.GB8257@jabberwocky.com> On Thu, Dec 23, 2004 at 04:36:16PM +0100, Henk-Piet Glas wrote: > David Shaw wrote: > > >What happens if you stick in your gpg.conf file: > > > > keyserver-options http-proxy > > > > That first didn't appear to work. I was using the same > http_proxy as before (one that includes user name and > password). However when I used HTTP_PROXY with the same > contents it works. I used lowercase since gpg.man lists it > as lowercase. Thanks for your help. Oops - this is a bug. It should be lowercase. I will fix it for the next release. Note, by the way, that you can do: keyserver-options http-proxy="http://foo:bar@my.proxy" and avoid the whole environment variable thing if you want. David From dshaw at jabberwocky.com Thu Dec 23 17:06:20 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Dec 23 17:03:22 2004 Subject: host not found: ec=11001 In-Reply-To: <41CAE5F0.8090103@altium.nl> References: <41C985A3.2090807@altium.nl> <20041222144113.GA1012@jabberwocky.com> <41CA98A3.3050604@altium.nl> <20041223145519.GI15426@jabberwocky.com> <41CAE5F0.8090103@altium.nl> Message-ID: <20041223160620.GA8547@jabberwocky.com> On Thu, Dec 23, 2004 at 04:36:16PM +0100, Henk-Piet Glas wrote: > David Shaw wrote: > > >What happens if you stick in your gpg.conf file: > > > > keyserver-options http-proxy > > > > That first didn't appear to work. I was using the same > http_proxy as before (one that includes user name and > password). However when I used HTTP_PROXY with the same > contents it works. I used lowercase since gpg.man lists it > as lowercase. Thanks for your help. Wait a moment. I thought there was a bug, but the code looks correct. Did it work for you with "HTTP_PROXY" or "http_proxy" ? "http_proxy" (lowercase) is the correct one. David From wk at gnupg.org Thu Dec 23 17:48:07 2004 From: wk at gnupg.org (Werner Koch) Date: Thu Dec 23 17:49:47 2004 Subject: host not found: ec=11001 In-Reply-To: <20041223160620.GA8547@jabberwocky.com> (David Shaw's message of "Thu, 23 Dec 2004 11:06:20 -0500") References: <41C985A3.2090807@altium.nl> <20041222144113.GA1012@jabberwocky.com> <41CA98A3.3050604@altium.nl> <20041223145519.GI15426@jabberwocky.com> <41CAE5F0.8090103@altium.nl> <20041223160620.GA8547@jabberwocky.com> Message-ID: <87brclj708.fsf@wheatstone.g10code.de> On Thu, 23 Dec 2004 11:06:20 -0500, David Shaw said: > "http_proxy" (lowercase) is the correct one. Under Windows when you do a set http_proxy=foo cmd.exe will convert it to HTTP_PROXY=foo :-(. Not sure whether this is specified but I made this experience. Werner From ben.branders at skynet.be Thu Dec 23 17:50:27 2004 From: ben.branders at skynet.be (Ben Branders) Date: Thu Dec 23 17:56:48 2004 Subject: KSP question: merge signatures? Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi We are planning to organise a keysigning party for Flanders (part of Belgium) and the Netherlands, but we have a question. Suppose person A signs your key at the same moment as person B. They send the signed key back to you. Now you end up with 2 signed keys. Does GnuPG automatically merge the signatures in the key? I.e. does GnuPG copy the signature from A and the signature from B to your key or only from A (or only from B)? Regards, - -- Ben Branders http://bytewarrior.madoka.be .---. E-mail privacy is a right, not a privilege. / |\________________ Please sign and/or encrypt your mail. | () | ________ _ _) \ |/ | | | | Gnu Privacy Guard: http://gnupg.org `---' "-" |_| Enigmail: http://enigmail.mozdev.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (MingW32) iD8DBQFByvdPqLIDOkaTj9sRAlPpAKD5fy37NHm/EaYiGl6gkQheGfD51wCff3HZ KX8sE9jn9eM+QFj2d5Ts2pA= =jXmX -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Thu Dec 23 18:08:26 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Dec 23 18:05:22 2004 Subject: KSP question: merge signatures? In-Reply-To: References: Message-ID: <20041223170826.GA8620@jabberwocky.com> On Thu, Dec 23, 2004 at 05:50:27PM +0100, Ben Branders wrote: > We are planning to organise a keysigning party for Flanders (part of > Belgium) and the Netherlands, but we have a question. > > Suppose person A signs your key at the same moment as person B. They send > the signed key back to you. Now you end up with 2 signed keys. > > Does GnuPG automatically merge the signatures in the key? I.e. does GnuPG > copy the signature from A and the signature from B to your key or only > from A (or only from B)? Automatically merges. Just import both keys and you're all set. David From ben.branders at skynet.be Thu Dec 23 18:17:40 2004 From: ben.branders at skynet.be (Ben Branders) Date: Thu Dec 23 18:13:49 2004 Subject: KSP question: merge signatures? In-Reply-To: <20041223170826.GA8620__45517.4234034077$1103822008$gmane$org@jabberwocky.com> References: <20041223170826.GA8620__45517.4234034077$1103822008$gmane$org@jabberwocky.com> Message-ID: <41CAFDB4.5090909@skynet.be> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Shaw - 23/12/04 18:08: > Automatically merges. Just import both keys and you're all set. OK, nothing to worry about then. :-) Thank you! - -- Ben Branders http://bytewarrior.madoka.be .---. E-mail privacy is a right, not a privilege. / |\________________ Please sign and/or encrypt your mail. | () | ________ _ _) \ |/ | | | | Gnu Privacy Guard: http://gnupg.org `---' "-" |_| Enigmail: http://enigmail.mozdev.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) iD8DBQFByv2xqLIDOkaTj9sRApZEAJ421K//LrzHbNd9rFg/zoCKNYA0FQCfQBr9 3tN9KQUxWeROthqgB4XkXfM= =OGLl -----END PGP SIGNATURE----- From vedaal at hush.com Thu Dec 23 23:20:03 2004 From: vedaal at hush.com (vedaal@hush.com) Date: Thu Dec 23 23:16:29 2004 Subject: Decrypting HTML Pages as e-mails Message-ID: <200412232220.iBNMK7qi076158@mailserver3.hushmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 >Message: 2 >Date: Wed, 22 Dec 2004 15:42:35 -0600 >From: David Jourard >Subject: Decrypting HTML Pages as e-mails >To: gnupg-users@gnupg.org >Message-ID: <4.2.0.58.20041222153322.00ce28f0@69.20.59.174> >Content-Type: text/plain; charset="us-ascii"; format=flowed >I have a couple of clients who have some web forms submitted and >sent as >encrypted e-mails using gpg. > >I would like to have the forms when decrypted program formatted as >an HTML >document. (I'm using pgp to do the decryption on a Win32 machine.) > >I've tried with both eudora and outlook express but after >decryption the >e-mails are displayed with all the HTML code rather than resolving >the HTML >as an HTML page. > >Has anyone successfully carried this out with Eudora or outlook >express >using pgp or gpg frontends to decrypt an e-mail so that it >resolves into an >html page. > >Perhaps a browser that has an e-mail client might work. i have succesfully carried it out, but somewhat modified, in that i don't allow/accept html e-mails, but have instructed people how to send them to me, and upon decryption, it can be viewed as an html document in either the internet explorer or opera browser here are the steps that worked: [1] sender has an html form, call it form1 [2] sender views this an an html page in internet explorer [3] from the internet explorer top toolbar, sender clicks 'view' then 'source' [4] notepad opens with the html code of the form [5] save this as form1.htm (not as .txt) [6] sign and encrypt this with gnupg, getting form1.htm.gpg [7] decrypt with either pgp or gnupg and save the verified decrypted file as form1.htm (i successfully decrypted with pgp8/pgpmail/freeware) [8] open windows explorer and double-click on form1.htm, and the original html form is displayed in internet explorer (or whatever your default html viewer is) vedaal -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) - WinPT 0.9.14-1 Comment: Acts of Kindness better the World, and protect the Soul iQIVAwUBQctEOVqiDIZqWJqXAQiNUQ/+I85c8PaPArXo3lVuvIy2jjYe/kpEEA6C Kb4FecIvbbynnwWN3hoWvr/jIDynuSGs6cDXUn/8OKjE+wFQgM5RPw1b/3lV+iz2 N3kEBsSHgcvlroPBK7FQt+YDUwkK0yjmJYlsGdhBjApwpoS1hJJLugaBpjadCODs 1IxiTQhhspmn39HH/hVLi3NLBQAl8oHu7dechFdcfJY2EafuvCxu9bNPjVl7UV65 E3Zwck7PI3QZ2xn5xgXt3c2zd3fBM2Kqpo6WyH/6TkVUjuh4+QSOcd1YqSPWjYZ5 8/iOPH6RfcscF01lPd3E+sppAbegIlfb4ChlZT2Jp+ObkEkYo8mUxdB7dkxDXMyV OzqYuejJj8ZLgQK4f4PJ95m4znHnkW9T7OzSXLFD0NOWYSfq9lMUGfq0/C9S+U5S gHyr/vSdzk9nLsg6rBUgBRtTIxmnGGPE7UKlO281RQtmzHTqwhf7u1ppvV/CWNNW SdbJXqNHytx4bGsBXLZrXOBq1ADCddknYlaO51TpHLcJkVyAibG+UqPAiGPNJyO1 TTves7iVMsIk2ps9h96uu6Ylso8LINLF04vmiozbpJCg+MGFl4lz10HBpiWbUgqr z8KMahFhm76CFm/BV4Xa0olaj7kygMYMdRb/C7zj3Tgz3XzXz/brMWXsT0XIducg vo1NHoYpr3c= =c8qV -----END PGP SIGNATURE----- Concerned about your privacy? Follow this link to get secure FREE email: http://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger http://www.hushmail.com/services-messenger?l=434 Promote security and make money with the Hushmail Affiliate Program: http://www.hushmail.com/about-affiliate?l=427 From atom at suspicious.org Fri Dec 24 07:25:00 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Fri Dec 24 07:19:43 2004 Subject: Choosing the Hash and cyphering algorithm In-Reply-To: <1103722482.41c977f2a2817@webmail.numericable.fr> References: <1103722482.41c977f2a2817@webmail.numericable.fr> Message-ID: <20041224062309.42353.qmail@suspicious.org> On Wed, 22 Dec 2004 npellegr@numericable.fr wrote: > Thank's for all Atom ! > > It works. ==================== cool.... > Almost ... actually I still can't force gpg to use the secret RSA key to > cypher. ===================== are you trying to specify a subkey that isn't for encryption use? if you're trying to encrypt with a subkey that's a signing-only subkey it won't work for encryption. but what's that about the _secret_ RSA key being used to cipher? gpg will ENcrypt to a public key and DEcrypt with a corresponding secret key. -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "The universe is not hostile, nor yet is it friendly. It is simply indifferent." -- John Hughes Holmes From henk-piet.glas at altium.nl Fri Dec 24 09:17:13 2004 From: henk-piet.glas at altium.nl (Henk-Piet Glas) Date: Fri Dec 24 09:14:48 2004 Subject: host not found: ec=11001 In-Reply-To: <20041223160620.GA8547@jabberwocky.com> References: <41C985A3.2090807@altium.nl> <20041222144113.GA1012@jabberwocky.com> <41CA98A3.3050604@altium.nl> <20041223145519.GI15426@jabberwocky.com> <41CAE5F0.8090103@altium.nl> <20041223160620.GA8547@jabberwocky.com> Message-ID: <41CBD089.7030508@altium.nl> David Shaw wrote: > > Wait a moment. I thought (...) the correct one. > Turns out both work. Just tried it (I am using XP). In both tests I made sure to start with a fresh environment i.e. neither HTTP_PROXY nor http_proxy exists initially. Only one is set before verifying. Werner is right about windows SET. Doing: SET GLAS="aap" SET glas="noot" Results in a single variable: GLAS="noot" Yet in all cases I work from cygwin and after: export GLAS="aap" export glas="noot" I have one lower and one upper case environment variable called glas. When I say "both work" I mean both exports work. I am now using http-proxy[=value]. Regards, -- Henk-Piet Glas Support Engineer ----------------------------------------------------------- E-mail: support.nl@altium.nl Altium Software BV Voice: +31-33-455 85 84 Saturnus 2 Fax: +31-33-455 55 03 3824 ME Amersfoort WWW: http://www.altium.com The Netherlands --------[Altium - Making Electronics Design Easier]-------- From dshaw at jabberwocky.com Fri Dec 24 22:03:30 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Dec 24 22:00:31 2004 Subject: [IPC Error Console] What's that ? In-Reply-To: References: Message-ID: <20041224210329.GF26371@jabberwocky.com> On Fri, Dec 24, 2004 at 08:29:31AM +0100, Melchior de Contades wrote: > Hi all, > > [Running Enigmail 0.89.6 with GnuPG 1.4.0a on a Win98 machine and > Thunderbird 1.0] > > Enigmail is running well here (sign - encrypt - decrypt) and it seems > that there is absolutely no problem with GnuPG... > > BUT, when i start reading my first mail on a session, even non signed or > non encrypted, i see briefly a window named "IPC error Console" > flashing... It is happening only for the first mail i read. > (Have no time to see if something is mentionned in it). > > What's that "IPC Error Console" ?.. Does it tell me that something is > not working somewhere ? Is it a matter of GnuPG or Enigmail ? GnuPG has no windows, so it's being generated from Enigmail or Thunderbird. I'd ask the Enigmail folks. David From ben.branders at skynet.be Sat Dec 25 20:44:45 2004 From: ben.branders at skynet.be (Ben Branders) Date: Sat Dec 25 20:40:55 2004 Subject: The disadvantages of online KSP Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi As already discussed in another thread, there will be a keysigning party for Flanders (Belgium) and the Netherlands. This KSP will take place online (via IRC) and the participants won't meet eachother in real life. Naturally, the biggest disadvantage is that you can't verify that the person really is who he says he is. You can check if the e-mailadres belongs to him, but there is no way of knowing if he is an impostor or not. But then again, you can never know for sure that someone is an imposter or not. There are a lot of people who share exactly the same name. Even if you check their identity in real life, one of them can mislead you... There are also people who use nicknames in their key IDs and their email addresses. You can't check their identity, because AFAIK your nickname isn't on your driving license or on you passport. Or am I missing something here? And has online KSP other disadvantages? Regards - -- Ben Branders http://bytewarrior.madoka.be .---. E-mail privacy is a right, not a privilege. / |\________________ Please sign and/or encrypt your mail. | () | ________ _ _) \ |/ | | | | Gnu Privacy Guard: http://gnupg.org `---' "-" |_| Enigmail: http://enigmail.mozdev.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) iD8DBQFBzcMqqLIDOkaTj9sRAtTOAKCUgn52a6Vgyd1PE3bOS0nLAoN6fwCeLuhv NWmSe2YgngsqZ3r85fLqSsU= =ccqS -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Sat Dec 25 21:33:42 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Sat Dec 25 21:30:42 2004 Subject: The disadvantages of online KSP In-Reply-To: References: Message-ID: <20041225203342.GJ26371@jabberwocky.com> On Sat, Dec 25, 2004 at 08:44:45PM +0100, Ben Branders wrote: > As already discussed in another thread, there will be a keysigning > party for Flanders (Belgium) and the Netherlands. This KSP will take > place online (via IRC) and the participants won't meet eachother in > real life. > > Naturally, the biggest disadvantage is that you can't verify that > the person really is who he says he is. You can check if the > e-mailadres belongs to him, but there is no way of knowing if he is > an impostor or not. > > But then again, you can never know for sure that someone is an > imposter or not. There are a lot of people who share exactly the > same name. Even if you check their identity in real life, one of > them can mislead you... Signing someone's key is you making a statement that you have checked that the key belongs to the person named in the user ID. You really can't do that in a strong way without meeting physically. I would not sign someone's key under such circumstances. David From ben.branders at skynet.be Sat Dec 25 22:01:19 2004 From: ben.branders at skynet.be (Ben Branders) Date: Sat Dec 25 21:57:36 2004 Subject: The disadvantages of online KSP In-Reply-To: <20041225203342.GJ26371__23781.3209103935$1104007076$gmane$org@jabberwocky.com> References: <20041225203342.GJ26371__23781.3209103935$1104007076$gmane$org@jabberwocky.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Shaw - 25/12/04 21:33: > Signing someone's key is you making a statement that you have checked > that the key belongs to the person named in the user ID. You really > can't do that in a strong way without meeting physically. Yes, of course. But even if you do meet them in real life, how can you ever be sure? If, for example, someone uses a nickname for his e-mailadres and his key, how can you check if he really 'owns' that nickname. Suppose I know someone with the nickname X2. I also know that there is a key signing party next week. I make a new e-mailaccount, x2@mail.com. Then I generate a key for that account, but instead of typing my name, I use 'X2' (which is of course the nickname of someone else). I go to the KSP and someone wants to sign my key. Although he can check my identity, he can't know if X2 is my real nickname or not... How does OpenPGP take care of that? Or am I forgetting something in my little story here? Regards - -- Ben Branders http://bytewarrior.madoka.be .---. E-mail privacy is a right, not a privilege. / |\________________ Please sign and/or encrypt your mail. | () | ________ _ _) \ |/ | | | | Gnu Privacy Guard: http://gnupg.org `---' "-" |_| Enigmail: http://enigmail.mozdev.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) iD8DBQFBzdUcqLIDOkaTj9sRAti6AJ9gXcDy7ZuhdgXkkA77kc+63+usTQCdEajN wCqOEGc1l42LeSkQeZHU6cY= =SCKH -----END PGP SIGNATURE----- From fw at deneb.enyo.de Sat Dec 25 22:10:37 2004 From: fw at deneb.enyo.de (Florian Weimer) Date: Sat Dec 25 22:07:01 2004 Subject: The disadvantages of online KSP In-Reply-To: (Ben Branders's message of "Sat, 25 Dec 2004 22:01:19 +0100") References: <20041225203342.GJ26371__23781.3209103935$1104007076$gmane$org@jabberwocky.com> Message-ID: <87is6qm6cy.fsf@deneb.enyo.de> * Ben Branders: > Yes, of course. But even if you do meet them in real life, how can you > ever be sure? If, for example, someone uses a nickname for his e-mailadres > and his key, how can you check if he really 'owns' that nickname. You don't sign such things. It's a simple matter of policy. You only mark keys as trusted if you the key holder follows the same policy. > How does OpenPGP take care of that? Or am I forgetting something in my > little story here? It doesn't. OpenPGP only specifies a transport format, and hardly any semantics. Implementations enforce some semantics (and sometimes, they disagree), others a matter of the policy the users choose to follow. This is both the strength and weakness of OpenPGP, compared to X.509. From cedar at 3web.net Sun Dec 26 00:36:29 2004 From: cedar at 3web.net (C. D. Rok) Date: Sun Dec 26 00:33:32 2004 Subject: The disadvantages of online KSP In-Reply-To: References: Message-ID: <41CDF97D.4070207@3web.net> Ben Branders wrote: > ... > But then again, you can never know for sure that someone is an imposter or > not. There are a lot of people who share exactly the same name. Even if > you check their identity in real life, one of them can mislead you... > ... What the whole GPG WOT needs is the definition of "the user": an assumption that a user (of any computer system) has a one-to-one relationship to a living organism of Homo Sapiens kind is naive and never works well in practice. In the absence of such definition it is perfectly reasonable to use whatever definition seems "right" to you under the circumstances. Signing a key of someone who you don't know but who has presented you with a piece of paper you have no way of authenticating is certainly no better or worse than signing a key of someone whom you have met and conversed with online. C Rok From sckbr at alltel.net Sun Dec 26 01:16:31 2004 From: sckbr at alltel.net (Bob) Date: Sun Dec 26 01:13:21 2004 Subject: Which 1.4.0a to download Message-ID: <41CE02DF.4020406@alltel.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Having little exposure to linux, and no knowledge of the extensions, I wonder which file to download 1.4.0a.zip or 1.4.0a.zip.sig. TIA Bob -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.3.92 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFBzgLdDJ0/sRiMjykRAv0FAJ9HFREhGK42VuM3cBAqayVRVvpiMQCdFCR1 g8tH7DafwozmmYaKtB2wc8E= =+Xvz -----END PGP SIGNATURE----- From sckbr at alltel.net Sun Dec 26 01:23:23 2004 From: sckbr at alltel.net (Bob) Date: Sun Dec 26 01:20:17 2004 Subject: Which 1.4.0a to download In-Reply-To: <41CE02DF.4020406@alltel.net> References: <41CE02DF.4020406@alltel.net> Message-ID: <41CE047B.3070203@alltel.net> Please disragard this, I am full, sleep, and thankful Merry Christmas to all Bob wrote: > Having little exposure to linux, and no knowledge of the extensions, I > wonder which file to download 1.4.0a.zip or 1.4.0a.zip.sig. TIA > > Bob _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From atom at suspicious.org Sun Dec 26 05:27:13 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Sun Dec 26 05:22:12 2004 Subject: The disadvantages of online KSP In-Reply-To: References: Message-ID: <20041226042519.30189.qmail@suspicious.org> On Sat, 25 Dec 2004, Ben Branders wrote: > Or am I missing something here? > And has online KSP other disadvantages? ====================== where's the party? that's just a key-signing. if you can't do any in-person identity checking, it's not much different than just sending an email to anyone with a key and signing it if they respond. i at least hope that no one would sign one of these keys with anything other than a level 0-1 signature, but certainly people will sign with other levels. really, this is terribly insecure... someone (other than the real ben branders) could register ben_branders@hotmail (or something) and collect signatures on it? that's just asking for trouble. if i know that someone participated in such insecure and irresponsible key signing practices i would have to NOT trust any signatures made with their key: gpg --edit-key 0x12345678 trust 2 - I do NOT trust -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "A farmer's duty, is protecting the earth, maintaining it's fertility, and maintaining the fertility of seed. That is part of being a farmer. A farmer is not a low-paid tractor driver, that's a modern definition of what a farmer is. The real definition of a farmer is a person who relates to the land and relates to the seed and keeps it for future generations, keeps renewing it, fertility." -- Dr. Vandana Shiva From atom at suspicious.org Sun Dec 26 05:46:16 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Sun Dec 26 05:40:34 2004 Subject: The disadvantages of online KSP In-Reply-To: References: <20041225203342.GJ26371__23781.3209103935$1104007076$gmane$org@jabberwocky.com> Message-ID: <20041226044413.37546.qmail@suspicious.org> On Sat, 25 Dec 2004, Ben Branders wrote: > Yes, of course. But even if you do meet them in real life, how can you > ever be sure? If, for example, someone uses a nickname for his > e-mailadres and his key, how can you check if he really 'owns' that > nickname. > > Suppose I know someone with the nickname X2. I also know that there is a > key signing party next week. I make a new e-mailaccount, x2@mail.com. > Then I generate a key for that account, but instead of typing my name, I > use 'X2' (which is of course the nickname of someone else). > > I go to the KSP and someone wants to sign my key. Although he can check > my identity, he can't know if X2 is my real nickname or not... ======================= it makes no difference whether they're using a real name or pseudonym, if someone wants me to sign their key they have to *PROVE* to my satisfaction that they are who they claim to be. if someone is known as X2, then they have the same burden of proving their identity as they would if their name is david shaw. in either case they have to convince me that they are who they claim to be, although X2 may have a harder time of it than david shaw (i used to know someone else named david shaw). if either of them can't convince me that they are who they claim to be i will NOT sign their key. i just wrote an extensive article on this topic (pgp Key Signing Observations - Overlooked Social and Technical Considerations) and i hope to see it soon in 2600, and several other publications after they break it. i'll also be talking about it at interz0ne 4. -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "Simply stated, there is no doubt that Saddam Hussein now has weapons of mass destruction." -- Dick Cheney, 26 August 2002 From henkdebruijn at wanadoo.nl Sun Dec 26 07:32:38 2004 From: henkdebruijn at wanadoo.nl (Henk de Bruijn) Date: Sun Dec 26 07:29:09 2004 Subject: The disadvantages of online KSP In-Reply-To: <20041225203342.GJ26371@jabberwocky.com> References: <20041225203342.GJ26371@jabberwocky.com> Message-ID: <1237350735.20041226073238@wanadoo.