From atom at smasher.org Thu Dec 1 04:03:19 2005 
From: atom at smasher.org (Atom Smasher)
Date: Thu Dec 1 04:03:10 2005
Subject: PK-Encrypt-only
In-Reply-To: <438DC633.2050305@excelcia.org>
References: <438DC633.2050305@excelcia.org>
Message-ID: <20051201030322.72281.qmail@smasher.org>

On Wed, 30 Nov 2005, Kurt Fitzner wrote:

> I am contemplating a change to my GnuPG Explorer Extension, but I need
> some background information.
>
> I know that encrypting a file without signing it is commonly done with
> symmetrical encryption. My question is, do people commonly use GnuPG to
> encrypt a file without signing it using PK-encryption?
>
> Personally, I don't think this would be very common at all. I mean, I
> can come up with conceptual reasons why someone might want to encrypt a
> file to someone else's key without signing the file, but in practice I
> would think it would be very rare.
>
> I would appreciate knowing if this is something that is commonly done,
> or if it is very rare.
=========================

done all the time in email for, um, (somewhat) plausible deniability.

encrypting without signing can also be useful in automated encryption
applications where it would not be beneficial to leave a signing key
laying around. things such as writing data to a database or sending out an
encrypted email can benefit from public key encryption; if the server is
successfully attacked, the public key is compromised and can not aid the
attacker in recovering encrypted data. adding a signing key (that's
available to an automated application, and also an attacker) only adds a
false sense of security as to the message's authenticity.

--
        ...atom

 _________________________________________
 PGP key - http://atom.smasher.org/pgp.txt
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
 -------------------------------------------------

        "According to the Environmental Protection Agency, factory
         farming pollutes U.S. waterways more than all industrial
         sources combined."
                -- PETA

From wk at gnupg.org Thu Dec 1 11:58:56 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Dec 1 12:01:50 2005
Subject: PK-Encrypt-only
In-Reply-To: <438DC633.2050305@excelcia.org> (Kurt Fitzner's message of "Wed, 30 Nov 2005 08:33:07 -0700")
References: <438DC633.2050305@excelcia.org>
Message-ID: <87iru9t767.fsf@wheatstone.g10code.de>

On Wed, 30 Nov 2005 08:33:07 -0700, Kurt Fitzner said:

> I know that encrypting a file without signing it is commonly done with
> symmetrical encryption. My question is, do people commonly use GnuPG to
> encrypt a file without signing it using PK-encryption?

In email I use it when I have no access to my signing key. On a more
regular basis I use it to encrypt sensitive parts of backups as well
as confidential information stored in databases.

Salam-Shalom,

   Werner

From gnupg-users=gnupg.org at lists.palfrader.org Thu Dec 1 12:04:13 2005
From: gnupg-users=gnupg.org at lists.palfrader.org (Peter Palfrader)
Date: Thu Dec 1 15:55:40 2005
Subject: --openpgp, MDC and similar flags
In-Reply-To: <438BAEC8.4050708@mathematica.scientia.net>
References: <438BAEC8.4050708@mathematica.scientia.net>
Message-ID: <20051201110413.GF601@asteria.noreply.org>

On Tue, 29 Nov 2005, Christoph Anton Mitterer wrote:

> ... as you can see, MDC is set. Referring to
> http://lists.gnupg.org/pipermail/gnupg-users/2003-May/018442.html and
> RFC2440 I assume that MDC is still not part of the standard. Why is it
> activated in my key? (Of course this is a good thing, but I just wonder
> that if "openpgp" did not work for MDC, other things might be
> "incompatible", too)
>
>
> 2) What other things does GPG that are beyond RFC2440?
> 3) Are there any other flags like MDC? I know about keyserver-no-modify
> but that is documented in RFC2440.

GnuPG is staying up to date with the changes that have been proposed
after RFC2440 was released. The IETF OpenPGP working group is now
in its last steps to release a new internet draft, the current snapshot
of their work is 2440bis-15.

http://www.ietf.org/internet-drafts/draft-ietf-openpgp-rfc2440bis-15.txt

MDC and back signatures (0x19) are specified there.

HTH,
Peter
--
 PGP signed and encrypted  |  .''`.  ** Debian GNU/Linux **
    messages preferred.    | : :' :      The universal
                           | `. `'      Operating System
 http://www.palfrader.org/ |   `-    http://www.debian.org/

From alex at bofh.net.pl Thu Dec 1 16:11:36 2005
From: alex at bofh.net.pl (Janusz A. Urbanowicz)
Date: Thu Dec 1 16:55:59 2005
Subject: PK-Encrypt-only
In-Reply-To: <438DC633.2050305@excelcia.org>
References: <438DC633.2050305@excelcia.org>
Message-ID: <20051201151135.GZ29592@syjon.fantastyka.net>

On Wed, Nov 30, 2005 at 08:33:07AM -0700, Kurt Fitzner wrote:
> I am contemplating a change to my GnuPG Explorer Extension, but I need
> some background information.
>
> I know that encrypting a file without signing it is commonly done with
> symmetrical encryption. My question is, do people commonly use GnuPG to
> encrypt a file without signing it using PK-encryption?
>
> Personally, I don't think this would be very common at all. I mean, I
> can come up with conceptual reasons why someone might want to encrypt a
> file to someone else's key without signing the file, but in practice I
> would think it would be very rare.
>
> I would appreciate knowing if this is something that is commonly done,
> or if it is very rare.

This is routinely done when a file is encrypted for storage - instead of
using a password, which might get forgotten and is problematic for sharing,
the file is encrypted with the keys of the persons that are allowed to
decrypt it, then stored. This is done for files like backups, source code
archives, etc.

Alex
--
mors ab alto
0x46399138

From telegraph at gmx.net Fri Dec 2 13:10:01 2005
From: telegraph at gmx.net (Gregor Zattler)
Date: Fri Dec 2 13:10:50 2005
Subject: disjunct paths
In-Reply-To: <20051130201702.GB23434@jabberwocky.com>
References: <20051125235616.GA19545@a-eskwadraat.nl>
	<20051129044151.GC18812@jabberwocky.com>
	<20051130152921.GL5208@pit.ID-43118.user.dfncis.de>
	<20051130184217.GA23434@jabberwocky.com>
	<20051130191144.GB32380@pit.ID-43118.user.dfncis.de>
	<20051130201702.GB23434@jabberwocky.com>
Message-ID: <20051202121001.GH5123@pit.ID-43118.user.dfncis.de>

Hi David,
* David Shaw [30. Nov. 2005]:
> On Wed, Nov 30, 2005 at 08:11:44PM +0100, Gregor Zattler wrote:
> > * David Shaw [30. Nov. 2005]:
> > > On Wed, Nov 30, 2005 at 04:29:21PM +0100, Gregor Zattler wrote:
> > > > * David Shaw [28. Nov. 2005]:
> > > > > On Sat, Nov 26, 2005 at 12:56:16AM +0100, Jaap Eldering wrote:
> > > > > Yes, it is. There are a few servers that do more or less what you
> > > > > describe (for example http://www.lysator.liu.se/~jc/wotsap/). It's
> > > > > useful to see the various paths, but unless you trust each step in the
> > > > > chain, it doesn't really help you get trust in the end point.
> > > >
> > > > Doesn't it help if there are several disjunct paths? Couldn't I
> > > > say I trust a User-Id if more than n disjunct paths of trust
> > > > exist from my key to the other?
> > >
> > > Yes, if you trust those disjunct paths :) A hundred disjunct paths
> > > that you don't trust don't help much.
> >
> > Why not? The disjunct paths from my key to the target key
> > all start with keys signed by me. So all owners of this said
> > keys must be part of a conspiracy. If I met the different key
> > owners in different contexts this isn't very likely to happen.
>
> Unless you're talking about paths with only one hop, it doesn't work.
> The paths *start* with keys signed by you. After that, you have no
> assurance.
>
> Given these paths:
>
> Gregor -> Alice -> Baker -> Charlie -> David
> Gregor -> Lorina -> Mark -> Nate -> David
> Gregor -> Edith -> Frank -> George -> David
>
> You know (because you signed them), that Alice, Lorina, and Edith are
> valid. Lets say that you also fully trust them to make good
> signatures, so that makes Baker, Mark, and Frank fully valid as well.
> However, not knowing how well Baker, Mark, or Frank issue signatures
> stops you from making Charlie, Nate or George valid, which stops you
> in turn from making my key valid.

O.k. it's not very likely that an attacker is able to surround
all the people which keys I signed with people deliberately
signing wrong keys to trick me. OTOH I can not be certain that
Charlie, Nate and George know what they are doing when signing a
key. But...

[...]
> > !? Does gpg calculate trust several hops along the trust path?
>
> GPG will calculate trust for 5 hops along the path, by default. You
> can tune this with --max-cert-depth.

How then is gpg able to calculate trust paths with more than one
hop?

Ciao, Gregor
--
 -... --- .-. . -.. ..--.. ...-.-

From milan.lehocky at gmail.com Fri Dec 2 15:33:58 2005
From: milan.lehocky at gmail.com (Milan Lehocky)
Date: Fri Dec 2 18:57:14 2005
Subject: gpgme streaming example
Message-ID: <8dfcd0510512020633kc18c9ebsc2da4442415a8e9b@mail.gmail.com>

Hi,

I'm trying to write a code (using gpgme library) with on-the-fly
encryption. The amount of data is about 10MB and I don't want them to be
saved on the file system.

Is it possible? Can you provide me an example code please?
How can I use gpgme_data_new_from_stream() ?

Thanks,
Milan

From shofer at gmx.de Sat Dec 3 18:56:42 2005
From: shofer at gmx.de (Sebastian Hofer)
Date: Sat Dec 3 21:13:58 2005
Subject: gpg: [don't know]: invalid packet (ctb=2d)
Message-ID: <200512031856.42761.shofer@gmx.de>

Dear Listers,

I am a plain user of gnupg and new to this list. So I would like to greet
you first.

Now the problem:
I found some discussions about the "invalid packet (ctb=2d)" thing but none
of it helped me.
I have been running gpg with the same keys since 2003. I started to use them
on SuSE 7 and Win2K. Then I moved to Debian without a problem. Now I had a
disc crash recently and switched to ubuntu. When I try to import or use my old
keys I get this:

---snip----
gpg: [don't know]: invalid packet (ctb=2d)
gpg: keydb_get_keyblock failed: eof
gpg: [don't know]: invalid packet (ctb=2d)
gpg: /home/seb/.gnupg/pubring.gpg: copy to `/home/seb/.gnupg/pubring.gpg.tmp' failed: invalid packet
gpg: error writing keyring `/home/seb/.gnupg/pubring.gpg': invalid packet
gpg: [don't know]: invalid packet (ctb=2d)
gpg: keydb_search failed: invalid packet
gpg: key 09D50FE7: public key "[User ID not found]" imported
gpg: [don't know]: invalid packet (ctb=2d)
gpg: keydb_search failed: invalid packet
[GNUPG:] IMPORTED 0C1E3D6C09D50FE7 [?]
[GNUPG:] IMPORT_OK 1 CF32CCC3BD5E61F3E8722A9D0C1E3D6C09D50FE7
gpg: [don't know]: invalid packet (ctb=2d)
gpg: error reading `/home/seb/.gnupg/secring.gpg': invalid packet
gpg: import from `/home/seb/.gnupg/secring.gpg' failed: invalid packet
gpg: Total number processed: 0
gpg:               imported: 1
[GNUPG:] IMPORT_RES 0 0 1 0 0 0 0 0 0 0 0 0 0 0
---snap----

The keys were transferred from my external HD (backup) with all the other
stuff in my home directory. Some weeks ago I tried to import a copy of the
keys I still had on a W2K machine at work. Same error.

Today I thought I will use the weekend to fix the problem. One of my guesses
is that there are conflicts between my new ubuntu and the old stuff I got from
my backup done on Debian Sarge?!? So I wanted to erase gpg completely and then
reinstall it. But there are billions of dependencies ...

What should I do?

Thanks in advance and cheers,

Seb

From richard at sheflug.co.uk Tue Dec 6 13:16:21 2005
From: richard at sheflug.co.uk (Richard Ibbotson)
Date: Tue Dec 6 16:04:34 2005
Subject: GnuPG Upgrade Problems
Message-ID: <200512061216.23171.richard@sheflug.co.uk>

Hi

Wasn't sure whether to send this into a Debian list or a GnuPG list.
Mailed my request for help here because I thought Werner might want
to read about it...

My own workstation was running Debian testing back in February. For
various reasons I was only able to upgrade through Debian Sarge to
the latest testing about two weeks ago. After upgrading I found that
the box was asking to install GnuPG2 from the Debian site. I have
already installed GnuPG 1.9.11 from source from the GnuPG.org site.
The GnuPG file that wants to install itself is...

gnupg2_1.9.15-6_i386.deb

I've checked the MD5 sum for this. It's correct. Without this the
system can't update itself and I can't install any updates. Can
anyone offer any advice how to get out of this without breaking
anything ?

More info below...

# apt-get -f install gnupg2

(Reading database ... 268500 files and directories currently installed.)
Unpacking gnupg2 (from .../gnupg2_1.9.15-6_i386.deb) ...
dpkg: error processing /var/cache/apt/archives/gnupg2_1.9.15-6_i386.deb (--unpack):
 trying to overwrite `/usr/bin/kbxutil', which is also in package gnupg
dpkg-deb: subprocess paste killed by signal (Broken pipe)
Errors were encountered while processing:
 /var/cache/apt/archives/gnupg2_1.9.15-6_i386.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)

# dpkg -i gnupg2_1.9.15-6_i386.deb
Unpacking gnupg2 (from gnupg2_1.9.15-6_i386.deb) ...
dpkg: error processing gnupg2_1.9.15-6_i386.deb (--install):
 trying to overwrite `/usr/bin/kbxutil', which is also in package gnupg
dpkg-deb: subprocess paste killed by signal (Broken pipe)
Errors were encountered while processing:
 gnupg2_1.9.15-6_i386.deb

--
Richard

From rdieter at math.unl.edu Tue Dec 6 16:40:03 2005
From: rdieter at math.unl.edu (Rex Dieter)
Date: Tue Dec 6 16:47:35 2005
Subject: GnuPG Upgrade Problems
In-Reply-To: <200512061216.23171.richard@sheflug.co.uk>
References: <200512061216.23171.richard@sheflug.co.uk>
Message-ID:

Richard Ibbotson wrote:

> Wasn't sure whether to send this into a Debian list or a GnuPG list.

This is likely Debian-specific.

-- Rex

From pkern at debian.org Tue Dec 6 16:27:23 2005
From: pkern at debian.org (Philipp Kern)
Date: Tue Dec 6 17:27:12 2005
Subject: GnuPG Upgrade Problems
In-Reply-To: <200512061216.23171.richard@sheflug.co.uk>
References: <200512061216.23171.richard@sheflug.co.uk>
Message-ID: <4395ADDB.2010508@debian.org>

Richard Ibbotson wrote:
> Wasn't sure whether to send this into a Debian list or a GnuPG list.
> Mailed my request for help here because I thought Werner might want
> to read about it...

Werner might want to read about Debian-specific questions which are of no
relation to anything but the Debian packaging system? You should use
the Debian bug tracker instead so that the maintainer of the package
gets notified (the package name is in this case `gnupg2').

> # apt-get -f install gnupg2

You try to force an install which the packaging system refused. You will
get into trouble if you don't know exactly what the consequences might be.

> # dpkg -i gnupg2_1.9.15-6_i386.deb
> Unpacking gnupg2 (from gnupg2_1.9.15-6_i386.deb) ...
> dpkg: error processing gnupg2_1.9.15-6_i386.deb (--install):
>  trying to overwrite `/usr/bin/kbxutil', which is also in package
> gnupg
> dpkg-deb: subprocess paste killed by signal (Broken pipe)
> Errors were encountered while processing:
>  gnupg2_1.9.15-6_i386.deb

You screwed up here. Anything already installed `/usr/bin/kbxutil'. It is
not in the *official* `gnupg' package available on the Debian mirrors.
It is only provided by `gnupg2'.

I advise you to do the following:
 * Check if you have installed the file by yourself into `/usr/bin'.
   If so, remove it.
 * Check if the packaging system knows the package it is assigned to.
   It claimed it to be `gnupg', you could check it with
   `dpkg -S /usr/bin/kbxutil'.
 * Force uninstall the packet owning the file.
 * Install `gnupg' and `gnupg2' together via apt-get in non-force mode.
   Both could be installed on the same machine normally without any
   trouble.

Kind regards,
Philipp Kern
Debian Developer

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 186 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20051206/5be3eb12/signature.pgp

From dshaw at jabberwocky.com Wed Dec 7 05:22:17 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Dec 7 05:22:16 2005
Subject: disjunct paths
In-Reply-To: <20051202121001.GH5123@pit.ID-43118.user.dfncis.de>
References: <20051125235616.GA19545@a-eskwadraat.nl>
	<20051129044151.GC18812@jabberwocky.com>
	<20051130152921.GL5208@pit.ID-43118.user.dfncis.de>
	<20051130184217.GA23434@jabberwocky.com>
	<20051130191144.GB32380@pit.ID-43118.user.dfncis.de>
	<20051130201702.GB23434@jabberwocky.com>
	<20051202121001.GH5123@pit.ID-43118.user.dfncis.de>
Message-ID: <20051207042217.GA27652@jabberwocky.com>

On Fri, Dec 02, 2005 at 01:10:01PM +0100, Gregor Zattler wrote:
> Hi David,
> * David Shaw [30. Nov. 2005]:
> > On Wed, Nov 30, 2005 at 08:11:44PM +0100, Gregor Zattler wrote:
> > > * David Shaw [30. Nov. 2005]:
> > > > On Wed, Nov 30, 2005 at 04:29:21PM +0100, Gregor Zattler wrote:
> > > > > * David Shaw [28. Nov. 2005]:
> > > > > > On Sat, Nov 26, 2005 at 12:56:16AM +0100, Jaap Eldering wrote:
> > > > > > Yes, it is. There are a few servers that do more or less what you
> > > > > > describe (for example http://www.lysator.liu.se/~jc/wotsap/). It's
> > > > > > useful to see the various paths, but unless you trust each step in the
> > > > > > chain, it doesn't really help you get trust in the end point.
> > > > >
> > > > > Doesn't it help if there are several disjunct paths? Couldn't I
> > > > > say I trust a User-Id if more than n disjunct paths of trust
> > > > > exist from my key to the other?
> > > >
> > > > Yes, if you trust those disjunct paths :) A hundred disjunct paths
> > > > that you don't trust don't help much.
> > >
> > > Why not? The disjunct paths from my key to the target key
> > > all start with keys signed by me. So all owners of this said
> > > keys must be part of a conspiracy. If I met the different key
> > > owners in different contexts this isn't very likely to happen.
> >
> > Unless you're talking about paths with only one hop, it doesn't work.
> > The paths *start* with keys signed by you. After that, you have no
> > assurance.
> >
> > Given these paths:
> >
> > Gregor -> Alice -> Baker -> Charlie -> David
> > Gregor -> Lorina -> Mark -> Nate -> David
> > Gregor -> Edith -> Frank -> George -> David
> >
> > You know (because you signed them), that Alice, Lorina, and Edith are
> > valid. Lets say that you also fully trust them to make good
> > signatures, so that makes Baker, Mark, and Frank fully valid as well.
> > However, not knowing how well Baker, Mark, or Frank issue signatures
> > stops you from making Charlie, Nate or George valid, which stops you
> > in turn from making my key valid.
>
> O.k. it's not very likely that an attacker is able to surround
> all the people which keys I signed with people deliberately
> signing wrong keys to trick me. OTOH I can not be certain that
> Charlie, Nate and George know what they are doing when signing a
> key. But...

Yes, exactly. 1 hop away is easy, but as you get further and further
away, you just don't know the people any longer.

> > > !? Does gpg calculate trust several hops along the trust path?
> >
> > GPG will calculate trust for 5 hops along the path, by default. You
> > can tune this with --max-cert-depth.
>
> How then is gpg able to calculate trust paths with more than one
> hop?

The same way it calculates for one hop: fully valid keys with full
trust can make other keys fully valid. It doesn't matter if they are
one hop or 15 hops away, so long as the hop count is less than
--max-cert-depth.

David

From telegraph at gmx.net Wed Dec 7 14:41:26 2005
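The propagation rule David Shaw describes above, applied to the three paths from the thread, as an added example: a simplified Python model that is not GnuPG's trustdb code and not from any poster. Function and scenario names are hypothetical; the marginal-trust case assumes GnuPG's --completes-needed (1) and --marginals-needed (3) defaults, which the thread itself does not discuss.

```python
"""Simplified model of web-of-trust validity propagation (added example)."""
from collections import defaultdict

FULL, MARGINAL = "full", "marginal"   # owner-trust levels; unlisted = unknown

# The three paths from the thread; each arrow is one key signature.
PATHS = [
    ["Gregor", "Alice", "Baker", "Charlie", "David"],
    ["Gregor", "Lorina", "Mark", "Nate", "David"],
    ["Gregor", "Edith", "Frank", "George", "David"],
]
FIRST_HOP = ("Alice", "Lorina", "Edith")
SECOND_HOP = ("Baker", "Mark", "Frank")
THIRD_HOP = ("Charlie", "Nate", "George")


def signatures_from_paths(paths):
    """Turn paths into a set of (signer, signed) pairs."""
    return {(a, b) for path in paths for a, b in zip(path, path[1:])}


def compute_validity(me, signatures, ownertrust, max_cert_depth=5,
                     completes_needed=1, marginals_needed=3):
    """Return {key: hop_count} for every key that ends up valid.

    A key becomes valid when enough already-valid keys whose owners we
    trust have signed it. Model assumption: a signer at hop count d may
    certify further keys only while d < max_cert_depth.
    """
    signers_of = defaultdict(set)
    for signer, signed in signatures:
        signers_of[signed].add(signer)

    trust = dict(ownertrust)
    trust[me] = FULL                  # our own key is the trust root
    hops = {me: 0}
    for depth in range(max_cert_depth):
        newly_valid = []
        for key, signers in signers_of.items():
            if key in hops:
                continue
            usable = [s for s in signers if s in hops]   # valid signers only
            full = sum(1 for s in usable if trust.get(s) == FULL)
            marginal = sum(1 for s in usable if trust.get(s) == MARGINAL)
            if full >= completes_needed or marginal >= marginals_needed:
                newly_valid.append(key)
        if not newly_valid:           # nothing more can be reached
            break
        for key in newly_valid:
            hops[key] = depth + 1
    return hops


def scenario_thread():
    """Only the keys Gregor signed himself are fully trusted."""
    trust = {k: FULL for k in FIRST_HOP}
    return compute_validity("Gregor", signatures_from_paths(PATHS), trust)


def scenario_all_full(max_cert_depth=5):
    """Every intermediate owner is fully trusted."""
    trust = {k: FULL for k in FIRST_HOP + SECOND_HOP + THIRD_HOP}
    return compute_validity("Gregor", signatures_from_paths(PATHS), trust,
                            max_cert_depth=max_cert_depth)


def scenario_marginal_last_hop(paths=PATHS):
    """Charlie, Nate and George are only marginally trusted."""
    trust = {k: FULL for k in FIRST_HOP + SECOND_HOP}
    trust.update({k: MARGINAL for k in THIRD_HOP})
    return compute_validity("Gregor", signatures_from_paths(paths), trust)


if __name__ == "__main__":
    print("thread case:        ", scenario_thread())
    print("all fully trusted:  ", scenario_all_full())
    print("max-cert-depth 3:   ", scenario_all_full(max_cert_depth=3))
    print("3 marginal signers: ", scenario_marginal_last_hop())
    print("2 marginal signers: ", scenario_marginal_last_hop(PATHS[:2]))
```

In the thread's case validity stops at Baker, Mark and Frank, so David's key never becomes valid no matter how many disjoint paths lead to it; the paths only count once the owners along them carry owner trust.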
From: telegraph at gmx.net (Gregor Zattler)
Date: Wed Dec 7 14:42:17 2005
Subject: disjunct paths
In-Reply-To: <20051207042217.GA27652@jabberwocky.com>
References: <20051125235616.GA19545@a-eskwadraat.nl>
	<20051129044151.GC18812@jabberwocky.com>
	<20051130152921.GL5208@pit.ID-43118.user.dfncis.de>
	<20051130184217.GA23434@jabberwocky.com>
	<20051130191144.GB32380@pit.ID-43118.user.dfncis.de>
	<20051130201702.GB23434@jabberwocky.com>
	<20051202121001.GH5123@pit.ID-43118.user.dfncis.de>
	<20051207042217.GA27652@jabberwocky.com>
Message-ID: <20051207134126.GC5692@pit.ID-43118.user.dfncis.de>

Hi David,
* David Shaw [06. Dez. 2005]:
> On Fri, Dec 02, 2005 at 01:10:01PM +0100, Gregor Zattler wrote:
> > * David Shaw [30. Nov. 2005]:
> > > On Wed, Nov 30, 2005 at 08:11:44PM +0100, Gregor Zattler wrote:
> > O.k. it's not very likely that an attacker is able to surround
> > all the people which keys I signed with people deliberately
> > signing wrong keys to trick me. OTOH I can not be certain that
> > Charlie, Nate and George know what they are doing when signing a
> > key. But...
>
> Yes, exactly. 1 hop away is easy, but as you get further and further
> away, you just don't know the people any longer.

Yes, ... but ...

> > > GPG will calculate trust for 5 hops along the path, by default. You
> > > can tune this with --max-cert-depth.
> >
> > How then is gpg able to calculate trust paths with more than one
> > hop?
>
> The same way it calculates for one hop: fully valid keys with full
> trust can make other keys fully valid. It doesn't matter if they are
> one hop or 15 hops away, so long as the hop count is less than
> --max-cert-depth.

Isn't that the same issue as discussed above? What's your
--max-cert-depth?

Ciao, Gregor
--
 -... --- .-. . -.. ..--.. ...-.-

From dshaw at jabberwocky.com Wed Dec 7 15:07:26 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Dec 7 15:07:16 2005
Subject: disjunct paths
In-Reply-To: <20051207134126.GC5692@pit.ID-43118.user.dfncis.de>
References: <20051125235616.GA19545@a-eskwadraat.nl>
	<20051129044151.GC18812@jabberwocky.com>
	<20051130152921.GL5208@pit.ID-43118.user.dfncis.de>
	<20051130184217.GA23434@jabberwocky.com>
	<20051130191144.GB32380@pit.ID-43118.user.dfncis.de>
	<20051130201702.GB23434@jabberwocky.com>
	<20051202121001.GH5123@pit.ID-43118.user.dfncis.de>
	<20051207042217.GA27652@jabberwocky.com>
	<20051207134126.GC5692@pit.ID-43118.user.dfncis.de>
Message-ID: <20051207140726.GA23003@jabberwocky.com>

On Wed, Dec 07, 2005 at 02:41:26PM +0100, Gregor Zattler wrote:
> Hi David,
> * David Shaw [06. Dez. 2005]:
> > On Fri, Dec 02, 2005 at 01:10:01PM +0100, Gregor Zattler wrote:
> > > * David Shaw [30. Nov. 2005]:
> > > > On Wed, Nov 30, 2005 at 08:11:44PM +0100, Gregor Zattler wrote:
> > > O.k. it's not very likely that an attacker is able to surround
> > > all the people which keys I signed with people deliberately
> > > signing wrong keys to trick me. OTOH I can not be certain that
> > > Charlie, Nate and George know what they are doing when signing a
> > > key. But...
> >
> > Yes, exactly. 1 hop away is easy, but as you get further and further
> > away, you just don't know the people any longer.
>
> Yes, ... but ...
>
> > > > GPG will calculate trust for 5 hops along the path, by default. You
> > > > can tune this with --max-cert-depth.
> > >
> > > How then is gpg able to calculate trust paths with more than one
> > > hop?
> >
> > The same way it calculates for one hop: fully valid keys with full
> > trust can make other keys fully valid. It doesn't matter if they are
> > one hop or 15 hops away, so long as the hop count is less than
> > --max-cert-depth.
>
> Isn't that the same issue as discussed above? What's your
> --max-cert-depth?

I leave it at the default unless I'm testing something (so it is 5).
I agree it is the same issue as above, yes. 5 seems like a more or less sane default - big enough to be useful, small enough to not be (too) dangerous. Different people have a different comfort level, of course, which is why the value is changeable. In any event, the cert depth doesn't really change the actual calculations in most cases - most people don't have chains of people they know that are that long. David From aredeji at hotmail.com Thu Dec 1 18:14:29 2005 From: aredeji at hotmail.com (Aredeji 04) Date: Wed Dec 7 19:07:54 2005 Subject: Assertion Failed 1.4.2 Message-ID: I am trying to generate a key pair using the --batch option. At first it worked but now I keep getting the following error: gpg: Generating a standard key ++++++++++....++++++++++.+++++++++++++++..+++++..++++++++++++++++++++++++++++++++++++++++++++++++++.+++++.+++++..++++++++++++++++++++++++++++++.++ Assertion failed: pkt->pkt.generic, file build-packet.c, line 74 I tried using the following patch, but it did not work: Index: keygen.c =================================================================== --- keygen.c (revision 3850) +++ keygen.c (working copy) @@ -3243,15 +3243,21 @@ static int write_keyblock( IOBUF out, KBNODE node ) { - for( ; node ; node = node->next ) { - int rc = build_packet( out, node->pkt ); - if( rc ) { - log_error("build_packet(%d) failed: %s\n", + for( ; node ; node = node->next ) + { + if(!is_deleted_kbnode(node)) + { + int rc = build_packet( out, node->pkt ); + if( rc ) + { + log_error("build_packet(%d) failed: %s\n", node->pkt->pkttype, g10_errstr(rc) ); - return G10ERR_WRITE_FILE; + return G10ERR_WRITE_FILE; + } } } - return 0; + + return 0; } Please let me know how I can fix this problem. Best wishes, Ared _________________________________________________________________ Express yourself instantly with MSN Messenger! Download today - it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/ From topas.org at web.de Tue Dec 6 20:55:21 2005 
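Review bot: in write_keyblock the only functional change is the new if(!is_deleted_kbnode(node)) guard, but the hunk also re-indents the whole loop and the final return 0;, so the one-line fix is buried in whitespace changes; keeping the existing indentation and adding just the guard would make the patch much easier to check. The guard skips only nodes flagged as deleted, while build_packet( out, node->pkt ) and the node->pkt->pkttype argument to log_error still use node->pkt unchecked, which is consistent with the poster's report that the assertion on pkt->pkt.generic still fires with the patch applied. A short comment saying why deleted nodes can still be in the list when the keyblock is written would also help.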
From: topas.org at web.de (Topas)
Date: Wed Dec 7 19:07:57 2005
Subject: Release date of 1.4.3
Message-ID: <4395ECA9.5030801@web.de>

Hi.

Is there some kind of roadmap when 1.4.3 will be available?

Another issue:
gpg tarballs are signed with the following key:

pub   1024D/57548DCD 1998-07-07 [expires: 2005-12-31]
      Key fingerprint = 6BD9 050F D8FC 941B 4341 2DCC 68B7 AB89 5754 8DCD
uid                  Werner Koch (gnupg sig)

Is it possible to meet Werner somewhere in personal and exchange keys?
Somewhere in Southern-Germany regions would be great.... perhaps at some
event or so.

My two cents.

From wilke at csaengineering.com Wed Dec 7 01:11:50 2005
From: wilke at csaengineering.com (Paul Wilke)
Date: Wed Dec 7 19:07:59 2005
Subject: Problem using open PGP and enigmail
Message-ID: <439628C6.4080600@csaengineering.com>

Hi,

I just upgraded to Thunderbird email version 1.5 RC1. I also upgraded
my enigmail. Now, when I try to send an encrypted email, I get the error:

"gpg: can't handle text lines longer than 19995 characters"

How do I fix this? I don't use command line gpg, but rather enigmail
extension to thunderbird for this.

Thanks.
Paul

--
Paul Wilke
CSA Engineering, Inc.
wilke@csaengineering.com
(541) 858-8556 phone
(541) 857-4017 fax

From wk at gnupg.org Thu Dec 8 08:24:11 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Dec 8 08:27:02 2005
Subject: Release date of 1.4.3
In-Reply-To: <4395ECA9.5030801@web.de> (topas.org@web.de's message of "Tue, 06 Dec 2005 20:55:21 +0100")
References: <4395ECA9.5030801@web.de>
Message-ID: <87wtiggig4.fsf@wheatstone.g10code.de>

On Tue, 06 Dec 2005 20:55:21 +0100, Topas said:

> Is there some kind of roadmap when 1.4.3 will be available?

There will be a release candidate soon.

> gpg tarballs are signed with the following key:

> pub 1024D/57548DCD 1998-07-07 [expires: 2005-12-31]

I usually prolong the key if it is close to expire. However, I may
move to a smartcard based key now. Have not decided that yet.

> Is it possible to meet Werner somewhere in personal and exchange keys?
> Somewhere in Southern-Germany regions would be great.... perhaps at some

You need to come to Düsseldorf. I do not have any travel plans for
the south; next events I plan to attend are the FOSDEM at Brussels
(Feb. 25+26) and the GUUG Frühjahrsfachgespräch at Osnabrück (Mar
21-24).

Shalom-Salam,

   Werner

From wk at gnupg.org Thu Dec 8 08:26:24 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Dec 8 08:31:56 2005
Subject: Using TC Trustcenter.de certificates
In-Reply-To: <871x0z5vbl.fsf@plailis.daheim.bs> (Markus Plail's message of "Tue, 29 Nov 2005 16:26:38 +0100")
References: <87zmnqs7l3.fsf@plailis.daheim.bs>
	<87ek50oljs.fsf@wheatstone.g10code.de>
	<87veycwy68.fsf@plailis.daheim.bs>
	<87y837rjcv.fsf@wheatstone.g10code.de>
	<871x0z5vbl.fsf@plailis.daheim.bs>
Message-ID: <87slt4gicf.fsf@wheatstone.g10code.de>

On Tue, 29 Nov 2005 16:26:38 +0100, Markus Plail said:

> Ok, thanks for the info, but is there a way to import p12 into gpg? I
> didn't get it to work and so worked around it by importing the p12 key

No, OpenPGP and X.509 are different formats. You can't import them.

PGP uses a hack to encapsulate an X.509 certificate within an OpenPGP
keyblock probably for use with their VPN stuff. The specs are
available but IMHO it does not make much sense.

Salam-Shalom,

   Werner

From wk at gnupg.org Thu Dec 8 08:28:05 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Dec 8 08:32:06 2005
Subject: Assertion Failed 1.4.2
In-Reply-To: (aredeji@hotmail.com's message of "Thu, 01 Dec 2005 17:14:29 +0000")
References:
Message-ID: <87oe3sgi9m.fsf@wheatstone.g10code.de>

On Thu, 01 Dec 2005 17:14:29 +0000, Aredeji 04 said:

> I am trying to generate a key pair using the --batch option.

This is known and fixed in the SVN. You may find a snapshot at

ftp://ftp.g10code.com/g10code/scratch/gnupg-1.4.3-cvs.tar.bz2
ftp://ftp.g10code.com/g10code/scratch/gnupg-1.4.3-cvs.tar.bz2.sig

Shalom-Salam,

   Werner

From fbigda at BabsonCapital.com Thu Dec 8 20:11:27 2005
From: fbigda at BabsonCapital.com (Bigda, Faith)
Date: Fri Dec 9 01:04:40 2005
Subject: mpi too large
Message-ID:

I've been researching and I can't seem to determine what the problem is
with the key. It appears to have a bad signature? I imported the key
and did an edit check:

C:\GnuPG>gpg --import xx.asc
gpg: key F867286A: public key "Named File Transfer" imported
gpg: Total number processed: 1
gpg:               imported: 1

C:\GnuPG>gpg --edit-key F867286A
gpg (GnuPG) 1.2.3; Copyright (C) 2003 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: checking the trustdb
gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/7
This key may be revoked by DSA key 8C5F4D13 [?]
pub  1024D/F867286A  created: 2004-11-09 expires: never      trust: -/-
sub  3072g/EC820541  created: 2004-11-09 expires: never
(1). Named File Transfer

Command> check
uid  Named File Transfer
sig!       F867286A 2004-11-09   [self-signature]
1 signature not checked due to a missing key

Command>

The problem is that even if I follow through and TRUST it anyway, when I
try to decrypt a file from them I get an error: "mpi too large". I
don't know if the problems are even related. I've been working on this
guy for some time now. Is there anyone that can help?

Thank you

Faith Bigda
Babson Capital Information Systems
Babson Capital Management LLC
tel: +1.413.226.1102
fax: +1.413.226.2102
FBigda@BabsonCapital.com

---------------------------------------------------------
This e-mail transmission may contain information that is proprietary,
privileged and/or confidential and is intended exclusively for the
person(s) to whom it is addressed. Any use, copying, retention or
disclosure by any person other than the intended recipient or the
intended recipient's designees is strictly prohibited. If you are not
the intended recipient or their designee, please notify the sender
immediately by return e-mail and delete all copies.
---------------------------------------------------------

From bob.duell at cingular.com Thu Dec 8 18:59:42 2005
From: bob.duell at cingular.com (Duell, Bob)
Date: Fri Dec 9 01:34:32 2005
Subject: Automation advice wanted
Message-ID: <60FD157FF7C6334581C6D8D830A205C501C09A67@WA-MSG04-BTH.wireless.attws.com>

Hi,

Can anyone recommend a book or article with very simple instructions on
using gpg in a work-group environment? I've searched many places,
including FAQs and past messages, but I still have many questions.

Our group regularly uses gpg to send files to various external vendors
and suppliers, using that recipient's public key. We've all done this
individually, importing private keys into our personal keyrings (on a
UNIX server). However, our group has grown such that it's becoming
difficult to manage the process, especially sharing the public keys of
target recipients.

Incoming files also are encrypted with public keys created by
individuals, keys which must be exchanged privately. Also, one external
sender may deal with many individuals in our group, so they end up
managing multiple keys to send data to us.

I am considering creating a "public" keyring for our group, one into
which I can import the keys for "registered" recipients. I can define
the "public" keyring directory and file as global read/execute; users
would refer to the public ring using the "-keyring" option. One in our
group would be the designated "key master", responsible for maintaining
the keyring.

Although I've read about keyservers, I'm not sure we can use them here.
At any rate, I'm looking for a very simple solution.

I'd also like to create a master keypair for the group, a single key
that can be used by everyone sending files to us. I was thinking a UNIX
script could be used to handle signing and decryption, thereby
preserving the secrecy of the passphrase.

I'd appreciate any advice, and most especially any examples!

Thanks,

Bob

From bernhard.walle at gmx.de Sat Dec 10 15:24:17 2005
From: bernhard.walle at gmx.de (Bernhard Walle)
Date: Sat Dec 10 15:24:36 2005
Subject: OpenPGP card and gpgme
Message-ID: <20051210152417.38c7b2df@hugo.local>

Hello,

I use an OpenPGP card for signing and encrypting mails together with Sylpheed Claws which uses gpgme. It works fine with two exceptions:

- If the card is not inserted before the passphrase should be entered, Sylpheed hangs. So I have to insert the card first (which I normally do, anyway). In console, gpg asks to insert the card in the reader.

- The User-ID is not displayed but the string "[no user id]". From the source code I expect it's missing in the uid_hint parameter of the gpgme_passphrase_cb_t function.

The sylpheed developers told me to ask here.

Regards,
Bernhard

-- 
"The PROPER way to handle HTML postings is to cancel the article, then hire a hitman to kill the poster, his wife and kids, and fuck his dog and smash his computer into little bits. Anything more is just extremism." -- Paul Tomblin

From kfitzner at excelcia.org Mon Dec 12 01:31:58 2005
From: kfitzner at excelcia.org (Kurt Fitzner)
Date: Tue Dec 13 01:34:28 2005
Subject: [Announce] GnuPG Explorer Extension (GPGee) version 1.2.2 released!
Message-ID: <439CC4FE.2040105@excelcia.org>

Skipped content of type multipart/signed

_______________________________________________
Gnupg-announce mailing list
Gnupg-announce@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From kfitzner at excelcia.org Mon Dec 12 23:52:11 2005
From: kfitzner at excelcia.org (Kurt Fitzner)
Date: Tue Dec 13 10:08:56 2005
Subject: [Announce] GPGee 1.2.2 has a bug - 1.2.3 corrects this.
Message-ID: <439DFF1B.6020007@excelcia.org>

Skipped content of type multipart/signed

From milan.lehocky at gmail.com Tue Dec 13 17:35:05 2005
From: milan.lehocky at gmail.com (Milan Lehocky)
Date: Tue Dec 13 17:34:52 2005
Subject: GPGME signing problem
Message-ID: <8dfcd0510512130835v643e3555ja8d0c3895cc7e42e@mail.gmail.com>

Hi,

running the example t-sign.c (gpgme-1.0.3) hangs on function gpgme_op_sign() when the passphrase_cb is set. If I remove the gpgme_set_passphrase_cb(..), the example ends with no signatures made.

The passphrase callback function is never called.. - that is strange. I'm running SunOS 5.8.

I also tried this:

    gpgme_error_t
    pass_cb (void *opaque, const char *uid_hint, const char *passphrase_info,
             int last_was_bad, int fd)
    {
      write (fd, "asdf\n", 5);
      return 0;
    }

code:

    gpgme_set_passphrase_cb (ctx, pass_cb, NULL);
    err = gpgme_get_key (ctx, "", &signers_key, 1);
    fail_if_err (err);
    err = gpgme_signers_add(ctx, signers_key);
    fail_if_err (err);
    printf("before\n");
    err = gpgme_op_sign(ctx, in, out_signed, GPGME_SIG_MODE_CLEAR);
    printf("after\n"); // this never happens..

But it hangs, too. Do you have any suggestions?

Thanks a lot,
Milan Lehocky

From wk at gnupg.org Wed Dec 14 14:02:09 2005
From: wk at gnupg.org (Werner Koch)
Date: Wed Dec 14 14:07:04 2005
Subject: OpenPGP card and gpgme
In-Reply-To: <20051210152417.38c7b2df@hugo.local> (Bernhard Walle's message of "Sat, 10 Dec 2005 15:24:17 +0100")
References: <20051210152417.38c7b2df@hugo.local>
Message-ID: <87bqzjltm6.fsf@wheatstone.g10code.de>

On Sat, 10 Dec 2005 15:24:17 +0100, Bernhard Walle said:

> I use an OpenPGP card for signing and encrypting mails together with
> Sylpheed Claws which uses gpgme. It works fine with two exceptions:

> - If the card is not inserted before the passphrase should be entered,
>   Sylpheed hangs. So I have to insert the card first (which I normally
>   do, anyway).

You are not using gpg-agent, right? In general the passphrase call back should work too but it is often problematic. You are better off in any case to use gpg-agent.

> - The User-ID is not displayed but the string "[no user id]".
>   From the source code I expect it's missing in the uid_hint
>   parameter of the gpgme_passphrase_cb_t function.

Not sure about this. We are currently working on an updated Sylpheed port to Windows and while doing this we will for sure also check out this problem because there is no well working gpg-agent for Windows yet and thus we need to make the passphrase callback working. So, please have some patience in case you can't use gpg-agent.

Salam-Shalom,

Werner

From wk at gnupg.org Wed Dec 14 14:04:07 2005
From: wk at gnupg.org (Werner Koch)
Date: Wed Dec 14 14:07:12 2005
Subject: GPGME signing problem
In-Reply-To: <8dfcd0510512130835v643e3555ja8d0c3895cc7e42e@mail.gmail.com> (Milan Lehocky's message of "Tue, 13 Dec 2005 17:35:05 +0100")
References: <8dfcd0510512130835v643e3555ja8d0c3895cc7e42e@mail.gmail.com>
Message-ID: <877ja7ltiw.fsf@wheatstone.g10code.de>

On Tue, 13 Dec 2005 17:35:05 +0100, Milan Lehocky said:

> The passphrase callback function is never called.. - that is strange.
> I'm running SunOS 5.8.

Please run in debug mode:

    $ GPGME_DEBUG=5:/tmp/mygpgme.log ./myapp

(the file name is optional, it defaults to stderr)

Shalom-Salam,

Werner

From topas.org at web.de Thu Dec 8 11:47:42 2005
From: topas.org at web.de (Topas)
Date: Wed Dec 14 14:34:54 2005
Subject: Signature has algorithms
Message-ID: <43980F4E.8040804@web.de>

Hi.

I've seen that one can use different hash algorithms for creating signatures. The default is SHA-1 I think, but (and correct me if I'm wrong) SHA-512 (or even the "smaller" ones) should be more secure.

Ok,.. I've seen that one is able to change the used algorithm with the "--cert-digest-algo" option. For the primary key I could do the following:
1) Set the new algo (gpg.conf or command line).
2) Edit the key.
2a) Set preferred key server URL.
2b) Set some other settings from the primary key self-signature.
2c) Set preferred algorithms.
3) Delete every new self-signature except the last one (which should contain all the new settings with the new hash algorithm). (Is this possible/reasonable, to delete the others?)
4) Save the key and be happy.

But what can I do with the self-sigs from my existing keys? How can I recreate them (with the new hash algorithm).

Thanks in advance.

From abhalerao at apple.com Mon Dec 12 23:17:52 2005
From: abhalerao at apple.com (amit bhalerao)
Date: Wed Dec 14 14:34:58 2005
Subject: Encrypting a file in a non -interactive mode
Message-ID:

Hi,

Could anyone please tell me how to encrypt a file in a non-interactive mode or batch mode?

-Amit

From dshaw at jabberwocky.com Wed Dec 14 16:00:33 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Dec 14 16:00:22 2005
Subject: Encrypting a file in a non -interactive mode
In-Reply-To:
References:
Message-ID: <20051214150033.GA23131@jabberwocky.com>

On Mon, Dec 12, 2005 at 02:17:52PM -0800, amit bhalerao wrote:
> Hi,
>
> Could anyone please tell me how to encrypt a file in a non-
> interactive mode or batch mode?

Sure, just do something like this:

    gpg --batch -r (recipient) --output (name-for-encrypted-file) --encrypt (file-to-encrypt)

However, this assumes that the recipient is trusted by you. If not, then you also need to add "--trust-model always" to override that.

This also assumes that name-for-encrypted-file doesn't exist. GPG won't overwrite it if it exists. To force GPG to overwrite the existing file, add "--yes".

David

From dshaw at jabberwocky.com Wed Dec 14 17:52:15 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Dec 14 17:51:59 2005
Subject: Signature has algorithms
In-Reply-To: <43980F4E.8040804@web.de>
References: <43980F4E.8040804@web.de>
Message-ID: <20051214165215.GA23408@jabberwocky.com>

On Thu, Dec 08, 2005 at 11:47:42AM +0100, Topas wrote:
> Hi.
>
> I've seen that one can use different hash algorithms for creating
> signatures. The default is SHA-1 I think, but (and correct me if I'm
> wrong) SHA-512 (or even the "smaller" ones) should be more secure.
>
> Ok,.. I've seen that one is able to change the used algorithm with the
> "--cert-digest-algo" option. For the primary key I could do the following:
> 1) Set the new algo (gpg.conf or command line).
> 2) Edit the key.
> 2a) Set preferred key server URL.
> 2b) Set some other settings from the primary key self-signature.
> 2c) Set preferred algorithms.
> 3) Delete every new self-signature except the last one (which should
> contain all the new settings with the new hash algorithm). (Is this
> possible/reasonable, to delete the others?)
> 4) Save the key and be happy.
>
> But what can I do with the self-sigs from my existing keys? How can I
> recreate them (with the new hash algorithm).

The procedure you give above will put new self signatures on the key. You can't recreate old ones, but you can delete them. Note that if you have your key on a keyserver, the old self-sigs will come back since the keyserver (or really anyone else who has a copy of your current key) doesn't delete the old self-sigs.

David

From bernhard.walle at gmx.de Wed Dec 14 21:52:12 2005
From: bernhard.walle at gmx.de (Bernhard Walle)
Date: Wed Dec 14 21:52:28 2005
Subject: OpenPGP card and gpgme
In-Reply-To: <87bqzjltm6.fsf@wheatstone.g10code.de>
References: <20051210152417.38c7b2df@hugo.local> <87bqzjltm6.fsf@wheatstone.g10code.de>
Message-ID: <20051214215212.6d4ee023@hugo.local>

Werner Koch [2005-12-14]:
> On Sat, 10 Dec 2005 15:24:17 +0100, Bernhard Walle said:
>
> > I use an OpenPGP card for signing and encrypting mails together with
> > Sylpheed Claws which uses gpgme. It works fine with two exceptions:
>
> > - If the card is not inserted before the passphrase should be entered,
> >   Sylpheed hangs. So I have to insert the card first (which I normally
> >   do, anyway).
>
>
> You are not using gpg-agent, right? In general the passphrase call
> back should work too but it is often problematic. You are better off
> in any case to use gpg-agent.

Yes. I would like to use gpg-agent, but it does not work. I wrote a mail at Mon, 21 Nov 2005 22:10:38 +0100 in this mailinglist, but nobody could help me.

> > - The User-ID is not displayed but the string "[no user id]".
> >   From the source code I expect it's missing in the uid_hint
> >   parameter of the gpgme_passphrase_cb_t function.
>
> Not sure about this. We are currently working on an updated Sylpheed port
> to Windows and while doing this we will for sure also check out this
> problem because there is no well working gpg-agent for Windows yet and
> thus we need to make the passphrase callback working. So, please have
> some patience in case you can't use gpg-agent.

Great.

Regards,
Bernhard

-- 
"Damn the torpedoes. Full speed ahead" -- Capt. David Farragut

From milan.lehocky at gmail.com Thu Dec 15 17:46:05 2005
From: milan.lehocky at gmail.com (Milan Lehocky)
Date: Thu Dec 15 17:45:45 2005
Subject: GPGME signing problem
In-Reply-To: <877ja7ltiw.fsf@wheatstone.g10code.de>
References: <8dfcd0510512130835v643e3555ja8d0c3895cc7e42e@mail.gmail.com> <877ja7ltiw.fsf@wheatstone.g10code.de>
Message-ID: <8dfcd0510512150846u7f9a6185md1d4d900959244d1@mail.gmail.com>

this is from log (plain text already passed to gpg):

........
posix-io.c:340: gpgme:select on [ r3 ]
posix-io.c:386: select OK [ r3 ]
posix-io.c:72: fd 3: about to read 1024 bytes
posix-io.c:79: fd 3: got 94 bytes
fd 3: got `[GNUPG:] USERID_HINT 30E8F3701B56AE33 Application (toto je testovaci kluc pre App)
'
posix-io.c:340: gpgme:select on [ r3 r10 ]
posix-io.c:386: select OK [ r3 ]
posix-io.c:340: gpgme:select on [ r3 ]
posix-io.c:386: select OK [ r3 ]
posix-io.c:72: fd 3: about to read 1024 bytes
posix-io.c:79: fd 3: got 64 bytes
fd 3: got `[GNUPG:] NEED_PASSPHRASE 30E8F3701B56AE33 30E8F3701B56AE33 17 0
'
posix-io.c:340: gpgme:select on [ r3 r10 ]
posix-io.c:386: select OK [ r3 ]
posix-io.c:340: gpgme:select on [ r3 ]
posix-io.c:386: select OK [ r3 ]
posix-io.c:72: fd 3: about to read 1024 bytes
posix-io.c:79: fd 3: got 37 bytes
fd 3: got `[GNUPG:] GET_HIDDEN passphrase.enter
'
posix-io.c:340: gpgme:select on [ r3 r10 ]
posix-io.c:386: select OK [ ]
posix-io.c:340: gpgme:select on [ r3 r10 ]
posix-io.c:386: select OK [ ]
posix-io.c:340: gpgme:select on [ r3 r10 ]
....
this continues until I press ctr-c

gpg asks for passphrase, but nothing happens

On 12/14/05, Werner Koch wrote:
> On Tue, 13 Dec 2005 17:35:05 +0100, Milan Lehocky said:
>
> > The passphrase callback function is never called.. - that is strange.
> > I'm running SunOS 5.8.
>
> Please run in debug mode:
>
> $ GPGME_DEBUG=5:/tmp/mygpgme.log ./myapp
>
> (the file name is optional, it defaults to stderr)
>
> Shalom-Salam,
>
> Werner
>
>

From dshaw at jabberwocky.com Fri Dec 16 05:12:11 2005
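A small triage helper for a GPGME debug log like the one in the message above, added here as an example and not taken from GPGME or from any poster: it follows the `[GNUPG:]` status lines and reports a prompt (`GET_HIDDEN`, `GET_LINE`, `GET_BOOL`) that was never followed by gpg's `GOT_IT` acknowledgement, which is the state the posted log ends in. The function names and the embedded sample log are constructed for this example.

```shell
#!/bin/sh
# Added example: find an unanswered gpg prompt in a GPGME_DEBUG log.
# Assumption: status lines appear in the log the way the thread shows
# them, i.e. somewhere on a line as "[GNUPG:] KEYWORD args...".

# status_stall LOGFILE   (use "-" or no argument to read stdin)
# Prints "ok", or "stalled <PROMPT> <what> key=<keyid>" and returns 1.
status_stall() {
    awk '
        {
            i = index($0, "[GNUPG:] ")
            if (i == 0) next                      # not a status line
            n = split(substr($0, i + 9), f, " ")
            if (n == 0) next
            kw = f[1]
            if (kw == "NEED_PASSPHRASE") {
                keyid = f[2]                      # key the passphrase is for
            } else if (kw == "GET_HIDDEN" || kw == "GET_LINE" || kw == "GET_BOOL") {
                pending = kw                      # gpg is now waiting for input
                what = f[2]
            } else if (kw == "GOT_IT") {
                pending = ""                      # gpg received the answer
            }
        }
        END {
            if (pending != "") {
                if (keyid == "") keyid = "unknown"
                printf "stalled %s %s key=%s\n", pending, what, keyid
                exit 1
            }
            print "ok"
        }
    ' "${1:--}"
}

# Constructed sample, modelled on the log format posted in the thread.
sample_stalled_log() {
    cat <<'EOF'
posix-io.c:79: fd 3: got 64 bytes
fd 3: got `[GNUPG:] NEED_PASSPHRASE 30E8F3701B56AE33 30E8F3701B56AE33 17 0
'
posix-io.c:340: gpgme:select on [ r3 r10 ]
posix-io.c:386: select OK [ r3 ]
posix-io.c:79: fd 3: got 37 bytes
fd 3: got `[GNUPG:] GET_HIDDEN passphrase.enter
'
posix-io.c:340: gpgme:select on [ r3 r10 ]
posix-io.c:386: select OK [ ]
posix-io.c:340: gpgme:select on [ r3 r10 ]
posix-io.c:386: select OK [ ]
EOF
}
```

Running `sample_stalled_log | status_stall -` reports the pending `GET_HIDDEN passphrase.enter`; a log in which the caller answered the prompt contains a later `GOT_IT` and yields `ok`.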
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Dec 16 05:11:55 2005
Subject: Automation advice wanted
In-Reply-To: <60FD157FF7C6334581C6D8D830A205C501C09A67@WA-MSG04-BTH.wireless.attws.com>
References: <60FD157FF7C6334581C6D8D830A205C501C09A67@WA-MSG04-BTH.wireless.attws.com>
Message-ID: <20051216041211.GB5063@jabberwocky.com>

On Thu, Dec 08, 2005 at 09:59:42AM -0800, Duell, Bob wrote:

> I am considering creating a "public" keyring for our group, one into
> which I can import the keys for "registered" recipients. I can define
> the "public" keyring directory and file as global read/execute; users
> would refer to the public ring using the "-keyring" option. One in our
> group would be the designated "key master", responsible for maintaining
> the keyring.

This is a reasonable thing to do.

> Although I've read about keyservers, I'm not sure we can use them here.
> At any rate, I'm looking for a very simple solution.
>
> I'd also like to create a master keypair for the group, a single key
> that can be used by everyone sending files to us. I was thinking a UNIX
> script could be used to handle signing and decryption, thereby
> preserving the secrecy of the passphrase.

This can be reasonable in some circumstances, but also can be risky - it's hard to hide a passphrase in a script that way. Also, how do you plan to prevent people just copying the script, key, passphrase, and all?

It's hard to suggest an alternative without knowing more about what you're trying to do. Is there actually a need for encryption once the data in question is on-site, or is it just a transit issue? Would it be acceptable for one person to own the master key and decrypt and then re-encrypt to a list of individual keys for your internal users?

David

From dshaw at jabberwocky.com Fri Dec 16 14:32:11 2005
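The batch-mode invocation David Shaw gives in the "Encrypting a file in a non -interactive mode" thread, run against a shared group keyring of the kind discussed in the message above, as an added sketch that is not code from any poster. The function name, the `GPG` and `GROUP_KEYRING` variables, the keyring path and the fingerprint-only rule are assumptions of this example; because `--trust-model always` makes gpg skip its validity check, the recipient is pinned by full fingerprint rather than by name.

```shell
#!/bin/sh
# Added example: non-interactive public-key encryption against a
# key-master-maintained group keyring.
# Assumptions (not from the thread): variable and function names, the
# keyring path, and accepting only full 40-hex-digit fingerprints.

GPG="${GPG:-gpg}"
GROUP_KEYRING="${GROUP_KEYRING:-/usr/local/share/gnupg/group-pubring.gpg}"  # hypothetical path

# encrypt_for FINGERPRINT INFILE OUTFILE [force]
# Returns 0 on success, 2 on bad arguments, 3 if OUTFILE already exists
# and "force" was not given, otherwise the exit status of gpg.
encrypt_for() {
    fpr=$1
    in=$2
    out=$3
    force=${4:-}

    # A name or short key ID could match more than one key on a shared
    # ring, and --trust-model always would accept whichever one matched.
    case $fpr in
        ''|*[!0-9A-Fa-f]*) return 2 ;;
    esac
    [ "${#fpr}" -eq 40 ] || return 2
    [ -r "$in" ] || return 2

    # In batch mode gpg refuses to overwrite an existing output file;
    # report that case with its own status instead of a generic failure.
    if [ -e "$out" ] && [ "$force" != force ]; then
        return 3
    fi

    # Only the public group ring is consulted; no secret key or
    # passphrase is needed to encrypt, so none has to live on this host.
    set -- --batch --no-tty \
           --no-default-keyring --keyring "$GROUP_KEYRING" \
           --trust-model always \
           --recipient "$fpr" --output "$out"
    if [ "$force" = force ]; then
        set -- "$@" --yes
    fi
    "$GPG" "$@" --encrypt "$in"
}
```

Since the script never signs or decrypts, copying it off the server yields nothing beyond the public keys, which is the property the shared-passphrase script in the question lacks.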
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Dec 16 14:32:10 2005
Subject: mpi too large
In-Reply-To:
References:
Message-ID: <20051216133211.GD5063@jabberwocky.com>

On Thu, Dec 08, 2005 at 02:11:27PM -0500, Bigda, Faith wrote:
> I've been researching and I can't seem to determine what the problem is with the key. It appears to have a bad signature? I imported the key and do an edit check:
>
> C:\GnuPG>gpg --import xx.asc
> gpg: key F867286A: public key "Named File Transfer" imported
> gpg: Total number processed: 1
> gpg: imported: 1
>
> C:\GnuPG>gpg --edit-key F867286A
> gpg (GnuPG) 1.2.3; Copyright (C) 2003 Free Software Foundation, Inc.
> This program comes with ABSOLUTELY NO WARRANTY.
> This is free software, and you are welcome to redistribute it
> under certain conditions. See the file COPYING for details.
>
> gpg: checking the trustdb
> gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/7
> This key may be revoked by DSA key 8C5F4D13 [?]
> pub 1024D/F867286A created: 2004-11-09 expires: never trust: -/-
> sub 3072g/EC820541 created: 2004-11-09 expires: never
> (1). Named File Transfer
>
> Command> check
> uid Named File Transfer
> sig! F867286A 2004-11-09 [self-signature]
> 1 signature not checked due to a missing key
>
> Command>
>
>
> The problem is that even if I follow through and TRUST it anyway,
> when I try to decrypt a file from them I get an error: "mpi too
> large". I don't know if the problems are even related.

Probably unrelated. The "signature not checked" is not an error, but normal operation: the key you imported has a signature from a key you don't have. It's just a note so you can go out and get this other key if you care.

The "mpi too large" is a problem, but likely on the sender side. Do you know what program they are using to encrypt?

David

From shofer at gmx.de Sat Dec 17 19:35:07 2005
From: shofer at gmx.de (Sebastian Hofer)
Date: Sat Dec 17 19:35:29 2005
Subject: Solved: gpg: [don't know]: invalid packet (ctb=2d)
In-Reply-To: <200512031856.42761.shofer@gmx.de>
References: <200512031856.42761.shofer@gmx.de>
Message-ID: <200512171935.07665.shofer@gmx.de>

Dear Listers,

I solved my problem (see at the bottom).

But first the SUM of the answers I got: No answers, nor reactions or hints :(

The solution was: I had to delete the .gnupg-directory in my home directory. It seems like I copied old settings from Debian to Ubuntu that caused the troubles.

Cheers.
Seb

On Saturday 03 December 2005 18:56, Sebastian Hofer wrote:
> Dear Listers,
>
> I am a plain user of gnupg and new to this list. So I would like to greet
> you first.
>
> Now the problem: I found some discussions about the "invalid packet
> (ctb=2d)" thing but none of it helped me.
>
> I have been running gpg with the same keys since 2003. I started to use
> them on SuSE 7 and Win2K. Then I moved to Debian without a problem. Now I
> had a disc crash recently and switched to ubuntu. When I try to import or
> use my old keys I get this:
>
> ---snip----
> gpg: [don't know]: invalid packet (ctb=2d)
> gpg: keydb_get_keyblock failed: eof
> gpg: [don't know]: invalid packet (ctb=2d)
> gpg: /home/seb/.gnupg/pubring.gpg: copy to
> `/home/seb/.gnupg/pubring.gpg.tmp' failed: invalid packet
> gpg: error writing keyring `/home/seb/.gnupg/pubring.gpg': invalid packet
> gpg: [don't know]: invalid packet (ctb=2d)
> gpg: keydb_search failed: invalid packet
> gpg: key 09D50FE7: public key "[User ID not found]" imported
> gpg: [don't know]: invalid packet (ctb=2d)
> gpg: keydb_search failed: invalid packet
> [GNUPG:] IMPORTED 0C1E3D6C09D50FE7 [?]
> [GNUPG:] IMPORT_OK 1 CF32CCC3BD5E61F3E8722A9D0C1E3D6C09D50FE7
> gpg: [don't know]: invalid packet (ctb=2d)
> gpg: error reading `/home/seb/.gnupg/secring.gpg': invalid packet
> gpg: import from `/home/seb/.gnupg/secring.gpg' failed: invalid packet
> gpg: Total number processed: 0
> gpg: imported: 1
> [GNUPG:] IMPORT_RES 0 0 1 0 0 0 0 0 0 0 0 0 0 0
> ---snap----
>
> The keys were transferred from my external HD (backup) with all the other
> stuff in my home directory.
> Some weeks ago I tried to import a copy of the keys I still had on a W2K machine
> at work. Same error.
> Today I thought I will use the weekend to fix the problem. One of my
> guesses is that there are conflicts between my new ubuntu and the old stuff
> I got from my backup done on Debian Sarge?!? So I wanted to erase gpg
> completely and then reinstall it. But there are billions of dependencies ...
> What should I do?
>
> Thanks in advance and cheers,
> Seb
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

From jharris at widomaker.com Mon Dec 19 01:58:12 2005
From: jharris at widomaker.com (Jason Harris)
Date: Mon Dec 19 01:58:29 2005
Subject: new (2005-12-11) keyanalyze results (+sigcheck)
Message-ID: <20051219005811.GA411@wilma.widomaker.com>

New keyanalyze results are available at:

  http://keyserver.kjsl.com/~jharris/ka/2005-12-11/

Signatures are now being checked using keyanalyze+sigcheck:

  http://dtype.org/~aaronl/

Earlier reports are also available, for comparison:

  http://keyserver.kjsl.com/~jharris/ka/

Even earlier monthly reports are at:

  http://dtype.org/keyanalyze/

SHA-1 hashes and sizes for all the "permanent" files:

-- 
Jason Harris           |  NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web:  http://keyserver.kjsl.com/~jharris/
          Got photons?   (TM), (C) 2004

From sebastian.murawski at gmail.com Fri Dec 16 21:17:16 2005
From: sebastian.murawski at gmail.com (Sebastian Murawski)
Date: Mon Dec 19 10:54:19 2005
Subject: GPG 1.4.2 and Aladdin eToken Pro
Message-ID: <1748406206.20051216221716@lazikowiec.pl>

Hello GnuPG Users!!!

Does GnuPG work with this hardware token? I try to find some solutions to make these two things work but without success. Is there some manual to connect these two parts? I use Windows XP sp2. I want to change my PGP to GnuPG but I have only this little problem.

OK now info:

Z:\GnuPG>gpg --card-status
gpg: detected reader `AKS ifdh 0'
gpg: detected reader `AKS ifdh 1'
gpg: pcsc_connect failed: sharing violation (0x8010000b)
gpg: card reader not available
gpg: OpenPGP card not available: b??d og?lny

-- 
Thanks and best regards,
Sebastian Murawski

From topas.org at web.de Wed Dec 14 19:02:35 2005
From: topas.org at web.de (Topas)
Date: Mon Dec 19 11:09:41 2005
Subject: Signature has algorithms
In-Reply-To: <20051214165215.GA23408@jabberwocky.com>
References: <43980F4E.8040804@web.de> <20051214165215.GA23408@jabberwocky.com>
Message-ID: <43A05E3B.1000906@web.de>

David Shaw wrote:

>The procedure you give above will put new self signatures on the key.
>You can't recreate old ones, but you can delete them. Note that if
>you have your key on a keyserver, the old self-sigs will come back
>since the keyserver (or really anyone else who has a copy of your
>current key) doesn't delete the old self-sigs.
>
>
Oh I forgot a little detail,.. =)
It was clear to me that I get new selfsigs on the primarykey/userid when changing settings (like preferred algorithms, etc.) and it is also clear to me that the older selfsigs will return from the keyserver (but they should be ignored by other users due to the older creation time).

What I wanted to know was: How can I get new subkey binding sigs for my subkey (new: with more recent creation time, and of course with the "better" hash algorithm)?

It would be better to wait with doing this until gpg understands backsigs, right?

btw: Do encryption keys get backsigs, too? If not why not?

Best wishes,
Topas.

From bernis at moredirect.com Wed Dec 14 15:56:00 2005
From: bernis at moredirect.com (Berni Sicard)
Date: Mon Dec 19 11:09:50 2005
Subject: Encrypting a file in a non -interactive mode
Message-ID: <8026F739C487014C8350935C730F912B041E14@lassie.moredirect.com>

I use the following command...(UNIX)

    gpg -r recipientkeyname -o $ENCRYPTOUTFILE -e $OUTFILE >> $LOGFILE 2>&1

Thanks,

Berni Sicard
V.P. of MIS & Technology
MoreDirect, Inc.
B.Sicard@MoreDirect.com
561-237-3333

-----Original Message-----
From: gnupg-users-bounces+b.sicard=moredirect.com@gnupg.org [mailto:gnupg-users-bounces+b.sicard=moredirect.com@gnupg.org] On Behalf Of amit bhalerao
Sent: Monday, December 12, 2005 5:18 PM
To: gnupg-users@gnupg.org
Subject: Encrypting a file in a non -interactive mode

Hi,

Could anyone please tell me how to encrypt a file in a non-interactive mode or batch mode?

-Amit

From dshaw at jabberwocky.com Mon Dec 19 20:34:56 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon Dec 19 20:34:45 2005
Subject: Signature has algorithms
In-Reply-To: <43A05E3B.1000906@web.de>
References: <43980F4E.8040804@web.de> <20051214165215.GA23408@jabberwocky.com> <43A05E3B.1000906@web.de>
Message-ID: <20051219193456.GI2483@jabberwocky.com>

On Wed, Dec 14, 2005 at 07:02:35PM +0100, Topas wrote:
> David Shaw wrote:
>
> >The procedure you give above will put new self signatures on the key.
> >You can't recreate old ones, but you can delete them. Note that if
> >you have your key on a keyserver, the old self-sigs will come back
> >since the keyserver (or really anyone else who has a copy of your
> >current key) doesn't delete the old self-sigs.
> >
> >
> Oh I forgot a little detail,.. =)
> It was clear to me that I get new selfsigs on the primarykey/userid when
> changing settings (like preferred algorithms, etc.) and it is also clear
> to me that the older selfsigs will return from the keyserver (but they
> should be ignored by other users due to the older creation time).
>
> What I wanted to know was: How can I get new subkey binding sigs for my
> subkey (new: with more recent creation time, and of course with the
> "better" hash algorithm)?

You can't, without hacking GPG to do it. It's easier to just make a new subkey.

> It would be better to wait with doing this until gpg understands
> backsigs, right?
>
> btw: Do encryption keys get backsigs, too? If not why not?

No. Backsigs are not really meaningful for encryption keys. Backsigs protect against a particular attack (someone claiming your signing is theirs) that isn't relevant to encryption keys - if someone stole an encryption key, they might try and claim they owned it, but that doesn't mean much as they couldn't read anything encrypted to it.

I'm vaguely toying with the idea of including backsigs for encryption keys with an algorithm that can at least issue signatures (i.e. RSA), since it doesn't hurt and might be marginally useful, but this couldn't be a general thing since not all encryption algorithms can sign (i.e. Elgamal).

David

From cam at mathematica.scientia.net Mon Dec 19 21:56:40 2005
From: cam at mathematica.scientia.net (Christoph Anton Mitterer)
Date: Mon Dec 19 21:56:17 2005
Subject: Signature has algorithms
In-Reply-To: <20051219193456.GI2483@jabberwocky.com>
References: <43980F4E.8040804@web.de> <20051214165215.GA23408@jabberwocky.com> <43A05E3B.1000906@web.de> <20051219193456.GI2483@jabberwocky.com>
Message-ID: <43A71E88.7020008@mathematica.scientia.net>

David Shaw wrote:

>>What I wanted to know was: How can I get new subkey binding sigs for my
>>subkey (new: with more recent creation time, and of course with the
>>"better" hash algorithm)?
>>
>>
>You can't, without hacking GPG to do it. It's easier to just make a
>new subkey.
>
>
Ah,.. too bad :-/
I've read some emails from a guy here that currently seems to do some hacking with gpg, perhaps he can help me (@Chris: plz contact me directly as I'm not subscribed to the list).

btw: It's pretty bad that one can't change the preference settings for his subkeys (or is this possible?). I'm having a key with one email (UID) for different roles. But each role is using a different encryption subkey. Now in the office my machine is very slow and if someone sent me a big encrypted file (for the office subkey),... it takes very long. So it would be nice if one could specify these things for the keys too (perhaps in the selfsigs of the subkeys?)

Regards,
Topas

From wk at gnupg.org Tue Dec 20 11:15:20 2005
From: wk at gnupg.org (Werner Koch)
Date: Tue Dec 20 11:22:10 2005
Subject: GPGME signing problem
In-Reply-To: <8dfcd0510512150846u7f9a6185md1d4d900959244d1@mail.gmail.com> (Milan Lehocky's message of "Thu, 15 Dec 2005 17:46:05 +0100")
References: <8dfcd0510512130835v643e3555ja8d0c3895cc7e42e@mail.gmail.com> <877ja7ltiw.fsf@wheatstone.g10code.de> <8dfcd0510512150846u7f9a6185md1d4d900959244d1@mail.gmail.com>
Message-ID: <87psnscbwn.fsf@wheatstone.g10code.de>

On Thu, 15 Dec 2005 17:46:05 +0100, Milan Lehocky said:

> fd 3: got `[GNUPG:] GET_HIDDEN passphrase.enter
> '
> posix-io.c:340: gpgme:select on [ r3 r10 ]
> posix-io.c:386: select OK [ ]
> posix-io.c:340: gpgme:select on [ r3 r10 ]
> posix-io.c:386: select OK [ ]
> posix-io.c:340: gpgme:select on [ r3 r10 ]
> ....
> this continues until I press ctr-c

> gpg asks for passphrase, but nothing happens

Sure that you registered the passphrase callback?

Salam-Shalom,

Werner

From wk at gnupg.org Tue Dec 20 12:14:05 2005
From: wk at gnupg.org (Werner Koch)
Date: Tue Dec 20 13:51:45 2005
Subject: [Announce] GnuPG 1.9.20 (S/MIME and gpg-agent) released
Message-ID: <87acewc96q.fsf@wheatstone.g10code.de>

Skipped content of type multipart/signed

From fbigda at BabsonCapital.com Tue Dec 20 15:35:24 2005
From: fbigda at BabsonCapital.com (Bigda, Faith)
Date: Tue Dec 20 16:19:21 2005
Subject: mpi too large
Message-ID:

They are using PGP Ver. 7.0.1

-----Original Message-----
From: David Shaw [mailto:dshaw@jabberwocky.com]
Sent: Friday, December 16, 2005 8:32 AM
To: gnupg-users@gnupg.org
Cc: Bigda, Faith
Subject: Re: mpi too large

On Thu, Dec 08, 2005 at 02:11:27PM -0500, Bigda, Faith wrote:
> I've been researching and I can't seem to determine what the problem is with the key. It appears to have a bad signature? I imported the key and do an edit check:
>
> C:\GnuPG>gpg --import xx.asc
> gpg: key F867286A: public key "Named File Transfer" imported
> gpg: Total number processed: 1
> gpg: imported: 1
>
> C:\GnuPG>gpg --edit-key F867286A
> gpg (GnuPG) 1.2.3; Copyright (C) 2003 Free Software Foundation, Inc.
> This program comes with ABSOLUTELY NO WARRANTY.
> This is free software, and you are welcome to redistribute it
> under certain conditions. See the file COPYING for details.
>
> gpg: checking the trustdb
> gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/7
> This key may be revoked by DSA key 8C5F4D13 [?]
> pub 1024D/F867286A created: 2004-11-09 expires: never trust: -/-
> sub 3072g/EC820541 created: 2004-11-09 expires: never
> (1). Named File Transfer
>
> Command> check
> uid Named File Transfer
> sig! F867286A 2004-11-09 [self-signature]
> 1 signature not checked due to a missing key
>
> Command>
>
>
> The problem is that even if I follow through and TRUST it anyway,
> when I try to decrypt a file from them I get an error: "mpi too
> large". I don't know if the problems are even related.

Probably unrelated. The "signature not checked" is not an error, but normal operation: the key you imported has a signature from a key you don't have. It's just a note so you can go out and get this other key if you care.

The "mpi too large" is a problem, but likely on the sender side. Do you know what program they are using to encrypt?

David

From patrick at mozilla-enigmail.org Tue Dec 20 17:13:29 2005
From: patrick at mozilla-enigmail.org (Patrick Brunschwig)
Date: Tue Dec 20 17:16:27 2005
Subject: Problem using open PGP and enigmail
In-Reply-To: <439628C6.4080600__34723.133853595$1133979303$gmane$org@csaengineering.com>
References: <439628C6.4080600__34723.133853595$1133979303$gmane$org@csaengineering.com>
Message-ID:

Paul Wilke wrote:
> Hi,
>
> I just upgraded to Thunderbird email version 1.5 RC1. I also upgraded
> my enigmail. Now, when I try to send an encrypted email, I get the error:
>
> "gpg: can't handle text lines longer than 19995 characters"
>
> How do I fix this? I don't use command line gpg, but rather enigmail
> extension to thunderbird for this. Thanks.

Try to rewrap the message before sending (Edit > Rewrap)

-Patrick

From milan.lehocky at gmail.com Tue Dec 20 17:26:47 2005
From: milan.lehocky at gmail.com (Milan Lehocky)
Date: Tue Dec 20 17:26:30 2005
Subject: GPGME signing problem
In-Reply-To: <87psnscbwn.fsf@wheatstone.g10code.de>
References: <8dfcd0510512130835v643e3555ja8d0c3895cc7e42e@mail.gmail.com> <877ja7ltiw.fsf@wheatstone.g10code.de> <8dfcd0510512150846u7f9a6185md1d4d900959244d1@mail.gmail.com> <87psnscbwn.fsf@wheatstone.g10code.de>
Message-ID: <8dfcd0510512200826l280687e7i52f9e37f998b12b5@mail.gmail.com>

Hi,

I found the problem: the script mkstatus (which should generate status-table.h) is not working because of awk used there. The awk on my SunOS 5.8 seems not to accept using variables without '-vvar=value' etc.. I modified the script and it works now :)

Thanks a lot for your time,

Milan

On 12/20/05, Werner Koch wrote:
> On Thu, 15 Dec 2005 17:46:05 +0100, Milan Lehocky said:
>
> > fd 3: got `[GNUPG:] GET_HIDDEN passphrase.enter
> > '
> > posix-io.c:340: gpgme:select on [ r3 r10 ]
> > posix-io.c:386: select OK [ ]
> > posix-io.c:340: gpgme:select on [ r3 r10 ]
> > posix-io.c:386: select OK [ ]
> > posix-io.c:340: gpgme:select on [ r3 r10 ]
> > ....
> > this continues until i press ctr-c
>
> > gpg asks for passphrase, but nothing happens
>
> Sure that you registered the passphrase callback?
>
>
> Salam-Shalom,
>
> Werner
>
>

From abhalerao at apple.com Tue Dec 20 00:15:21 2005
From: abhalerao at apple.com (amit bhalerao)
Date: Tue Dec 20 17:46:26 2005
Subject: Moving the GPG keys from 1 machine to another
Message-ID: <6FB2D371-4B4B-4F52-96DE-C9FE1FD76118@apple.com>

Hi ,

We have just completed the migration of the application from 1 AIX box to another and have changed the encryption from PGP to GPG. Since there are many external vendors involved the process is bit tedious following up with vendor to change keys.

Just wanted to confirm in case if we move the application from 1 AIX box to another :

1. Do we have to create a new GPG keys on new machine and send it to vendor and repeat the tedious process again everytime we move to new machine?

2. Is there any way we can migrate GPG keys from old box to new box without following up with vendors to change key at their end?

If anyone has done before please let me know.

Thanks,
Amit

From dshaw at jabberwocky.com Tue Dec 20 17:59:37 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue Dec 20 17:59:17 2005
Subject: Moving the GPG keys from 1 machine to another
In-Reply-To: <6FB2D371-4B4B-4F52-96DE-C9FE1FD76118@apple.com>
References: <6FB2D371-4B4B-4F52-96DE-C9FE1FD76118@apple.com>
Message-ID: <20051220165937.GA7752@jabberwocky.com>

On Mon, Dec 19, 2005 at 03:15:21PM -0800, amit bhalerao wrote:
> Hi ,
>
> We have just completed the migration of the application from 1
> AIX box to another and have changed the encryption from PGP to GPG.
> Since there are many external vendors involved the process is bit
> tedious following up with vendor to change keys.
> Just wanted to confirm in case if we move the application from 1
> AIX box to another :
> 1. Do we have to create a new GPG keys on new machine and send it
> to vendor and repeat the tedious process again everytime we move to
> new machine?

No, you don't.

> 2. Is there any way we can migrate GPG keys from old box to new box
> without following up with vendors to change key at their end?
> If anyone has done before please let me know.

On old box:

  gpg --export (thekey) > mykeyfile.gpg
  gpg --export-secret-keys (thekey) >> mykeyfile.gpg

(now copy mykeyfile.gpg from old machine to new)

On new box:

  gpg --import mykeyfile.gpg

David

From JPClizbe at comcast.net Tue Dec 20 18:18:46 2005
From: JPClizbe at comcast.net (John Clizbe)
Date: Tue Dec 20 18:19:39 2005
Subject: Moving the GPG keys from 1 machine to another
In-Reply-To: <6FB2D371-4B4B-4F52-96DE-C9FE1FD76118@apple.com>
References: <6FB2D371-4B4B-4F52-96DE-C9FE1FD76118@apple.com>
Message-ID: <43A83CF6.6000309@comcast.net>

amit bhalerao wrote:
> Hi ,
>
> We have just completed the migration of the application from 1
> AIX box to another and have changed the encryption from PGP to GPG.
> Since there are many external vendors involved the process is bit
> tedious following up with vendor to change keys.

Vendor follow-up? It should have been transparent to an external entity.

> Just wanted to confirm in case if we move the application from 1
> AIX box to another :
> 1. Do we have to create a new GPG keys on new machine and send it
> to vendor and repeat the tedious process again everytime we move to
> new machine?

All that is necessary is to binary copy the *.gpg files (pubring.gpg; secring.gpg; trustdb.gpg; and trustedkeys.gpg, if it exists) along with gpg.conf from the GnuPG home directory (usually ~/.gnupg) on one machine to the new machine.

> 2. Is there any way we can migrate GPG keys from old box to new box
> without following up with vendors to change key at their end?
> If anyone has done before please let me know.

See Above.

As a rule, GnuPG keyring files are binary-compatible across OS versions. The same applies to PGP keyring files (pubring.pkr & secring.skr). There should really be no need to change to a new key unless the old key expires or is compromised. (You *DO* have revocation certs generated and safely stored off-machine "just in case", right?)

Since you mentioned you changed from PGP to GnuPG above, you can migrate all your PGP keys to GnuPG usually simply by importing the keyrings:

  gpg --import secring.skr
  gpg --import pubring.pkr

Imported keypairs will need to be set to 'Ultimate Trust' in GnuPG; this is called 'Implicit Trust' in PGP.

--
John P. Clizbe                 Inet: JPClizbe(a)comcast DOT nyet
Golden Bear Networks           PGP/GPG KeyID: 0x608D2A10
"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"

From henkdebruijn at wanadoo.nl Tue Dec 20 20:08:12 2005
From: henkdebruijn at wanadoo.nl (Henk M. de Bruijn)
Date: Wed Dec 21 03:03:57 2005
Subject: [Announce] GnuPG 1.9.20 (S/MIME and gpg-agent) released
In-Reply-To: <87acewc96q.fsf@wheatstone.g10code.de>
References: <87acewc96q.fsf@wheatstone.g10code.de>
Message-ID: <108174341.20051220200812@wanadoo.nl>

On Tue, 20 Dec 2005 12:14:05 +0100GMT (20-12-2005, 12:14 +0200, where I live), Werner Koch wrote:

> We are pleased to announce the availability of GnuPG 1.9.20 - the
> branch of GnuPG featuring the S/MIME protocol. You should consider
> using GnuPG 1.9 if you want to use the GPG-AGENT or GPGSM. The
> GPG-AGENT is also helpful when using the stable GPG version 1.4 or if
> you want to check out its ssh-agent replacement feature.
> GnuPG 1.9 is the current development version of GnuPG. Despite of
> that, most parts (in particular GPG-AGENT and GPGSM) are considered
> ready for production use. Please keep on using GnuPG 1.4.x for
> OpenPGP; 1.9 and 1.4 may - and actually should - be installed
> simultaneously.

Would love to test this under Windows XP.

Next to that I am looking for a possibility of keysigning with one or two of the GnuPG team (David, Stefan, Timo and Werner). Where are you guys living?

--
cheers,
Henk M. de Bruijn
______________________________________________________________________
The Bat! Natural E-Mail System? version 3.63.15 (Beta) Pro on Windows XP SP2
PGPkey at: http://www.biglumber.com/x/web?qs=0X11EECBEEB464DD0F
Gossamer Spider Web of Trust http://www.gswot.org
A progressive and innovative Web of Trust

From holger.schuettel at googlemail.com Wed Dec 21 11:02:56 2005
From: holger.schuettel at googlemail.com (Holger Schuettel)
Date: Wed Dec 21 12:09:47 2005
Subject: Create key's over 4096 bit ????
Message-ID: <43A92850.9000000@googlemail.com>

Hi

I've any questions. How can i generate a keypair with size more than 4096 bits? I've a RSA key from my friend in my keyring with 16384 bits. How is that possible? I've to try it with gnupg to generate a key over 4096 bits and thats not possible. Can you help me ?

Sorry for my english :-)

(german answer preferred)

Many Thanks and

--
________________________________________________________________________________
With best regards, Holger Schuettel
E-Mail: holger.schuettel@googlemail.com
FAX: + 49 69 13 30 69 12 572
Homepage Gnupg: http://www.gnupg.org/
GnuPG-Key-ID: 0xC956679A http://tinyurl.com/9b4y8
Fingerprint: 96A0 B66D D1B7 620D 9C3D E5F9 8EAA B85E C956 679A
Encrypted e-mail preferred.

From johanw at vulcan.xs4all.nl Wed Dec 21 16:36:28 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Wed Dec 21 16:34:48 2005
Subject: Create key's over 4096 bit ????
In-Reply-To: <43A92850.9000000@googlemail.com>
Message-ID: <200512211536.jBLFaS9W002767@vulcan.xs4all.nl>

Holger Schuettel wrote:

>I've any questions. How can i generate a keypair with size more than
>4096 bits? I've a RSA key from my friend in my keyring with 16384 bits.
>How is that possible?

It's probably created with one of the many hacked versions of pgp 2.x that are around. The 2048 bits 2.x enforced was an arbitrary cutoff - the code could be used for 16k keys max.

>I've to try it with gnupg to generate a key over
>4096 bits and thats not possible. Can you help me ?

I'm sure it's possible to hack the gpg sourcecode to do it. I found in g10/keygen.c the lines:

    static unsigned
    ask_keysize( int algo )
    {
        unsigned nbits,min,def=2048,max=4096;
    [...]

If you change the max= into the size you want, I think it would work. I don't know how large RSA keys the gpg code can really handle, so I would do a bit more checking before you adapt your gpg version.

>(german answer preferred)

Sorry, my German writing is far worse than my English.

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From cam at mathematica.scientia.net Wed Dec 21 18:36:20 2005
From: cam at mathematica.scientia.net (Christoph Anton Mitterer)
Date: Wed Dec 21 18:36:19 2005
Subject: Create key's over 4096 bit ????
In-Reply-To: <43A92850.9000000@googlemail.com>
References: <43A92850.9000000@googlemail.com>
Message-ID: <43A99294.6010408@mathematica.scientia.net>

Holger Schuettel wrote:

> I've any questions. How can i generate a keypair with size more than
> 4096 bits? I've a RSA key from my friend in my keyring with 16384 bits.

This is not desirable at all.

- First of all you may encounter compatibility problems (although I haven't found any limit on the key size in the standard).
- And even from a cryptographic point of view this wouldn't make sense (as far as I know), as currently hashfunctions are the weak point of the whole system.

Regards,
Chris.

From alex at milivojevic.org Wed Dec 21 21:23:26 2005
From: alex at milivojevic.org (Aleksandar Milivojevic)
Date: Wed Dec 21 21:25:19 2005
Subject: using gpgsm
Message-ID: <20051221142326.2t6o7ivrtwkg08og@www.milivojevic.org>

I've downloaded GnuPG 1.9.20, just to do some testing with S/MIME, considering it as replacement for openssl tools once stable version is out. However, have some trouble with using it.

I was able to import CA certificate, and importing other certificates seems to work too (almost). I wasn't able to import my private key (with certificate) from PKCS#12 file. I've generated the PKCS#12 file using:

  openssl pkcs12 -export -in file.crt -inkey file.key -out file.p12

This is what I get when running gpgsm:

  $ gpgsm --import file.p12
  Secure memory is not locked into core
  gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION!
  gpgsm: It is only intended for test purposes and should NOT be
  gpgsm: used in a production environment or with production keys!
  gpgsm: gpgsm: GPG_TTY has not been set - using maybe bogus default
  gpgsm: gpg-protect-tool: Secure memory is not locked into core
  gpgsm: gpg-protect-tool: gpg-agent is not available in this session
  gpgsm: gpg-protect-tool: error while asking for the passphrase: Invalid digest algorithm
  gpgsm: error running `/srv/test/libexec/gpg-protect-tool': exit status 2
  gpgsm: total number processed: 0

I've also attempted to use -keypbe and -certpbe options to openssl to specify different algorithms to use (for example PBE-SHA1-3DES), but no luck. Gpgsm simply fails to process those file.

I was able to import the certificate separately from the PEM encoded file (file.crt from openssl example above). So I know that certificate is good. But not really useful if I can't get gpgsm to import the private key too. Attempting to generate new private key using --gen-key hasn't worked either (this function is not yet available from the commandline).

Another question is about support for non US-ASCII characters in certificates (something tells me you might be getting lot of these questions). I've received one certificate that has some accented letters in CN and OU. After importing it, and then doing "gpgsm --list-keys", the output shows the Subject without CN and OU (only O, L, ST and C are displayed). Is this certificate unusable with gpgsm, or is this just displaying issue (gpgsm simply not displaying attributes that have accented characters in them).

From vedaal at hush.com Wed Dec 21 23:17:01 2005
From: vedaal at hush.com (vedaal@hush.com)
Date: Wed Dec 21 23:16:46 2005
Subject: Create key's over 4096 bit ????
Message-ID: <20051221221704.EF4B033C5B@mailserver5.hushmail.com>

Holger Schuettel wrote:

>I've any questions. How can i generate a keypair with size more than
>4096 bits? I've a RSA key from my friend in my keyring with 16384 bits.
>How is that possible?

16k rsa keys are very bulky to use, and provide *very, very, long* signatures (i tried it out just to see what would happen,;-) but see no advantage, and have not bothered to make a another key for security use, after trying the test key but if you really want to try out of curiosity and then be done with it, it is compatible with gnupg

the only existing program that does this, (as far as i know) is the ckt hacked version of pgp 6.5.8 (available only in english)

it is available here:
ftp://ftp.zedz.net/pub/crypto/pgp/pgp60/pgp658_ckt/

click on the last line pgp658ckt09b3.zip this is compatible with the gnupg improved hash protection of the secret key ckt editions prior to 08 are not compatible with current gnupg

but to save yourself a great deal of time, i can send you a test 16k rsa key pair, that you can import into gnupg, and see for yourself that it is nothing you would really benefit from using, if, after trying it, you still want to generate your own, then you can get the ckt program

here is a free translation service between english and german, and i have used it for the translation of this message that appears below
http://translate.google.com/translate_t

so, if the german is inaccurate, or sounds silly, please blame them ;-)

good luck,

vedaal

Schlüssel des rsa 16k sind sehr umfangreich zu verwenden und liefern * sehr sehr lang * Unterzeichnungen (mich versuchte es heraus gerade, um zu sehen was geschehen würde,; -) aber sehen keinen Vorteil und haben nicht gestört, einen einen anderen Schlüssel für Sicherheitsgebrauch, nachdem sie die Test-Taste aber versucht haben, wenn Sie wirklich von der Neugier ausprobieren und mit ihr dann getan werden möchten, sie, zu bilden ist kompatibel mit gnupg

das einzige vorhandene Programm, das dies tut, (insoweit ich weiß), ist die ckt zerhackte Version von PGP 6,5,8 (vorhanden nur auf englisch)

es ist hier vorhanden:
ftp://ftp.zedz.net/pub/crypto/pgp/pgp60/pgp658_ckt/

klicken Sie an die letzte Linie pgp658ckt09b3.zip, das dieses mit dem gnupg verbesserten Durcheinanderschutz der geheimen SchlüsselCKTausgaben vor 08 sind nicht kompatibel mit gegenwärtigem gnupg kompatibel ist

aber, sich viel Zeit zu speichern, kann ich Ihnen ein rsa- Schlüsselpaar des Tests 16k schicken, das Sie in gnupg importieren können, und sehe für selbst, daß es nichts ist, das Sie wirklich vom Verwenden profitieren würden, wenn, nachdem Sie es versucht haben, Sie noch Ihre Selbst erzeugen möchten, dann können Sie das ckt programm erhalten

ist hier ein freier Übersetzungsdienst zwischen englischem und deutschem, und ich habe es für die Übersetzung dieser Anzeige verwendet, die unter
http://translate.google.com/translate_t
erscheint

so wenn der Deutsche ungenau ist, oder klingt, tadelt sie bitte dumm ;-)

gutes Glück,

vedaal

From cam at mathematica.scientia.net Wed Dec 21 23:25:07 2005
From: cam at mathematica.scientia.net (Christoph Anton Mitterer)
Date: Wed Dec 21 23:24:44 2005
Subject: Create key's over 4096 bit ???? (OT)
In-Reply-To: <20051221221704.EF4B033C5B@mailserver5.hushmail.com>
References: <20051221221704.EF4B033C5B@mailserver5.hushmail.com>
Message-ID: <43A9D643.7070400@mathematica.scientia.net>

>Schlüssel des rsa 16k sind sehr umfangreich zu verwenden und
>liefern * sehr sehr lang * Unterzeichnungen (mich versuchte es
>heraus gerade, um zu sehen was geschehen würde,; -) aber sehen
>keinen Vorteil und haben nicht gestört, einen einen anderen
>Schlüssel für Sicherheitsgebrauch, nachdem sie die Test-Taste aber
>versucht haben, wenn Sie wirklich von der Neugier ausprobieren und
>mit ihr dann getan werden möchten, sie, zu bilden ist kompatibel
>mit gnupg
>
>das einzige vorhandene Programm, das dies tut, (insoweit ich weiß),
>ist die ckt zerhackte Version von PGP 6,5,8 (vorhanden nur auf
>englisch)
>
>es ist hier vorhanden:
>ftp://ftp.zedz.net/pub/crypto/pgp/pgp60/pgp658_ckt/
>
>klicken Sie an die letzte Linie pgp658ckt09b3.zip, das dieses mit
>dem gnupg verbesserten Durcheinanderschutz der geheimen
>SchlüsselCKTausgaben vor 08 sind nicht kompatibel mit gegenwärtigem
>gnupg kompatibel ist
>
>aber, sich viel Zeit zu speichern, kann ich Ihnen ein rsa-
>Schlüsselpaar des Tests 16k schicken, das Sie in gnupg importieren
>können, und sehe für selbst, daß es nichts ist, das Sie wirklich
>vom Verwenden profitieren würden,
>wenn, nachdem Sie es versucht haben, Sie noch Ihre Selbst erzeugen
>möchten, dann können Sie das ckt programm erhalten
>
>
>ist hier ein freier Übersetzungsdienst zwischen englischem und
>deutschem, und ich habe es für die Übersetzung dieser Anzeige
>verwendet, die unter
>http://translate.google.com/translate_t
>erscheint
>
>so wenn der Deutsche ungenau ist, oder klingt,
>tadelt sie bitte dumm ;-)
>
>gutes Glück,
>
>vedaal
>
>

lol,.. what does this show? Translation software is simply no good....

From vedaal at hush.com Wed Dec 21 23:58:47 2005
From: vedaal at hush.com (vedaal@hush.com)
Date: Wed Dec 21 23:58:23 2005
Subject: Create key's over 4096 bit ???? (OT)
Message-ID: <20051221225850.7DD7533C23@mailserver5.hushmail.com>

Christoph Anton Mitterer cam at mathematica.scientia.net wrote on Wed Dec 21 23:25:07 CET 2005 :

> lol,.. what does this show? Translation software is simply
>no good....

i must agree with you *completely* about this :-)))

i just translated the german translation back into english using the google translator program and it was nothing like the original english message at all

i didn't think it would be *that* 'bad' of a translation !

sorry for any confusion it may have caused to the original poster,

vedaal

From alex at milivojevic.org Thu Dec 22 05:12:03 2005
From: alex at milivojevic.org (Aleksandar Milivojevic)
Date: Thu Dec 22 05:20:10 2005
Subject: Create key's over 4096 bit ????
In-Reply-To: <20051221221704.EF4B033C5B@mailserver5.hushmail.com>
References: <20051221221704.EF4B033C5B@mailserver5.hushmail.com>
Message-ID: <43AA2793.2010405@milivojevic.org>

vedaal@hush.com wrote:
> 16k rsa keys are very bulky to use, and provide *very, very, long*
> signatures (i tried it out just to see what would happen,;-) but
> see no advantage, and have not bothered to make a another key for
> security use, after trying the test key but if you really want
> to try out of curiosity and then be done with it, it is compatible
> with gnupg

My previous message somehow didn't make it to the list. Anyhow, I can only confirm what you wrote. If you want to play with 16k RSA key, one way to do it is to use "openssl genrsa -des3 -out long.key 16384". You can then create self signed certificate to play with.

It takes somewhere around 13-14 minutes to generate 16k RSA key on 2.8GHz Pentium D. On slower machine, it can take hours to generate 16k RSA key. So have lots of patience when experimenting. Very soon you'll realize why nobody uses such long keys. The 4k limit is there for your own protection ;-)

If you really have tons of time to waste, openssl will allow you to create even longer keys (why not try 262144 bit long key, and let us know how long it took to generate).

From the security standpoint, more bits do not buy you more security. Having 16k key or 2k key will buy you about the same security. It is not all in the key length. My opinion is, just use 2k key. It will serve you well. I generated one 4k key some time ago, and have almost never used it. Looking back, that was really pointless thing to do.

From alex at milivojevic.org Wed Dec 21 19:02:14 2005
From: alex at milivojevic.org (Aleksandar Milivojevic)
Date: Thu Dec 22 06:41:20 2005
Subject: Create key's over 4096 bit ????
In-Reply-To: <43A92850.9000000@googlemail.com>
References: <43A92850.9000000@googlemail.com>
Message-ID: <20051221120214.4ilo2ygxwg8k8g4w@www.milivojevic.org>

Quoting Holger Schuettel :

> I've any questions. How can i generate a keypair with size more than
> 4096 bits? I've a RSA key from my friend in my keyring with 16384 bits.
> How is that possible?

Your friend probably used some hacked code that has limit removed.

Anyhow, generating such a long key isn't going to buy you anything (other than people making jokes about you). The 2048 bit keys are more than sufficiently long. If you *really* want long key, use 4096 (you are not going to be any more secure, but if it will make you feel better go for it). I've one 4096 bit key that I almost never used (the ones that I did use were all at most 2048 bits long). This includes both PGP and S/MIME keys.

It would take *very* long time to generate 16k key. On my 2.8GHz Pentium D it is very slow. All operations on such a long key would also take a lot of CPU cycles. See for yourself:

  $ openssl genrsa -out looong.key 16384

From atom at smasher.org Thu Dec 22 06:47:05 2005
From: atom at smasher.org (Atom Smasher)
Date: Thu Dec 22 06:46:51 2005
Subject: Create key's over 4096 bit ????
In-Reply-To: <43AA2793.2010405@milivojevic.org>
References: <20051221221704.EF4B033C5B@mailserver5.hushmail.com> <43AA2793.2010405@milivojevic.org>
Message-ID: <20051222054709.97910.qmail@smasher.org>

On Wed, 21 Dec 2005, Aleksandar Milivojevic wrote:

> From the security standpoint, more bits do not buy you more security.
> Having 16k key or 2k key will buy you about the same security. It is
> not all in the key length. My opinion is, just use 2k key. It will
> serve you well. I generated one 4k key some time ago, and have almost
> never used it. Looking back, that was really pointless thing to do.
======================

to paraphrase bruce schneier: what's more secure? a fence that's a thousand feet tall or a fence that's ten thousand feet tall?

that said, computers keep getting faster and attacks keep getting better. back in the early days of PGP(tm) a 1024 bit key would have been considered bigger than you'd ever need. history has shown that 1024 bit keys are now generally considered the smallest key you'd want to use, and may not be "safe" over the course of the next 10-20 years.

the thing to bear in mind, though, is that a 2048 bit key isn't *just* twice as strong as a 1024 bit key... (according to my math, please correct me if i'm wrong) it's this many times stronger:

17976931348623159077293051907890247336179769789423065727343008115773\
26758055009631327084773224075360211201138798713933576587897688144166\
22492847430639474124377767893424865485276302219601246094119453082952\
08500576883815068234246288147391311054082723716335051068458629823994\
7245938479716304835356329624224137216

a 1025 bit key (if there was such a thing) would be [merely] twice as strong as a 1024 bit key. a 1028 bit key would be 16 times stronger. compared to a 1024 bit key, a 4096 bit key is stronger by a number that's represented by (about) 4624 decimal digits.

since no one has publicly broken a 1K key i feel pretty safe using 2K keys for everyday stuff.

also, anyone considering huge keys should read this section from the diceware FAQ - and remember that breaking a key is the hardest way to "break" pgp... there are a lot of easier methods, such as key-loggers and spy-cameras.

--
...atom

 _________________________________________
 PGP key - http://atom.smasher.org/pgp.txt
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
 -------------------------------------------------

 "What sane person could live in this world and not be crazy?"
 -- Ursula K. LeGuin

From johanw at vulcan.xs4all.nl Wed Dec 21 20:16:43 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Thu Dec 22 10:24:15 2005
Subject: Create key's over 4096 bit ????
In-Reply-To: <43A99294.6010408@mathematica.scientia.net>
Message-ID: <200512211916.jBLJGh1E003970@vulcan.xs4all.nl>

Christoph Anton Mitterer wrote:

>- And even from a cryptographic point of view this wouldn't make sense
>(as far as I know), as currently hashfunctions are the weak point of the
>whole system.

That depends on what you consider important. Hash functions are only used for signing; for encryption, currently the 256 bit algo's are the strongest.

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From johanw at vulcan.xs4all.nl Thu Dec 22 10:45:19 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Thu Dec 22 11:30:27 2005
Subject: Create key's over 4096 bit ????
In-Reply-To: <20051222054709.97910.qmail@smasher.org>
Message-ID: <200512220945.jBM9jJQE002312@vulcan.xs4all.nl>

Atom Smasher wrote:

>a 1025 bit key (if there was such a thing) would be [merely] twice as
>strong as a 1024 bit key. a 1028 bit key would be 16 times stronger.

That is true for symmetric encryption, but not for the algorithms used for public key encryption since the attacks on RSA and ElGamal are better.

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From mlisten at hammernoch.net Thu Dec 22 11:41:19 2005
From: mlisten at hammernoch.net (Ludwig Hügelschäfer)
Date: Thu Dec 22 11:40:54 2005
Subject: Create key's over 4096 bit ????
In-Reply-To: <200512220945.jBM9jJQE002312@vulcan.xs4all.nl>
References: <200512220945.jBM9jJQE002312@vulcan.xs4all.nl>
Message-ID: <43AA82CF.3050406@hammernoch.net>

On 22.12.2005 11:37 Uhr, Johan Wevers wrote:
> Atom Smasher wrote:
>
>> a 1025 bit key (if there was such a thing) would be [merely] twice as
>> strong as a 1024 bit key. a 1028 bit key would be 16 times stronger.
>
> That is true for symmetric encryption, but not for the algorithms used
> for public key encryption since the attacks on RSA and ElGamal are better.

That's true. Even considering a brute force attack, 1025 bits is on average only sqrt(2) better than 1024 bits.

Ludwig

From johanw at vulcan.xs4all.nl Thu Dec 22 11:47:18 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Thu Dec 22 11:47:32 2005
Subject: Create key's over 4096 bit ????
In-Reply-To: <43AA7598.2020000@hammernoch.net>
Message-ID: <200512221047.jBMAlIpk002960@vulcan.xs4all.nl>

Ludwig wrote:

>> for encryption, currently the 256 bit algo's are the strongest.

>Please don't mix symmetrical encryption strength (I suppose you are
>referring to the session key length/encryption algo) with asymmetrical
>encryption strength.
>
>A chain is only as strong as its weakest element.

Indeed. And the symmetrical algorithms are currently certainly not the weakest element. A symmetrical algo with no better than brute force attacks and 128 bits is comparable to a RSA or DH key of about 2400 bits. The 256 bit symmetrical algo's are of course stronger, I don't know how much compared with public key strength.

And anyway, because breaking the pubkey algo allows one to read all encrypted messages and breaking the symmetric key to read only one it makes sense to try to make the pubkey algo the strongest element.

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From cam at mathematica.scientia.net Thu Dec 22 13:43:05 2005
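
[Added example, not part of any message in this archive: the three ways of counting RSA key strength that appear in the messages above (one doubling per bit, brute-force factoring, and "better" attacks on public-key algorithms), put side by side. The function names are made up for this illustration, and the third model is an assumption: it uses the general number field sieve heuristic running time with its o(1) term dropped, which gives a rough yardstick rather than a cost estimate.]

```python
"""Three models of how much attacker work a longer RSA modulus buys."""
import math

# Constant (64/9)^(1/3) of the GNFS heuristic running time L_n[1/3, c].
GNFS_C = (64.0 / 9.0) ** (1.0 / 3.0)


def keyspace_bits(modulus_bits):
    """Model 1: every extra bit doubles the work (ideal symmetric key)."""
    return float(modulus_bits)


def trial_division_bits(modulus_bits):
    """Model 2: brute-force factoring, trying divisors up to sqrt(n)."""
    return modulus_bits / 2.0


def gnfs_bits(modulus_bits):
    """Model 3 (assumed): log2 of exp(c * (ln n)^(1/3) * (ln ln n)^(2/3))."""
    if modulus_bits < 16:
        raise ValueError("the asymptotic formula is meaningless for tiny n")
    ln_n = modulus_bits * math.log(2)
    work_nats = GNFS_C * ln_n ** (1.0 / 3.0) * math.log(ln_n) ** (2.0 / 3.0)
    return work_nats / math.log(2)


def gain_bits(model, small_bits, large_bits):
    """Number of doublings of attacker work bought by the larger key."""
    return model(large_bits) - model(small_bits)


def modulus_bits_for(symmetric_bits):
    """Smallest modulus size (multiple of 8) whose GNFS estimate reaches
    the given symmetric level."""
    bits = 16
    while gnfs_bits(bits) < symmetric_bits:
        bits += 8
    return bits


def report(sizes=(1024, 1025, 2048, 2400, 4096, 16384)):
    """One row per size: (bits, model 1, model 2, model 3 rounded)."""
    return [
        (b, keyspace_bits(b), trial_division_bits(b), round(gnfs_bits(b), 1))
        for b in sizes
    ]


if __name__ == "__main__":
    print("  bits  keyspace  trial-div  GNFS (log2 of work)")
    for bits, ks, td, nfs in report():
        print(f"{bits:6d} {ks:9.0f} {td:10.1f} {nfs:10.1f}")
    print()
    print("1024 -> 2048 bits, doublings of work gained:")
    print("  keyspace model :", gain_bits(keyspace_bits, 1024, 2048))
    print("  trial division :", gain_bits(trial_division_bits, 1024, 2048))
    print("  GNFS heuristic :", round(gain_bits(gnfs_bits, 1024, 2048), 1))
    print("1024 -> 1025 bits under GNFS:",
          round(gain_bits(gnfs_bits, 1024, 1025), 3), "doublings")
    print("modulus size matching a 128-bit symmetric key:",
          modulus_bits_for(128), "bits")
```

Under the keyspace model the step from 1024 to 2048 bits is worth 1024 doublings (the 309-digit number quoted earlier in the thread), while under the sieve heuristic it is worth about 30, and a 2400-bit modulus lands near the 128-bit symmetric level mentioned above.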
From: cam at mathematica.scientia.net (Christoph Anton Mitterer)
Date: Thu Dec 22 13:42:39 2005
Subject: Create key's over 4096 bit ????
In-Reply-To: <200512211916.jBLJGh1E003970@vulcan.xs4all.nl>
References: <200512211916.jBLJGh1E003970@vulcan.xs4all.nl>
Message-ID: <43AA9F59.3010303@mathematica.scientia.net>

Johan Wevers wrote:

>Christoph Anton Mitterer wrote:
>
>>- And even from a cryptographic point of view this wouldn't make sense
>>(as far as I know), as currently hashfunctions are the weak point of the
>>whole system.
>
>That depends on what you consider important. Hash functions are only used
>for signing; for encryption, currently the 256 bit algo's are the strongest.

Yes and no,... (btw: The strongest hash should have 512 (SHA512), or am I
wrong?)

It is true that you don't directly use hash functions when encrypting
data. But you need it indirectly too. If you encrypt to another key,..
your implementation is going to check the validity of that key (either
you've signed/certified it yourself or via some trust-path). And these
certificates are "bound" to the hash...

Ok,.. you could argue that one uses its key for local encryption only,..
but perhaps one should use other tools for that task...

Chris.

From wk at gnupg.org Thu Dec 22 14:16:52 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Dec 22 14:22:11 2005
Subject: Create key's over 4096 bit ????
In-Reply-To: <43A99294.6010408@mathematica.scientia.net> (Christoph Anton Mitterer's message of "Wed, 21 Dec 2005 18:36:20 +0100")
References: <43A92850.9000000@googlemail.com> <43A99294.6010408@mathematica.scientia.net>
Message-ID: <87acet6zln.fsf@wheatstone.g10code.de>

On Wed, 21 Dec 2005 18:36:20 +0100, Christoph Anton Mitterer said:

> - And even from a cryptographic point of view this wouldn't make sense
> (as far as I know), as currently hashfunctions are the weak point of the
> whole system.

The actual weak point is the missing bugfreeness of the implementation,
the toolchain, the OS, the microcode and the hardware.

Talking about 4k keys is in this respect useless - unless you have
very special requirements and can neglect the above points. However,
with such requirements you will also have the staff and money to take
proper decisions and implement new code from scratch.

Shalom-Salam,

Werner

From eocsor at gmail.com Thu Dec 22 09:43:30 2005
From: eocsor at gmail.com (Roscoe)
Date: Thu Dec 22 14:34:27 2005
Subject: Create key's over 4096 bit ????
In-Reply-To: <20051222054709.97910.qmail@smasher.org>
References: <20051221221704.EF4B033C5B@mailserver5.hushmail.com> <43AA2793.2010405@milivojevic.org> <20051222054709.97910.qmail@smasher.org>
Message-ID:

Well, I don't think the difficulty of breaking an asymmetrical key doubles
per bit like it does for symmetrical keys.

From vedaal at hush.com Thu Dec 22 16:04:32 2005
From: vedaal at hush.com (vedaal@hush.com)
Date: Thu Dec 22 16:04:48 2005
Subject: Create key's over 4096 bit ????
Message-ID: <200512221504.jBMF4ZAE022685@mailserver2.hushmail.com>

>Message: 4
>Date: Wed, 21 Dec 2005 22:12:03 -0600
>From: Aleksandar Milivojevic
>Subject: Re: Create key's over 4096 bit ????

> It takes somewhere around 13-14 minutes to generate 16k RSA key on
> 2.8GHz Pentium D. On slower machine, it can take hours to generate
> 16k RSA key. So have lots of patience when experimenting. Very soon
> you'll realize why nobody uses such long keys.

even after it is generated, it takes much longer to work with,
the signature block alone, is 44 lines !

here is a sample 16k v4 rsa key pair,
with rijndael 256 as the preferred symmetrical algorithm,
the passphrase is the same as the keyname: rsa16k

after trying it for a half hour or less,
it should be out of everyone's curiosity ;-)

vedaal

From atom at smasher.org Thu Dec 22 17:00:18 2005
From: atom at smasher.org (Atom Smasher)
Date: Thu Dec 22 16:59:57 2005
Subject: Create key's over 4096 bit ????
In-Reply-To: <43AA82CF.3050406@hammernoch.net>
References: <200512220945.jBM9jJQE002312@vulcan.xs4all.nl> <43AA82CF.3050406@hammernoch.net>
Message-ID: <20051222160021.31745.qmail@smasher.org>

On Thu, 22 Dec 2005, Ludwig Hügelschäfer wrote:

> That's true. Even considering a brute force attack, 1025 bits is on
> average only sqrt(2) better than 1024 bits.
===============

so, does that mean that a 2048 bit asymmetric key is (only) this many
times stronger than a 1024 bit key(?):

13407807929942597099574024998205846127479365820592393377723561443721\
76403007354697680187429816690342769003185818648605085375388281194656\
9946433649006084096

??? sqrt((2^2048)/(2^1024)) ???

i never studied higher math, so apologies for any confusion that i'm
adding to things.

--
...atom

_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------

"The real truth of the matter is, as you and I know, that a
financial element in the large centers has owned the
government of the U.S. since the days of Andrew Jackson."
-- Franklin Delano Roosevelt, November 21st, 1933

From mlisten at hammernoch.net Thu Dec 22 19:45:23 2005
From: mlisten at hammernoch.net (Ludwig Hügelschäfer)
Date: Thu Dec 22 19:45:08 2005
Subject: Create key's over 4096 bit ????
In-Reply-To: <20051222160021.31745.qmail@smasher.org>
References: <200512220945.jBM9jJQE002312@vulcan.xs4all.nl> <43AA82CF.3050406@hammernoch.net> <20051222160021.31745.qmail@smasher.org>
Message-ID: <43AAF443.4020304@hammernoch.net>

Hi,

On 22.12.2005 17:06, Atom Smasher wrote:

> On Thu, 22 Dec 2005, Ludwig Hügelschäfer wrote:
>
>> That's true. Even considering a brute force attack, 1025 bits is on
>> average only sqrt(2) better than 1024 bits.
> ===============
>
> so, does that mean that a 2048 bit asymmetric key is (only) this many
> times stronger than a 1024 bit key(?):
>
> 13407807929942597099574024998205846127479365820592393377723561443721\
> 76403007354697680187429816690342769003185818648605085375388281194656\
> 9946433649006084096

This is something around 10^156. This doesn't match my result below.

> ??? sqrt((2^2048)/(2^1024)) ???

Exactly. This gives for me 1,84467440737e+146 - please correct me when
I'm wrong.

> i never studied higher math, so apologies for any confusion that i'm
> adding to things.

If an attacker wants to find the specific primes whose product make up
the secret key of the victim, then the primes are usually around
sqrt(keylength).

Ludwig

From johanw at vulcan.xs4all.nl Fri Dec 23 14:52:18 2005
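Added example (not part of any message in this thread): the per-bit scaling argued over above, and the earlier "128 bits symmetric is comparable to about 2400 bits RSA" comparison, worked through with the textbook heuristic running time of the general number field sieve. Using that formula with its o(1) term dropped is an assumption made here to get a relative yardstick, and the function names are hypothetical.

```python
import math

# Heuristic GNFS running time for factoring n:
#   L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)),  c = (64/9)^(1/3)
GNFS_C = (64 / 9) ** (1 / 3)


def gnfs_work_bits(modulus_bits: int) -> float:
    """Return log2 of the estimated GNFS work for a modulus of this size.

    Assumption: the o(1) term of the asymptotic formula is dropped, so the
    value is only useful for comparing key sizes with each other.
    """
    if modulus_bits < 16:
        raise ValueError("estimate is meaningless for tiny moduli")
    ln_n = modulus_bits * math.log(2)
    work_nats = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work_nats / math.log(2)


def work_ratio(bits_from: int, bits_to: int) -> float:
    """How many times more GNFS work the larger modulus costs."""
    return 2.0 ** (gnfs_work_bits(bits_to) - gnfs_work_bits(bits_from))


def modulus_bits_for(symmetric_bits: float, lo: int = 512, hi: int = 1 << 20) -> int:
    """Smallest modulus size (at least `lo`) whose estimate reaches the
    work of brute-forcing a symmetric key of `symmetric_bits` bits."""
    if gnfs_work_bits(hi) < symmetric_bits:
        raise ValueError("target is beyond the search range")
    while lo < hi:  # the estimate grows monotonically, so bisect
        mid = (lo + hi) // 2
        if gnfs_work_bits(mid) >= symmetric_bits:
            hi = mid
        else:
            lo = mid + 1
    return lo


def report() -> None:
    """Print the comparisons discussed in the thread."""
    for size in (1024, 2048, 4096, 16384):
        print(f"RSA {size:>5} bits ~ 2^{gnfs_work_bits(size):.1f} operations")
    print(f"1024 -> 1025 bits: x{work_ratio(1024, 1025):.4f} work")
    print(f"1024 -> 1028 bits: x{work_ratio(1024, 1028):.4f} work")
    delta = gnfs_work_bits(2048) - gnfs_work_bits(1024)
    print(f"1024 -> 2048 bits: about 2^{delta:.1f} times the work")
    for sym in (128, 256):
        print(f"{sym}-bit symmetric ~ RSA {modulus_bits_for(sym)} bits")


if __name__ == "__main__":
    report()
```

Under this yardstick one extra modulus bit adds a few percent of work rather than a factor of 2 or sqrt(2), and the 128-bit equivalent lands in the mid-2000s of modulus bits.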
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Fri Dec 23 16:12:22 2005
Subject: Create key's over 4096 bit ????
In-Reply-To: <200512221504.jBMF4ZAE022685@mailserver2.hushmail.com>
Message-ID: <200512231352.jBNDqIQS003384@vulcan.xs4all.nl>

vedaal@hush.com wrote:

[snip 16k key]

>after trying it for a half hour or less,
>it should be out of everyone's curiosity ;-)

Over 15 years, why would I care it's slow with current hardware with
my then low-end multicore 20 GHz CPU? :-)

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From johanw at vulcan.xs4all.nl Fri Dec 23 14:49:32 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Fri Dec 23 16:12:27 2005
Subject: Create key's over 4096 bit ????
In-Reply-To: <87acet6zln.fsf@wheatstone.g10code.de>
Message-ID: <200512231349.jBNDnWQF003370@vulcan.xs4all.nl>

Werner Koch wrote:

>Talking about 4k keys is in this respect useless - unless you have
>very special requirements and can neglect the above points. However,
>with such requirements you will also have the staff and money to take
>proper decisions and implement new code from scratch.

Not necessarily. I don't think Bin Laden or Al Zawahiri have access to
a staff of capable cryptographers and programmers, but they certainly
have a need for strong encryption, and they can be certain the NSA will
do its best to decrypt any intercepted message.

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From atom at smasher.org Fri Dec 23 16:28:11 2005
From: atom at smasher.org (Atom Smasher)
Date: Fri Dec 23 16:27:48 2005
Subject: Create key's over 4096 bit ????
In-Reply-To: <200512231349.jBNDnWQF003370@vulcan.xs4all.nl>
References: <200512231349.jBNDnWQF003370@vulcan.xs4all.nl>
Message-ID: <20051223152814.5861.qmail@smasher.org>

On Fri, 23 Dec 2005, Johan Wevers wrote:

> Werner Koch wrote:
>
>> Talking about 4k keys is in this respect useless - unless you have very
>> special requirements and can neglect the above points. However, with
>> such requirements you will also have the staff and money to take proper
>> decisions and implement new code from scratch.
>
> Not necessarily. I don't think Bin Laden or Al Zawahiri have access to a
> staff of capable cryptographers and programmers, but they certainly have
> a need for strong encryption, and they can be certain the NSA will do its
> best to decrypt any intercepted message.
==================

maybe they can justify 4K keys for everyday use, although anything larger
would attract attention.

even then, how hard is it to get a group of non-geeks, who didn't grow up
with computers, to use pgp?

i think they're more likely to use carrier pigeons than pgp.

--
...atom

_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------

"We must have strong minds, ready to accept facts as they are."
-- President Harry Truman

"I don't care what the facts are."
-- President George H.W. Bush, 1988

From johanw at vulcan.xs4all.nl Fri Dec 23 18:11:44 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Fri Dec 23 18:51:32 2005
Subject: Create key's over 4096 bit ????
In-Reply-To: <20051223152814.5861.qmail@smasher.org>
Message-ID: <200512231711.jBNHBidM002009@vulcan.xs4all.nl>

Atom Smasher wrote:

>even then, how hard is it to get a group of non-geeks, who didn't grow up
>with computers, to use pgp?

I'm even trying to convince my girlfriend after the latest EU data
retention laws (combined with remailers).

>i think they're more likely to use carrier pigeons than pgp.

I've read that in Afghanistan they use couriers by horse who memorise the
message. That makes it practically uninterceptable.

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From vedaal at hush.com Fri Dec 23 19:07:07 2005
From: vedaal at hush.com (vedaal@hush.com)
Date: Fri Dec 23 19:06:50 2005
Subject: Create key's over 4096 bit ????
Message-ID: <200512231807.jBNI7ArJ044995@mailserver2.hushmail.com>

Johan Wevers johanw at vulcan.xs4all.nl
wrote on Fri Dec 23 14:52:18 CET 2005 :

> Over 15 years, why would I care it's slow with current hardware with
> my then low-end multicore 20 GHz CPU? :-)

might be interesting to see the year 2020 gnupg version,
the max keylength proposed then,
and then link back to this thread ;-)

vedaal

From holger.schuettel at googlemail.com Fri Dec 23 19:03:13 2005
From: holger.schuettel at googlemail.com (Holger Schuettel)
Date: Fri Dec 23 19:43:43 2005
Subject: Create key's over 4096 bit ????
In-Reply-To: <43A92850.9000000@googlemail.com>
References: <43A92850.9000000@googlemail.com>
Message-ID: <43AC3BE1.1060209@googlemail.com>

Holger Schuettel wrote:

> - gpg control packet
> Hi
> I've any questions. How can i generate a keypair with size more than
> 4096 bits? I've a RSA key from my friend in my keyring with 16384 bits.
> How is that possible? I've to try it with gnupg to generate a key over
> 4096 bits and thats not possible. Can you help me ?
> Sorry for my english :-)
> (german answer preferred)
> Many Thanks and
>
> --
> ________________________________________________________________________________
> With best regards,
>
> Holger Schuettel
>
> E-Mail: holger.schuettel@googlemail.com
> FAX: + 49 69 13 30 69 12 572
> Homepage Gnupg: http://www.gnupg.org/
> GnuPG-Key-ID: 0xC956679A http://tinyurl.com/9b4y8
> Fingerprint: 96A0 B66D D1B7 620D 9C3D E5F9 8EAA B85E C956 679A
>
> Encrypted e-mail preferred.
>

Hi !

Ok many thanks for so many answers but i'm using GnuPg only for
secure-mails (for my old home pc 2,4 ghz machine) and a normal (standard
generated 4096 bit ;-) :-D ) key is (so i hope) enough. Out of curiosity.
It's possible to create a key over 4096 bit? And the answer is yes (but
... using hacking Gnu-Version ...blah blah). It's too high for me ! The
standard version is ok !!

Many thanks to all !!!! :-D

I know my english is very horrible ;-)

--
________________________________________________________________________________
With best regards,

Holger Schuettel

E-Mail: holger.schuettel@googlemail.com
FAX: + 49 69 13 30 69 12 572
Homepage Gnupg: http://www.gnupg.org/
GnuPG-Key-ID: 0xC956679A http://tinyurl.com/9b4y8
Fingerprint: 96A0 B66D D1B7 620D 9C3D E5F9 8EAA B85E C956 679A

Encrypted e-mail preferred.

From johanw at vulcan.xs4all.nl Fri Dec 23 19:47:26 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Fri Dec 23 19:45:22 2005
Subject: Create key's over 4096 bit ????
In-Reply-To: <200512231807.jBNI7ArJ044995@mailserver2.hushmail.com>
Message-ID: <200512231847.jBNIlQYZ002883@vulcan.xs4all.nl>

vedaal@hush.com wrote:

>might be interesting to see the year 2020 gnupg version,
>the max keylength proposed then,
>and then link back to this thread ;-)

Considering the direction the EU is moving, it might be very well that
key lengths above 64 bits RSA or DH are outlawed then. :-(

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From widhalmt at unix.sbg.ac.at Fri Dec 23 18:47:56 2005
From: widhalmt at unix.sbg.ac.at (Thomas Widhalm)
Date: Fri Dec 23 19:46:41 2005
Subject: gnupg in large scale at University
Message-ID: <200512231847.57020.widhalmt@unix.sbg.ac.at>

Hi!

I already sent this email twice to this mailing list, but it didn't appear
at my mailserver, so I assume it didn't reach any of you.

I just got in charge of managing Linux- and Unix servers at the University
of Salzburg (Austria) and one of my first tasks is to implement a secure
way of exchanging email and storing data.

Having a big affection to Free Software, I try to implement a solution
based upon gpg.

My biggest problem is, that our users have many different mail clients,
mostly MS Outlook connected to MS exchange.

Maybe some of you could help me with some details:

I need a plugin for Outlook which supports gpg/MIME and maybe inline gpg.
(Not Gdata, this didn't work out)

I think it would be a good idea to create a CA. How to achieve that? How to
keep the key safe? Is just one person the CA, or a bunch of people? What if
someone leaves us?

What if an employee leaves, loses his email address but still has a
signature. Should we revoke it?

Is it possible/useful to create an own keyserver which synchronises with
the official ones? How to do that?

I have some ideas, but need more input. Maybe some of you could help me out.

Regards,
Thomas Widhalm

--
*****************************************************************
* Thomas Widhalm                 Unix Administrator             *
* University of Salzburg         IT- Services (ITS)             *
* Systems Management             Unix Systems                   *
* Hellbrunnerstr. 34             5020 Salzburg, Austria         *
* widhalmt@unix.sbg.ac.at        +43/662/8044-6774              *
* gpg: 6265BAE6                                                 *
* http://www.sbg.ac.at/zid/organisation/mitarbeiter/widhalm.htm *
*****************************************************************

From johnmoore3rd at joimail.com Fri Dec 23 20:04:23 2005
From: johnmoore3rd at joimail.com (John W. Moore III)
Date: Fri Dec 23 20:03:59 2005
Subject: Create key's over 4096 bit ????
In-Reply-To: <200512231847.jBNIlQYZ002883@vulcan.xs4all.nl>
References: <200512231847.jBNIlQYZ002883@vulcan.xs4all.nl>
Message-ID: <43AC4A37.40207@joimail.com>

Johan Wevers wrote:

> vedaal@hush.com wrote:
>
>>might be interesting to see the year 2020 gnupg version,
>>the max keylength proposed then,
>>and then link back to this thread ;-)
>
> Considering the direction the EU is moving, it might be very well that
> key lengths above 64 bits RSA or DH are outlawed then. :-(
>

The Bell cannot be "un-rung" so there will be large migration to Portable
Apps. NGO's throughout China/Indonesia are doing this all the time.

JOHN :)
Timestamp: Friday 23 Dec 2005, 02:03 PM --500 (Eastern Standard Time)

From zvrba at globalnet.hr Fri Dec 23 21:32:28 2005
From: zvrba at globalnet.hr (zvrba@globalnet.hr)
Date: Fri Dec 23 21:32:01 2005
Subject: gnupg in large scale at University
In-Reply-To: <200512231847.57020.widhalmt@unix.sbg.ac.at>
References: <200512231847.57020.widhalmt@unix.sbg.ac.at>
Message-ID: <20051223203228.GA5570@zax.ifi.uio.no>

On Fri, Dec 23, 2005 at 06:47:56PM +0100, Thomas Widhalm wrote:
>
> I just got in charge of managing Linux and Unix servers at the University of
> Salzburg (Austria) and one of my first tasks is to implement a secure way of
> exchanging email and storing data.
>
You will have to clarify the part about storing data. Do you need
encrypted backups (and then, with per-user keys, or some "master key"
for all backup), a way to transfer data from one facility to another,
what?

>
> My biggest problem is that our users have many different mail clients, mostly
> MS Outlook connected to MS Exchange.
>
Sorry, I can't help you with that :)

>
> I think it would be a good idea to create a CA. How to achieve that? How to
>
Very good idea. I would recommend to go with X.509 certificates which
work quite nicely with out of the box LookOut :) As a bonus, you get to
issue web SSL certificates and you can implement certificate-based
client authentication (e.g. to connect to web-mail)

Here's an open-sourced CA: http://www.openca.org/

I haven't used it, but it seems quite decent judging by the online
documentation. Depending on how large your installation is, you might
even use the CA.pl script which comes in any OpenSSL distribution (just
be sure to set the CRL distribution points correctly).

Browse the manual at http://www.openca.org/openca/docs/online/
it has a "Design Guide" which might give you some rough idea what it
means to deploy a PKI in large organization (either GPG or X.509).

If you have at least one Win2000 or Win2003 server installed, I can
heartily recommend Microsoft CA[1]. Whatever we think of Microsoft, it
is a quality product which works, and readily integrates in a Windows
domain, if such requirement should later occur. Issued certificates are
standard X.509 certificates (with some MS specific extensions, which are
non-critical and should be therefore ignored by all compliant non-MS
software that doesn't recognize them).

[1] afaik, you get it in the package, and don't need to pay any extra
licenses.

I have studied the MS CA a bit, and it has a nice, pluggable
architecture and is completely scriptable, so you can programmatically
alter certificates you are issuing. The whole thing is described on the
MSDN.

Additionally, if your users on Windows will want to use smart-cards, they
will be free to choose any smart-card which comes with MS CAPI provider.
Such cards can then be used in addition to e.g. log on to the Windows
domain.

No, this is not MS commercial, I'm just giving credit where it is due.
If you have MS CA, it'll save you a lot of work in making things work on
Win platform, and there are no ill consequences for Unix users. They
will just use file-based certificates as they would with GPG. There are
even some PKCS#11 cards for Linux, and it should be possible to make it
work with MS CA (I've never done it though).

>
> keep the key safe? Is just one person the CA, or a bunch of people? What if
> someone leaves us? What if an employee leaves, loses his email address but
> still has a signature. Should we revoke it?
>
Depending on your security needs. I have worked in a commercial CA. The
following is a combined list of my experience working there and some of
my own advice and common sense :)

- heavy physical protection (i.e. several steel doors, safes needing
  both a PIN code and key to unlock it, biometric controls, cameras,
  etc.)
- two persons needed to enter the premises
- root keys stored in a HW cryptographic module
- k of m scheme to reconstruct the root key in case of catastrophic
  failure
- BACKUPS of all critical data (most notably, the root key) in TWO
  different physical locations
- all access-controls codes (smart-card pins, passwords to all systems,
  etc.) locked in safes in sealed envelopes and strict policies when
  and in whose presence such envelopes may be opened
- people with different roles (e.g. an administrator to manage
  systems, security officers to identify and create users, etc...)
- written and approved POLICIES! situations DO happen when someone
  barges in your office and needs a new certificate immediately and
  just happens not to have any ID with him/herself but expects you to
  believe him/her that he really IS at the university and DOES have the
  right to get the certificate. Of course, you can immediately issue a
  certificate, but does that person REALLY have the legitimate right to
  receive the cert?
- if you expect to issue a large number of certificates (e.g. > 100),
  you might want to think about registration offices to identify users
  instead of you, the administrator (I presume that you don't want to
  personally create 100+ certificates for your users?). in which case,
  you'll need some SW and the OpenSSL CA.pl script is out of the
  question.
- key escrow! are you going to back up your user's private keys? if
  yes, you definitely need some policy under which you disclose the key.
  (users are hasty, often don't know exactly what they are doing and if
  they have used their key to encrypt some data and lose the key..
  they'll get angry. in that case, you could save them :))
- again, WRITE your policies and MAKE THEM PUBLIC.

Or, it can be one man band with an old desktop computer under your desk
locked in an office with you issuing certificates whenever someone
visits your office. And anything in between the two extremes.

You might even think of using a hardware cryptographic module for
maximum security. Ask yourself, what happens if your root key gets
compromised? are you willing to pay >= 3000EUR for a tamper-resistant HW
device? some of manufacturers that I can recommend, as I've worked with
their products, are Thales E-security and NCipher. Both deliver PKCS#11
drivers for Linux.

If you choose GPG, you could (should!) use the GPG smart-card for the
root key.

>
> I have some ideas, but need more input. Maybe some of you could help me out.
>
If you choose to go down the X.509 route, you have MUCH additional
reading to do!

And BTW, here's another plus for X.509 certificates: much of the
existing client software (LookOut, Mozilla, Thunderbird, etc.) can be
configured to check CRL each time it verifies a signature. I don't know
whether that is possible with GPG. Except for requesting the key from
the keyserver each time anew, although it is already in the keyring.

Personally, with my experience and in your position, my order of
preference would be:

1. X.509 with Microsoft CA
2. X.509 with OpenCA
3. X.509 with OpenSSL and CA.pl (for small number of users; not more
   than 100)
4. GnuPG

This is based on my perceived amount of management in the long run. If
most of your users are Win users, then I'd say that X.509 is definitely a
win, as it works nicely across all platforms and mail clients, with no
additional plugins needed for the most popular software (LookOut,
Mozilla, Thunderbird).

I would rank the initial setup effort as 2, 1, 3, 4.

Note that your security and operational policies are orthogonal to the
standard and technology you choose (i.e. OpenPGP vs. X.509 on any
platform).

Hope I've helped a bit :)

From zvrba at globalnet.hr Fri Dec 23 22:01:19 2005
From: zvrba at globalnet.hr (zvrba@globalnet.hr)
Date: Fri Dec 23 22:00:40 2005
Subject: gnupg in large scale at University
In-Reply-To: <20051223203228.GA5570@zax.ifi.uio.no>
References: <200512231847.57020.widhalmt@unix.sbg.ac.at> <20051223203228.GA5570@zax.ifi.uio.no>
Message-ID: <20051223210119.GB5570@zax.ifi.uio.no>

On Fri, Dec 23, 2005 at 09:32:28PM +0100, zvrba@globalnet.hr wrote:
>
> I would rank the initial setup effort as 2, 1, 3, 4.
>
To follow up on myself... All your users will have to import your root
certificate to stop SW from complaining about unknown root cert (but
they'd have to do that with your GPG root cert anyway)

AFAIR, Verisign (and possibly other CAs) offer "hosted PKI", or "managed
PKI" (these two are NOT equivalent), but I have no clue about the price.
If you really have strict security requirements, you might go down that
route. Look at e.g. http://www.wisekey.com/pages/pki_managed.htm

(the difference between hosted and managed is that in hosted you have
your own, dedicated servers..) They are charging by the number of
"seats" in use.

Final words from me: running a PKI for a large organization is a COMPLEX
business. Don't make an immediate decision but create several toy CAs in
different ways (both X.509 and OpenPGP), and try to:

- issue certificate to several users (multiple certs for the SAME user,
  on different email addresses)
- revoke one particular certificate (e.g. one tied to particular email)
- play with CRL checking
- actually USE those certs on all platforms in question to see how much
  of a hassle it will be to less technical users

And one important question: how are you going to disambiguate users
with identical names (e.g. are you going to require a unique email
address?). What about shared email addresses? etc...

and do MUCH reading while doing this. IMO, what you're trying to do
requires serious preparation.. you should play with all of the above
possibilities and READ during that time for at least a month before
making ANY kind of decision.

once you give your users PKI, they'll start coming up with the strangest
ideas.. many of them you will flat-out reject, but some of them will be
legitimate requests and can catch you unprepared..

From mlisten at hammernoch.net Wed Dec 21 12:29:48 2005
From: mlisten at hammernoch.net (Ludwig Hügelschäfer)
Date: Sat Dec 24 06:37:54 2005
Subject: Create key's over 4096 bit ????
In-Reply-To: <43A92850.9000000@googlemail.com>
References: <43A92850.9000000@googlemail.com>
Message-ID: <43A93CAC.2010302@hammernoch.net>

Hi Holger,

On 21.12.2005 12:18 Uhr, Holger Schuettel wrote:

> Hi
> I've any questions. How can I generate a keypair with size more than
> 4096 bits? I've a RSA key from my friend in my keyring with 16384 bits.
> How is that possible? I've to try it with gnupg to generate a key over
> 4096 bits and that's not possible. Can you help me ?

Well, there are different possibilities. First, there (still) are
ckt-Versions of PGP 5/6.x in use which allow creation of such big keys.
Second, everybody is free to modify the key size limits in the existing
gnupg code and compile a version for him/herself. That should not be too
difficult.

I'm quite conservative and think that 4096 bits are really really
enough for now and even a lot of years to come. There are far more
weaknesses in the communication chain than a key size below 16384.

> Sorry for my English :-)

No reason to apologize :-)

> (german answer preferred)

This is an English-speaking mailing list :-)

Ludwig

From wk at gnupg.org Sat Dec 24 13:57:06 2005
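The toy-CA exercise zvrba recommends earlier in this thread (several certificates for the same user on different addresses, revoke one, play with CRL checking) can be run with the openssl CLI as below; this is an added example, not part of any message in the archive. The names, e-mail addresses and CRL URL are constructed placeholders, and the unencrypted keys in a temporary directory are an assumption that only suits a throwaway CA.

```shell
#!/bin/sh
# Added example: throwaway X.509 CA driven with the openssl CLI.
# Names, addresses and the CRL URL are constructed placeholders.

q() { "$@" >/dev/null 2>&1; }           # run quietly, keep the exit status

write_config() {
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = root_ext
[ dn ]
[ root_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ ca ]
default_ca = toy
[ toy ]
database         = index.txt
new_certs_dir    = certs
serial           = serial
crlnumber        = crlnumber
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = toy_policy
x509_extensions  = user_ext
[ toy_policy ]
commonName   = supplied
emailAddress = supplied
[ user_ext ]
basicConstraints      = CA:FALSE
crlDistributionPoints = URI:http://ca.example.invalid/toy.crl
EOF
}

issue() {                               # issue NAME EMAIL -> NAME.key, NAME.crt
    q openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
        -subj "/CN=Alice Example/emailAddress=$2" \
        -keyout "$1.key" -out "$1.csr" &&
    q openssl ca -batch -config ca.cnf -notext -in "$1.csr" -out "$1.crt"
}

status() {                              # status NAME CRL -> good | revoked | error
    v=$(openssl verify -crl_check -CAfile ca.crt -CRLfile "$2" "$1.crt" 2>&1) || true
    case $v in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo good ;;
        *)                       echo error ;;
    esac
}

run_toy_ca() {
    mkdir certs && : > index.txt && echo 1000 > serial && echo 1000 > crlnumber &&
    write_config &&
    # Self-signed root; a real root key would not sit unencrypted on disk.
    q openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -days 30 \
        -subj "/CN=Toy Root CA" -keyout ca.key -out ca.crt &&
    # Two certificates for the same person, tied to different addresses.
    issue staff alice@staff.example &&
    issue project alice@project.example &&
    # CRL published before the revocation: clients holding it see nothing wrong.
    q openssl ca -config ca.cnf -gencrl -out old.crl &&
    # Revoke only the project certificate, then publish a fresh CRL.
    q openssl ca -config ca.cnf -revoke project.crt &&
    q openssl ca -config ca.cnf -gencrl -out new.crl &&
    echo "stale-crl:project=$(status project old.crl)" \
         "fresh-crl:staff=$(status staff new.crl)" \
         "fresh-crl:project=$(status project new.crl)"
}

toy_ca_demo() {
    work=$(mktemp -d) || return 1
    rc=0
    report=$(cd "$work" && run_toy_ca) || rc=$?
    rm -rf "$work"
    [ "$rc" -eq 0 ] && echo "$report"
    return "$rc"
}

toy_ca_demo
```

The stale-CRL result is the part worth testing against real mail clients: a revocation only takes effect for a client once it has fetched the CRL issued after the revocation.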
From: wk at gnupg.org (Werner Koch)
Date: Sat Dec 24 14:02:17 2005
Subject: gnupg in large scale at University
In-Reply-To: <200512231847.57020.widhalmt@unix.sbg.ac.at> (Thomas Widhalm's message of "Fri, 23 Dec 2005 18:47:56 +0100")
References: <200512231847.57020.widhalmt@unix.sbg.ac.at>
Message-ID: <87irte3b6l.fsf@wheatstone.g10code.de>

On Fri, 23 Dec 2005 18:47:56 +0100, Thomas Widhalm said:

> I need a plugin for Outlook which supports gpg/MIME and maybe inline gpg. (Not
> Gdata, this didn't work out)

GPGol supports reading PGP/MIME encrypted messages. The user
interface is not very nice because it is only possible to save
attachments from such mails, but well it works and you can read
PGP/MIME encrypted mails. Works only well with OL2003SP2 - older
versions may or may not work. Creating PGP/MIME messages is not
possible because there is no way to set the content-type from a
plugin. I have been thinking of a hack but that would require changes
to all other mail clients (Foo-Content-Type to override the actual
content-type).

Check out ftp://ftp.gpg4win.org/gpg4win/ for an executable version.
That installer includes a lot of other software too; I have no current
stripped down version available. GPGol itself is just one DLL.

If you have access to a current Debian system you can build GPGol from
the sources available at ftp://ftp.g10code.com/g10code/gpgol/

Setting up a PKI is a complex task for both formats X.509 and OpenPGP;
so I can't tell you how to do this in a few sentences.

Shalom-Salam,

   Werner

From wk at gnupg.org Sat Dec 24 14:07:13 2005
From: wk at gnupg.org (Werner Koch)
Date: Sat Dec 24 14:12:16 2005
Subject: using gpgsm
In-Reply-To: <20051221142326.2t6o7ivrtwkg08og@www.milivojevic.org> (Aleksandar Milivojevic's message of "Wed, 21 Dec 2005 14:23:26 -0600")
References: <20051221142326.2t6o7ivrtwkg08og@www.milivojevic.org>
Message-ID: <87ek423apq.fsf@wheatstone.g10code.de>

On Wed, 21 Dec 2005 14:23:26 -0600, Aleksandar Milivojevic said:

> gpgsm: gpgsm: GPG_TTY has not been set - using maybe bogus default
> gpgsm: gpg-protect-tool: Secure memory is not locked into core
> gpgsm: gpg-protect-tool: gpg-agent is not available in this session

You need to start gpg-agent first; importing p12 files is not possible
with an on-demand loaded gpg-agent.

  gpg-agent --daemon /bin/sh

is probably the easiest way for testing this. Within this shell run
the import again. Use exit to stop the agent then.

Hint: Running just gpg-agent will show whether an agent is available.

> gpgsm: gpg-protect-tool: error while asking for the passphrase: Invalid digest
> algorithm

Hmmm, the error message does not seem to be correct. I found the
problem and will fix for the next versions. The correct error message
is "no agent"

> Attempting to generate new private key using --gen-key hasn't worked either (this
> function is not yet available from the commandline).

Check out
http://www.fsfe.org/en/fellows/werner/weblog/creating_server_certificates_with_gnupg

Or use KMail/Kleopatra

> Another question is about support for non US-ASCII characters in certificates
> (something tells me you might be getting lot of these questions). I've
> received one certificate that has some accented letters in CN and OU. After
> importing it, and then doing "gpgsm --list-keys", the output shows the Subject
> without CN and OU (only O, L, ST and C are displayed). Is this certificate

gpgsm always displays utf-8 thus they may look weird depending on your
locale setting.

Salam-Shalom,

   Werner

From blueness at gmx.net Sat Dec 24 14:49:23 2005
From: blueness at gmx.net (Mica Mijatovic)
Date: Sat Dec 24 15:17:34 2005
Subject: failure notice
Message-ID: <1106152097.20051224144923@gmx.net>

Hello GPGUsers,

Could someone please explain to me what the term
"Administrative_prohibition" means in the context of the text quoted
here:

///
Hi. This is the qmail-send program at mail.gmx.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

:
217.69.77.222_failed_after_I_sent_the_message./Remote_host_said:_550_Administrative_prohibition/
\\\

I received it as a part of "failure notice" message from GMX when I sent
my reply on the vedaal's message "Create key's over 4096 bit ????" to
the list.

-- 
Mica
PGP keys nestled at: http://blueness.port5.com/pgpkeys/
~~~ For personal mail please use my address as it is *exactly* given
in my "From|Reply To" field(s). ~~~

From boldyrev+nospam at cgitftp.uiggm.nsc.ru Sat Dec 24 12:39:35 2005
From: boldyrev+nospam at cgitftp.uiggm.nsc.ru (Ivan Boldyrev)
Date: Sat Dec 24 22:48:56 2005
Subject: Create key's over 4096 bit ????
References: <200512220945.jBM9jJQE002312@vulcan.xs4all.nl> <43AA82CF.3050406@hammernoch.net> <20051222160021.31745.qmail@smasher.org> <43AAF443.4020304@hammernoch.net>
Message-ID:

On 9332 day of my life Ludwig Hügelschäfer wrote:
>> ??? sqrt((2^2048)/(2^1024)) ???
>
> Exactly. This gives for me 1,84467440737e+146 - please correct me when
> I'm wrong.

(2^2048)/(2^1024)=2^1024

sqrt(2^1024)=2^512
=13407807929942597099574024998205846127479365820592393377723561443721764\
030073546976801874298166903427690031858186486050853753882811946569946433\
649006084096
=1.3407807929942597e+154

-- 
Ivan Boldyrev

       |  recursion, n:
       |  See recursion

From widhalmt at unix.sbg.ac.at Wed Dec 21 11:40:22 2005
From: widhalmt at unix.sbg.ac.at (Thomas Widhalm)
Date: Sun Dec 25 02:39:25 2005
Subject: gnupg in larger scale for our OU
Message-ID: <1135161622.9968.8.camel@aphrodite>

Hi!

I just got in charge of some of the Linux and Unix servers at the
University of Salzburg. One of my tasks is to generate a possibility for
our organizational unit to communicate safely via email and store data
encrypted.

For some reasons I thought of implementing this on base of gnupg. Maybe
you can help me with some ideas. I'm searching the web and I'm writing
to others as well, but since this is a big task, I want as many opinions
as I can get:

I need plugins for many different clients. Unfortunately most of the
users have MS Outlook for their primary mail client, so I need a plugin
which does well with it and isn't too complicated to use. Although we
are the IT department, we have many administrative employees who are not
all too willing to dive into some "techie mumbo jumbo". Do you have any
suggestions?

I think it would be a good idea to create our own CA. Maybe you have
some experiences to share? How many people should have access to the
CA's passphrase and secret key, what if one of them leaves us, what if an
employee with a signed key leaves, etc.

Maybe it would even be an option to create an own keyserver. Is this
useful or would it be far too overpowered?

Thanks a lot,
Regards,
Thomas
-- 
*****************************************************************
* Thomas Widhalm                             Unix Administrator *
* University of Salzburg                      IT Services (ITS) *
* Systems Management                               Unix Systems *
* Hellbrunnerstr. 34                     5020 Salzburg, Austria *
* widhalmt@unix.sbg.ac.at                     +43/662/8044-6774 *
* gpg: 6265BAE6                                                 *
* http://www.sbg.ac.at/zid/organisation/mitarbeiter/widhalm.htm *
*****************************************************************

From widhalmt at unix.sbg.ac.at Sun Dec 25 15:11:39 2005
From: widhalmt at unix.sbg.ac.at (Thomas Widhalm)
Date: Sun Dec 25 15:11:14 2005
Subject: gnupg in large scale at University
In-Reply-To: <01C4F706.01926EAF.0307202B@netscape.net>
References: <01C4F706.01926EAF.0307202B@netscape.net>
Message-ID: <200512251511.55049.widhalmt@unix.sbg.ac.at>

On Saturday, 24 December 2005 00:50, Henry Hertz Hobbit wrote:
> Thomas Widhalm wrote:
> > I already sent this email twice to this mailing list, but it didn't
> > appear at my mailserver, so I assume it didn't reach any of you.
> >
> > I just got in charge of managing Linux and Unix servers at the
> > University of Salzburg (Austria) and one of my first tasks is
> > to implement a secure way of exchanging email and storing data.
> > Having a big affection to Free Software, I try to implement a
> > solution based upon gpg.
>
> Congratulations on getting the job.

Thanks. :-)

>
> > My biggest problem is that our users have many different
> > mail clients, mostly MS Outlook connected to MS Exchange.
> >
> > Maybe some of you could help me with some details:
> >
> > I need a plugin for Outlook which supports gpg/MIME and
> > maybe inline gpg. (Not Gdata, this didn't work out)
>
> Others will give a much better answer to this question
> than I can. However, having just said that, both Outlook
> and Outlook Express are HORRIBLE to work with (from more
> points of view than just encryption - Active-X, et al).

Yes, we think the same way... But unfortunately it's not up to me to
decide on our primary mail client. And as I remember, it was hard enough
to switch from Eudora to Outlook, so I'm not too positive on changing
again too soon.

> But if they must use Outlook, I would recommend the not
> for free PGP instead for Windows machines. However if you
> must use GPG with Outlook then be aware it will be INLINE
> (also called clearsigning by some), not OpenPGP/MIME. If
> you want to go that way, you can use either WinPT for
> Outlook Express, or g10code for Outlook. WinPT will
> auto-install the Outlook Express plugin. You can get
> WinPT at:
>
> http://www.stud.uni-hannover.de/~twoaday/winpt.html
>
> You can get g10code (sponsored by the German government) at:
>
> http://www.g10code.com/

Ah! I used both of them, but I lost the link to g10 (and the name, so I
couldn't google). Thanks a lot!

>
> My advice is that if you aren't boiler-plated, welded,
> and totally unable to use anything other than Outlook
> or Outlook Express is to go freebie whole hog and
> install Thunderbird on EVERYTHING you can. You will
> also need the Enigmail plugin (one piece of advice,
> install Enigmail in each user's account, NOT in the
> Thunderbird executable area itself on Linux). Here
> are the URLs for that approach:

I, for myself, use Thunderbird on any Windows PC I have to use. But
unfortunately many of our users are rather fixated on Outlook.

>
> http://www.mozilla.com/thunderbird/
> http://enigmail.mozdev.org/
>
> > I think it would be a good idea to create a CA. How to
> > achieve that? How to keep the key safe? Is just one person
> > the CA, or a bunch of people? What if someone leaves us?
> > What if an employee leaves, loses his email address but
> > still has a signature. Should we revoke it?
>
> I take a dim view of that. Each person should be responsible
> for his / her own keys. Putting up a web page showing them how
> to create, manage, and PROTECT their own keys is more in line.
> On that subject, every time I hear the person leaving routine
> (usually for software projects that a large group is working on),
> there is only ONE solution. YOU CREATE A FICTITIOUS PERSON! No,
> I am not a fictitious person (unless a Turing machine gets colds
> and Pneumonia which I have right now). Henry Hertz Hobbit has
> been my net name for almost ten years. For Unix perms, that person
> is the group leader for the shared files, etc. You can have a
> complete replacement of everybody working on the project, as
> long as there is some sort of continuity to passing the control
> to new people as the old ones leave. Just remember to have the
> new care taker of the fictitious person to change the
> passphrases for the fictitious user IMMEDIATELY after they assume
> guardianship for the account. Also make sure they are dependable
> and reliable. But when it comes to OpenPGP keys, exporting and
> importing the ones you need is an INDIVIDUAL proposition. Teach
> the users how to handle it themselves. They are the ONLY ones
> that know what keys they need and use. And they are the ONLY
> ones that should know their secret key's passphrase! I DO NOT
> WANT TO KNOW IT! We achieve greater security if we do NOT know
> other people's passphrases.

Ok, we think the same way for many details. I would rather cut off my
right ear than know the passphrase of one of our users. ;-) I would
create a key for our department to sign the users' keys. And this would
be available only to some special administrators, e.g. those who know
the root passwords of the domain controllers or mailservers.

>
> > Is it possible/useful to create an own keyserver which
> > synchronises with the official ones? How to do that?
>
> Sure, it is possible. Search the archives and you will find
> answers to all of your questions on this topic. The problem
> is, how much time do you have to invest on this project? It
> sounds to me like your plate is fairly full as it is.

Well it is. But creating this possibility is a mixture of low priority
task for my employer and a hobby to me. So I will take some time for
creating this. First I need a simple and easy to use solution for
encrypting and signing mails and single files. Bigger tasks like own SSL
certificates, etc. will follow but are not on my schedule for now.

>
> > I have some ideas, but need more input. Maybe some of you
> > could help me out.
>
> Well, you got it, but without knowing all the intricacies
> and the desires of the school, I don't know what to say.
> For example, there are frequently both school and government
> policies relating to the keeping of email. Most companies
> say the email belongs to them, but schools are different.
> This gets real messy since they will say the keys also
> belongs to them, but I would NEVER want somebody else having
> access to my secret keys, NOR knowing the passphrases for
> them. There are some people that don't want encryption, but do
> need to ascertain that a message REALLY came from another
> person (before replying to the interloper who is pretending
> to be them). Also, there are laws concerning the safe
> guarding of medical information in many countries. If
> that is the case, THESE ARE THE PEOPLE YOU WORK WITH FIRST
> (and refine your web instructions before deploying it more
> widely) and you will expand out from there. Spend some time
> analyzing what they need from a HUMAN standpoint, and create
> and use your own keys FIRST. I will send you more information
> privately.

I will write howtos and make tutorials and maybe even some short courses
for the users. So everyone who wants to join is able to and knows about
what he/she is doing. This includes that using these possibilities will
be a choice of them and not obligatory.

Thanks for your other mail.

>
> Henry Hertz Hobbit

Regards,
Thomas

-- 
*****************************************************************
* Thomas Widhalm                             Unix Administrator *
* University of Salzburg                     IT- Services (ITS) *
* Systems Management                               Unix Systems *
* Hellbrunnerstr. 34                     5020 Salzburg, Austria *
* widhalmt@unix.sbg.ac.at                     +43/662/8044-6774 *
* gpg: 6265BAE6                                                 *
* http://www.sbg.ac.at/zid/organisation/mitarbeiter/widhalm.htm *
*****************************************************************

From blueness at gmx.net Sun Dec 25 15:08:36 2005
From: blueness at gmx.net (Mica Mijatovic)
Date: Sun Dec 25 15:53:44 2005
Subject: Create key's over 4096 bit ????
In-Reply-To: <200512231807.jBNI7ArJ044995@mailserver2.hushmail.com>
References: <200512231807.jBNI7ArJ044995@mailserver2.hushmail.com>
Message-ID: <1802195268.20051225150836@gmx.net>

   Was Fri, 23 Dec 2005, at 10:07:07 -0800,
   when vedaal wrote:

> might be interesting to see the year 2020 gnupg version,
> the max keylength proposed then,
> and then link back to this thread ;-)

Your lines, as to the form they form, look like verses. Is that done
deliberately or your Eudora again entangles on its own?

As to the content in the form... They could equally use some other
technology, some keys of just few bits and with No Such Agency as a
"standard" any more. (-:

-- 
Mica
PGP keys nestled at: http://blueness.port5.com/pgpkeys/
~~~ For personal mail please use my address as it is *exactly* given
in my "From|Reply To" field(s). ~~~
If you don't care, don't panic.

From widhalmt at unix.sbg.ac.at Sun Dec 25 16:52:14 2005
From: widhalmt at unix.sbg.ac.at (Thomas Widhalm)
Date: Sun Dec 25 16:51:34 2005
Subject: gnupg in large scale at University
In-Reply-To: <87irte3b6l.fsf@wheatstone.g10code.de>
References: <200512231847.57020.widhalmt@unix.sbg.ac.at> <87irte3b6l.fsf@wheatstone.g10code.de>
Message-ID: <200512251652.26947.widhalmt@unix.sbg.ac.at>

> On Fri, 23 Dec 2005 18:47:56 +0100, Thomas Widhalm said:
> > I need a plugin for Outlook which supports gpg/MIME and maybe inline gpg.
> > (Not Gdata, this didn't work out)
>
> GPGol supports reading PGP/MIME encrypted messages. The user
> interface is not very nice because it is only possible to save
> attachments from such mails, but well it works and you can read
> PGP/MIME encrypted mails. Works only well with OL2003SP2 - older
> versions may or may not work. Creating PGP/MIME messages is not
> possible because there is no way to set the content-type from a
> plugin. I have been thinking of a hack but that would require changes
> to all other mail clients (Foo-Content-Type to override the actual
> content-type).

Thanks for this hint. I will tell this link to my co-workers who work
on Windows boxes so they can evaluate it. I found several plugins which
can't do what I need, but this one sounds rather nice to me.

> Shalom-Salam,
>
> Werner

Thanks a lot,
Thomas

-- 
*****************************************************************
* Thomas Widhalm                             Unix Administrator *
* University of Salzburg                     IT- Services (ITS) *
* Systems Management                               Unix Systems *
* Hellbrunnerstr. 34                     5020 Salzburg, Austria *
* widhalmt@unix.sbg.ac.at                     +43/662/8044-6774 *
* gpg: 6265BAE6                                                 *
* http://www.sbg.ac.at/zid/organisation/mitarbeiter/widhalm.htm *
*****************************************************************

From vedaal at hush.com Sun Dec 25 17:58:57 2005
From: vedaal at hush.com (vedaal@hush.com)
Date: Sun Dec 25 17:58:40 2005
Subject: line wrapping (was ' creating keys over 4096???')
Message-ID: <200512251659.jBPGx0bc085789@mailserver2.hushmail.com>

On Sun, 25 Dec 2005 06:08:36 -0800 Mica Mijatovic wrote:

> Was Fri, 23 Dec 2005, at 10:07:07 -0800,
> when vedaal wrote:
>
>> might be interesting to see the year 2020 gnupg version,
>> the max keylength proposed then,
>> and then link back to this thread ;-)
>
>Your lines, as to the form they form, look like verses. Is
>that done
>deliberately or your Eudora again entangles on its own?

done intentionally on my own,
each thought gets a line,
long thoughts get broken up at suitable spots,
related short thoughts sometimes are on the same line,

this avoids the e-mail client or pgp wrapping them in places i
don't want,
and (at least for me) is easier to read and follow

All the Best,

vedaal

From cpollock at earthlink.net Sun Dec 25 17:22:56 2005
From: cpollock at earthlink.net (Chris)
Date: Sun Dec 25 18:04:38 2005
Subject: Are gpg signatures considered attachments?
Message-ID: <200512251022.56893.cpollock@earthlink.net>

I know that is probably a lame question, however, I'm on several mailing
lists that are bouncing my messages back to me because they are signed. The
list owners are telling me this is because they don't allow attachments.

--
Chris
Registered Linux User 283774 http://counter.li.org
10:19:22 up 6 days, 12:15, 1 user, load average: 0.23, 0.29, 0.29
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk

From linux at thorstenhau.de Sun Dec 25 18:54:32 2005
From: linux at thorstenhau.de (Thorsten Haude)
Date: Sun Dec 25 20:04:17 2005
Subject: Are gpg signatures considered attachments?
In-Reply-To: <200512251022.56893.cpollock@earthlink.net>
References: <200512251022.56893.cpollock@earthlink.net>
Message-ID: <20051225175432.GF1937@eumel.yoo.local>

Hi,

* Chris wrote (2005-12-25 17:22):
>I know that is probably a lame question, however, I'm on several mailing
>lists that are bouncing my messages back to me because they are signed. The
>list owners are telling me this is because they don't allow attachments.

Mutt adds a 'Content-Disposition: inline' to the MIME part containing
the signature. This seems to work, I don't remember any bouncing
mails. (Pipermail has a problem with signed attachments though.)

Thorsten
--
I can conceive no system more fatal to the integrity and independence
of literary man than one under which they should be taught to look for
their daily bread to the favor of ministers and nobles.
    - Thomas Babington Macaulay

From cpollock at earthlink.net Sun Dec 25 20:29:13 2005
From: cpollock at earthlink.net (Chris)
Date: Sun Dec 25 20:28:53 2005
Subject: Are gpg signatures considered attachments?
In-Reply-To: <20051225175432.GF1937@eumel.yoo.local>
References: <200512251022.56893.cpollock@earthlink.net> <20051225175432.GF1937@eumel.yoo.local>
Message-ID: <200512251329.14022.cpollock@earthlink.net>

On Sunday 25 December 2005 11:54 am, Thorsten Haude wrote:
> Hi,
>
> * Chris wrote (2005-12-25 17:22):
> >I know that is probably a lame question, however, I'm on several mailing
> >lists that are bouncing my messages back to me because they are signed.
> > The list owners are telling me this is because they don't allow
> > attachments.
>
> Mutt adds a 'Content-Disposition: inline' to the MIME part containing
> the signature. This seems to work, I don't remember any bouncing
> mails. (Pipermail has a problem with signed attachments though.)
>
>
> Thorsten

Thanks Thorsten. It was pointed out to me that my signatures had been added
as attachments which was causing the bounces. When I changed to 'inline'
the problem went away. Kmail however shows 'Inline OpenPGP (deprecated)'
not exactly why it shows that, but it's the option I'm now using.

Thanks

--
Chris
Registered Linux User 283774 http://counter.li.org
13:20:00 up 6 days, 15:15, 1 user, load average: 0.65, 0.41, 0.37
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk

From linux at thorstenhau.de Sun Dec 25 21:40:57 2005
From: linux at thorstenhau.de (Thorsten Haude)
Date: Sun Dec 25 21:40:31 2005
Subject: Are gpg signatures considered attachments?
In-Reply-To: <200512251329.14022.cpollock@earthlink.net>
References: <200512251022.56893.cpollock@earthlink.net> <20051225175432.GF1937@eumel.yoo.local> <200512251329.14022.cpollock@earthlink.net>
Message-ID: <20051225204057.GH1937@eumel.yoo.local>

Hi,

* Chris wrote (2005-12-25 20:29):
>On Sunday 25 December 2005 11:54 am, Thorsten Haude wrote:
>> * Chris wrote (2005-12-25 17:22):
>> >I know that is probably a lame question, however, I'm on several mailing
>> >lists that are bouncing my messages back to me because they are signed.
>> > The list owners are telling me this is because they don't allow
>> > attachments.
>>
>> Mutt adds a 'Content-Disposition: inline' to the MIME part containing
>> the signature. This seems to work, I don't remember any bouncing
>> mails. (Pipermail has a problem with signed attachments though.)
>
>Thanks Thorsten. It was pointed out to me that my signatures had been added
>as attachments which was causing the bounces. When I changed to 'inline'
>the problem went away. Kmail however shows 'Inline OpenPGP (deprecated)'
>not exactly why it shows that, but its the option I'm now using.

No, you misunderstood me. The way you sign your mails now is indeed
deprecated, I don't use it and I don't recommend it.

I use PGP/MIME signatures, which Mutt tags as inline MIME elements
following RFC 2183:

- - - Schnipp - - -
2.1 The Inline Disposition Type

A bodypart should be marked `inline' if it is intended to be
displayed automatically upon display of the message. Inline
bodyparts should be presented in the order in which they occur,
subject to the normal semantics of multipart messages.
- - - Schnapp - - -

So a smart mail handler (eg. a mailing list software) that does not
know about PGP/MIME can at least gracefully fall back.

KMail does not set this field for the signature (it does for the mail
text), so this is a KMail bug. I'm not sure how receiving MUAs are
expected to cope with a non-existing Content-Disposition field, but
there is a hint in the RFC: "Unrecognized disposition types should be
treated as `attachment'."

Here is a rough outline of the MIME headers of our mails:

- - - Schnipp - - -
KMail, signed mail (ie. wrapper around mail text + signature):
    Content-Type: multipart/signed;
      boundary="nextPart2829039.id6uN21AOM";
      protocol="application/pgp-signature";
      micalg=pgp-sha1
    Content-Transfer-Encoding: 7bit

KMail, mail text:
    Content-Type: text/plain;
      charset="us-ascii"
    Content-Transfer-Encoding: quoted-printable
    Content-Disposition: inline

KMail, signature:
    Content-Type: application/pgp-signature
- - - Schnapp - - -

- - - Schnipp - - -
Mutt, signed mail:
    Content-Type: multipart/signed; boundary="CXFpZVxO6m2Ol4tQ"
      protocol="application/pgp-signature"; micalg=pgp-sha1;
    Content-Disposition: inline

Mutt, mail text:
    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: quoted-printable
    Content-Disposition: inline

Mutt, signature:
    Content-Type: application/pgp-signature
    Content-Disposition: inline
- - - Schnapp - - -

So the only difference is KMail's redundant Content-Transfer-Encoding
(which is 7bit by default anyway) and Mutt's Content-Disposition.

In conclusion, use whatever works for you, but please try to get the
KMail guys to add the Content-Disposition field by filing a bug with
them (they may regard it as a feature request).

Thorsten
--
Unix is not an 'A-ha!' experience, it is more of a 'Holy shit!' experience.
    - Colin McFadyen

From linux at thorstenhau.de Sun Dec 25 18:56:36 2005
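[Added example, not part of any list message: the Content-Disposition difference described above, run through a hypothetical "no attachments" list filter. The filter policy, the function names and the sample messages are assumptions constructed for illustration; only the header layouts and the RFC 2183 rule for unrecognized disposition types come from the thread.]

```python
from email import message_from_string


def build_signed(sig_disposition):
    """Return a constructed PGP/MIME message.

    sig_disposition is the Content-Disposition value for the signature
    part, or None to leave the field out (the KMail layout in the thread).
    """
    sig_headers = "Content-Type: application/pgp-signature\n"
    if sig_disposition:
        sig_headers += f"Content-Disposition: {sig_disposition}\n"
    return (
        "From: sender@example.org\n"
        "Subject: constructed sample\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/signed; boundary="b0"; '
        'protocol="application/pgp-signature"; micalg=pgp-sha1\n'
        "\n"
        "--b0\n"
        "Content-Type: text/plain; charset=us-ascii\n"
        "Content-Disposition: inline\n"
        "\n"
        "Hello list.\n"
        "--b0\n"
        + sig_headers +
        "\n"
        "-----BEGIN PGP SIGNATURE-----\n"
        "(constructed placeholder, not a real signature)\n"
        "-----END PGP SIGNATURE-----\n"
        "--b0--\n"
    )


def classify(part):
    """Classify one leaf MIME part as 'inline' or 'attachment'.

    Assumed filter policy:
      - an explicit 'inline' disposition is accepted as inline;
      - a missing disposition is inline only for text/* parts;
      - 'attachment' and any unrecognized disposition type count as an
        attachment (the RFC 2183 rule quoted in the thread).
    """
    disposition = part.get_content_disposition()  # lower-cased value or None
    if disposition == "inline":
        return "inline"
    if disposition is None:
        return "inline" if part.get_content_maintype() == "text" else "attachment"
    return "attachment"


def flagged_parts(raw_message):
    """Content types of the leaf parts the filter would treat as attachments."""
    message = message_from_string(raw_message)
    return [
        part.get_content_type()
        for part in message.walk()
        if not part.is_multipart() and classify(part) == "attachment"
    ]


if __name__ == "__main__":
    samples = {
        "no disposition on signature (KMail layout)": build_signed(None),
        "inline signature (Mutt layout)": build_signed("inline"),
        "unrecognized disposition type": build_signed("x-unknown"),
    }
    for label, raw in samples.items():
        flagged = flagged_parts(raw)
        verdict = "bounce" if flagged else "accept"
        print(f"{label}: {verdict} {flagged}")
```

A list that rejects on any flagged part would bounce the first and third samples and accept the second, which matches the behaviour reported in the thread.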
From: linux at thorstenhau.de (Thorsten Haude)
Date: Mon Dec 26 00:04:20 2005
Subject: line wrapping (was ' creating keys over 4096???')
In-Reply-To: <200512251659.jBPGx0bc085789@mailserver2.hushmail.com>
References: <200512251659.jBPGx0bc085789@mailserver2.hushmail.com>
Message-ID: <20051225175636.GG1937@eumel.yoo.local>

Hi,

* vedaal@hush.com wrote (2005-12-25 17:58):
>this avoids
>the e-mail client or pgp wrapping them
>in places i don't want,
>
>and (at least for me)
>is easier to read and follow

So you read your own mails a lot? I think your text is harder to read
by fragmenting it the way you do.

Thorsten
--
Incidentally, here the one who points out the dirt is considered much
more dangerous than the one who makes the dirt.
    - Kurt Tucholsky

From ryan at malayter.com Mon Dec 26 19:57:04 2005
From: ryan at malayter.com (Ryan Malayter)
Date: Mon Dec 26 19:56:37 2005
Subject: Create key's over 4096 bit ????
In-Reply-To:
References: <200512220945.jBM9jJQE002312@vulcan.xs4all.nl> <43AA82CF.3050406@hammernoch.net> <20051222160021.31745.qmail@smasher.org> <43AAF443.4020304@hammernoch.net>
Message-ID: <5d7f07420512261057o622514aai573ee0c48cf4f8c5@mail.gmail.com>

On 12/24/05, Ivan Boldyrev wrote:
> sqrt(2^1024)=2^512

The factoring algorithm with the best running time is still the GNFS.
See http://tinyurl.com/dlyl5

GNFS has a running time of:

    O(e^((64/9*log(n))^(1/3) * (log(log(n)))^(2/3)))

When you substitute 2^(keylength) for n in that equation, I get the
following table for RSA key strengths and the comparable symmetric key
length:

RSA Key Bits    Operations     Symmetric equivalent
     192        1.92821E+12     40
     256        1.11356E+14     46
     384        8.09434E+16     56
     512        1.75249E+19     63
     640        1.78448E+21     70
     768        1.0746E+23      76
    1024        1.31176E+26     86
    1536        1.30666E+31    103
    2048        1.52656E+35    116
    2560        4.71401E+38    128
    3072        5.77594E+41    138
    4096        1.28186E+47    156
   13568        1.28393E+77    256

--
RPM
=========================
All problems can be solved by diplomacy, but violence and treachery
are equally effective, and more fun.
-Anonymous

From johanw at vulcan.xs4all.nl Mon Dec 26 18:43:33 2005
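[Added example, not part of any list message: the GNFS estimate from the post above evaluated in code, plus the inverse lookup (smallest modulus size reaching a target symmetric strength), which goes one step beyond the posted table. Function names and the 256-bit step are assumptions; the formula is used exactly as posted, with the O() constant and lower-order term dropped, so the figures are rough comparisons rather than attack costs.]

```python
import math

LN2 = math.log(2.0)
GNFS_C = (64.0 / 9.0) ** (1.0 / 3.0)  # about 1.923


def gnfs_exponent(key_bits):
    """Natural-log exponent of the GNFS estimate for n = 2^key_bits.

    exponent = (64/9 * ln n)^(1/3) * (ln ln n)^(2/3)
    """
    if key_bits < 16:
        raise ValueError("estimate is meaningless for tiny moduli")
    ln_n = key_bits * LN2
    return GNFS_C * ln_n ** (1.0 / 3.0) * math.log(ln_n) ** (2.0 / 3.0)


def gnfs_operations(key_bits):
    """Estimated operation count, the 'Operations' column of the table."""
    return math.exp(gnfs_exponent(key_bits))


def symmetric_equivalent(key_bits):
    """Largest whole b with 2^b <= estimated operations (rounded down)."""
    return math.floor(gnfs_exponent(key_bits) / LN2)


def min_rsa_bits(target_bits, step=256):
    """Smallest modulus size, in multiples of step, whose estimate
    reaches at least 2^target_bits operations."""
    if target_bits <= 0 or step < 16:
        raise ValueError("target_bits must be positive and step >= 16")
    bits = step
    while gnfs_exponent(bits) / LN2 < target_bits:
        bits += step
    return bits


def strength_table(sizes):
    """Rows of (key_bits, operations, symmetric_equivalent)."""
    return [(k, gnfs_operations(k), symmetric_equivalent(k)) for k in sizes]


if __name__ == "__main__":
    print(f"{'RSA bits':>8}  {'operations':>12}  {'sym. bits':>9}")
    for bits, ops, sym in strength_table([512, 1024, 2048, 3072, 4096, 13568]):
        print(f"{bits:>8}  {ops:>12.5E}  {sym:>9}")
    for target in (128, 256):
        print(f"{target}-bit work factor first reached at "
              f"{min_rsa_bits(target)}-bit RSA (256-bit steps)")
```

The operation counts differ from the posted table by well under one percent, which is consistent with the table having been computed with a rounded constant.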
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Mon Dec 26 20:03:24 2005
Subject: Are gpg signatures considered attachments?
In-Reply-To: <200512251022.56893.cpollock@earthlink.net>
Message-ID: <200512261743.jBQHhXT2001583@vulcan.xs4all.nl>

Chris wrote:

>I know that is probably a lame question, however, I'm on several mailing
>lists that are bouncing my messages back to me because they are signed. The
>list owners are telling me this is because they don't allow attachments.

You could switch to inline signatures instead of attached signatures.

--
ir. J.C.A. Wevers         //  Physics and science fiction site:
johanw@vulcan.xs4all.nl   //  http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From jharris at widomaker.com Mon Dec 26 20:03:16 2005
From: jharris at widomaker.com (Jason Harris)
Date: Mon Dec 26 20:03:51 2005
Subject: new (2005-12-25) keyanalyze results (+sigcheck)
Message-ID: <20051226190316.GA388@wilma.widomaker.com>

New keyanalyze results are available at:
  http://keyserver.kjsl.com/~jharris/ka/2005-12-25/

Signatures are now being checked using keyanalyze+sigcheck:
  http://dtype.org/~aaronl/

Earlier reports are also available, for comparison:
  http://keyserver.kjsl.com/~jharris/ka/

Even earlier monthly reports are at:
  http://dtype.org/keyanalyze/

SHA-1 hashes and sizes for all the "permanent" files:

--
Jason Harris           |  NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web:  http://keyserver.kjsl.com/~jharris/
          Got photons?   (TM), (C) 2004

From ndof at gmx.li Sat Dec 24 10:45:13 2005
From: ndof at gmx.li (Hans Müller)
Date: Tue Dec 27 01:34:51 2005
Subject: using passphrase with special chars on Windows
Message-ID: <43AD18A9.60806@gmx.li>

Hello, I have a key with a passphrase that contains special char's (german extra chars).
On Linux all is ok. On Windows PGP can use the key. But gpg on Windows say every time, that the
passphrase are wrong. But the passphrase is ok. Have someone an idea???

From zwon at severodvinsk.ru Tue Dec 27 01:44:29 2005
From: zwon at severodvinsk.ru (Pawel Shajdo)
Date: Tue Dec 27 02:13:27 2005
Subject: PKA
Message-ID: <20051227004429.GA1388@sky.schizandra.ru>

Salve!
What is PKA? Just have found in manual unknown words...

Vale!
--
Pawel I. Shajdo

From sk at intertivity.com Tue Dec 27 03:17:28 2005
From: sk at intertivity.com (Kiefer, Sascha)
Date: Tue Dec 27 03:15:10 2005
Subject: PKA
In-Reply-To: <20051227004429.GA1388@sky.schizandra.ru>
Message-ID: <005201c60a8b$b0aa98e0$f500a8c0@HOME>

Not sure:

PKI - Public Key Infrastructure
PKA - Public Key Application ?

HTH
--esskar

> -----Original Message-----
> From: gnupg-users-bounces@gnupg.org
> [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of Pawel Shajdo
> Sent: Tuesday, 27 December 2005 01:44
> To: gnupg-users@gnupg.org
> Subject: PKA
>
>
> Salve!
> What is PKA? Just have found in manual unknown words...
>
> Vale!
> --
> Pawel I. Shajdo

From pkern at debian.org Tue Dec 27 03:21:39 2005
From: pkern at debian.org (Philipp Kern)
Date: Tue Dec 27 03:21:48 2005
Subject: using passphrase with special chars on Windows
In-Reply-To: <43AD18A9.60806@gmx.li>
References: <43AD18A9.60806@gmx.li>
Message-ID: <43B0A533.4080309@debian.org>

Hans Müller wrote:
> Hello, I have a key with a passphrase that contains special char's(german extra chars).
> On Linux all is ok. On Windows PGP can use the key. But gpg on Windows say every time, that the
> passphrase are wrong. But the passphrase is ok. Have someone an idea???

You certainly encounter charset problems. On Linux you use either
ISO-8859-1 or UTF-8 on your terminal. On Windows... Well I don't know
but I recall something Windows specific.

You should change the passphrase on Linux to remove the umlauts, because
they *will* cause problems. If you somehow manage to get an UTF-8
environment on both Linux and Windows you're fine. But as I dropped
Windows some time ago, I can't help on this one, I don't even know if
it's possible.

Kind regards,
Philipp Kern

From cpollock at earthlink.net Tue Dec 27 03:30:36 2005
From: cpollock at earthlink.net (Chris)
Date: Tue Dec 27 03:30:50 2005
Subject: Are gpg signatures considered attachments?
In-Reply-To: <200512261743.jBQHhXT2001583@vulcan.xs4all.nl>
References: <200512261743.jBQHhXT2001583@vulcan.xs4all.nl>
Message-ID: <200512262030.36875.cpollock@earthlink.net>

On Monday 26 December 2005 11:43 am, Johan Wevers wrote:
> Chris wrote:
> >I know that is probably a lame question, however, I'm on several mailing
> >lists that are bouncing my messages back to me because they are signed.
> > The list owners are telling me this is because they don't allow
> > attachments.
>
> You could switch to inline signatures instead of attached signatures.

I've switched to that method, however, Kmail shows Inline OpenPGP as
deprecated. On the Mandriva Newbie list signatures using OpenPGP/MIME show
up as bad while those using Inline OpenPGP show up as good. Not sure if the
fault lies in Kmail and/or the ML software configuration. I've already
received quite a few off-list replies explaining the pros and cons of
inline signatures.

Thanks

--
Chris
Registered Linux User 283774 http://counter.li.org
20:22:45 up 7 days, 22:18, 4 users, load average: 0.36, 1.11, 1.62
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk

From JPClizbe at comcast.net Tue Dec 27 03:42:12 2005
From: JPClizbe at comcast.net (John Clizbe)
Date: Tue Dec 27 03:42:38 2005
Subject: PKA
In-Reply-To: <20051227004429.GA1388@sky.schizandra.ru>
References: <20051227004429.GA1388@sky.schizandra.ru>
Message-ID: <43B0AA04.30805@comcast.net>

Pawel Shajdo wrote:
> Salve!
> What is PKA? Just have found in manual unknown words...
>
> Vale!

Without context it is difficult to tell.

My guess would be Public Key Authentication; e.g. OpenSSH.

Google also turned up "Private Key Access" and "Public Key Algorithm" and
"Public-Key Accelerators" as possibilities.

--
John P. Clizbe                      Inet:   John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A
  "what's the key to success?"        / "two words: good decisions."
  "what's the key to good decisions?" / "one word: experience."
  "how do i get experience?"          / "two words: bad decisions."

"Just how do the residents of Haiku, Hawai'i hold conversations?"

From JPClizbe at comcast.net Tue Dec 27 04:08:34 2005
From: JPClizbe at comcast.net (John Clizbe)
Date: Tue Dec 27 04:09:00 2005
Subject: Are gpg signatures considered attachments?
In-Reply-To: <200512262030.36875.cpollock@earthlink.net>
References: <200512261743.jBQHhXT2001583@vulcan.xs4all.nl> <200512262030.36875.cpollock@earthlink.net>
Message-ID: <43B0B032.8010209@comcast.net>

Chris wrote:

> I've switched to that method, however, Kmail shows Inline OpenPGP as
> deprecated. On the Mandriva Newbie list signatures using OpenPGP/MIME show
> up as bad while those using Inline OpenPGP show up as good. Not sure if the
> fault lies in Kmail and/or the ML software configuration. I've already
> received quite a few off-list replies explaining the pros and cons of
> inline signatures.

You could try Thunderbird + Enigmail. Enigmail will allow you to create
per-recipient rules, so that you may send either inline-signed or
PGP/MIME-signed messages depending on which list you're posting.

The Mandriva list must be mangling the PGP/MIME signature portion of the
message.

--
John P. Clizbe                      Inet:   John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A
  "what's the key to success?"        / "two words: good decisions."
  "what's the key to good decisions?" / "one word: experience."
  "how do i get experience?"          / "two words: bad decisions."

"Just how do the residents of Haiku, Hawai'i hold conversations?"

From johnmoore3rd at joimail.com Tue Dec 27 05:21:13 2005
From: johnmoore3rd at joimail.com (John W. Moore III)
Date: Tue Dec 27 05:20:54 2005
Subject: PKA
In-Reply-To: <43B0AA04.30805@comcast.net>
References: <20051227004429.GA1388@sky.schizandra.ru> <43B0AA04.30805@comcast.net>
Message-ID: <43B0C139.6040706@joimail.com>

John Clizbe wrote:

> Without context it is difficult to tell.
>
> My guess would be Public Key Authentication; e.g. OpenSSH.

I believe your "Guess" to be correct. Since the Release of GnuPG 1.4.3
*will* contain support for PKA Key retrieval (among other goodies) this
may indeed be "the context."

JOHN :)
Timestamp: Monday 26 Dec 2005, 11:20 PM --500 (Eastern Standard Time)

From linux at thorstenhau.de Tue Dec 27 11:51:00 2005
From: linux at thorstenhau.de (Thorsten Haude)
Date: Tue Dec 27 11:51:20 2005
Subject: Are gpg signatures considered attachments?
In-Reply-To: <200512262030.36875.cpollock@earthlink.net>
References: <200512261743.jBQHhXT2001583@vulcan.xs4all.nl> <200512262030.36875.cpollock@earthlink.net>
Message-ID: <20051227105100.GA1928@eumel.yoo.local>

Hi,

* Chris wrote (2005-12-27 03:30):
>On the Mandriva Newbie list signatures using OpenPGP/MIME show up as
>bad while those using Inline OpenPGP show up as good.

They show up as good where? Are the Mails coming back from the list
not verifiable? Is there some kind of status attached?

Thorsten
--
I've been accused of vulgarity. I say that's bullshit.
    - Mel Brooks

From linux at thorstenhau.de Tue Dec 27 11:52:15 2005
From: linux at thorstenhau.de (Thorsten Haude)
Date: Tue Dec 27 11:56:54 2005
Subject: Are gpg signatures considered attachments?
In-Reply-To: <43B0B032.8010209@comcast.net>
References: <200512261743.jBQHhXT2001583@vulcan.xs4all.nl> <200512262030.36875.cpollock@earthlink.net> <43B0B032.8010209@comcast.net>
Message-ID: <20051227105215.GB1928@eumel.yoo.local>

Hi,

* John Clizbe wrote (2005-12-27 04:08):
>You could try Thunderbird + Enigmail. Enigmail will allow you to create
>per-recipient rules, so that you may send either inline-signed or
>PGP/MIME-signed messages depending on which list you're posting.

Mutt can do that, too.

>You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A
>"what's the key to success?" / "two words: good decisions."
>"what's the key to good decisions?" / "one word: experience."
>"how do i get experience?" / "two words: bad decisions."
>"Just how do the residents of Haiku, Hawai'i hold conversations?"
>Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG
>Comment: Be part of the ?33t ECHELON -- Use Strong Encryption.
>Comment: It's YOUR right - for the time being.
>Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

Quite an excessive sig, I must say.

Thorsten
--
As we enjoy great advantages from the inventions of others we should
be glad of an opportunity to serve others by any invention of ours,
and this we should do freely and generously.
    - Benjamin Franklin

From mlisten at hammernoch.net Thu Dec 22 10:47:24 2005
From: mlisten at hammernoch.net (Ludwig Hügelschäfer)
Date: Tue Dec 27 14:04:35 2005
Subject: Create key's over 4096 bit ????
Message-ID: <43AA762C.1040203@hammernoch.net>

On 22.12.2005 10:35, Johan Wevers wrote:
> Christoph Anton Mitterer wrote:
>
>> - And even from a cryptographic point of view this wouldn't make sense
>> (as far as I know), as currently hashfunctions are the weak point of the
>> whole system.
>
> That depends on what you consider important. Hash functions are only used
> for signing;

Ack. And for protection of the private key.

> for encryption, currently the 256 bit algo's are the strongest.

Please don't mix symmetrical encryption strength (I suppose you are
referring to the session key length/encryption algo) with asymmetrical
encryption strength. A chain is only as strong as its weakest element.

Ludwig

BTW: Sorry for first replying via PM

From abhalerao at apple.com Fri Dec 23 01:22:51 2005
From: abhalerao at apple.com (amit bhalerao)
Date: Tue Dec 27 16:45:46 2005
Subject: Issue in decrypting file
In-Reply-To:
References:
Message-ID: <98DAC564-CC3C-418E-9231-2BA5E097E579@apple.com>

Hi ,

We are decrypting a file using GPG mechanism. We have send the
GPG keys to vendor . However when i decrypt the file i get the
following Log message :-

COMMAND:-
---------------
echo AAAAAA | /ngs/lpp/gpg/bin/gpg --no-tty --passphrase-fd 0 --output decyryted_file.TXT --decrypt encrypted_file.TXT.pgp
????????????
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: encrypted with 1024-bit ELG-E key, ID XXXXXXX, created 2005-12-05
"XXXXXXXXXX"
gpg: Signature made Thu Dec 22 21:06:26 2005 GMT using DSA key ID XXXXX
gpg: Can't check signature: public key not found
??????????
The error status of the command is 2 .

If anyone has face this issue before please let me know.

Thanks,
Amit

From dshaw at jabberwocky.com Tue Dec 27 17:08:06 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue Dec 27 17:07:47 2005
Subject: Issue in decrypting file
In-Reply-To: <98DAC564-CC3C-418E-9231-2BA5E097E579@apple.com>
References: <98DAC564-CC3C-418E-9231-2BA5E097E579@apple.com>
Message-ID: <20051227160806.GE31051@jabberwocky.com>

On Thu, Dec 22, 2005 at 04:22:51PM -0800, amit bhalerao wrote:
> Hi ,
>
> We are decrypting a file using GPG mechanism. We have send the
> GPG keys to vendor . However when i decrypt the file i get the
> following Log message :-
>
> COMMAND:-
> ---------------
> echo AAAAAA | /ngs/lpp/gpg/bin/gpg --no-tty --passphrase-fd 0 --
> output decyryted_file.TXT --decrypt encrypted_file.TXT.pgp
> ????????????
> gpg: WARNING: using insecure memory!
> gpg: please see http://www.gnupg.org/faq.html for more information
> gpg: encrypted with 1024-bit ELG-E key, ID XXXXXXX, created 2005-12-05
> "XXXXXXXXXX"
> gpg: Signature made Thu Dec 22 21:06:26 2005 GMT using DSA key ID XXXXX
> gpg: Can't check signature: public key not found
> ??????????
> The error status of the command is 2 .
>
> If anyone has face this issue before please let me know.

This isn't an error. It just means that the person who sent the file
signed it and GPG is warning you that you don't have that person's key
so you can verify the signature. GPG will decrypt the file anyway,
but you might want to get a copy of the vendor's key so you can verify
the signature.

David

From widhalmt at unix.sbg.ac.at Tue Dec 27 17:16:07 2005
From: widhalmt at unix.sbg.ac.at (Thomas Widhalm)
Date: Tue Dec 27 17:15:26 2005
Subject: Reimporting key into gpgsm
Message-ID: <200512271716.08017.widhalmt@unix.sbg.ac.at>

Hi!

I managed to get my keys from CaCert.org into gpgsm via the openssl tools
exporting them from Firefox. Considering it just for transport I used a far
too simple passphrase while exporting and importing as I thought the
passphrase of CaCert.org was written into the key itself. I tried to delete
my key and do same procedure with a more complex key but it still uses the
simple one. I deleted my whole keyring.kbx file and imported all anew but
the issue stays the same. Could anyone help me changing my passphrase
within gpgsm?

Regards,
Thomas
--
*****************************************************************
* Thomas Widhalm                        Unix Administrator      *
* University of Salzburg                IT- Services (ITS)      *
* Systems Management                    Unix Systems            *
* Hellbrunnerstr. 34                    5020 Salzburg, Austria  *
* widhalmt@unix.sbg.ac.at               +43/662/8044-6774       *
* gpg: 6265BAE6                                                 *
* http://www.sbg.ac.at/zid/organisation/mitarbeiter/widhalm.htm *
*****************************************************************

From widhalmt at unix.sbg.ac.at Tue Dec 27 17:20:38 2005
From: widhalmt at unix.sbg.ac.at (Thomas Widhalm)
Date: Tue Dec 27 17:19:51 2005
Subject: Reimporting key into gpgsm
In-Reply-To: <200512271716.08017.widhalmt@unix.sbg.ac.at>
References: <200512271716.08017.widhalmt@unix.sbg.ac.at>
Message-ID: <200512271720.39040.widhalmt@unix.sbg.ac.at>

On Tuesday, 27 December 2005 17:16, Thomas Widhalm wrote:

I must have been blind: It's "gpgsm --passwd [keyid]"

Sorry.

Thomas

> Hi!
>
> I managed to get my keys from CaCert.org into gpgsm via the openssl tools
> exporting them from Firefox. Considering it just for transport I used a far
> too simple passphrase while exporting and importing as I thought the
> passphrase of CaCert.org was written into the key itself. I tried to delete
> my key and do same procedure with a more complex key but it still uses the
> simple one. I deleted my whole keyring.kbx file and imported all anew but
> the issue stays the same. Could anyone help me changing my passphrase
> within gpgsm?
>
> Regards,
> Thomas

--
*****************************************************************
* Thomas Widhalm                        Unix Administrator      *
* University of Salzburg                IT- Services (ITS)      *
* Systems Management                    Unix Systems            *
* Hellbrunnerstr. 34                    5020 Salzburg, Austria  *
* widhalmt@unix.sbg.ac.at               +43/662/8044-6774       *
* gpg: 6265BAE6                                                 *
* http://www.sbg.ac.at/zid/organisation/mitarbeiter/widhalm.htm *
*****************************************************************

From zwon at severodvinsk.ru Tue Dec 27 21:58:49 2005
From: zwon at severodvinsk.ru (Pawel Shajdo) Date: Tue Dec 27 22:04:26 2005 Subject: PKA In-Reply-To: <43B0C139.6040706@joimail.com> References: <20051227004429.GA1388@sky.schizandra.ru> <43B0AA04.30805@comcast.net> <43B0C139.6040706@joimail.com> Message-ID: <20051227205849.GA992@sky.schizandra.ru> On Dec 26, 2005 at 23:21 -0500, John W. Moore III wrote: > > Without context it is difficult to tell. > > My guess would be Public Key Authentication; e.g. OpenSSH. > > I believe your "Guess" to be correct. Since the Release of GnuPG 1.4.3 > *will* contain support for PKA Key retrieval (among other goodies) this > may indeed be "the context." Yes, I mean new GnuPG PKA feature. I'm translate manual to russian and have found this term in cvs version. What is this? I don't see relation between authentication and trust model, while. Maybe Werner or David explain this new feature? Vale! -- Pawel I. Shajdo From johnmoore3rd at joimail.com Tue Dec 27 22:30:49 2005 
From: johnmoore3rd at joimail.com (John W. Moore III) Date: Tue Dec 27 22:30:31 2005 Subject: PKA In-Reply-To: <20051227205849.GA992@sky.schizandra.ru> References: <20051227004429.GA1388@sky.schizandra.ru> <43B0AA04.30805@comcast.net> <43B0C139.6040706@joimail.com> <20051227205849.GA992@sky.schizandra.ru> Message-ID: <43B1B289.7000001@joimail.com>

Pawel Shajdo wrote:
> On Dec 26, 2005 at 23:21 -0500, John W. Moore III wrote:
>
>>>Without context it is difficult to tell.
>>>My guess would be Public Key Authentication; e.g. OpenSSH.
>>
>>I believe your "Guess" to be correct. Since the Release of GnuPG 1.4.3
>>*will* contain support for PKA Key retrieval (among other goodies) this
>>may indeed be "the context."
>
> Yes, I mean new GnuPG PKA feature. I'm translate manual to russian and
> have found this term in cvs version. What is this? I don't see relation
> between authentication and trust model, while. Maybe Werner or David
> explain this new feature?

While waiting for Werner or David; I'll share what I "know" about PKA in 1.4.3cvs:

* Implemented Public Key Association (PKA) trust sub model. This is an optional trust model on top of the standard ones. It makes use of special DNS records and notation data to associate a mail address with an OpenPGP key. It is by default not used. To use it you need to set the new option --allow-pka-lookup and an appropriate trust-model. Also added new keyserver option auto-pka-retrieve which is enabled by default but only working if --allow-pka-lookup is also used.

JOHN :)
Timestamp: Tuesday 27 Dec 2005, 04:29 PM --500 (Eastern Standard Time)

From zwon at severodvinsk.ru Tue Dec 27 23:44:47 2005
From: zwon at severodvinsk.ru (Pawel Shajdo) Date: Tue Dec 27 23:44:36 2005 Subject: PKA In-Reply-To: <43B1B289.7000001@joimail.com> References: <20051227004429.GA1388@sky.schizandra.ru> <43B0AA04.30805@comcast.net> <43B0C139.6040706@joimail.com> <20051227205849.GA992@sky.schizandra.ru> <43B1B289.7000001@joimail.com> Message-ID: <20051227224447.GH1893@sky.schizandra.ru>

On Dec 27, 2005 at 16:30 -0500, John W. Moore III wrote:
> While waiting for Werner or David; I'll share what I "know" about PKA in
> 1.4.3cvs:
>
> * Implemented Public Key Association (PKA) trust sub model. This
> is an optional trust model on top of the standard ones. It makes
> use of special DNS records and notation data to associate a mail
> address with an OpenPGP key. It is by default not used. To use
> it you need to set the new option --allow-pka-lookup and an
> appropriate trust-model. Also added new keyserver option
> auto-pka-retrieve which is enabled by default but only working
> if --allow-pka-lookup is also used.

Thanks! Now things are much clearer.
Can somebody point me to an RFC or IETF draft (or other info) about these special DNS records?

Vale!
--
Pawel I. Shajdo

From cam at mathematica.scientia.net Wed Dec 28 00:25:34 2005
From: cam at mathematica.scientia.net (Christoph Anton Mitterer) Date: Wed Dec 28 00:25:21 2005 Subject: PKA In-Reply-To: <20051227224447.GH1893@sky.schizandra.ru> References: <20051227004429.GA1388@sky.schizandra.ru> <43B0AA04.30805@comcast.net> <43B0C139.6040706@joimail.com> <20051227205849.GA992@sky.schizandra.ru> <43B1B289.7000001@joimail.com> <20051227224447.GH1893@sky.schizandra.ru> Message-ID: <43B1CD6E.4060506@mathematica.scientia.net>

Pawel Shajdo wrote:

>Can somebody point me to RFC or IETF draft (or other info) about this special DNS records?
>

I'm not sure, but perhaps this utilizes the SIG resource record,... have a look at RFC 2535 about DNSSEC (http://www.ietf.org/rfc/rfc2535.txt).
Perhaps David or Werner could confirm this.

Chris.

From cam at mathematica.scientia.net Wed Dec 28 00:30:33 2005
From: cam at mathematica.scientia.net (Christoph Anton Mitterer) Date: Wed Dec 28 00:30:07 2005 Subject: Create key's over 4096 bit ???? In-Reply-To: <200512231807.jBNI7ArJ044995@mailserver2.hushmail.com> References: <200512231807.jBNI7ArJ044995@mailserver2.hushmail.com> Message-ID: <43B1CE99.1060800@mathematica.scientia.net>

vedaal@hush.com wrote:

>might be interesting to see the year 2020 gnupg version,
>the max keylength proposed then,
>and then link back to this thread ;-)
>

Perhaps in 2020 gpg uses quantum cryptography,... (of course one would need a special dongle attached via USB version 42)
RSA/SHA/ElG/EEC have been cracked long ago by 15 year old Norwegian programmers...

I've had a vision about all this ;-) ... Ok,... just kidding ;-)

Chris.

From cpollock at earthlink.net Wed Dec 28 00:45:21 2005
From: cpollock at earthlink.net (Chris) Date: Wed Dec 28 00:45:12 2005 Subject: Are gpg signatures considered attachments? In-Reply-To: <20051227105100.GA1928@eumel.yoo.local> References: <200512261743.jBQHhXT2001583@vulcan.xs4all.nl> <200512262030.36875.cpollock@earthlink.net> <20051227105100.GA1928@eumel.yoo.local> Message-ID: <200512271745.28644.cpollock@earthlink.net>

On Tuesday 27 December 2005 4:51 am, Thorsten Haude wrote:
> Hi,
>
> * Chris wrote (2005-12-27 03:30):
> >On the Mandriva Newbie list signatures using OpenPGP/MIME show up as
> >bad while those using Inline OpenPGP show up as good.
>
> They show up as good where? Are the Mails coming back from the list
> not verifiable? Is there some kind of status attached?
>
>
> Thorsten

They make it to the list, however, they show up this way using OpenPGP/MIME:

Message was signed by cpollock@earthlink.net (Key ID: 0xE372A7DA98E6705C).
Warning: The signature is bad.

On the bad signature I see this when looking at the msg source:

--nextPart5566026.XhGQNAZr0e
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

On a good signature I see this:

Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

It's even gotten so messed up that some have their signatures show bad when adding a sig to the bottom of the message, leaving it off shows the signature as valid. The opinion on the list is that something is definitely out of whack in the list software configuration.

--
Chris
Registered Linux User 283774 http://counter.li.org
17:37:19 up 24 min, 1 user, load average: 0.24, 0.22, 0.35
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk

From erpo41 at hotpop.com Wed Dec 28 08:51:40 2005
From: erpo41 at hotpop.com (Eric) Date: Wed Dec 28 09:34:44 2005 Subject: Create key's over 4096 bit ???? In-Reply-To: <200512231711.jBNHBidM002009@vulcan.xs4all.nl> References: <200512231711.jBNHBidM002009@vulcan.xs4all.nl> Message-ID: <1135756300.5256.1.camel@localhost.localdomain>

On Fri, 2005-12-23 at 18:11 +0100, Johan Wevers wrote:
> Atom Smasher wrote:
>
> >even then, how hard is it to get a group of non-geeks, who didn't grow up
> >with computers, to use pgp?
>
> I'm even trying to convince my girlfriend after the latest EU data retention
> laws (combined with remailers).
>
> >i think they're more likely to use carrier pigeons than pgp.
>
> I've read that in Afghanistan they use couriers by horse who memorise the
> message. That makes it practically uninterceptable.
>

What about rubber hose cryptanalysis?

From linux at thorstenhau.de Wed Dec 28 10:46:59 2005
From: linux at thorstenhau.de (Thorsten Haude) Date: Wed Dec 28 10:48:40 2005 Subject: Are gpg signatures considered attachments? In-Reply-To: <200512271745.28644.cpollock@earthlink.net> References: <200512261743.jBQHhXT2001583@vulcan.xs4all.nl> <200512262030.36875.cpollock@earthlink.net> <20051227105100.GA1928@eumel.yoo.local> <200512271745.28644.cpollock@earthlink.net> Message-ID: <20051228094659.GB1886@eumel.yoo.local>

Hi,

* Chris wrote (2005-12-28 00:45):
>> * Chris wrote (2005-12-27 03:30):
>> >On the Mandriva Newbie list signatures using OpenPGP/MIME show up as
>> >bad while those using Inline OpenPGP show up as good.
>>
>They make it to the list, however, they show up this way using OpenPGP/MIME:
>
>Message was signed by cpollock@earthlink.net (Key ID: 0xE372A7DA98E6705C).
>Warning: The signature is bad.

Standard invalid signature then, ok.

>On the bad signature I see this when looking at the msg source:
>
>--nextPart5566026.XhGQNAZr0e
>Content-Type: text/plain;
>  charset="iso-8859-1"
>Content-Transfer-Encoding: quoted-printable
>Content-Disposition: inline
>
>On a good signature I see this:
>
>Content-Type: text/plain;
>  charset="iso-8859-1"
>Content-Transfer-Encoding: 7bit
>Content-Disposition: inline

This is from a single mail, before and after it got munged by the mailing list software? If not, *are* the mails changed that way? In what way are they changed?

If possible, attach one of your mails from your outbound folder and from the list folder. (I'm not sure the others would approve though, so send the mails to me privately. Let's keep the discussion on the list though.)

>It's even gotten so messed up that some have their signatures show bad when
>adding a sig to the bottom of the message, leaving it off shows the
>signature as valid. The opinion on the list is that something is
>definitely out of whack in the list software configuration.

So whack it over the head. These things can be changed. What software do they use? What does the list provider say? What does the creator of the mailing list say?

Thorsten
--
The reader has it good: he can choose his writers.
- Kurt Tucholsky

From alphasigmax at gmail.com Wed Dec 28 14:27:20 2005
From: alphasigmax at gmail.com (Alphax) Date: Wed Dec 28 14:27:40 2005 Subject: Are gpg signatures considered attachments? In-Reply-To: <20051228094659.GB1886@eumel.yoo.local> References: <200512261743.jBQHhXT2001583@vulcan.xs4all.nl> <200512262030.36875.cpollock@earthlink.net> <20051227105100.GA1928@eumel.yoo.local> <200512271745.28644.cpollock@earthlink.net> <20051228094659.GB1886@eumel.yoo.local> Message-ID: <43B292B8.6040004@gmail.com>

Thorsten Haude wrote:
> Hi,
>
> * Chris wrote (2005-12-28 00:45):
>
>>On the bad signature I see this when looking at the msg source:
>>
>>--nextPart5566026.XhGQNAZr0e
>>Content-Type: text/plain;
>>  charset="iso-8859-1"
>>Content-Transfer-Encoding: quoted-printable
>>Content-Disposition: inline
>>
>>On a good signature I see this:
>>
>>Content-Type: text/plain;
>>  charset="iso-8859-1"
>>Content-Transfer-Encoding: 7bit
>>Content-Disposition: inline
>
>
> This is from a single mail, before and after it got munged by the
> mailing list software? If not, *are* the mails changed that way? In
> what way are they changed?

I can answer this in part... "quoted-printable" equals-escapes things such as newlines and equals signs - which of course changes the message hash, invalidating the signature. Any mailing list software which changes message encoding is EVIL.

>>Its even gotten so messed up that some have their signatures show bad when
>>adding a sig to the bottom of the message, leaving it off shows the
>>signature as valid. The opinion on the list is that something is
>>definately out of whack in the list software configuration.
>
>
> So whack it over the head. These things can be changed. What software
> do they use? What does the list provider say? What does the creator of
> the mailing list say?
>
>

Mailman seems to be okay with such things... generally adding a mailing list footer won't mangle PGP/MIME (I've never seen it mangle inline PGP), but once you add attachments the list footer will start breaking things.

--
Alphax                      |  /"\
Encrypted Email Preferred   |  \ /  ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |   X   Against HTML email & vCards
http://tinyurl.com/cc9up    |  / \

From atom at smasher.org Wed Dec 28 14:31:52 2005
From: atom at smasher.org (Atom Smasher) Date: Wed Dec 28 14:31:39 2005 Subject: Create key's over 4096 bit ???? In-Reply-To: <1135756300.5256.1.camel@localhost.localdomain> References: <200512231711.jBNHBidM002009@vulcan.xs4all.nl> <1135756300.5256.1.camel@localhost.localdomain> Message-ID: <20051228133155.42200.qmail@smasher.org> On Tue, 27 Dec 2005, Eric wrote: > On Fri, 2005-12-23 at 18:11 +0100, Johan Wevers wrote: >> Atom Smasher wrote: >>> i think they're more likely to use carrier pigeons than pgp. >> >> I've read that in Afghanistan they use couriers by horse who memorise >> the message. That makes it practically unintercaptable. >> > > What about rubber hose cryptanalysis? =================== it ~may~ be effective against password recovery in some forms of crypto: an attacker (torturer) would know when the password is revealed because a valid message is produced. a courier with a photographic memory could give up countless "secrets", and none of them the ~right~ one. really, if you beat the crap out of someone long enough and hard enough, they'll admit to being osama bin laden. off the top of my head, outguess is the closest thing to a real crypto app with a decent "plausible deniability" feature. -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "I never did give them hell. I just told the truth, and they thought it was hell." -- Harry S Truman, Apr. 3, 1956 From widhalmt at unix.sbg.ac.at Wed Dec 28 22:50:51 2005 
From: widhalmt at unix.sbg.ac.at (Thomas Widhalm) Date: Wed Dec 28 22:50:15 2005 Subject: What policy for signing keys do you use? Message-ID: <200512282251.05550.widhalmt@unix.sbg.ac.at>

Hi!

Many people have their keys or key IDs and fingerprints on their websites which should be very hard to fake for an attacker. Website, key, key ID, all at a time just before it gets discovered. But is this enough for you to sign the key? Not locally but exportable.

I know of the policies of some CAs, who need a meeting in the real life, a passport and a signature.

So how do you deal with signatures? Is it irresponsible signing keys just because of them being on a website with a fingerprint? Is it sufficient if you give "haven't checked anything" or "checked marginally" while signing. Or is this just for the local trustdb?

What about keys without real names but just nicknames?

Regards,
Thomas

--
*****************************************************************
* Thomas Widhalm Unix Administrator *
* University of Salzburg IT- Services (ITS) *
* Systems Management Unix Systems *
* Hellbrunnerstr. 34 5020 Salzburg, Austria *
* widhalmt@unix.sbg.ac.at +43/662/8044-6774 *
* gpg: 6265BAE6 *
* http://www.sbg.ac.at/zid/organisation/mitarbeiter/widhalm.htm *
*****************************************************************

From linux at thorstenhau.de Wed Dec 28 23:04:37 2005
From: linux at thorstenhau.de (Thorsten Haude) Date: Wed Dec 28 23:06:28 2005 Subject: What policy for signing keys do you use? In-Reply-To: <200512282251.05550.widhalmt@unix.sbg.ac.at> References: <200512282251.05550.widhalmt@unix.sbg.ac.at> Message-ID: <20051228220437.GH1886@eumel.yoo.local>

Hi,

* Thomas Widhalm wrote (2005-12-28 22:50):
>So how do you deal with signatures? Is it irresponsible signing keys just
>because of them being on a website with a fingerprint? Is it sufficient if
>you give "haven't checked anything" or "checked marginally" while signing. Or
>is this just for the local trustdb?

Nope, only sign what you *know*. If the data you mentioned above (key ID, fingerprint) is freely available on a website, everyone can get it and there is no point in signing it.

I'm only talking about non-local signatures of course. Locally, do whatever makes you smile the most.

>What about keys without real names but just nicknames?

No signature from me unless I know them personally.

(Not looking forward to yet another absence mail from this Kramer guy. Could he *please* be thrown off the list?)

Thorsten
--
I was amazed today to find out how much Windows can actually be used for useful things.
- Donald E. Knuth

From zwon at severodvinsk.ru Wed Dec 28 23:27:23 2005
From: zwon at severodvinsk.ru (Pawel Shajdo) Date: Wed Dec 28 23:43:46 2005 Subject: PKA In-Reply-To: <43B1CD6E.4060506@mathematica.scientia.net> References: <20051227004429.GA1388@sky.schizandra.ru> <43B0AA04.30805@comcast.net> <43B0C139.6040706@joimail.com> <20051227205849.GA992@sky.schizandra.ru> <43B1B289.7000001@joimail.com> <20051227224447.GH1893@sky.schizandra.ru> <43B1CD6E.4060506@mathematica.scientia.net> Message-ID: <20051228222723.GA2487@sky.schizandra.ru>

On Dec 28, 2005 at 00:25 +0100, Christoph Anton Mitterer wrote:
> I'm not sure, but perhaps this utilizes the SIG resource record,... have
> a look at RFC 2535 about DNSSEC (http://www.ietf.org/rfc/rfc2535.txt).

Seems nothing with DNSSEC. IIRC, after looking into util/pka.c, this searches in DNS TXT RR of form

v=pka1;fpr=a4d94e92b0986ab5ee9dcd755de249965b0358a2;uri=string

fpr - key fingerprint
uri - key location

If email is alice@example.com, then RR name

alice._pka.example.com

Am I right? Where can I find specs?

Vale!
--
Pawel I. Shajdo

From linux at thorstenhau.de Thu Dec 29 14:49:54 2005
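An added example, not part of the thread and not GnuPG's code: a strict parser for the TXT record layout and owner name that Pawel's message recalls from util/pka.c, assuming the format is exactly as he quotes it. The names `pka_owner_name`, `parse_pka_txt`, `key_matches_record`, `PkaRecord` and `PkaError` are made up for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

FPR_RE = re.compile(r"[0-9A-Fa-f]{40}")  # 40 hex digits, as in the quoted record


class PkaError(ValueError):
    """The address or TXT string does not fit the format quoted in the post."""


@dataclass(frozen=True)
class PkaRecord:
    fingerprint: str       # upper-case hex, no spaces
    uri: Optional[str]     # key location; None when the field is absent


def pka_owner_name(address: str) -> str:
    """Map alice@example.com to alice._pka.example.com (rule from the post)."""
    local, at, domain = address.strip().rpartition("@")
    domain = domain.rstrip(".")
    if not at or not local or not domain:
        raise PkaError(f"not a mail address: {address!r}")
    return f"{local}._pka.{domain}"


def parse_pka_txt(txt: str) -> PkaRecord:
    """Parse 'v=pka1;fpr=<hex>;uri=<location>' and fail closed on anything else."""
    # Assumption: at most three fields in the order shown in the post, so a
    # uri that itself contains ';' or '=' stays in one piece.
    fields = {}
    for part in txt.strip().split(";", 2):
        key, eq, value = part.partition("=")
        key = key.strip().lower()
        if not eq or not key:
            raise PkaError(f"malformed field: {part!r}")
        if key in fields:
            raise PkaError(f"duplicate field: {key!r}")
        fields[key] = value.strip()
    if next(iter(fields)) != "v" or fields["v"] != "pka1":
        raise PkaError("record must start with v=pka1")
    fpr = fields.get("fpr", "")
    if not FPR_RE.fullmatch(fpr):
        raise PkaError("fpr must be 40 hex digits")
    return PkaRecord(fingerprint=fpr.upper(), uri=fields.get("uri") or None)


def key_matches_record(record: PkaRecord, key_fingerprint: str) -> bool:
    """True only if a fetched key has exactly the fingerprint the record names."""
    return re.sub(r"\s+", "", key_fingerprint).upper() == record.fingerprint


if __name__ == "__main__":
    # Constructed input: the address and record text are the ones in the post.
    print(pka_owner_name("alice@example.com"))
    rec = parse_pka_txt(
        "v=pka1;fpr=a4d94e92b0986ab5ee9dcd755de249965b0358a2;uri=string")
    print(rec)
    print(key_matches_record(
        rec, "A4D9 4E92 B098 6AB5 EE9D  CD75 5DE2 4996 5B03 58A2"))
```

The fingerprint comparison is the step that matters for a verifier: a key fetched from the `uri` is only associated with the address if its fingerprint equals the one in the record.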
From: linux at thorstenhau.de (Thorsten Haude) Date: Thu Dec 29 14:51:41 2005 Subject: Are gpg signatures considered attachments? In-Reply-To: <20051228094659.GB1886@eumel.yoo.local> References: <200512261743.jBQHhXT2001583@vulcan.xs4all.nl> <200512262030.36875.cpollock@earthlink.net> <20051227105100.GA1928@eumel.yoo.local> <200512271745.28644.cpollock@earthlink.net> <20051228094659.GB1886@eumel.yoo.local> Message-ID: <20051229134954.GD2171@eumel.yoo.local>

Hi,

* Thorsten Haude wrote (2005-12-28 10:46):
>If possible, attach one of your mails from your outbound folder and
>from the list folder. (I'm not sure the others would approve though,
>so send the mails to me privately. Let's keep the discussion on the
>list though.)

So the problem is indeed QP-reencoding, but not in a way I would have expected. The last parts of the body of your mails are different:

Good:
- - - Snip - - -
So, again, just what is causing the 'bad' signature? =20
Question for anyone, what mailing list software is being used?
=2D-=20
Chris
- - - Snap - - -

Bad:
- - - Snip - - -
So, again, just what is causing the 'bad' signature?=20=20
Question for anyone, what mailing list software is being used?
--=20
Chris
- - - Snap - - -

I'm not too sure about QP, the bad version might even have the cleaner encoding (Why is the dash encoded?), but it should never have touched the signed part anyway. Either pass it through, or, if it is considered dangerous, block it.

>So whack it over the head. These things can be changed. What software
>do they use? What does the list provider say? What does the creator of
>the mailing list say?

I tried to search Sympa's bug tracker, but it doesn't work (at least not the way I used it). So my next step would be to contact the Sympa guys to let them know, through the bug tracker and/or through one of their mailing lists.

Let me know if I can be of any help.

Thorsten
--
A foolish consistency is the hobgoblin of little minds, adored by little statesmen and philosophers and divines.
- Ralph Waldo Emerson

From blueness at gmx.net Thu Dec 29 15:54:09 2005
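An added example, not part of the thread: the two quoted-printable encodings quoted in the message above decode to the same text but are different bytes, which is why a signature made over the part as sent no longer verifies after the list re-encodes it. The sample parts are constructed from the quoted fragments; the part headers, the CRLF line breaks and the function name `compare_signed_part` are assumptions.

```python
import email
import hashlib
from itertools import zip_longest

# Constructed sample, assembled from the fragments quoted in the message above;
# the part headers and the CRLF line breaks are assumptions.
HEADERS = (
    b'Content-Type: text/plain; charset="iso-8859-1"\r\n'
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"Content-Disposition: inline\r\n"
    b"\r\n"
)
SENT = HEADERS + (
    b"So, again, just what is causing the 'bad' signature? =20\r\n"
    b"Question for anyone, what mailing list software is being used?\r\n"
    b"=2D-=20\r\n"
    b"Chris\r\n"
)
RELAYED = HEADERS + (
    b"So, again, just what is causing the 'bad' signature?=20=20\r\n"
    b"Question for anyone, what mailing list software is being used?\r\n"
    b"--=20\r\n"
    b"Chris\r\n"
)


def compare_signed_part(sent: bytes, received: bytes) -> dict:
    """Classify the difference between a signed MIME part as sent and as received.

    An OpenPGP/MIME signature covers the part as transmitted (its headers plus
    the still-encoded body), so any byte change breaks it even when the
    decoded text is identical.
    """
    text_sent = email.message_from_bytes(sent).get_payload(decode=True)
    text_received = email.message_from_bytes(received).get_payload(decode=True)
    if sent == received:
        verdict = "unchanged"
    elif text_sent == text_received:
        verdict = "re-encoded in transit"
    else:
        verdict = "content changed"
    # 1-based line numbers of the raw lines that differ, with both versions.
    changed = [
        (number, a, b)
        for number, (a, b) in enumerate(
            zip_longest(sent.splitlines(), received.splitlines(), fillvalue=b""), 1)
        if a != b
    ]
    return {
        "verdict": verdict,
        "sent_digest": hashlib.sha256(sent).hexdigest(),
        "received_digest": hashlib.sha256(received).hexdigest(),
        "changed_lines": changed,
    }


if __name__ == "__main__":
    report = compare_signed_part(SENT, RELAYED)
    print(report["verdict"])
    print(report["sent_digest"])
    print(report["received_digest"])
    for number, before, after in report["changed_lines"]:
        print(number, before, "->", after)
```

Run against a copy from the outbound folder and the copy that came back from the list, this separates a harmless-looking transfer re-encoding from an actual change of content; both invalidate the signature.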
From: blueness at gmx.net (Mica Mijatovic) Date: Thu Dec 29 16:00:46 2005 Subject: line wrapping In-Reply-To: <200512251659.jBPGx0bc085789@mailserver2.hushmail.com> References: <200512251659.jBPGx0bc085789@mailserver2.hushmail.com> Message-ID: <1814762010.20051229155409@gmx.net>

Was Sun, 25 Dec 2005, at 08:58:57 -0800, when vedaal wrote:

>>Your lines, as to the form they form, look like a verses. Is
>>that done
>>deliberately or your Eudora again entangles on its own?

> done intentionally on my own,
> each thought gets a line,
> long thoughts get broken up at suitable spots,
> related short thoughts sometimes are on the same line,

I noticed this, recalling the Sanskrit "syntax" and sutras' "verses", and this was the reason for me to ask, since I wasn't quite clear what is done intentionally and what is work of your mailer.

> this avoids
> the e-mail client or pgp wrapping them
> in places i don't want,

It helps indeed, to a certain extent, but your Eudora is still wrapping "inconsistently". I am leaving citations of my previous text above "intacta", for us to see this.

--
Mica
PGP keys nestled at: http://blueness.port5.com/pgpkeys/
~~~ For personal mail please use my address as it is *exactly* given in my "From|Reply To" field(s). ~~~

From cam at mathematica.scientia.net Thu Dec 29 16:37:17 2005
From: cam at mathematica.scientia.net (Christoph Anton Mitterer) Date: Thu Dec 29 16:36:58 2005 Subject: PKA In-Reply-To: <20051228222723.GA2487@sky.schizandra.ru> References: <20051227004429.GA1388@sky.schizandra.ru> <43B0AA04.30805@comcast.net> <43B0C139.6040706@joimail.com> <20051227205849.GA992@sky.schizandra.ru> <43B1B289.7000001@joimail.com> <20051227224447.GH1893@sky.schizandra.ru> <43B1CD6E.4060506@mathematica.scientia.net> <20051228222723.GA2487@sky.schizandra.ru> Message-ID: <43B402AD.9080302@mathematica.scientia.net>

Pawel Shajdo wrote:

>On Dec 28, 2005 at 00:25 +0100, Christoph Anton Mitterer wrote:
>
>>I'm not sure, but perhaps this utilizes the SIG resource record,... have
>>a look at RFC 2535 about DNSSEC (http://www.ietf.org/rfc/rfc2535.txt).
>>
>Seems nothing with DNSSEC.
>

Sorry,.. was just an idea due to the comment in the source code:
"It makes use of special DNS records and notation data to associate a mail address with an OpenPGP key."
And the only (standardized) RR that has to do with sigs I've heard about was that from the DNS SEC ;-)

Chris.

From zwon at severodvinsk.ru Thu Dec 29 20:40:22 2005
From: zwon at severodvinsk.ru (Pawel Shajdo) Date: Thu Dec 29 20:43:30 2005 Subject: PKA In-Reply-To: <43B402AD.9080302@mathematica.scientia.net> References: <20051227004429.GA1388@sky.schizandra.ru> <43B0AA04.30805@comcast.net> <43B0C139.6040706@joimail.com> <20051227205849.GA992@sky.schizandra.ru> <43B1B289.7000001@joimail.com> <20051227224447.GH1893@sky.schizandra.ru> <43B1CD6E.4060506@mathematica.scientia.net> <20051228222723.GA2487@sky.schizandra.ru> <43B402AD.9080302@mathematica.scientia.net> Message-ID: <20051229194022.GA1675@sky.schizandra.ru> On Dec 29, 2005 at 16:37 +0100, Christoph Anton Mitterer wrote: > Sorry,.. was just an idea due to the comment in the source code: > "It makes use of special DNS records and notation data to associate a > mail address with an OpenPGP key." > And the only (standardized) RR that has to do with sigs I've heard about > was that from the DNS SEC ;-) I have found some info about this in gnupg-devel: http://lists.gnupg.org/pipermail/gnupg-devel/2005-August/022254.html Vale! -- Pawel I. Shajdo From alex at milivojevic.org Thu Dec 29 21:52:43 2005 
From: alex at milivojevic.org (Aleksandar Milivojevic) Date: Thu Dec 29 21:53:02 2005 Subject: using gpgsm In-Reply-To: <87ek423apq.fsf@wheatstone.g10code.de> References: <20051221142326.2t6o7ivrtwkg08og@www.milivojevic.org> <87ek423apq.fsf@wheatstone.g10code.de> Message-ID: <20051229145243.ritwptqpwk4k4s88@www.milivojevic.org>

Quoting Werner Koch:

> On Wed, 21 Dec 2005 14:23:26 -0600, Aleksandar Milivojevic said:
>
>> gpgsm: gpgsm: GPG_TTY has not been set - using maybe bogus default
>> gpgsm: gpg-protect-tool: Secure memory is not locked into core
>> gpgsm: gpg-protect-tool: gpg-agent is not available in this session
>
> You need to start gpg-agent first; importing p12 files is not possible
> with an on-demand loaded gpg-agent.
>
> gpg-agent --daemon /bin/sh
>
> is probably the easiest way for testing this. Within this shell run
> the import again. Use exit to stop the agent then.
>
> Hint: Running just gpg-agent will show whether an agent is available.

It was two things. The gpg-agent was the first one. The second one was the pinentry program (I didn't have one). After downloading and installing it, I was able to import PKCS#12 file. Might be good idea if configure script was checking if pinentry is installed and complaining if it wasn't, like for other dependencies.

>> Another question is about support for non US-ASCII characters in certificates
>> (something tells me you might be getting lot of these questions). I've
>> received one certificate that has some accented letters in CN and OU. After
>> importing it, and then doing "gpgsm --list-keys", the output shows the Subject
>> without CN and OU (only O, L, ST and C are displayed). Is this certificate
>
> gpgsm always displays utf-8 thus they may look weird depending on
> your locale setting.

The thing is, it wasn't displaying them at all. As if they were not there.

Example (removed non-relevant lines from output):

$ echo $LANG
en_US.UTF-8
$ openssl x509 -noout -text -in test.crt
Subject: C=CA, ST=Quebec, L=Montreal, O=\x00T\x00e\x00s\x00t\x00_\x00I\x00m\x00p\x00r\x00i\x00m\x00e\x00u\x00r, OU=\x00T\x00e\x00s\x00t\x00_\x00I\x00m\x00p\x00r\x00i\x00m\x00e\x00u\x00r, CN=\x00T\x00e\x00s\x00t\x00_\x00I\x00m\x00p\x00r\x00i\x00m\x00e\x00u\x00r
$ gpgsm --import test.crt
$ gpgsm --list-keys
Subject: /L=Montreal/ST=Quebec/C=CA

As you can see, the CN, O and OU attributes are missing in output. Only the "clean US-ASCII" C, ST and L are present. Openssl displayed them all using hex notation (they look weird, but they are there). I know that gpgsm imported the certificate correctly (if I export it into a file, and then run openssl x509 -text on it, it displays correct Subject). If I import that same certificate into Windows machine, it is also displayed correctly (this time no weird stuff).

BTW, the certificate in this example is almost unselectable using gpgsm. The CN is in UTF-8, but when I looked closer into it, it doesn't really contain any non-US-ASCII characters. It just reads "Test_Imprimeur" (just remove all those "\x00"). However if I do 'gpgsm --list-keys CN=Test_Imprimeur', nothing is displayed.

From nixclusive0 at gmail.com Tue Dec 27 20:06:03 2005
From: nixclusive0 at gmail.com (Nicky) Date: Fri Dec 30 17:37:51 2005 Subject: GnuPG --edit-key, help req. Message-ID:

What does the usage letters mean in the key listing?

usage: CS
usage: SEA

What does SEA stand for? I think S and E stand for Signing and Encryption respectively but what about A and C?

--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
Download PGP Public Key for Nicky: https://keyserver2.pgp.com:443/vkd/DownloadKey.event?keyid=0xC0C5F557057AC4BC
Key fingerprint = 79FD 0A0A A997 C52A 9133 86D9 C0C5 F557 057A C4BC

From mk at fsfe.org Wed Dec 28 16:41:13 2005
From: mk at fsfe.org (Matthias Kirschner) Date: Fri Dec 30 18:57:22 2005 Subject: verify CHV1 failed - not able to sign Message-ID: <20051228154112.GA3710@mbwg.de>

Hi all,

I just figured out, that I am not able to sign with my OpenPGP fellowship smartcard any more. The error message is:

gpg: signatures created so far: 274
gpg: verify CHV1 failed: invalid passphrase
gpg: signing failed: invalid passphrase
gpg: signing failed: invalid passphrase

I don't know what the problem is as the card worked quite well the last weeks without any problems. En- and decrypting files is working without any problems.

Here on the machine GnuPG 1.4.2rc1 is installed. I am running Debian sarge. And the only change I can think of was running aptitude update and upgrade during the last days.

Thank you,
Matze

--
Join the Fellowship and protect your freedom! (http://www.fsfe.org)

From lusfert at gmail.com Fri Dec 30 20:22:02 2005
From: lusfert at gmail.com (lusfert) Date: Fri Dec 30 20:22:57 2005 Subject: GnuPG --edit-key, help req. In-Reply-To: References: Message-ID: <43B588DA.30009@gmail.com>

Nicky wrote on 27.12.2005 22:06:
> What does the usage letters mean in the key listing?
> usage: CS
> usage: SEA
> What does SEA stand for? I think S and E stand for Signing and
> Encryption respectively but what about A and C?
>

S - Signing
E - Encryption
A - Authentication (for SSH), look at http://lists.gnupg.org/pipermail/gnupg-users/2005-November/027478.html
C - Certifying (signing OpenPGP keys), can be used only for primary key, not a subkey

usage: SEA - key can be used for signing, encryption, and authentication

Regards
--
My current OpenPGP key ID: 0x500B8987
Key fingerprint: E883 045D 36FB 8CA3 8D69 9C79 9E35 3B56 500B 8987
Encrypted e-mail preferred.

From twoaday at gmx.net Fri Dec 30 20:14:13 2005
From: twoaday at gmx.net (Timo Schulz) Date: Fri Dec 30 21:34:08 2005 Subject: GnuPG --edit-key, help req. In-Reply-To: References: Message-ID: <20051230191413.GA1208@daredevil.joesixpack.net>

On Wed Dec 28 2005; 00:36, Nicky wrote:

> What does the usage letters mean in the key listing?
> usage: CS
> usage: SEA
> What does SEA stand for? I think S and E stand for Signing and Encryption
> respectively but what about A and C?

C = Certifying.
A = Authentication.

C is used to indicate the key can sign other keys.
A is a hint that the key might be used for authentication (logins for example).

Timo

From kfitzner at excelcia.org Sat Dec 31 00:58:55 2005
From: kfitzner at excelcia.org (Kurt Fitzner)
Date: Sat Dec 31 00:58:43 2005
Subject: Smart card signing failure
Message-ID: <43B5C9BF.5090807@excelcia.org>

Hi all,

I'm having a tough time trying to get a smart card to work. I followed the card-howto to the letter to initialize the card and generate the keys. This works, and gpg --card-status seems to work just fine. When I try to sign a file, though, I get:

> gpg -u card --detach-sign test.txt
gpg: detected reader `OMNIKEY CardMan 2020 0'
gpg: signing failed: invalid argument
gpg: signing failed: invalid argument

I have also tried --disable-ccid, as this is a pc/sc card reader, but that has no effect.

Any hints as to what I am doing wrong?

Kurt.

From mk at fsfe.org Fri Dec 30 18:11:55 2005
From: mk at fsfe.org (Matthias Kirschner)
Date: Sat Dec 31 05:05:25 2005
Subject: verify CHV1 failed - not able to sign
Message-ID: <20051230171155.GD12218@mbwg.de>

Hi all,

I just figured out, that I am not able to sign with my OpenPGP fellowship smartcard any more. The error message is:

gpg: signatures created so far: 274
gpg: verify CHV1 failed: invalid passphrase
gpg: signing failed: invalid passphrase
gpg: signing failed: invalid passphrase

I don't know what the problem is as the card worked quite well the last weeks without any problems. En- and decrypting files is working without any problems.

Here on the machine GnuPG 1.4.2rc1 is installed. I am running Debian sarge. And the only change I can think of was running aptitude update and upgrade during the last days.

Thank you,
Matze

--
Join the Fellowship and protect your freedom! (http://www.fsfe.org)

From kfitzner at excelcia.org Sat Dec 31 11:57:41 2005
From: kfitzner at excelcia.org (Kurt Fitzner)
Date: Sat Dec 31 11:57:19 2005
Subject: Smart card signing failure
In-Reply-To: <43B5C9BF.5090807@excelcia.org>
References: <43B5C9BF.5090807@excelcia.org>
Message-ID: <43B66425.2050901@excelcia.org>

I have solved my own problem. If the gpg.conf has a setting for personal-digest-preferences, and if an algo that is supported by a smartcard is not first in the list, then GnuPG will fail with any signing operation made with a smartcard.

For example, my gpg.conf setting was:

personal-digest-preferences SHA256 SHA384 SHA512

This was causing gnupg to fail with all signing operations. I don't know whether or not this is a bug, or just an error message that is too cryptic.

Kurt.

From widhalmt at unix.sbg.ac.at Thu Dec 22 22:06:24 2005
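The failure Kurt Fitzner reports above can be caught before signing by checking which digest comes first in `personal-digest-preferences`. This is an added example, not code from the thread or from GnuPG; the `CARD_DIGESTS` set, the function names and the sample configurations are assumptions made for illustration.

```python
# Added example: flag gpg.conf digest preferences a smart card cannot sign with.
# CARD_DIGESTS is an assumption (160-bit digests); set it to what your card supports.
CARD_DIGESTS = {"SHA1", "RIPEMD160"}

# OpenPGP hash algorithm IDs, so tokens written as H<n> are normalised to names.
HASH_IDS = {"H1": "MD5", "H2": "SHA1", "H3": "RIPEMD160", "H8": "SHA256",
            "H9": "SHA384", "H10": "SHA512", "H11": "SHA224"}


def digest_preferences(conf_text):
    """Return the personal-digest-preferences list from gpg.conf text, or None."""
    prefs = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        option, *values = line.split()
        if option == "personal-digest-preferences":
            # This checker keeps the last occurrence if the option is repeated.
            prefs = [HASH_IDS.get(v.upper(), v.upper()) for v in values]
    return prefs


def check_card_signing(conf_text, card_digests=CARD_DIGESTS):
    """Return (ok, message); ok is False when the first digest is not card-usable."""
    prefs = digest_preferences(conf_text)
    if not prefs or prefs == ["NONE"]:
        return True, "no personal digest preference set"
    first = prefs[0]
    if first in card_digests:
        return True, f"first preference {first} is usable with the card"
    usable = [d for d in prefs if d in card_digests]
    hint = (f"move {usable[0]} to the front" if usable
            else "put a card-supported digest first")
    return False, f"first preference {first} is not usable with the card; {hint}"


# Constructed sample configurations (the first repeats the setting from the thread).
FAILING_CONF = """\
# gpg.conf
personal-digest-preferences SHA256 SHA384 SHA512
"""
BURIED_CONF = "personal-digest-preferences SHA512 H3 SHA256\n"
REORDERED_CONF = "personal-digest-preferences RIPEMD160 SHA256 SHA384 SHA512\n"

if __name__ == "__main__":
    for name, conf in [("failing", FAILING_CONF), ("buried", BURIED_CONF),
                       ("reordered", REORDERED_CONF)]:
        print(name, check_card_signing(conf))
```

Pass the digests your own card supports as `card_digests`; the default set is only a stand-in.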
From: widhalmt at unix.sbg.ac.at (Thomas Widhalm)
Date: Sun Jan 1 22:04:54 2006
Subject: Using gpg in larger scale at a University
Message-ID: <200512222206.24946.widhalmt@unix.sbg.ac.at>

Hi!

I already sent this email twice to this mailing list, but it didn't appear at my mailserver, so I assume it didn't reach any of you.

I just got in charge of managing Linux and Unix servers at the University of Salzburg (Austria) and one of my first tasks is to implement a secure way of exchanging email and storing data. Having a big affection to Free Software, I try to implement a solution based upon gpg.

My biggest problem is that our users have many different mail clients, mostly MS Outlook connected to MS Exchange.

Maybe some of you could help me with some details:

I need a plugin for Outlook which supports gpg/MIME and maybe inline gpg. (Not Gdata, this didn't work out)

I think it would be a good idea to create a CA. How to achieve that? How to keep the key safe? Is just one person the CA, or a bunch of people? What if someone leaves us?

What if an employee leaves, loses his email address but still has a signature? Should we revoke it?

Is it possible/useful to create an own keyserver which synchronises with the official ones? How to do that?

I have some ideas, but need more input. Maybe some of you could help me out.

Regards,
Thomas Widhalm

--
*****************************************************************
* Thomas Widhalm                      Unix Administrator        *
* University of Salzburg              IT- Services (ITS)        *
* Systems Management                  Unix Systems              *
* Hellbrunnerstr. 34                  5020 Salzburg, Austria    *
* widhalmt@unix.sbg.ac.at             +43/662/8044-6774         *
* gpg: 6265BAE6                                                 *
* http://www.sbg.ac.at/zid/organisation/mitarbeiter/widhalm.htm *
*****************************************************************

From widhalmt at unix.sbg.ac.at Thu Dec 22 13:10:15 2005
From: widhalmt at unix.sbg.ac.at (Thomas Widhalm)
Date: Sun Jan 1 22:35:43 2006
Subject: gnupg in larger scale for our OU
Message-ID: <1135253415.10076.0.camel@aphrodite>

Hi!

I just got in charge of some of the Linux and Unix servers at the University of Salzburg. One of my tasks is to generate a possibility for our organizational unit to communicate safely via email and store data encrypted. For some reasons I thought of implementing this on base of gnupg.

Maybe you can help me with some ideas. I'm searching the web and I'm writing to others as well, but since this is a big task, I want as many opinions as I can get:

I need plugins for many different clients. Unfortunately most of the users have MS Outlook for their primary mail client, so I need a plugin which does well with it and isn't too complicated to use. Although we are the IT department, we have many administrative employees who are not all too willing to dive into some "techie mumbo jumbo". Do you have any suggestions?

I think it would be a good idea to create our own CA. Maybe you have some experiences to share? How many people should have access to the CA's passphrase and secret key, what if one of them leaves us, what if an employee with a signed key leaves, etc.

Maybe it would even be an option to create an own keyserver. Is this useful or would it be far too overpowered?

Thanks a lot,

Regards,
Thomas

--
*****************************************************************
* Thomas Widhalm                      Unix Administrator        *
* University of Salzburg              IT Services (ITS)         *
* Systems Management                  Unix Systems              *
* Hellbrunnerstr. 34                  5020 Salzburg, Austria    *
* widhalmt@unix.sbg.ac.at             +43/662/8044-6774         *
* gpg: 6265BAE6                                                 *
* http://www.sbg.ac.at/zid/organisation/mitarbeiter/widhalm.htm *
*****************************************************************
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 185 bytes
Desc: This is a digitally signed message part
Url : /pipermail/attachments/20051222/efbaaf01/attachment.pgp

From gnupg-users at gnupg.org Fri Dec 30 18:18:58 2005
From: gnupg-users at gnupg.org (Christoph Anton Mitterer)
Date: Tue Jan 3 11:20:56 2006
Subject: GnuPG --edit-key, help req.
In-Reply-To:
References:
Message-ID: <43B56C02.8060405@gnupg.org>

Nicky wrote:

>What does the usage letters mean in the key listing?
> usage: CS
> usage: SEA
>What does SEA stand for? I think S and E stand for Signing and Encryption
>respectively but what about A and C?
>
>

Please have a look at the "Keytypes and changing them" thread (http://lists.gnupg.org/pipermail/gnupg-users/2005-November/027470.html).

You might also consult the standard (http://www.ietf.org/internet-drafts/draft-ietf-openpgp-rfc2440bis-15.txt) section 5.2.3.21.

Chris.