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, 25 Dec 2004 15:33:42 -0500GMT (25-12-2004, 21:33 +0100, where I live), David Shaw wrote: > On Sat, Dec 25, 2004 at 08:44:45PM +0100, Ben Branders wrote: ... >> But then again, you can never know for sure that someone is an >> imposter or not. There are a lot of people who share exactly the >> same name. Even if you check their identity in real life, one of >> them can mislead you... > Signing someone's key is you making a statement that you have checked > that the key belongs to the person named in the user ID. You really > can't do that in a strong way without meeting physically. > I would not sign someone's key under such circumstances. Neither would I. - -- Henk ______________________________________________________________________ The Bat!? Natural Email System v3.0.1nl Professional on Windows XP SP2 PGPkey available at http://www.biglumber.com/x/web?qs=0x12069B93DBE6E678 Gossamer Spider Web of Trust GSWoT http://gswot.dyndns.org/ A Progressive and Innovative Web of Trust -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) - GPGrelay v0.955 iD8DBQFBzlsNEgabk9vm5ngRAjL6AJ0Z4AowbODhoWp/3/Rt7L0TT0YsbACeIgXS VUsb+B/e8ca1/X39Ldz3sNc= =mZh0 -----END PGP SIGNATURE----- From ben.branders at skynet.be Sun Dec 26 11:06:36 2004 From: ben.branders at skynet.be (Ben Branders) Date: Sun Dec 26 11:02:57 2004 Subject: The disadvantages of online KSP In-Reply-To: References: Message-ID: <41CE8D2C.1000308@skynet.be> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Thank you for the information. I didn't know all that. I understand now why those online keysigning are considered harmful for the WoT... Maybe things like this can be made more clear in the Keysigning HOWTO, so that everyone knows about the problems with those online keysignings (I couldn't find anything about this in the HOWTO or in the FAQ). Regards - -- Ben Branders http://bytewarrior.madoka.be .---. E-mail privacy is a right, not a privilege. / |\________________ Please sign and/or encrypt your mail. | () | ________ _ _) \ |/ | | | | Gnu Privacy Guard: http://gnupg.org `---' "-" |_| Enigmail: http://enigmail.mozdev.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) iD8DBQFBzo0pqLIDOkaTj9sRAkrzAJ9EYYND/ytEn9XoO/9LRrMXjgu/jQCgysRG YsaMbdWAUAhv1oGB/7w4r+Y= =dsv9 -----END PGP SIGNATURE----- From johanw at vulcan.xs4all.nl Sun Dec 26 12:00:18 2004 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Sun Dec 26 13:29:41 2004 Subject: The disadvantages of online KSP In-Reply-To: <20041226042519.30189.qmail@suspicious.org> from "Atom 'Smasher'" at "Dec 25, 2004 11:27:13 pm" Message-ID: <200412261100.MAA06159@vulcan.xs4all.nl> Atom 'Smasher' wrote: >really, this is terribly insecure... Oh, well, the WOT has limited usability anyway. Before I send someone sensitive, encrypted data, I'll ask which key to use anyway. And I don't send sensitive data to people I don't know, so checking isn't really a problem. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From dshaw at jabberwocky.com Sun Dec 26 14:11:54 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Sun Dec 26 14:08:57 2004 Subject: The disadvantages of online KSP In-Reply-To: <20041226042519.30189.qmail@suspicious.org> References: <20041226042519.30189.qmail@suspicious.org> Message-ID: <20041226131153.GK26371@jabberwocky.com> On Sat, Dec 25, 2004 at 11:27:13PM -0500, Atom 'Smasher' wrote: > On Sat, 25 Dec 2004, Ben Branders wrote: > > >Or am I missing something here? > >And has online KSP other disadvantages? > ====================== > > where's the party? that's just a key-signing. > > if you can't do any in-person identity checking, it's not much different > than just sending an email to anyone with a key and signing it if they > respond. > > i at least hope that no one would sign one of these keys with anything > other than a level 0-1 signature, but certainly people will sign with > other levels. Be very careful with the signature levels. They're not as meaningful as many people think. First of all, they are really only for human eyes - the web of trust does not give more trust with a level 3 than with a level 2. PGP and (until recently) GnuPG treats all signatures, whether 0, 1, 2, or 3 alike. These days, to help deal with a large number of pointless and completely unchecked signatures, GnuPG actually discards any level 1 signatures it sees. Finally, note that 0 is not lower than 1. 0 is "I do not participate in this signature scheme so I will not answer". 1 is the lowest. The bottom line is that signature levels are vaguely useful as an indication from one human being to another, but for the sake of the web of trust, don't think that a lousy signature can be made less bad by making it level 1. A lousy signature is a lousy signature. David From atom at suspicious.org Sun Dec 26 19:28:38 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Mon Dec 27 10:36:59 2004 Subject: The disadvantages of online KSP In-Reply-To: <200412261100.MAA06159@vulcan.xs4all.nl> References: <200412261100.MAA06159@vulcan.xs4all.nl> Message-ID: <20041226182642.57045.qmail@suspicious.org> On Sun, 26 Dec 2004, Johan Wevers wrote: > Oh, well, the WOT has limited usability anyway. Before I send someone > sensitive, encrypted data, I'll ask which key to use anyway. And I don't > send sensitive data to people I don't know, so checking isn't really a > problem. ================= how do you ask? if it's someone you don't know, do you call them on the phone? send an unencrypted email? if i need to send encrypted data to someone i've never met, the WoT can often be the best way there is to determine who they are and what key to use. -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "The Final Act of the Uruguay Round, marking the conclusion of the most ambitious trade negotiation of our century, will give birth - in Morocco - to the World Trade Organization, the third pillar of the New World Order, along with the United Nations and the International Monetary Fund." -- Part of full-page advertisement by the government of Morocco in The New York Times (April 1994) From jharris at widomaker.com Sun Dec 26 23:59:59 2004 From: jharris at widomaker.com (Jason Harris) Date: Mon Dec 27 10:37:16 2004 Subject: new (2004-12-26) keyanalyze results (+sigcheck) Message-ID: <20041226225959.GA684@wilma.widomaker.com> New keyanalyze results are available at: http://keyserver.kjsl.com/~jharris/ka/2004-12-26/ Signatures are now being checked using keyanalyze+sigcheck: http://dtype.org/~aaronl/ Earlier reports are also available, for comparison: http://keyserver.kjsl.com/~jharris/ka/ Even earlier monthly reports are at: http://dtype.org/keyanalyze/ SHA-1 hashes and sizes for all the "permanent" files: b0d8e6aaf4e0f8c8092a6b3a04cf77fe1bf6b49a 10970784 preprocess.keys ad4995b67d89b23eaeec23f655bc78c00262b580 7046060 othersets.txt a987a77c8405dd380e74fd92b755a53f892f7918 2791502 msd-sorted.txt b0f152cbac2bff77aeed70a933fec6d7ac3e7b71 1484 index.html 8ff5d5c723401f9310da98883b4676cac19face9 2289 keyring_stats ae6f1cebcb12a4f4f6433913c1d909f743129505 1099074 msd-sorted.txt.bz2 a57dc17348cd940e8ddee79ce83e361338fa046b 26 other.txt 7bd51d0728aa9c3549c3f7e443301334eacd8c1c 1513582 othersets.txt.bz2 05a0fffd0e0501ec033a95469b919ef52bd43c77 4452520 preprocess.keys.bz2 8f464bea869f74adb0637b438cf98422fd148442 11031 status.txt 5e7171097aad94a32f170e7f0c751edbf7966aac 211744 top1000table.html 72ad04c6dae3a3611e276d56e218515fecfa366f 30628 top1000table.html.gz 819326c72d00b58abbe6ec9aae5d834608e9337c 11004 top50table.html ffc6e143ea23ee6bb9eb3db01459a989683b864a 2449 D3/D39DA0E3 -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20041226/2278b9a9/attachment.bin From waltman at pobox.com Mon Dec 27 04:01:31 2004 From: waltman at pobox.com (Walt Mankowski) Date: Mon Dec 27 10:37:25 2004 Subject: GPG wants to check trustdb every day Message-ID: <20041227030131.GN591@waltman.dnsalias.org> I'm running version 1.2.4 of gpg, from the Debian's 1.2.4-4 package of gnupg. Several days ago I noticed that gpg suddenly wants to start rechecking the trustdb every single day. Prior to this, it was just checking it every month or so. Here's the output from "gpg --check-trustdb": % gpg --check-trustdb gpg: public key 98645519 is 43099 seconds newer than the signature gpg: checking at depth 0 signed=86 ot(-/q/n/m/f/u)=0/0/0/0/0/1 gpg: public key 98645519 is 43099 seconds newer than the signature gpg: checking at depth 1 signed=257 ot(-/q/n/m/f/u)=22/0/0/54/10/0 gpg: public key 98645519 is 43099 seconds newer than the signature gpg: checking at depth 2 signed=628 ot(-/q/n/m/f/u)=134/0/0/0/0/0 gpg: next trustdb check due at 2004-12-27 As far as I know I haven't changed anything. /usr/bin/gpg was last changed on 2004-02-23, and ~/.gnupg/options was changed on 2003-07-30. I've tried running "gpg --rebuild-keydb-caches" but that didn't help. Anyone know what else might be causing this? Thanks. Walt -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : /pipermail/attachments/20041226/db46f430/attachment.bin From linux at codehelp.co.uk Mon Dec 27 11:40:30 2004 From: linux at codehelp.co.uk (Neil Williams) Date: Mon Dec 27 11:36:56 2004 Subject: GPG wants to check trustdb every day In-Reply-To: <20041227030131.GN591@waltman.dnsalias.org> References: <20041227030131.GN591@waltman.dnsalias.org> Message-ID: <200412271040.33559.linux@codehelp.co.uk> On Monday 27 December 2004 3:01 am, Walt Mankowski wrote: > I'm running version 1.2.4 of gpg, from the Debian's 1.2.4-4 package of > gnupg. Several days ago I noticed that gpg suddenly wants to start > rechecking the trustdb every single day. Prior to this, it was just > checking it every month or so. > > Here's the output from "gpg --check-trustdb": > > % gpg --check-trustdb > gpg: public key 98645519 is 43099 seconds newer than the signature When did you import 0x98645519? From the keyserver output, it would seem that there is an oddity with the signatures: pub 1024R/98645519 1998-10-14 Jeremy Blosser Key fingerprint = 1D D8 8E 3C 3E 19 74 EB 2F 70 EA 79 4B 50 D3 B5 sig 0x10 98645519 1998-10-13 [selfsig] uid Jeremy Blosser sig 0x10 98645519 1998-10-13 [selfsig] Does removing this key eliminate the check-trustdb problem? Maybe if the keyholder edits the key (e.g. set the passphrase again (same one, just repeat it), his copy of gpg will put a new self-sig on the key to solve this problem? > As far as I know I haven't changed anything. /usr/bin/gpg was last > changed on 2004-02-23, and ~/.gnupg/options was changed on 2003-07-30. > > I've tried running "gpg --rebuild-keydb-caches" but that didn't help. > Anyone know what else might be causing this? I'd blame the key before gpg. -- Neil Williams ============= http://www.dclug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20041227/72298bec/attachment-0001.bin From waltman at pobox.com Mon Dec 27 14:43:43 2004 From: waltman at pobox.com (Walt Mankowski) Date: Mon Dec 27 14:40:03 2004 Subject: GPG wants to check trustdb every day In-Reply-To: <200412271040.33559.linux@codehelp.co.uk> References: <20041227030131.GN591@waltman.dnsalias.org> <200412271040.33559.linux@codehelp.co.uk> Message-ID: <20041227134343.GS591@waltman.dnsalias.org> On Mon, Dec 27, 2004 at 10:40:30AM +0000, Neil Williams wrote: > When did you import 0x98645519? I don't know how to determine that, but judging from the other keys around it in the output of "gpg --list-keys" I'd say it was sometime in 2000 or 2001. I've noticed those sorts of error messages before but they never seemed to cause any problems. > > From the keyserver output, it would seem that there is an oddity with the > signatures: > pub 1024R/98645519 1998-10-14 Jeremy Blosser > Key fingerprint = 1D D8 8E 3C 3E 19 74 EB 2F 70 EA 79 4B 50 D3 B5 > sig 0x10 98645519 1998-10-13 [selfsig] > uid Jeremy Blosser > sig 0x10 98645519 1998-10-13 [selfsig] > > Does removing this key eliminate the check-trustdb problem? > > Maybe if the keyholder edits the key (e.g. set the passphrase again (same one, > just repeat it), his copy of gpg will put a new self-sig on the key to solve > this problem? > > > As far as I know I haven't changed anything. /usr/bin/gpg was last > > changed on 2004-02-23, and ~/.gnupg/options was changed on 2003-07-30. > > > > I've tried running "gpg --rebuild-keydb-caches" but that didn't help. > > Anyone know what else might be causing this? > > I'd blame the key before gpg. I'm doubtful, since it's been on my keyring for years without any problem. Walt -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : /pipermail/attachments/20041227/8fa30629/attachment.bin From johanw at vulcan.xs4all.nl Mon Dec 27 13:18:18 2004 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Mon Dec 27 14:51:04 2004 Subject: The disadvantages of online KSP In-Reply-To: <20041226182642.57045.qmail@suspicious.org> from "Atom 'Smasher'" at "Dec 26, 2004 01:28:38 pm" Message-ID: <200412271218.NAA12450@vulcan.xs4all.nl> Atom 'Smasher' wrote: >how do you ask? if it's someone you don't know, Then I don't send him sensitive data anyway. Encrypted or not isn't the question then. If it would be for company use (happened once), I got the key to use on a floppy from a manager, so that wasn't difficult. If it's someone I've never met but have had email conversations with before, I'll discuss which key to use over email. Unencrypted, since someone who intercepts the message will find out which key I use anyway. If --throw-keyid comes into view, via remailers, it's probably someone I know personally anyway. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From waltman at pobox.com Mon Dec 27 23:24:54 2004 From: waltman at pobox.com (Walt Mankowski) Date: Tue Dec 28 02:12:33 2004 Subject: GPG wants to check trustdb every day In-Reply-To: <20041227134343.GS591@waltman.dnsalias.org> References: <20041227030131.GN591@waltman.dnsalias.org> <200412271040.33559.linux@codehelp.co.uk> <20041227134343.GS591@waltman.dnsalias.org> Message-ID: <20041227222454.GW591@waltman.dnsalias.org> On Mon, Dec 27, 2004 at 08:43:43AM -0500, Walt Mankowski wrote: > I'm doubtful, since it's been on my keyring for years without any > problem. Well, I didn't change anything, and I just verified a signature that forced today's check of the trustdb. Interestingly, this time it said that the next trustdb check is scheduled for December 30. A check every 3 days beats a check everyday, but I'd still rather have the old once-a-monthish behavior. Does anyone know what the formula is that gpg uses to decide when the next check is supposed to be? Everything I've been able to find online has been pretty vague. Walt -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : /pipermail/attachments/20041227/54385519/attachment-0001.bin From jeroen at lightyear.be Tue Dec 28 00:34:00 2004 From: jeroen at lightyear.be (Jeroen Budts) Date: Tue Dec 28 02:12:46 2004 Subject: Compile GnuPG 1.4 under cygwin? Message-ID: Hi! Is it possible to compile GnuPG 1.4.0 using cygwin on WinXP? When i try to run the configure script everything seems to work fine (see output below), but when i then do 'make' i get some errors.. Do i need to modify some files? I searched google for a while but couldn't find any manual or howto.. I am totally new to compiling programs this way and i have in fact as good as no experience with linux but i'm willing to learn and slowly i'm moving from windows to linux... thx! (and sorry if this is a stupid question...) Jeroen Budts output of './configure' -------------------------------------------- teranex@thunderbox /d/gnupg-1.4.0 $ ./configure checking build system type... i686-pc-cygwin checking host system type... i686-pc-cygwin checking for a BSD-compatible install... /usr/bin/install -c checking whether build environment is sane... yes checking for gawk... gawk checking whether make sets $(MAKE)... yes checking which random module to use... default checking whether use of /dev/random is requested... yes checking whether assembler modules are requested... yes checking whether memory guard is requested... no checking whether SELinux support is requested... no checking whether OpenPGP card support is requested... yes checking whether readline support is requested... yes checking whether the new iconv based code is requested... yes checking whether to enable the experimental backsigs code... no checking whether to enable the RSA public key algorithm... yes checking whether to enable the IDEA cipher... yes checking for idea cipher module... no checking whether to enable the CAST5 cipher... yes checking whether to enable the BLOWFISH cipher... yes checking whether to enable the AES ciphers... yes checking whether to enable the TWOFISH cipher... yes checking whether to enable the SHA-256 digest... yes checking whether to enable the SHA-384 and SHA-512 digests... yes checking whether to enable the BZIP2 compression algorithm... yes checking whether to enable external program execution... yes checking whether to enable photo ID viewing... yes checking whether to use a fixed photo ID viewer... no checking whether to enable external keyserver helpers... yes checking whether LDAP keyserver support is requested... yes checking whether HKP keyserver support is requested... yes checking whether HTTP key fetching support is requested... yes checking whether Finger key fetching support is requested... yes checking whether email keyserver support is requested... yes checking whether keyserver exec-path is enabled... yes checking whether the included zlib is requested... no checking for the size of the key and uid cache... 4096 checking whether use of capabilities is requested... no checking whether to enable maintainer-specific portions of Makefiles... no checking whether make sets $(MAKE)... (cached) yes checking whether build environment is sane... yes checking for gcc... gcc checking for C compiler default output file name... a.exe checking whether the C compiler works... yes checking whether we are cross compiling... no checking for suffix of executables... .exe checking for suffix of object files... o checking whether we are using the GNU C compiler... yes checking whether gcc accepts -g... yes checking for gcc option to accept ANSI C... none needed checking for style of include used by make... GNU checking dependency style of gcc... gcc3 checking how to run the C preprocessor... gcc -E checking for ranlib... ranlib checking for ar... ar checking for perl... /usr/bin/perl checking for library containing strerror... none required checking for special C compiler options needed for large files... no checking for _FILE_OFFSET_BITS value needed for large files... no checking for _LARGE_FILES value needed for large files... no checking for a BSD-compatible install... /usr/bin/install -c checking whether ln -s works... yes checking for gawk... (cached) gawk checking for docbook-to-man... no checking for faqprog.pl... no checking for docbook2texi... no checking for sgml to texi tools... no checking for BSD-compatible nm... /usr/bin/nm -B checking command to parse /usr/bin/nm -B output... yes checking for _ prefix in compiled symbols... yes checking for gethostbyname... yes checking for setsockopt... yes checking for library containing res_query... no checking for library containing __res_query... no checking for library containing dn_expand... no checking for library containing __dn_expand... no checking for library containing dn_skipname... no checking for library containing __dn_skipname... no configure: Resolver functions not found or not usable. Disabling DNS SRV. checking whether LDAP via "-lldap" is present and sane... no checking whether LDAP via "-lldap -llber" is present and sane... no checking whether LDAP via "-lldap -llber -lresolv" is present and sane... no checking whether LDAP via "-lwldap32" is present and sane... no checking for sendmail... no checking whether NLS is requested... yes checking for msgfmt... no checking for gmsgfmt... : checking for xgettext... no checking for msgmerge... no checking for egrep... grep -E checking for ANSI C header files... yes checking for an ANSI C-conforming const... yes checking for signed... yes checking for inline... inline checking for sys/types.h... yes checking for sys/stat.h... yes checking for stdlib.h... yes checking for string.h... yes checking for memory.h... yes checking for strings.h... yes checking for inttypes.h... yes checking for stdint.h... yes checking for unistd.h... yes checking for off_t... yes checking for size_t... yes checking for long long... yes checking for long double... yes checking for wchar_t... yes checking for wint_t... yes checking for inttypes.h... yes checking for stdint.h... yes checking for intmax_t... yes checking whether printf() supports POSIX/XSI format strings... no checking for working alloca.h... yes checking for alloca... yes checking for stdlib.h... (cached) yes checking for unistd.h... (cached) yes checking for getpagesize... yes checking for working mmap... no checking whether we are using the GNU C Library 2.1 or newer... no checking whether integer division by zero raises SIGFPE... yes checking for unsigned long long... yes checking for inttypes.h... yes checking whether the inttypes.h PRIxNN macros are broken... no checking for stdint.h... (cached) yes checking for SIZE_MAX... yes checking for stdint.h... (cached) yes checking for ld used by GCC... /usr/i686-pc-cygwin/bin/ld.exe checking if the linker (/usr/i686-pc-cygwin/bin/ld.exe) is GNU ld... yes checking for shared library run path origin... done checking for ptrdiff_t... yes checking argz.h usability... yes checking argz.h presence... yes checking for argz.h... yes checking limits.h usability... yes checking limits.h presence... yes checking for limits.h... yes checking locale.h usability... yes checking locale.h presence... yes checking for locale.h... yes checking nl_types.h usability... no checking nl_types.h presence... no checking for nl_types.h... no checking malloc.h usability... yes checking malloc.h presence... yes checking for malloc.h... yes checking stddef.h usability... yes checking stddef.h presence... yes checking for stddef.h... yes checking for stdlib.h... (cached) yes checking for string.h... (cached) yes checking for unistd.h... (cached) yes checking sys/param.h usability... yes checking sys/param.h presence... yes checking for sys/param.h... yes checking for asprintf... yes checking for fwprintf... no checking for getcwd... yes checking for getegid... yes checking for geteuid... yes checking for getgid... yes checking for getuid... yes checking for mempcpy... yes checking for munmap... yes checking for putenv... yes checking for setenv... yes checking for setlocale... yes checking for snprintf... yes checking for stpcpy... no checking for strcasecmp... yes checking for strdup... yes checking for strtoul... yes checking for tsearch... yes checking for wcslen... yes checking for __argz_count... yes checking for __argz_stringify... yes checking for __argz_next... yes checking for __fsetlocking... no checking whether _snprintf is declared... no checking whether _snwprintf is declared... no checking whether feof_unlocked is declared... no checking whether fgets_unlocked is declared... no checking whether getc_unlocked is declared... yes checking for iconv... yes checking how to link with libiconv... -liconv checking for iconv declaration... extern size_t iconv (iconv_t cd, const char * *inbuf, size_t *inbytesleft, char * *outbuf, size_t *outbytesleft); checking for nl_langinfo and CODESET... yes checking for LC_MESSAGES... yes checking for bison... no checking whether NLS is requested... yes checking whether included gettext is requested... no checking for GNU gettext in libc... no checking for GNU gettext in libintl... yes checking whether to use NLS... yes checking where the gettext function comes from... external libintl checking how to link with libintl... -lintl checking for strchr... yes checking for library containing dlopen... none required checking for ANSI C header files... (cached) yes checking for unistd.h... (cached) yes checking langinfo.h usability... yes checking langinfo.h presence... yes checking for langinfo.h... yes checking termio.h usability... yes checking termio.h presence... yes checking for termio.h... yes checking for locale.h... (cached) yes checking getopt.h usability... yes checking getopt.h presence... yes checking for getopt.h... yes checking for an ANSI C-conforming const... (cached) yes checking for inline... (cached) inline checking for working volatile... yes checking for size_t... (cached) yes checking for mode_t... yes checking return type of signal handlers... void checking whether sys_siglist is declared... no checking endianess... little checking for byte typedef... no checking for ushort typedef... yes checking for ulong typedef... no checking for u16 typedef... no checking for u32 typedef... no checking for unsigned short... yes checking size of unsigned short... 2 checking for unsigned int... yes checking size of unsigned int... 4 checking for unsigned long... yes checking size of unsigned long... 4 checking for unsigned long long... (cached) yes checking size of unsigned long long... 8 checking for inttypes.h... (cached) yes checking for UINT64_C... no checking for _LARGEFILE_SOURCE value needed for large files... no checking for fseeko... yes checking for vprintf... yes checking for _doprnt... no checking for pid_t... yes checking for unistd.h... (cached) yes checking vfork.h usability... no checking vfork.h presence... no checking for vfork.h... no checking for fork... yes checking for vfork... yes checking for working fork... yes checking for working vfork... (cached) yes checking for strerror... yes checking for stpcpy... (cached) no checking for strsep... yes checking for strlwr... yes checking for tcgetattr... yes checking for strtoul... (cached) yes checking for mmap... yes checking for strcasecmp... (cached) yes checking for strncasecmp... yes checking for ctermid... yes checking for times... yes checking for unsetenv... yes checking for memmove... yes checking for gettimeofday... yes checking for getrusage... yes checking for setrlimit... yes checking for clock_gettime... yes checking for atexit... yes checking for raise... yes checking for getpagesize... (cached) yes checking for strftime... yes checking for nl_langinfo... yes checking for setlocale... (cached) yes checking for waitpid... yes checking for wait4... yes checking for sigaction... yes checking for sigprocmask... yes checking for rand... yes checking for pipe... yes checking for stat... yes checking for getaddrinfo... no checking for mkdtemp... no checking for timegm... no checking for struct sigaction... yes checking for sigset_t... yes checking for getopt... yes checking for gethrtime... no checking for mlock... no checking sys/mman.h usability... yes checking sys/mman.h presence... yes checking for sys/mman.h... yes checking for memlk in -lrt... no checking whether mlock is in sys/mman.h... no checking for sys/stat.h... (cached) yes checking for unistd.h... (cached) yes checking direct.h usability... no checking direct.h presence... no checking for direct.h... no checking if mkdir takes one argument... no checking sys/ipc.h usability... yes checking sys/ipc.h presence... yes checking for sys/ipc.h... yes checking sys/shm.h usability... yes checking sys/shm.h presence... yes checking for sys/shm.h... yes checking whether IPC_RMID allowes subsequent attaches... no checking whether SHM_LOCK is available... no checking for random device... yes checking for mpi assembler functions... done checking whether regular expression support is requested... yes checking whether the included regex lib is requested... no checking for regcomp... yes checking whether your system's regexp library is broken... no checking zlib.h usability... yes checking zlib.h presence... yes checking for zlib.h... yes checking for deflateInit2_ in -lz... yes checking for bzlib.h... yes checking for BZ2_bzCompressInit in -lbz2... yes checking for usb_bulk_write in -lusb... no checking for usb_get_busses... no checking for add_history in -lreadline... yes checking readline/readline.h usability... yes checking readline/readline.h presence... yes checking for readline/readline.h... yes configure: creating ./config.status config.status: creating Makefile config.status: creating m4/Makefile config.status: creating intl/Makefile config.status: creating po/Makefile.in config.status: creating util/Makefile config.status: creating mpi/Makefile config.status: creating cipher/Makefile config.status: creating g10/Makefile config.status: creating keyserver/Makefile config.status: creating keyserver/gpgkeys_mailto config.status: creating keyserver/gpgkeys_test config.status: creating doc/Makefile config.status: creating tools/Makefile config.status: creating zlib/Makefile config.status: creating checks/Makefile config.status: creating config.h config.status: config.h is unchanged config.status: linking ./mpi/i386/mpih-add1.S to mpi/mpih-add1.S config.status: linking ./mpi/i386/mpih-mul1.S to mpi/mpih-mul1.S config.status: linking ./mpi/i386/mpih-mul2.S to mpi/mpih-mul2.S config.status: linking ./mpi/i386/mpih-mul3.S to mpi/mpih-mul3.S config.status: linking ./mpi/i386/mpih-lshift.S to mpi/mpih-lshift.S config.status: linking ./mpi/i386/mpih-rshift.S to mpi/mpih-rshift.S config.status: linking ./mpi/i386/mpih-sub1.S to mpi/mpih-sub1.S config.status: linking ./mpi/generic/mpi-asm-defs.h to mpi/mpi-asm-defs.h config.status: executing depfiles commands config.status: executing default-1 commands config.status: creating po/POTFILES config.status: creating po/Makefile config.status: executing g10defs.h commands g10defs.h is unchanged Configured for: Cygwin (i686-pc-cygwin) output of 'make' -------------------------------------------- teranex@thunderbox /d/gnupg-1.4.0 $ make make all-recursive make[1]: Entering directory `/d/gnupg-1.4.0' Making all in m4 make[2]: Entering directory `/d/gnupg-1.4.0/m4' make[2]: Nothing to be done for `all'. make[2]: Leaving directory `/d/gnupg-1.4.0/m4' Making all in intl make[2]: Entering directory `/d/gnupg-1.4.0/intl' make[2]: Nothing to be done for `all'. make[2]: Leaving directory `/d/gnupg-1.4.0/intl' Making all in zlib make[2]: Entering directory `/d/gnupg-1.4.0/zlib' make[2]: Nothing to be done for `all'. make[2]: Leaving directory `/d/gnupg-1.4.0/zlib' Making all in util make[2]: Entering directory `/d/gnupg-1.4.0/util' if gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../include -I../intl -g -O2 -Wall -MT logger.o -MD -MP -MF ".deps/logger.Tpo" -c -o logger.o logger.c; \ then mv -f ".deps/logger.Tpo" ".deps/logger.Po"; else rm -f ".deps/logger.Tpo"; exit 1; fi if gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../include -I../intl -g -O2 -Wall -MT fileutil.o -MD -MP -MF ".deps/fileutil.Tpo" -c -o fileutil.o fileutil.c; \ then mv -f ".deps/fileutil.Tpo" ".deps/fileutil.Po"; else rm -f ".deps/fileutil.Tpo"; exit 1; fi if gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../include -I../intl -g -O2 -Wall -MT miscutil.o -MD -MP -MF ".deps/miscutil.Tpo" -c -o miscutil.o miscutil.c; \ then mv -f ".deps/miscutil.Tpo" ".deps/miscutil.Po"; else rm -f ".deps/miscutil.Tpo"; exit 1; fi if gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../include -I../intl -g -O2 -Wall -MT strgutil.o -MD -MP -MF ".deps/strgutil.Tpo" -c -o strgutil.o strgutil.c; \ then mv -f ".deps/strgutil.Tpo" ".deps/strgutil.Po"; else rm -f ".deps/strgutil.Tpo"; exit 1; fi if gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../include -I../intl -g -O2 -Wall -MT ttyio.o -MD -MP -MF ".deps/ttyio.Tpo" -c -o ttyio.o ttyio.c; \ then mv -f ".deps/ttyio.Tpo" ".deps/ttyio.Po"; else rm -f ".deps/ttyio.Tpo"; exit 1; fi if gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../include -I../intl -g -O2 -Wall -MT argparse.o -MD -MP -MF ".deps/argparse.Tpo" -c -o argparse.o argparse.c; \ then mv -f ".deps/argparse.Tpo" ".deps/argparse.Po"; else rm -f ".deps/argparse.Tpo"; exit 1; fi if gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../include -I../intl -g -O2 -Wall -MT memory.o -MD -MP -MF ".deps/memory.Tpo" -c -o memory.o memory.c; \ then mv -f ".deps/memory.Tpo" ".deps/memory.Po"; else rm -f ".deps/memory.Tpo"; exit 1; fi if gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../include -I../intl -g -O2 -Wall -MT secmem.o -MD -MP -MF ".deps/secmem.Tpo" -c -o secmem.o secmem.c; \ then mv -f ".deps/secmem.Tpo" ".deps/secmem.Po"; else rm -f ".deps/secmem.Tpo"; exit 1; fi if gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../include -I../intl -g -O2 -Wall -MT errors.o -MD -MP -MF ".deps/errors.Tpo" -c -o errors.o errors.c; \ then mv -f ".deps/errors.Tpo" ".deps/errors.Po"; else rm -f ".deps/errors.Tpo"; exit 1; fi if gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../include -I../intl -g -O2 -Wall -MT iobuf.o -MD -MP -MF ".deps/iobuf.Tpo" -c -o iobuf.o iobuf.c; \ then mv -f ".deps/iobuf.Tpo" ".deps/iobuf.Po"; else rm -f ".deps/iobuf.Tpo"; exit 1; fi if gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../include -I../intl -g -O2 -Wall -MT dotlock.o -MD -MP -MF ".deps/dotlock.Tpo" -c -o dotlock.o dotlock.c; \ then mv -f ".deps/dotlock.Tpo" ".deps/dotlock.Po"; else rm -f ".deps/dotlock.Tpo"; exit 1; fi if gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../include -I../intl -g -O2 -Wall -MT http.o -MD -MP -MF ".deps/http.Tpo" -c -o http.o http.c; \ then mv -f ".deps/http.Tpo" ".deps/http.Po"; else rm -f ".deps/http.Tpo"; exit 1; fi In file included from http.c:46: srv.h:28:26: arpa/nameser.h: No such file or directory srv.h:29:20: resolv.h: No such file or directory make[2]: *** [http.o] Error 1 make[2]: Leaving directory `/d/gnupg-1.4.0/util' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/d/gnupg-1.4.0' make: *** [all] Error 2 From JPClizbe at comcast.net Tue Dec 28 03:14:19 2004 From: JPClizbe at comcast.net (John Clizbe) Date: Tue Dec 28 03:11:16 2004 Subject: Compile GnuPG 1.4 under cygwin? In-Reply-To: References: Message-ID: <41D0C17B.2010407@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jeroen Budts wrote: > Hi! > > Is it possible to compile GnuPG 1.4.0 using cygwin on WinXP? > When i try to run the configure script everything seems to work fine > (see output below), but when i then do 'make' i get some errors.. > Do i need to modify some files? > I searched google for a while but couldn't find any manual or howto.. > > I am totally new to compiling programs this way and i have in fact as > good as no experience with linux but i'm willing to learn and slowly i'm > moving from windows to linux... > > thx! (and sorry if this is a stupid question...) > Jeroen Budts Hi Jeroen, There are no stupid questions, however, the nonexistence of stupid answers has yet to be proven. 8-}) There always seems to be some additional changes to Cygwin builds. You might want to look at the existing Cygwin GnuPG source, IIRC, version 1.2.4 - there's a 90k patch to the gnupg tarball. Since you're coming from a Windows environment, you should probably consider MinGW/MSys with a few optional pieces from the SourceForge GnuWin32 project. GnuPG builds fine out-of-the-box with MinGW and doesn't have the additional Cygwin-1.dll dependency. You'll have some dependencies such as zlib, bzip2, and iconv unless you static link that code. If you want I can share my experience with your and get you started. Just email me at this address. - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0a (Windows 2000 SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFB0MF5HQSsSmCNKhARAtHTAKD4RZBuCmcskLiDrbxU43aU1YPKvACg4vCE 82N4DbMTqIeTmMTVbefnP1Y= =NXTO -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Tue Dec 28 04:35:02 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Dec 28 04:31:58 2004 Subject: Compile GnuPG 1.4 under cygwin? In-Reply-To: References: Message-ID: <20041228033502.GC30683@jabberwocky.com> On Tue, Dec 28, 2004 at 12:34:00AM +0100, Jeroen Budts wrote: > Hi! > > Is it possible to compile GnuPG 1.4.0 using cygwin on WinXP? > When i try to run the configure script everything seems to work fine > (see output below), but when i then do 'make' i get some errors.. > Do i need to modify some files? > I searched google for a while but couldn't find any manual or howto.. > > I am totally new to compiling programs this way and i have in fact as > good as no experience with linux but i'm willing to learn and slowly i'm > moving from windows to linux... > > thx! (and sorry if this is a stupid question...) Not a stupid question at all. The problem you are having is a known bug in 1.4.0, and I believe it is fixed for the upcoming 1.4.1. However, this bit: > In file included from http.c:46: > srv.h:28:26: arpa/nameser.h: No such file or directory > srv.h:29:20: resolv.h: No such file or directory troubles me a little. Can you check if there is a resolv.h in your cygwin install? I was under the impression (possibly incorrect) that resolv.h existed. David From dshaw at jabberwocky.com Tue Dec 28 04:45:13 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Dec 28 04:42:09 2004 Subject: GPG wants to check trustdb every day In-Reply-To: <20041227222454.GW591@waltman.dnsalias.org> References: <20041227030131.GN591@waltman.dnsalias.org> <200412271040.33559.linux@codehelp.co.uk> <20041227134343.GS591@waltman.dnsalias.org> <20041227222454.GW591@waltman.dnsalias.org> Message-ID: <20041228034513.GD30683@jabberwocky.com> On Mon, Dec 27, 2004 at 05:24:54PM -0500, Walt Mankowski wrote: > On Mon, Dec 27, 2004 at 08:43:43AM -0500, Walt Mankowski wrote: > > I'm doubtful, since it's been on my keyring for years without any > > problem. > > Well, I didn't change anything, and I just verified a signature that > forced today's check of the trustdb. Interestingly, this time it said > that the next trustdb check is scheduled for December 30. A check > every 3 days beats a check everyday, but I'd still rather have the old > once-a-monthish behavior. > > Does anyone know what the formula is that gpg uses to decide when the > next check is supposed to be? Everything I've been able to find > online has been pretty vague. The date is set to the nearest expiration (key or signature) that affects the calculated trust (i.e. a key or signature that actually got used in your web of trust). So the check is not really once a month or so, it's when needed. If you have no expiring keys or signatures, GnuPG will never recheck. Note that many actions (including importing keys, deleting keys, revoking keys, revoking user IDs, etc) all force a recheck of the trustdb since these actions may invalidate the existing web of trust. If you're next trustdb check is scheduled for December 30th, then you probably have a key or signature that expires then. Note that if you're using PGP's global directory service, you will always have a signature that expires soon since the GD issues 14 day signatures. David From JPClizbe at comcast.net Tue Dec 28 05:06:48 2004 From: JPClizbe at comcast.net (John Clizbe) Date: Tue Dec 28 05:03:52 2004 Subject: Compile GnuPG 1.4 under cygwin? In-Reply-To: <20041228033502.GC30683@jabberwocky.com> References: <20041228033502.GC30683@jabberwocky.com> Message-ID: <41D0DBD8.4070509@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Shaw wrote: > Not a stupid question at all. The problem you are having is a known > bug in 1.4.0, and I believe it is fixed for the upcoming 1.4.1. > However, this bit: > >> In file included from http.c:46: >> srv.h:28:26: arpa/nameser.h: No such file or directory >> srv.h:29:20: resolv.h: No such file or directory > > troubles me a little. Can you check if there is a resolv.h in your > cygwin install? I was under the impression (possibly incorrect) that > resolv.h existed. Both resolv.h and arpa/nameser.h exist in my Cygwin install. - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0a (Windows 2000 SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD4DBQFB0NvXHQSsSmCNKhARApWGAJiXiu+pQN1wX9170CRxcKd8X4dRAJ4o+Rwr vlB7zCVLr9tpQfby6dQBBA== =veIZ -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Tue Dec 28 05:17:59 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Dec 28 05:15:15 2004 Subject: Compile GnuPG 1.4 under cygwin? In-Reply-To: <41D0DBD8.4070509@comcast.net> References: <20041228033502.GC30683@jabberwocky.com> <41D0DBD8.4070509@comcast.net> Message-ID: <20041228041759.GE30683@jabberwocky.com> On Mon, Dec 27, 2004 at 10:06:48PM -0600, John Clizbe wrote: > David Shaw wrote: > > Not a stupid question at all. The problem you are having is a known > > bug in 1.4.0, and I believe it is fixed for the upcoming 1.4.1. > > However, this bit: > > > >> In file included from http.c:46: > >> srv.h:28:26: arpa/nameser.h: No such file or directory > >> srv.h:29:20: resolv.h: No such file or directory > > > > troubles me a little. Can you check if there is a resolv.h in your > > cygwin install? I was under the impression (possibly incorrect) that > > resolv.h existed. > > Both resolv.h and arpa/nameser.h exist in my Cygwin install. Hmm. Are you able to build 1.4.0 with it? How new is your Cygwin installation? David From waltman at pobox.com Tue Dec 28 05:24:42 2004 From: waltman at pobox.com (Walt Mankowski) Date: Tue Dec 28 05:21:22 2004 Subject: GPG wants to check trustdb every day In-Reply-To: <20041228034513.GD30683@jabberwocky.com> References: <20041227030131.GN591@waltman.dnsalias.org> <200412271040.33559.linux@codehelp.co.uk> <20041227134343.GS591@waltman.dnsalias.org> <20041227222454.GW591@waltman.dnsalias.org> <20041228034513.GD30683@jabberwocky.com> Message-ID: <20041228042442.GX591@waltman.dnsalias.org> On Mon, Dec 27, 2004 at 10:45:13PM -0500, David Shaw wrote: > The date is set to the nearest expiration (key or signature) that > affects the calculated trust (i.e. a key or signature that actually > got used in your web of trust). So the check is not really once a > month or so, it's when needed. If you have no expiring keys or > signatures, GnuPG will never recheck. > > Note that many actions (including importing keys, deleting keys, > revoking keys, revoking user IDs, etc) all force a recheck of the > trustdb since these actions may invalidate the existing web of trust. > > If you're next trustdb check is scheduled for December 30th, then you > probably have a key or signature that expires then. > > Note that if you're using PGP's global directory service, you will > always have a signature that expires soon since the GD issues 14 day > signatures. Aha! That explains it. I must just have a bunch of signatures expiring around the end of the year. Thanks! Walt -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : /pipermail/attachments/20041227/e06f6ace/attachment.bin From johanw at vulcan.xs4all.nl Tue Dec 28 07:16:16 2004 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Tue Dec 28 07:40:25 2004 Subject: GPG wants to check trustdb every day In-Reply-To: <20041228034513.GD30683@jabberwocky.com> from David Shaw at "Dec 27, 2004 10:45:13 pm" Message-ID: <200412280616.HAA01721@vulcan.xs4all.nl> David Shaw wrote: >Note that if you're using PGP's global directory service, you will >always have a signature that expires soon since the GD issues 14 day >signatures. That short? Does it replace them every 14 days too? In that case I'll have to keep my DH key away of it if I don't want it blogged on the other with lots of useless signatures. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From jeroen at lightyear.be Tue Dec 28 09:55:05 2004 From: jeroen at lightyear.be (Jeroen Budts) Date: Tue Dec 28 09:51:26 2004 Subject: Compile GnuPG 1.4 under cygwin? In-Reply-To: <41D0C17B.2010407__40177.3049532951$1104200554$gmane$org@comcast.net> References: <41D0C17B.2010407__40177.3049532951$1104200554$gmane$org@comcast.net> Message-ID: John Clizbe wrote: > Jeroen Budts wrote: >> >> Is it possible to compile GnuPG 1.4.0 using cygwin on WinXP? >> When i try to run the configure script everything seems to work fine >> (see output below), but when i then do 'make' i get some errors.. > > There always seems to be some additional changes to Cygwin builds. You > might want to look at the existing Cygwin GnuPG source, IIRC, version > 1.2.4 - there's a 90k patch to the gnupg tarball. > > Since you're coming from a Windows environment, you should probably > consider MinGW/MSys with a few optional pieces from the SourceForge > GnuWin32 project. > Yes maybe that's indeed better. I already had a look on the document that explains building GnuPG using MingW [1] but since i already have cygwin on my system and MingW seems to try to do about the same as cygwin but in a different way, it seemed a bit like installing the same software twice to me... (but maybe that's a wrong interpretation) In the how-to they say to modify two files: the configure-script and seat.test. Looking at the configure script in gnupg 1.4 these changes or not necessary anymore (the how-to is for 1.3.92), since a precompiler if statement was added. However seat.test is still the same so does it needs the change from the how-to? I'll try it this evening :) Thanks! Jeroen [1] http://clbianco.altervista.org/gnupg/eng/gnupg.html From jeroen at lightyear.be Tue Dec 28 10:01:11 2004 From: jeroen at lightyear.be (Jeroen Budts) Date: Tue Dec 28 09:58:04 2004 Subject: Compile GnuPG 1.4 under cygwin? In-Reply-To: <20041228033502.GC30683__48628.1448080719$1104205431$gmane$org@jabberwocky.com> References: <20041228033502.GC30683__48628.1448080719$1104205431$gmane$org@jabberwocky.com> Message-ID: David Shaw wrote: > On Tue, Dec 28, 2004 at 12:34:00AM +0100, Jeroen Budts wrote: > >> In file included from http.c:46: >> srv.h:28:26: arpa/nameser.h: No such file or directory >> srv.h:29:20: resolv.h: No such file or directory > > troubles me a little. Can you check if there is a resolv.h in your > cygwin install? I was under the impression (possibly incorrect) that > resolv.h existed. > I can't find any resolv.h in my cygwin directory.. Do i need to download any sources of cygwin to get it? I did find a message [1] on the devel-list about the same problem. When i apply the patch to srv.h make works a bit longer, however after a while it still gives an error, but now a different one. I'll try compiling GnuPG using MingW. Thanks! Jeroen [1] http://lists.gnupg.org/pipermail/gnupg-devel/2004-December/021593.html the error in case it is useful: ... make[1]: Entering directory `/d/gnupg-1.4.0/g10' gcc -DGNUPG_LIBEXECDIR="\"/usr/local/libexec/gnupg\"" -g -O2 -Wall -o gpg.exe g10.o build-packet.o compress.o compress-bz2.o free-packet.o getkey.o keydb.o keyring.o seskey.o kbnode.o mainproc.o armor.o mdfilter.o textfilter.o progress.o misc.o openfile.o keyid.o parse-packet.o comment.o status.o plaintext.o sig-check.o keylist.o signal.o cardglue.o tlv.o card-util.o app-openpgp.o iso7816.o apdu.o ccid-driver.o pkclist.o skclist.o pubkey-enc.o passphrase.o seckey-cert.o encr-data.o cipher.o encode.o sign.o verify.o revoke.o decrypt.o keyedit.o dearmor.o import.o export.o trustdb.o tdbdump.o tdbio.o delkey.o keygen.o pipemode.o helptext.o keyserver.o photoid.o exec.o ../cipher/libcipher.a ../mpi/libmpi.a ../util/libutil.a -liconv -lintl -lz -lbz2 -lreadline passphrase.o(.text+0x232): In function `writen': /d/gnupg-1.4.0/g10/passphrase.c:204: undefined reference to `_w32_strerror' passphrase.o(.text+0x2e5): In function `readn': /d/gnupg-1.4.0/g10/passphrase.c:252: undefined reference to `_w32_strerror' Info: resolving _rl_catch_signals by linking to __imp__rl_catch_signals (auto-import) Info: resolving _rl_outstream by linking to __imp__rl_outstream (auto-import) Info: resolving _rl_instream by linking to __imp__rl_instream (auto-import) collect2: ld returned 1 exit status make[1]: *** [gpg.exe] Error 1 make[1]: Leaving directory `/d/gnupg-1.4.0/g10' make: *** [check-recursive] Error 1 From wk at gnupg.org Tue Dec 28 11:54:32 2004 From: wk at gnupg.org (Werner Koch) Date: Tue Dec 28 12:26:45 2004 Subject: [Announce] GnuPG 1.2.7 released Message-ID: <87wtv2g0bb.fsf@wheatstone.g10code.de> Skipped content of type multipart/signed-------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From dshaw at jabberwocky.com Tue Dec 28 15:02:39 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Dec 28 16:41:43 2004 Subject: Compile GnuPG 1.4 under cygwin? In-Reply-To: References: <20041228033502.GC30683__48628.1448080719$1104205431$gmane$org@jabberwocky.com> Message-ID: <20041228140238.GF30683@jabberwocky.com> On Tue, Dec 28, 2004 at 10:01:11AM +0100, Jeroen Budts wrote: > David Shaw wrote: > >On Tue, Dec 28, 2004 at 12:34:00AM +0100, Jeroen Budts wrote: > > > >>In file included from http.c:46: > >>srv.h:28:26: arpa/nameser.h: No such file or directory > >>srv.h:29:20: resolv.h: No such file or directory > > > >troubles me a little. Can you check if there is a resolv.h in your > >cygwin install? I was under the impression (possibly incorrect) that > >resolv.h existed. > > > I can't find any resolv.h in my cygwin directory.. Do i need to download > any sources of cygwin to get it? No, it's okay to not have it. It is for an optional feature of the HTTP handler (SRV support), and things work fine without it. > I did find a message [1] on the devel-list about the same problem. When > i apply the patch to srv.h make works a bit longer, however after a > while it still gives an error, but now a different one. Try the attached patch. David -------------- next part -------------- Index: passphrase.c =================================================================== RCS file: /cvs/gnupg/gnupg/g10/passphrase.c,v retrieving revision 1.73 retrieving revision 1.74 diff -u -r1.73 -r1.74 --- passphrase.c 17 Dec 2004 18:51:32 -0000 1.73 +++ passphrase.c 20 Dec 2004 05:19:09 -0000 1.74 @@ -30,8 +30,8 @@ #include #include #endif -#if defined (_WIN32) || defined (__CYGWIN32__) -# include +#if defined (_WIN32) +#include #endif #include #ifdef HAVE_LOCALE_H From dshaw at jabberwocky.com Tue Dec 28 16:15:59 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Dec 28 16:42:04 2004 Subject: Global Directory signatures (was Re: GPG wants to check trustdb every day) In-Reply-To: <200412280616.HAA01721@vulcan.xs4all.nl> References: <20041228034513.GD30683@jabberwocky.com> <200412280616.HAA01721@vulcan.xs4all.nl> Message-ID: <20041228151558.GG30683@jabberwocky.com> On Tue, Dec 28, 2004 at 07:16:16AM +0100, Johan Wevers wrote: > David Shaw wrote: > > >Note that if you're using PGP's global directory service, you will > >always have a signature that expires soon since the GD issues 14 day > >signatures. > > That short? Does it replace them every 14 days too? In that case I'll have > to keep my DH key away of it if I don't want it blogged on the other with > lots of useless signatures. From bogus@does.not.exist.com Tue Dec 28 16:41:44 2004 From: bogus@does.not.exist.com () Date: Tue Dec 28 16:42:05 2004 Subject: No subject Message-ID: seems what what happens is that the signature is issued when a key is requested FROM the server, and not when it is added TO the server. The signatures are set to expire after 14 days. If you request a key from the GD from the 10-13th day onward (unclear where the dividing line lies), it makes a new signature. So, if you are relying on the GD signature to make a key valid, or just do a --refresh-keys every now and then, then you'll end up with a whole lot of expired signatures from the GD after a while. I don't know if the 14-day thing is because the GD is still in beta and the PGP folks don't want longer duration signatures out just yet. Still, any way you look at it, expired GD signatures will eventually build up, whether they increase every 2 weeks or every 6 months. There is no security problem with this, of course, but it does mean that after a while, your key will start to get big with all those signatures (and --list-sigs gets really ugly). Eventually, those sigs will make it to the keyserver net and then we're stuck with them forever. I have been toying with various possible things to do about it, and I welcome anyone's thoughts. Things I'm wondering about: * A new switch to not send expired sigs to keyservers and/or a switch to not accept expired sigs from keyservers. This would slow down the growth, but not fix it completely as there is still the 2-week window before the sig expires. This might be a good thing for general keyserver and keyring cleanliness though. * A new option to indicate a key from which signatures were not exported. This is a better fix since GD signatures should always come directly from the GD, and have no need to be sent anywhere. The person who commented that GD sigs should be local was on the right track here, though there are other problems with importing a local signature. Unfortunately, this option could not be set by default (I do not want to hardcode the GD fingerprint into gpg), so if it was not manually set by everyone (and it certainly wouldn't be), then we're back in the same boat. * Have keyservers discard GD signatures? * Ask the PGP folks to do something (what?) * Do nothing? David From henkdebruijn at wanadoo.nl Tue Dec 28 17:15:15 2004 From: henkdebruijn at wanadoo.nl (Henk de Bruijn) Date: Tue Dec 28 17:11:51 2004 Subject: confused Message-ID: <78124328.20041228171515@wanadoo.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I am using 1.4.0 and now I read the release of 1.2.7. With my knowledge of the English language I understand that I just have to keep on using 1.4.0? Thanks! - -- Henk ______________________________________________________________________ The Bat!? Natural Email System v3.0.1.33nl Professional on Windows XP SP2 PGPkey available at http://www.biglumber.com/x/web?qs=0x12069B93DBE6E678 Gossamer Spider Web of Trust GSWoT http://gswot.dyndns.org/ A Progressive and Innovative Web of Trust -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) - GPGrelay v0.955 iD8DBQFB0YacEgabk9vm5ngRAuoqAJ0U8FqeSyBb9wORvQrm5IGxiWm5hACfQhml Fo45QfG696IDxHjHKxyCp20= =xtqn -----END PGP SIGNATURE----- From allen.schultz at gmail.com Tue Dec 28 17:40:08 2004 From: allen.schultz at gmail.com (Allen Schultz) Date: Tue Dec 28 22:12:05 2004 Subject: The disadvantages of online KSP In-Reply-To: References: Message-ID: <3f34f84204122808402a154d23@mail.gmail.com> I make it a standard to include both my nickname and real name to an associated email address of mine. On Sat, 25 Dec 2004 20:44:45 +0100, Ben Branders wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi > > As already discussed in another thread, there will be a keysigning party > for Flanders (Belgium) and the Netherlands. This KSP will take place > online (via IRC) and the participants won't meet eachother in real life. > > Naturally, the biggest disadvantage is that you can't verify that the > person really is who he says he is. You can check if the e-mailadres > belongs to him, but there is no way of knowing if he is an impostor or not. > > But then again, you can never know for sure that someone is an imposter or > not. There are a lot of people who share exactly the same name. Even if > you check their identity in real life, one of them can mislead you... > > There are also people who use nicknames in their key IDs and their email > addresses. You can't check their identity, because AFAIK your nickname > isn't on your driving license or on you passport. > > Or am I missing something here? > And has online KSP other disadvantages? > > Regards > - -- > Ben Branders http://bytewarrior.madoka.be > > .---. E-mail privacy is a right, not a privilege. > / |\________________ Please sign and/or encrypt your mail. > | () | ________ _ _) > \ |/ | | | | Gnu Privacy Guard: http://gnupg.org > `---' "-" |_| Enigmail: http://enigmail.mozdev.org > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.0 (MingW32) > > iD8DBQFBzcMqqLIDOkaTj9sRAtTOAKCUgn52a6Vgyd1PE3bOS0nLAoN6fwCeLuhv > NWmSe2YgngsqZ3r85fLqSsU= > =ccqS > -----END PGP SIGNATURE----- > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From zuxy.meng at gmail.com Tue Dec 28 17:16:52 2004 From: zuxy.meng at gmail.com (Zuxy) Date: Tue Dec 28 22:12:14 2004 Subject: Is there a gpgkeys_mailto for Win32? Message-ID: gpgkeys_mailto is now a perl script and hence not natively supported by Windows. I installed a perl interpreter and managed to activate gpgkeys_mailto simply by typing its name under console, i.e. "gpgkeys_mailto" instead of "perl -w gpgkeys_mailto", but gpg can't recognize this. I hacked into the source and found that the problem is gpg uses CreateProcess API under Win32 instead of a simple system() call. In fact, under Win32, system("gpgkeys_mailto") works while CreateProcess(NULL, "gpgkeys_mailto", ...) fails. So would the team either 1. provide a gpgkeys_mailto.exe for Win32; or 2. find some workaround so that gpgkeys_mailto will work with a perl interpreter and a sendmail installation; or (the most native way) 3. write a .WSH file, and replace "sendmail" with a mailto url therein. Thanks. -- Zuxy Beauty is truth, While truth is beauty. PGP KeyID: E8555ED6 From torduninja at mail.pf Tue Dec 28 19:40:17 2004 From: torduninja at mail.pf (Maxine Brandt) Date: Tue Dec 28 22:12:19 2004 Subject: Compile GnuPG 1.4 under cygwin? Message-ID: <41D1A891.20408@mail.pf> Jeroen Budts wrote: > >Since you're coming from a Windows environment, you should probably > >> consider MinGW/MSys with a few optional pieces from the SourceForge > >> GnuWin32 project. > >> > > Yes maybe that's indeed better. I already had a look on the document > that explains building GnuPG using MingW [1] but since i already have > cygwin on my system and MingW seems to try to do about the same as > cygwin but in a different way, it seemed a bit like installing the same > software twice to me... (but maybe that's a wrong interpretation) > > In the how-to they say to modify two files: the configure-script and > seat.test. Looking at the configure script in gnupg 1.4 these changes or > not necessary anymore (the how-to is for 1.3.92), since a precompiler if > statement was added. However seat.test is still the same so does it > needs the change from the how-to? Yes, you should modify the seat.test file, though this only affects whether or not the seat test is passed in "make check". More importantly you will have to fix the bug that prompted the quick release of 1.4.0a for Windows. John Clizbe posted the fix on Dec. 16: ==================== diff -u -r1.71 iobuf.c - --- util/iobuf.c 6 Dec 2004 10:32:20 -0000 1.71 +++ util/iobuf.c 16 Dec 2004 19:30:27 -0000 @@ -146,7 +146,7 @@ || (*a == '\' && *b == '/')) ) break; } - - return *(const unsigned *)a - *(const unsigned *)b; + return *(const unsigned char *)a - *(const unsigned char *)b; #else return strcmp (a, b); #endif ===================== With those two changes it compiled for me apparently without error, though I found a minor problem with the gpgkeys_ldap binary; --send-keys doesn't recognise a keyserver option in gpg.conf and the keyserver must be specified in the command. Salut Maxine From ekot at narod.ru Tue Dec 28 22:51:52 2004 From: ekot at narod.ru (Eugene Kotlyarov) Date: Tue Dec 28 22:48:49 2004 Subject: Compile GnuPG 1.4 under cygwin? In-Reply-To: <20041228041759.GE30683@jabberwocky.com> References: <20041228033502.GC30683@jabberwocky.com> <41D0DBD8.4070509@comcast.net> <20041228041759.GE30683@jabberwocky.com> Message-ID: <41D1D578.3080903@narod.ru> David Shaw wrote: >>>troubles me a little. Can you check if there is a resolv.h in your >>>cygwin install? I was under the impression (possibly incorrect) that >>>resolv.h existed. >> >>Both resolv.h and arpa/nameser.h exist in my Cygwin install. > > Hmm. Are you able to build 1.4.0 with it? How new is your Cygwin > installation? These files just are not in base cygwin package where most of the include files are. With them and with the patch to passphrase.c it builds fine. PS. for those who are interested they are in minires-devel package From atom at suspicious.org Wed Dec 29 04:16:24 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Wed Dec 29 04:10:37 2004 Subject: Global Directory signatures (was Re: GPG wants to check trustdb every day) In-Reply-To: <20041228151558.GG30683@jabberwocky.com> References: <20041228034513.GD30683@jabberwocky.com> <200412280616.HAA01721@vulcan.xs4all.nl> <20041228151558.GG30683@jabberwocky.com> Message-ID: <20041229031406.53906.qmail@suspicious.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Tue, 28 Dec 2004, David Shaw wrote: > I have been toying with various possible things to do about it, and I > welcome anyone's thoughts. > > Things I'm wondering about: > > * Have keyservers discard GD signatures? =============== all GD sigs or expired GD sigs? > * Ask the PGP folks to do something (what?) =============== if you're in contact with them, at least ask what the hell they're thinking... this is a horrible pollution of the key-servers and WoT. > * Do nothing? ================ *something* will have to be done.... another possibility might be an option to purge expired sigs from a local keyring. - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- George Bernard Shaw -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJB0iGNAAoJEAx/d+cTpVciOIEH/2Bu2UQi11AdV5Vm7QdVOGzu CgBmWbEXeyu84htv3QX6GFJj7XjzqlhYhhiUeBT3dkv5NLXQ7zSiAn0OAtPcoku2 JYB8kA1rQeNE9+dVaILwcxr8ImyUMSd+A+nc+cfK8sGt7nelDNXEE37kU94XDPlD DNJySGMfw/KmvaY1+wpRRxub4mR/2a5Q/tuwbLF9wCzUqv8Gik0juS1uCiaSpUgN g0OciOkvdR/FOQq5Tt3iVomtle6lIwihou7Xt+WgtIl+WObbt55xPIGmRX0xC64S XepnqTmZdqkAqoDP8CN6GAsqs1RLJg2FNBLPR3nN3cPIEhEmqLkC77WlKSYo8gs= =mJu5 -----END PGP SIGNATURE----- From JPClizbe at comcast.net Wed Dec 29 04:55:55 2004 From: JPClizbe at comcast.net (John Clizbe) Date: Wed Dec 29 04:53:02 2004 Subject: Compile GnuPG 1.4 under cygwin? In-Reply-To: <41D1A891.20408@mail.pf> References: <41D1A891.20408@mail.pf> Message-ID: <41D22ACA.1010601@comcast.net> Maxine Brandt wrote: > Yes, you should modify the seat.test file, though this only affects > whether or not the seat test is passed in "make check". More importantly > you will have to fix the bug that prompted the quick release of 1.4.0a > for Windows. > > John Clizbe posted the fix on Dec. 16: > ==================== > diff -u -r1.71 iobuf.c > - --- util/iobuf.c 6 Dec 2004 10:32:20 -0000 1.71 > +++ util/iobuf.c 16 Dec 2004 19:30:27 -0000 > @@ -146,7 +146,7 @@ > || (*a == '\' && *b == '/')) ) > break; > } > - - return *(const unsigned *)a - *(const unsigned *)b; > + return *(const unsigned char *)a - *(const unsigned char *)b; > #else > return strcmp (a, b); > #endif > ===================== > > With those two changes it compiled for me apparently without error, > though I found a minor problem with the gpgkeys_ldap binary; --send-keys > doesn't recognise a keyserver option in gpg.conf and the keyserver must > be specified in the command. Sorry Maxine. That was Werner's fix not mine. I think it was quoted in a later message of mine. -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 378 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20041228/d0349048/signature.bin From dshaw at jabberwocky.com Wed Dec 29 05:02:44 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Dec 29 04:59:39 2004 Subject: Global Directory signatures (was Re: GPG wants to check trustdb every day) In-Reply-To: <20041229031406.53906.qmail@suspicious.org> References: <20041228034513.GD30683@jabberwocky.com> <200412280616.HAA01721@vulcan.xs4all.nl> <20041228151558.GG30683@jabberwocky.com> <20041229031406.53906.qmail@suspicious.org> Message-ID: <20041229040243.GD30683@jabberwocky.com> On Tue, Dec 28, 2004 at 10:16:24PM -0500, Atom 'Smasher' wrote: > On Tue, 28 Dec 2004, David Shaw wrote: > > > I have been toying with various possible things to do about it, and I > > welcome anyone's thoughts. > > > > Things I'm wondering about: > > > > * Have keyservers discard GD signatures? > =============== > > all GD sigs or expired GD sigs? No real preference. All? The GD sigs aren't really relevant outside of the GD system. > > * Ask the PGP folks to do something (what?) > =============== > > if you're in contact with them, at least ask what the hell they're > thinking... this is a horrible pollution of the key-servers and WoT. I strongly disagree. The GD is just a key signer. The GD does not send its signatures to keyservers. The GD doesn't even issue the signature until someone asks it to. If what the GD does could have an actual impact on the keyservers and web of trust, then the keyservers and web of trust were already hopelessly broken. They weren't broken before, and the GD doesn't break them any more than any prolific signer would (that is, not at all). There is only one thing that the GD actually breaks, and that's the various "what's the path from key XXXXX to key YYYYY" servers like wotsap. Those servers will eventually need to leave the GD key out to avoid the short circuit that the GD signature provides. My concern is mainly about the aesthetics here. It's unattractive (and over time large) to have that many expired sigs on your key. > another possibility might be an option to purge expired sigs from a local > keyring. This is essentially the same as not exporting expired sigs to keyservers. It doesn't work well for the reasons I mentioned in the last email, though it might work well enough to slow the problem down. David From atom at suspicious.org Wed Dec 29 05:16:27 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Wed Dec 29 05:10:39 2004 Subject: Global Directory signatures (was Re: GPG wants to check trustdb every day) In-Reply-To: <20041229040243.GD30683@jabberwocky.com> References: <20041228034513.GD30683@jabberwocky.com> <200412280616.HAA01721@vulcan.xs4all.nl> <20041228151558.GG30683@jabberwocky.com> <20041229031406.53906.qmail@suspicious.org> <20041229040243.GD30683@jabberwocky.com> Message-ID: <20041229041420.81638.qmail@suspicious.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Tue, 28 Dec 2004, David Shaw wrote: > If what the GD does could have an actual impact on the keyservers and > web of trust, then the keyservers and web of trust were already > hopelessly broken. ============= how many key-servers support the no-modify flag? it's part of the standard and it could keep these auto-pilot sigs (and other unwanted sigs) from polluting the system, but it's not supported. to that extent, the key servers *are* hopelessly broken. biglumber is the closest i've seen to being a good implementation, in this regard. > My concern is mainly about the aesthetics here. It's unattractive (and > over time large) to have that many expired sigs on your key. =============== not to downplay the matter of aesthetics, but it also becomes a usability issue if the UI is cluttered with unwanted information. - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "A criminal is a person with predatory instincts without sufficient capital to form a corporation." -- Howard Scott -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJB0i+hAAoJEAx/d+cTpVcimhQH/AhT4d3mkIPc7YzttrDjHwg2 cS3NEoD6gIpMPahHQkTcHiuyUGua3P0qfcZLAYI4dQPijYLQq47tbYhNSWhBSmNb x6Kgjv9YOZO6us2KRCWtOjL6D+/D3vJCC6iQRu9hV/KBMwEZr7f9F2zUKoA2qsnt Zx/emuPiJIYp10XGuzbYOa2+4PV7tmInU8hnlzmmaGJq6WvUGZ0/PHxrdScXkI6D 9v4o+v4fFsZv0ZD3322zkLyIfGSIBzFQZ9/gOjYOXpIqykErqdV2mCdvm8qB12LV /noureS2XdC5n/kHGN0L1s7AanTE7n9vX8EgOT+K1wK+E/YF38H0dxHBkFhz42Q= =ItTd -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Wed Dec 29 05:14:52 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Dec 29 05:11:48 2004 Subject: Is there a gpgkeys_mailto for Win32? In-Reply-To: References: Message-ID: <20041229041452.GE30683@jabberwocky.com> On Wed, Dec 29, 2004 at 12:16:52AM +0800, Zuxy wrote: > gpgkeys_mailto is now a perl script and hence not natively supported > by Windows. I installed a perl interpreter and managed to activate > gpgkeys_mailto simply by typing its name under console, i.e. > "gpgkeys_mailto" instead of "perl -w gpgkeys_mailto", but gpg can't > recognize this. > > I hacked into the source and found that the problem is gpg uses > CreateProcess API under Win32 instead of a simple system() call. In > fact, under Win32, system("gpgkeys_mailto") works while > CreateProcess(NULL, "gpgkeys_mailto", ...) fails. This is intentional. Unlike the unix-ish system(), win32 system() returns immediately to the calling process and does not wait for the spawned process to exit. This does not work for GnuPG since we need to know when the child process exited and what its return code was. Hence the CreateProcess call. > So would the team either > 1. provide a gpgkeys_mailto.exe for Win32; I'm not against it, but not that interested in writing it myself ;) The mailto keyserver helper has always been a bit of a lower priority. I was surprised to see your mail, actually. I didn't think anyone was using it. > 2. find some workaround so that gpgkeys_mailto will work with a perl > interpreter and a sendmail installation; Anyone have any ideas on this one? Is there some win32 shell magic that can be used to associate gpgkeys_mailto with a perl interpreter? > or (the most native way) > 3. write a .WSH file, and replace "sendmail" with a mailto url therein. I'd like more information about this. Can you give me a pointer? David From dshaw at jabberwocky.com Wed Dec 29 05:44:21 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Dec 29 05:41:35 2004 Subject: Global Directory signatures (was Re: GPG wants to check trustdb every day) In-Reply-To: <20041229041420.81638.qmail@suspicious.org> References: <20041228034513.GD30683@jabberwocky.com> <200412280616.HAA01721@vulcan.xs4all.nl> <20041228151558.GG30683@jabberwocky.com> <20041229031406.53906.qmail@suspicious.org> <20041229040243.GD30683@jabberwocky.com> <20041229041420.81638.qmail@suspicious.org> Message-ID: <20041229044421.GF30683@jabberwocky.com> On Tue, Dec 28, 2004 at 11:16:27PM -0500, Atom 'Smasher' wrote: > On Tue, 28 Dec 2004, David Shaw wrote: > > > If what the GD does could have an actual impact on the keyservers and > > web of trust, then the keyservers and web of trust were already > > hopelessly broken. > ============= > > how many key-servers support the no-modify flag? it's part of the standard > and it could keep these auto-pilot sigs (and other unwanted sigs) from > polluting the system, but it's not supported. to that extent, the key > servers *are* hopelessly broken. biglumber is the closest i've seen to > being a good implementation, in this regard. I certainly won't argue that many aspects of the keyserver design are broken. The problem is, some of the brokenness is also a design requirement for some people. "Broken" is really a question of "broken for whom" ;) Someone told me once that the old NAI "LDAP keyserver" supported no-modify, but even if it is supported, neither of the two servers running this software has it turned on. The GD doesn't support no-modify either. > > My concern is mainly about the aesthetics here. It's unattractive (and > > over time large) to have that many expired sigs on your key. > =============== > > not to downplay the matter of aesthetics, but it also becomes a usability > issue if the UI is cluttered with unwanted information. True. However if the concern is strictly the UI then a "don't show unusable sigs" flag would handle that. There is already a "don't show unusable user IDs" and "don't show unusable subkeys", so adding one for sigs is no big deal. David From JPClizbe at comcast.net Wed Dec 29 05:59:32 2004 From: JPClizbe at comcast.net (John Clizbe) Date: Wed Dec 29 05:56:27 2004 Subject: Is there a gpgkeys_mailto for Win32? In-Reply-To: <20041229041452.GE30683@jabberwocky.com> References: <20041229041452.GE30683@jabberwocky.com> Message-ID: <41D239B4.30001@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Shaw wrote: > On Wed, Dec 29, 2004 at 12:16:52AM +0800, Zuxy wrote: >> So would the team either >> 1. provide a gpgkeys_mailto.exe for Win32; > > I'm not against it, but not that interested in writing it myself ;) > > The mailto keyserver helper has always been a bit of a lower > priority. I was surprised to see your mail, actually. I didn't think > anyone was using it. Robert Golovniov was asking about it over the summer. But getting it to work in Windows has always had two headaches: 1) reliance on Sendmail; 2) no Win32 equivalent to #!/perl. 1) Microsoft's Services for Unix ships with a Sendmail - haven't even checked it out, just know that it's there. 2) Wouldn't need to be a .exe. A .pl extension would normally call Perl to handle the file. But then the calling code in gpg would need to be hacked to handle a non-standard call. 8-{( >> 2. find some workaround so that gpgkeys_mailto will work with a perl >> interpreter and a sendmail installation; > > Anyone have any ideas on this one? Is there some win32 shell magic > that can be used to associate gpgkeys_mailto with a perl interpreter? Just thinking about this earlier in the week. Maybe rewrite entirely in Perl with modules and then wrap it up in something like perl2exe, but I'm not sure about the OSS availability of perl2exe. >> or (the most native way) >> 3. write a .WSH file, and replace "sendmail" with a mailto url therein. > > I'd like more information about this. Can you give me a pointer? I'd like to see more on that also. - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0a (Windows 2000 SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFB0jmzHQSsSmCNKhARAq54AJ9EYN6LZBWaoRKdnjvME0Sw1j1MkgCfZ6hh PUEHBvGc6h3m6I/FJEgraoo= =p3Of -----END PGP SIGNATURE----- From zuxy.meng at gmail.com Wed Dec 29 06:06:52 2004 From: zuxy.meng at gmail.com (Zuxy) Date: Wed Dec 29 06:03:45 2004 Subject: Is there a gpgkeys_mailto for Win32? In-Reply-To: <20041229041452.GE30683@jabberwocky.com> References: <20041229041452.GE30683@jabberwocky.com> Message-ID: Thanks for your reply. On Tue, 28 Dec 2004 23:14:52 -0500, David Shaw wrote: > This is intentional. Unlike the unix-ish system(), win32 system() > returns immediately to the calling process and does not wait for the > spawned process to exit. This does not work for GnuPG since we need > to know when the child process exited and what its return code was. > Hence the CreateProcess call. CreateProcess is stupid. It must know the module (perl.exe) name and the exact path to gpgkeys_mailto. Does windows' system() really return immediately? I searched MSDN and found nothing about it. I wrote a short piece of code and it seems taht system() returns the error code after the child process finishes, too. > I'm not against it, but not that interested in writing it myself ;) > > The mailto keyserver helper has always been a bit of a lower > priority. I was surprised to see your mail, actually. I didn't think > anyone was using it. > > Anyone have any ideas on this one? Is there some win32 shell magic > that can be used to associate gpgkeys_mailto with a perl interpreter? If system() works, register the .PL suffix (usually done during the perl installation), add .PL to $PATHEXT, rename gpgkeys_mailto to gpgkeys_mailto.pl, then system("gpgkeys_mailto") will work. If system() doesn't work, we have to write something like CreateProcess(NULL, "perl -w \\GPG\\gpgkeys_mailto") if perl is in $PATH. > > or (the most native way) > > 3. write a .WSH file, and replace "sendmail" with a mailto url therein. > > I'd like more information about this. Can you give me a pointer? > > David .WSH (Windows Script Host) is supported natively by Win32. Its syntax can be Java-like or VB-like. Detailed infomation can be found on MSDN (under Web Developement->Scripting->Microsoft Script Technologies). A mailto url is something like "mailto:someone@somewhere.net?Subject=ADD&Body=-----BEGIN PGP PUBLIC KEY BLOCK-----%0A%0DVersion:...." -- Zuxy Beauty is truth, While truth is beauty. PGP KeyID: E8555ED6 From dshaw at jabberwocky.com Wed Dec 29 06:14:47 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Dec 29 06:12:04 2004 Subject: Is there a gpgkeys_mailto for Win32? In-Reply-To: <41D239B4.30001@comcast.net> References: <20041229041452.GE30683@jabberwocky.com> <41D239B4.30001@comcast.net> Message-ID: <20041229051447.GG30683@jabberwocky.com> On Tue, Dec 28, 2004 at 10:59:32PM -0600, John Clizbe wrote: > David Shaw wrote: > > On Wed, Dec 29, 2004 at 12:16:52AM +0800, Zuxy wrote: > >> So would the team either > >> 1. provide a gpgkeys_mailto.exe for Win32; > > > > I'm not against it, but not that interested in writing it myself ;) > > > > The mailto keyserver helper has always been a bit of a lower > > priority. I was surprised to see your mail, actually. I didn't think > > anyone was using it. > > Robert Golovniov was asking about it over the summer. But getting it to > work in Windows has always had two headaches: 1) reliance on Sendmail; > 2) no Win32 equivalent to #!/perl. > > 1) Microsoft's Services for Unix ships with a Sendmail - haven't even > checked it out, just know that it's there. > > 2) Wouldn't need to be a .exe. A .pl extension would normally call Perl to > handle the file. But then the calling code in gpg would need to be hacked > to handle a non-standard call. 8-{( We don't actually need perl or sendmail - just the ability to send mail somehow. I did it with perl and sendmail on unix because it was easy, not because it was portable :) I wonder if it would solve all the problems to provide an actual gpgkeys_mailto.exe on win32 that used ShellExecute() to "open" a mailto: URL. The user would get a pre-filled in mail window from whatever program they use for email, and just have to hit send. David From torduninja at mail.pf Wed Dec 29 06:17:28 2004 From: torduninja at mail.pf (Maxine Brandt) Date: Wed Dec 29 06:14:00 2004 Subject: Compile GnuPG 1.4 under cygwin? Message-ID: <41D23DE8.5060803@mail.pf> John Clizbe wrote: > Sorry Maxine. That was Werner's fix not mine. I think it was quoted in a > later message of mine. Thanks for the clarification. Your message was the only one I saw on this list detailing the bug fix. Salut Maxine From dshaw at jabberwocky.com Wed Dec 29 06:28:16 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Dec 29 06:25:14 2004 Subject: Is there a gpgkeys_mailto for Win32? In-Reply-To: References: <20041229041452.GE30683@jabberwocky.com> Message-ID: <20041229052816.GH30683@jabberwocky.com> On Wed, Dec 29, 2004 at 01:06:52PM +0800, Zuxy wrote: > Thanks for your reply. > > On Tue, 28 Dec 2004 23:14:52 -0500, David Shaw wrote: > > This is intentional. Unlike the unix-ish system(), win32 system() > > returns immediately to the calling process and does not wait for the > > spawned process to exit. This does not work for GnuPG since we need > > to know when the child process exited and what its return code was. > > Hence the CreateProcess call. > > CreateProcess is stupid. It must know the module (perl.exe) name and > the exact path to gpgkeys_mailto. > > Does windows' system() really return immediately? I searched MSDN and > found nothing about it. I wrote a short piece of code and it seems > taht system() returns the error code after the child process finishes, > too. When I was writing the original keyserver exec code, back in the 1.0.7 timeframe, system() was certainly returning immediately. It could very well have been command or cmd.exe returning immediately after launching the command line, but either way, the practical result was that system() returned control to gpg before the child process ended. David From jharris at widomaker.com Wed Dec 29 06:47:22 2004 From: jharris at widomaker.com (Jason Harris) Date: Wed Dec 29 06:43:48 2004 Subject: Global Directory signatures (was Re: GPG wants to check trustdb every day) In-Reply-To: <20041229044421.GF30683@jabberwocky.com> References: <20041228034513.GD30683@jabberwocky.com> <200412280616.HAA01721@vulcan.xs4all.nl> <20041228151558.GG30683@jabberwocky.com> <20041229031406.53906.qmail@suspicious.org> <20041229040243.GD30683@jabberwocky.com> <20041229041420.81638.qmail@suspicious.org> <20041229044421.GF30683@jabberwocky.com> Message-ID: <20041229054722.GC684@wilma.widomaker.com> On Tue, Dec 28, 2004 at 11:44:21PM -0500, David Shaw wrote: > The GD doesn't support no-modify either. It is enforcing something. It won't take any new signatures on its own key, 0xCA57AD7C, and the only signatures it has on your key, 0x99242560, all seem to be from other keys it has stored. Also, it doesn't necessarily wait until its last signature expires before issuing a new one: [pull key from GD] %gpg --check-sigs 99242560 ... sig! CA57AD7C 2004-12-29 PGP Global Directory Verification Key sig! CA57AD7C 2004-12-29 PGP Global Directory Verification Key ... [delete key, pull it from kjsl] %gpg --check-sigs 99242560 ... sig! CA57AD7C 2004-12-29 PGP Global Directory Verification Key sig! CA57AD7C 2004-12-29 PGP Global Directory Verification Key sig! CA57AD7C 2004-12-21 PGP Global Directory Verification Key sig! X CA57AD7C 2004-12-08 PGP Global Directory Verification Key ... -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20041229/eda6ebc0/attachment.bin From rabbi at abditum.com Wed Dec 29 06:59:31 2004 From: rabbi at abditum.com (Len Sassaman) Date: Wed Dec 29 06:55:50 2004 Subject: Global Directory signatures (was Re: GPG wants to check trustdb every day) In-Reply-To: <20041229031406.53906.qmail@suspicious.org> References: <20041228034513.GD30683@jabberwocky.com> <200412280616.HAA01721@vulcan.xs4all.nl> <20041228151558.GG30683@jabberwocky.com> <20041229031406.53906.qmail@suspicious.org> Message-ID: On Tue, 28 Dec 2004, Atom 'Smasher' wrote: > > * Ask the PGP folks to do something (what?) > =============== > > if you're in contact with them, at least ask what the hell they're > thinking... this is a horrible pollution of the key-servers and WoT. How is this a pollution of the "web of trust"? From fox3ec208 at wideopenwest.com Wed Dec 29 13:13:03 2004 From: fox3ec208 at wideopenwest.com (Terry Polzin) Date: Wed Dec 29 13:24:03 2004 Subject: ElGamal sub key expired Message-ID: <200412290713.09857.fox3ec208@wideopenwest.com> How do I extend the expiration date on this sub key. All attempts I've made so far effect the primary key. THANKS, Terry -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20041229/e8a72a7e/attachment.bin From dshaw at jabberwocky.com Wed Dec 29 14:23:17 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Dec 29 14:20:12 2004 Subject: Global Directory signatures (was Re: GPG wants to check trustdb every day) In-Reply-To: <20041229054722.GC684@wilma.widomaker.com> References: <20041228034513.GD30683@jabberwocky.com> <200412280616.HAA01721@vulcan.xs4all.nl> <20041228151558.GG30683@jabberwocky.com> <20041229031406.53906.qmail@suspicious.org> <20041229040243.GD30683@jabberwocky.com> <20041229041420.81638.qmail@suspicious.org> <20041229044421.GF30683@jabberwocky.com> <20041229054722.GC684@wilma.widomaker.com> Message-ID: <20041229132316.GI30683@jabberwocky.com> On Wed, Dec 29, 2004 at 12:47:22AM -0500, Jason Harris wrote: > On Tue, Dec 28, 2004 at 11:44:21PM -0500, David Shaw wrote: > > > The GD doesn't support no-modify either. > > It is enforcing something. It won't take any new signatures on its own > key, 0xCA57AD7C, and the only signatures it has on your key, 0x99242560, > all seem to be from other keys it has stored. Yes. As I understand it, the GD has a weak form of no-modify since it does not allow new user IDs or subkeys without approval, but does allow new signatures without approval. The new signatures must come from a key that is already on the GD. It's not a bad way to go, considering the GD is aimed at "regular people" rather than crypto enthusiasts. One less special key option for people to understand. I'd prefer no-modify, but I'm not the target audience. Security-wise, it's safe. One of my concerns when I first heard about the GD was that the approval process would allow a key owner to prevent a signature revocation or designated key revocation from a third party from reaching his key. Since third party signatures are allowed in without key owner approval, this cannot happen. > Also, it doesn't necessarily wait until its last signature expires before > issuing a new one: Yes, I mentioned this in my first mail. There seems to be an overlap between the old and new signatures. The signature lasts for 14 days, but the new signature is issued sooner. I've seen overlaps as short as 8 days. David From dshaw at jabberwocky.com Wed Dec 29 14:32:59 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Dec 29 14:29:58 2004 Subject: ElGamal sub key expired In-Reply-To: <200412290713.09857.fox3ec208@wideopenwest.com> References: <200412290713.09857.fox3ec208@wideopenwest.com> Message-ID: <20041229133259.GA11687@jabberwocky.com> On Wed, Dec 29, 2004 at 07:13:03AM -0500, Terry Polzin wrote: > How do I extend the expiration date on this sub key. All attempts I've made > so far effect the primary key. In the --edit-key menu, type "key n" where n is the subkey number. An asterisk will appear next to the subkey to show you which key you chose. Then enter "expire". David From johanw at vulcan.xs4all.nl Wed Dec 29 15:48:48 2004 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Wed Dec 29 15:50:50 2004 Subject: Global Directory signatures (was Re: GPG wants to check trustdb every day) In-Reply-To: <20041228151558.GG30683@jabberwocky.com> from David Shaw at "Dec 28, 2004 10:15:59 am" Message-ID: <200412291448.PAA02829@vulcan.xs4all.nl> David Shaw wrote: >* A new switch to not send expired sigs to keyservers and/or a switch > to not accept expired sigs from keyservers. This would slow down > the growth, but not fix it completely as there is still the 2-week > window before the sig expires. This might be a good thing for > general keyserver and keyring cleanliness though. Yes. However, it still doesn't prevent the keyservers from being loaded with a lot of useless signatures. I don't know how this would affect the load of the keyservers. To solve this the keyserver software has to be modified, for example to delete expired sigs, or at least not to send them out. But it will keep the gpg keyrings clean. >* Have keyservers discard GD signatures? Or at least have them remove all GD sigs except the last issued. >* Ask the PGP folks to do something (what?) Increase the expiry date of their signature to someting more usefull, like a year. >* Do nothing? That would blog my keyring if there are some keys on it that are placed on the GD. However, what about an GnuPG option like --clean-keyring that deletes all expired sigs, or perhaps deletes all (expired or not?) sigs from a given key, from your pubring? If the blogging occurs, you could at least clean up your keyring without manually deleting all those signatures. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From johanw at vulcan.xs4all.nl Wed Dec 29 15:51:11 2004 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Wed Dec 29 15:51:06 2004 Subject: Global Directory signatures (was Re: GPG wants to check trustdb every day) In-Reply-To: <20041229040243.GD30683@jabberwocky.com> from David Shaw at "Dec 28, 2004 11:02:44 pm" Message-ID: <200412291451.PAA02849@vulcan.xs4all.nl> David Shaw wrote: >> another possibility might be an option to purge expired sigs from a local >> keyring. >This is essentially the same as not exporting expired sigs to >keyservers. It doesn't work well for the reasons I mentioned in the >last email, though it might work well enough to slow the problem down. But it would at least keep your local keyring clean. You'd need to reissue the command after each key update though. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From dshaw at jabberwocky.com Wed Dec 29 16:34:01 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Dec 29 19:15:59 2004 Subject: Global Directory signatures (was Re: GPG wants to check trustdb every day) In-Reply-To: <200412291448.PAA02829@vulcan.xs4all.nl> References: <20041228151558.GG30683@jabberwocky.com> <200412291448.PAA02829@vulcan.xs4all.nl> Message-ID: <20041229153400.GJ30683@jabberwocky.com> On Wed, Dec 29, 2004 at 03:48:48PM +0100, Johan Wevers wrote: > David Shaw wrote: > > >* A new switch to not send expired sigs to keyservers and/or a switch > > to not accept expired sigs from keyservers. This would slow down > > the growth, but not fix it completely as there is still the 2-week > > window before the sig expires. This might be a good thing for > > general keyserver and keyring cleanliness though. > > Yes. However, it still doesn't prevent the keyservers from being > loaded with a lot of useless signatures. I don't know how this would > affect the load of the keyservers. It lowers the rate of growth (and thus the keyserver load) since gpg would not send out expired sigs to keyservers. The GD itself doesn't export keys, so if we can prevent users from doing it accidentally, then the useless sigs never get onto the keyserver net. > >* Have keyservers discard GD signatures? > > Or at least have them remove all GD sigs except the last issued. That's up to the keyserver authors. I'm not against it, but they might be as it involves special-casing certain keys. > >* Ask the PGP folks to do something (what?) > > Increase the expiry date of their signature to someting more usefull, > like a year. I'm still holding out hope that the current 14 day expiry is because the keyserver is still in beta. The GD is supposed to revalidate keys every 6 months, so a 6 month expiry seems obvious to me. > However, what about an GnuPG option like --clean-keyring that > deletes all expired sigs, or perhaps deletes all (expired or not?) > sigs from a given key, from your pubring? If the blogging occurs, > you could at least clean up your keyring without manually deleting > all those signatures. I wonder if it is better to "clean" the keyring by simply not showing or preventing the import of sigs that are not useful rather than by deleting them after they are already imported. Flags for "don't show/expire/import expired sigs" you can set once in gpg.conf and you're done. Deleting expired sigs you have to do every single time you do a --refresh-keys. David From johanw at vulcan.xs4all.nl Wed Dec 29 15:58:21 2004 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Wed Dec 29 19:47:20 2004 Subject: Is there a gpgkeys_mailto for Win32? In-Reply-To: from Zuxy at "Dec 29, 2004 01:06:52 pm" Message-ID: <200412291458.PAA03189@vulcan.xs4all.nl> Zuxy wrote: >.WSH (Windows Script Host) is supported natively by Win32. Not all flavours of win32 as far as I know. I doubt win98 supports it, and I thought on win2000 you had to download and install it manually. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From alperatici at ttnet.net.tr Wed Dec 29 19:41:03 2004 From: alperatici at ttnet.net.tr (A. Alper Atici) Date: Wed Dec 29 19:56:56 2004 Subject: 1.4.0: gpgkeys_hkp: cygwin1.dll, cygminires.dll not found Message-ID: Hello, Using --send-keys/--recv-keys commands with a Cygwin build of gnupg-1.4.0 does not succeed due to missing dll's. It seems the executables in /usr/sbin/gnupg do not honor the Cygwin PATH (unless I've screwed sth up). Copying the said dll's into /usr/sbin/gnupg solves this issue, but I don't want multiple copies of libraries floating around, nor want to add Cygwin bin dir to Windows PATH. Can anyone repeat/confirm this issue? -- A. Alper Atici OpenPGP KeyID: 0xB824F550 From dshaw at jabberwocky.com Wed Dec 29 20:17:39 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Dec 29 20:14:37 2004 Subject: Is there a gpgkeys_mailto for Win32? In-Reply-To: <200412291458.PAA03189@vulcan.xs4all.nl> References: <200412291458.PAA03189@vulcan.xs4all.nl> Message-ID: <20041229191739.GK30683@jabberwocky.com> On Wed, Dec 29, 2004 at 03:58:21PM +0100, Johan Wevers wrote: > Zuxy wrote: > > >.WSH (Windows Script Host) is supported natively by Win32. > > Not all flavours of win32 as far as I know. I doubt win98 supports it, > and I thought on win2000 you had to download and install it manually. Do you happen to know if using ShellExecute() to open a mailto: URL is widely supported? Writing a new gpgkeys_mailto seems like a pain, but it would allow me to cross a different item off my todo list: removing the various perl dependencies which makes packaging GnuPG difficult. David From johanw at vulcan.xs4all.nl Wed Dec 29 19:54:30 2004 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Wed Dec 29 20:57:40 2004 Subject: Global Directory signatures (was Re: GPG wants to check trustdb every day) In-Reply-To: <20041229153400.GJ30683@jabberwocky.com> from David Shaw at "Dec 29, 2004 10:34:01 am" Message-ID: <200412291854.TAA00416@vulcan.xs4all.nl> David Shaw wrote: >> Yes. However, it still doesn't prevent the keyservers from being >> loaded with a lot of useless signatures. I don't know how this would >> affect the load of the keyservers. >It lowers the rate of growth (and thus the keyserver load) since gpg >would not send out expired sigs to keyservers. GPG would not, put pgp probably will, so the blogging will still occur. If the keyservers won't sct against that, gpg will have to. >I wonder if it is better to "clean" the keyring by simply not showing >or preventing the import of sigs that are not useful rather than by >deleting them after they are already imported. In that case the keyring does remain big. If I get a keyring with each key hundreds of expired sigs, I'm affraid gpg might get slow and diskusage for the keyrings will increase (also a problem for "gpg on a floppy" solotions). A bit like the situation now with a key like PRZ's, 0xFAEBD5FC has 1528 sigs on my machine and is 135kb when exported unarmoured. >Deleting expired sigs you have to do every single time >you do a --refresh-keys. I'm not saying the don't show options don't have their use, but if I want my keyring clean I might choose to do a keyring cleanup every now and then. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From atom at suspicious.org Wed Dec 29 21:03:50 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Wed Dec 29 20:58:00 2004 Subject: Global Directory signatures (was Re: GPG wants to check trustdb every day) In-Reply-To: References: <20041228034513.GD30683@jabberwocky.com> <200412280616.HAA01721@vulcan.xs4all.nl> <20041228151558.GG30683@jabberwocky.com> <20041229031406.53906.qmail@suspicious.org> Message-ID: <20041229200139.9687.qmail@suspicious.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Tue, 28 Dec 2004, Len Sassaman wrote: > On Tue, 28 Dec 2004, Atom 'Smasher' wrote: > >>> * Ask the PGP folks to do something (what?) >> =============== >> >> if you're in contact with them, at least ask what the hell they're >> thinking... this is a horrible pollution of the key-servers and WoT. > > How is this a pollution of the "web of trust"? ============= every signature on a key becomes part of the WoT... if (when?) automated, expired or otherwise useless signatures start taking up a noticeable percentage of the signatures collected on keys, it's noise. it's pollution just as much as generating bogus keys and using them to sign real keys. - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "If you take out the killings, Washington actually has a very very low crime rate." -- M. Barry, Mayor of Washington, DC -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJB0w2sAAoJEAx/d+cTpVciquUH/3uQIka9h3z+6tCNeZIE1kZQ UqfuQgh2OszmeuhXk8NKpeJS2nEEaIfvKoRHq/0Kl1ufknZ9AGBCglWZgbuOVb0O zIlluREAPxVQzDXpY8hLRKeexm6koBc2vDujTyIfj17xJfVnUSjNz4yWSoWVb/OG IN7ZmY8GkGwx1h5S6N4MuB+QSsJi0056IFlyWQOwZfZ+KfEtITBX8r++EUOHWIe8 ao1j2iE3wPaPqN1rO0nECh4Hbos/16EKwgiz5L39vzTv1nKbT10OokOHUT9OFKdc c7YmeNzIy6lRKBFmZp1/9hlzbpK8r9sMOx9x7+15HP1D5oicURVbZMFuYiKu578= =arsB -----END PGP SIGNATURE----- From jharris at widomaker.com Wed Dec 29 21:18:51 2004 From: jharris at widomaker.com (Jason Harris) Date: Wed Dec 29 21:26:52 2004 Subject: Global Directory signatures (was Re: GPG wants to check trustdb every day) In-Reply-To: <20041229132316.GI30683@jabberwocky.com> References: <20041228034513.GD30683@jabberwocky.com> <200412280616.HAA01721@vulcan.xs4all.nl> <20041228151558.GG30683@jabberwocky.com> <20041229031406.53906.qmail@suspicious.org> <20041229040243.GD30683@jabberwocky.com> <20041229041420.81638.qmail@suspicious.org> <20041229044421.GF30683@jabberwocky.com> <20041229054722.GC684@wilma.widomaker.com> <20041229132316.GI30683@jabberwocky.com> Message-ID: <20041229201851.GD684@wilma.widomaker.com> On Wed, Dec 29, 2004 at 08:23:17AM -0500, David Shaw wrote: > On Wed, Dec 29, 2004 at 12:47:22AM -0500, Jason Harris wrote: > > On Tue, Dec 28, 2004 at 11:44:21PM -0500, David Shaw wrote: > > > The GD doesn't support no-modify either. > > > > It is enforcing something. It won't take any new signatures on its own > > key, 0xCA57AD7C, and the only signatures it has on your key, 0x99242560, > > all seem to be from other keys it has stored. > > Yes. As I understand it, the GD has a weak form of no-modify since it > does not allow new user IDs or subkeys without approval, but does > allow new signatures without approval. The new signatures must come > from a key that is already on the GD. Not for 0xCA57AD7C itself. On regular keyservers, we see three external revocations on 0xCA57AD7C and a few hundred signatures on 0xCA57AD7C v. a few on the pgp.com keyserver. Even if ldap://keyserver.pgp.com isn't enforcing no-modify on 0xCA57AD7C via cryptographic checks, it still appears to be doing so from the outside. (Yes, at least some of the external sigs on 0xCA57AD7C are for keys found on keyserver.pgp.com.) (Alas, I don't see no-modify set in the current selfsigs on 0xCA57AD7C from ldap://keyserver.pgp.com at all.) > > Also, it doesn't necessarily wait until its last signature expires before > > issuing a new one: > > Yes, I mentioned this in my first mail. There seems to be an overlap > between the old and new signatures. The signature lasts for 14 days, > but the new signature is issued sooner. I've seen overlaps as short > as 8 days. Your own key, 0x99242560, has two valid signatures made during the same (TZ=UTC) day by 0xCA57AD7C, as I mentioned in my last message. Specifically, they are timestamped Wed Dec 29 05:12:01 UTC 2004 and Wed Dec 29 05:24:00 UTC 2004. (If this was a one-time bug, fine.) -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20041229/cab90a4b/attachment.bin From johanw at vulcan.xs4all.nl Wed Dec 29 21:36:04 2004 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Wed Dec 29 21:33:16 2004 Subject: Is there a gpgkeys_mailto for Win32? In-Reply-To: <20041229191739.GK30683@jabberwocky.com> from David Shaw at "Dec 29, 2004 02:17:39 pm" Message-ID: <200412292036.VAA00953@vulcan.xs4all.nl> David Shaw wrote: >Do you happen to know if using ShellExecute() to open a mailto: URL is >widely supported? It is, as long as there is a mail application associated with such an URL. But if there's no mailer installed there is no point in using gpgkeys_mailto anyway. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From dshaw at jabberwocky.com Thu Dec 30 00:36:03 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Dec 30 00:33:09 2004 Subject: Global Directory signatures (was Re: GPG wants to check trustdb every day) In-Reply-To: <20041229201851.GD684@wilma.widomaker.com> References: <20041228034513.GD30683@jabberwocky.com> <200412280616.HAA01721@vulcan.xs4all.nl> <20041228151558.GG30683@jabberwocky.com> <20041229031406.53906.qmail@suspicious.org> <20041229040243.GD30683@jabberwocky.com> <20041229041420.81638.qmail@suspicious.org> <20041229044421.GF30683@jabberwocky.com> <20041229054722.GC684@wilma.widomaker.com> <20041229132316.GI30683@jabberwocky.com> <20041229201851.GD684@wilma.widomaker.com> Message-ID: <20041229233603.GS30683@jabberwocky.com> On Wed, Dec 29, 2004 at 03:18:51PM -0500, Jason Harris wrote: > On Wed, Dec 29, 2004 at 08:23:17AM -0500, David Shaw wrote: > > On Wed, Dec 29, 2004 at 12:47:22AM -0500, Jason Harris wrote: > > > On Tue, Dec 28, 2004 at 11:44:21PM -0500, David Shaw wrote: > > > > > The GD doesn't support no-modify either. > > > > > > It is enforcing something. It won't take any new signatures on its own > > > key, 0xCA57AD7C, and the only signatures it has on your key, 0x99242560, > > > all seem to be from other keys it has stored. > > > > Yes. As I understand it, the GD has a weak form of no-modify since it > > does not allow new user IDs or subkeys without approval, but does > > allow new signatures without approval. The new signatures must come > > from a key that is already on the GD. > > Not for 0xCA57AD7C itself. Yes, it seems that the GD key itself is not changing. Since the GD has a LDAP backend, this wouldn't be hard to do. > Your own key, 0x99242560, has two valid signatures made during the > same (TZ=UTC) day by 0xCA57AD7C, as I mentioned in my last message. > Specifically, they are timestamped Wed Dec 29 05:12:01 UTC 2004 and > Wed Dec 29 05:24:00 UTC 2004. (If this was a one-time bug, fine.) No idea. This is all black box conjecture. David From dshaw at jabberwocky.com Thu Dec 30 03:32:37 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Dec 30 03:57:26 2004 Subject: Global Directory signatures (was Re: GPG wants to check trustdb every day) In-Reply-To: <20041229200139.9687.qmail@suspicious.org> References: <20041228034513.GD30683@jabberwocky.com> <200412280616.HAA01721@vulcan.xs4all.nl> <20041228151558.GG30683@jabberwocky.com> <20041229031406.53906.qmail@suspicious.org> <20041229200139.9687.qmail@suspicious.org> Message-ID: <20041230023236.GV30683@jabberwocky.com> On Wed, Dec 29, 2004 at 03:03:50PM -0500, Atom 'Smasher' wrote: > On Tue, 28 Dec 2004, Len Sassaman wrote: > > > On Tue, 28 Dec 2004, Atom 'Smasher' wrote: > > > >>> * Ask the PGP folks to do something (what?) > >> =============== > >> > >> if you're in contact with them, at least ask what the hell they're > >> thinking... this is a horrible pollution of the key-servers and WoT. > > > > How is this a pollution of the "web of trust"? > ============= > > every signature on a key becomes part of the WoT... if (when?) automated, > expired or otherwise useless signatures start taking up a noticeable > percentage of the signatures collected on keys, it's noise. it's pollution > just as much as generating bogus keys and using them to sign real keys. Generating bogus keys and using them to sign real keys is noise in the web of trust. The GD is actual useful signatures, though not useful to all people. Neither has any meaningful impact on the web of trust. The web is just not designed that way. If you don't give trust to a bogus key that someone generated to be "funny", signatures from that key are invisible to you. Similarly, if you don't give trust to the GD key, the GD signatures are invisible to you. The web of trust is a perfect example of a strict "opt in" system. The worst thing that unusable signatures can do is to make keys larger and make UI displays unattractive. This isn't impacting the web of trust. David From dshaw at jabberwocky.com Thu Dec 30 02:44:43 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Dec 30 04:34:45 2004 Subject: Global Directory signatures (was Re: GPG wants to check trustdb every day) In-Reply-To: <200412291854.TAA00416@vulcan.xs4all.nl> References: <20041229153400.GJ30683@jabberwocky.com> <200412291854.TAA00416@vulcan.xs4all.nl> Message-ID: <20041230014443.GU30683@jabberwocky.com> On Wed, Dec 29, 2004 at 07:54:30PM +0100, Johan Wevers wrote: > David Shaw wrote: > > >> Yes. However, it still doesn't prevent the keyservers from being > >> loaded with a lot of useless signatures. I don't know how this would > >> affect the load of the keyservers. > > >It lowers the rate of growth (and thus the keyserver load) since gpg > >would not send out expired sigs to keyservers. > > GPG would not, put pgp probably will, so the blogging will still occur. > If the keyservers won't sct against that, gpg will have to. > > >I wonder if it is better to "clean" the keyring by simply not showing > >or preventing the import of sigs that are not useful rather than by > >deleting them after they are already imported. > > In that case the keyring does remain big. If I get a keyring with each key > hundreds of expired sigs, I'm affraid gpg might get slow and diskusage for > the keyrings will increase (also a problem for "gpg on a floppy" solotions). Yes, this is true. Ok, how about going back to the idea of import and export options to not import or export expired sigs. It's not perfect, due to the time overlap between expired and reissued GD signatures, but it's a reasonably good solution. I rather like the notion of GPG keeping GPG clean, the keyservers keeping the keyservers clean, and so on. So long as people aren't actively bridging keys between the GD and the keyserver net (which seems to be happening in my case, though I have no idea why someone would bother), this should be okay. David From dshaw at jabberwocky.com Thu Dec 30 05:12:00 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Dec 30 05:09:11 2004 Subject: Is there a gpgkeys_mailto for Win32? In-Reply-To: <20041230012239.GT30683@jabberwocky.com> References: <20041229191739.GK30683@jabberwocky.com> <200412292036.VAA00953@vulcan.xs4all.nl> <20041230012239.GT30683@jabberwocky.com> Message-ID: <20041230041200.GW30683@jabberwocky.com> On Wed, Dec 29, 2004 at 08:22:39PM -0500, David Shaw wrote: > On Wed, Dec 29, 2004 at 09:36:04PM +0100, Johan Wevers wrote: > > David Shaw wrote: > > > > >Do you happen to know if using ShellExecute() to open a mailto: URL is > > >widely supported? > > > > It is, as long as there is a mail application associated with such an > > URL. But if there's no mailer installed there is no point in using > > gpgkeys_mailto anyway. > > Hmm, so it's worth a try. Adding a key via a mailto URL could be > interesting, though. I wonder how the various mailto handlers would > deal with an URL that is over 32k long! Looks like using mailto: is a non-starter whether from ShellExecute() or WSH. The limit is 2k, and even smaller on some older versions of win32. 2k isn't enough to do much more than submit the very smallest of keys. David From dshaw at jabberwocky.com Thu Dec 30 05:23:18 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Dec 30 05:21:06 2004 Subject: Global Directory signatures (was Re: GPG wants to check trustdb every day) In-Reply-To: <20041230014443.GU30683@jabberwocky.com> References: <20041229153400.GJ30683@jabberwocky.com> <200412291854.TAA00416@vulcan.xs4all.nl> <20041230014443.GU30683@jabberwocky.com> Message-ID: <20041230042318.GX30683@jabberwocky.com> On Wed, Dec 29, 2004 at 08:44:43PM -0500, David Shaw wrote: > On Wed, Dec 29, 2004 at 07:54:30PM +0100, Johan Wevers wrote: > > David Shaw wrote: > > > > >> Yes. However, it still doesn't prevent the keyservers from being > > >> loaded with a lot of useless signatures. I don't know how this would > > >> affect the load of the keyservers. > > > > >It lowers the rate of growth (and thus the keyserver load) since gpg > > >would not send out expired sigs to keyservers. > > > > GPG would not, put pgp probably will, so the blogging will still occur. > > If the keyservers won't sct against that, gpg will have to. > > > > >I wonder if it is better to "clean" the keyring by simply not showing > > >or preventing the import of sigs that are not useful rather than by > > >deleting them after they are already imported. > > > > In that case the keyring does remain big. If I get a keyring with each key > > hundreds of expired sigs, I'm affraid gpg might get slow and diskusage for > > the keyrings will increase (also a problem for "gpg on a floppy" solotions). > > Yes, this is true. Ok, how about going back to the idea of import and > export options to not import or export expired sigs. It's not > perfect, due to the time overlap between expired and reissued GD > signatures, but it's a reasonably good solution. Try this patch to 1.4. It adds an export-option "export-unusable-sigs" and an import-option "import-unusable-sigs". Both are off by default. Comments welcome. David -------------- next part -------------- Index: export.c =================================================================== RCS file: /cvs/gnupg/gnupg/g10/export.c,v retrieving revision 1.44 diff -u -r1.44 export.c --- export.c 26 Nov 2004 16:48:05 -0000 1.44 +++ export.c 30 Dec 2004 04:16:30 -0000 @@ -49,6 +49,7 @@ {"export-attributes",EXPORT_ATTRIBUTES,NULL}, {"export-sensitive-revkeys",EXPORT_SENSITIVE_REVKEYS,NULL}, {"export-minimal",EXPORT_MINIMAL,NULL}, + {"export-unusable-sigs",EXPORT_UNUSABLE_SIGS,NULL}, /* Aliases for backward compatibility */ {"include-local-sigs",EXPORT_LOCAL_SIGS,NULL}, {"include-attributes",EXPORT_ATTRIBUTES,NULL}, @@ -314,12 +315,22 @@ if( node->pkt->pkttype == PKT_SIGNATURE ) { - /* If we have minimal-export turned on, do not include + /* If we have export-minimal turned on, do not include any signature that isn't a selfsig. Note that this only applies to uid sigs (0x10, 0x11, 0x12, and 0x13). A designated revocation is not stripped. */ if((options&EXPORT_MINIMAL) && IS_UID_SIG(node->pkt->pkt.signature) + && (node->pkt->pkt.signature->keyid[0]!=keyid[0] + || node->pkt->pkt.signature->keyid[1]!=keyid[1])) + continue; + + /* We do basically the same thing for + export-unusable-sigs. It only applies to expired + uid sigs that aren't selfsigs. */ + if(!(options&EXPORT_UNUSABLE_SIGS) + && IS_UID_SIG(node->pkt->pkt.signature) + && node->pkt->pkt.signature->flags.expired && (node->pkt->pkt.signature->keyid[0]!=keyid[0] || node->pkt->pkt.signature->keyid[1]!=keyid[1])) continue; Index: import.c =================================================================== RCS file: /cvs/gnupg/gnupg/g10/import.c,v retrieving revision 1.117 diff -u -r1.117 import.c --- import.c 26 Nov 2004 15:51:37 -0000 1.117 +++ import.c 30 Dec 2004 04:16:32 -0000 @@ -93,6 +93,7 @@ {"fast-import",IMPORT_FAST,NULL}, {"convert-sk-to-pk",IMPORT_SK2PK,NULL}, {"merge-only",IMPORT_MERGE_ONLY,NULL}, + {"import-unusable-sigs",IMPORT_UNUSABLE_SIGS,NULL}, /* Aliases for backward compatibility */ {"allow-local-sigs",IMPORT_LOCAL_SIGS,NULL}, {"repair-hkp-subkey-bug",IMPORT_REPAIR_PKS_SUBKEY_BUG,NULL}, @@ -1555,6 +1556,21 @@ log_info(_("key %s: unexpected signature class (0x%02X) -" " skipped\n"),keystr(keyid), node->pkt->pkt.signature->sig_class); + delete_kbnode(node); + } + else if(node->pkt->pkttype==PKT_SIGNATURE + && IS_UID_SIG(node->pkt->pkt.signature) + && node->pkt->pkt.signature->flags.expired + && !(options&IMPORT_UNUSABLE_SIGS)) + { + if(opt.verbose) + { + char *kid=m_strdup(keystr(keyid)); + log_info(_("key %s: expired signature from key %s -" + " skipped\n"),kid, + keystr(node->pkt->pkt.signature->keyid)); + m_free(kid); + } delete_kbnode(node); } else if( (node->flag & 4) ) /* marked for deletion */ Index: options.h =================================================================== RCS file: /cvs/gnupg/gnupg/g10/options.h,v retrieving revision 1.132 diff -u -r1.132 options.h --- options.h 22 Dec 2004 18:09:41 -0000 1.132 +++ options.h 30 Dec 2004 04:16:32 -0000 @@ -252,11 +252,13 @@ #define IMPORT_FAST (1<<2) #define IMPORT_SK2PK (1<<3) #define IMPORT_MERGE_ONLY (1<<4) +#define IMPORT_UNUSABLE_SIGS (1<<5) #define EXPORT_LOCAL_SIGS (1<<0) #define EXPORT_ATTRIBUTES (1<<1) #define EXPORT_SENSITIVE_REVKEYS (1<<2) #define EXPORT_MINIMAL (1<<3) +#define EXPORT_UNUSABLE_SIGS (1<<4) #define LIST_SHOW_PHOTOS (1<<0) #define LIST_SHOW_POLICY_URLS (1<<1) From jharris at widomaker.com Thu Dec 30 05:35:12 2004 From: jharris at widomaker.com (Jason Harris) Date: Thu Dec 30 05:31:45 2004 Subject: Global Directory signatures (was Re: GPG wants to check trustdb every day) In-Reply-To: <20041230014443.GU30683@jabberwocky.com> References: <20041229153400.GJ30683@jabberwocky.com> <200412291854.TAA00416@vulcan.xs4all.nl> <20041230014443.GU30683@jabberwocky.com> Message-ID: <20041230043512.GE684@wilma.widomaker.com> On Wed, Dec 29, 2004 at 08:44:43PM -0500, David Shaw wrote: > I rather like the notion of GPG keeping GPG clean, the keyservers > keeping the keyservers clean, and so on. So long as people aren't > actively bridging keys between the GD and the keyserver net (which > seems to be happening in my case, though I have no idea why someone > would bother), this should be okay. Good luck. Each person who signed 0xCA57AD7C and uploaded their signature for others to use: http://keyserver.kjsl.com:11371/pks/lookup?op=vindex&search=0xCA57AD7C probably disagrees, unless keyserver.pgp.com is now secretly infiltrating its keys into the regular public keyserver network. Besides, using only keyserver.pgp.com isn't feasible if you care about signatures from keys not registered with it. This is because it now implements "weak no-modify" in addition to being unsynchronized, whereas in the past it was only because it stopped synchronizing with other keyservers. If signatures from 0xCA57AD7C were issued when a key is first verified by GD and set to expire yearly (a la RobotCA), there wouldn't be a problem. -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20041229/1c52d17b/attachment.bin From dshaw at jabberwocky.com Thu Dec 30 06:19:45 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Dec 30 15:04:39 2004 Subject: Global Directory signatures (was Re: GPG wants to check trustdb every day) In-Reply-To: <20041230043512.GE684@wilma.widomaker.com> References: <20041229153400.GJ30683@jabberwocky.com> <200412291854.TAA00416@vulcan.xs4all.nl> <20041230014443.GU30683@jabberwocky.com> <20041230043512.GE684@wilma.widomaker.com> Message-ID: <20041230051945.GY30683@jabberwocky.com> On Wed, Dec 29, 2004 at 11:35:12PM -0500, Jason Harris wrote: > On Wed, Dec 29, 2004 at 08:44:43PM -0500, David Shaw wrote: > > > I rather like the notion of GPG keeping GPG clean, the keyservers > > keeping the keyservers clean, and so on. So long as people aren't > > actively bridging keys between the GD and the keyserver net (which > > seems to be happening in my case, though I have no idea why someone > > would bother), this should be okay. > > Good luck. Each person who signed 0xCA57AD7C and uploaded their > signature for others to use: > > http://keyserver.kjsl.com:11371/pks/lookup?op=vindex&search=0xCA57AD7C > > probably disagrees, unless keyserver.pgp.com is now secretly > infiltrating its keys into the regular public keyserver network. I'm not sure what connection this comment has with the discussion. You're talking about people signing a key and uploading their signatures (however foolish this might be in the case of the GD key). I'm talking about someone downloading keys from the GD and then pushing them onto the keyserver net. As I said, unless someone is bridging keys intentionally, then the GnuPG filter should handle it reasonably well. (Only "reasonably" well because of the overlap in signature dates). > Besides, using only keyserver.pgp.com isn't feasible if you care about > signatures from keys not registered with it. This is because it now > implements "weak no-modify" in addition to being unsynchronized, whereas > in the past it was only because it stopped synchronizing with other > keyservers. I think the people who the GD was designed for pretty much don't care about signatures from keys not registered with it. That's the whole point. Understand that being "unsynchronized" is a major *feature* of the GD. A goal of the GD is to keep all of the old crap from the keyserver net off. I know you like synchronization, but you are not the target audience for the GD. Neither am I. I use it because it provides some level of useful functionality even to people who aren't the target audience. David From samuel at Update.UU.SE Thu Dec 30 16:48:45 2004 From: samuel at Update.UU.SE (Samuel ]slund) Date: Thu Dec 30 17:35:58 2004 Subject: Is there a gpgkeys_mailto for Win32? In-Reply-To: <20041229191739.GK30683@jabberwocky.com> References: <200412291458.PAA03189@vulcan.xs4all.nl> <20041229191739.GK30683@jabberwocky.com> Message-ID: <20041230154845.GA17927@Update.UU.SE> On Wed, Dec 29, 2004 at 02:17:39PM -0500, David Shaw wrote: > On Wed, Dec 29, 2004 at 03:58:21PM +0100, Johan Wevers wrote: > > Zuxy wrote: > > > > >.WSH (Windows Script Host) is supported natively by Win32. > > > > Not all flavours of win32 as far as I know. I doubt win98 supports it, > > and I thought on win2000 you had to download and install it manually. > > Do you happen to know if using ShellExecute() to open a mailto: URL is > widely supported? > > Writing a new gpgkeys_mailto seems like a pain, but it would allow me > to cross a different item off my todo list: removing the various perl > dependencies which makes packaging GnuPG difficult. Why do you not use a .bat or .cmd to wrap the perl call? It probably has the same security issues as a shelscript but does that matter? A gpgkeys_mailto.bat should be executed by calling gpgkeys_mailto on the commandline, just like a .exe would. //Samuel From atom at suspicious.org Thu Dec 30 06:17:54 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Thu Dec 30 18:41:44 2004 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <20041230043512.GE684@wilma.widomaker.com> References: <20041229153400.GJ30683@jabberwocky.com> <200412291854.TAA00416@vulcan.xs4all.nl> <20041230014443.GU30683@jabberwocky.com> <20041230043512.GE684@wilma.widomaker.com> Message-ID: <20041230000801.N31825@willy.wonka> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Wed, 29 Dec 2004, Jason Harris wrote: > Good luck. Each person who signed 0xCA57AD7C and uploaded their > signature for others to use: > > http://keyserver.kjsl.com:11371/pks/lookup?op=vindex&search=0xCA57AD7C ================ YIKES!! why on earth would anyone sign this key? the UID identifies the key as belonging to "PGP Global Directory Verification Key"... can anyone prove ownership of that key? has the owner of that key been going to key signing parties all over the world? the key has >250 signatures ranging from 0x10 - 0x13! can anyone explain to me why they signed this key, and how they verified that the key *really* is the "PGP Global Directory Verification Key"? unless someone can explain to me why they had a good reason for signing this key i'm tempted to include everyone who signed it in my "untrusted signers" list. signing a robot's key seems to violate every good practice of responsible keysigning. - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- Where is Lee Harvey Oswald now that we really need him? -- Bumper Sticker -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJB04+HAAoJEAx/d+cTpVciYRkH/2H1GZo00MV+Mx+Aeat00fe4 I8ZIbiQJpjgsSAH11aNxFJ45t8ytOs1kPCJb9KFQ85p3MPdrwblL0yOVGPbeFO72 lsmYzzS6drAgK56WmjFsRj8Ym/9Uw1WIl4lxovxRPjTK4034+pxfJw6NQINH36z6 lNvJPZVKb5DXR2LtDr4z+gKtbLtBARJG/unh2IpEbzt1p8mJaOtXLQOrnMkPySOY t2OWyIWh+PXvi5f2/PG2m1fhF4FxzkT3ufX4Fsrj3kgZCPpRr03ZKSNtF6soCmpA 3YbVg9DejOVK8E8hw1uhDW+XpS8lZU46i6qpmKSZ7+rG91U93OlOTG7yJlBZso8= =Rx/K -----END PGP SIGNATURE----- From jharris at widomaker.com Thu Dec 30 18:51:08 2004 From: jharris at widomaker.com (Jason Harris) Date: Thu Dec 30 18:47:29 2004 Subject: Global Directory signatures (was Re: GPG wants to check trustdb every day) In-Reply-To: <20041230051945.GY30683@jabberwocky.com> References: <20041229153400.GJ30683@jabberwocky.com> <200412291854.TAA00416@vulcan.xs4all.nl> <20041230014443.GU30683@jabberwocky.com> <20041230043512.GE684@wilma.widomaker.com> <20041230051945.GY30683@jabberwocky.com> Message-ID: <20041230175107.GF684@wilma.widomaker.com> On Thu, Dec 30, 2004 at 12:19:45AM -0500, David Shaw wrote: > On Wed, Dec 29, 2004 at 11:35:12PM -0500, Jason Harris wrote: > > Good luck. Each person who signed 0xCA57AD7C and uploaded their > > signature for others to use: > > probably disagrees, unless keyserver.pgp.com is now secretly > > infiltrating its keys into the regular public keyserver network. > > I'm not sure what connection this comment has with the discussion. > As I said, unless someone is bridging keys intentionally, then the > GnuPG filter should handle it reasonably well. (Only "reasonably" > well because of the overlap in signature dates). People are "bridging keys[erver networks]." They have to be downloading their signed key from the pgp.com keyserver, verifying the signature from 0xCA57AD7C, signing 0xCA57AD7C, and uploading it with their reciprocal signature to a synchronized keyserver. (OK, they could be skipping the first two steps... :) http://keyserver.kjsl.com/~jharris/ka/current/CA/CA57AD7C shows 163 signatures to and 120 signatures from 0xCA57AD7C by 2004-12-26. The report for 2004-12-12 lists 36 signatures to and from 0xCA57AD7C. All of these keys signed by 0xCA57AD7C made their way from the pgp.com keyserver to the regular keyservers. Assuming all signatures from 0xCA57AD7C expire in 14 days, any keys appearing in both reports were uploaded twice. OK, 0xF7447263 is the only key common to these two reports. NB: Pulling 0xF7447263 from keyserver.pgp.com just now didn't add a new sig. by 0xCA57AD7C, so it looks like the 8 day bug/feature is gone. -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20041230/e045349d/attachment.bin From npellegr at numericable.fr Thu Dec 30 19:35:01 2004 From: npellegr at numericable.fr (nicolas pellegrin) Date: Thu Dec 30 21:01:23 2004 Subject: Choosing the Hash and cyphering algorithm References: <1103558853.41c6f8c5b9c16@webmail.numericable.fr> <20041221053027.68208.qmail@suspicious.org> Message-ID: <00c001c4ee9e$4591e810$2055ec50@hal> Sorry I made a mistake switching d and q .. i modify the initial message ! => Well about he whole point and especially RSA I should be able to cypher with my private key since the exponents are inverses : d = e^-1 mod (p-1)(q-1) with q the private exponent and e the public one. Actually when you sign something it's c = RSA(priv,H(m)) with H the Hash function. So I know it's possible. I only want to "c = m^d mod n" Nicolas Pellegrin >Well about he whole point and especially RSA I should be able to cypher >with my >private key since the exponents are inverses : >q = e^-1 mod (p-1)(q-1) with q the private exponent and e the public one. >Actually when you sign something it's >c = RSA(priv,H(m)) with H the Hash function. >So I know it's possible. I only want to "c = m^q mod From kyle at toehold.com Thu Dec 30 20:50:24 2004 From: kyle at toehold.com (Kyle Hasselbacher) Date: Thu Dec 30 21:01:40 2004 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <20041230000801.N31825@willy.wonka> References: <20041229153400.GJ30683@jabberwocky.com> <200412291854.TAA00416@vulcan.xs4all.nl> <20041230014443.GU30683@jabberwocky.com> <20041230043512.GE684@wilma.widomaker.com> <20041230000801.N31825@willy.wonka> Message-ID: <41D45C00.6030204@toehold.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Atom 'Smasher' wrote: | why on earth would anyone sign this key? the UID identifies the key as | belonging to "PGP Global Directory Verification Key"... Some folks signed the Robot CA key (C521097E) to show that they believed that it is what it says it is: a gravel-dumb key verifier. In some cases, a user might have wanted to use it as a trusted introducer. To assign owner trust, it has to be valid. To be valid, they have to sign it. Perhaps some of them knew that this is better done with a local signature and fat fingered the signing, but it's a little hard to believe someone understood the web of trust well enough to want to sign but not well enough to know a local sig was better. Some people may have seen it as a back door into the global strong set. The Robot CA is in the strong set, and it gives out signatures easily. Give a signature back, and you're in the strong set too. I signed it because I wrote it and run it. Are folks signing the Global Directory key for the same reasons? I don't know, but it's possible. Kyle -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3-nr1 (Windows XP) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFB1Fv/zS7R/flctWYRAvbrAKCQNEAmEyepjtgs/R/x9FA44GbXLACgpHS4 t1ClyCfBc32ueLaxWOTXGwI= =g+iR -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Thu Dec 30 21:25:10 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Dec 30 21:22:03 2004 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <41D45C00.6030204@toehold.com> References: <20041229153400.GJ30683@jabberwocky.com> <200412291854.TAA00416@vulcan.xs4all.nl> <20041230014443.GU30683@jabberwocky.com> <20041230043512.GE684@wilma.widomaker.com> <20041230000801.N31825@willy.wonka> <41D45C00.6030204@toehold.com> Message-ID: <20041230202510.GD12645@jabberwocky.com> On Thu, Dec 30, 2004 at 01:50:24PM -0600, Kyle Hasselbacher wrote: > In some cases, a user might have wanted to use it as a trusted > introducer. To assign owner trust, it has to be valid. To be > valid, they have to sign it. Perhaps some of them knew that this is > better done with a local signature and fat fingered the signing, but > it's a little hard to believe someone understood the web of trust > well enough to want to sign but not well enough to know a local sig > was better. Oh, I can believe that. It's the "I need to sign this to make things work" thing. Do beginners necessarily understand what signing entails? No. Do they necessarily understand what the web of trust even is? No. All they know is that the instructions say to sign the key, so they sign the key. David From atom at suspicious.org Thu Dec 30 21:31:44 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Thu Dec 30 21:25:45 2004 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <41D45C00.6030204@toehold.com> References: <20041229153400.GJ30683@jabberwocky.com> <200412291854.TAA00416@vulcan.xs4all.nl> <20041230014443.GU30683@jabberwocky.com> <20041230043512.GE684@wilma.widomaker.com> <20041230000801.N31825@willy.wonka> <41D45C00.6030204@toehold.com> Message-ID: <20041230202915.34191.qmail@suspicious.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Thu, 30 Dec 2004, Kyle Hasselbacher wrote: > I signed it because I wrote it and run it. ================== that's a good reason. should i look for a 0x13 sig from the GD key to you? i can't find that you and the GD key have exchanged signatures. for everyone else who gave it an exportable signature and didn't write it and isn't running it, i still think that their behavior should an earn them a place in my "untrusted signers" list. - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "It must be in our vital interest whether we ever send troops. The mission must be clear. Soldiers must understand why we're going. The force must be strong enough so that the mission can be accomplished. And the exit strategy needs to be well-defined." -- George "dubya" Bush 3rd Bush-Gore debate, 17 Oct 2000 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJB1GW1AAoJEAx/d+cTpVcit04IALqlRxkUZ/+SMOym0n1xVcWi G4FrBdfEwffHrNpzZWdDPgUbsBPTGD2yd+yQ87hGaKS3kj39NSCc9zKTjNRJ7Xvo LCejjuDKsJ/tP34B73jZOqIg7pKropuN8SmSRtehX+HLxXo9konVHa/HsPlYKK0W bw2asswdt9El6J0mvr3H3ulq5UFfAwdikvVS6NptcyfzSeawf4wCoTB3TcaFLCt6 xe0Rw8q3JcSBF8ZysNgtVV6phXx+4UtKxca+vo3Gg+eLJZ80xosZm/x93+MzsDN1 zH8vnmf9WhAHtwMRS5so4nkxfXtyLNSTRnwWOdMSAg68sWrQltVwbLmJ5Lmbhp0= =o4+g -----END PGP SIGNATURE----- From atom at suspicious.org Thu Dec 30 21:37:26 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Thu Dec 30 21:31:17 2004 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <20041230202510.GD12645@jabberwocky.com> References: <20041229153400.GJ30683@jabberwocky.com> <200412291854.TAA00416@vulcan.xs4all.nl> <20041230014443.GU30683@jabberwocky.com> <20041230043512.GE684@wilma.widomaker.com> <20041230000801.N31825@willy.wonka> <41D45C00.6030204@toehold.com> <20041230202510.GD12645@jabberwocky.com> Message-ID: <20041230203457.36781.qmail@suspicious.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Thu, 30 Dec 2004, David Shaw wrote: > On Thu, Dec 30, 2004 at 01:50:24PM -0600, Kyle Hasselbacher wrote: > >> In some cases, a user might have wanted to use it as a trusted >> introducer. To assign owner trust, it has to be valid. To be valid, >> they have to sign it. Perhaps some of them knew that this is better >> done with a local signature and fat fingered the signing, but it's a >> little hard to believe someone understood the web of trust well enough >> to want to sign but not well enough to know a local sig was better. > > Oh, I can believe that. It's the "I need to sign this to make things > work" thing. Do beginners necessarily understand what signing entails? > No. Do they necessarily understand what the web of trust even is? No. > All they know is that the instructions say to sign the key, so they sign > the key. ===================== is that the behavior of PGP(tm)? i once helped someone use PGP(tm) and in the 30-60 seconds that i was using it, it seemed to require a signature before it would recognize an imported key... i helped the user to make a non-exportable signature, but i don't recall that being the default. - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "To invent, you need a good imagination and a pile of junk." -- Thomas Edison -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJB1GcMAAoJEAx/d+cTpVcivtQIAKD8Si9WkdnmciU++xjP4x2y Z7GyoTRt4ySIGioXh3rhmI5kFQ719/ZnQBZYGizHukvsUZyM2DOuEbvk7RCp4exq xqplS6V90xpkpddwkSa4xMVzTzHFU6UEUROtoMQ3jIfz4F9nHPKXHdBlECPUMsRy vzXg++KYSsAAt7tL9mr8BktCnnC+KGUrzUnnWUrcQr8OjDvIQcucFQqB7nz7NvJq rncclOPa6vOlwUp4UJ7i0Vo/W0M3hYlK4z4kNHVXcijXtGkWzQLLK3FoKBIG/ZuW h9eJvzLJYNXFfQxTwN6Oua95Gsl+vlCAB8Dmf8LH7eH3SKqeIpZXenjTKusu3Bg= =Z1k2 -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Thu Dec 30 21:41:07 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Dec 30 21:38:11 2004 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <20041230000801.N31825@willy.wonka> References: <20041229153400.GJ30683@jabberwocky.com> <200412291854.TAA00416@vulcan.xs4all.nl> <20041230014443.GU30683@jabberwocky.com> <20041230043512.GE684@wilma.widomaker.com> <20041230000801.N31825@willy.wonka> Message-ID: <20041230204107.GE12645@jabberwocky.com> On Thu, Dec 30, 2004 at 12:17:54AM -0500, Atom 'Smasher' wrote: [people signing the GD key] > why on earth would anyone sign this key? the UID identifies the key > as belonging to "PGP Global Directory Verification Key"... can > anyone prove ownership of that key? has the owner of that key been > going to key signing parties all over the world? > > the key has >250 signatures ranging from 0x10 - 0x13! can anyone > explain to me why they signed this key, and how they verified that > the key *really* is the "PGP Global Directory Verification Key"? I'd estimate that around 5 of those signatures are genuine and the majority of the rest are either completely or partially accidental. Some people probably meant to locally sign, and some people just didn't have any idea what they were doing. I'm sure some people did it intentionally with full understanding of what they were doing, but I suspect they are in the minority. It's a amusing example of how well people verify keys before the sign them. I have a (much fewer) number of similar unchecked signatures on my own key. My key comes with the GnuPG distribution, so I think people use it for testing sometimes. > unless someone can explain to me why they had a good reason for > signing this key i'm tempted to include everyone who signed it in my > "untrusted signers" list. signing a robot's key seems to violate > every good practice of responsible keysigning. Unless you are or know the robot's keeper. It's an interesting keysigning question, actually. Not just for robots, but for any key that doesn't directly correspond to a single human being (robots, nym keys, role accounts, etc). David From kyle at toehold.com Thu Dec 30 21:43:03 2004 From: kyle at toehold.com (Kyle Hasselbacher) Date: Thu Dec 30 21:40:16 2004 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <20041230202915.34191.qmail@suspicious.org> References: <20041229153400.GJ30683@jabberwocky.com> <200412291854.TAA00416@vulcan.xs4all.nl> <20041230014443.GU30683@jabberwocky.com> <20041230043512.GE684@wilma.widomaker.com> <20041230000801.N31825@willy.wonka> <41D45C00.6030204@toehold.com> <20041230202915.34191.qmail@suspicious.org> Message-ID: <41D46857.7050905@toehold.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 | On Thu, 30 Dec 2004, Kyle Hasselbacher wrote: | |>> I signed it because I wrote it and run it. | that's a good reason. should i look for a 0x13 sig from the GD key to | you? i can't find that you and the GD key have exchanged signatures. No, sorry, I was talking about the Robot CA key (C521097E). It and I have certainly exchanged signatures. I'm on the GD, so I have its signature (if you ask the GD for it), but I haven't signed the GD key. If I ever do, it will be to certify that it is what it says it is (a dumb key signer). Like my other signatures, that's not an endorsement of its key signing policy, just certification of identity. | for everyone else who gave it an exportable signature and didn't write | it and isn't running it, i still think that their behavior should an | earn them a place in my "untrusted signers" list. Fine with me; it's your list. 8-) Kyle. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3-nr1 (Windows XP) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD4DBQFB1GhXzS7R/flctWYRAiiTAJ9Kd8iSohWHaeXIGc1SMEiUZSKb0wCXS5pQ LlJ30jKEaXXUtV+bQxHWgQ== =8bXO -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Thu Dec 30 21:57:44 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Dec 30 21:54:38 2004 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <20041230203457.36781.qmail@suspicious.org> References: <20041229153400.GJ30683@jabberwocky.com> <200412291854.TAA00416@vulcan.xs4all.nl> <20041230014443.GU30683@jabberwocky.com> <20041230043512.GE684@wilma.widomaker.com> <20041230000801.N31825@willy.wonka> <41D45C00.6030204@toehold.com> <20041230202510.GD12645@jabberwocky.com> <20041230203457.36781.qmail@suspicious.org> Message-ID: <20041230205744.GF12645@jabberwocky.com> On Thu, Dec 30, 2004 at 03:37:26PM -0500, Atom 'Smasher' wrote: > On Thu, 30 Dec 2004, David Shaw wrote: > > > On Thu, Dec 30, 2004 at 01:50:24PM -0600, Kyle Hasselbacher wrote: > > > >> In some cases, a user might have wanted to use it as a trusted > >> introducer. To assign owner trust, it has to be valid. To be valid, > >> they have to sign it. Perhaps some of them knew that this is better > >> done with a local signature and fat fingered the signing, but it's a > >> little hard to believe someone understood the web of trust well enough > >> to want to sign but not well enough to know a local sig was better. > > > > Oh, I can believe that. It's the "I need to sign this to make things > > work" thing. Do beginners necessarily understand what signing entails? > > No. Do they necessarily understand what the web of trust even is? No. > > All they know is that the instructions say to sign the key, so they sign > > the key. > ===================== > > is that the behavior of PGP(tm)? i once helped someone use PGP(tm) and in > the 30-60 seconds that i was using it, it seemed to require a signature > before it would recognize an imported key... i helped the user to make a > non-exportable signature, but i don't recall that being the default. Both GnuPG and PGP do more or less the same thing here. You can import keys freely, but such keys will remain invalid until there is a valid trust path to the key. Invalid keys are usable, but you get some variation of the "are you sure?" message before you can use the key. If there is no valid trust path to the key, and you want to make it valid (say, if you want to trust signatures issued by it, as in the case of the GD key), then you need to sign or locally sign the key yourself. PGP's "Sign" command actually defaults to local signing. You need to make an explicit action (check a check box) to make it a regular exportable signature. Note that I'm speaking about PGP 8 here, though I seem to recall that PGP 7 was the same. David From dshaw at jabberwocky.com Thu Dec 30 22:00:32 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Dec 30 21:57:32 2004 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <41D46857.7050905@toehold.com> References: <20041229153400.GJ30683@jabberwocky.com> <200412291854.TAA00416@vulcan.xs4all.nl> <20041230014443.GU30683@jabberwocky.com> <20041230043512.GE684@wilma.widomaker.com> <20041230000801.N31825@willy.wonka> <41D45C00.6030204@toehold.com> <20041230202915.34191.qmail@suspicious.org> <41D46857.7050905@toehold.com> Message-ID: <20041230210032.GG12645@jabberwocky.com> On Thu, Dec 30, 2004 at 02:43:03PM -0600, Kyle Hasselbacher wrote: > | On Thu, 30 Dec 2004, Kyle Hasselbacher wrote: > | > |>> I signed it because I wrote it and run it. > > | that's a good reason. should i look for a 0x13 sig from the GD key to > | you? i can't find that you and the GD key have exchanged signatures. > > No, sorry, I was talking about the Robot CA key (C521097E). It and I have > certainly exchanged signatures. I'm on the GD, so I have its signature (if > you ask the GD for it), but I haven't signed the GD key. If I ever do, it > will be to certify that it is what it says it is (a dumb key signer). Like > my other signatures, that's not an endorsement of its key signing policy, > just certification of identity. Ideally, signing a key should never be affected by a key signing policy, though since this is the real world, it certainly is a factor. Still, how would you go about checking the identity of a key that identifies itself only as "PGP Global Directory Verification Key" ? I can certainly understand that you signed the Robot CA key, but signing the GD key seems to be a leap of faith rather than actual hard knowledge. David From atom at suspicious.org Thu Dec 30 22:12:45 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Thu Dec 30 22:06:36 2004 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <20041230205744.GF12645@jabberwocky.com> References: <20041229153400.GJ30683@jabberwocky.com> <200412291854.TAA00416@vulcan.xs4all.nl> <20041230014443.GU30683@jabberwocky.com> <20041230043512.GE684@wilma.widomaker.com> <20041230000801.N31825@willy.wonka> <41D45C00.6030204@toehold.com> <20041230202510.GD12645@jabberwocky.com> <20041230203457.36781.qmail@suspicious.org> <20041230205744.GF12645@jabberwocky.com> Message-ID: <20041230211017.53273.qmail@suspicious.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Thu, 30 Dec 2004, David Shaw wrote: > Both GnuPG and PGP do more or less the same thing here. You can import > keys freely, but such keys will remain invalid until there is a valid > trust path to the key. Invalid keys are usable, but you get some > variation of the "are you sure?" message before you can use the key. ==================== i don't recall PGP(tm) having the option of "are you sure" for an unsigned key, but i didn't spend much time with it. i was left with the impression that the key couldn't be used unless it had a signature. > If there is no valid trust path to the key, and you want to make it > valid (say, if you want to trust signatures issued by it, as in the case > of the GD key), then you need to sign or locally sign the key yourself. > PGP's "Sign" command actually defaults to local signing. You need to > make an explicit action (check a check box) to make it a regular > exportable signature. Note that I'm speaking about PGP 8 here, though I > seem to recall that PGP 7 was the same. ===================== one can also use edit-key and assign ultimate trust to a key, which will make it trusted without a signature. - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "Think of the press as a great keyboard on which the government can play." -- Joseph Goebbels, Nazi Propaganda Minister. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJB1G9TAAoJEAx/d+cTpVcijSoIAJL+DpUKfgvY81eX+CaD/vu6 JhSW23Oa6zp3YKmO6WKnKuAEEJphrsOa38A00Jds66mXvofzFDymHR11GvCFimMW vG0+4TLtv7Kr/yCPXob+7X+K8V6BvSl0HcoSojJKCqLP5f1oULCDhBKh3+/wnnEM ndeJqW2tCvX79bu2zhPKgxP4v/eeumPAZjFcq7yg1J1455MqSXCKb9eDHyMw80Ea 6dgqw6N02R3SXVLwte/Oy645v8XgHv4eNxwlY/jaOQV50U1r/an4pEZvpqu2KT94 iUnLMyFKHXiqQQlbdkEedCy2DOvX+/oDu4+vITkgFqlBB+Hr79V7qL5a7h29BuQ= =/O5Q -----END PGP SIGNATURE----- From atom at suspicious.org Thu Dec 30 22:30:28 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Thu Dec 30 22:24:29 2004 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <20041230210032.GG12645@jabberwocky.com> References: <20041229153400.GJ30683@jabberwocky.com> <200412291854.TAA00416@vulcan.xs4all.nl> <20041230014443.GU30683@jabberwocky.com> <20041230043512.GE684@wilma.widomaker.com> <20041230000801.N31825@willy.wonka> <41D45C00.6030204@toehold.com> <20041230202915.34191.qmail@suspicious.org> <41D46857.7050905@toehold.com> <20041230210032.GG12645@jabberwocky.com> Message-ID: <20041230212759.60287.qmail@suspicious.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Thu, 30 Dec 2004, David Shaw wrote: > Still, how would you go about checking the identity of a key that > identifies itself only as "PGP Global Directory Verification Key" ? I > can certainly understand that you signed the Robot CA key, but signing > the GD key seems to be a leap of faith rather than actual hard > knowledge. ==================== if nothing else, such unverifiable signatures on a robot's key could serve as a list of who isn't doing a good job of checking when they sign keys. what to do with that list is an exercise left to the reader... - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "Those who will not reason, are bigots, those who cannot, are fools, and those who dare not, are slaves." -- George Gordon Noel Byron (Lord Byron) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJB1HN5AAoJEAx/d+cTpVcisaoIALCCbKfdMu4y/TCFRwliKUJI 2aE8HH+zrRB6xPnlKZSF0EZ8Ekz63jVsFVK8HcKQUGngIW6hD2aYCkfqp23jIoYO MF8Im/srxThKDCCzbgpiVIz6YP5Bsbxiq0UIi+QQbz0BksW0aDPD7Oyy+syUfSK7 +3J6gt14qBI0D5DAZyElc+DgySWgCs/egxiYjRx0uqa/aOrsRI1CV/+LrVcRMVDe R6gXT3XsuI9YNUxVPtJNNhaxaYFRQ6RdN44Jcxx6i59agUvnqOJwwW9yrstzDnVF iuGJirNaZDKB1HFPv9Vjmvao2+Dh4yRIOk4r92sgVP+PXXhl3aikEZmScqV6S48= =rQmw -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Thu Dec 30 22:27:51 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Dec 30 22:24:51 2004 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <20041230211017.53273.qmail@suspicious.org> References: <20041229153400.GJ30683@jabberwocky.com> <200412291854.TAA00416@vulcan.xs4all.nl> <20041230014443.GU30683@jabberwocky.com> <20041230043512.GE684@wilma.widomaker.com> <20041230000801.N31825@willy.wonka> <41D45C00.6030204@toehold.com> <20041230202510.GD12645@jabberwocky.com> <20041230203457.36781.qmail@suspicious.org> <20041230205744.GF12645@jabberwocky.com> <20041230211017.53273.qmail@suspicious.org> Message-ID: <20041230212751.GI12645@jabberwocky.com> On Thu, Dec 30, 2004 at 04:12:45PM -0500, Atom 'Smasher' wrote: > On Thu, 30 Dec 2004, David Shaw wrote: > > > Both GnuPG and PGP do more or less the same thing here. You can import > > keys freely, but such keys will remain invalid until there is a valid > > trust path to the key. Invalid keys are usable, but you get some > > variation of the "are you sure?" message before you can use the key. > ==================== > > i don't recall PGP(tm) having the option of "are you sure" for an unsigned > key, but i didn't spend much time with it. i was left with the impression > that the key couldn't be used unless it had a signature. It depends how you are using PGP, I guess. I imagine some plugins may restrict more, but the regular "PGPmail" application lets you encrypt to any key you like. It just grays out invalid keys, but they are still usable. > > If there is no valid trust path to the key, and you want to make it > > valid (say, if you want to trust signatures issued by it, as in the case > > of the GD key), then you need to sign or locally sign the key yourself. > > PGP's "Sign" command actually defaults to local signing. You need to > > make an explicit action (check a check box) to make it a regular > > exportable signature. Note that I'm speaking about PGP 8 here, though I > > seem to recall that PGP 7 was the same. > ===================== > > one can also use edit-key and assign ultimate trust to a key, which will > make it trusted without a signature. Yes. PGP differs on this point - you can only make a key ultimately trusted if you have both the public and secret parts. GnuPG lets you make any key ultimately trusted. I like the GnuPG method better since some people keep their secret keys offline. David From jeff+gnupg at jeffenstein.dyndns.org Thu Dec 30 22:36:57 2004 From: jeff+gnupg at jeffenstein.dyndns.org (Jeff Fisher) Date: Thu Dec 30 22:31:46 2004 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <20041230210032.GG12645@jabberwocky.com> References: <20041229153400.GJ30683@jabberwocky.com> <200412291854.TAA00416@vulcan.xs4all.nl> <20041230014443.GU30683@jabberwocky.com> <20041230043512.GE684@wilma.widomaker.com> <20041230000801.N31825@willy.wonka> <41D45C00.6030204@toehold.com> <20041230202915.34191.qmail@suspicious.org> <41D46857.7050905@toehold.com> <20041230210032.GG12645@jabberwocky.com> Message-ID: <20041230213657.GB14687@frogger.jeffnet> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Thu, Dec 30, 2004 at 04:00:32PM -0500, David Shaw wrote: > > Still, how would you go about checking the identity of a key that > identifies itself only as "PGP Global Directory Verification Key" ? I > can certainly understand that you signed the Robot CA key, but signing > the GD key seems to be a leap of faith rather than actual hard > knowledge. It's signing keys left and right, which started this whole discussion. Is there any doubt that this particular key is anything but what it purportes to be? If so, where are the real signatures from the real key that is supposed to be fullfilling this role? For most of us, we're assuming that there is not an adversary with infinite resources out to get us. If there were, I would not trust any signatures except my own, or those of personally trusted associates. (And probably not gnupg itself or this computer, but there it is...) - -- Me - jeff@jeffenstein.dyndns.org -----BEGIN PGP SIGNATURE----- iQIVAwUBQdR0+BwPMBUZyYf1AQj/3g/9Ed3TXxZnm51OGYyKECANrLlTJrdsNgjC F+sj1kMYmYOjMNQouVmL9D+8pTpWcl7jfR/zqbYoxvzWT8iRdvHZuhOcnFXStU12 36poEJJRsjLBvWIAbihfFeay33DZfe3C0+TnWYEFABShxfec2XZt99UTVGJDeUiN tWTelqBJmlOSq2enUmwa+9fLw6MUj38sX/V0EyPrMtmn523ZC/G2SIg80n+rngGN JLlbb+yndGeHNAfNt1s2iLdQ7HSsw2hSqV1P1DYN5zNd7f0bKpcIDAIeMAJBjAha VAKqSGOe/CeqxNNvtvGfxXpBTNPi0Glviem+Bpi3hmdOenLIRIKz+3dYF/n+J7sI z80KmUTRF/E/nL8GOD6ERYUmmyueC31WAH/fyRzbiT3txfV0REV/SRUDZ6gdXBO9 O465KJdcXTucwPzeITzolkKOYDdPwMxy1IvYfhH0HzBaMCW8eodK9Z/cVm+jgOGA dZoFP/zInCMbnEM46ZW4jT8pL9sMQkyqTlYQUQepxjzuMlCImn+6nN0ZRKuwkOnO vDSzj7BK2ZX8EmAxwlsqQYcnPqm/5h8GFrBBUsTAzUmlXt4Dvx5EaYdhAlnIYXW/ AUck0gDL1m2JdTWwj8LL/Bs7D+BKkn77jdN0Lf4T3Fa44I/cuRw3Ho9FX+22R7Q+ onqJkp6D2V4= =COhw -----END PGP SIGNATURE----- From kyle at toehold.com Thu Dec 30 22:35:05 2004 From: kyle at toehold.com (Kyle Hasselbacher) Date: Thu Dec 30 22:32:10 2004 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <20041230210032.GG12645@jabberwocky.com> References: <20041229153400.GJ30683@jabberwocky.com> <200412291854.TAA00416@vulcan.xs4all.nl> <20041230014443.GU30683@jabberwocky.com> <20041230043512.GE684@wilma.widomaker.com> <20041230000801.N31825@willy.wonka> <41D45C00.6030204@toehold.com> <20041230202915.34191.qmail@suspicious.org> <41D46857.7050905@toehold.com> <20041230210032.GG12645@jabberwocky.com> Message-ID: <41D47489.9000206@toehold.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Shaw wrote: | Still, how would you go about checking the identity of a key that | identifies itself only as "PGP Global Directory Verification Key" ? I | can certainly understand that you signed the Robot CA key, but signing | the GD key seems to be a leap of faith rather than actual hard | knowledge. Yes, it would be. All I could do is verify that it APPEARS to work as advertised. Its functionality IS its identity, in my opinion, but I can see there are dueling interpretations here: * I made it and called it "Robot CA". Therefore, it is "Robot CA". Only I, its mighty creator, can verify its identity. The rest of you have to take my word for it. * It is called "Robot CA" and it performs within the definition of "Robot CA" that I agree with. Anyone satisfied with the performance can verify its identity. Satisfaction comes through software testing instead of "testing" an official document of some kind. I take the latter interpretation. It's fuzzier, but I think it conforms better to how I already think of signatures. As such, even my own signature on my own Robot CA is a matter of some faith (that it's bug-free, nyuck nyuck nyuck). I can't test the GD as a user the same way I tested RCA as an operator, so there would be more faith involved in that signature, if I ever made one. I consider that similar to the extra faith involved in signing a key named "Fred" when the state-issued ID says "Frederick". Kyle. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3-nr1 (Windows XP) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFB1HSJzS7R/flctWYRAlkWAKCcK0188iKjdKGfIh6sRyDG8Wf+zQCePY/B VAWVq68MJ5y2LUW31snErq0= =USPZ -----END PGP SIGNATURE----- From atom at suspicious.org Thu Dec 30 22:57:36 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Thu Dec 30 22:51:27 2004 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <20041230213657.GB14687@frogger.jeffnet> References: <20041229153400.GJ30683@jabberwocky.com> <200412291854.TAA00416@vulcan.xs4all.nl> <20041230014443.GU30683@jabberwocky.com> <20041230043512.GE684@wilma.widomaker.com> <20041230000801.N31825@willy.wonka> <41D45C00.6030204@toehold.com> <20041230202915.34191.qmail@suspicious.org> <41D46857.7050905@toehold.com> <20041230210032.GG12645@jabberwocky.com> <20041230213657.GB14687@frogger.jeffnet> Message-ID: <20041230215507.74028.qmail@suspicious.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Thu, 30 Dec 2004, Jeff Fisher wrote: > It's signing keys left and right, which started this whole discussion. > Is there any doubt that this particular key is anything but what it > purportes to be? If so, where are the real signatures from the real key > that is supposed to be fullfilling this role? > > For most of us, we're assuming that there is not an adversary with > infinite resources out to get us. If there were, I would not trust any > signatures except my own, or those of personally trusted associates. > (And probably not gnupg itself or this computer, but there it is...) =============================== i (or anyone) can generate a key that's identified as "PGP Global Directory Verification Key" and sign any number of keys with it. one can even get a list of keys that have exchanged signatures with the real key and sign all of them. that doesn't make it the real thing, but it sure would cause a lot of confusion. if i sign your key, and you sign bob's key, that doesn't mean that i should go and sign bob's key (unless i first verify it with bob). sure, i can trace a path from me to bob, but that's very different than signing bob's key because of that path. signing a key is a statement that one has checked and verified that the key really belongs to the person or group identified by the key. unless that verification is actually done, the only statement being made is that someone is issuing bad signatures. - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "Politics is the art of preventing people from taking part in affairs which properly concern them." -- Paul Valery -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJB1HnVAAoJEAx/d+cTpVciDm8H/j7ANhOKH4cbi0i8v9K73+iq +ps/mCVnuW7YLNgCMlf9FPtwlmroTxrlbdHe4aOEZpl+Kq/DnyoslBwbX3qztVjg 9v/TXww1WlEA69208u9EJVU97wMe7EdAIg+X2UxQspJt+sB2Tp3+k7SOQ1FD5z1O mzoFCsGox5KpICospbSpG4DBlm/DzVG9iyvfjrs4gt53PM+eZzSw5DWfyPILuKxz PZbYhJYhiCn9Jc1spWriuJKdCxfhre7gIuEn5DwPv5PtUjxuMQSi6+wMOCKZLjK/ sTaPEf89M04nxDvEuFIHUMIQ3iGRSoSj1tI32O0P0MrU+BqlvsM1guhwFiuslvw= =97mN -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Thu Dec 30 02:22:40 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Dec 31 01:56:29 2004 Subject: Is there a gpgkeys_mailto for Win32? In-Reply-To: <200412292036.VAA00953@vulcan.xs4all.nl> References: <20041229191739.GK30683@jabberwocky.com> <200412292036.VAA00953@vulcan.xs4all.nl> Message-ID: <20041230012239.GT30683@jabberwocky.com> On Wed, Dec 29, 2004 at 09:36:04PM +0100, Johan Wevers wrote: > David Shaw wrote: > > >Do you happen to know if using ShellExecute() to open a mailto: URL is > >widely supported? > > It is, as long as there is a mail application associated with such an > URL. But if there's no mailer installed there is no point in using > gpgkeys_mailto anyway. Hmm, so it's worth a try. Adding a key via a mailto URL could be interesting, though. I wonder how the various mailto handlers would deal with an URL that is over 32k long! David From atom at suspicious.org Fri Dec 31 00:47:30 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Fri Dec 31 03:53:21 2004 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <20041230000801.N31825@willy.wonka> References: <20041229153400.GJ30683@jabberwocky.com> <200412291854.TAA00416@vulcan.xs4all.nl> <20041230014443.GU30683@jabberwocky.com> <20041230043512.GE684@wilma.widomaker.com> <20041230000801.N31825@willy.wonka> Message-ID: <20041230182334.O31825@willy.wonka> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 when i looked at the GD key here there are signatures from PRZ (0xB2D7795E) and some people with email addresses @pgp.com. those signatures seem reasonable, and they will be spared from my list of untrusted signers. then i noticed something else weird... the GD key has a picture... a cartoon globe behind a cartoon key... if i ever see someone who looks like that i'll have to ask if their name is "PGP Global Directory Verification Key" ;) the picture seems to offer the same advantages (ie: none) as attaching a smiley-face image to ones key, but at least a smiley is entertaining. - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "`Energize the demolition beams.' Light poured out into the hatchways. `I don't know,' said the voice on the PA, `apathetic bloody planet, I've no sympathy at all.' It cut off. There was a terrible ghastly silence. There was a terrible ghastly noise. There was a terrible ghastly silence. -- Douglas Adams, Hitchhikers Guide to the Galaxy -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJB1JOYAAoJEAx/d+cTpVcipLYH/3HeJr4A2UnrDcMJSzIa7E8v WtgFMvRXrC6n+mI+8usCsvqkJzqp/mzDeK/qcOAXZ74P6zVOA82b7TQT5O3ZIbSd exhKXrdCKeiC06v3JkL3q3UCx3QyUoKBvmrKF9Ktr6MMTnCwVaHOCs2Lx6B+Muan a9tAoN8GZwaWrCLKUevuUe+qWt+hROxuMb+8lDbLYrqrGrsqLpMTsG8EGQwZpO3c dPrxrk3xnfuQXKTgXVq5lSaQBM7oEA8Yt5UL67cHMqw7hr+5IhUFVM3sr7355RIQ dluDym5igjtZYZ5CsCoGS/XVsOlhAjiDNnisNq+UG9dpziH/F668QBbFyjUUjaQ= =YqCQ -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: 9710B89BCA57AD7C.jpg Type: image/jpeg Size: 3400 bytes Desc: Url : /pipermail/attachments/20041230/3ebe5b78/9710B89BCA57AD7C.jpg -------------- next part -------------- A non-text attachment was scrubbed... Name: smiley.gif Type: image/gif Size: 5113 bytes Desc: Url : /pipermail/attachments/20041230/3ebe5b78/smiley.gif From dshaw at jabberwocky.com Fri Dec 31 03:48:22 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Dec 31 03:53:32 2004 Subject: Global Directory signatures (was Re: GPG wants to check trustdb every day) In-Reply-To: <20041230175107.GF684@wilma.widomaker.com> References: <20041229153400.GJ30683@jabberwocky.com> <200412291854.TAA00416@vulcan.xs4all.nl> <20041230014443.GU30683@jabberwocky.com> <20041230043512.GE684@wilma.widomaker.com> <20041230051945.GY30683@jabberwocky.com> <20041230175107.GF684@wilma.widomaker.com> Message-ID: <20041231024822.GA17056@jabberwocky.com> On Thu, Dec 30, 2004 at 12:51:08PM -0500, Jason Harris wrote: > On Thu, Dec 30, 2004 at 12:19:45AM -0500, David Shaw wrote: > > On Wed, Dec 29, 2004 at 11:35:12PM -0500, Jason Harris wrote: > > > > Good luck. Each person who signed 0xCA57AD7C and uploaded their > > > signature for others to use: > > > > probably disagrees, unless keyserver.pgp.com is now secretly > > > infiltrating its keys into the regular public keyserver network. > > > > I'm not sure what connection this comment has with the discussion. > > > As I said, unless someone is bridging keys intentionally, then the > > GnuPG filter should handle it reasonably well. (Only "reasonably" > > well because of the overlap in signature dates). > > People are "bridging keys[erver networks]." They have to be downloading > their signed key from the pgp.com keyserver, verifying the signature from > 0xCA57AD7C, signing 0xCA57AD7C, and uploading it with their reciprocal > signature to a synchronized keyserver. (OK, they could be skipping the > first two steps... :) This is not an example of bridging keys. The GD key (CA57AD7C) is stored on the GD, but isn't itself certified by the GD (except for the obvious selfsig) and isn't part of the GD verification system. An example of bridging keys is (for example), my key 99242560. Someone took the trouble of downloading it from the GD, and then uploading it (gee thanks) to the keyserver net. They didn't add any signatures, they didn't add anything at all - just copied it over. It could have been accidental or it could have been intentional, and it's probably happened to at least a few keys besides mine. I don't think this sort of thing is common, or there would be a huge number of signatures from the GD key on the keyserver net, and there aren't. Since this isn't common, then a GnuPG feature to disregard expired sigs should work reasonably well, as I've said. > http://keyserver.kjsl.com/~jharris/ka/current/CA/CA57AD7C shows 163 > signatures to and 120 signatures from 0xCA57AD7C by 2004-12-26. The > report for 2004-12-12 lists 36 signatures to and from 0xCA57AD7C. > All of these keys signed by 0xCA57AD7C made their way from the > pgp.com keyserver to the regular keyservers. Assuming all > signatures from 0xCA57AD7C expire in 14 days, any keys appearing in > both reports were uploaded twice. OK, 0xF7447263 is the only key > common to these two reports. Which shows that people aren't actively bridging keys, or you'd have vastly more than 120 signatures issused by the GD key on the keyserver net. Far more than 120 people use the GD. David From dshaw at jabberwocky.com Fri Dec 31 04:17:12 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Dec 31 04:14:10 2004 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <20041230213657.GB14687@frogger.jeffnet> References: <20041229153400.GJ30683@jabberwocky.com> <200412291854.TAA00416@vulcan.xs4all.nl> <20041230014443.GU30683@jabberwocky.com> <20041230043512.GE684@wilma.widomaker.com> <20041230000801.N31825@willy.wonka> <41D45C00.6030204@toehold.com> <20041230202915.34191.qmail@suspicious.org> <41D46857.7050905@toehold.com> <20041230210032.GG12645@jabberwocky.com> <20041230213657.GB14687@frogger.jeffnet> Message-ID: <20041231031712.GJ12645@jabberwocky.com> On Thu, Dec 30, 2004 at 10:36:57PM +0100, Jeff Fisher wrote: > On Thu, Dec 30, 2004 at 04:00:32PM -0500, David Shaw wrote: > > > > Still, how would you go about checking the identity of a key that > > identifies itself only as "PGP Global Directory Verification Key" ? I > > can certainly understand that you signed the Robot CA key, but signing > > the GD key seems to be a leap of faith rather than actual hard > > knowledge. > > It's signing keys left and right, which started this whole > discussion. Is there any doubt that this particular key is anything > but what it purportes to be? If so, where are the real signatures > from the real key that is supposed to be fullfilling this role? There is a difference between believing something personally, and making a public statement about that same something. The first is opinion. The second needs proof. Key 57548DCD is the key that signs new GnuPG releases. I believe that this key belongs to Werner. It would be absurdly difficult for it to be some imposter since there have been however many GnuPG releases over the past few years, all signed by this key. Realistically, it is utterly obvious that Werner is the key owner. Would I sign this key without meeting Werner? No. Perhaps a better example would be Jason Harris' key D39DA0E3. I never met Jason, but his key is fully valid to me because I met another fellow and signed his key, and he in turn met Jason and signed his key. Am I confident that Jason's key is really D39DA0E3? Absolutely. Not only do I trust Douglas' signature, but Jason also signs his email, so I see a ton of signatures coming from Jason all from key D39DA0E3. Still wouldn't sign it without meeting Jason in person. Crazy, no doubt! > For most of us, we're assuming that there is not an adversary with > infinite resources out to get us. If there were, I would not trust > any signatures except my own, or those of personally trusted > associates. (And probably not gnupg itself or this computer, but > there it is...) Indeed. With trust issues it is very easy to paranoid oneself into immobility. The idea behind the GD is that some people are willing to trade a (hopefully small) amount of security for a (hopefully large) amount of usability. The neat bit of design the PGP folks did in the GD is that you can choose to get some of the usability features without trading anything in security. They left it up to the user what tradeoff to make. David From atom at suspicious.org Fri Dec 31 00:47:30 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Fri Dec 31 04:40:38 2004 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <20041230000801.N31825@willy.wonka> References: <20041229153400.GJ30683@jabberwocky.com> <200412291854.TAA00416@vulcan.xs4all.nl> <20041230014443.GU30683@jabberwocky.com> <20041230043512.GE684@wilma.widomaker.com> <20041230000801.N31825@willy.wonka> Message-ID: <20041230234516.85980.qmail@suspicious.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 when i looked at the GD key here there are signatures from PRZ (0xB2D7795E) and some people with email addresses @pgp.com. those signatures seem reasonable, and they will be spared from my list of untrusted signers. then i noticed something else weird... the GD key has a picture... a cartoon globe behind a cartoon key... if i ever see someone who looks like that i'll have to ask if their name is "PGP Global Directory Verification Key" ;) the picture seems to offer the same advantages (ie: none) as attaching a smiley-face image to ones key, but at least a smiley is entertaining. - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "`Energize the demolition beams.' Light poured out into the hatchways. `I don't know,' said the voice on the PA, `apathetic bloody planet, I've no sympathy at all.' It cut off. There was a terrible ghastly silence. There was a terrible ghastly noise. There was a terrible ghastly silence. -- Douglas Adams, Hitchhikers Guide to the Galaxy -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJB1JOYAAoJEAx/d+cTpVcipLYH/3HeJr4A2UnrDcMJSzIa7E8v WtgFMvRXrC6n+mI+8usCsvqkJzqp/mzDeK/qcOAXZ74P6zVOA82b7TQT5O3ZIbSd exhKXrdCKeiC06v3JkL3q3UCx3QyUoKBvmrKF9Ktr6MMTnCwVaHOCs2Lx6B+Muan a9tAoN8GZwaWrCLKUevuUe+qWt+hROxuMb+8lDbLYrqrGrsqLpMTsG8EGQwZpO3c dPrxrk3xnfuQXKTgXVq5lSaQBM7oEA8Yt5UL67cHMqw7hr+5IhUFVM3sr7355RIQ dluDym5igjtZYZ5CsCoGS/XVsOlhAjiDNnisNq+UG9dpziH/F668QBbFyjUUjaQ= =YqCQ -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: 9710B89BCA57AD7C.jpg Type: image/jpeg Size: 3400 bytes Desc: Url : /pipermail/attachments/20041230/4c7bb183/9710B89BCA57AD7C.jpg -------------- next part -------------- A non-text attachment was scrubbed... Name: smiley.gif Type: image/gif Size: 5113 bytes Desc: Url : /pipermail/attachments/20041230/4c7bb183/smiley.gif From greg at turnstep.com Fri Dec 31 08:18:53 2004 From: greg at turnstep.com (Greg Sabino Mullane) Date: Fri Dec 31 08:15:47 2004 Subject: Global Directory signatures In-Reply-To: <20041228151558.GG30683@jabberwocky.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I've been working on this problem for a while, and finally had a chance during this past break to hash out some final issues. I'm going to be expanding biglumber soon into a "real" keyserver. However, it's going to be a little different from other keyservers. The main difference is that the owner of a key will have complete control of their public key. This means that (for example) - --recv-key will work, but --send-keys may* not. If you want to make a change to your public key, you must authenticate (currently via web/email, but either alone someday). In addition, the keyserver will only have entries from people who are either in the strong set or who have added their key to biglumber directly. I consider the fact that anyone can upload another person's changed public key to a keyserver a potential Denial of Service, and thus will not allow it. * Keys in the strong set will be allowed to be updated "anonymously" until such time as the owner logs in to biglumber, at which point it switches over to a "owner update only" key. - -- Greg Sabino Mullane greg@turnstep.com PGP Key: 0x14964AC8 200412310202 http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8 -----BEGIN PGP SIGNATURE----- iD8DBQFB1P2tvJuQZxSWSsgRAknZAJ9kIUSHJGaj2fOv/4k4LyV13zwzmgCfdDsv PNd5HxgPpJqtyAJ3eJ9uQDw= =y6D6 -----END PGP SIGNATURE----- From johanw at vulcan.xs4all.nl Fri Dec 31 00:49:21 2004 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Fri Dec 31 10:00:23 2004 Subject: Global Directory signatures (was Re: GPG wants to check trustdb every day) In-Reply-To: <20041230014443.GU30683@jabberwocky.com> from David Shaw at "Dec 29, 2004 08:44:43 pm" Message-ID: <200412302349.AAA00821@vulcan.xs4all.nl> OK, someone apparently put my key to the GD server. I got a mail with 13(!) .gif images attached asking if I want to go to a certain URL. I don't plan to do that. It said among other things: >This message was generated by request from a machine at IP address >66.28.204.22. I don't recognise the address and dig -x doesn't give anything usefull, so I've no idea who sent my key to the GD. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From minnesotan at runbox.com Fri Dec 31 16:29:47 2004 From: minnesotan at runbox.com (Randy Burns) Date: Fri Dec 31 16:26:39 2004 Subject: Biglumber Keyserver (was: Global Directory signatures) In-Reply-To: Message-ID: <20041231152947.828.qmail@web50904.mail.yahoo.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --- Greg Sabino Mullane wrote: > I've been working on this problem for a while, and finally had > a chance during this past break to hash out some final issues. > I'm going to be expanding biglumber soon into a "real" > keyserver. However, it's going to be a little different from > other keyservers. The main difference is that the owner of a > key will have complete control of their public key. This means > that (for example) > - --recv-key will work, but --send-keys may* not. > If you want to make a change to your public key, you must > authenticate (currently via web/email, but either alone > someday). In addition, the keyserver will only have entries > from people who are either in the strong set or who have added > their key to biglumber directly. I consider the fact that > anyone can upload another person's changed public key to a > keyserver a potential Denial of Service, and thus will not > allow it. > * Keys in the strong set will be allowed to be updated > "anonymously" until such time as the owner logs in to > biglumber, at which point it switches over to a "owner update > only" key. - --------------------------------------------------------- gpg: Signature made 12/31/2004 01:20:13 using DSA key ID 14964AC8 gpg: Good signature from "Greg Sabino Mullane " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 2529 DF6A B8F7 9407 E944 45B4 BC9B 9067 1496 4AC8 Time: 12/31/2004 9:09:03 AM (12/31/2004 3:09:03 PM UTC) - --------------------------------------------------------- It sounds like a great resource for PGP/GPG users everywhere, but what about the costs--bandwidth, bug tracking, and time communicating with "customers"? Maybe bandwidth is not much of an issue with PGP keyservers--I don't know. But, I like to see people get paid for their work, and their time educating users. No good deed goes unpunished. :-) Good Luck, Randy -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (MingW32) - GPGshell v3.23 Comment: public key: www (dot) randyburns (dot) org iD8DBQFB1W72O1wFkBRYxW8RAvobAJ0bQIa5q1YToQ2gvUoH733bDr4OSwCdHA1+ 6rszMjav2/xtk4mSGnXyZsk= =SE2Q -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Fri Dec 31 16:44:23 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Dec 31 16:41:28 2004 Subject: Global Directory signatures In-Reply-To: References: <20041228151558.GG30683@jabberwocky.com> Message-ID: <20041231154422.GA22611@jabberwocky.com> On Fri, Dec 31, 2004 at 07:18:53AM -0000, Greg Sabino Mullane wrote: > I've been working on this problem for a while, and finally had a > chance during this past break to hash out some final issues. I'm > going to be expanding biglumber soon into a "real" keyserver. > However, it's going to be a little different from other keyservers. > The main difference is that the owner of a key will have complete > control of their public key. This means that (for example) > --recv-key will work, but --send-keys may* not. If you want to make > a change to your public key, you must authenticate (currently via > web/email, but either alone someday). In addition, the keyserver > will only have entries from people who are either in the strong set > or who have added their key to biglumber directly. I consider the > fact that anyone can upload another person's changed public key to a > keyserver a potential Denial of Service, and thus will not allow it. Very neat! I'm curious about the details. What keyserver protocol are you planning to use to communicate with the outside world? (http like the current biglumber? hkp? ldap?) You may well have addressed this already, but there are a couple of hidden gotchas in a design that only allows the key owner to prevent third-party updates. Consider the case where Alice signs Baker's key, and Baker stores this signed key in biglumber. If Alice then revokes that signature, Baker may well choose to keep the signature but discard the revocation. This makes a false link, and is an attack against Alice and anyone who trusts Alice's signatures. There are similar problems with designated revocations. Baker has his key stored in biglumber but it is compromised. Alice is Baker's designated revoker, and generates a revocation certificate for Baker but cannot upload it because the false "Baker" won't allow her to. A simple solution to all of this is to allow some modifications to take place on keys without key owner approval: signature revocations (only if the original signature exists on the key), key revocations (anytime), and designated revocations (only from a designated revoker). Note that 'sensitive' designated revocations come with their own designated revoker status. Incidentally, I believe the GD handles these issues correctly, though I'm not sure about designated revocations. I know I discussed them with the PGP folks when they were designing the GD. David From npellegr at numericable.fr Wed Dec 29 10:03:55 2004 From: npellegr at numericable.fr (npellegr@numericable.fr) Date: Mon Jan 3 09:07:33 2005 Subject: Choosing the Hash and cyphering algorithm Message-ID: <1104311035.41d272fb18c43@webmail.numericable.fr> It looks like i made a mistake switching q and d ... i modify the initial msg ! Nicolas Pellegrin >>Well about he whole point and especially RSA I should be able to cypher with my >>private key since the exponents are inverses : >>d = e^-1 mod (p-1)(q-1) with q the private exponent and e the public one. >>Actually when you sign something it's >>c = RSA(priv,H(m)) with H the Hash function. >>So I know it's possible. I only want to "c = m^d mod n" Nicolas Pellegrin From ACM125 at motorola.com Thu Dec 30 17:26:38 2004 From: ACM125 at motorola.com (Mazzer Cassio-ACM125) Date: Mon Jan 3 09:07:45 2005 Subject: Encrypting a file to multiple recipients Message-ID: <77B168ACB35B1C4CA3A4CF5A4C67D3C70A1CDD85@zbr05exm02.jag.br.mot.com> Hi, I'm trying to encrypt a file using a list of recipients. For instance, I have a file called test.txt and I want to encrypt this file to send to multiple recipients (recipient_01 and recipient_02). I'm using the following command line (I have tested and it works): gpg --yes -r "recipient_01" -r "recipient_02" -e test.txt -o test_encrypted.txt.gpg. This command works fine. However, I'd like to know if I really have to repeat the "-r" before each recipient or if there is a way of executing this command typing something like gpg --yes -r--list-recipients "recipient_01" "recipient_02" -e test.txt